<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beyond the Perimeter </title>
	<atom:link href="http://blogs.bigfix.com/beyondtheperimeter/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.bigfix.com/beyondtheperimeter</link>
	<description>with Amrit Williams</description>
	<lastBuildDate>Fri, 20 Nov 2009 01:09:46 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Episode 64: Peer Based Research Breaks the Analyst Mold</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/11/17/episode-64-peer-based-research-breaks-the-analyst-mold/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/11/17/episode-64-peer-based-research-breaks-the-analyst-mold/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 20:54:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/11/17/episode-64-peer-based-research-breaks-the-analyst-mold/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the benefits of peer based research with Jack Phillips, co-founder of IANS, the Institute for Applied Network Security.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Jack Phillips, who is the Co-Founder and CEO of IANS, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the benefits of peer based research with Jack Phillips, co-founder of IANS, the Institute for Applied Network Security.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-210"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Jack Phillips, who is the Co-Founder and CEO of IANS, the Institute for Applied Network Security. Jack, thanks for joining me today.</p>
<p><strong>Jack Phillips:</strong> You are welcome.</p>
<p><strong>Amrit Williams:</strong> Jack, as I was mentioning to you earlier, I have got a lot of friends in common with the faculty over at IANS, and I have had probably about a half dozen of them come to me independently and say, Amrit, you have been in security for a while, you should probably get involved with this group IANS, and I thought to myself, well, what is this IANS thing? Most of these guys happen to be on the East Coast, in the Boston area.</p>
<p>Then I was out in a conference in Boston and I ran into a couple of more folks that I know from IANS and several customers of the company I work for. They sat me around at a table and they all explained to me how important IANS was. And I have got to tell you, I was looking at them thinking, this is kind of weird, I feel like I am being surrounded by a cult and they are going to ask me for my firstborn pretty soon.</p>
<p>But I did take the time to listen to them, and we did get some involvement with IANS, and we have been very impressed. But I wanted to ask you about, what was the problem that IANS was trying to solve that drew all these people together?</p>
<p><strong>Jack Phillips:</strong> Well, it&#8217;s a great question, and the faculty truly is our secret sauce, it&#8217;s one of the ingredients that we really rely on and are proud of, in terms of how we execute on our business. So it&#8217;s a group of about 25 strong, now, across the country, who are of varying backgrounds, but the commonality is that they are deep domain experts in information security. They have been in this space for a long time. They are well-respected. Some are practitioners, some are consultants, some are authors. But it&#8217;s just a great group, and often I call them the Intel chip inside of our chassis, because they really are the brain trust of what we do.</p>
<p>So about eight years ago, a business partner and I, we are entrepreneurs, we are not technologists, we are not security specialists. We have a knack for looking at and finding job functions that are poorly served from an information angle. We happened into information security through actually our original faculty member, who is Becky Bace, who goes way back in the space, has been both in the government side, as well as now on the venture capital side.</p>
<p>Ultimately, really just backed into an opportunity when she said, information security professionals, it&#8217;s an emerging job function, it&#8217;s on its way up. It is coalescing. It&#8217;s coming together at some point in the future; again, this was pre-9/11, we will have a chief information security officer. It&#8217;s not there yet.</p>
<p>So as an entrepreneur team, we looked and said, wow, that&#8217;s a great opportunity. So we had done a lot of research in what I call a peer-based research approach. And essentially what we did to build the business was we took a technique; we call it peer-based research, and applied it into an emerging job area, and an emerging functional area, which you know very well, which was information security.</p>
<p>We did it in a very, we think, unique and deliberate way, which was essentially what often many of our customers say is, you are the anti-Gartner-Gartner, you are from the bottom-up. In other words, you are aggregating peer insights and peer views from the bottom-up, from the masses, as opposed to the analysts&#8217; sourced insights that we are used to, as a community we are used to consuming and buying, and frankly, nowadays being somewhat captive to.</p>
<p>So that was the original vision for the business eight years ago. Two months into it, we held our first two-day Information Security Forum, in August of 2001, here in Boston. We had about 40 people, and we had about six vendor companies underwrite the event. We got through that event. Becky was our sole faculty member, and we got through it, and we said, we have something. People said, that was great. I learned more from my peers, and you guys facilitated discussions, but I learned more from my peers and I learned in a lot of time leading and listening to analysts. So we knew we were on to something.</p>
<p><strong>Amrit Williams:</strong> That&#8217;s very interesting too, because the insight to recognize that there was this gap, that was already there, but was going to become even greater, and also the insight to recognize that the professionals within information security would become more important and would need this type of information. So that&#8217;s very unique. I don&#8217;t think a lot of people really grasp that. I think that probably lends to your background and your thoughts as an entrepreneur.</p>
<p>When you talk about this concept of peer review, can you give some thoughts around the way that you hold a forum, the way that you communicate information out. Is there a review process? What is a role that the faculty members play in ensuring that information is distributed? Because one of the things I have noticed in information security is people don&#8217;t agree. When you have in a collected group of 25 faculty members; and I know many of them, I know they don&#8217;t agree. So is it really to facilitate the peer discussions, and how do you accommodate these varying views and ensure that you are still providing a service to those that want to participate and take advantage of what you guys are offering?</p>
<p><strong>Jack Phillips:</strong> It&#8217;s a super question. The answer is carefully. We do it carefully. As you know, this is a great space in that it is &#8212; there are so many answers to the pressing questions that we face. There are a lot of different paths, and you commonly hear professionals &#8212; similar job titles in different industries answering a particular question in diametrically opposed ways.</p>
<p>Frankly, again, from an entrepreneurial standpoint, we are really almost information arms dealers in this war, and we love when the war continues to rage and the debate continues to rage.</p>
<p>So the short answer is that, I think what professionals are looking for out in the marketplace is direction, not answers. They are looking for a narrowing of the options, in a sense, a set of decision criteria, decision support that narrows their options. It doesn&#8217;t answer the question for them, but that says, most of your peers are approaching this problem in two ways or from two different angles, and here&#8217;s some support on those two different angles.</p>
<p>Now, with that in mind, go back internally and decide how you want to proceed. If you continue to need our assistance, and our faculty actually, after helping to tease out what are the primary directions that users are taking, commonly they then will come in, when asked for an opinion, and say, here&#8217;s what I think.</p>
<p>So increasingly in the last few years our business model has matured to more recommendations, more course of action recommendations than we have traditionally done in the past.</p>
<p>But a classic culmination of a lot of activities is the document we produce on a particular topic, which is called a point of view document. That point of view, number one, articulates a few of the different approaches that we have observed. And number two, it does go out on a whim and say, okay, if you are this size and you are in this industry, our recommendation is that you take that approach. So that&#8217;s how the model has matured.</p>
<p>I guess the best metaphor is that, we try to build this mosaic of a lot of different pieces of information for our subscribers, for our members, put all that up, kind of on a single sheet of paper, and let them look at that mosaic, and then step back in order to see, okay, I see a path toward an answer for myself.</p>
<p>Again, we supplement a lot of other things that high-performing security teams use to make decisions, we are a supplement, we are not a replacement for, again, for analyst-based research. But that&#8217;s essentially the approach which is &#8212; to your earlier question, we hold live events all around the country of varying lengths: two days, one day, three hours. We hold phone-based conversations, usually about one hour. We hold online discussions.</p>
<p>The faculty&#8217;s role is, again, to act as a moderator, but really an intellectual backstop. So they do have a responsibility to call the truth if somebody varies off of fact, but essentially, we pay them on a strict percentage basis. Their job is to contribute or to speak no more than about 20% of any given conversation, and 80% is meant to come from the participants. They are trained in how to do that. That&#8217;s really, I think, the value that we bring to security professionals and vendor companies in terms of delivering insights.</p>
<p><strong>Amrit Williams:</strong> You said something that I thought was very well-stated, and I think this is &#8212; earlier on you had mentioned the anti-Gartner. I don&#8217;t know if you know this, but I am a former Gartner analyst, and I am very familiar with that side of the business. But I think what you said that I really tuned into was when you said it&#8217;s not so much that we are trying to provide recommendations, as in, do this and the outcome will be this, and this is what you need to do, which I think a lot of analyst firms fall into that trap. This is how you are supposed to do endpoint protection, this is how you are supposed to evaluate firewalls. They miss the fact that when they speak at that macro level, it&#8217;s very difficult for the individual companies to internalize and personalize what they need specific to them.</p>
<p>But when you said, what we are trying to do is provide them and narrow their options and provide them some direction, so that they can make the choices that are specific to their environment, that is something that I see clearly lacking in information security. You have got a lot of people coming out and say, do X, or I think Y is right, or this is why Z doesn&#8217;t work, but they don&#8217;t often back that up with the rationale that&#8217;s specific to an organization. So I really appreciated the way that you stated that.</p>
<p>Folks looking to get more information on IANS, the IANS website is <a href="http://www.ianetsec.com/">ianetsec.com</a> or .org?</p>
<p><strong>Jack Phillips:</strong> It&#8217;s actually <a href="http://www.ianetsec.com/">ianetsec.com</a>.</p>
<p><strong>Amrit Williams:</strong> Okay. Thank you very much. Jack, thank you for joining me today. It was a pleasure speaking with you, and I wish you guys the best. I will talk to you soon.</p>
<p><strong>Jack Phillips:</strong> Thank you.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/11/17/episode-64-peer-based-research-breaks-the-analyst-mold/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 63: What is the Future of Application Control?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/11/13/episode-63-what-is-the-future-of-application-control/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/11/13/episode-63-what-is-the-future-of-application-control/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 22:40:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/11/13/episode-63-what-is-the-future-of-application-control/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO and Tom Murphy of Bit9 discuss the future of application control as new technologies like cloud computing and virtualization permeate the marketplace.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO and Tom Murphy of Bit9 discuss the future of application control as new technologies like cloud computing and virtualization permeate the marketplace.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-208"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. Tom, thanks for joining me today.</p>
<p>I want to shift gears just a little bit, Tom, and ask you, what is the future of application control? We have got a lot of technologies coming on the horizon; Cloud Computing, virtualization, people are looking for, I am going to work at Starbucks with a device that may or may not actually be a physical instantiation of an OS being streamed to me from someplace else, and I am going to access an application from a third party. How do organizations, how will they look at implementing application control technologies or other controls in a world where they don&#8217;t own the assets, and they don&#8217;t own the computing paradigm, and they don&#8217;t even own the application itself?</p>
<p><strong>Tom Murphy:</strong> Well, what we are hearing more and more about is the introduction of virtualization to help have a personal computer; by definition, it&#8217;s labeled a personal computer, where someone actually may have that computer for two different uses. Let&#8217;s use, home use, for example, and then obviously the business operations.</p>
<p>More and more we are hearing the concept of virtualization to segment a physical machine into two different use cases, where they take the machine home and they are working out of one virtual space, and then they come to work, and they work out of another, and they keep the &#8212; the physical machine is the same obviously, but the distinction is made at the virtual layer as to what they do in each one of those layers, and they segment the responsibility.</p>
