<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beyond the Perimeter  &#187; Podcast</title>
	<atom:link href="http://blogs.bigfix.com/beyondtheperimeter/category/podcast/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.bigfix.com/beyondtheperimeter</link>
	<description>with Amrit Williams</description>
	<lastBuildDate>Mon, 30 Aug 2010 06:34:08 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Episode 96: Verizon Business Releases the 2010 Data Breach Report</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/#comments</comments>
		<pubDate>Sat, 28 Aug 2010 09:21:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, digs into the details of the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.
Subscribe in iTunes:

Subscribe with XML:

FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, digs into the details of the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-336"></span><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research and Intelligence with Verizon Business. Alex, thanks for joining me today.</p>
<p><strong>Alex Hutton:</strong> Amrit, thanks for having me. How are you?</p>
<p><strong>Amrit Williams:</strong> I am great. It’s great to hear you again, it has been a while; you have been on the podcast before. Actually, the last time you were on, I think you had just taken a position with Verizon and we didn’t get a chance to drill into some of the details of the last Verizon Data Breach Report. But now I have you back and I am really excited to talk about the details of the 2010 Data Breach Investigations Report from Verizon.</p>
<p>So why don’t we start with just a real quick overview, if you could provide the listeners, what is the Verizon Data Breach Investigations Report, what’s its focus, goal, and purpose.</p>
<p><strong>Alex Hutton:</strong> Sure. Thanks. The goal of the Data Breach Investigations Report is basically to give people information they can use to better manage their risk, optimize their security program.</p>
<p>The background is this, Verizon Business, as you guys probably know, we do a lot of incident response cases, where we go out on the client side when they have incidents. Our IR team has done a great job in the past, I don’t know, since 2004, of keeping detailed metrics about what the environments that they find.</p>
<p>So the first Data Breach Report was an attempt to basically take kind of the narratives that they capture; first the bad guys did this, then he did that, then he did the other thing, and really create risk management metrics out of them. This year’s report is kind of unique and different, because it also includes the Secret Service’s data for the past few years, about the incidents that they respond to and work.</p>
<p><strong>Amrit Williams:</strong> This is the first year you guys worked in conjunction with the U.S. Secret Service, right?</p>
<p><strong>Alex Hutton:</strong> Correct.</p>
<p><strong>Amrit Williams:</strong> I got to tell you, those guys know how to party. No, I am joking. They are actually one of the most straight faced people I have ever met. How was it working with them, before we get into the details of the report?</p>
<p><strong>Alex Hutton:</strong> It was really fantastic, it was very exciting. We had some internal champions there that I probably can’t name by name, but I do want to publicly thank them for their effort and their hard work that made this all come together. It was very exciting.</p>
<p>Wade Baker did a lot of work with those guys and getting this to fruition, training, and so forth. They have been extremely responsive and actually very eager to get metrics out of what they &#8212; and get them released and get people understanding what’s going on and managing better. So kudos to them.</p>
<p><strong>Amrit Williams:</strong> It’s encouraging too, because there’s definitely more of an outreach from U.S. law enforcement, actually even worldwide law enforcement, to better coordinate with the private sector and businesses, so we can hopefully create an environment that makes it safe for all of us to work and have fun online.</p>
<p><strong>Alex Hutton:</strong> At Black Hat, I did meet the feds’ panels. It was amazing the amount of programs and the amount of information that the U.S. government is willing to go out and share and utilize. Programs that they have to utilize, that we can utilize to help people, manage their risk better, optimize their security programs, understand the threat landscape, and so forth; really fantastic stuff.</p>
<p><strong>Amrit Williams:</strong> Well, maybe when guys show up in black helicopters, dark suits, and dark sunglasses, and they say, we are from the government, we are here to help, they actually really mean it.</p>
<p><strong>Alex Hutton:</strong> We can only hope.</p>
<p><strong>Amrit Williams:</strong> So let’s turn to the 2010 Data Breach Investigations Report. I find the report just fantastic. I love reading this thing once a year, because it has such a wealth of data. And what it helps to do a lot is it helps to either support some assumptions that people have or maybe change their ideas around some assumptions.</p>
<p>I know that I think last year’s report indicated that insider threats were not as great as I think people were stating that they were, especially those folks who sell insider threat capabilities as a vendor, but we see a proliferation in that. So talk a little bit about what are some of the major themes that you guys saw in 2010 that were different from 2009 and then we can sort of drill into what impact they are going to have on the enterprise.</p>
<p><strong>Alex Hutton:</strong> Sure. Well, one of the things that came about from the cooperation with the Secret Service is that, we actually did get a more clear picture about what may not be reported, and a lot of that had to do with the insider.</p>
<p>If you have read the 2009 supplemental report that we put out, part of the work that &#8212; I was a part of the team that did the normalization with the data loss database information. It was interesting that once we took out like lost laptops and USB keys that are lost, that had a bunch of social security numbers and basically said, okay, these are the incidents that DoD covers that are very similar to the incidents that we work. Their percentage of insiders and outsiders was statistically similar to what we had been seeing. So that was kind of validation at that time; what is publicly reported and what is represented in the press, seems to match the percentages that Verizon works.</p>
<p>(00:05:09)</p>
<p>This year, we actually, because of the Secret Service data, we actually do see a greater frequency and incidence caused by internal agents. If you look at page 12 of the report, we show a 70% external agent representation, a 48% internal agent representation, and 11% partner representation. Those percentages add up to above 100%, because many times you will have an external agent working with an internal agent on a case. So that’s why you get greater than 100% there. But we do see a significant rise there because of the Secret Service dataset.</p>
<p>Now, that said, I have to qualify that. If we think of risk as being frequency and impact, if you take a look at our numbers, and this is on page 14 for those listeners who are kind of reading along with us, or want to take notes and look at the Data Breach Report themselves, what we do there is we kind of say, okay, now, we have got a frequency number in terms of representation in the caseload, what about actual impact? And if you look there, you are like 70 times more likely to have compromised records, compromised by an external agent than an internal agent.</p>
<p>So out of the nearly over 900 million records total in the dataset, that combine U.S. Secret Service and Verizon dataset, out of 900 million records that have been compromised, 800 million were from external agents, 28 million were from internal agents.</p>
<p><strong>Amrit Williams: </strong>That’s actually pretty incredible. I have a quick question about these metrics that were caused by insiders. There is a similar metric here, almost exactly the same numbers, 48% were caused by insiders, an increase of 26% over last year. Another part of the report says, how do breaches occur, 48% involve privilege misuse, and again, that 26% increase over last year. Have you been able to determine through the investigations which of these were negligence versus malicious activity?</p>
<p><strong>Alex Hutton: </strong>Yeah, actually we have kind of breakdowns of what misuse means. If you go ahead and take a look at the Misuse section, that kind of starts on Page 33, we give a type of misuse that’s kind of broken down between embezzlement, skimming, and related frauds, versus say, what we would typically think of misuse as access in privileges. So you do kind of get a breakout by type of misuse there to answer that.</p>
<p><strong>Amrit Williams: </strong>I am looking at this, this is quite interesting, because this implies that in the majority of cases where there was an internal breach, there was actually an attempt to breach. I mean, it wasn’t negligence or wasn’t an accident.</p>
<p><strong>Alex Hutton: </strong>No, no, and that’s significant. One of the things &#8212; to get back to, I guess, what you are kind of driving at, there is a wonderful graph that we do, where we break out sort of the over time, the frequency or the representation in the dataset, and you see the shape of the Secret Service’s internal &#8212; representation of the internal agent between 2007 and 2009 on Page 13. It&#8217;s a little V shape, basically, that starts high in 2007, at near 90%, kind of bottoms out around 55% over 2008, and jumps back up towards 70% in 2009.</p>
<p>Now, to show you what kind of influence, misuse, and what you are talking about, and the Secret Service dataset has on our representation of misuse in the internal actor in the Data Breach Report, you go to Page 22 and you take a look at the dotted green line for misuse as a threat action there, and it is a same shaped curve, that same V shape is represented there.</p>
<p>So that just shows you that if you go to that representation of what types of misuse are represented with dataset, that’s almost same for same, kind of related to the frequency for the internal actor. So taking a look at abusive system access and privileges and embezzlement, and making sure you have controls around that, well, you are going to knock out a significant probability of internal actors being successful just by focusing on those sorts of threat actions. I think that’s the power of the Data Breach Report and the power of looking at data, is that optimization.</p>
<p>(00:09:49)</p>
<p><strong>Amrit Williams:</strong> Well, I guess we want to touch on what organizations can do to better defend themselves, but before I go there, I do want to ask you a question about this concept of insider threat and misuse. I think over the years we have seen sort of negligence and accidental misuse. As this report is indicating, there is actually a targeted type of thing that’s going on, whether that’s for embezzlement or any number of things.</p>
<p>Do you think there is or have you &#8212; did the Secret Service itself or Verizon look at any correlations between the current economic conditions and people’s fear about either losing their jobs or being laid off that has driven this number up, or is this just opportunistic?</p>
<p><strong>Alex Hutton</strong>: Yeah. The answer I should give you is, we don’t see that in the dataset, because you get this internal and misused representation actually dropping between 2007-2008. If I were to be able to say, oh, of course, the economy is causing bad people to do bad things, you would think that, that would actually have increased between 2007 and 2008. I think the long-term answer is, we don’t have enough data. I mean, the kind of statistician want to be in deep inside me says, well, I would really like to have several recessions worth of data to show you, but then again, I don’t want several recessions worth of data.</p>
<p><strong>Amrit Williams</strong>: Very good point! And hopefully we won’t touch that dataset anytime in the near term, because I think 11:22 from some of the economic conditions that are going on.</p>
<p>Quick question, have you been able to do any correlation between a combination of external actors utilizing internal actors to compromise, is that anything that you have seen increased? Is there a proliferation of that, or are these still fairly independent entities, you have the external folks trying to gain access and you have internal folks trying to gain access and there is no real sort of combination?</p>
<p><strong>Alex Hutton</strong>: There is actually a significant representation of combination of cooperation and combination in the dataset. If you look at Figure 7 on Page 14, we have got 27% of all breaches included agents working together. A lot of times, especially with regards to what we see in the Secret Service dataset, that’s an insider using a skimmer or what have you in conjunction with an outsider, so that you have got an unsophisticated internal actor who is being approached by or utilizing a more sophisticated external actor who kind of acts as the laundryman for the data that they have breached and used.</p>
<p><strong>Amrit Williams</strong>: One of the things that I am also curious about is, the word sophistication is used a lot, and I know that we have talked about the movement from hobby-based malware and cyber-vandalism, to fairly sophisticated and stealthy attacks driven by financial gain. Are you seeing that level of sophistication required in exploiting companies, or are folks still falling prey to the very basic stuff, that if they just simply implemented better controls that they wouldn’t fall prey to this, at least, they would fall prey to something different, but are the external actors or even the internal folks, they are just still taking advantages of some pretty basic stuff, right, we are not seeing a huge increase in some highly sophisticated attacks, are we?</p>
<p><strong>Alex Hutton</strong>: When I was first exposed to the Verizon dataset, I said no, no, no, none of this is sophisticated at all. But the fact that for five years running the dataset shows what I would consider simple things like SQL injection to be represented, I would have to say, well, maybe that is sophisticated, right?</p>
<p>The attackers, I think, from looking at the dataset and understanding what&#8217;s going on, especially when you kind of mentally correlate that to what we are being sold as an industry in terms of products and so forth, the attackers are very economically focused, they will expend only the energy they need to in order to make the data breach happen.</p>
<p>So if we are giving them access through SQL injection and we are giving them access through simple malware and drive-bys and so forth, and what you and I from the technical standpoint might consider unsophisticated attacks, they are going to use unsophisticated attacks.</p>
<p>That said, we still can&#8217;t manage these things. So maybe the technical concept is simple, maybe it&#8217;s actually a complex management problem, I don’t know. But whatever it is, I think every reader out there would say, looking at the dataset, we have got fairly unsophisticated attacks still being the majority representation in the dataset.</p>
<p><strong>Amrit Williams</strong>: That makes sense. I think maybe I stated this wrong. I think the use of the word sophistication requires context, because you and I have an understanding of something that the average IT person may not. Maybe a different way to state this is, have the initial compromises into an organization evolved to a point that traditional mechanisms or traditional controls would be easily bypassed?</p>
<p>(00:15:02)</p>
<p>And I think what you are stating is that, no, we are still falling prey to the same stuff we fell prey to yesterday, even though the malware that might be stuck on these machines to store passwords or data may be becoming more sophisticated. The attackers today are still enjoying the ability to crack our systems the same way they cracked them five, ten years ago.</p>
<p><strong>Alex Hutton:</strong> Yeah, exactly, and I think what the dataset says, and you can look at this in the latter pages, Page 50 on, if you are interested in reading about it, is basically, it&#8217;s relatively unsophisticated. Mitigation is usually 64% of the time simple and cheap. These are not new trends; these are things that you will see in the previous two Data Breach Investigations Reports as well. 90% of the time the information about a breach is in the logs, that sort of thing.</p>
<p>So that evidence points to, it&#8217;s there, we just are overwhelmed by mountains of information, overwhelmed by a lot of noise, in the signal to noise ratio. Basically, it is the fundamental things that lead to data breaches.</p>
<p>That said, there are representation of sophisticated attacks, and many times a targeted attack is going to have sophisticated means utilized. But the vast majority of attacks just don’t cost the attackers that much in terms of skills and resources.</p>
<p><strong>Amrit Williams: </strong>That’s troubling to me. That’s a very troubling statement. The Verizon Data Breach Report has been coming out for a couple of years. We have all this data that comes out from vendors themselves that talk about the type of attacks that are out there. It&#8217;s not a surprise that security is an issue for people and they need to increase the level of control that they allow access into systems, as an example. But it doesn’t look like the industry as a whole is doing a very good job of taking care of the basics. And that’s unfortunate, that’s troubling.</p>
<p><strong>Alex Hutton: </strong>Let me back up and state one thing though, in terms of kind of correlating, you remember we talked about internal and external and frequency versus impact, and throughout the Data Breach Report we kind of use percent of records breached as a notion of impact, because let&#8217;s face it, that’s a pretty good shadow indicator of true impact to a company.</p>
<p>One of the things that was interesting is that, even though, a very subjective notion, but advanced methods were required to perform the attack, only 15% of the aggregate total dataset out of 900, only 15% of those really represented a sophisticated attack. Those sophisticated attacks accounted for 87% of 900 million records breached. So again, you have to balance frequency with impact, and I want to make sure I do that.</p>
<p><strong>Amrit Williams: </strong>Oh, that’s a very good point, and well stated. I mean, I think most people can probably understand that an insider, a sophisticated insider, is going to have a far more damaging impact, or even a sophisticated external actor with a lot of support and resources behind him, is a much more devastating attack than unsophisticated folks using traditional methods. But good, very well stated.</p>
<p>So Alex, assuming that there are people out there that don’t know how to use Google, where can we get a copy of the Verizon’s Data Breach Investigations Report?</p>
<p><strong>Alex Hutton: </strong>The best place is <a href="http://Verizonbusiness.com/products/security">Verizonbusiness.com/products/security</a>. There will be a link right onto your right there.</p>
<p><strong>Amrit Williams:</strong> Alex, I really appreciate you joining us today.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 95: What&#8217;s Next? Looking to the Future of Cloud Computing</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 09:23:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the possibilities for cloud computing in the next few years with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the possibilities for cloud computing in the next few years with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-333"></span></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco, and has quite a prolific career, that I will not be able to repeat here today. So I will simply say, welcome Chris!</p>
<p><strong>Chris Hoff:</strong> Thanks man!</p>
<p><strong>Amrit Williams:</strong> So one of the things that I thought was really interesting in something you said was around this concept of how potentially this changes in the future. So just to sort of end on that, what do you think is going to happen in the next five years; I mean, where does this go?</p>
<p><strong>Chris Hoff:</strong> So I think the most interesting thing about computing/cloud computing is that the stuff that runs the back-end in the next five years gets kind of boring and commoditized. So the things providing service start looking very, very similar.</p>
<p>I think the next battleground or the resurgence of a battleground that is far more interesting is that of the mobile platforms that we use to consume and access this data. Why this is interesting and important to me, I gave a keynote talk at the Cloud Security Alliance Summit that focused on this, I called it the Cloud Magic 8 Ball, like what’s next in cloud computing.</p>
<p>Basically, there are seven billion people on the planet and four billion mobile handsets, not including sensors either. So the interesting point here is that, when you look at how smart and competent and capable a good number of these platforms are, regardless of the fact that the app that we started using on these phones was just a dumb web browser, a single app, now we have what ends up being &#8212; I have like a 100 apps on my iPhone. So each one of these apps, which uses for the most part HTTP to communicate anyway, but each one of these apps has its own little attack surface, has got its own little portal to various pools of information.</p>
<p>So what’s interesting with cloud is that, as these large cloud providers reconsolidate applications and data in these mega data centers, fewer and fewer of them, but with higher and higher densities of compute network and storage, these same applications and data are being replicated and deployed, in part or in whole, on the same mobile handset platforms that we use to make phone calls and then communicate and replicate data to.</p>
<p>So it’s funny, in as much as people today in the enterprise IT world, talk about the fact that they don’t want their data being in other people’s hands, but quite literally, that data is in other people’s hands.</p>
<p>So the evolution of the mobile platform and our lack of focus on the fact that we have always treated mobile platforms as mobile phones, like, oh, yeah, there is some Bluetooth snarfing and there’s the odd threat of mobile viruses and Trojans, but they have been more pain in the ass and have been widespread. These mobile phones, besides the fact that most of them these days, you can’t even make a freaking telephone call off of, thanks to the provider, and if you hold it with your left hand, you certainly can&#8217;t, but the point being there is, they are no longer phones. They are like the entire mini pocket clouds.</p>
<p>So I think the next big thing and it’s starting in the next couple of years, if not already, is, how are we, from a security perspective specifically, going to deal with, A, this complete bifurcated approach of securing the platforms where we were getting the ability to consolidate our data, again, in kind of micro DMCs, in the cloud, but now, I have got to secure that and I have got to figure out what happens to that data and the applications that are consuming it on the other end too, and we suck at both?</p>
<p>So really, really fascinating and interesting things that I think we are going to swing back over. We have discussed this before, about, we still don’t have ubiquitous high speed connectivity and bandwidth. I can’t make phone calls, although I can make a data connection. So I can’t do everything kind of dumb or thin terminal like on my phones. That’s why Apple started out with everything being links and then realized, boy, this sucks. So then they allowed applications to be placed back on the phone.</p>
<p>If you remember when they first came out, it was just a link to a website. Now it’s back to full-fledged apps again. So we are going to see really, really interesting stuff evolving out of that, and that’s kind of what interests me in the next five years.</p>
<p><strong>Amrit Williams:</strong> And it will be exciting as the technology improves and we move to a model of free range data, so there are going to have to be data wranglers.</p>
<p><strong>Chris Hoff:</strong> Data wranglers, yeah.  So actually, not to plug &#8212; well, actually, that would be a lie. To plug my Black Hat talk, the interesting thing here is, everything we have just discussed; my talk at Black Hat is called CLOUDINOMICON. The byline is, Idempotent Infrastructure, Building Survivable Systems, and Bringing Sexy Back to Information Centricity. So that’s exactly what we are talking about. It’s the fact that we have infrastructure that looks identical, which in by itself is an issue, with monocultures and built for scale.</p>
<p>(00:04:57)</p>
<p>We kind of know what building survivable systems mean, but we don’t do a very good job of it. And then the stuff we ought to be focusing on, which is the information, is the stuff that we have the hardest time getting our arms around, and yet, it’s the stuff that as we start to move it around everywhere, is what we need to protect.</p>
<p>So kind of it’s your main conversation given what I hoped to kind of revisit during my talk, but your observation was exactly correct; data wranglers. It’s going to be my new career title at some time I think.</p>
<p><strong>Amrit Williams:</strong> And I think that you should give the Black Hat talk running chaps too, to really get the wrangler message across.</p>
<p><strong>Chris Hoff:</strong> I could do that.</p>
<p><strong>Amrit Williams:</strong> This has been a great conversation, and I think a lot of people are going to get a lot out of it. For those looking to hear more from the Hoff, you will be speaking at Black Hat CLOUDINOMICON. Do you have other conferences coming up that you will be speaking at?</p>
<p><strong>Chris Hoff:</strong> I have got DEFCON, which is the FAIL panel too, and we also have the Cloud Security Alliance Summit during Black Hat, on the 28<sup>th</sup>. Then I have got a bunch of stuff that I will probably annoy people with coming up. There is some stuff going on at the NASA IT Summit. I am giving a keynote at SANS in D.C. I have got RSA Europe coming up with Mogul, which is going to be a blast. I think we will be the first people this year to be completely deported. Perhaps RSA Japan. All sorts of good stuff coming up. Lots of fun!</p>
<p><strong>Amrit Williams:</strong> So if people want to get in touch with the Hoff, they want to find out about what you are doing, where you are speaking at, get a little insight into some of the research you are doing, they can follow you at Twitter, @Beaker. They can go to your blog, which is Rational Survivability. What’s the address; is it just rationalsurvivability. &#8211;</p>
<p><strong>Chris Hoff:</strong> .com.</p>
<p><strong>Amrit Williams:</strong> .com, right on. Then they could find out more about the Cloud Security Alliance, that&#8217;s&nbsp;<a href="http://CSA.org" title="http://CSA. " target="_blank">CSA.org</a>?</p>
<p><strong>Chris Hoff:</strong> Actually, <a href="http://www.cloudsecurityalliance.org/">cloudsecurityalliance.org</a>. But if you really want to find out about me, you should come to the HacKid Conference in October in Boston that we are putting on, which is an amazing conference for kids and their parents; teach them how to hack, how to code, how to build robotics, trebuchets, hair hacking, food hacking, all that stuff.</p>
<p><strong>Amrit Williams:</strong> Oh my God! What? I want to go. I want to be a kid again. You are going to build a trebuchet and teach people to do robotics, are you joking?</p>
<p><strong>Chris Hoff:</strong> No, no, no. We have everything from Chris Boyd coming over from the UK, talking about safety online. We have teaching dads how to hack their kid&#8217;s hair. We have food hacking. We have electronic assembly, robotics, trebuchets. We have got meeting law enforcement. I mean, it’s awesome! It’s a two-day conference that came about because I took three of my girls to SOURCE Boston, because my wife left town, and so they had to tramp around a security conference.</p>
<p>They were interested in some things, but didn’t get others. So I thought, you know what, if I gear a conference that has security stuff and hacking stuff and hands-on, for kids and their parents, so you can’t leave them; you have to actually do it with them, it should be pretty cool.</p>
<p>So if you want to learn about that, go to <a href="http://www.hackid.org/">hackid.org</a>, and the schedule is posted. Registration will open pretty soon, and it ought to be a grand old time.</p>
<p><strong>Amrit Williams:</strong> Man, that sounds fantastic! I want to &#8212; we are here in the Bay Area, I am going to talk to you about this after we get off the podcast.</p>
<p>Chris, I really appreciate you joining me. That was fantastic! Thanks man!</p>
<p><strong>Chris Hoff:</strong> Okay dude, bye.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 94: Overcoming Compliance Requirements and Legacy Systems When Moving to the Cloud</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/#comments</comments>
		<pubDate>Sat, 24 Jul 2010 05:36:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, continues his discussion on effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.