<p>So what we are hearing a lot about is that, companies want to embrace the use of the same equipment, and make it easier for someone to leverage information from home and take that same machine in. So what we are finding is that they want to have the controls on the established virtual environment, where they are going to be using it for work related, where they are touching information that&#8217;s critical to the security of the organization, at the same time, that same machine can go home and they can post stuff on Facebook, they can do Instant Messenger, they can do all the things they want to do.</p>
<p>So what we hear a lot from companies is virtualization on the endpoint, segmentation of responsibilities into buckets. The two most common buckets are, one virtualized environment for corporate environment, and a second ultimately for the home use or the nonbusiness related activities for the end user.</p>
<p><strong>Amrit Williams:</strong> So in terms of the future of application control, one of the things we are seeing, as you mentioned in an earlier segment, is Microsoft providing AppLocker and some basic application control functionality in the OS. You have other vendors providing things like file reputation services. Do you think that the commoditization of those functions, either as part of the OS or as part of adjacent technologies, naturally impacts applications&#8217; controls adoption, or that it accelerates adoption, and it&#8217;s good for companies that are able to offer broader sets of capabilities like Bit9 does?</p>
<p><strong>Tom Murphy:</strong> I think for sure. Actually, it heightens the awareness of the need, number one. And then what it also does is it starts to build out a requirements list for what does it take to do whitelisting.</p>
<p>Now, the thing that I always think is interesting is that, when we look at Windows 7, and we look at what I would say &#8212; AppLocker really to me is an advanced set of software restriction policies, and through policy object you &#8212; it&#8217;s a combination of those technologies, but it&#8217;s just an evolution of what existed in the Operating System prior.</p>
<p>Gartner recently did a research note on &#8212; when Windows 7 came out and AppLocker and the functionality, and it almost &#8212; again, it heightens the awareness of what needs to happen, but in the same note, Gartner highlights the fact that it falls short of some of the real requirements that are needed to ensure you can deliver whitelisting and app control on the endpoint. Those really refer right back to our initial discussion, which is, you have to be able to ensure legitimate software can make its way to the endpoint.</p>
<p>For example, we talked about leveraging Bit9 to watch BigFix&#8217;s software distribution, Microsoft currently cannot look at its own SCCM or SMS products to ensure that, that software is automatically whitelisted when it gets to the endpoint. So simple fundamental technology that &#8212; integration point &#8212; like you said, tuning the whitelist, that simplifies the tuning of the whitelist, and we have to ensure that &#8212; we know that, that has to be there in order for a whitelisting product to be adopted.</p>
<p><strong>Amrit Williams:</strong> You mentioned something, I think, when I asked about the unnatural commoditization, what I meant to &#8212; how I wanted to phrase that was, do you think the commoditization of only some aspects of application control, like software restriction as you mentioned it, somehow impacts people&#8217;s understanding of how application control could really provide benefit to the organization? It puts a lot of burden on you guys to express it, no, Application control is not simply software restriction, it does all these other things. I was curious if you thought that was unnatural in the market or was forcing some conversations that may not have had to occur.</p>
<p><strong>Tom Murphy:</strong> I do think that whenever a company or organization like Microsoft makes a statement about whitelisting and app control, that people will take on that perspective, and then they evolve from it. So I do think that it&#8217;s up to Bit9 to continue to evangelize the depth and the requirements. But I do think that for most customers, if they don&#8217;t look at Windows 7 and the functionality of AppLocker, they are doing themselves a disservice, because that is something that Microsoft is offering, and like other products that Microsoft offers, whether it&#8217;s software distribution, we know that they should look at those products, by default.</p>
<p>Eventually what happens is, whether it&#8217;s the software distribution moving to BigFix, or it&#8217;s application locker and application control moving to Bit9, they have to make the assessment as to whether or not the functionality meets their requirements, and we know in many cases that it will fall short of what they are trying to accomplish.</p>
<p><strong>Amrit Williams:</strong> Yeah. To kind of sum up here Tom, what we have been talking about, application control is broader than just software restrictions. Those looking to do application control need to understand that for it to be effective it needs to be part of the operations teams, as well as the security teams, and you need to look at how software is actually deployed and placed onto an endpoint, not just how you lock down applications from executing.</p>
<p>Do you have any other thoughts you would like to express to the audience in terms of how they can better think about application control or how their deployments may be seen as more effective?</p>
<p><strong>Tom Murphy:</strong> Sure. I think when you are looking at app control and application whitelisting, the first orientation is to think about security and advanced persistent threats and malware. But I think ultimately the message we are trying to deliver is, you have to know what&#8217;s on your endpoints. You have to build and maintain a good configuration, and that&#8217;s the foundation for establishing a good security posture, is just knowing and understanding what&#8217;s on your endpoints.</p>
<p>Then once you have that, you have got the ability to establish and define policies as to what can and cannot run. But without that initial visibility of what&#8217;s running, and the knowledge of what it is, the latter, which is good security, will never get there. So good visibility, knowledge of what&#8217;s running, and then the policies to enforce what can and cannot run is, I think, what BigFix and actually Bit9 are delivering.</p>
<p><strong>Amrit Williams:</strong> I think Bit9&#8217;s technology is phenomenal. I recommend that everyone takes a moment to check it out. If you guys are interested in looking at Bit9&#8217;s technology, you can find them on the web at <a href="http://www.bit9.com/">Bit9.com</a> and reach out to the team there, and they will provide more information to you guys.</p>
<p>Tom, I really appreciate you joining me today. I hope to have you back on soon.</p>
<p><strong>Tom Murphy:</strong> Pleasure! Thanks Amrit.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/11/13/episode-63-what-is-the-future-of-application-control/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 62: Tuning Application Control Technologies</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/11/10/episode-62-tuning-application-control-technologies/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/11/10/episode-62-tuning-application-control-technologies/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 22:52:28 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/11/10/episode-62-tuning-application-control-technologies/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO discusses application control with Tom Murphy of Bit9, and how to avoid endpoint lockdown.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. Tom, thanks for joining [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO discusses application control with Tom Murphy of Bit9, and how to avoid endpoint lockdown.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-206"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. Tom, thanks for joining me today.</p>
<p>So I wanted to just sort of drill into something you said, which is around the tuning, the impression, especially as folks have worked with HIPS based technologies on the endpoint, is that the tuning aspect of it becomes fairly heavyweight. So when you say tuning, I mean, as we know, there is a lot of things that go into application management and large enterprises, some have thousands of applications. What is the expectation that organizations should have in terms of having to tune application control technology?</p>
<p><strong>Tom Murphy:</strong> When we approve software, and the key to whitelisting is software approvals, so it&#8217;s not really locking down an endpoint so no new software can run, most companies could probably implement that in some form. The key to whitelisting is to allow legitimate software to get on the endpoint.</p>
<p>So when you think about tuning, what you are doing is you are tuning the legitimate sources of software to get on the endpoint to ensure that users are not disrupted, and to ensure the company can operate as intended. So Bit9 has established in the industry more ways of tuning, more ways of approving software for the endpoints.</p>
<p>I will give you a couple of examples. Some of them are relatively broad, and what I mean by broad are, they can take a large number of applications and software, and allow that to be approved, and some of them are right down to the file level. So I will start with the broader approaches first.</p>
<p>One is the concept of a trusted publisher. A trusted publisher is when software is digitally signed, just look for the digital certificate. If it&#8217;s from someone, for example, like Microsoft, allow it to be installed.</p>
<p>A second would be a trusted directory. Most software distribution products have a staging area where they put software before it gets picked up and pushed out to the endpoints. Then I can watch that staging area to pick up and see the new software that&#8217;s been put there and say, okay, automatically approve that, when the software distribution product puts it on the endpoint, it&#8217;s automatically approved.</p>
<p>Those are just two examples of broad brushes of approval that make the tuning, big chunks of tuning get automatically added to the whitelist. Therefore, you are taking out 90% of the software that goes to the endpoint by looking at those broad brushes.</p>
<p>The other comes down to corporate policy. What do they allow and not allow in the endpoints. Bit9 does have &#8212; we think about this thing as locked down, only approved software can run, there&#8217;s other policy enforcement on the endpoint as well, where users can be in more of an audit mode, which is, don&#8217;t lock down the machine, just tell me what&#8217;s on the machine, tell me when they run new applications, when they are installed, and mirror use of applications.</p>
<p>Another is block and ask, where we actually put the enforcement in the user&#8217;s hands. We ask the end user anytime something new wants to install, do you actually want this to run? So there is a spectrum of controls and policies, and we try to map the corporate entity as trying to enforce on their endpoints.</p>
<p><strong>Amrit Williams:</strong> You said something, I think, that&#8217;s very important, and I want to circle back on that and clarify it for those listening, because, I think, the impression is, with technologies like application control that it&#8217;s a lock down technology, that, that is the approach. I think that&#8217;s what gives people all the consternation about application control that you essentially take a static point in time, you then lock down the machine, and you try to inhibit any deviations from that, whether it&#8217;s coming from the user or somewhere else.</p>
<p>But what you stated is very important, is that, the success of application control is really around the software distribution process. It&#8217;s really around, how do applications get on the endpoint and how do you integrate technologies so that, that becomes part of how an organization develops and deploys software. So part of software distribution, as you mentioned, the capabilities for a software distribution component, as they distribute software for that process, that software payload distribution to be included into the whitelisting thing in an automated way is really powerful.</p>
<p>Do you think that there are enough people that understand that nuance, because it&#8217;s very different to say, the key to this, the key to managing application control and being effective with it really is in trying to implement and integrate it as part of your normal software distribution process, versus trying to lock down and inhibit users from doing things? I am not sure that&#8217;s fully understood. What are your thoughts on that?</p>
<p><strong>Tom Murphy:</strong> Well, I have been here four years, and I definitely see more and more, as time goes on, people understand that whitelisting or app control isn&#8217;t lock down. I would say four years ago when I came on to the scene at least and started evangelizing the concept of whitelisting, it was really focused more on just absolutely stopping new, unauthorized malware targeted attacks.</p>
<p>What people are realizing more and more is that there are so many other benefits to whitelisting, based on just understanding configurations and understanding how to control them.</p>
<p>So there&#8217;s been a lot &#8212; Windows 7 comes out with AppLocker, and a lot of the endpoint protection vendors refer to software reputation services as a way of assessing the trustworthiness of software and then making a decision on the software.</p>
<p>If you think about these, these are really just derivatives of what Bit9 has been doing for a while, and that is, go in, understand whether the software should be allowed to run, and then enforcing a policy.</p>
<p>So in a roundabout way what I am saying is, four years ago, I would say absolutely, there was very little distinction or, I guess, expansion of the definition to include things like software approvals, it was just more of a lock down. Now with Gartner&#8217;s exposure, Neil MacDonald, John Pescatore, with &#8212; there was an article that was put out yesterday by InfoWorld, talking about whitelisting, and the keys to whitelisting, and Bit9 was &#8212; there was a product review with six different vendors, and Bit9 came out on top, and a lot of it had to do with the ability to assess the trustworthiness of software, using that global software registry to identify software.</p>