Subscribe in iTunes:

Subscribe with XML:

FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, continues his discussion on effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-330"></span><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco, and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome Chris!</p>
<p><strong>Chris Hoff:</strong> Thanks man.</p>
<p><strong>Amrit Williams:</strong> So what’s interesting is, when you were talking a little bit about trust, I think this is probably not the first time, but this is the first time we have &#8212; again, not the first time, but where we have seen such a large focus on trust in IT, and it almost sounds like cloud computing, not being the only thing, but being a great driver towards trust becoming a commodity, and that people can actually trade in trust.</p>
<p>I don’t know if that’s probably an oversimplistic and naive way to look at it, but a lot of the rationale around why someone would move to cloud, ultimately there’s some element of trust that comes in that, when they accept that that’s the model they are going to take.</p>
<p>So I am very interested in discussing a little bit more about your experience and your exposure to some of the ways that people are overcoming or are being challenged by some of the compliance requirements when they start looking at cloud computing resources.</p>
<p><strong>Chris Hoff:</strong> Wow! By the way, that was &#8212; trading and trust, I am going to totally steal that, I think that’s a fantastically elegant way of stating, what in some cases might be obvious to some, but is just such a big problem for the market in general.</p>
<p>So how are people &#8212; and I guess I have to ask, when you talk about people overcoming their fears or concerns, which people; security, IT, compliance, the business? I mean, I think each of them have a different perspective on what they are “afraid of”.</p>
<p><strong>Amrit Williams:</strong> Ultimately, I think by people I mean the business itself and I was probably poorly worded, because I think it doesn’t really matter what Joe Admin thinks about if the company is going to do it, he kind of needs to toe the line and do it, what needs to be said. But ultimately, somebody needs to make a decision that we are going to allocate resources and we are going to allocate dollars to an initiative that has to do with cloud computing, and at some point they get exposed to the compliance challenges. So I mean, people is probably the poor word, I meant organizations as a whole.</p>
<p><strong>Chris Hoff:</strong> Yeah. So I mean, even breaking that down further, I think in many cases, business people and lines of business, that if they are responsible and own the expenses associated with computing, are very interested in understanding why their company, their IT department, is not moving to cloud, because they read on Page 3 of the &#8216;<em>Wall Street Journal&#8217;</em> or even Page 1 that, look, it just saves you so much money. And when we talk about cost efficiencies and agility and time to market, these things matter.</p>
<p>Clearly, however, when they ask IT, the folks that are supposed to &#8212; if they ask them at all, by the way, right? And I am not sure how much of this is really one of those urban myths. I continue to hear how like these rampant tribes of business people that are just running out with a credit card and spooling up applications on Amazon, which to me appears to be complete bullshit, because you have to still understand and know how infrastructure functions to make that work.</p>
<p>I can see that on the SaaS side, like you just go to Gmail, great, I get that, but I am not sure how much of this, I just ran out and replaced 300 servers with a credit card overnight and I am Bob from Accountemps, I don’t see that happening a lot. But certainly what we are saying is, hey, our email system at work sucks, why don’t we use Gmail; pressure, pressure, pressure. And these are all valid things, right?</p>
<p>So I think on the SaaS side, people can and do make an excellent business case for cost efficiency, especially when something is free. Now, that’s kind of the hard cost. The soft cost is associated with support. What happens when something bad happens is usually not taken into consideration.</p>
<p>But in many cases, the business &#8212; and these large organizations, they kind of get the basics of risk management, risk assessment, they know what’s core to their business and what isn’t. They generally know, ooh, this is something I should ask about, in these larger companies. I mean, some people would argue that, that doesn’t happen, but for the most part my experience has been that they have been generally good about looking at the opportunity, gathering data, and then going to IT saying, why can’t we do this? Tell me why it’s a bad idea.</p>
<p>That happens quite a bit with SaaS services. We have seen that with Salesforce, we have seen that with CRM and email solutions. Applications that are used daily, that in a way it’s funny, in many cases people say, well, email is not critical. I was like, yeah, try going without email for three days and tell me how critical that is.</p>
<p>But they talk in group applications and the things like our sensitive financials, email. At some point you could say that to an organization that sells things, your customer lists are pretty darn sensitive.</p>
<p>(00:05:01)</p>
<p>So depending on the model, we have a lot of stuff being pushed into SaaS, and they are overcoming their “fears”, the businesses, because it’s been generally getting more reliable. They pay more attention to security, because they are responsible, as we already talked about, for the entire stack, generally.</p>
<p>So we have had for the most part some reasonably good experiences, business and personally, with SaaS. That is proceeding nicely. It’s when we get into the platform and infrastructure-as-a-service, which is relatively new from the perspective of what cloud and the operational models mean, to where, done improperly, not understanding that in many cases to take advantage of these architectures you have to completely rearchitect your applications, which impacts operational models, support models, security models, risk management models, all of these things change, and this generally happens more on the platform and infrastructure-as-a-service side.</p>
<p>So what’s happening is, to kind of get over that “fear”, this isn’t so much a business person’s reaction, but more like the IT department&#8217;s or the app groups that support the business units, they take noncritical apps or test and dev, and they dip their toe in the water and they try it, where they move noncritical, just kind of even noncritical web applications that don’t transit in heavily regulated information, they put those online. Cutting low-hanging fruit of things that would otherwise just cost money, for which you really don’t need to purchase infrastructure.</p>
<p>So as those things progress, people get more comfortable with the benefits of cloud, but it’s still, as soon as you hit that line, that giant four-letter word of compliance, where anything that is heavily regulated or even is regulated, by something that would prevent me doing business, if I got a finding on it, that’s the thing that causes things to come to a screeching halt.</p>
<p>So in many cases, even if IT would agree that it is a perfectly reasonable platform, that I could make just as secure, if not more secure, that I could reduce cost, get better efficiency, help grow the business, focus on running the business instead of building the business, even if IT agreed, and even if security agreed, the day the auditor shows up and says, you fail because we don’t take into consideration, you don’t meet these requirements, because our regulatory compliance frameworks don’t take into consideration this disruptive innovation, that sucks. That’s what’s stopping these folks.</p>
<p>So even when you have an enlightened set of organizations, they are still being stalled today by what they can or can’t do. That happens to me, to be quite frank with you, in interviews with these big customers, more often than not. You have got a bunch of people who want to do the right thing, who want to focus on the things that matter most, and they end up not being able to, which stinks.</p>
<p><strong>Amrit Williams:</strong> Also, we have another problem is, we have a lot of precedence here, I mean, when we look at compliance. I mean, we are a common law country and so we always look for the last case that can help guide a decision, and unfortunately, I don’t think there is anything that’s unconstitutional with cloud computing, so we have to look for those cases we can turn to where something happens, and there’s just not a lot of them. So it’s a very, I think &#8212; it’s an unknown for a lot of organizations to say, well, what happens when the auditor comes, who do we look to, who has done this successfully, where is the model that I can turn to, to show, look, this is how it worked over there, why can’t that apply to me here.</p>
<p><strong>Chris Hoff:</strong> Yeah, totally! What is worrisome about that is, is the spectrum of referential cases that we are looking at can span everywhere from being constitutional nature, down to tort law and below and basic elements associated with eDiscovery and forensics and preservation of &#8212; we talked about monitoring and management before, and the legal implications thereof.</p>
<p>Like how do you &#8212; I am waiting for the first time, for example, that somebody has something unfortunate happen to them in a public cloud environment, in an environment where multi-tenancy, Coke and Pepsi, right? Somebody gets charged for doing something wrong in a shared multi-tenant environment, and I am waiting for the first time somebody brings on an expert witness that asks for mathematical proof, that the isolate &#8212; or just proof, positive, that the isolation capabilities of a piece of software, vis-à-vis the hypervisor, is such that they can prove without any reasonable doubt that there was not corruption of memory, corruption of the networking space, corruption of storage, or leakage between them, that would in any way suggest that this could have been somebody else acting on my behalf or acting in proxy, as it relates to this image.</p>
<p>(00:09:52)</p>
<p>I mean, when we think about the trust model, with both virtualization and cloud, we predicate the entire operational sanctity of these environments on pieces of, albeit modern and thin, but pieces of software, that in many cases have not undergone a lot of public scrutiny and in some cases haven&#8217;t undergone any, because of the proprietary nature. And it&#8217;s a violation in some cases to even reverse engineer. So it could be a DMCA and other things.</p>
<p>So here we have, essentially, I can imagine the first day at court when somebody says, you know what, it wasn’t me, prove it was me. You can have all the logs you want saying, came from this IP address, and this virtual machine, and that person owned it, but it comes down to somebody saying, the isolation driven by software, and even in part by hardware, that’s why we have things like Common Criteria. With EAL it was up to 7, where people have to do this ridiculous mathematical proof statements, and these hypervisors aren’t certified under things like EAL or Common Criteria, because they just aren’t, for the most part.</p>
<p>I think the most we get up to is 4 and 4 plus for most of the commercially available hypervisor platforms, and some of the ones that are proprietary, like these mass market clouds, aren’t certified at all.</p>
<p>So that’s going to be really, really interesting when we start seeing the first cases of the abuse of these trust models from the perspective of modeling.</p>
<p><strong>Amrit Williams:</strong> It’s going to be fascinating once these things happen, because they will happen. I mean, we are certainly going to see one of these big events. I am sort of surprised one hasn’t happened yet, or maybe one has and it hasn’t been made publicly available, I don’t know. But since we really are working at a trust model here, I think something like that will really start shaking up people’s perception of how viable something like this is.</p>
<p>And quite honestly, at the end of the day, this is a fantastic model. I think it’s very exciting to be a part of it, to see it happen, is really phenomenal. I mean, we are going to see things happen in the next 10 or 20 years leveraging this concept.</p>
<p><strong>Chris Hoff:</strong> Yup, I agree. Now, you and I can both put on our security hats and issue the but, right? That’s the duality between that consumerized perspective and the IT perspective. Like there are so many awesome things that come out of this. Like I am so incredibly pro-cloud computing, it’s not even funny.</p>
<p>But then, most people disassociate my love for that, and the fact that I run &#8212; I happen to have applications that I have written and deployed on multiple clouds. I use it every day, I use these consumerized services every day. But that gets overshadowed by the fact that when I put my security hat on and I say guys, again, we are building &#8212; those who fail to learn from the past are doomed to build upon it, and we are building on 40 years of evolving, but imprecise and generally as secure as it was needed to be the function sets of infrastructure, metastructure and infrastructure.</p>
<p>And that’s the challenge, right? In general, enterprises don’t get a chance to do a do-over. This is where Amazon and Google and folks that get to start from scratch and build their own hardware, their own software, their own operating systems, and file systems, have been able to make leaps and bounds to where one could say that the operating system as a whole; the infrastructure, the applications, the protocols, all that sort of thing, packaged as a whole, probably are more securely run and operated than an enterprise, because they don’t have 20 plus years of legacy crap to maintain.</p>
<p>It would be great if we could all just kind of reboot. But that’s part of the problem, with, again, the expectations of the enterprise. We don’t just get to rewrite every single application and move it over to take advantage of this stuff. We have got so many &#8212; I think the average large enterprise has something like four-and-a-half versions of every app running on their networks, and there is somewhere on average of 600-2,000 applications per a large enterprise. That’s a boatload of anchors from the last 20 years, right? Lot of it custom-written, lot of it on platforms, mainframes even, things that just unfortunately don’t move over so easily or as quickly as we would like.</p>
<p>So I think the thing isn’t existing enterprise model for compute versus cloud, but it’s the messy stuff in between, that when I put on my security hat and maybe you put on yours, is the thing that really just starts driving me nuts.</p>
<p><strong>Amrit Williams:</strong> I mean, one of the things we have in security, I mean &#8212; I think I was talking to Jeremiah once, and he is like, gosh, I hope we don’t solve this, because then I don’t have a job. And I said, Jeremiah, trust me, you are always going to have a job. Because even if we look at &#8212; there’s going to be a day where I can log onto the Internet and I can program my toaster to make sure I have warm toast when I get home, but as soon as that happens, some 15-year-old kid in Scandinavia is going to burn my toast, right?</p>
<p><strong>Chris Hoff:</strong> Yes!</p>
<p><strong>Amrit Williams:</strong> So there’s always some way that someone is going to figure out a way that will make sure security people have jobs. But what I find fascinating about all this, and I wanted to dig in a little bit in something you said is, a lot of the infrastructure that we use today is fundamentally flawed in terms of security. I mean, whether it’s our routing infrastructure, whether it’s the operating systems themselves, even some of the hardware capabilities that we have are flawed. And it’s because of all this legacy stuff that people are cramming on top of it.</p>
<p>(00:15:02)</p>
<p>You made a statement that a lot of these companies are able to start from scratch. Do you think that they understand the security implications and build out against those requirements as opposed to try and layer it on top later, which is the problem we are currently facing in most infrastructures?</p>
<p><strong>Chris Hoff:</strong> In the example of the two companies I mentioned, specifically Google and Amazon, I think that of what I do know, both from the perspective of people that I have spoken to, as well as their general response and how their systems operate, in terms of being a consumer, I think that they have paid quite a bit of attention to security and security models. To the point that in many cases the things that would give you great amounts of concern have been abstracted to the point that they &#8212; it’s like rounding off the sharp edges on a table.</p>
<p>A lot of these things have been blunted, such that the attack surface has become much less pointy. Based on lessons that they have learned, and as well as what is required, in many cases, from their target audience which is good enough security, whereby &#8212; and it seems kind of counterintuitive, but in many cases, depending upon the service and what’s offered to you, and which delivery model, I think a lot of the new emerging truly cloud providers, and this gets into the technical detail, versus just kind of plain old web apps that have essentially grown out and had the word cloud plastered in front of them, a lot of these vendors like Amazon have really taken this notion of what works, what doesn’t, what do I need in terms of the bare minimum requirements to move traffic and move it as securely as possible?</p>
<p>And they have done a reasonably good job of designing and looking at like software-driven network fabrics, provisioning and governance and orchestration systems, all the automation and really programmatically addressed a lot of the things that we otherwise, with a much richer set of features and functions in an enterprise class product, so many more switches and knobs you can flip and turn, so many more things that, for example, with extra code have been there in bloat to support legacy requirements, I think they have actually done a pretty good job.</p>
<p>But again, I want to be really specific about the difference between somebody who utilizes technology and operational and infrastructure models that are truly cloud computing in nature, that were built from the ground-up, for scale, for extensibility, agility, self-service, those sorts of things, versus a service that has been around for 8, 10, 15 years, that started out as hosting or as an application ASP, that to be convenient from a marketing perspective has none of the characteristics of cloud computing from the perspective of how you might go through NIST&#8217;s definition; no measured service, no rapid elasticity, no resource pooling, not on demand. Doesn’t reflect any of the true kind of definitions on the technical side of cloud, but rather just had the word cloud splattered in front of it, because it was a good marketing term.</p>
<p>I divorce the latter examples from my answer and say that, no, they deal with all of the problems that automation brings and all the crap that they had to maintain with their legacy hardware, at least the newer guys do not.</p>
<p><strong>Amrit Williams:</strong> And it also looks &#8212; I mean, some of the stuff I have looked at shows an abstraction of what was previously very interconnected elements in two disparate units, which I think is really good. And then taking those disparate units and isolating them from each other, so they are limiting the ability for sort of this cross viral infection type of thing that we have seen a lot of lately.</p>
<p>So that’s exciting, and I think that’s something that will hopefully get adopted into regular commercial practices as well, and not just offered by the cloud computing guys. Because that is a model that, unfortunately, I think we need right now. Everything is so interconnected, even just at the operating system level, that this ability to isolate abstract and try to segment things off from each other, it&#8217;s sort of key to how, when you go back to what you were talking about with multi-tenancy and trust, those things become really key, and so hopefully we will see that better adopted as well inside of just commercial practices.</p>
<p><strong>Chris Hoff:</strong> Yeah. I mean, we have a lot to thank at the infrastructure and platform level. We have a lot to thank virtualization for in that regard, in the last four or five years has really taken the lessons we have learned with virtualization from the past and made a lot of this stuff a reality.</p>
<p>The counterpoint to that is, when you look at some of the Software-as-a-Service models, they are not actually based on, or they don’t utilize virtualization, their definition of multi-tenancy is something done at the application or database layer.</p>
<p>(00:19:54)</p>
<p>So again, I think I agree that ultimately this isolation is a good thing. How it’s done and how transparent the methodology and technology used to implement that stuff, I mean, a great example is Joanna Rutkowska; somebody that originally had a hard time accepting the way in which some of the research was marketed. But I kind of looked at ultimately the evolution over time of what the message was supposed to be, which is, look, even when we start trusting hypervisors or even the chipsets that do some of the extended virtualization capabilities, her research, and her team’s research, that kind of introduced the notion of reasonable doubt relating to your trust and how these isolation mechanisms are deployed, ought to give us pause, even when we look at how good one of these new style cloud providers may be in terms of their ability to isolate, they still have to deal with the laws of physics, and they still have to deal with the fact that in many cases they are using commodity hardware, and software in some cases, to deploy their services.</p>
<p>So I am not writing a blank check saying, by default they are more secure. I am saying, they have done I think a better job in threat modeling, in understanding what has worked and what hasn’t in the past, and what has introduced security problems. And most of these providers who are staking their business on the fact that they have to maintain integrity and availability, and in most cases confidentiality too of the stuff running on them, their entire business model is based on that.</p>
<p>Could you imagine? I mean, all it would take today to set the entire cloud market back, and I mean that holistically, in that one ugly bucket of everything cloud, and I pray this never happens, but if Amazon Web Services were to suffer, for example, an attack, or even just suffered from a vulnerability, not even maliciously exploded, but one that&#8217;s accidentally exploded, whereby the isolation provided, which is the entire core tenet of why you should trust doing business with them, but if they suffered a breach or an issue there, that allowed or exposed one customer to talk to another or vice versa, the entire premise for why you should trust any amount of cloud or virtualization would be set back ten years.</p>
<p>So for all of us, from the perspective of using and consuming, as well as securing and providing cloud-based services, I hope they have done a very, very good job. But we, in some of these cases, don’t know, because they are not &#8212; these companies operate in a very nontransparent, non-communicative way, which unfortunately, for the security community is the worst thing you can do, right? Not talking to us, not telling us how you do things, and just pointing me at a SAS 70 Certificate, that&#8217;s not going to help your cause.</p>
<p><strong>Amrit Williams:</strong> Thanks for joining me today Chris. And everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter at Beaker. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at <a href="http://cloudsecurityalliance.org/">cloudsecurityalliance.org</a>. And for those interested in working and teaching and learning about how to get kids to hack, and by hack we mean just learn cool stuff, you can visit <a href="http://hackid.org/">hackid.org</a>.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 93: Is Trust the Real Barrier to Cloud Computing?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 22:27:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the barriers to effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.