<p>So, I think, we have moved beyond, the whitelisting equates to lock down, and I do think people do understand that it&#8217;s about approving legitimate software for the endpoint.</p>
<p><strong>Amrit Williams:</strong> I agree with you. I think there is that shift happening, and that&#8217;s good to see. I think there is another shift that has to happen as well, which is around the concept of operationalization of application control, and that it&#8217;s not just a technology that supports and enables the security program, but it is really beneficial to the operation side of it, especially as it relates to application management, software asset management, license controls. There is a huge impact to an organization if they are unable to properly or effectively perform a license true up, if they are either under or over compliance, and I think there is great tie in for application control to support those licensing and the application management aspects that organizations struggle with today, especially since you guys have some visibility into how those things occur on a fairly continuous basis.</p>
<p><strong>Tom Murphy:</strong> That&#8217;s right.</p>
<p><strong>Amrit Williams:</strong> So have you seen sort of the operations guys looking at application control in a way that isn&#8217;t just about inhibiting bad stuff, but also just trying to find efficiencies and how they run asset management?</p>
<p><strong>Tom Murphy:</strong> Yeah. What we see is, as you can imagine with emerging technology, the early adopters of this technology are, in a lot of cases, people with the most pain. And people with the most pain, from an endpoint perspective, with regard to whitelisting, have been traditionally the security, people that have experienced a breach, or their brand needs to be protected, ultimately it has had a security angle at first.</p>
<p>Over time, when people understand, as we just discussed in the previous section, when they understand that, it can be used to get that vast perspective of what&#8217;s on the endpoints.</p>
<p>Has it ever run before? When they start to realize that there is something about looking at an endpoint, establishing a baseline for an endpoint, how much has the endpoint drifted from the baseline, and when you look at the drift, layer on top of that drift either a threat or trust perspective.</p>
<p>People start to realize they can look at it from a license perspective. They can look at it from an operational perspective. What machine is at risk? What machines will probably generate the most trouble tickets? Trying to reduce the number of reimaging.</p>
<p>We have a phrase that we say internally, where desktops are polluted with unauthorized software, and it causes, as we know, three headaches. One is, security risk. If you are under compliance regulations, it&#8217;s kind of a threat in that. And the third would be operational costs of just making sure &#8212; rule of thumb, for every 1,000 desktops, there is a desktop administrator. Ideally we can impact that, both Bit9 and BigFix can impact that number.</p>
<p><strong>Amrit Williams:</strong> Well, I am always amazed at how many applications organizations run. I mean, when we do application inventories for organizations, even ones that are not terribly large, you see thousands of applications running. And when you look at some of the applications running &#8212; I mean, we were in a large enterprise, and there was an application for how to cut your hair. I don&#8217;t know where this application came from, no one did, who knows how it got on the computer, and you are right, there is a lot of bad stuff, but it has impact in other areas. It has operational impact on the organization, not just security impact.</p>
<p>One of the things that, I think, is really interesting about application control is, unlike some of the other security technologies, which tend to be reactive and responsive to threats, there is definitely an element of that in application control. But application control has some very sophisticated, complementary aspects to the technology for the IT operations folks that may not be focused on security, but are much more focused on how to find efficiencies and effectiveness in the organization itself.</p>
<p>For that, I think, it&#8217;s really important that organizations look at how application control can not only support their security programs, but also can support their operations programs, whether it&#8217;s license management, asset management, or just general configuration management, and trying to ensure that there is not a lot of turn in support group, or not in the ways coming through the other tech organizations itself.</p>
<p>Tom, thanks for joining me today. For more information on Bit9, you can go to <a href="http://www.bit9.com/">Bit9.com</a>.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/11/10/episode-62-tuning-application-control-technologies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 61: Can Whitelisting Secure Endpoints Without Interrupting Work Flow?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/11/06/episode-61-can-whitelisting-secure-endpoints-without-interupting-work-flow/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/11/06/episode-61-can-whitelisting-secure-endpoints-without-interupting-work-flow/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 22:18:42 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/11/06/episode-61-can-whitelisting-secure-endpoints-without-interupting-work-flow/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO discusses Whitelisting with Tom Murphy of Bit9, and what practices can embolden endpoint security without disturbing work flow.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO discusses Whitelisting with Tom Murphy of Bit9, and what practices can embolden endpoint security without disturbing work flow.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Tom Murphy. Tom Murphy is CMO, Chief Marketing Officer, with Bit9. Tom, thanks for joining me today.</p>
<p><strong>Tom Murphy:</strong> You are welcome Amrit.</p>
<p><strong>Amrit Williams:</strong> So Tom, I wanted to talk a little bit about, obviously whitelisting and Application Whitelisting at Bit9. Maybe, perhaps, we could start with what is whitelisting?</p>
<p><strong>Tom Murphy:</strong> Sure. So Amrit, for 20 years the security industry has been chasing; I say chasing bad software, malware, in a form of, let&#8217;s build a signature as a defense against the bad software. In the past, I would say, few years it has grown exponentially; whether it&#8217;s trying to get credit card information, personal identification information, it really has become kind of a black market in the business.</p>
<p>So what Bit9 has done, has said, as an industry, let&#8217;s take a different look or perspective at how people will stop that software. We have come to the conclusion that we cannot keep up with the bad software, we can&#8217;t keep up with that explosion, so why don&#8217;t we define a set of approved applications and a set of approved sources of software. As new software comes to the endpoint, let&#8217;s look at that software itself or where it came from, and if it&#8217;s on the approved list, it&#8217;s allowed to run, and by default if it&#8217;s not trusted, not approved, it&#8217;s not allowed to run.</p>
<p><strong>Amrit Williams:</strong> I think there is nobody in the world that would question right now anyway who even understands the space that the current blacklisting approach to anti-virus is unattainable, especially against the backdrop of the explosion of malware that we have had. But there are modifications that the anti-virus, anti-malware guys are doing for behavior-based monitoring and everything. But they don&#8217;t always look at some of the transient aspects of applications, as they move through an organization, as they go through upgrades and what not. How do you guys deal with just the general concept of whitelisted applications that are allowed to run, becoming infected themselves?</p>
<p><strong>Tom Murphy:</strong> There are two ways. First is, when we look at the application and we take three cryptographic hashes of the file. Cryptographic hashes represent kind of a DNA like view of the file. And by taking three of them, we are ensuring that we have got three different layers and methodologies for ensuring the integrity of a file. By trusting a file, we are trusting those three hashes. If something changes in that file, anything tampers with a file, anything at all that goes in and changes one single bit, it changes the DNA for the file, and ultimately changes the integrity of the file, therefore it would no longer be trusted.</p>
<p>In the case where you don&#8217;t know what a file is, what Bit9 has done has built a Global Software Registry. This Global Software Registry is, I like to phrase it as, it&#8217;s like running a background check on a piece of software, just like you would on an employee, if you don&#8217;t know what a piece of software is. We take the hash on the endpoint. We see what the file is. We leverage that hash. We pass it up to our hosted service.</p>
<p>What the service does is it provides you background information, what is the application, what is the version, what is the product, a threat level for that application, and a trust factor for that application that we are deriving from the Global Software Registry.</p>
<p>So to answer your question, two main ways are protecting the integrity of a whitelist. The first is to do hash-based to ensure that it&#8217;s not tampered with, and the second is to leverage the Global Software Registry to do the background checks on the software at all times.</p>
<p><strong>Amrit Williams:</strong> Are there techniques that allow organizations to deal with internally developed applications? Obviously it&#8217;s one method to deal with a known good or the known bad, but what about those things that fall into the gray area, internally developed, vertical applications, web-based applications?</p>
<p><strong>Tom Murphy:</strong> Sure. The approach that Bit9 has taken is, leveraging the experience of working with hundreds of customers, we have watched how people build internal applications, how they consume applications from the web, how they update toolbars, ActiveX controls, JavaScript, it comes from many different sources, as you can imagine. What Bit9 has done is said, let&#8217;s figure out each one of those sources.</p>
<p>So to come back to your example, if someone has internally developed code, what we have done is we have tried to figure out what ways that they push out that code, for example. And one way they might push it out is through BigFix. They may take the BigFix Software Distribution capabilities or Patching. And when they push out the application to the endpoints what would happen is, that application obviously would go through the BigFix platform. We would actually watch the application coming through the BigFix platform and say, if it does come through the BigFix, either a process or a directory, used as a staging area, approve the software based on the fact that it&#8217;s coming through BigFix. That&#8217;s just one example of how we would trust internally developed applications.</p>
<p><strong>Amrit Williams:</strong> Just for those listening, in terms of disclosure, BigFix and Bit9 do have a relationship and a partnership, and the ability for systems management companies to work with application vendors is, I think, something that drives and provides a lot of value to organizations.</p>
<p>I wanted to switch gears just a little bit to talk about some of the difficulties or challenges that organizations may face when they deal with application control. Just in general, with any type of endpoint security technology that impacts something that the user may do; whether it&#8217;s a port or a protocol that may be opened, whether it&#8217;s walking ingress/egress traffic, whether it&#8217;s trying to control the installation or the execution of an application, there is always some hit that an organization takes in terms of users being impacted.</p>
<p>What are some of the methods that organizations can go through to limit the impact on the end users, but also to maximize the ability for them to manage the solution as they go through all of the various application, life cycle management, processes that most organizations do on a fairly dynamic and regular basis?</p>
<p><strong>Tom Murphy:</strong> What we have seen is that customers, when they deploy application whitelisting, as you can imagine, it is a different lens at looking at how to manage an endpoint. As you can imagine as well, when we go in and do an inventory or we do any kind of a perspective of what&#8217;s running on the endpoint, we also discover the sources of where software comes from, as much as, whether it&#8217;s desktop, Windows server, administrators, as much as they think they know where software is coming from, they are always surprised by the new sources.</p>
<p>With that said, what we do is, when we go through deployments is, we have a learning phase, where the product doesn&#8217;t necessarily lock down on day one, or perform a whitelist on day one, of what is allowed to run, because that, as you said, could have a significant impact on end users if the people defining a whitelist don&#8217;t know the sources, don&#8217;t know the applications that are supposed to run.</p>
<p>So by default when the product is installed, it&#8217;s in more of a learning mode, and then over time, we roll out common groups that use common applications. And then what we do is, we can put the product in what&#8217;s called a block report only mode, which really implies that when the product is flipped into this mode, it would have blocked a newer application, because it was not in the whitelist, it identifies it to IT, but at the same time the end user is not impacted.</p>
<p>So we have built technology into the product that allow people to understand, educate themselves on where software is coming from, tune their whitelists, eventually to the point where they have got a good feel for where software is coming from, what&#8217;s supposed to be on the endpoint, and then they migrate into a lock down state.</p>
<p><strong>Amrit Williams:</strong> Okay. Tom, thanks for joining me today. For more information on Bit9, you can go to <a href="http://www.bit9.com/">Bit9.com</a>.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/11/06/episode-61-can-whitelisting-secure-endpoints-without-interupting-work-flow/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 60: Insiders: Security Threat or Ally? Part 3</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/30/episode-60-insiders-security-threat-or-ally-part-3/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/30/episode-60-insiders-security-threat-or-ally-part-3/#comments</comments>
		<pubDate>Fri, 30 Oct 2009 22:07:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/30/episode-60-insiders-security-threat-or-ally-part-3/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO winds up the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. I am back with Michael Santarcangelo, author, catalyst, and speaker. It has [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO winds up the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on Beyond the Perimeter. I am back with Michael Santarcangelo, author, catalyst, and speaker. It has just been a captivating conversation with Michael about insiders and consequences and people, information, and risk. I wanted to come back to something you said in the last podcast.</p>
<p>Michael, you had mentioned that many people are divorced from the consequences of their actions, and I wrote that down. That really struck me, because I was thinking about comments I hear all the time, which are around, people saying, well, the reason I bought product x, or I did process y, or implemented policy z, is because I know that whether or not it&#8217;s effective, if it fails, I won&#8217;t be held accountable, because I can simply say, sure, we had a virus infection, but I am using product a, and it&#8217;s the leader. Or yeah, sure, no, someone got through our firewalls, but I configured them exactly how I was told to based on this little book that says, &#8216;<em>How to Configure a Firewall</em>&#8217;, which is the market leading book on configuring firewalls per se.</p>
<p>It struck me when you were saying that, is, what are the consequences for IT people who just do the bare minimum? It doesn&#8217;t seem like there is a lot. If you have implemented the market leader in AV product, and you know it may or may not be the best, and you can prove it doesn&#8217;t work properly, but yet you get infected with viruses, your job is not impacted.</p>
<p><strong>Michael Santarcangelo:</strong> It&#8217;s fascinating to look at those, because when I started out writing &#8216;<em>Into the Breach</em>&#8217;, I didn&#8217;t have a conclusion in mind. What I said was, we have all these breaches, they keep happening, we have to go deeper into it. I posited a simple question, what is the breach? It&#8217;s a symptom, and it&#8217;s not the actual challenge.</p>
<p>What I came back with was our actual challenge was that people, not just IT people, people are disconnected from the consequences of their actions, and it has a very real manifestation; lack of responsibility, lack of accountability. We can see this in the federal government right now. This is a global challenge. It&#8217;s not just the security challenge.</p>
<p>So what does it mean? Well, it&#8217;s fascinating to me that what you just described was the old, if it&#8217;s IBM, I won&#8217;t get fired if I buy it. You can supplant that now with 1,000 companies. If it&#8217;s the market leader, if they are ranked the right way, if they are recommended to me, I like to say, if they have got a box with little blinky blue lights on it that I can point to my boss and say, look boss, it&#8217;s working, I am okay.</p>
<p>When we look at the consequences of actions, I do think people are divorced from them. But there is a couple ways, and this can be applied to any number of things. But what I start to do to frame the situation different is I am going to posit something, because most of us when we look at consequences, we immediately want to label the consequences as being good or bad. What I suggest is we just look at consequences as being intended and unintended.</p>
<p>Now, you can later apply the subjective labels of good and bad. But most of us take an action to get an intended result. I think what we have to start to do is to say, okay, I took an action, now there is a consequence. Most of us, at least most of us I hope are trying to teach our children that our actions have consequences, and we have to live by them. It doesn&#8217;t always seem to be that way in the corporate world, because of what you laid out Amrit, but what if we just look at if it&#8217;s intended or unintended?</p>
<p>Let&#8217;s go back at the example we just had. So a lot of people will say the best practice is we must protect data, or as I am more preferred to say, information. Now unfortunately, it usually comes with this little grumble, our people are stupid, they are going to screw it up anyway. Now, I don&#8217;t accept that. But you hear it all the time. So what&#8217;s the answer? Well, we will just encrypt it.</p>
<p>Now, when somebody says, hey, why are you encrypting my laptop? What do we do say? You wouldn&#8217;t understand it anyway, which probably means, I don&#8217;t really understand encryption myself so don&#8217;t ask me any questions, because I want to appear smarter than you. So I am just going to pretend that you are too dumb to get it. And then we roll out encryption and then nothing really works.</p>
<p>So what was the intended consequence of rolling out encryption? The intended consequence is that we would reduce data loss, and that we would be “secure” or protected or whatever qualifier you want.</p>
<p>But what&#8217;s actually happening? People are writing down their passwords. People are abandoning the technology. People are circumventing it. People are doing whatever. That&#8217;s the unintended consequence. Great!</p>
<p>Now, when we look at it that way, it gives us a much different way to look at things. I think what happens is &#8212; let me give you an example. I recently got interviewed by a major media outlet. The guy spent a couple of hours with me, and at the end I said, hey, it&#8217;s been a joy talking to you, let me give you a copy of my book.</p>
<p>I gave him a copy of my book. He sent me a note about a week later and said, Michael, I have only gotten through the first part of your book, I am realizing now, I have done so many things at work that must be driving the IT people insane. And I now know why I am doing it, but I am making changes because I realize that that&#8217;s going to screw me up more than it will screw them up. Bravo! I mean, you are the poster child for what I am trying to work on.</p>
<p>The point that I am making is that, it&#8217;s not just IT folks, it&#8217;s anybody, most of us today don&#8217;t stop and think. I don&#8217;t think Amrit, most people stop and say, well, wait a minute, I know it&#8217;s the market leading firewall, but what&#8217;s the problem that we are trying to solve? We say, Internet bad, firewall good, you have to have a firewall. Which firewall do you get? Well, you go buy the best, of course, because then no one will question me, and I have all the literature to prove it. So when the CFO says, why are we buying this firewall, I will drop a mound of reports in front of him and say, because all these thousand people say it&#8217;s really good, so we should buy it, and we are good too.</p>
<p>No one stopped and said, wait a minute, what are we trying to do? What&#8217;s the action we are worried about? What&#8217;s our intended consequence, and are we going to meet that? So the cycle kind of perpetuates and perpetuates and perpetuates.</p>
<p>What I found then is that, if we keep labeling stuff good and bad, well, nobody wants bad, so we don&#8217;t look at intended versus unintended. So what I always look at is, if we are concerned about people who are divorcing the consequences of their actions, we have to take away the qualifiers first, and just say, well, what did you expect to happen?</p>
<p>Now, what I normally suggest then, because this is the difference between a professional and a practitioner. I think professionals can take a look at their consequences, the intended and unintended, and I think they have an obligation to start to expect a potential impact. Because unintended can be good, and they can ultimately influence the design or the roll out or the operation of something, such that you minimize the unwanted or the negative impacts, because they take a broader view.</p>
<p>Whereas, I think practitioners get really stuck in terms of, I have to get to point A, and I am going to do it, and I don&#8217;t care who is in my way. It&#8217;s a slightly myopic view, and it&#8217;s probably something that requires a little bit more nuance to really get into. But it&#8217;s the difference of saying, practitioners say no, professionals say yes. It comes down to looking at the consequences, because sometimes no drives a bigger unintended consequence that on a negative scale is an order of magnitude more devastating than any other pathway.</p>
<p><strong>Amrit Williams:</strong> Well, I think you are right. I think that organizations do need to look at intended versus unintended consequences and definitely set expectations properly. I was thinking about what are the consequences of failure to the IT security people, specifically though, that they are divorced from the consequences of their actions, because there are no consequences to them for their actions in many cases.</p>
<p>If you are a sales guy in an organization, you don&#8217;t make your quarter, you do that twice, you are fired. If you are an AV desk jockey and you have hundreds of virus outbreaks, and you are using the leading AV product, you are probably not going to get fired.</p>
<p>So I was actually wondering about that. This would be the stick side of human interaction. So I definitely agree with all your comments on intended and unintended consequences. I was sort of focusing on what are the consequences to IT security for only doing the bare minimum? Should there be any?</p>
<p><strong>Michael Santarcangelo:</strong> Well, I think that there should. I think the thing we have to consider is that this is still an immature field. Yes, there have been people doing it since the 60s. But if you tried to go to a conference based on security in 1998, you probably had to go to a UNIX conference or UseNeXT conference or something to that effect, and go to the security track. It has gained a lot of attention rapidly. The technology has proliferated in a way that most of us don&#8217;t understand the implications of it. So the consequences of our actions require somebody to stop and to ponder and to think and to set an acceptable baseline.</p>
<p>I think as an industry it&#8217;s still pretty immature. So if you talk about sales, and I lay out a quota, you are a salesperson, we know how sales work more or less, and it&#8217;s either realistic or unrealistic and it&#8217;s very measurable. The challenge with security has often been, we are trying to protect against something that we don&#8217;t want to happen, that&#8217;s tough to predict, that&#8217;s tough to see, and it&#8217;s changing probably faster than our ability to keep up with it is.</p>
<p>I think what we have to get better at measuring then is the unintended consequences of well-intentioned actions. It&#8217;s that, so I am doing the bear minimum, which I don&#8217;t even know how we define bear minimum anymore, although I am actively researching it, but what if you buy x, y, z product, because everybody else did, we need to start looking at the measures of, so did your overall risk go up or down in measuring people that way, then we can tie them back to the consequences of their actions.</p>
<p><strong>Amrit Williams:</strong> I think you are right though. We are a far way away from that. It&#8217;s unfortunate, and hopefully we will move towards that in the future. You said something I wanted to touch on before we end. You had mentioned sort of the dynamics of human interaction. People are generally good. They want to do the right thing. They can be instructed to do the right thing. People aren&#8217;t stupid was the comment you made.</p>
<p>I don&#8217;t think people who rally against user awareness training, as I have in the past, necessarily think people are stupid. What I think people are is human, and humans have an innate ability to want to believe, to want to trust, and to want to belong. We are just socially rigged that way. It&#8217;s why when we see something that says, somebody loves us, our first instinct is, oh cool, somebody loves us, we want that validation before our other part of our brain clicks up and says, danger, danger, danger.</p>
<p>I think that human psychology is very difficult to change. I think that awareness is important but &#8212; and I don&#8217;t think people are stupid, but I think changing basic human psychology is very difficult.</p>
<p><strong>Michael Santarcangelo:</strong> Or maybe even not the point, right? I mean, look, I agree with you, and I don&#8217;t know that I would necessarily want to live in a world where everybody was cold, distant, aloof, and didn&#8217;t like anybody else. I think what has to happen is, we have to &#8212; and this is probably a great follow-up discussion, because this is something I have been really focusing on a lot, but to try to distill it quickly, it&#8217;s as simple as suggesting that what we have to look at really is just consequences of actions. That when you say to somebody after they have done one of these breach-inducing things or security breakdowns, you say, what were you thinking? I wasn&#8217;t. Okay. Well, now that you have a better world view of it, you have a new level of self-awareness, I wouldn&#8217;t do that again. Does it make them mean, grouchy? No, no, it&#8217;s a shift.</p>
<p>The difference is, I don&#8217;t think we can keep telling people and beating them with a stick. It doesn&#8217;t mean we have to go to a carrot. We have to change the message. We have to change the approach, and we have to get them involved in more of a dialog, instead of just making everything a directive.</p>
<p><strong>Amrit Williams:</strong> You are absolutely right. It is about dialog. It&#8217;s about continuing that conversation. For those of you who are interested in learning more about Michael Santarcangelo and his book, &#8216;<em>Into the Breach</em>&#8216;, where he talks about many of these subjects, you can definitely find that information at <a href="http://www.securitycatalyst.com/">securitycatalyst.com</a>.</p>
<p>Michael, thank you very much for joining me today. It was just a fascinating conversation, and I do want to have you come back very soon so we can continue this conversation. Michael Santarcangelo everybody, thank you.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/30/episode-60-insiders-security-threat-or-ally-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 59: Insiders: Security Threat or Ally? Part 2</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/27/episode-59-insiders-security-threat-or-ally-part-2/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/27/episode-59-insiders-security-threat-or-ally-part-2/#comments</comments>