Subscribe in iTunes:

Subscribe with XML:

FULL TRANSCRIPTS
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”; and today I am [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the barriers to effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-327"></span><strong>FULL TRANSCRIPTS</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”; and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome, Chris.</p>
<p><strong>Chris Hoff:</strong> Thanks, man. How are you?</p>
<p><strong>Amrit Williams:</strong> I’m good, man, I’m fantastic; how are you?</p>
<p><strong>Chris Hoff:</strong> Excellent.</p>
<p><strong>Amrit Williams:</strong> Excellent. So just coming off 0:22 Con, I know that was a fantastic event. We won&#8217;t drill into that here, but you’ve built up quite a following and put out some fantastic research and some thoughts on cloud computing, especially as it relates to security. So I thought we would dive right into that.</p>
<p>But before we do, because I have a varied audience and I don’t know all of their understanding of the space, maybe you would just give a quick high-level review of what cloud computing means and what it doesn&#8217;t mean, because as you know a lot of people argue about that, and we will just get that off the table and then move on.</p>
<p><strong>Chris Hoff:</strong> Yeah, awesome. I am just so glad we have six hours to do that. So let me get right on it.</p>
<p>It’s very interesting. I think there are two valid but diametrically opposed perspectives to what cloud computing generally means. And on the one hand, you have a very kind of IT, geeky, empirical Visio/OmniGraffle version of what cloud computing means with lots of boxes and requirements that talk about elasticity and self-provisioning and all of the kind of very technical perspectives on what is or isn’t cloud computing. And it’s interesting and it focuses on infrastructure. For folks in the technology field, it’s a great way to fire up debates on Twitter.</p>
<p>The other perspective, which I think is equally as interesting and valid and in many cases is actually one of the true reasons that cloud computing is so interesting, is the consumerized view, which is that pretty much anything on any platform that interacts with my data using the Internet or, in many cases, any type of ubiquitous network is also cloud computing; so, my Xbox LIVE, Twitter, Gmail, anything that essentially provides me network-based access to applications and content.</p>
<p>So the problem is when you lump everything into one bucket, it becomes very, very difficult to figure out in many cases, depending on the perspective you are coming from, what is or isn’t cloud. The reality is there is &#8212; you can&#8217;t 2:30 a dead cat without somebody giving you a definition. I am not going to offer one up other than to say that in many cases, it’s the natural evolution of a lot of stuff we have been dealing with for decades with some cool sprinkling of technology with a great confluence of socioeconomic, political and technology happenings converging at the right point in time. And we will just leave it there, right? I mean, I don’t think we need to get any further geeky than that.</p>
<p><strong>Amrit Williams</strong>: Well, I think that’s actually a great definition. I even love how you threw in the political thing there, too. That was fantastic, because we all know how much the Federal Government is pushing cloud computing, especially there.</p>
<p><strong>Chris Hoff</strong>: Yeah, very much so.</p>
<p><strong>Amrit Williams</strong>: So what do you personally focus on, then, in your role?</p>
<p><strong>Chris Hoff</strong>: Oh, at Cisco?</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Chris Hoff</strong>: Yeah, so I report into our Security Technology Business Unit, which is responsible for most of the physical as well as cloud-based security offerings everyone knows and loves, everything from the ASA firewalls to Ironport Scan Safe, those sorts of solutions. And my job is to work with our Strategy Team, our Product Teams, Engineers, Marketing and as a vertical within that Business Unit to help build and deliver solutions specific to how we take what we do today and make virtualized and cloud solutions out of them or in conjunction with them. And then since we also leverage those technologies across all the other Business Units in the company also figure out how to make sure we solve those problems for other Business Units so they can take that technology and deploy this part of the solutions. So that’s what I do internally. I talk to a ton of customers, and I go out and speak a lot.</p>
<p><strong>Amrit Williams</strong>: And externally you’ve got a very… probably not a radically different persona than you do internally, I’m sure; but just one that’s probably more vocal.</p>
<p>You focus a lot of attention on the security side of cloud computing, and so I think you gave not a definition but a very broad stroke of what could potentially be termed or fall under the umbrella of cloud computing; but I think ultimately at its core, a lot of organization are looking to take advantage of resources that are provided by third parties that allow them to very quickly bring up or bring down basically computing power.</p>
<p><strong>Chris Hoff</strong>: Yep.</p>
<p><strong>Amrit Williams:</strong> And that’s pretty powerful, but it also brings up this whole question of what happens when you lose control. And it’s not necessarily that something is insecure because you lose control; but as we know, humans tend to be irrational. This whole concept of fear of flying versus fear of driving is probably a good representation of a loss of control where one could easily argue that it’s safer to do one over the other, regardless of the level of control.</p>
<p>So when you look at security in cloud computing &#8212; and I know that you had some work with the Cloud Security Alliance, I believe that was the organization you were involved in &#8212; what are the key things or the key aspects of cloud computing that change the dynamic for how IT is approaching security in general?</p>
<p><strong>Chris Hoff:</strong> Yeah, and as a speaker I still am involved in Cloud Security Alliance. I am one of the Founding Members and I am also the Technical Advisor. So I spend a lot of time with the various research projects that we do, and one of them is the guidance that is enjoying its current second rev and embarking on a third rev, which basically addresses the very questions you just asked, like what is the difference between what I do today and what we&#8217;ve been doing for years versus what both virtualization as an enabler for some elements of cloud computing and then, more specifically, cloud computing, what do these differences look like, what&#8217;s the same? What do I have to look out for? What new risks or threats come out of that?</p>
<p>And in many cases the things that people have trouble with emotionally are, as you allude to, kind of the traditional server-hugging approach of loss of control; but in any case when you lose control, that’s not the same thing as potentially not being able to trust the fact that these systems or the things you&#8217;re losing control over are, as you said, any more or less secure.</p>
<p>So a lot of this has to do specifically and unfortunately with some of that definitional nuance we went into before, which is when you are talking losing or, as I say, gracefully giving up operational control in many cases in cloud-computing environments, what kind of cloud computing are you referring to? Your expectations differ, based on the delivery and deployment models of the cloud offering you are using. For example, in Infrastructure as a Service, the line of demarcation in responsibility for what you as a, quote/unquote, “consumer” of that service and what a provider is responsible for is very much different than if you were to use a Software as a Service.</p>
<p>The classical example there is if you used Amazon Web Services, anything within the AMI, the virtual-machine bundle, meaning the operating systems, the applications and the content, are up to you to still deal with in terms of security. Compliance, privacy, all those things are still your problem.</p>
<p>The things under the covers, the mechanisms that make all of that work that is abstracted from you, are the responsibility of the provider. All right, so they get to maximize availability &#8212; confidential integrity, if you want to use the GQC/SSC definitions of their platform &#8212; but anything above that is you.</p>
<p>In Software as a Service, let’s say like Gmail, the reality is your expectation is the security thereof, is the responsibility protecting your confidential integrity privacy short of settings and buttons that you can do in terms of provisioning and giving others access to it, is the responsibility of the provider.</p>
<p>So we have to be a little bit more clinical and specific about when we talk about the differences of models of both security when we talk about the deployment and delivery models of cloud, because they differ and your expectations do. So on one hand, your only option is to RFP or contract it in, stipulate what you expect with remuneration and penalties if something goes wrong on the Software as a Service side. On the Infrastructure as a Service side, in many cases you have to contract chunks of it; but then you have to build in a tremendous amount of it.</p>
<p>So everything that we deal with in non-virtualized, non-cloud environments, we still have to deal in one form or another; it’s just who gets to deal with it, right: the accountability versus responsibility piece. That’s the thing that&#8217;s critical for people to understand.</p>
<p><strong>Amrit Williams</strong>: And I appreciate that. So we will break both of those down in a second; but I think a lot of organizations because of just the sophistication of the threats have really fallen back to trying to expand the level of visibility they can get through monitoring. So they will sit there and they will watch ingress and egress traffic to try to determine if there is any anomalies that are present in the network or the traffic, if there is anyone trying to do something to compromise the systems, and then from that try to respond to an incident to limit its impact.</p>
<p>That becomes incredibly difficult when the traffic is not traversing the network &#8212; the network that you control as an IT Administrator, for example, and I am a Security Administrator. So you have a corporate asset, for example, that’s outside of your network that’s traveling the world like you and you happen to be somewhere in a hotel and you are accessing corporate resources that are housed by a third party.</p>
<p>And it’s not so much, you’re right; I think it’s not that these problems go away; but they do shift the accountability. Accountability in the SaaS model is really on the provider to tell the consumers of the technology that, “Listen, we are doing the appropriate thing, and you can trust us that we are monitoring that traffic for you”. But they don’t expose that data, and I think that causes some concerns for an organization that has really fallen back on monitoring as being key.</p>
<p><strong>Chris Hoff</strong>: Sure. Well, and in many cases, you said an interesting thing, which is depending upon the platform and the level of abstraction that the cloud provider has settled on building their infrastructure on, the ability for you as a consumer to actually gain access to what would normally be described as the network can be incredibly limited.</p>
<p>In the case of many of the mass-market kind of good-enough-is-good-enough cloud providers where you’re dealing with the topic of my backup talk is this kind of notion of omnipotent infrastructure, which is really maximized for scale where homogeneity at the infrastructure layer is critical for operations. The reality is, you get a dumbed-down single virtual interface, right? And the ability for you to plumb in compensating controls or use technologies like even logical or physical taps are an impossibility, given some of these choices.</p>
<p>There are other cloud providers that are differentiating based on their ability to expose, via API or direct hooks or virtual tapping capabilities, and give you back some of the capability and plumb in virtual appliances, right? But again, you’re dead-on. A lot of the monitoring, say squeezing the balloon problem or, as I call it in my reference diagrams, the Security Hamster Sine Wave of Pain, right, where we invest and how we invest in the compensating controls is really a function of what is made available to us in terms of speeds and feeds being able to keep up and actually peer inside the data.</p>
<p>So as the definition of the network changes from a physical network that gets abstracted into a logical representation thereof where you only see chunks of it and you can’t really get good coverage, you may have to essentially redeploy things at the host level, which gives you a security-scalability problem from a management perspective, right?</p>
<p>And we’ve been playing this game for a long time, right? Host-based agents, 27 agents, 1 super agent, and then the network speeds and feeds catch up and they do well for a while; but then we encrypt everything we can’t see inside it again, and we go back and forth. That’s kind of what’s happening with cloud, and the notion of baselining what is normal when, as you say, a lot of this traffic doesn’t traverse the, quote/unquote, “network” and it’s external to the things you manage and have visibility for, makes monitoring and management in the traditional sense very, very difficult.</p>
<p>In fact, Rich Bejtlich just brought up a post last night that was talking about monitoring in IDS and, in fact, forensics in the cloud and using things like let’s just say a NetWitness product that does full packet capture and replay. The need to, for example, deploy big, fat reverse proxies that cloud providers are doing in order to capture trends over VPN so you can actually truck that back to a central site to do capture and replay or apply policy is kind of what’s happening again. It’s the reinvention of the inside-out model via overlay VPN. It’s a very interesting dynamic that we’ve seem a couple of times before but is happening because of cloud again.</p>
<p><strong>Amrit Williams</strong>: Well, let me &#8212; you said something very interesting I want to dig at just a little bit because we, having Security backgrounds that we do and also dealing with infrastructure management, it’s not uncommon for organizations to look at Security in a very different way than we would. And you said that there were a set of providers that were differentiating on providing APIs that would allow folks or hooks into the applications that would allow folks basically to plug in their own virtual appliances so that they could get some level of visibility back.</p>
<p>Do you see that as really becoming quite a prolific requirement, or is this still on a fringe? I mean, clearly guys like Bejtlich, I mean, that’s his life, right? His life is monitoring for the most part. So it’s not &#8212; I wouldn’t be surprised if he’s dedicating a lot of time to try and evangelize ways that people can get better monitoring with cloud computing. But do you think the average organization or the average folks within that organization that are infrastructure-management people understand or have the desire to make this a criticality, that this is a critical requirement?</p>
<p><strong>Chris Hoff:</strong> I will answer this in the only way I know how, which is in the scope of the customers I’ve talked to, which are for the most part very large enterprises. And the barrier to entry for public &#8211;</p>
<p><strong>Amrit Williams</strong>: Just to set that prerequisite, I mean, when you say “very large”, I mean, you’re talking about very large organizations anyway; so, people, this is not something you’re &#8212; you’re not generally interacting with a small &#8211;</p>
<p><strong>Chris Hoff:</strong> SMB, yeah, yeah. No, I’m talking like Fortune… there isn’t really success a thing, but Fortune 2000, Fortune 500, Fortune 100, Fortune 50, that kind of size; nation-state government type, that sort of thing too. And I bring that up only because it&#8217;s to set context and appropriate levels of comments relating to the question you asked, which is the barrier to entry for using public cloud or private clouds that happen to be managed or hosted offsite from their physical premises. The barrier to entry is trust, and trust in this case I define as security, compliance, control, availability and reliability and privacy. So you kind of take all these pieces up and you look at this and see Enterprise Security Teams look at how they are currently regulated, which compliance frameworks they’re under, what their auditors and/or the compliance services allow them or don’t allow them to do.</p>
<p>And in many cases when they try to match up the readiness and availability of cloud providers against the need to be compliant, they notice a couple of things. They notice for the fact that, for example, if you want to pick &#8212; pick anything; but pick, let’s say, PCI, which talks about the need for either a WAF or code review, right? If their answer to that has generally been, “Oh, we’ll deploy a WAF”, well, the ability to do that in a certain cloud provider’s network in ways that don’t require them to completely re-architect their applications, which in many cases you have to do anyway for cloud, or buy a new product that fits in a cloud environment that prevent them in many cases from &#8212; this is just one example of what could be hundreds &#8212; of actually deploying in that environment. It’s a kind &#8212; I’ve kind of dumbed-down the case; but as a counterargument, these other cloud providers who take a platform that looks very much like the same virtualization and/or cloud platform or cloud-like platform is being deployed inside their infrastructure, and if these cloud providers deploy that, which allows them to get flexibility in how much of the network they expose, that the hypervisor exposes APIs to allow them to do virtual introspection, that they can plumb in virtual appliances, the same virtual appliances that they might start deploying internally, then not only do I have the ability to more easily pick up a workload from my internal infrastructure and move it out, but I can also pick up the corresponding compensating security controls or require that the provider deploy one, too.</p>
<p>So in the scope of the customers I am talking to, this is an enormous piece of the puzzle and is an absolute requirement, because they require monitoring, they require VPNs, intrusion prevention detection, firewalls, NTX, WAF, all of that stuff in a virtualized context or in a context where even if it’s not a virtual appliance that the provider has integrated the same capabilities &#8212; regardless of technology, the same capabilities &#8212; and exposed that via the platform. That’s the difference between today’s maturity of mass-market public cloud providers who claim to be, quote, “enterprise-ready” but don’t actually run any critical or heavily regulated compliance-based applications in their networks from customers who simply can’t or won’t, because those things don’t exist.</p>
<p>So reading between the lines here that this whole public/private cloud battle is really about the need to satisfy compliance requirements associated with how these enterprises are measured, which is whether you are compliant or not, period. I mean, that’s the first hurdle you have to get over. It’s not about is it more or less secure for most &#8212; in many cases; it&#8217;s do I pass the compliance sniff test first? Then we’ll talk about Security.</p>
<p><strong>Amrit Williams: </strong>Yeah, that sounds very similar to how people look at internal security as well, unfortunately (laughing).</p>
<p><strong>Chris Hoff:</strong> Yeah, exactly (laughing).</p>
<p><strong>Amrit Williams:</strong> So let me before I dig into question I wanted to ask you, I wanted to just take a moment, and for the audience’s sake, could you give a brief description between public and private cloud? And by the way, I know this is another very contentious area of definitions.</p>
<p><strong>Chris Hoff</strong>: Oh, I don&#8217;t know if I &#8211;</p>
<p><strong>Amrit Williams:</strong> But at a very high level (laughing), for the purposes of the conversation when you describe a public or private cloud, what are you referring to?</p>
<p><strong>Chris Hoff:</strong> Well, let’s see. The great part about this conversation is that, as you say, it engenders lots of fabulous emotion that goes along with the answers; but I am going to make this as non-emotional as possible. So within the scope of how I like to refer to public versus private, I kind of build my definitions off of the NIST model, only because I think ultimately that it’s done the best job of unifying language associated with giving meaningful answers to this question.</p>
<p>So public cloud is really cloud-based infrastructure that is made available to the general public, where the notion of multi-tenancy means that you could have Coke and Pepsi sharing the same physical infrastructure isolated from one another; but you don’t necessarily have separately reserved or carved-off sets of infrastructure.</p>
<p>Private cloud, when we talk about that same level of isolation and control and ultimately ownership, what private cloud really talks about is that the infrastructure is operated solely for a single organization within the construct of how it’s governed, how it’s managed and how it’s carved off. That doesn’t mean that I can’t expand or contract within a known scope of compute network and storage resources &#8212; because I can, I can scale up and down &#8212; but it generally means that these are sets of infrastructure that is in some way dedicated either by policy, isolation or otherwise from mixing Coke and Pepsi.</p>
<p>So that’s why you can have &#8212; people confuse the word “public” and “private” with the words “internal” and “external” all the time. And “internal” and “external” are just adjectives that talk about where the resources are located. The things you should be focusing on are ownership and control, right? Who owns the infrastructure and/or who controls it? And when I mean “control”, I talk about policy, governance, that sort of thing.</p>
<p>So two great examples would be Amazon Web Services’ public cloud, which allows anybody basically who meets certain requirements like having a credit card or whatnot to sign up and use shared compute network and storage resources. You don’t know who you are sitting next to, you don’t have to worry about that; but the multi-tenant model is that, is a shared one.</p>
<p>Private cloud could be &#8212; a good example would be an enterprise that has been building their highly virtualized infrastructure where the notion of multi-tenancy talks about supporting different business units, and the evolution from just heavily virtualized infrastructure to true private cloud really talks about adding chargeback availability and self-service portals, both of which are now arriving on the scene to give you this true private-cloud capability.</p>
<p>I should also say that you don’t have to locate that infrastructure behind your firewall. It can be located and housed and even owned by somebody else but operated and controlled by you. That’s about as short as I can make it, but I wanted to provide some context for how I arrive at those conclusions.</p>
<p><strong>Amrit Williams:</strong> And I think that’s completely fair, and I think the audience gets that.</p>
<p>Thank you for joining me today, Chris; and, everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter @Beaker, B-E-A-K-E-R. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at <a href="http://www.cloudsecurityalliance.org/">cloudsecurityalliance.org</a>, and for those interested in working and teaching and learning about how to get kids to hack &#8212; and by “hack”, we mean just learn cool stuff &#8212; you can visit <a href="http://www.hackid.org/">hackid.org</a>; that&#8217;s <a href="http://www.hackid.org/" title="hackid.org" target="_blank">H-A-C-K-I-D.org</a>.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 92: The Inconvenient Truth of Security from the 2010 InfoSec Conference</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/#comments</comments>
		<pubDate>Sat, 26 Jun 2010 08:33:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses Cloud Computing and other trends with Philippe Courtot, CEO of Qualys Inc. at the 2010 InfoSec Conference.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter” and today I am joined by Philippe Courtot, Founder, CEO and President of Qualys.
Philippe, thanks for [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses Cloud Computing and other trends with Philippe Courtot, CEO of Qualys Inc. at the 2010 InfoSec Conference.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-325"></span></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams</strong>: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter” and today I am joined by Philippe Courtot, Founder, CEO and President of Qualys.</p>
<p>Philippe, thanks for joining me today.</p>
<p><strong>Philippe Courtot</strong>: Thank you for inviting me.</p>
<p><strong>Amrit Williams</strong>: We’re sitting here in Infosec Europe, and there’ll be a bunch of these podcasts coming up; but Qualys, you know, one of the things that I found interesting, Philippe, about Qualys was the drive that you guys had for moving things into the cloud. And when it was first introduced, I think there was a lot of resistance to it, and you must be feeling a little bit of vindication that cloud computing and these types of approaches to securing infrastructures are becoming much more accepted.</p>
<p><strong>Philippe Courtot:</strong> I would not say vindication, but what I would say is today that we have a significant market adoption. In fact, today more than 40% of the Fortune 100 companies have standardized on the Qualys VM platform and are all very excited with the fact that we have brought now PCI as really one of the most powerful platforms. 62% of the VHVs are now using Qualys, 48% of the QSAs. And then, of course, we have our policy compliance that we have introduced about a bit more than a year-and-a-half ago and which is now starting to be mature and taking traction; same thing for the web-application scanning. And of course, we now have the malware detection service, which will be free for all and for every website on the planet.</p>
<p>So people start to see that we have really built a platform today which can essentially simplify and abstract the complexity of security which is, obviously as we very well know, building security application is very hard. And delivering them at the scale, it’s even harder. I think that’s what Qualys has done.</p>
<p>So the support of our customers, to answer your question, is really… what customers which have followed us, most of our customers, in fact, have followed us for ten years so we have very little erosion of our customer base and, in fact, are really welcoming business services.</p>
<p><strong>Amrit Williams</strong>: Those three services that you mentioned, I’d like to focus a little bit on the one, the free malware-scanning technology. Can you talk a little bit about the details of that? I mean, what does the service actually provide, and how do people get exposed to it?</p>
<p><strong>Philippe Courtot:</strong> Yes, absolutely. So what the service provides essentially if you subscribe to the service, which is free &#8212; and will be, by the way, free forever; we have absolutely no intentions of charging for that service, and I would explain to you why after that.</p>
<p>So if you subscribe to the service and then want them to scan daily your website to detect, to ensure that that website is not being compromised and therefore is not serving malware to the visitors to your website. What is also very unique with that technology is that the way it’s done and built, it has no false-positives.</p>
<p>So we may still have some false-negative, missing some malware which has been very cleverly hidden into some deep down into your website; but we will not generate essentially false-positive because of the very nature of the implementation of our solution. And that is what allows us to really make it available for a large population; in fact, we built it to the scale of the planet, as everything that we have done at Qualys. In fact, we do more than 500 million IT scans per year today. And so now we could essentially scan every website on the planet. Currently we do 5 million URLs per day and could do 20, 50 million URLs.</p>
<p>So by now I think you realize the difficulty if you’ve got a lot of websites and you receive all these phone calls for false-positive, you would drive everybody nuts to start with; and second, you have a huge support cost behind that. So the fact that the technology itself doesn’t generate false-positive, or at least it’s very, very rare, and if it is, we can go immediately back into our code, understand where the problem was and then fix it for everybody at the same time. That’s the power of the model of this technology.</p>
<p><strong>Amrit Williams</strong>: And how often are you scanning these websites?</p>
<p><strong>Philippe Courtot:</strong> Every day.</p>
<p><strong>Amrit Williams:</strong> Oh, okay, on a daily basis?</p>
<p><strong>Philippe Courtot:</strong> Yes, because I think with malware, if you want to have that, we probably may have some paid services if you want to scan every hour, because some companies are in such a sensitive market that they would want to really know every time. So the reason why we make it for free is the obvious reason: it’s publicity brand recognition; but more importantly, it’s because what that service is is essentially a huge 4:42 on the Internet. And so the more people we have and the more website we scans and the more we look at the malware, the more knowledge of the malware we’re going to have. And then our intent, and we’ve already started to do that, is to share that malware knowledge with other companies which would want to share with us.</p>
<p>(00:05:02)</p>
<p>So with that we create for the community a much better understanding of the type of malware, its evolution, et cetera, et cetera. As you very well know, we are competing against extremely organized individuals, and they share that information between themselves. The Security industry has not had the habit of sharing. It has been much more about “Oh, I’ve got more knowledge than my competitor; therefore, you should buy from me”. And I think that was working well in the past. Today, against the threats that we all have to cope with, that model doesn’t break when you have a much more community approach. Then, of course, except for the people to have the derivative, if you prefer, business models whereby you can obviously recoup the costs.</p>
<p><strong>Amrit Williams:</strong> It seems like that would be a very natural tie-in for the data that you guys might be able to collect on potential malware infestations and then feeding that into something like the Trend Smart Protection Network, right…</p>
<p><strong>Philippe Courtot</strong>: Absolutely.</p>
<p><strong>Amrit Williams:</strong> … and allowing them to send it out into their web reputation services.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. And you have also additional synergies, like immediate synergies with our web-application scanning, which now also is becoming mature and can essentially scan all of the applications on an enterprise. So we have that scalability again that our model is. So then when you start to realize that obviously, we have now the knowledge of the malware, we have the knowledge of the vulnerabilities on the website, the other PCs is the web-application follow-up. So today we are also like everything that Qualys does, also we interpret; in other words, we always pass our data to others. So in this case, specific case, we are creating integration with Imperva, and we’ll do the integration with other passing of data. So now you have that trilogy of trinities, if you want to call it like that. And then we also will be starting working on building a the web-application follow in the clouds, as well.</p>
<p><strong>Amrit Williams:</strong> And folks interested in receiving a service, they can get it from the Qualys website?</p>
<p><strong>Philippe Courtot:</strong> Absolutely. So you go to the Qualys website. And then we have not still &#8212; it&#8217;s in there as of today. So we have not been broad mass distribution yet; it will 7:13 hours a day. We are going to go production most likely in June, and then we are going to make it even more broadly available through our partners, et cetera; so make sure that almost, you know, collecting as much malware as we can essentially.</p>
<p><strong>Amrit Williams:</strong> So Qualys has been in the business of providing vulnerability assessment and management data for quite some time.</p>
<p><strong>Philippe Courtot</strong>: Correct.</p>
<p><strong>Amrit Williams:</strong> What have you noticed changing, if anything, radically over the past three to five years?</p>
<p><strong>Philippe Courtot:</strong> So this is here you go into my favorite subject here. So this is something that I’ve addressed of the keynote that I gave at RSA, in fact, last year and even the year before. The fact that fundamentally today securing the current computing environment, which is your network and the enterprise, as we all know &#8212; and I call that “the inconvenient truth in security” &#8212; has been and is continuing to be harder and harder and harder. And this is by the very nature of the network itself, the fact that for the business having to open up the network even more. So locking down things becomes impossible either, and then the technology is moving so fast. In the enterprises of today, totally how could you add the talent and even attract and retain the talent who has to understand all these many different facets of security? So everybody now is conscious that the problem is getting bigger.</p>
<p>At the same time, you have now more regulations, which forces you to disclose the averages, which forces you to in fact pay more attention to compliance. So it’s becoming almost impossible to solve. So Qualys, obviously we have a large customer base of very large companies and very small companies, as well.</p>
<p>So we have been, in fact, helping to cope with that by bringing security and compliance together and delivering that as a service, which facilitates the task. But this being said, this is still not fundamentally enough, and I personally believe and I always believe that, in fact, cloud computing is offering a huge opportunity to the Security industry and I would say to the Security professionals through the practitioners to build the security into the infrastructure of the cloud &#8212; which is something, by the way, that we, Qualys, as you have had to do early on, because our customers &#8212; if you discuss with Marc Benioff, the CEO of <a href="http://www.salesforce.com/">Salesforce.com</a>, when he launches his CRM in the cloud model, <a href="http://www.salesforce.com/">Salesforce.com</a>, the resistance was coming not from the businesspeople who all wanted to adopt that form of facility, the deployability, the fact that you could connect with your suppliers, with your customers, with everybody into one single place in the cloud; but the people who were resisting were the IT people, who say, “Wait a minute, I don’t have anything anymore to do here”, and then the Security people say, “Wait a minute, my job is to protect the data inside the company, the data is going out”.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So these were our customers. So in order to satisfy the very natural, if you prefer, requirements of our customers, the Security people want to essentially not only build the security into the fabric of what Qualys has done, but also demonstrate and be very open and transparent about how we are taking good care of the data. So we have learned that since the very beginning; if we would not have done that, we would have not be where we are.</p>
<p>But this being said, I maintain that today securing the cloud, which we have experience obviously of, is much easier to do than securing the enterprise. The reason is because you have the data in one place. You can therefore control the access. The cloud-computing vendors like Qualys and others can attract and retain the specific talent, and we can amortize a significant cost of building the security into the fabric of what we do across our many, many users. And furthermore, if we are breached, this is a huge threat to our business.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So we have absolutely a significant business interest of doing the best we can. So as we see more and more companies moving their application to the cloud, that’s the good news, because it means that the complexity to secure the current networks will be reduced while you pass the responsibility of securing to others.</p>
<p><strong>Amrit Williams:</strong> To third parties, right.</p>
<p><strong>Philippe Courtot</strong>: So we are going, I believe, at some point in time, which I think will be probably in a couple of years now that there is more and more Software-as-a-Service or cloud-computing offerings available in the marketplace, we’re going to start to see that shift accelerating and then at last be in a position where we can gain ground against the bad guys, where today it’s very clear that if you look at the Aurora attack and others, we are losing the battle.</p>
<p><strong>Amrit Williams</strong>: Have you seen, because I know that we’ve had lots of conversations in the past, Philippe, and I know maybe 2003, 2004 I made some comments to you that a lot of companies would be resistant to allowing data to go to a third party, and I think you guys have done an excellent job of providing that transparency. Do you still get that type of resistance, or is there much more acceptance that this is really the natural path and the way that things are evolving? Is the resistance dying down? Do you still deal with that in terms of adoption?</p>
<p><strong>Philippe Courtot</strong>: We still have to deal with the resistance; however, we see two things that in the past before &#8212; I think the turning point for us was about two years ago, so I would say 2009, end of 2008 &#8212; where before that, we were not invited to the dance, if I may say so, for many &#8211;</p>
<p><strong>Amrit Williams:</strong> Just because you were a cloud?</p>
<p><strong>Philippe Courtot:</strong> Just because we were a cloud.</p>
<p><strong>Amrit Williams</strong>: Yeah, yeah.</p>
<p><strong>Philippe Courtot:</strong> Since then, we have been invited and only invited, and those who didn’t have a cloud solution were not invited. So we saw that change.</p>
<p><strong>Amrit Williams</strong>: That&#8217;s interesting, yeah.</p>
<p><strong>Philippe Courtot:</strong> We still see the resistance; however, what it&#8217;s doing now &#8212; and I think it was very clear at the RSA 2010, and then I went to the CSA Conference in Barcelona in Europe, and then I recently went to the European Commission in Brussels &#8212; you could see today that I think the Security people have understood that that movement into the cloud is absolutely inevitable.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So even they are still reluctant fundamentally because of their culture, if you prefer, they know now that resisting, in fact, is becoming dangerous, because the business now, again especially with again more regulation, more data breach disclosure, now certainly Security has been elevated at a much higher level. So now it’s not anymore “You don’t tell me I cannot go to the cloud here, because I have to do that for business reasons; so you better now tell me and show that this is going to be secure. And by the way, you still have to secure your enterprise”.</p>
<p>So I think the debate has elevated, which I think gives a very fundamental opportunity again to the Security practitioners. If they elevate themselves so and adopt the cloud, then certainly they’re going to become the ally of the business.</p>
<p>(00:14:55)</p>
<p>I would not say that it’s good news of moving the cloud for the IT people, because they are the ones which are essentially going to be dislocated as more and more of the cloud computing takes very similar &#8212; if you look at that cloud-computing phenomena, it’s nothing new. This is exactly the Internet doing to the high-tech industry and the Security industry in particular what it has already done for many other businesses, like the publishing industry: totally dislocating the business.</p>
<p><strong>Amrit Williams:</strong> And it means the practitioners need to evolve.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. So those who will evolve will thrive; those who don’t want to evolve, it is going to be harder and harder for them to fight that battle.</p>
<p><strong>Amrit Williams:</strong> Yeah, I absolutely agree. So what’s on the horizon? Anything interesting coming that you’re willing to talk about with Qualys?</p>
<p><strong>Philippe Courtot:</strong> Oh, I mean, there’s one thing which we are already pushing more and more, as you saw with that initiative with the malware-detection services, that I really believe that we have to really build a much stronger community of Security professionals. And so that I think is a kind of a mission that Qualys has embarked on. I think we want to really show that by bringing more minds into the problem and really creating a kind of an openness, as opposed, if you prefer, to the… I would say that old high-tech industry which essentially was very proprietary, we have seen since the very beginning where the 16:31 APIs when I look at the data that we have, this is not our data. The way we look at it is that this is the data of our customers, and it is our responsibility to do two things: one is to ensure the security of the data and, the second, make that data available to them to do whatever they want with it. So we use that data to create some application; but we have no reasons of preventing these customers of doing what they want with that data; after all, they pay us to collect that data.</p>
<p>So it’s a very different mindset, and the mindset difference is fundamentally because we are not a product company. When you’re a product company, you’ve got to put your gears there first, because once you have put them there you cannot be displaced, or if yours are not there you cannot displace easily others. When you’re a service, you can interestingly significantly much more easily be switched. It&#8217;s like when you rent a car: if Avis doesn’t give you a good service, you can go to Hertz or vice-versa. So you’ve got to have that security in mind. In other words, you have to have the customer in mind.</p>
<p><strong>Philippe Courtot</strong>: So we are not product-centric, so we are a service-centric company, and that’s the fundamental difference that cloud computing also brings, you know, to the market.</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: So the Security vendors will have to start to think about service, not about product. And those who don’t evolve, so if you look back, interesting enough, at IBM, what happened with IBM. IBM survived the mainframe, and the only company when you look at it &#8212; there’s a lot of very big, powerful companies which were delivering mainframes; none of them survived. And people believe that IBM survived, because they were the biggest. That’s not true. They survived because they evolved, and how did they evolve? Essentially, Steve Mills, which is in my book the unsung hero of IBM, did the technical revolution by embracing Linux $1.5 billion that IBM invested 20 years ago &#8212; I don’t remember the date exactly &#8212; and everybody thought IBM had gone totally crazy to invest in what? That kind of open-source thing? And, yes, but they were using Linux to capture all their old mainframes and architecture and then emerged as a middleware and a service company. So from a product company, they became a service company.</p>
<p>And then the second hero, obviously, which everybody knows, is Lou Gerstner, which did the cultural revolution and essentially eliminating a lot of the old management of IBM which were product-centric to replacing them by people coming from bottom up and also adding new talent, which were more like him as service-minded people. And that’s why IBM is what is IBM today. If they would not have done that, IBM would have disappeared like everybody else.</p>
<p><strong>Amrit Williams:</strong> And it’s interesting. The IT industry, Security specifically, really requires these companies to evolve and evolve quickly, because there’s so much change and it is so dynamic.</p>
<p><strong>Philippe Courtot:</strong> Correct, correct, and that’s a very good point that you have. That’s the big difference. It took &#8211;</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: In fact, I had a discussion on this very subject with Bill Gates like five years ago at the speed of change, because, yes, it took 25 years to have the mainframe-to-enterprise computing revolutions. Today, the argument I was making then was, “It&#8217;s not going to take 25 years; it’s going to take 10 years”.</p>
<p><strong>Amrit Williams:</strong> Oh, yeah.</p>
<p><strong>Philippe Courtot</strong>: So that was about five years. So if I’m relatively right, then in five years look at where we are going to be. And some of the arguments that I’m giving to highlight that is if you look today at the cost of mail, it costs about $84 billion a year to maintain 400 million Microsoft Outlook clients. It doesn’t cost a few millions to Google or Yahoo! to maintain 200 million each, I think, of web-based clients, and it’s not the cost of the software. Even if Microsoft will give away, you know…</p>
<p><strong>Amrit Williams:</strong> It&#8217;s the cost of the infrastructure.</p>
<p><strong>Philippe Courtot:</strong> … it&#8217;s the cost of the infrastructure: the servers, the people needed to maintain that 24&#215;7, et cetera, et cetera. And people make a false argument in saying, “Oh, but my mail is not secure at Google”. Is your mail secure in your company?</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: In reality, the mail that goes across the Internet is not encrypted, because encrypting mail is very difficult. In fact, Google could very easily if they wanted to essentially provide a totally encrypted mail as a solution, because the mail is in one place, and then they could encrypt in the similar type of encryption scheme so the user would login essentially; the mail stays encrypted and the user, in fact, when he connects decrypts with his key.</p>
<p>So that I think is one of the examples I think of how disruptive to cloud computing it is, and this is going to be more and more visible every day. You look at the iPod and iPad, iPhone, et cetera, this is a perfect example of a cloud-computing application. Now certainly, who would have believed that Apple would bring thousand-plus applications on the iPhone, which overnight are going to be enhanced significantly because of the new format of the iPad, and it’s the delivery.</p>
<p>So the Internet, what it brings to you is that it’s a fantastic delivery mechanism to deliver technology. So you have that, as long as you balance that Qualys did the resources that you need, the computing power that you need in the cloud, with whatever computing power you need at the client side. So in our case we have appliances totally remotely managed; then that’s the power of distribution that cloud computing has.</p>
<p><strong>Amrit Williams:</strong> Yeah. Well, Philippe, I really appreciate you spending time with me today, and hopefully I’ll get a chance to talk to you again on the podcast soon. Thank you so much.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. Thank you very much.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 91: Horror Films to Hackers</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 22:34:14 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the lessons learned from the film industry with inventor, nCircle founder, and Life Zero blogger John Flowers.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.
And, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the lessons learned from the film industry with inventor, nCircle founder, and Life Zero blogger John Flowers.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.</p>
<p>And, John, thank you very much for joining me today; it&#8217;s just a great pleasure to spend some time with you, and I appreciate it.</p>
<p><strong>John Flowers:</strong> We’ve been doing some really exciting things, everything from traveling to parts of the world that I personally had a lot of connection with and love for, like Thailand and Southeast Asia.</p>
<p><strong>Amrit Williams:</strong> As well as doing some digital media work which you discussed briefly earlier. You have credits on such films as “Star Wars, Episode 3”, “King Kong” and “Wasting Away”. And you’ve been out there; you went into a different industry, left Security altogether. You formed a search company, a natural-language search company called Kozoru.</p>
<p>I’m curious, before I dig into any of these, how much did these experiences influence you in terms of what you’re doing with Kane Box? I mean, what would you say that this world view has done, this sort of looking at the world in a different way through different lenses that don’t really have anything to do with Security? How do you think that&#8217;s informed or provided insight for you in terms of how you might approach getting back into the Security world and potentially, you know, starting another company?</p>
<p><strong>John Flowers:</strong> Well, I mean, at the risk of sounding a bit cheesy, I think it&#8217;s the reason I was able to see Kane Box in the way that I am, you know, in the way that I’m seeing it. You know, I did a lot of workflow automation, I did a lot of automated color correction for films.</p>
<p>You know, you mentioned “Wasting Away”. “Wasting Away” was a fun film. I worked with these two guys who were doing the zombie comedy from the perspective of the zombies, and they had this color-correction person who wasn’t quite as good as they might have indicated in their interview (laughing). And I came in at the last minute and, you know, the film needed color correction and it needed all these different things, and we had a very short period of time before we were going to Screamfest. And we were going up against “30 Days of Night”, if you recall that film.</p>
<p><strong>Amrit Williams:</strong> Oh, yeah.</p>
<p><strong>John Flowers:</strong> Big budget, you know, Hollywood film; and here we are, this little half-million-dollar zombie film going up against that.</p>
<p>And so I came in and I wrote a lot of software to automate the color-correction process so that these guys could get the film ready for Screamfest. And I’m proud to say &#8212; I mean, this was a… I don&#8217;t know, two weeks of work, which if you know anything about coming in and color-correcting film from scratch, especially when you’re automating it, that was insane. I actually slept on their couch, I think, every night for all two weeks.</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> But we ended up getting it done, we went to Screamfest, and it won the Audience Award at Screamfest against “30 Days of Night”.</p>
<p>And so I started thinking about that and, you know, the film went on to win something like 21 other festival awards and all based on this automated color correction, meaning I didn’t touch a color wheel on that film. I wrote software that looked holistically at what flesh tones look like and what all these other different colors look like; and then we used some pictures that the directors had taken of how they wanted the film to look, and we used that as a model and let the software color-correct the film and drive everything to the right, you know, area.</p>
<p>And, in fact, I actually have something I haven’t released, which I was calling HD Instant Color, right, which was a plug-in for final cut where you could just drag a picture in it and it would color-correct your film. It&#8217;s buggy, it&#8217;s gross and, you know, it was cranked out so fast it&#8217;s primarily useless; but that technology, obviously you can see some parallels between that and between Kane Box: this idea of just looking at everything. And you know enough about film when I say to you “Oh, this is a 2K film” or “This is a 1080p, you know, frame”, you understand just the sheer number of pixels per frame, and then there are 24 frames per second.</p>
<p><strong>Amrit Williams</strong>: Okay.</p>
<p><strong>John Flowers</strong>: So you know how much data is being pushed through when I start talking about those numbers. I mean, you look at a red camera shooting 4K &#8212; and actually they shot on a 2K camera &#8212; but, you know, the sheer volume of pixels being pushed through per second, right?</p>
<p>And that helped me understand what I needed to do to synthesize all of this information and look at it globally, right, rather than at a pixel-by-pixel level, and do something interesting with it or mathematically interesting, something that was fast.</p>
<p>So when you ask did it inform me, yeah, like I say, I think it all informed me.</p>
<p><strong>Amrit Williams</strong>: It&#8217;s interesting, too, because the movie industry, I think a lot of folks in Security, the personality type of the people that traditionally go into Security &#8212; I know it&#8217;s changed over the years, but in the earlier days &#8212; I think they’re drawn to the industry, the movie industry as a whole. I don&#8217;t think that they fully understand how difficult that industry is and how complex it is to navigate. So it&#8217;s very interesting to hear you talk about it.</p>
<p>I’ll send you a link after the podcast. My cousin has a film that they’re working on called “Blue”, and they struggle with a lot of these same issues, being, you know, compared to a big-budget film with the budget constraints, but definitely with all the post-editing work is quite tedious. And when they talk about it, I don&#8217;t think everyone realizes how much work absolutely goes into even dealing with something as… as what we all might think as benign as color correction, and it&#8217;s fascinating.</p>
<p><strong>John Flowers</strong>: Absolutely. The other thing I think people may or may not realize, it typically takes let&#8217;s say 6 weeks to shoot a feature film; and then it takes 18 months to edit that film, add music, color-correct it, do all the things that you’re talking about in the post-production world. So a film takes let&#8217;s say 18 to 24 months to complete, and the lion&#8217;s share of that work is definitely in the post-production side, just telling the story.</p>
<p><strong>Amrit Williams</strong>: Yeah, no, it&#8217;s &#8212; I could go on this whole subject for a long time.</p>
<p><strong>John Flowers</strong>: (Laughing.)</p>
<p><strong>Amrit Williams:</strong> You know, brothers are sharing a comic and that kind of stuff; some relationship with folks in that industry.</p>
<p>But I wanted to turn it just a little bit back to Security again, because you have such a fascinating background there: your take on the state of Security today. I mean, you were out of it for a while; definitely you still had some tentacles in it even when you were gone, I’m sure, and had communications with folks. But you left, you clearly saw when you came back that there were still problems to be addressed. But if you could &#8212; if you could sort of high-level it for the audience, I mean, what&#8217;s your take on what&#8217;s going on in Security? It certainly hasn’t improved much from the protection side; but give me some of your thoughts based on, you know, leaving and coming back, what you think about what&#8217;s going on right now.</p>
<p><strong>John Flowers:</strong> Well, I was fortunate enough to have Stephen Northcutt interview me as a SANS Network Security Thought Leader. He interviewed you, as well; I read your interview, it was fantastic. I think you and I agree on a couple of fundamental big-picture things about Network Security. It&#8217;s not getting better. It&#8217;s definitely not getting better.</p>
<p>I have the misfortune of having picked up a netbook in Latin America when I was in Panama right around &#8212; oh, I was in David; but it&#8217;s in Panama, outside Panama City. And I picked up this netbook, and aside from it having a Spanish keyboard, which I found infuriating (laughing), it came with on the Spanish language version of Windows a virus. By the time I had powered the system on, the virus had Trojaned my system and was reaching out to places in Canada and Europe and was starting to spam and do spam relaying because of this Trojan, or this bot, I guess, that was installed on my system. And this was before I even downloaded an update.</p>
<p>I found that… well, I found it ridiculous, obviously. I mean, the only reason I booted Windows was to install Linux, no offense (laughing).</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> But here I am, I can’t even do that, right? I have to go to an Internet café just to download Linux just to put it on this system, because the system is already compromised.</p>
<p>And we’re hearing stories about other systems that are compromised. There is a cell-phone manufacturer who probably doesn’t want to be named who released over a million cell-phone units that had a virus installed in them. If you plug the cell-phone into your Windows system, viruses go everywhere.</p>
<p>You know, and so you start hearing about all of these things; but the one thing that you and I both know is that traffic has a pattern: it has a signature, it has a statistical representation from the Trojan to the bot net to all of these other things. And you have to start asking yourself, “Why is no one solving that problem in a way that is not looking at the host as an atomic unit, but looking at the network instead and the traffic on the network as an atomic unit?” And what I mean by that is I really expected this concept of scrubbing, of traffic scrubbing, to be much, much, much further along, and I’m really, really saddened and disappointed that it isn’t. This idea that let&#8217;s say your system is compromised. Heaven forbid, we know it never happens; but you’re compromised. If you had an unobtrusive device on your network that knew what normal network traffic looked like &#8212; and I know that&#8217;s a tall order &#8212; that device could scrub out abnormal network traffic. And then the Trojan system becomes a matter of patching, not a matter of DEFCON 1, red alert, threat level orange freak-out (laughing), trying to yank it from the network and then figure out what happened in a forensic way.</p>
<p>So that&#8217;s my perspective. And that&#8217;s just one aspect of a thousand things that frustrate me, but that&#8217;s probably at the top of my mind right now.</p>
<p><strong>Amrit Williams:</strong> It&#8217;s interesting, too, because there&#8217;s been promises that a lot of this stuff would be addressed, and in fact we saw some movement towards that in key areas; but fundamentally the organizations themselves revert back to the old way of doing things, and we get stuck in this… really, I don&#8217;t know how else to describe it but just this continuously non-ending circle of reacting and responding and not really thinking about how to look at the organic, what potentially could be thought of as organic elements inside of an environment and addressing those in a much broader way.</p>
<p>And we still have the same divisions: we still have the Security guys being antagonistic with the Network guys, who won’t talk to the Server Ops guys, and the Application guys are sitting in a different room and they won’t communicate. And so everything just boils back down to these stovepipes, and so it&#8217;s interesting when you talk about, you know, Kane Box bringing back up these elements that you’re also talking about potentially solving another major problem in Security, which is around language.</p>
<p>And one of the things that when I &#8212; when I was with nCircle, one of the things that frustrated me a little bit was it was very difficult to communicate vulnerable conditions and exposures to the IT Ops Teams who ultimately had to make the modifications and the remediation actions, because the output of the data we were providing at the time, as it should have been, was oriented towards the Security guys, and so we would show them information on unique, distinct vulnerabilities and there really… even today, there really is not a good mechanism for providing information that both Security and Operations people can consume and react to. And fundamentally, it&#8217;s because there is a large language barrier for the way that the folks interpret data. Anything that can be done to resolve that I think will greatly advance how folks maintain the health and security of their computing environment; so definitely going to be interested to see how that&#8217;s received and how that&#8217;s developed and evolved. But I think that is a fundamental issue, as well, and it&#8217;s interesting to see how that&#8217;s gonna be resolved, and it just hasn’t yet.</p>
<p><strong>John Flowers: </strong>I agree. And one of the things that I’ve talked about quite a bit in the whitepaper and in other discussions is this concept of the counting game. I cannot believe we’re still playing the counting game; it&#8217;s infuriating. And what I mean by that is CVE numbers and CWE and all these different things is just… it&#8217;s amazing. It&#8217;s like, “Oh, well, look at this: the open-source vulnerability database has 67,000 unique (laughing)… you know, signatures, if you will, for these unique conditions.” Never mind the fact that 15,000 of them are fundamentally the same thing that has a few different words or has a slightly different modification.</p>
<p>And what I’m happy to see is that someone else recognized that, and ironically the person who is working on that project was one of the first employees at nCircle, this guy Tom Stracener, who I’ve been friends with since I was around eight. (12:49) has a solution called CAPEC, the Common Attack Pattern. Have you seen this, <a href="http://www.capec.mitre.org/">www.capec.mitre.org</a>?</p>
<p><strong>Amrit Williams</strong>: I have not. I’m actually writing it down.</p>
<p><strong>John Flowers: </strong>It is fantastic, and if this were an R-rated show I would use very strong words that started with an F to talk about how fantastic it is (laughing).</p>
<p><strong>Amrit Williams</strong>: (Laughing.) Phenomenal if it was spelled with F, right?</p>
<p><strong>John Flowers: </strong>Right (laughing). Freaking fantastic, there you go.</p>
<p><strong>Amrit Williams</strong>: (Laughing.)</p>
<p><strong>John Flowers: </strong>So what it does is it looks at Network Security issues from a big-picture perspective, and it classifies issues at a macro level. And so there are just a few hundred of these CAPEC issues. And one of them might be, let&#8217;s say, Directory Traversal.</p>
<p>Now, let&#8217;s take a step back in the Network Security world and ask ourselves, “Have you ever seen a vulnerability that was so broad and wonderful as Directory Traversal?” Other tools talk about the very tiny and specific microscopic detail that is creating a Directory Traversal problem; but the problem is Directory Traversal. And so one of the things I’m doing with Kane Box is I’m leveraging this; I’m leveraging this beautiful and greatly constructed, very holistic look at Network Security issues. And I can’t believe more people aren’t. And, yeah, you can take 1 CAPEC issue and relate it to 6,000 of these other, you know, CVEs or whatever. And that&#8217;s good and that&#8217;s fine, and I think that&#8217;s great; but the idea of being able to look at something from a big-picture perspective is exciting to me.</p>
<p>You know in that example that I just used, imagine if you had a Trojan horse on your newly installed Windows system, and the technology told you, rather than a bunch of crazy alerts that don’t do anything, it told you, “By the way, a new system came online. That system was running Windows. That Windows system had a Trojan horse, and so I blocked outgoing traffic from that application signature until you fix it”. And that&#8217;s the problem I’m trying to solve.</p>
<p><strong>Amrit Williams:</strong> And that&#8217;s a wonderful promise. You know, as you were talking, I think I realized something. It&#8217;s not so much of an epiphany more than something I think I knew but just didn’t articulate well. You mentioned the frustration you had with this… you know, the industry&#8217;s wanting to count everything: everything is about quantity &#8212; “I have more data files than you” &#8212; and we experienced this at nCircle with our competitors: “I have more checks than you do”. It keeps the industry very much focused on the primitive conditions, and focus on the primitive conditions is not reflective of the abstract things that people actually need to do. And these abstract, the abstract versus the primitive or the macro versus the micro I think is reflective of how much difficulty most organizations just have in Information Security.</p>
<p>So it&#8217;s definitely… definitely resonates with me, those comments, and I hope that folks listening understand that difference and are able to adopt it and look for tools that are better able to help them move from very primitive, detailed conditions to much more abstract macro-level conditions so that they can take action; and they’re not able to right now.</p>
<p>So, John, I wanted to ask you one thing, because I was going through the airport the other day and I was… I was both shocked and happy and saddened all at the same time. We’ve seen Security &#8212; and I don’t like using the term “cyber”, but I’m going to &#8212; cybercrime, cyberwar, cyber espionage, cyber blah, blah, blah starting to get mainstream media attention. And there&#8217;s a part of me that always just sort of starts shaking and wanting to curl into a fetal position because the way that it&#8217;s communicated is so bad. At the same time, I’m excited that it&#8217;s getting the attention of the broader world.</p>
<p>I picked up two magazines. The first magazine was <em>Rolling</em> <em>Stone</em>, and the only reason I grabbed it was because the headline on the magazine actually said “The Biggest Cybercrime in History: Sex, Drugs, and Hackers Gone Wild”; so I had to pick up that and read what that was about.<br />
And then I picked up <em>Discover</em> <em>Magazine</em>, and I picked that up because it had an article on paleontology that I thought my son would enjoy; but as I was looking through it, you know, they had a big interview with Richard Clarke and it was all about cybercrime.</p>
<p>So here are two magazines that are certainly not trade journals for Information Security and I think are not read by most Information Security professionals that are touching on Information Security. And there&#8217;s… I’m really torn with how much I like or don’t like that.</p>
<p>So I’m curious. What are your thoughts as you see Information Security go mainstream?</p>
<p><strong>John Flowers:</strong> Well, that&#8217;s a really interesting question (laughing). I guess… I’ve been kind of blinded by my position in life, which is to say, you know, we… we were the first company back at nCircle, we were the first company to come up with this idea of network security scanning combined with intrusion detection. I mean, we may have even coined the phrase “intrusion prevention”, right (laughing)? That&#8217;s this whole crazy sort of world that I lived in for years and years and years. And so to me it&#8217;s kind of funny, because I sort of always thought it was going mainstream. I always felt like patterns are things that you find when you’re looking for them, and so when I’d flip on the TV and I’m in the Network Security space I say, “Oh, well, look, there&#8217;s a CSNBC or a CNBC article about how girls can be hackers, too”. Never mind how offensive that show was, but (laughing)…</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> You know, you see the sort of things that you’re looking for, you know. There&#8217;s a Buddhist ideology or a Buddhist idea that is, you know, we see as we are, right? So whatever we’re focused on, we sort of see those patterns.</p>
<p>So I kind of always thought, “Oh, wow, it&#8217;s going mainstream.” But I have to say, <em>Rolling</em> <em>Stone</em> is a step in a direction that I didn’t expect, and it tells me that Network Security &#8212; and this is an unfortunate thing, and it&#8217;s one of the reasons I think the good guys are losing &#8212; being a hacker somehow, even though it is illegal and it&#8217;s a crime against the government and it&#8217;s all of these different things, somehow it got sexy over the last four years. And I can’t… I mean, being a hacker was always interesting and dangerous and all of these different things; but being a bad guy is somehow sexy now. And I don&#8217;t know if people are watching too much of “24” or what they’re doing, but <em>Rolling</em> <em>Stone</em> kind of proved that, right, with this idea of “Oh, it&#8217;s kind of sexy to… you know, ‘Sex, Drugs, and Hackers,’” you know.</p>
<p>And I think that&#8217;s a bummer, because I think that means more people are going to be driven toward the glamorous side of it than already are, and less people are gonna be driven toward the side of &#8212; the prevention side.</p>
<p><strong>Amrit Williams</strong>: Yeah, I mean, I got the same feeling, too. I was disappointed that the article had been written in such a way that it made it sound sexy and cool and, you know, it was outlaw in a way that you would see young teenage boys looking up to, as opposed to outlaw like, you know, the criminals that end up in San Quentin (laughing).</p>
<p>So it&#8217;s unfortunate; but at the same time it&#8217;s nice that it&#8217;s getting more attention from traditional media, and hopefully that attention will equate to actual problem-solving and not just more ridiculous hacking.</p>
<p>Any last thoughts that you’d like to give to the audience before we end the podcast here?</p>
<p><strong>John Flowers</strong>: Well, I think one of the things that &#8212; and this touches on what we just talked about. One of the things that I would encourage people to take a deep breath and think about is the idea that because vulnerability discovery and disclosure has gone underground, and the idea that the kinds of things that &#8212; you know, when we were doing nCircle, the kind of things that were out in the open: on BUGTRAQ and on focus ideas’ list and on Security folks and on all these other places, the kind of things where you could freaking read the source code, right?</p>
<p>Those aren’t there anymore. You know, I fear that a lot of the guys who are doing the really innovative black-hat work are being paid by various nefarious organizations, and they’re being paid well. And, you know, it&#8217;s this kind of idea that, you know, when you outlaw guns, only outlaws have guns, right? This idea that we’re sort of outlawing the idea of disclosure, then the only people who are sharing them are these underground organizations, essentially amounting to the bad guys because, you know, if you do disclose something there&#8217;s a really serious potential that you could get into trouble for it.</p>
<p>What that means is we have to find different ways of finding vulnerabilities and exposures than relying on the community to disclose them to us. And if I were to say that there was one driving force behind why a tool or technology like Kane Box is the future, I think that would be it. We just… we don’t know what we don’t know, and we have to teach the systems what looks like normal traffic, what doesn’t look like normal traffic and teach them how to alert on it and how to give us meaningful data from that. We sure… we sure aren’t able to play the counting game the way that we used to by sending exploits out in the wild.</p>
<p><strong>Amrit Williams</strong>: You know, it&#8217;s funny, too, because I just did a podcast with Marc Maiffret from eEye a couple of weeks ago, and he made the same observation about sort of the vulnerability research and disclosure not only going underground; but a lot of the folks that had been involved in exposing that information, a lot of the information that we used when we were nCircle, they just don’t exist. It&#8217;s not that they don’t exist; clearly, they’re still alive. But they just don’t do that type of work in the same way, and it&#8217;s been at the detriment of the folks that are trying to do good with Information Security that have been impacted, and that&#8217;s unfortunate. It&#8217;s unfortunate because that &#8212; this is a self-created condition.</p>
<p>So hopefully, you know, either the system will correct itself so that the information that was being used can be returned to use, or the technologies that are created in its absence will help folks better understand the environment that they’re in. We shall see.</p>
<p>Well, John, you’ve just been a fantastic guest; I can’t wait to get ya back on, I can’t wait to see ya live ‘cause it&#8217;s been, I don&#8217;t know, six-plus years since I think we sat in front of each other.</p>
<p><strong>John Flowers</strong>: (Laughing.)</p>
<p><strong>Amrit Williams</strong>: And I know you’ve definitely… you definitely have some great stories, so I can’t wait to dig into a lot more of ‘em.</p>
<p>Those folks who wanna learn a little bit more about Kane Box and the work that John&#8217;s doing, they can find that at <a href="http://www.kane-box.com/">www.kane-box.com</a>; again, that&#8217;s <a href="http://www.kane-box.com/">www.kane-box.com</a>. John also maintains a personal blog at <a href="http://www.lifezero.org/">www.lifezero.org</a>, which has information on Kane Box and some of the other stuff he&#8217;s involved in. You can follow him on Twitter at kanendosai. You should check out his thought-leadership article on SANS; you can just Google SANS Thought Leadership to pick that out.</p>
<p>John, I’m just really happy you were on; I just had a great time, and I look forward to talking to you again soon. Thanks a lot, man.</p>
<p><strong>John Flowers</strong>: My pleasure, absolutely. Loved being on, and love talking to you anytime.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 90: What in the World is a Kane Box?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/11/episode-90-what-in-the-world-is-a-kane-box/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/11/episode-90-what-in-the-world-is-a-kane-box/#comments</comments>
		<pubDate>Sat, 12 Jun 2010 04:01:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/11/episode-90-what-in-the-world-is-a-kane-box/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the forthcoming network security tool, the Kane Box with inventor, nCircle founder, and Life Zero blogger John Flowers.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host Williams on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the forthcoming network security tool, the Kane Box with inventor, nCircle founder, and Life Zero blogger John Flowers.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-316"></span></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host Williams on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.</p>
<p>And, John, thank you very much for joining me today; it&#8217;s just a great pleasure to spend some time with you, and I appreciate it.</p>
<p><strong>John Flowers:</strong> Oh, yeah; my pleasure indeed. Thanks for having me.</p>