		<pubDate>Wed, 28 Oct 2009 04:07:21 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/27/episode-59-insiders-security-threat-or-ally-part-2/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO continues the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and I am back with Michael Santarcangelo, catalyst, author, and speaker. Michael and [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO continues the conversation with author and speaker Michael Santarcangelo on the nature of insider threats and how to manage them.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on Beyond the Perimeter, and I am back with Michael Santarcangelo, catalyst, author, and speaker. Michael and I were speaking about the insider threat and how that&#8217;s defined, and the impact that has on the organizations. Michael brought up some good points about the importance of us looking at people, information, and risk. I wanted to expand on that.</p>
<p>So Michael, let&#8217;s dig right back in. You sort of left off with some good thoughts on people, information, and risk, and the importance of those things together.</p>
<p><strong>Michael Santarcangelo:</strong> Thanks Amrit. What I started to take a look at, and this started, not just with the book, it&#8217;s fascinating how when you finally put your ideas out in front of everybody and you digest the feedback, you can really grow. What I started to realize was that, we really do need to manage people, information, and risk.</p>
<p>Let&#8217;s just take as a quick aside looking at numbers. I love metrics. Is it possible of course to obsess on metrics to the point where they no longer provide value? Yeah, of course. You need metrics. We need to measure stuff in a way that gives us the context to make decisions. What I find fascinating, and this isn&#8217;t just security, this is society, we continue this divide with people where we are divorcing them from the consequences of their actions. In so doing, we start to notice this cascade of stuff. What happens, and as we try to measure it, and we just try to pave it forward by coming up with another technology. That is the old, the mouse got smarter, so we built a better mousetrap.</p>
<p>You think that we would start to break that cycle. Well, the way I started to look at it was, what if we don&#8217;t measure risk in terms of absolute, and what if we don&#8217;t measure risk just, well, I looked at the network, this is the problem. What if instead we backed off for a second and said, wait a minute, there are three fundamental parts of this equation, and maybe not so much from the equation perspective, but we have people that are involved. I think it would be disingenuous to suggest that people weren&#8217;t the lifeblood of an organization. With limited exception, businesses exist because of people, and not just to give them jobs, it&#8217;s people that make decisions, it&#8217;s people that interact, it&#8217;s all sorts of things.</p>
<p>The true lifeblood now is information. That&#8217;s what we trade on. That&#8217;s what we protect. It&#8217;s what&#8217;s important to us. Those two have to work into risk. If you look when PricewaterhouseCoopers came out in October, and they said &#8212; they did their state of the security. So this &#8212; I guess, we are due for the refresh. But the one that came out in 2008, I am still taken with the fact that 71% of companies admitted that they do not know where their information is. This is astounding to me. Not that the number was so high, that 71% knew it and admitted it.</p>
<p><strong>Amrit Williams: </strong>I was just going to say, I am surprised by the number too, I thought it would have been more like 100%, I have no clue.</p>
<p><strong>Michael Santarcangelo:</strong> Well, I think it&#8217;s the real number, right? But think about this, if I come to and I go, so Amrit, are you completely screwing up your infrastructure? What&#8217;s your answer, no, I am good.</p>
<p>So if I come and say, hey, do you know where your information is? What are you going to say, of course I do. 70% said no, we don&#8217;t have any idea. But this is the fascinating part to me, that misses the point entirely. Because if you don&#8217;t understand the context of the information and the consequence of the information, it doesn&#8217;t matter.</p>
<p>What I mean by that is, so what happens if the information is not just disclosed; we are so obsessed with disclosure, what if the integrity of it is modified? What if it&#8217;s not available when somebody needs it to make an informed decision? If you look at the way that businesses are operating, and the need to operate, it&#8217;s not just the information, it&#8217;s who is using it, it&#8217;s how they are using information.</p>
<p>I did an engagement last year, army base, and I had information to share with them. I hold up a USB drive and I say, hey, who wants the information off the drive? And they all got that panic look on their faces. Oh no, man, you can&#8217;t use that here. I went, oh, you have got one of those policies. They went, no, technically, if you stick it into one of our computers, it will be wiped out, encrypted, and really it will be dead to you, and the information off of it is gone. Seriously, we can&#8217;t use it. I went, oh, alright, what do you guys want to do?</p>
<p>Well, about five hands reached into a bag and they pulled out CDs and they go, you have got a CD burner, right, just burn it on CD. I went, okay, wait a minute, you are security people, are you possibly suggesting that we are going to violate the security policy here? Deadpan, yeah, that&#8217;s exactly what we are suggesting.</p>
<p>So now I go, alright, wait a minute, did you come up with this yourself? No, it was some private, other hall, nothing to do with information security, information assurance. None of it. He was a guy that had to get a job done.</p>
<p>If you think about the military, and you are a private, if your captain says, get this done, you don&#8217;t say, well, sir. They don&#8217;t want a well, sir, answer, they want it done. So the guy said let me pop in a CD, took care of it.</p>
<p>So now here&#8217;s my question, do you guys have shredders that can shred CDs? Deadpan looks, they go, nobody thought about that.</p>
<p>See, I don&#8217;t care how people get around it. If you want to tell me you encrypted a laptop and it&#8217;s great and it&#8217;s really secure, fantastic, prove it. Show me how people are using it. Did you just make it harder for somebody to do their job, so therefore you pat yourself on the back, so you can do a happy dance, oh, we protected everything, but at the end of the day you made it harder, congratulations, you just increased your risk, and you hit it. It&#8217;s like telling a bunch of kids not to drink, but then giving them a bottle of vodka. How is that going to work out? All they are going to do is hide it. And vodka I am told, I have no personal experience, but I am told vodka doesn&#8217;t show up on your breath.</p>
<p>So if you look at this, we have to understand how people are using the information, anthropologically, not judgmentally, how are they using it, and what&#8217;s the context and the consequence. Is it printed out? Is it written down? Are they ferrying it back and forth over the Internet? Are they using Gmail to do that? Are they putting on USB drives? Are they burning it to CDs? Are they bringing it home? Is it showing up on their laptops and their home computers?</p>
<p>Now, you can go further down that rabbit hole, but if you just stop right there and think about that, it gives me a completely different picture of risk, than sitting on an ivory tower saying, well, we just completed a roll out where everybody has encrypted laptops. Well, we are secure. No, we are not. No, we are not.</p>
<p>By the way, why then are we still experiencing 10,000-12,000 laptops abandoned at airport security checkpoints every week, not stolen, abandoned? I can&#8217;t imagine leaving a laptop behind. I can&#8217;t imagine leaving a dime behind, but let alone a laptop. If you are so disconnected from it, you don&#8217;t take any responsibility whatsoever. So I think when we start to look at this stuff, we have to think about people.</p>
<p><strong>Amrit Williams:</strong> Well, let&#8217;s say &#8212; I think people are really, really important, I don&#8217;t want to lose that concept, but I have got to ask you a question, because I think this &#8212; I have been having this conversation with people for a long time. You have basically laid out a scenario here where there is multiple vectors for information to ingress or egress out of a device; there is the USB, the CD-ROM, a whole bunch of stuff. This organization chose to lock down the USB for whatever reason. There is an easy way to bypass that, people just use CDs.</p>
<p>I have heard arguments used in the past that because we can&#8217;t do BCDEF, we shouldn&#8217;t do A, even though we can. If you look at a home that has six windows and two doors and you are able to secure the four of the windows and one of the doors, well, there is no point in doing that if you can&#8217;t secure all the doors.</p>
<p>I think that to a certain extent, there is validity in eliminating vectors, even if you can&#8217;t eliminate them all. There is validity in making it harder for someone to unintentionally bypass corporate policy. I think there is also a realization that it&#8217;s very difficult to stop one who intentionally wants to bypass policy and has some skill, at least enough skill to burn a CD and plug it in.</p>
<p>So I wanted to stop there before we get back into people and get your thoughts on that, because I think it&#8217;s an important concept that we don&#8217;t talk about that much. When is just enough good enough, and is it good enough? If you can&#8217;t do everything, should you do nothing?</p>
<p><strong>Michael Santarcangelo:</strong> I am going to answer your question by bringing it back to people. I couldn&#8217;t agree with what you said more. Here&#8217;s the caveat though. Let&#8217;s use the windows and doors. So if I can gain entrance or exit from a building through windows or doors, and I am used to walking through the front door every day, and all of a sudden I come in and now it has got a fortress and it&#8217;s a lock, and I can never use it again. I could break a window. I could go around to the back. But man, I am going to be pretty stuck. If there is a quicker path and I can just now leave my window open and I can come in through the fire escape, oh, and by the way, there is no alarm there and no one is checking for it, well, because everybody used to be able to walk into the front door and now they can&#8217;t, so I have taken away a vector point. Did I actually increase or decrease the risk?</p>
<p>Well, if now everybody is leaving their windows open, and they are leaving them unlocked, and they are using the fire escapes and they have set up all these other things, because they have made it easier, because no one ever explained why we were locking the front door in the first place. Well then, that&#8217;s poor implementation.</p>
<p><strong>Amrit Williams:</strong> Yes, you are right.</p>
<p><strong>Michael Santarcangelo:</strong> If we say to people, hey, we know x, y, and z, this information is important to you, and we know that there is a lot of risks out there. Look, I have had a laptop stolen, I know other people have had a laptop stolen. We are going to take some actions that are going to help you protect your laptop. No, we can&#8217;t protect against everything, we are going to try to help it. We are going to take these particular actions, because these are known problems. We engage them in a dialog, oh, then we can make a lot of changes. The distinction is, managing risk in one dimension versus managing risk and including humans into it, it doesn&#8217;t necessarily change the end result, it changes the approach, which then changes the success rate.</p>
<p><strong>Amrit Williams:</strong> I agree with you. I do still think that it means an organization does need to understand the controls that they are implementing and policies they are implementing for the unintentional and negligent versus the intentional and malicious. There is no way really to effectively implement the controls and the processes to deal with the unintentional and the negligent without including the human factor.</p>
<p>But I wanted to switch gears as we go into the next segment, and I really appreciate this conversation, but when we come back what I want to talk to you about is a comment that you made, which is, many IT professionals, I believe, are divorced from the consequences of their actions. So this is a pretty important concept that a lot of people don&#8217;t understand. So when we come back I would love to talk to you about that. Michael, thanks for joining me today.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/27/episode-59-insiders-security-threat-or-ally-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 58: Insiders: Security Threat or Ally?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/23/episode-58-insiders-security-threat-or-ally/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/23/episode-58-insiders-security-threat-or-ally/#comments</comments>
		<pubDate>Sat, 24 Oct 2009 01:15:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/23/episode-58-insiders-security-threat-or-ally/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO begins an interesting series of conversations with author and speaker Michael Santarcangelo. Michael questions the statistics and growing concerns over insider threats.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Michael Santarcangelo. Michael is a catalyst, an [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO begins an interesting series of conversations with author and speaker Michael Santarcangelo. Michael questions the statistics and growing concerns over insider threats.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on Beyond the Perimeter. Today I am joined by Michael Santarcangelo. Michael is a catalyst, an author, and a speaker. Michael is also a good friend. Michael, just great to have you back with us today. So thank you for joining me.</p>
<p><strong>Michael Santarcangelo:</strong> Hey, it&#8217;s always a pleasure to be with you my friend.</p>