<p><strong>Amrit Williams:</strong> I’ll let you talk a little bit about your background. John and I had a relationship that started at a company called nCircle, which John founded originally as HIPAA World and then transformed into a really great vulnerability assessment and security audit and compliance company, which is now still privately held out of San Francisco.</p>
<p>John has done some interesting things, and I definitely want to touch on those. I know you have a lot of passion with writing and creativity and have done some things in digital media with the movie industry, so I definitely want to hear a little bit about that; but I think the thing that’s probably most exciting and I’m most interested in is your new concept and your new ideas in technology, and you always bring just a wealth of experience and information and expertise to the market. So I think a lot of people will be watching with great interest how this company takes off.</p>
<p>And I’d like to start talking a little bit about that. The product is Kane Box, and I believe you have a couple things here that I definitely want to touch on, like you have a very interesting business model, a very interesting approach to delivery of the technology.</p>
<p>But let me turn it over to you, John, and let me just start with tell us a little bit about Kane Box and what you’re bringing to market and the problem you’re trying to solve and how you’re going about doing it.</p>
<p><strong>John Flowers:</strong> Sure, my pleasure. Kane Box is kind of an interesting thing for me, because I really didn’t expect to build it. I kind of gave up on security a while back and thought that this product would be built. And for, I don’t know, somewhere in the neighborhood of about six years, I didn’t even really look at the network-security space; I was looking at other spaces. In my case I was looking at, as you said, the space of media. Specifically, I was looking at color correction and automating workflow in feature films.</p>
<p>And I also spent some time building technology called kozoru, and kozoru is a natural-language search system, a platform really, that used a novel approach for answering natural-language questions. We did key sentence extraction out of documents rather than keyword lookups.</p>
<p>And I built that technology, kozoru, in LISP, which I&#8217;ve always been a huge fan of LISP. If you recall, the original nCircle system had an awful lot of LISP behind the scenes. And so that’s been a huge passion of mine is this idea of trying to bring this language, this language that I love so much, to the forefront in some kind of way where it actually works.</p>
<p>So, anyway, so I’m out of network security, I’m not looking at it; and I thought these things would happen. One of the things that I thought would happen after nCircle is, I thought network security systems would get smarter &#8212; not just that they would get smarter but that they would have to get smarter, because we start seeing all of these different attacks, we start seeing obfuscation techniques and fuzzing and these products that just run enormous amounts of data against your system, such as skipfish; skipfish is a great example where it just rains a hailstorm of packets at you. And so I thought, “Well, network-security technologies have to get smarter. They have to get smarter to handle these obfuscation techniques, they have to get smarter to understand what&#8217;s on your network, they have to get smarter because it&#8217;s not enough to say ‘You’ve had 10,000 signatures fire against these rules.’” What you should be saying is “Someone outside your network ran skipfish against you, or someone outside your network ran HailStorm against you” &#8212; I mentioned hailstorm as an idea, now I’m saying it as a product.</p>
<p>But none of them do that, right? None of them say, “Someone ran Nmap with the following options against your system”, right? What they say is, “Oh, you have this kind of ICMP packet, you have this kind of TCP packet, you had these different conditions occur, and I’m gonna generate a mountain of data for you to try and sift through.”</p>
<p>And so when I came back and started looking at the space a few years ago and really getting back into it and the ideas that were being pushed forward in different technologies I expected it to be further along, and that’s where Kane Box comes in. My frustration with the lack of innovation in the space has forced me to try and think about a solution that actually I think works for people in a way that they want it to. And I have a lot of ideas behind that, and I can talk about those in detail.</p>
<p><strong>Amrit Williams:</strong> You know, it&#8217;s interesting, too, John, because we&#8217;ve been sort of facing the same problem with &#8212; and I don’t want to call it a lack of innovation so much as a lack of understanding about how companies really require the actionable intelligence to make proper decisions, this mountain of data that they get and how do they respond to it. And we have tools that generate a ton of data; a lot of it is not always actionable, and it requires a ton of expertise on the other side to parse through and make decisions around. So whenever people start taking an approach around how to provide better analytics and more actionable information, I think it&#8217;s one that most people would like to embrace and like to see better evolved.</p>
<p>(00:05:18)</p>
<p>But can you talk a little bit about what mechanism is being used differently? I certainly get the concept. If you can, share what you&#8217;re actually proposing technically to make this easier. I mean, is there better analytics in terms of correlating these events to provide what basically is an overview of what&#8217;s happening versus the very detailed packet level?</p>
<p><strong>John Flowers:</strong> That’s exactly right. The best way to think about Kane Box is to look at it as a system that does a couple of things and does those things really well. One, it understands packets. You and I both know a system has to understand packets; packets are what drive all of this. So we start there.</p>
<p>The second thing is, it has an engine behind it, and if you’ve read the whitepaper you see all of these references to the Kane Box engine and these modules, and it&#8217;s a fairly complex system. But the idea behind the engine is that it understands packets, and it understands statistical analysis, probability; it understands Bayesian statistics, Bayesian learning. And so without getting into the math, the idea here is that you can tell Kane Box, “Okay, I want to train you. I want to teach you about something.” And that&#8217;s a simple matter of typing “Kane Box” on the command line with a Train option and training it on either a pcap file that you’ve previously captured or on traffic on the network.</p>
<p>And when you train it, you tell it a couple of other things. One, you tell it the CAPEC (<a href="http://capec.mitre.org" title="http://capec.mitre.org" target="_blank">capec.mitre.org</a>) number that the training reference is and, if there is no CAPEC (<a href="http://capec.mitre.org" title="http://capec.mitre.org" target="_blank">capec.mitre.org</a>) number, you just give it an arbitrary number. And the second thing is, you give it a name. And so you have this training file, and I will give you an example: BitTorrent traffic. BitTorrent traffic is encrypted often and on different ports, and it has all of these wild variations on it; but it has a statistical representation, okay? So you capture a bunch of BitTorrent traffic, you have this pcap capture file and you tell Kane Box, “Hey, Kane Box, this traffic that I’m about to train you on is BitTorrent”. So now, great. So now Kane Box knows what BitTorrent looks like. It knows it from a statistical perspective, not from a signature-based perspective.</p>
<p><strong>Amrit Williams:</strong> And just real quickly for the audience, understanding statistically the characteristics of BitTorrent from that perspective versus the packet-level perspective or the port-protocol-communication perspective means that you’re better able to describe and see these things without just dumping the data for folks in sort of a glorified Wireshark or something, some tool like that where you&#8217;re just providing some intelligence on top of that.</p>
<p><strong>John Flowers:</strong> Correct, yeah, I would agree with that completely. And I’ll tell you, that&#8217;s interesting, I think, that you could look at BitTorrent and say, “Okay, I know now what BitTorrent traffic looks like, and if I ever see it I’ll say, ‘Hey, by the way, that’s BitTorrent,’” right? I won’t say, “Oh, that’s a TCP/IP packet on port 31337” or whatever it is, right? I will say, “Oh, that’s BitTorrent.” And that’s fantastic, okay? But it&#8217;s not all that useful yet.</p>
<p>Here is where it gets useful. Kane Box has an ability to take multiple different kinds of training sets, or traffic in this case, and to use those training sets to create these overarching or what I would refer to as macro exposures, right? I look at existing technologies and I say, “That’s a micro exposure.” We’re looking at macro exposures. We’re looking at these giant conditions with all of these different variables that are extremely complicated that create these exposures.</p>
<p>Now, how do we know what an exposure is? Well, for one, we train the system. For two, we can tell the system what normal traffic looks like &#8212; and I’ll get into that a little bit in a second. But you’ve got these training sets; so what you can say is, you can say, “Okay, I&#8217;ve got this training set for BitTorrent. Now, let me create another training set. Let me run, oh, I don’t know, some application like a HailStorm against my network”, okay? And what you do is you tell Kane Box, “Hey, Kane Box, I’m gonna train you, and what I’m gonna say to you is that this traffic that you’re about to see is called HailStorm”, right? And so you run Kane Box with the training set, you blast HailStorm against it, you stop Kane Box when it&#8217;s done. Now, Kane Box has a training set that is a training set called HailStorm, right &#8212; not an individual specific tiny little packet-based micro exposure, but rather a macro exposure that says, “Hey, somebody is running HailStorm”. So now in your report if someone is running HailStorm what you get is, “Hey, by the way, somebody ran HailStorm against you”, and you can dig in like you can with other tools and look at all the packets and inspect them and go through all the process that you would normally expect to go through; but now you’re not looking at 100,000 different conditions, right? And you can do the same thing with skipfish, and you can do the same thing with all of these other different tools.</p>
<p>And there’s a couple of other things. You can take those training sets and they’re combinatorial, right, meaning, if you train Kane Box on… let’s say you train it on Nmap with a certain flag, and then you train it on Nmap with another flag, and then you train it on Nmap with another flag. These create a hierarchy where Kane Box starts to learn that all of these things fit within an umbrella that we’re gonna call Nmap, right? And you also get to see about escalation, which we’ve talked about in the past, you and I, if I recall: this idea that you can leverage one vulnerability to get to another…</p>
<p><strong>Amrit Williams</strong>: Yes, got it.</p>
<p><strong>John Flowers</strong>: … this sort of chaining of vulnerability and conditions. And so that’s the thing that I’m most excited about is the idea that you’re not just seeing one set of conditions; but you’re seeing multiple conditions, how they interact with one another, how they relate to one another and how they can actually be leveraged in a way where you can go from one exposure to another to another to another.</p>
<p><strong>Amrit Williams</strong>: So let me ask you, ‘cause I think some of the folks listening would have some obvious questions. Obviously, you know, there are some great resources that you have available for them to get more information, and we’ll talk about those in a minute. But I think the natural skepticism would be around two things. One is the amount of time and resources that one would need to spend to train or get the system to learn and how many preexisting conditions or knowledge the system would have originally. Two is how does it deal with slight variations to that type of traffic that someone might be able to manipulate to get around someone trying to learn it and also how do you look at stuff that just hasn’t been learned yet.</p>
<p>So I think those are probably natural questions that folks would have, skepticism about it is how do I deal with the amount of time one needs to spend learning and how do I deal with variations for what’s been learnt or what would be seen as unknown or &#8212; you know, I don’t want to say zero-day; but, you know, you get the idea.</p>
<p><strong>John Flowers</strong>: Right, and I think those are natural questions and I think I should probably say out loud that I still don’t believe that Kane Box is gonna work the way that I want it to; but I’m seeing a lot of evidence to suggest that it does. So I find myself every day when I do training and listen on the network, I find myself every single day constantly surprised by it. You know, it’s the idea of taking a different metaphor for finding vulnerabilities.</p>
<p>And, yeah, Kane Box isn’t gonna do the kind of things that… like you suggested Wireshark, right? I mean, it’s not meant to replace Wireshark, it’s not meant to replace Snort, it’s not meant to replace these other tools that gather all of this data and let you sift through it, all right? It’s meant to give you this high-level overview of the kind of things that are going on in your network and to find exposures and vulnerabilities in a way that will help automate a lot of that human work, right, automate a lot of the work that you’re doing with people.</p>
<p>And as you know, that’s been a huge theme in my life is to try and automate all of what I consider to be just the boring details of work that you normally pay someone to do and they probably don’t enjoy that much; or if they do, they’re probably masochists, because some of the work that you have to do sift through packets is really frustrating.</p>
<p><strong>Amrit Williams</strong>: Well, I remember in the early days of IDS I was… back at McAfee when we first did the first CyberCop IDS, I remember one of the developers coming to me and he says, “Open up a file-share on your computer”. And I did and he goes, “Look, it shows up as an alert”, and I said, “I’m sorry, why is that good? I just did something very normal, and you’re showing it as several different alerts in the system; how does this thing not inundate somebody with noise?”</p>
<p>And the resistance to trying to get people to see that, you know, just these IDSs back in the days, one example, we’re just overwhelming people with data to get them to understand that this isn’t actually very productive and could in a lot of cases cause them to miss sight of something very serious, and it took a while for people to really understand that. Even today, there’s a lot of people who are very comfortable parsing through, as you say, large amounts of data to pull out what may or may not be relevant to them. And they enjoy it, I think they are masochists.</p>
<p><strong>John Flowers</strong>: Yeah, and the real problem is it’s hard for someone to truly understand how much data you’re talking about or how much of a chain of pain this really is until you have a larger network. You have a couple of hundred machines and you’ve got a team of a few people, it’s really not as big a deal, although I think it is a big deal if someone goes crazy with some kind of remote scanning tool. It gets nuts.</p>
<p>(00:14:59)</p>
<p>Like I said, skipfish scares the hell out of me, because I don’t know if you’ve ever seen the amount of traffic that skipfish generates. I mean, it&#8217;s a great auditing tool; but it is chatty. It&#8217;s amazing how much data that thing generates. And I would not want to be the person who had a network of 10,000 machines that had skipfish run against them and try and sift through just what I was looking at.</p>
<p><strong>Amrit Williams:</strong> Yeah, variables.</p>
<p><strong>John Flowers:</strong> Exactly, and that&#8217;s a large part of what I’m talking about.</p>
<p>So you asked a question earlier about there’s this sense of maybe… I’m not quite sure how to word it, right; but there is the sense that maybe Kane Box may or may not do some of the things or there is some skepticism, and I understand skepticism. I mean, we’ve been in this industry long enough that I think people have been misled or dragged down a path where a tool overpromised and underdelivered, and so one of the realizations I came to over the last couple of years when I was thinking about Kane Box as a tool was ironically something my wife suggested to me, which is a quote from J. K. Rowling of <em>Harry Potter</em>, right? It&#8217;s this idea that you should never trust anything that can think for itself if you can&#8217;t see its brain, and I completely buy into that idea. I stopped using Mac OS X, I stopped using Windows, I stopped using all of these tools that were closed source, because they were frustrating to me because I didn’t understand how they were doing some of the things that they were doing, or when they’d break obviously that&#8217;s frustrating.</p>
<p>So the really big idea here behind Kane Box is the hardware is open source, the software is open source; everything about it you can just download, you can look at it, you can poke it, you can play with it, you can see what it&#8217;s doing, you can improve it hopefully because, you know, it&#8217;s not being developed by an army of people, and you can make it better. And I think that that idea, the idea of creating a technology that is also a company but is open source and sort of giving people the opportunity to look at it, to see whether I’m accurate or they should be skeptical or what have you I think is a really positive way to maybe bring some of the trust back into these kind of tools, and I hope it will play out that way.</p>
<p><strong>Amrit Williams:</strong> It&#8217;s interesting, too, because, I mean, one of the things I actually didn’t realize at first until recently when I was looking at your website is this business-model approach that you have. I think it&#8217;s probably the first time I’ve seen somebody do that. I don’t want to do it a disservice, so can you describe this business model that you have?</p>
<p><strong>John Flowers:</strong> Well, the business model is right now kind of a three-pronged approach, right? The first side of it is giving the tool away as an open-source unrestricted license so that you can use it in a way that you want to use it, you can modify the source code, you can contribute back if you want to or not if you don’t, those kind of things. So the idea there is to kind of amplify my signal by putting it out to a lot of smart people and letting them stomp on it or not stomp on it or say it&#8217;s great or say they hate it or tell me all the things I’m doing wrong or whatever they want to do. Install it in their network, use it, right? Improve on it for their environment, that&#8217;s great.</p>
<p>So the thing that I get back from that is obviously I get contributions from smart people helping make the technology better, and I don’t think there’s anyone who could argue that that&#8217;s not a positive thing. I mean, if you look at Linux, you know, you and I remember the day when Linux was unusable; but today, I’m running Ubuntu, the 10.X, you know, LTS release, and I would argue that there are aspects of Ubuntu that are far and away better than Windows, not the least of which is that I’m not virus-ridden every eight seconds.</p>
<p>And so I’m excited about this idea, right, this idea of opening something up and letting smart people beat on it, and I think that&#8217;s great.</p>
<p>The second thing is the way that the company will make money is through selling hardware. Now, the one thing about the hardware that&#8217;s exciting to me is the hardware is a custom system created and optimized for Kane Box so that it does some things like fast DMA transfers across the bus so that you can sniff and snatch and do all of these different things that Kane Box does at a really high rate of speed across the network interfaces. And as you know, I’m no stranger to that, right? The work that we did in the past to try and increase the transfer speed on network cards is something I remember vividly and something that I know is a necessity. The one step we didn’t take, I think, in the past is you need custom hardware to do this. You can&#8217;t just modify an existing network card and make it fast; you have to do something unique, right?</p>
<p><strong>Amrit Williams:</strong> Yeah, definitely.</p>
<p><strong>John Flowers:</strong> And so that&#8217;s where the money gets made essentially for the company, right, the idea of you sell hardware. And the realization that I came to &#8212; and this may sound a bit blasphemous and I’m sure it does, but that&#8217;s fine; it&#8217;s not the first thing I’ve said that&#8217;s blasphemous &#8212; network-security technology should not be a budget item that requires an executive-level signature just to purchase it, right? Network security should be inexpensive, and it should be baked in to a lot of what you&#8217;re doing. And sometimes inexpensive means free in the case of Kane Box and other technologies you can just download and use. Of course, as we know &#8212; all know, a lot of those technologies don&#8217;t work very well, because they don&#8217;t have the resources or funding behind them, and that&#8217;s one of the things I&#8217;m hoping to change with this model, right?</p>
<p>So that means, too, though, that it should be cheap &#8212; or, inexpensive; I don&#8217;t want to say “cheap”, that&#8217;s not the right word &#8212; but it should be inexpensive. And because it&#8217;s inexpensive and affordable, maybe more people will use it. I mean, as it stands right now, you can pick up a Kane Box Ronin system, which will be available, will actually be shipping in July, for 500 bucks. And what that system does, it does scrubbing, scanning, sniffing, reporting, all of that, on up to 250 hosts on a network up to full transfer speed of 10 megabits per second for 500 bucks. And the source code is free and the source code is open, and you can play with it and you can dig in and you can do all of these things.</p>
<p>And I think that&#8217;s a fundamental shift in the way that most people look at network-security technologies. I think most people look at it as a very expensive line item that they have to have executive-level signatures to purchase, and I&#8217;m hoping to change some of that by providing a good tool that people can use for not a lot of money. And hopefully, that will resonate.</p>
<p><strong>Amrit Williams</strong>: Oh, I&#8217;m sure it will. Whenever you talk about cost reduction, especially in this economy, people are gonna definitely gravitate towards it. It would be interesting to see if &#8212; you know, there’s always this misconception that the value of something is predicated on its price; so it will be interesting to see if the value of this is, or anything, for example, when price is reduced below what people believe such a thing should cost that they’ll… they’ll have the same perception of value.</p>
<p>You mentioned some &#8212; you actually on your site, you mentioned something about investment and rounds of venture funding, and I thought the approach there was actually pretty innovative, as well. Is that still going on, the ability for folks to donate and be a part of this?</p>
<p><strong>John Flowers:</strong> Yeah, we&#8217;re… as you know I put that on the site about… well, less than 48 hours ago from the time of recording this, and what I said &#8212; because there are a lot of legal issues around this and, you know, I’ve raised money before and I know what all these legal issues are &#8212; you&#8217;re not technically allowed to invest in a company and get stock unless you&#8217;re an investor with a certain amount of assets to your name and all of these different things. So there are all these requirements around investors.</p>
<p>So what I did is I talked to a lawyer and we figured it out and we figured out, “You know what? Actually there’s a way around this, which is if somebody donates a dollar to you, you can take that as a donation and then later, if you decide you want to donate them a share of stock, you can do that.”</p>
<p>And so the approach that you&#8217;re talking about right now is that I&#8217;m working on putting together about $10,000 worth of what I&#8217;m just gonna call seed money through donations, and the idea is that that represents 10% of the company. And as you know, that&#8217;s a tremendous amount of the company for very little money upfront; but like I said, I want people to feel like they have a sense of ownership in something here.</p>
<p>I mean, like you said, this economy is not great and I think a lot of people have been through a lot of different things, and I think the idea of people being able to participate in something by helping it off the ground and then getting something in return for that, especially in an open-source environment, is really exciting.</p>
<p>And so, yeah, the idea is $10,000 gets you 10% of the company. I’m not taking investments over $1,000. I mean, I&#8217;ve just &#8212; I&#8217;ve turned down probably 20 people in the last 24 hours who wanted to put in the whole thing, because that&#8217;s not the point.</p>
<p><strong>Amrit Williams</strong>: Right.</p>
<p><strong>John Flowers: </strong>The point is to give somebody who has $10 and wants to participate in the next… you know, the next generation of network security, to give them an opportunity to do that.</p>
<p><strong>Amrit Williams</strong>: I think it&#8217;s fascinating. I&#8217;d love to see how that works, and I think if it does work it&#8217;s a model that other inventors will be able to adopt and hopefully play with; and, even better, it&#8217;s hopefully a model that others will embrace in a more general way.</p>
<p>So I&#8217;m certainly excited about seeing that and definitely excited about seeing how Kane Box works; I wouldn’t mind getting my hands on a Ronin myself when it&#8217;s available.</p>
<p>For those folks out there that are interested in learning more about Kane Box, they can go to <a href="http://www.kane-box.com/">www.kane-box.com</a>; so that&#8217;s <a href="http://www.kane-box.com/">www.kane-box.com</a>. There’s information on John Flowers, his personal website is <a href="http://www.lifezero.org/">www.lifezero.org</a>; and you guys can also follow him on Twitter, @kanendosai.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/11/episode-90-what-in-the-world-is-a-kane-box/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 89: How to Create a CSIRT</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/04/episode-89-how-to-create-a-csirt/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/04/episode-89-how-to-create-a-csirt/#comments</comments>
		<pubDate>Fri, 04 Jun 2010 22:46:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/04/episode-89-how-to-create-a-csirt/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the details of how to create a successful CSIRT with Ireland&#8217;s own Brian Honan of The Irish Reporting and Information Security Service.