<p><strong>Amrit Williams:</strong> So Michael, we were talking just briefly before this a little bit about the numbers around insider threats. I know some stuff came out from the Verizon Data Breach Report and there is a lot of numbers floating around. Several years ago it was positive that insider threats were the biggest threat that we faced. And then recently some of the reports have come out and said, well, no, insiders may not be as big a threat as people face.</p>
<p>I know you have started a series of discussions and concepts around turning insiders into allies and we definitely want to focus in on that as part of a series. But I did want to focus in on something, what&#8217;s striking to me is, I think that the majority of external attacks can probably be related to negligence or improper use, misconfiguration, misadministration on the part of the IT department, and that when people talk about insider threats, it&#8217;s not always clear what they are talking about.</p>
<p>I always viewed the insider threats specifically and distinctly as those who maliciously try to compromise, take advantage, or steal something from the organization that they work for, as opposed to those who just negligently let data leak. But I wanted to ask you, what are your thoughts on the insider threat, and I know that you had some comments about the Verizon story, and I know that you and Anton have gone back and forth on it. But why don&#8217;t you expand on that, what are your thoughts on the insider threat?</p>
<p><strong>Michael Santarcangelo:</strong> Yeah. The first thing that I would point out is, what generated some of this discussion was that, when I wrote <em>Into the Breach</em>, in the introduction, I put a couple of myths that I wanted to dispel. What I was focused on doing wasn&#8217;t so much as saying, look, I have authoritative proof this is something else, but at the time when I wrote the book, the heavy reliance was, we are only under attack from outsiders.</p>
<p>It reminded me very much of the 90s, where the mantra was simple, Internet bad, firewall good. So if you are on the Internet, which is bad; no disrespect to Al Gore by the way, he did a great job hooking us up with the Internet, but if you are on it and you don&#8217;t have a firewall, clearly you are doing something wrong. So it felt like that kind of persisted and persisted and persisted.</p>
<p>So here I am watching all these breaches happening and I am saying, wow, it&#8217;s hardworking, good people, who don&#8217;t know better. Of course, we go through the book and we explain some of these types of things. So I started just reviewing the breaches that I could, anything that was made public.</p>
<p>There are plenty of great websites that have these. There were some research reports that were coming out, pretty much as I was wrapping up the book, and they were starting to show a trend that due to employee error, and theft, and loss, and actions; so not the deliberate, not the intentional upset person with a malicious intent, but just people&#8217;s actions, it was actually more like anywhere from two-thirds, 75% of the breaches were in fact caused by insiders.</p>
<p>Now, that&#8217;s kind of an interesting thing to think about, because where I have gone further is, I don&#8217;t like to declare that we have a people problem. So I looked at it and went, wait a minute. So what I did was I paused and I said, look, here is a myth. The myth is that all attacks &#8212; and by the way, I have learned about how to position this better myself, my myth was, all attacks are caused by outsiders, and I attempted to debunk it to say, think about this, 70% of our breaches are caused by insiders.</p>
<p>What I realized in talking with Anton Chuvakin is, he took umbrage with me using that as a statistic. I pushed back on them, and I pushed back on them pretty hard; with no disrespect to Verizon, because I think it&#8217;s a great report, what I said was, please don&#8217;t cite me one report back. Don&#8217;t cite me one report if somebody engaging the services of a professional firm, expecting, I am hunkering down for a fight. He comes back and he says no, actually, I don&#8217;t think anybody knows, and I think citing a number is reckless. I went, oh, yeah, good point. I mean, that&#8217;s not an argument you are prepared for.</p>
<p>So talking to you, I mean, I think, we have to step back for a second and say, well, wait a minute, what&#8217;s an attack, what is an insider, and when we are talking about something like an insider threat, what is it that we are actually talking about? When you were just going through some statistics and numbers there, it&#8217;s kind of fascinating, because I used to suggest, if we were looking at the malicious determined insider; and this is one of those made up statistics, but I would say it&#8217;s like 2%, 1%, it&#8217;s a 4:34 view of the world, but I think most people are good. I think they are well-intentioned.</p>
<p>But there were some reports that came out where like Robert Half and others have actually gone out and interviewed employees, and they would say, if you were terminated, will you take company data with you? So I don&#8217;t think that they went so far as to say, will you be a stealing, lying, cheating person, but I think they made it pretty clear that it&#8217;s company data, it&#8217;s not yours, are you going to take it with you?</p>
<p>What amazed me was the number of people who said yes. 68% said, yeah, absolutely. By the way, I am guessing that the number, probably they inverted that. It&#8217;s probably like 86% would do it, 68% are going to tell you to your face that they are going to take it. Now, is that an insider threat? Probably. So the thing that&#8217;s fascinating &#8211;</p>
<p><strong>Amrit Williams:</strong> But the thing there though, again is though that that is an intentional, malicious violation of corporate policy. So when you look at the insider threat, I think it&#8217;s important to break up the unintentional or the negligent versus the intentional and the malicious, because they imply different type of controls and different type of processes that an organization might put in place to ensure that they limit the amount of churn or damage to the organization. Do you not believe that that&#8217;s viable?</p>
<p><strong>Michael Santarcangelo:</strong> No, I do. In fact, what I am starting to take a look at is that, I think we have to look at this differently. I had a great conversation last week with a client. During the conversation I realized &#8212; we got talking about awareness, which &#8212; it&#8217;s kind of fascinating, you flattered me last time when you made a compliment to me about how I have shifted some of your thinking on awareness, my turn to flatter you back, you have done the same for me.</p>
<p>When you and I first met face-to-face in Atlanta a couple of years ago and we got talking about why awareness fails, I think I probably made some sort of flippant remark that you did it the wrong way. I would still hold by that statement today, but what I realize is, the way that the rest of the world defines awareness and stuff, I don&#8217;t think is effective at all. I think people would be better not to spend any money at all, than to do what traditionally passes as awareness.</p>
<p>Well, bring it back to this. We got talking about carrots and sticks, and how some people are motivated because they don&#8217;t want to get hit by the stick, and some people are motivated because they want the reward. We were looking at that in the terms of awareness, and it started me down this whole cascade of, maybe it&#8217;s not so black and white, people will steal, people won&#8217;t steal. I am actually doing a lot of work right now on looking at like the fraud triangle, Cressey&#8217;s fraud triangle and things. When it comes to looking at the controls of our organization then, I am going to make two statements, and they may be contrasting. So I think it&#8217;s something that as an industry we need more dialog around.</p>
<p>The first of which is, I think yes, we do have to consider that there are insiders and outsiders, and then that there are people, when they are insiders, some are going to be inclined to take a negative action, but there is going to have to be variance on that. Because somebody stealing data that they work with is clearly a problem, but is a lot different than somebody planting a logic bomb in a system designed to take it down the day they get fired, or a week after they get fired.</p>
<p>But in terms of, does that change things? I am going to counter it with, maybe it doesn&#8217;t matter. So I have got a background in economics and a background in measurement, and studying things and looking at people and figuring these things out, and I love them. But what I am starting to realize; and this is kind of like the point to the book, we have to step back and we have to manage people, we have to manage information, and we have to manage our risk. Maybe it doesn&#8217;t matter so much whether they are insiders or outsiders, maybe what matters is making sure that we have a pretty good understanding of our information.</p>
<p>Notice, I am not saying data, I am pretty clear in that distinction. I get why we focus on data, but to me data denotes electrons. I think if we focus on information and we start to look at the way people are using it and the way it&#8217;s being used, then we can start to actually get a much more accurate picture of our risk, and then we can manage the risk a little bit better. What do you think about that?</p>
<p><strong>Amrit Williams:</strong> Well, I think that&#8217;s important. So what I would like to do Michael is have you come back for another part here. Thank you for joining me now. When you come back what I would like to dig into is people information and risk and how we look at the economy or economic factors of information as security versus the human ecology of it. So Michael, thanks for joining me, we will be back soon.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/23/episode-58-insiders-security-threat-or-ally/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 57: Unifying Virtual and Bare Metal Computing, Part 2</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/20/episode-57-unifying-virtual-and-bare-metal-computing-part-2/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/20/episode-57-unifying-virtual-and-bare-metal-computing-part-2/#comments</comments>
		<pubDate>Tue, 20 Oct 2009 21:48:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/20/episode-57-unifying-virtual-and-bare-metal-computing-part-2/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO continues his conversation with Vikram Desai, president and CEO of Liquid Computing on optimizing virtual and bare metal computing to optimize service provision to end users.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host, on Beyond the Perimeter. I’m back with Vikram Desai, President and CEO [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO continues his conversation with Vikram Desai, president and CEO of Liquid Computing on optimizing virtual and bare metal computing to optimize service provision to end users.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-188"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host, on Beyond the Perimeter. I’m back with Vikram Desai, President and CEO of Liquid Computing. Vik, thanks for joining me back again. We were speaking about some of the broader aspects of Liquid Computing and data center automation. I wanted to talk to you about unified computing in general.</p>
<p>Vik, let’s start with the concept of unified computing. What’s the vision for unified computing that Liquid Computing has?</p>
<p><strong>Vikram Desai:</strong> Sure. So unified computing by fundamental definition in our opinion has to be able to support open standards. Open standards come in two flavors, if you will. First is on the hardware side, we want to be able to, and a unified computing solution should be able to embrace the commodity elements from any type of server storage and switching provider. We don’t want to have any customer locked in to a particular brand.</p>
<p>So, for example, with our currently available system, LiquidIQ 2.0, we support any type of iSCSI-based standard storage. We have the deepest integration with products from NetApp. We support standard x86-based servers. Then, from a switching perspective, we have a standards-based Fulcrum 10-Gigabit switching backbone. So each of those are considered best of breed and we’ll continue to expand that hardware compatibility list as we move forward.</p>
<p>But there’s something even more important too. We really don’t have the desire to replace enterprise element management systems or any other systems that already exist in the data center today. So we have morphed down interfaces into those higher-level systems and we could feed those higher-level systems with all of the automation and sensor information that they are currently lacking. Much, much more granular level information is fed up and as a result those element management systems become much more powerful.</p>
<p>The last part about a standard-based type of unified computing system is that our customers want to make sure that the UCS system doesn’t require the customer to make any types of additive software drivers or proprietary elements that are required in order for a standard operating system or a standard type of application to run. We’ve been able to achieve all of those aspects with the Liquid Computing offering.</p>
<p><strong>Amrit Williams:</strong> All of this speaks to enabling an infrastructure that’s dynamic. Actually, Liquid Computing probably has one of the coolest IT tech names around. I think it’s fantastic in terms of how it describes agility and dynamism. Do you think that there is a real ability for organizations to be able to do this dynamic resource allocation that we see some organizations talking about? Do you think there’s going to be wide adoption of that? Do you think that that’s a reality in the next couple of years here? Is it valid today?</p>
<p><strong>Vikram Desai:</strong> I think it’s an inevitability. In fact, Liquid Computing has existing customers in production that are enjoying those benefits today. It’s those customers that we rely upon, such as Virtuoso to document the types of efficiencies and operational savings that can be derived. Virtuoso has reduced their operating expense by 80% through the implementation of our LiquidIQ solution. They’re able to support both virtualized and Bare Metal environments simultaneously, while enjoying those savings.</p>