Subscribe in iTunes:

Subscribe with XML:


TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Brian Honan, an independent security consultant [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the details of how to create a successful CSIRT with Ireland&#8217;s own Brian Honan of The Irish Reporting and Information Security Service.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-313"></span></p>
<p><strong>TRANSCRIPT</strong></p>
<p><strong>Amrit Williams</strong>: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Brian Honan, an independent security consultant in Dublin, Ireland. And Brian is also one of the members who helped found, and create and manage and maintain and get the word out about Ireland’s CSIRT program, the Irish Reporting and Information Security Service.</p>
<p>Brian, thanks for joining me today; I really appreciate your time. Talk about some of the mechanics of CSIRT programs. I know there are a lot of folks out here. One of the things I’ve always been impressed with in the security industry is the number of people that are willing to invest their time and resources in supporting causes for the greater community. And I think there’s a lot of folks that really would like to get involved, even locally, in their own potential CERT programs, either fostering them or better enabling them or helping to create them in areas where they are not created.</p>
<p>So why don’t you dig in a little bit, Brian, about your experience in the whole process of creating an infrastructure there for CSIRT? And you mentioned a couple of things here, love to get your take on how these things get funded, how do you start it, how do you coordinate with others. So just start painting a picture here about how one goes about creating a CSIRT program and some of the obstacles and challenges and experiences you’ve had.</p>
<p><strong>Brian Honan</strong>: Okay. I suppose the first thing you need to do is to identify the constituency that you’re going to serve; so who are you going to serve: is it going to be businesses, is it going to be the consumer, is it going to be government bodies, is it going to be educational bodies? So identify what is your constituency and focus in on that.</p>
<p>Next, identify what services does that community need from the CSIRT? Different CERTs provide different types of services. Are you going to be just doing, sending out alerts to people; or are you going to coordinate incidents, whereby you can have a victim company talk to an ISP in a given jurisdiction to get an attack shut down from that area; or do you provide triage services, whereby either remotely or you send somebody out to sites where you can have people hands-on be able to issue. Are you going to do malware handling and malware analysis, et cetera, from a big reporting?</p>
<p>So figure out, A, what your community is; and, B, what that community wants from you. And then when you have that, sit down and try to figure out, well, what resources do you have to be able to provide those services to that community.</p>
<p>Resources can be very different things: it can be tools, it can be equipment, it can be offices. It’s also money, because invariably along the way you have to spend money somewhere; but it&#8217;s also having staff as well.</p>
<p>So from an IRISS point of view when I sat down and sort of said, “Okay, let’s set this up and get it running”, the big challenge for me was, I had already identified what the community was, because that’s going to be the Irish business community. We identified what the services were, because that was all the work we had done previously already. And the next part was, well, what resources do I have to put in place?</p>
<p>And I have been very lucky. I have been dealing a lot with the UK’s CPNI; they’re the part of the UK Government that looks after critical network infrastructure, and they have what’s called a WARP program &#8212; that’s the Warning, Advice, Reporting Points. Their website is <a href="http://www.warp.gov.uk/">www.warp.gov.uk</a>. And they actually provide a package and a tool that you can use to have people subscribe to the service to get alerts and warnings out to them. And that service gets fed by other services such as US-CERT, Microsoft, Symantec, on all the different types of communities that are out there. So it’s a very, very effective platform to get up and running very quickly. That was the tool I identified as being the most cost-effective one for us to use.</p>
<p>I was also extremely lucky in that, as you mentioned, Amrit, Internet security industry is probably unique in a lot of ways, and one of them being the way people want to give so much back to the community. So I actually have 15 other volunteers working with me who have given up their time for free, for no reward at all, to help manage and learn IRISS on a daily basis.</p>
<p>So we provide our service 9:00 to 5:00 every business day. We have two volunteers working and managing the system each day. And then outside of that, then we have project 4:44 to keep things going as well. So we have been very lucky from that point of view.</p>
<p>(00:04:50)</p>
<p>So once you’ve got your tools and your resources, then figure out how much money you are going to need and try and get the money from somewhere. Again, I’ve been very lucky in that how we provide our service to our community is by sponsorship. We have some very good sponsors with us. We have the SANS Institute, have been a great help; without SANS, IRISS would not be up and running.</p>
<p>And we’ve also been very lucky with other sponsors. A local security firm here called Intelligent Solutions and NetWitness have also provided us with some sponsorship as well. So thanks to our sponsors, we’ve been able to continue getting our services out to the community.</p>
<p><strong>Amrit Williams</strong>: It’s interesting as you are talking, obviously as I am talking with others, this is really a common theme. There is a lot of different services out there, there is a lot of sources of information. What do you think is… in terms of coordination of all this information, how does that work, specifically with the IRISS CSIRT program? How easy is it to coordinate with either the private sector, like a Symantec, McAfee or Microsoft, or some of the other CERT programs around the world? Can you talk a little bit about coordination or information coordination?</p>
<p><strong>Brian Honan</strong>: Yeah, well, I suppose the first thing about getting information out to the users is that with the WARP platform that we’re using, when you sign up for the service, you’re given a logon ID and you can sign into the system. And then you’re given a choice of software, hardware and types of threats that you can receive the warning on.</p>
<p>So if you’re a Microsoft house with Cisco and Oracle, well, you just click those; you just highlight those buttons, and they’re the only ones you’re going to get from IRISS about software vulnerability or attacks. We also send out alerts.</p>
<p>So from the end user point of view, they get an email in their Inbox from IRISS; they know that it’s been embedded, because all those vulnerabilities are set into the WARP platform and are rated and identified as to how critical they are and then fed out ultimately through the system as well.</p>
<p>We can send out our own localized alerts, being the stuff that we’ve seen, and that can go out to people in their Inbox as well. So it’s a very effective way of cutting through all the noise and getting information to people the way they need it.</p>
<p>We coordinate with other CERTs. We have a dedicated email and 7:32 as far as the other CERTs are concerned, 07:34 that’s particularly issues going on or they have identified stuff that they want us to help them out with. And likewise, we have contacts in those CERTs to reciprocate the problem as well, the service as well.</p>
<p>All the time within the community here in Ireland, we’ve established relationships with the ISPs and the telcos and the bodies responsible for the infrastructures, and hopefully over time they’ll begin to trust the quality information that we’re giving them so that they can react appropriately as well.</p>
<p><strong>Amrit Williams</strong>: Switch gears just a little bit, Brian. I know you get a lot of information; you are exposed to a lot of incidents that happen, not only in your neck of the woods, but around the world. What type of trends are you seeing over the last couple of years? Has there really been a significant shift in malware? A lot of people talk about it; but you’re sitting there on the frontline seeing a lot of the stuff happen. Can you talk a little bit about what your experience has been with the actual incidents themselves?</p>
<p><strong>Brian Honan</strong>: The major incidents we’ve seen is the increase in compromise of websites to host either malware or phishing sites. So a lot of the incidents that we’re dealing with, we‘re getting notified by CERTs in other countries or CERTs within the financial organizations to alert us that a small website belonging to a small company in Ireland has been hacked; the criminals have pushed a phishing site in the backend. So unbeknownst to the owner of that site, they are now hosting a phishing site that has been used to attack the clients of a certain bank in different countries. So we’re seeing quite a lot of that. So when we get that information, we contact the ISPs responsible, and they have their client take the offending site down.</p>
<p>We’ve also seen a lot of sites being compromised to host malware for a drive-by download as well. So again, the targets tend to be the small and medium companies who have a web presence, may not be very technically savvy, and their sites have been compromised unbeknownst to the host owner too.</p>
<p>We have seen other types of attacks as well, but they have been the majority of attacks that we’ve seen.</p>
<p><strong>Amrit Williams</strong>: Anything specific to Ireland?</p>
<p>(00:09:54)</p>
<p><strong>Brian Honan</strong>: Well, I suppose the funniest one we’ve seen has been phishing emails in the Irish language. That’s a targeted attack of the 10:00. There’s only a few hundred thousand people who speak Irish fluently in the world, and most of them live in Ireland; so to see a phishing email ask 10:12 is unusual in itself (laughing).</p>
<p><strong>Amrit Williams:</strong> I have to ask: do they have as bad spelling and grammar when they speak the Irish language as they do in (laughing)…</p>
<p><strong>Brian Honan:</strong> Well, like we have one or two native speakers on our team, and though it wasn&#8217;t fluent, it was actually &#8212; it wasn’t a Google translation (laughing). It was quite good, but it wasn’t done by a native speaker; they actually must have contacted somebody somewhere, but it was 10:41 so you have that.</p>
<p>Other attacks we’ve seen here in Ireland and I can talk about because they’ve been in the newspapers here is that small companies here were attacked whereby the criminals hack into their network, modify their backup so that when the backup would continue every night for a period of two weeks, the backups actually wouldn’t back up anything. So the source data wasn’t being backed up. And after a period of two or three weeks, the criminals will come back into the network again, and they then encrypted the data on the network and sent the victims an email saying, “You pay us $700 or you won’t get your data back”.</p>
<p>Now, of course, everybody&#8217;s reaction was, “Oh, well, I don’t have to worry about that; I have a backup”. And of course they go to their backup, and none of the tapes are on the disk, because they haven’t been… their backups have been altered.</p>
<p>So that was an attack that I haven’t heard &#8212; I’ve heard of ransomware attacks against individuals; but that was the first time I had seen a specific attack like that that was all thought out, whereby the backups were encrypted first and then the data encrypted and then the ransom note sent to the victims.</p>
<p><strong>Amrit Williams:</strong> You know, as bad as this may sound, I never tire at listening to the creativity of the attackers, they’re extremely creative (laughing). I find it fascinating, and sometimes it makes me giddy; I don’t know why, but that’s probably a bad thing.</p>
<p>I wanted to touch base a little bit on what do you see as moving forward, the future. What type of things are you hoping to see happen with either the CSIRT programs or Information Security in general? How do we start changing this a little bit so that we can get ahead of what has generally been a very reactive industry?</p>
<p><strong>Brian Honan:</strong> Well, with IRISS, our plan for the future is we want to develop and grow the maturity and the capabilities that we provide, and we’ve taken steps already. There is a community of CERTs within Europe called the TF-CSIRT, and we have just recently been accredited with full CERT status within that community, which has been a great milestone for us to achieve.</p>
<p>Our next milestone is to become members of FIRST, <a href="http://www.first.org/">first.org</a>, and provide more tools and better quality of service as a result of that out to our members.</p>
<p>We’re hoping to cooperate and partner more with organizations in Ireland to try and better provide services to the community and to better educate the community as well. And of course become more active and more involved in the international CERT community, whereby we can attend CERT meetings and conferences and be able to have that level.</p>
<p>Again, unfortunately, all of those things cost money; so we need to take small steps first, and over time hopefully funding will allow and we can achieve those.</p>
<p>On the greater scheme of things, Information Security in general, I would like to see us take a more risk and business approach to security. I think when people mention Information Security, even the business in a lot of places, their first reaction is, “It’s a computer problem, it’s an IT problem”.</p>
<p>Information Security is not an IT problem; it is very much a business problem. If somebody gets into your network, steals your comprising data, steals your customer list, gets into your bank account and enters your bank account, that is not an IT problem; that is a business problem, because you could be out of business the next morning. So we need to better engage with the business and the community so that they’re more aware of the actual threats that are out there and they’re able to deal with it as well.</p>
<p><strong>Amrit Williams:</strong> I really like the way that was stated, Brian, and I think oftentimes in the Security industry, I think a lot of us feel that way; but there is always that challenge of convincing the business owners themselves or the greater community, the greater business, commercial, government, whatever it is, that this isn’t a computer problem. This is a business problem. This is a problem that affects our ability to continue delivering services and doing what we are supposed to be doing, and driving that awareness has been quite difficult.</p>
<p>(00:15:01)</p>
<p><strong>Brian Honan:</strong> It has been. It’s not even just a business problem. At a bigger scheme of things, it’s a society problem as well. If a business can’t do what they’re supposed to be doing in a safe and secure manner, well, society in general is going to be impacted as well.</p>
<p>Let’s not go into the, as you said, the cyberwar or cyber espionage stuff, which is higher-level stuff than just the basic keeping the wheels turning and keeping the lights on. Business and the community need to realize that the threats are out there and they have to deal with them as well.</p>
<p><strong>Amrit Williams:</strong> Brian, I really appreciate you joining me today. If folks want to interact with you, get some more information, reach out to you, do you have a place they can do that? Are you willing to talk to folks if they’ve got some more questions?</p>
<p><strong>Brian Honan:</strong> Yeah. Well, my email is <a href="mailto:brian.honan@bhconsulting.ie">brian.honan@bhconsulting.ie</a>. If you want to see IRISS, it’s <a href="http://www.iriss.ie/">www.iriss.ie</a>. I’m also on Twitter; so if you want to listen to me rant and rave electronically, my Twitter handle is @brianhonan.</p>
<p><strong>Amrit Williams:</strong> And that’s B-R-I-A-N, H-O-N-A-N.</p>
<p><strong>Brian Honan:</strong> That’s correct, yeah.</p>
<p><strong>Amrit Williams:</strong> Brian, fabulous conversation. I really appreciate you taking time today and hope to have you back on soon. Thanks a lot. I guess right now, I guess it’s… what kind of beer do you drink in Ireland there, Brian, at almost 6:00 o’clock on a Friday night?</p>
<p><strong>Brian Honan:</strong> I drink Guinness.</p>
<p><strong>Amrit Williams:</strong> Guinness (laughing)?</p>
<p><strong>Brian Honan:</strong> Guinness for beer. Yeah, it has to be Guinness (laughing).</p>
<p><strong>Amrit Williams:</strong> Hey, it’s like dinner, right (laughing)?</p>
<p><strong>Brian Honan:</strong> Yeah, you drink enough that you don’t care about food any more.</p>
<p>(Laughter.)</p>
<p><strong>Amrit Williams:</strong> Fantastic. Really appreciate your time, Brian; thanks a lot.</p>
<p><strong>Brian Honan:</strong> No problem, Amrit. Thank you.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/04/episode-89-how-to-create-a-csirt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 88: Malware Free Europe?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/05/29/episode-88-malware-free-europe/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/05/29/episode-88-malware-free-europe/#comments</comments>
		<pubDate>Sat, 29 May 2010 10:40:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/05/29/episode-88-malware-free-europe/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses information security education and response with Ireland&#8217;s own Brian Honan of The Irish Reporting and Information Security Service.