<p>Of course, there are other approaches that are complementary to this. Virtualization as an example is something that’s complementary to the ability to have a software-controlled physical IT environment. Together, you provide an automated data center. So the capability for an automated data center exists today. We have a series of customers who already have these systems in production and the benefits have been documented.</p>
<p><strong>Amrit Williams:</strong> The interesting aspect of this is that I can’t think of anything more exciting than the ability to spin up or spin down resources quickly to address whatever is happening in IT, as opposed to those resources, sort of, sitting idly or ineffectively using them. Many years ago, it would have seemed fantastic; it has become a reality and I think that that’s very exciting for people. What type of things do you think we’re going to see over the next five years in terms of unified computing? What type of advances will we see? I mean, on one hand it seems like a long time, on another it seems like tomorrow. But what type of things do you think we are going to experience; what will enterprises start adopting over the next five years?</p>
<p><strong>Vikram Desai:</strong> Well, there’s a lot of waste right now that’s associated with standby data center infrastructure, as an example, and there may be more of it in some industries. In financial services, for example, there are some government regulations that require standby data center or data center capabilities to be in different physically geographic areas.</p>
<p>Well, with a fully deployed unified computing system you could actually project an entire data center, inclusive of the applications, all the physical and virtual connections; literally, all the MAC addresses to a disparate physical location within minutes. That type of capability is actually not three or five years away, it’s here right now, but I do see that the adoption of these types of business continuity capabilities will grow very quickly, because think about how much money you can save by having a one to ‘n’ type of disaster recovery or business continuity plan.</p>
<p><strong>Amrit Williams:</strong> Oh! It’s fantastic, I mean it’s phenomenal. I was reading an article from Roche Pharmaceuticals and one of the IT guys was mentioning that when they used to have to do clinical trials they would spin up all these machines, so that they could form the algorithms and the other aspects of diagnostics that they need. He said, it takes six months just to get the environment prepped and then once they were done, it would take them six months to bring it all down. He says, he does it all, now, from his iPhone.</p>
<p>He basically just submits the order, the machines come up, they’re done by a third party, they’re hosted, and it’s that capability that that third party has enabled, through some of the technologies that you are communicating right now, that is really exciting. I mean, they’re game changing: what generally could take a year, just to put the infrastructure in place to support the clinical trials, is literally taking a day or two.</p>
<p><strong>Vikram Desai:</strong> That’s exactly it. So what you are describing really at the end of the day is ways in which businesses can generate revenue faster, where they couldn’t generate revenue at all. We have a customer in the oil and gas industry that used to take 45 days to spin up new infrastructure in order to support one of their customers. They can now do it in just a matter of a couple of days with Liquid Computing.</p>
<p><strong>Amrit Williams:</strong> Oh, it’s phenomenal, it’s really amazing. Vik, I’d like to make sure that the folks know how to find out more about Liquid Computing. The web address, if you could give that for everybody, I believe it’s <a href="http://www.liquidcomputing.com/">liquidcomputing.com</a>.</p>
<p><strong>Vikram Desai:</strong> Yeah, that’s exactly it and it doesn’t get any easier than that. We would be certainly happy to answer any questions that folks could have.</p>
<p><strong>Amrit Williams:</strong> Vikram Desai, President and CEO of Liquid Computing, that provides a unified computing infrastructure. They have a data center and a chassis blade system, combined with some management software, unified software based management. It’s pretty exciting computing technology; I’d recommend everyone give it a look.</p>
<p>Vik, thank you very much for joining me today.</p>
<p><strong>Vikram Desai:</strong> Thank you.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/20/episode-57-unifying-virtual-and-bare-metal-computing-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 56: Unifying Virtual and Bare Metal Computing, Part 1</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/16/episode-56-unifying-virtual-and-bare-metal-computing-part-1/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/16/episode-56-unifying-virtual-and-bare-metal-computing-part-1/#comments</comments>
		<pubDate>Sat, 17 Oct 2009 00:43:56 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/16/episode-56-unifying-virtual-and-bare-metal-computing-part-1/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO speaks with Vikram Desai, president and CEO of Liquid Computing on optimizing virtual and bare metal computing to optimize service provision to end users.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT

Amrit Williams: Welcome, this is Amrit Williams, your host on Beyond the Perimeter. And today, I’m joined by Vikram Desai, President and [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO speaks with Vikram Desai, president and CEO of Liquid Computing on optimizing virtual and bare metal computing to optimize service provision to end users.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-187"></span></p>
<p><strong>FULL TRANSCRIPT<br />
</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on Beyond the Perimeter. And today, I’m joined by Vikram Desai, President and CEO of Liquid Computing; Vik, thank you for joining me today.</p>
<p><strong>Vikram Desai:</strong> My pleasure, Amrit, and thank you for having me down on board.</p>
<p><strong>Amrit Williams:</strong> So Liquid Computing, as you guys stated, provides unified computing infrastructure for dynamic data centers, you guys offer what’s called a data center in a chassis, a blade system. You guys seem to have married some of the necessary requirements for data center in a fairly tightly integrated package, but I’d like to start with, if you could just give me a high-level overview, what does Liquid Computing do, what problems are you guys solving, what benefits do you guys offer to the enterprise?</p>
<p><strong>Vikram Desai:</strong> Well, that’s a good question, and one of the interesting facts out there today is that many vendors are in pursuit of providing an automated data center. And why? Well, because it’s important that the overall cost of operating a data center come down. The specific area that Liquid Computing focuses on is the provision of software control of underlying IT, physical IT assets. So servers, switches, and storage that are relied upon by both bare metal and virtualized operating systems.</p>
<p><strong>Amrit Williams:</strong> Have you found the &#8212; I am sure virtualization is having a pretty big impact on your business. When you guys were founded, were you aiming at the virtual market itself? Virtual management infrastructure, any of that, or when you were coming in, I suppose I know that Liquid Computing was founded in 2003, the original design wasn’t necessarily being driven by virtualization.</p>
<p><strong>Vikram Desai:</strong> Our original design was always focused on data center fabrics. So providing automation and control across the traditional three silos of server, switching, and storage, and what we’ve seen over time is that virtualization has been integrated within each of these silos, but there hasn’t been any type of action to provide automation across the silos. Actually, remove the silo walls so that you can deliver greater efficiencies. So when you take a look at the solution that Liquid Computing provides, we really are insensitive to whether it’s a virtualized environment or a bare metal environment; the automation of the underlying IT physical resources provides the same benefits in either of them.</p>
<p><strong>Amrit Williams:</strong> Now, understanding, of course, that virtualization breaks down, sometimes unnaturally for many organizations, the silos that you talked about, the walls between the silos. It’s very common for networking and switching people to worry about their fabric from their perspective using their tools. They tend to be kind of antagonistic and not very supportive of the application teams or the OS, management, and operations guys, but virtualization breaks all that down.</p>
<p>I mean, you basically have several different processes that are converged into possibly a single device that could be communication between a web server and the database server going through and communicating, again, on the device and it changes the dynamic for organizations.</p>
<p>Have you found that the organizations are finding it easier to facilitate communication because of this, are they struggling with lack of language consistency between the groups?</p>
<p><strong>Vikram Desai:</strong> It’s really exacerbated what was already a bad problem into something that’s dramatically worse, and that’s really not just our opinion; we’re seeing the same type of information reflected in polls by third parties. For example, 00:03:18 Morgan recently provided survey results that indicated that the coordination of server, switching, and storage configuration, whether virtualized or bare metal, is one of the biggest problems that data centers are facing today.</p>
<p>Then if you layer on top of that the fact that while virtualization itself provides many benefits in terms of efficiencies, it’s not something that could provide an answer across the board. There are a multitude of applications, or high performance related database applications, that just aren’t suited towards virtualization. They even require more horsepower. They lose the processing efficiencies when they’re virtualized.</p>
<p>So, as a result, current IDC studies I believe have stated that there’s only about 15% to 20% of all data center applications that have been virtualized, today, and by far and away the remainder are still bare metal. That’s not to say over a period of the next three to five years that will become much more balanced, but what I am saying is that there will always be some balance between the two that are required and really predicated by what the application requirements are and what the end user needs are.</p>
<p><strong>Amrit Williams:</strong> Do you find that the needs of the administrators themselves shift when they move from bare metal to virtualization in terms of the tools they’re using?</p>
<p><strong>Vikram Desai:</strong> Yeah. So if you consider a breakdown of the data center that has both of these technologies or approaches employed, and I am going to be very, very generic. At the very bottom, you have your physical IT assets; above that, you’ll have either bare metal or a virtualized environment; and above that, there’ll be the applications; and finally, the element management system that spans across everything, but stops short of being able to manage, command and control, the underlying IT physical infrastructure.</p>
<p>So whether it’s virtualized environments or bare metal environments, they have a pretty good handle on how it is they can motion applications from one space to another, provided those two spaces exist, how they could in a bare metal environment add clusters. But in each of them, they really don’t have a handle at all on how they can &#8212; in advance of a motioning of resources over, have the physical assets ready to be motioned to, short of overbuying and having one-to-‘n’ type of capability available for applications just in case they’re needed.</p>
<p>And boy! Right in that area is a tremendous area of waste, if you will; why have assets just sitting there, just in case when they don’t need to be sitting there. And that’s one of the fundamental things that data center administrators struggle with.</p>
<p><strong>Amrit Williams:</strong> This is obviously, one of the inherent capabilities that Liquid Computing provides.</p>
<p><strong>Vikram Desai:</strong> It is and above and beyond that, there’s a vision for unified computing that we have as a company and it’s related to what we characterize as being an open architecture solution.</p>
<p>Data centers really don’t want to be locked into any particular brand or label, if you will. They traditionally want to have multiple vendors. They want to be able to choose the best of breed based upon what the application’s needs are. And, we provide that type of offering. So we make sure that we are able to support multiple vendors and we’ll continue to expand that list, which we call a hardware compatibility list, as we move forward over time.</p>
<p>So our customers can always know that if they’re looking for unified computing solutions and they want to drive the types of cost savings which, incidentally, we have found to be 80% or more, as documented by our customers, then they can do so with us and not have to worry about being locked into a particular brand.</p>
<p><strong>Amrit Williams:</strong> As someone who spends a lot of time talking to the folks in the enterprise, this concept of lock-in is critically important. I don’t think most people appreciate how much time is spent by enterprises ensuring that they’re not locked into a specific solution. These concepts of openness, unification, and integration are terribly important to a lot of these, especially large enterprises, as they see these dynamics and the IT organizations shift and evolve.</p>
<p>Vik, I do appreciate you spending time with us. We want to bring you back for the second segment here. So, thank you very much to Vik and Liquid Computing. We’ll be back soon.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/16/episode-56-unifying-virtual-and-bare-metal-computing-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 55: Web Applications Need Security Too, Part 3</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2009/10/06/episode-55-web-applications-need-security-too-part-3/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2009/10/06/episode-55-web-applications-need-security-too-part-3/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 08:27:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2009/10/06/episode-55-web-applications-need-security-too-part-3/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO concludes his interview with Doug Wilson co-chair of Open Web Application Security Project Washington DC chapter, focusing on what enterprises can do to include security into the product development life-cycle.
Subscribe in iTunes:

Subscribe with XML:


FULL TRANSCRIPT
Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter and I am back with [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO concludes his interview with Doug Wilson co-chair of Open Web Application Security Project Washington DC chapter, focusing on what enterprises can do to include security into the product development life-cycle.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/test/files/2009/09/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/test/files/2009/09/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-181"></span><br />
<strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on <em>Beyond the Perimeter</em> and I am back with Doug Wilson from OWASP. Doug, thanks for coming back and joining me today. We’ve been talking a little bit about OWASP’s origins and what they provide and a little bit about the AppSec Conference you guys have, coming up, in November in DC. I wanted to ask you, and switch gears a little bit, and talk to you a little bit about what are some of the things that organizations can do and what are the top threats? I know the web application security community moves very quickly, there are things coming out rather rapidly, it’s a very dynamic environment, whether you are on the development side or the security research side.</p>
<p>How does a large organization, how does a large enterprise approach this, because it is different in terms of the people and the process and the technologies that they would use to do traditional, either software development or traditional patch or configuration management on the back end?</p>
<p>So can you step the audience through, a little bit about, at a high level, how they would approach web application security if they are new to it, what are some of the first initial things they need to do, how do they gain a grasp on this, and how do they start evolving their security programs around it?</p>
<p><strong>Doug Wilson:</strong> The first thing to do is to start working on your education, I mean just go out and read a lot of the stuff. There’s a lot of it that’s available out there on the Internet. It’s one of the things &#8212; it’s available for anyone who wants to reach out and grab it. I mentioned previously the OWASP Top Ten, but it’s a very good place to start. It’s not a complete solution, but it shows you some of the basic issues that are out there. In a lot of cases, these are things where people have heard of it; they’ve heard of it in the media &#8212; I mean these are no longer some sort of esoteric knowledge that’s hidden away in some hacker’s laptop and that’s it. This is stuff that is in the mainstream press.</p>
<p>A lot of the people hear about it, though they just don’t really realize what it is and what it can do. I mean these are things like cross-site scripting, SQL injection, and malicious file injection. There’s more obscure things like cross-site request forgery, which &#8212; when you initially explain it to people, they are like, “What the heck is that?” And when they get it, they are like, “Oh! Yeah, that’s a problem; that may be happening in our application right now.” And then there are things which have always existed in security, such as problems with not having your cryptography set up right or not protecting access and controlling access on authentication, and things like that which are standard security problems, but they move through the web just like everything else has and people in moving through the web forget about them.</p>
<p>We also have a wide variety of other things, once you dig in more. We have projects like OpenSAMM, which is the Software Assurance Maturity Model, where you sort of look at where your process is and model where you want to go with it. There’s a lot of things where people have “Our website tested hacker safe by this company”; that’s kind of a running joke in web application security standard circles, because there aren’t really any standards for that.</p>
<p>OWASP has been developing a thing called an Application Security Verification Standard, which is again, sort of, a way to focus your efforts into looking at your process and figure out where the holes are and then say to the world, “Here’s how we verified, that we are really trying to fix our code, and we are really trying to pay attention to it.” We have a bunch of guides on how to review code, on how to develop code, and there are specific projects out there.</p>
<p>A big one that I know, especially in the Java community, is the ESAPI project, the Enterprise Security API, which takes the idea that &#8212; for years, security people have, sort of, said, “Well, developers don’t care about security” and developers have said, “Security people are no fun, they don’t want us to do anything.”</p>
<p>You have different priority sets between security people and developers. ESAPI, kind of, adheres to the same rules of cryptography, which is don’t have people who don’t know anything about security, suddenly try and do security. It takes and vets libraries. The initial version of the ESAPI was for Java, but it’s being developed for other languages such as .NET and PHP where established security people do peer review, much like it’s done for cryptography and say, “Okay, this function is potentially insecure, let’s find a way to fix it,” and then what you can do is you can have a bunch of libraries that you just hand to your developers and say, “Hey, use this set of code instead of the old set of code you used, and 95% of your security problems are fixed.” That’s a project that’s really grown in the past year or two at OWASP and that’s the, sort of, thing where it’s the combination of ideology plus code base that could be adapted by organizations.</p>
<p>Also, get involved. I mean if you are near a major city in the United States, there’s probably an OWASP Chapter in it somewhere. If you are outside the United States, there are many, many dozens of places that have OWASP Chapters and some of them are very unlikely, you wouldn’t think of it there, but there’s somebody there who works on web applications and is interested in security. Corporations can become corporate members of OWASP. Individuals can become individual members of OWASP.</p>
<p>OWASP stuff is pretty much all free to use for whatever you want, but the membership is a way of supporting the organization. We do ask that if corporations are planning on heavily using OWASP products, they consider becoming a corporate member and a helping sponsor. In that way, they also get recognition for what they are doing in helping out and there are also discounts for things like the conferences we do.</p>
<p>If you are an OWASP member, the money you paid for your membership, you pretty much get back the first conference you attend, because of the discounts we give to members. So those are ways that we offer to get involved in resources to try and make a difference, but I think the biggest thing is education and realizing the potential impact that this can have.</p>
<p>As you’ve said, also, the process is very different. You have companies that are already mature for desktop software, they are already mature for their network security, but there’s this rush to get into these new web technologies where you really reinvent the same problems you’ve already solved over and over again in the rush to get online to do the newest cool thing.</p>
<p>By all means, I am not saying, “Don’t innovate,” I am saying, “Innovate, but if you have a mature process that’s working at one of your other areas, consider carrying that over to your web stuff.” Don’t just hand it off to a developer and say, “Hey, get us a website in the next two days on your spare time.” Put it through a vetting process because your company’s reputation and financial assets may be hanging out there on the Internet and if you don’t take the same due-diligence you do with other parts of your organization, you open yourself up to a huge amount of liability and risk.</p>
<p><strong>Amrit Williams:</strong> In terms of the participation, the population of those who participate in OWASP, are they primarily security professionals, are they primarily developers with a security focus?</p>
<p><strong>Doug Wilson:</strong> That’s one of the interesting things: OWASP is different. In fact, I think web application security groups including OWASP and WASC are different than the stereotypical security background, because it’s not all just about the security guys sitting there and going, “Ha, ha, we hacked you, we published our latest exploit, you all are clean.”</p>
<p>It has a much bigger focus that would appeal to people outside of security circles. That being said, the large majority of people who you see at OWASP events do have some sort of security focus in their task, but most of the founders of OWASP who are not security people are what they call themselves, secure developers, and the people at Aspect Security have been very heavily involved in OWASP since the beginning and they would call themselves developers.</p>
<p>First and foremost, they have been doing development for years; they just excel at secure development and secure development practices. So, I think, probably you do have a large component of OWASP that is security focused, but you have a much, much larger component at OWASP that is developers and developer-focused and writing interesting secure code than you would in almost any other security group on the planet.</p>
<p><strong>Amrit Williams:</strong> That’s very encouraging, I know that it was many moons ago when I would try to talk to web developers about software development life-cycles and adding security into the software development life-cycle and for the most part, most of them had no idea what I was talking about and it just wasn’t something that was part of their DNA and it wasn’t about trying to change their mindset, but just trying to make them aware of what the issues were, so that they could look for ways so they could try to avoid those later on when that stuff was publicly available.</p>
<p>So it’s certainly encouraging to see that the population is changing there and has changed and that you have a large set of developers that are part of that and participating and helping to drive it. I definitely think that’s fantastic.</p>
<p><strong>Doug Wilson:</strong> You still have no battle. I mean if you go to a mainstream developer conference, you are not going to see a whole lot on security, but you are going to see something and that’s a change that’s happened. I mean I have been going to &#8212; I go to a lot of design and development conferences as well as just security conferences based on personal interests in some of the circles I travel. A couple of years ago, we’d go to some things like South By Southwest where, like, the cutting edge of Web 2.0 was being born, and get booted off the stage so to speak for bringing up security in a discussion.</p>
<p>Now you are starting to see that &#8212; and again, it’s not all developers, it’s not even a majority of developers, but there’s a very vocal, dynamic, and talented majority who are really embracing the idea of writing secure code and they are starting to talk at conferences. They are starting to talk at mainstream developer conferences. Some of the OWASP people like Jeff Williams, who is the CEO of Aspect and the Chair of the OWASP Board right now, not only spoke at BlackHat this year but he also spoke at a Java developers conference and he had one of the best received topics of the conference. We have situations where, based on some of the work he has done, Sun and the Java team are actually changing how some of the Java application servers out there work in the next version.</p>
<p>I mean it’s slowly crossing over, but it’s still not so bad, and most developers still are ignorant of this and it’s not any fault of theirs, it hasn’t been brought to their attention, it’s not a priority, and that’s one of the things that we’re trying to do, is make them aware. We routinely have people from the development community in DC attending our meetings and we get more and more crossover as time goes on, which I think is a very positive thing.</p>
<p><strong>Amrit Williams:</strong> Oh! absolutely, and I think the work you guys are doing is really wonderful and the fact that you are making it open in the way that OWASP is being constructed is very powerful, because it makes information available to those who might not otherwise have it and that’s incredibly important.</p>
<p>Doug, I really appreciate you joining me today. I wish you guys the best at the AppSec Conference that’s coming up, November 10 through the 12th, and folks can find out more information on that at <a href="http://www.appsecdc.org/">www.appsecdc.org</a>. Those folks who are interested in finding out more about web application security or OWASP can find that at <a href="http://www.owasp.org/">owasp.org</a> as well. Doug, thank you very much.</p>
<p><strong>Doug Wilson:</strong> No problem, thank you for having me on the show.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix. Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2009/10/06/episode-55-web-applications-need-security-too-part-3/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