Subscribe in iTunes:

Subscribe with XML:


TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I&#8217;m joined by Brian Honan, an independent security consultant in Dublin, Ireland. And Brian [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses information security education and response with Ireland&#8217;s own Brian Honan of The Irish Reporting and Information Security Service.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I&#8217;m joined by Brian Honan, an independent security consultant in Dublin, Ireland. And Brian is also one of the members who helped found, create, maintain and get the word out about Ireland&#8217;s CSIRT program, the Irish Reporting and Information Security Service.</p>
<p>Brian, thanks for joining me today. I really appreciate your time.</p>
<p>Before we get into some of the other aspects of your background, I am actually quite interested, and I am sure the audience is as well, in how different countries deal with security response. And so if you don&#8217;t mind, I&#8217;d like to basically start with IRISS, and when it was founded, how it was created and, you know, just a little bit about your experience with it.</p>
<p><strong>Brian Honan:</strong> Sure. Well, firstly, thanks for having me on board; it&#8217;s great to have the opportunity to talk to you and your audience about this project.</p>
<p>IRISS had been a love child of mine for many years. I started my own company, BH Consulting, as an independent consulting firm back in 2004. And when I started working for myself, I saw this as an opportunity to try and give something back to the community.</p>
<p>One thing that had bothered me for many years previous to that was that Ireland is one of the very few countries I could see within the Western Hemisphere and the developed world that did not actually have a dedicated Computer Emergency Response Team to help out companies or businesses, organizations or even citizens, should they become victims of a cyber attack.</p>
<p>So in 2004 I decided, like, now that I am working for myself, I can take time and try and get something up. So I took the approach: I went and I talked to the Irish Government, to the department responsible for Internet security within Ireland &#8212; that’s the Department of Communications &#8212; and approached them and said, “Hey, guys, you know, we don&#8217;t have a CERT. Should we have one?” and the response back then was “Well, we are not sure if we need one or not; nobody has made a great demand, and we don&#8217;t want to create a Field of Dreams and nobody comes type scenario. But if it can be demonstrated there is a demand or a need for it, we will definitely look into it in more detail”.</p>
<p>So I spent the next year going around talking to various different bodies within Ireland; so be they the police, the defense, 2:27 of all shapes and all sizes within Ireland from small sector to medium sector up to large enterprises and Government agencies, talking to the groups in Ireland that would have a good Internet security community because of the 2:44 thing, et cetera, et cetera. And touching base with their members and getting their feedback as to what Ireland should or shouldn&#8217;t have from a CERT.</p>
<p>And the overall response was, “Yes, Ireland does need a CERT”, and people did see Ireland potentially being at a disadvantage both economically and, you know, there is a 3:09 et cetera, intellectual property, et cetera. And what are the CERTs in place; there was no independent body that could coordinate any response to that.</p>
<p>So with that we went to the government, presented our findings, intelligence, on the need for a CERT, and the response was relatively positive. We talked a bit further, and that was further enhanced then by the attacks against Estonia whereby the whole country was taken offline by Russian 3:37 protesting against Estonia taking the statue of a Russian soldier off of the main street in the capital city. And that demonstrated I think to a lot of nations how fragile the network infrastructure is and how fragile the Internet is and what happens when it&#8217;s not there, like Estonia being very focused on trying to 4:00 et cetera, it was a good poster child about what it could be like. It’s probably not a good thing for this kind Estonia has, but it was a good example of how effective a country attack could be on a nation&#8217;s base.</p>
<p>And that obviously gained a lot of attention in Europe and in Ireland, and there was renewed interest from the Government in it. But then other things overtook it, a change in Government, the recession started to hit, and I figured as these things are progressing, we are at a very, very slow pace; we were now in the early year of 2008, and I decided, okay. It waits for funding and all the attempts to align pockets of the Government and get this up and running. We could be waiting a while longer. So in the interim I said, you know, let&#8217;s set something up that we can provide some services to the community here in Ireland.</p>
<p>(00:05:06)</p>
<p>So with that, I founded Ireland C-CERT, a 5:09 company, and we have been operating since November 2008. We are providing our services free to all companies operating within Ireland, so all organizations. And the services provided are predominantly alerting, warning and coordination services for attacks, and it&#8217;s been very successful so far. We have over 300 companies subscribing to our service, and the response we have had from everybody has been very, very positive.</p>
<p><strong>Amrit Williams:</strong> So I don&#8217;t know if a lot of people know this; but Ireland actually does a lot of outsourcing. There are a lot of tech companies that have centers either for quality assurance or development throughout Ireland, including companies like Microsoft, I know McAfee just announced something, and Quark.</p>
<p>What did they do previously? I mean, I know Microsoft has had a development center in Ireland, I think, for at least a decade. Did they… if they had an incident &#8212; I don&#8217;t know if you know this &#8212; but even if it&#8217;s a hypothetical, what would a company do prior to the founding of C-CERT? Who would they contact? How would they coordinate some type of either forensic information or understanding more about the incidents so that they can respond?</p>
<p><strong>Brian Honan:</strong> Well, I suppose certain companies like Microsoft are the big multinationals that we do have here, and as I said, there are quite a few: we have IBM, we have Symantec, we have McAfee, Trend Micro, Apple, Hewlett Packard, Intel; you know, the list is quite long of the big, large multinationals here. Well, they would have quite capable internal CSIRT capabilities, which I am sure they would be able to use themselves and would cooperate with other CERTs of law enforcement in the jurisdiction they would need to.</p>
<p>I felt that, you know, those large organizations can survive a 06:54 to a certain extent; but the smaller organizations, you know, medium-sized companies or SMEs, didn&#8217;t have anybody to turn to. And in a lot of cases, if they suffered an attack or they had an incident, if they knew about it, their response predominantly would have been maybe just to hire in a consultant or get their own internal to get things back online. They wouldn’t have had any capabilities to contact a CERT in another country to stop an attack from happening. So the main market we were aiming at were the medium and smaller companies anyway.</p>
<p><strong>Amrit Williams:</strong> Right. And the value of including these large multinationals is not so much to assist them, which I am sure you can do, but the value of this is an aggregation point of information to share with others. Also the ability to notice certain types of trends, so that others can respond to it quickly.</p>
<p>Prior to the creation of IRISS, what did companies do? I mean, where would they get their information? What CERT programs would they affiliate themselves with, or was it just largely based on who they knew or what they were comfortable with? Was there a standard method that they would use, or did they look to the U.S., the UK?</p>
<p><strong>Brian Honan:</strong> Yeah, predominantly a lot of companies, you know, when I was doing my research and putting the business case together for IRISS, a good deal of surveys amongst people, and one question I did ask was: where do you currently get your CERT capabilities from? And a lot of the people were using CERT/CC or US-CERT to get a lot of their information from. But that predominantly would be warnings of, you know, vulnerabilities or alerts; there wouldn&#8217;t be any service within Ireland to give any localized or focused information on what&#8217;s happening within the Irish area, and we have been able to do that now with IRISS. We have been able to alert certain sectors of the community against attacks that we have been notified about or we have noticed happening and get the word out to that sector quickly to have them improve their defenses or at least be aware of what could be coming through their pipes.</p>
<p>So previous to that start, they would have been looking towards CERT/CC or they would be subscribing to self-executing 9:17 tracker or other maintenance to try to get some heads-up on what&#8217;s happening.</p>
<p><strong>Amrit Williams:</strong> You know, there is so much here to talk about, Brian; I want to get into a couple of areas. I want to talk a little bit about how one might go about supporting, enabling or better moving the maturity models for CSIRT programs around the world. I want to talk a little bit about coordination with other CERT programs internationally.</p>
<p>But before I do, one of the things we were talking about prior to the podcast was this concept of sometimes electronic crime is seen as a victimless crime. And I am curious if you’re seeing any of those perceptions change as you’ve gone through the process of creating the C-CERT program there in Ireland, either from the Government side or the commercial side, or are we still dealing with a lot of folks struggling with the concept of electronic crime actually having victims associated with it?</p>
<p><strong>Brian Honan:</strong> I think the perception of having victims of electronic crime is changing. It is changing slowly. I think what has been happening is that, you know, people are becoming more aware of electronic crime because of various types of phishing attacks or the consumer, for example, is now more &#8212; you know, they’ve all seen spam, they’ve all had phishing emails. Some have become victims of phishing emails. Newspapers are reporting cybercrime issues a lot more than they did or they would in the past. But I still think, you know, we still have this, you know, perception that if I get mugged in the street and £2,000 is taken out of my pockets, that&#8217;s a more serious crime than if somebody electronically gets into my laptop and takes £2,000 out of my credit card or my bank account. And this would be the example we were talking about before the podcast, Amrit, was, you know, a physical attack against somebody is seen more seriously in the courts, if it gets to court, than electronic crime.</p>
<p>And, you know, over time I think it is changing. I still think companies still have a way to go before they realize the threats that are facing them and the potential that cybercrime and the damage that cybercrime could cause their business, be that money taken out of their bank accounts or leaving a 11:37 on the networks which could be used by other people or for their websites to be compromised to whole phishing sites or malware or 11:46 be stolen out of their company, and this 11:53 compared in the streets and stuff.</p>
<p><strong>Amrit Williams:</strong> Well, that&#8217;s interesting. You mentioned to me the UK actually, I think you mentioned they had a law amended that if there was some type of electronic crime that they needed to contact the bank; there really is no service available for somebody that is experiencing that, especially if they are a consumer, regardless of the amount.</p>
<p>And it is not radically different here in the United States. I don&#8217;t think people know how to call or what to do if they have experienced even a significant amount of loss to electronic crime, which is very different in the physical world. Like you mentioned, you have 20 bucks stolen from you on the street of any major U.S. city, and cops will be there quickly &#8212; well, not in all major cities, but in some of them.</p>
<p>But, you know, you have thousands or tens of thousands of dollars stolen electronically, and I think the vast majority of people, probably 90% of the world&#8217;s population, have no idea what to do.</p>
<p><strong>Brian Honan:</strong> I think we have to look at the problem from inside where it&#8217;s not just somebody, the victim&#8217;s point of view. I do think a lot of police forces need to be educated well of the seriousness of the crime and that, you know, if somebody rings a police station, they say “I’ve been a victim of a phishing attack, all my bank accounts have been raided”, that the police officer that takes that report knows what to do and who to report within the organization the crime to.</p>
<p>Like I found out here in Ireland talking to different companies, they don&#8217;t know 13:17 if they ring up their local police station that the police officer on the phone won’t know how to call the crime and report it, and I think that&#8217;s kind of the change we have to face as well is police forces need to be better educated in how they engage with the community when it comes to electronic crime.</p>
<p><strong>Amrit Williams:</strong> Yeah, and it&#8217;s interesting too because in the physical world you’re geographically bounded, right? I mean, you can assign someone in the city of X to take care of a case that happens in the neighborhood of Y. That&#8217;s very, very different in the electronic world, because you could be attacked from, you know, anywhere in the world. I mean, you could be sitting in the U.S. attacked from Estonia, or you could be sitting in Ireland attacked from the Ukraine or China and Korea; who knows?</p>
<p>And I think it makes it very difficult, but this is definitely one area where education needs to ring true, and I wonder what is the role that the C-CERT Programs can play in driving better education, especially in the Government and in the commercial.</p>
<p>And let me just give you a quick example. I know when I was over in the UK, one of the things I was noticing with how the UK Government is looking at, you know, cyber attacks &#8212; and forgive me for using the word “cyber”, but it&#8217;s the best descriptor here.</p>
<p>We have the same problem in the U.S. You know, if you look at, you know, cybercrime, you know, you look at what people are calling cyber warfare &#8212; which, you know, I’m not going to get into here nor there statistics of it &#8212; or if you look at cyber espionage that as soon as you put the electronic or cyber or digital precursor to it, everyone wants to lump it into one type of thing, which doesn’t happen in the physical world, and I noticed, you know, the same experience when I was over in Europe similar responses. They weren’t really sure how to educate, designate and delineate between these three very different types of things. Organized crime trying to steal money for financial gain is extremely different than a state-sponsored espionage or even state-sponsored cyber attacks.</p>
<p>So my question to you really is around two things. One is how do you see the role of C-CERT in helping to drive better education; and, two, do you see the education being understood throughout your experience there in Europe?</p>
<p><strong>Brian Honan:</strong> I think from the first question there as to how can C-CERT help on the education side of things, I think there&#8217;s two ways they can do that. One is simply by raising awareness of writing timely advice to people and to organizations when there is an attack or a 15:53 that they see on the horizon, and that may not just be putting an alert there on your RSS feed or on your email subscriptions. You, you know, engage with the press. Educate the press, give them heads-up on what types of attacks and, you know, let the papers try and educate the masses that way as well.</p>
<p>I think the second thing we could do is what we are trying to do with ours as well is really hold an annual cybercrime conference and try and get experts in the field to talk to our constituency about cybercrime and the risks that are there and how to counter those risks and how to deal with those risks, and that has been very well received by our constituents because all our services that we provide, we provide for the CERT; so, you know, you can’t get better value for that than using our service and coming to our conferences. So, you know, people have found them to be very, very useful.</p>
<p>And I think that&#8217;s the way C-CERTs can help is by engaging more and more with the community, and that&#8217;s reaching out not just by the normal channels, you know, such as email and RSS feed, et cetera, but also by using the press and the opportunities, seminars, et cetera, to speak as well.</p>
<p><strong>Amrit Williams:</strong> Brian, I really appreciate you joining me today. If folks want to interact with you, get some more information, reach out to you, do you have a place they can do that? Are you willing to talk to folks if they’ve got some more questions?</p>
<p><strong>Brian Honan:</strong> Yeah, well, my email is <a href="mailto:Brian.Honan@bhconsulting.ie">Brian.Honan@bhconsulting.ie</a>. If you want to see how it&#8217;s <a href="http://www.iriss.ie/">www.iriss.ie</a>. And I’m also on Twitter, so if you want to listen to me rant and rave electronically, my Twitter handle is @brianhonan.</p>
<p><strong>Amrit Williams:</strong> And that&#8217;s B-R-I-A-N, H-O-N-A-N.</p>
<p><strong>Brian Honan:</strong> That&#8217;s correct, yeah.</p>
<p><strong>Amrit Williams:</strong> Brian, a fabulous conversation. I really appreciate you taking time today and hope to have you back on soon. Thanks a lot.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/05/29/episode-88-malware-free-europe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 87: Verizon Call Out the Vulnerability Pimps</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/05/22/episode-87-verizon-call-out-the-vulnerability-pimps-2/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/05/22/episode-87-verizon-call-out-the-vulnerability-pimps-2/#comments</comments>
		<pubDate>Sat, 22 May 2010 07:13:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/05/22/episode-87-verizon-call-out-the-vulnerability-pimps/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, continues his discussion with Marc Maiffret of FireEye on emerging threats and the new vulnerability pimps.
Subscribe in iTunes:

Subscribe with XML:


TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Marc Maiffret, Chief Security Architect with FireEye and former CTO and Founder [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, continues his discussion with Marc Maiffret of FireEye on emerging threats and the new vulnerability pimps.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Marc Maiffret, Chief Security Architect with FireEye and former CTO and Founder of eEye.</p>
<p>Marc, thanks for joining me today. We talked a little bit about the proliferation in terms of the professionalism, the organization of the bad guys. Are you seeing any trends in terms of the number-one threat vectors that folks are using these days?</p>
<p><strong>Marc Maiffret:</strong> Yeah, I mean, I think most would agree that… I mean, I think most now hopefully understand that the attacks have really moved to being at least the way that a company is initially becoming breached. I’d say 90-plus percent of the time, it’s definitely from an attack coming into the desktop environment, typically coming through some client application program, whether it’s the browser itself or all the third-party applications that can be exploited through the browser or through email. And definitely in that context also, probably the single most popular thing that we see being exploited is definitely with Adobe Acrobat.</p>
<p>And I think when you look at those third-party applications &#8212; and I think I’ve made this point before, but I think it can’t be kind of made enough &#8212; but when you look at the third-party applications, most of them from a security perspective they’re where Microsoft was five, ten years ago, and a lot of that is just for the fact that Microsoft had so many problems, as we all know, and so many worms and so many bad incidents that they really had to take security and really invest and treat it as a real problem rather than a kind of marketing problem.</p>
<p>But for most of the other companies, it’s something new for them. It’s only been in the last year or two at most that Adobe became such a large target and under such fire from all the exploits that are out there and continuous Zero Day unpatched vulnerabilities. So there’s that kind of lagging behind, and that’s sadly what we see time and time again with technology companies is it’s only once all the bad things start happening that they start to be proactive or are more proactive in their security. I think that’s a trend that will kind of always be there, and I think the scary part when you think about that is definitely as it relates to cloud computing and, where in the world of all the different cloud services, you can’t have independent researchers discovering all the vulnerabilities like you could with Adobe and Microsoft, because with the cloud obviously if you’re auditing whatever, <a href="http://www.salesforce.com/">Salesforce.com</a> or something, as an independent researcher you can’t actually do that ‘cause it’s a third-party server that you’re interacting with and therefore illegal.</p>
<p>So you’re taking the independent security researchers completely out of the game of helping to improve technology, leaving it up to technology companies themselves. And if the last ten years have been any indicator of how that’s going to go, it’s going to go very poorly, in that independent security researchers have really led the charge on helping to improve technology and really to hold technology companies accountable before all the bad stuff starts happening.</p>
<p><strong>Amrit Williams:</strong> And it’s interesting, too, because the organizations themselves that rely on these third-party services, they lose visibility and control. So they’re unable to use the normal type of technologies they might to watch traffic flow from a corporate resource sitting out there at Starbucks accessing corporate resources that are maintained by a third party. So it sort of creates a whole new paradigm of trust problems for these organizations.</p>
<p><strong>Marc Maiffret:</strong> Yeah, completely. I mean, it’s funny when you think about a lot of the cloud services or just Software as a Service, whatever we’re calling these things today (laughing). But when you think about those technologies, not only is there the underlying just basic, “Hey, is their code secure?”; but they are actually missing… in a lot of cases they’re missing even more fundamental stuff.</p>
<p>For example, when you sign up with some of these different sites, especially if you’re using them for replacing your sales system or replacing your accounting system or other kind of critical core customer-management systems, they’re missing the most basic things of even giving you an audit trail of who’s logging on and logging off and where are they logging off and on from.</p>
<p>And sometimes they might give you that output &#8212; you can log into their site, you can look for that on a specific link within the website that you can kind of scroll through it or whatever &#8212; but they’re not giving you that in kind of a data format that you can feed back to your SIM just like you would with any other type of technology. So there’s a lot of basics as it kind of relates to just the audit and controls that I think companies are used to with the more standard kind of software they’ve been using over the years that are just completely missing from most of the Software as a Service.</p>
<p>(00:05:11)</p>
<p>So I would love to see if there was ever some kind of open standards and requirements, even around the basic aspects of logging in and audit controls of these sites, to where they had kind of an open web services, XML, et cetera, interface that would allow third parties, whether it’s IT kind of building their own tools or security companies themselves, to be able to have a standardized interface through these different cloud services to be able to kind of take some of that audit and security data and bring it back to correlate it all with the bigger picture of what’s happening in a company, because obviously with corporate security there’s more than… not everything is going to be sent off to the cloud, if you will.</p>
<p><strong>Amrit Williams:</strong> Yeah, no, it’s interesting you say that, too, because I think folks working trying to create cloud-audit frameworks that support that, a lot of folks have sort of doubled down on the monitoring aspect, the analysis aspect of what’s going on in their environment, so that they can at least limit the incidents once they occur.</p>
<p>But this whole cloud-computing paradigm removes that ability from them, and it’s unfortunate. So hopefully we’ll see a lot more of the service providers providing mechanisms that can support the infrastructure that folks have built for monitoring.</p>
<p><strong>Marc Maiffret:</strong> Yeah. It’s one of those funny things; but it seems that in today’s world if you make some Facebook page or related that says that companies can sign up and IT people can sign up saying by joining this Facebook page we’re demanding these ten requirements from cloud stuff. I mean, there’s got to be some sort of grassroots thing like that, because what I’ve seen so far is definitely security folks I see bring it up now and then; but it’s definitely not enough being done to really demand it, and I would say any IT type of people and companies that might be listening to the podcast, even if you can’t necessarily hold up moving to Software as a Service, you should at least be very vocal in making your demand be heard that you do need some of these different kind of audit and kind of control aspects.</p>
<p><strong>Amrit Williams:</strong> Hopefully, we’ll see that. I can’t let you go without a little controversy, though; Marc. So I’ve got to ask you a question here.</p>
<p><strong>Marc Maiffret:</strong> All right, ask.</p>
<p><strong>Amrit Williams:</strong> Verizon came on and started proliferating this term “vulnerability pimps” recently, and one of your old colleagues, Morey over at eEye, had a post about how to write. And he got a lot of backlash on making that comment, especially from vulnerability researchers.</p>
<p>So not to rehash the old vulnerability disclosure debate &#8212; I’m actually not interested in doing that &#8212; but I do want to get your take, because you mentioned something in terms of cloud computing, which is you do remove the security researchers from the equation. I think vulnerability researchers, security researchers offer a lot of value, especially those that share the information in an appropriate way with the organizations that they find problems with. Without getting into too much detail here, what are your thoughts on this? What are your thoughts on the concept that Verizon is essentially saying that this is not good?</p>
<p><strong>Marc Maiffret:</strong> Yeah, you know, I kind of missed the Verizon thing; so I didn’t get the whole context of the “vulnerability pimps”. I’ve kind of heard it around and stuff, but I mean I think it’s funny. I guess for me, I’ve been in that whole realm of vulnerability research and stuff for so long now, and before Verizon had all these 8:45 and stuff that they were even doing. But the sad thing is as it relates to vulnerability researchers, I find it funny when people talk about concepts like “full disclosure” or “vulnerability pimps” or whatever, because the reality is that vulnerability research has been dead for probably a few years now.</p>
<p>What I mean by that is that the few security companies that actually used to still do proactive vulnerability research, like eEye, like ISS, like 9:17, almost none of these companies actually do it any more. I think one of the last commercial companies that still does good vulnerability research and publishing is CORE Securities, who very happily are carrying that flag, and love the guys for doing that. So it’s a funny thing to me when people talk about it, because I don’t know who out there is actually doing public vulnerability research any more. I mean, there&#8217;s things now and then &#8212; maybe you see something from Dan Kaminsky or now and then an independent researcher being credited in some Microsoft advisory &#8212; but it’s actually a sad state of security is that companies no longer do it and most of the independent researchers who used to do it, they for the most part now are either just selling Zero Day to a variety of different companies and organizations and they’re kind of doing stuff behind the scenes, and that to me is a scary thing.</p>
<p>And that’s I think also why you’re seeing such an explosion in the number of Zero Day and attacks that we see with Adobe: because I promise you, you had to spend five or six years ago when you had companies like eEye and ISS and related doing vulnerability research, responsibly reporting things and getting them patched through Microsoft, they promised you that at least 50% of all the Adobe vulnerabilities that we’re seeing today would have been being found by those companies and fixed in the responsible ways that IT patches.</p>
<p>The problem is that there’s this massive vacuum in the vulnerability-research world where these people aren’t doing it any more, and as such it’s basically left to two groups of people to do it: the vendors, who we know simply do not care until things become really bad for them; and the bad guys, who we know have all the motivation in the world to find these things, and that’s why you see the increase in Zero Day, that’s why you see so many Adobe vulnerabilities and kind of beyond.</p>
<p><strong>Amrit Williams:</strong> You know, that’s an interesting point. I hadn’t thought about that, but &#8211;</p>
<p><strong>Marc Maiffret:</strong> Yeah, there’s a massive vacuum out there for this stuff. And so that’s where it’s like I’d much rather (laughing)… again, I don’t know if the full context of “vulnerability pimp” is just about the braggery of finding vulnerabilities, or kind of what that context was. But I would take an independent researcher discovering a vulnerability, working with Microsoft or whoever to get it fixed, and I would let them try to plaster it all over the media and do everything that they could, because at the end of the day, who cares? They’re the one that found the vulnerability, they’re the one that worked to get it responsibly fixed, and that’s one less bug that’s now out there on the street, if you will, that’s a Zero Day being used by organized crime-backed guys that are spreading stuff.</p>
<p>So I think when it comes down officially to that aspect of people trying to grandstand off vulnerabilities and this and that, yeah, I mean, maybe that can come off kind of cheesy or vulnerability pimp-ly or whatever; but at the end of the day, I’d much rather have those people finding the vulnerabilities than what we have today, and the big problem is that those people don’t even exist any more for the most part.</p>
<p><strong>Amrit Williams:</strong> And it’s interesting, too, because like I was saying, I hadn’t thought about that until you mentioned it; but there really has been a major hole left by a lot of these folks and the organizations they report to restructuring how they go about research and what they should focus on. But there hasn’t been any massive drop in the vulnerabilities and patches that are coming out. They’ve spread &#8212; you know, you have more non-Microsoft third-party applications getting attacked &#8212; but there certainly isn’t a massive hole in terms of the number of patches or the re-jiggering of various internal security controls to respond to these events.</p>
<p>So the volume is still there. What seems to have changed is the process that one would normally have gone through to help protect these organizations before they become compromised. And I think you’re right: that’s created a major problem.</p>
<p><strong>Marc Maiffret:</strong> That&#8217;s it.</p>
<p><strong>Amrit Williams: </strong>Yeah, and it’s not gonna get any better any time soon.</p>
<p>Marc, I really appreciate you joining me today. Just for the audience again it&#8217;s Marc Maiffret, Chief Security Architect with FireEye, and <a href="http://www.modernmalwareexposed.org/">modernmalwareexposed.org</a> is the website that they’ve just launched, a lot of great information up there.</p>
<p>Marc, really appreciate you joining me today. Hopefully, we can get you back soon.</p>
<p><strong>Marc Maiffret:</strong> Definitely. Thank you so much.</p>
<p><strong>Announcer: </strong>You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/05/22/episode-87-verizon-call-out-the-vulnerability-pimps-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
