<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Beyond the Perimeter</title>
	<atom:link href="http://blogs.bigfix.com/beyondtheperimeter/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.bigfix.com/beyondtheperimeter</link>
	<description>with Amrit Williams</description>
	<lastBuildDate>Thu, 16 Dec 2010 22:57:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Episode 99: Should Security Compliance Fall on the Independent Software Vendor?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/12/16/episode-99-should-security-compliance-fall-on-the-independent-software-vendor/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/12/16/episode-99-should-security-compliance-fall-on-the-independent-software-vendor/#comments</comments>
		<pubDate>Thu, 16 Dec 2010 22:57:36 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/12/16/episode-99-should-security-compliance-fall-on-the-independent-software-vendor/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, looks at the responsibility of the ISV in security compliance with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM. Subscribe in iTunes: Subscribe with XML:]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, looks at the responsibility of the ISV in security compliance with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM.</p>
<p>Subscribe in iTunes:<br /><a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" alt="Subscribe in iTunes" border="0"></a><br />
Subscribe with XML:<br /><a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML"></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/12/16/episode-99-should-security-compliance-fall-on-the-independent-software-vendor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 98: Is Education the Key to a Rapidly Evolving Security Marketplace?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/12/15/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace-2/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/12/15/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace-2/#comments</comments>
		<pubDate>Wed, 15 Dec 2010 21:07:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/12/15/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace-2/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the role of education in security with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM. Subscribe in iTunes: Subscribe with XML:]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the role of education in security with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM.</p>
<p>Subscribe in iTunes:<br /><a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" alt="Subscribe in iTunes" border="0"></a><br />
Subscribe with XML:<br /><a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML"></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/12/15/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 98: Is Education the Key to a Rapidly Evolving Security Marketplace?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/12/02/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/12/02/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace/#comments</comments>
		<pubDate>Fri, 03 Dec 2010 03:40:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/12/02/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the role of education in security with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the role of education in security with Jack Danahy, founder of Ounce Labs, and now the World Wide Security Executive for the Rational division of IBM.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a></p>
<p>Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p>FULL TRANSCRIPT</p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Jack Danahy. Jack was the Founder and CTO/CEO of Ounce Labs, which was acquired by IBM on July 28<sup>th</sup> of 2009. Jack, thanks for joining me today!</p>
<p><strong>Jack Danahy:</strong> Happy to do so!</p>
<p><strong>Amrit Williams:</strong> And today you are what is called the Worldwide Security Executive for the Rational Division inside of IBM. I don’t know a lot about what that probably means, but I imagine that means you do a lot of speaking, a lot of thinking, a lot of writing, a lot of trying to get the message out about security.</p>
<p>So talk a little bit about what your role is inside of IBM and what type of things you are trying to drive the market towards?</p>
<p><strong>Jack Danahy:</strong> You are right, it’s all of those things that you described; there is quite a bit of education really that has to go on inside the marketplace. Security remains a really amorphous, but rapidly growing space. New problem types are popping up all the time, new approaches to solving those problems arise, and a lot of my responsibility is understanding how to frame those changes and those new problems and solutions in a language that our clients can understand.</p>
<p>Within Rational, many of the customers have typically looked at IBM to be their partner in developing applications, making sure that they work the correct way, making sure that they were developed efficiently, the productivity was high. The centralization of a lot of the traditional development functions happens through Rational products. And so security is really a new entrant to a lot of those clients.</p>
<p>The security team has traditionally been pretty operational, and so as IBM clients and prospects begin their maturation into moving security further back in the lifecycle, don’t just test the product when you are about to deploy it, why not start building some security into it, well, those customers are looking for some information and some experience in terms of the best ways, the most efficient ways to introduce security earlier on as they are designing and building the applications that they rely on IBM to help them with.</p>
<p>And so my job is to figure out how do I integrate, how do we integrate security and security experience into the tools and the processes that IBM customers use to build things securely.</p>
<p>So the second piece is that this introduction of security in the development phase is most useful when I can mesh it with the existing investments people are making in operational security. There are a lot of excellent technologies that are already helping people with things like patch management and monitoring, authentication, access control; really more traditional security disciplines that are better understood.</p>
<p>And trying to help the people who are security folks understand the development teams, areas of responsibility, and their strengths and weaknesses, helps the organizations that we work with have a much better communication about security in general, not communication about security in two very discrete pockets; one being operational, one being developmental. And it’s my job to sort of help folks bridge that gap and share our experiences as IBM with them.</p>
<p><strong>Amrit Williams:</strong> And it really is &#8212; today we are facing a pretty big challenge in the conversations being elevated into different aspects of the business, it’s being expanded out to different domain groups within an organization. And as we know, security has tended to have its own language and its own way of communicating either issues or problems or methods for resolution, those are not, as you had mentioned to me earlier, very digestible by the sort of the primary folks inside of a business that are trying to make the decisions, that have the funding or can actually effect change, and so there is a lot of need for that.</p>
<p>What are some of the ways that you are seeing that evolve better inside of the software development lifecycle as part of app development, how are you seeing that evolve and get to a point where folks in security and outside of security can actually have a comprehensive conversation about what needs to be done without too much fear and uncertainty and doubt?</p>
<p><strong>Jack Danahy:</strong> It’s really about a common language. When development teams think about problems in the code, they are typically talking about bugs or flaws. When security folks are thinking about what can go wrong inside an infrastructure, they are thinking about vulnerabilities and exploits. And there really has not historically been a tight mapping between those two things.</p>
<p>The security team had so many responsibilities around operational management, of things like log files and system configuration, what have you, they were very busy there. And the development teams were typically being pounded for performance and functionality and getting things built on time. And so they really hadn’t ever taken the time to organize these into a single and comprehensive set of requirements for the development of an overarching view of what security would mean across both of these organizational boundaries.</p>
<p>And so what we have done is by understanding that the security problem evidences itself as a type of software defect, we can now communicate to the developer. When we tell them that there is a problem with this program, we can show them both what the programmatic issue is, i.e., sort of how they have done memory management or input validation, what have you, and they understand that really, really well.</p>
<p>(00:05:04)</p>
<p>But we can also help them understand what the net effect is of that, that will cause people to be able to do things they shouldn’t, or it will cause data to go places where it shouldn’t. So now the development team understands that the programmatic issues that they were having evidence themselves from the security concern up top.</p>
<p>In the same way, the security team can understand which of the errors and the issues and the vulnerabilities that they see are really related to programming problems as opposed to system configuration problems or base level update sorts of problems. Now they can say, you know what, I see this type of problem, it looks to me as though it may be a validation problem or encoding problem, and now they can take that information, knowing that it can be characterized as something that exists within the software itself, and now they can communicate to development, that this is a concern that potentially the development team should be worrying about.</p>
<p>So number one, by sort of unifying the language of that conversation around terms like vulnerability, which are understandable from both perspectives; the perspective of a security team and the perspective of an individual developer perhaps, now I can get these folks to talk about it.</p>
<p>Mechanically, having tools which can introduce this language and these issues into both frameworks, into the capacity to translate a security finding of some sort into information that is useful for a security person and understanding its impact, and the same feature being introduced sort of non-disruptively into the development lifecycle, i.e., populating things like defect tracking systems, quality systems, into the developers’ desktops.</p>
<p>Well, now what I have done is I have created not only a common language, but common delivery mechanisms that they are used to, whether I am pushing data into reporting infrastructures with which the security team is comfortable and proficient, or whether I am pushing information results and recommended fixes done to developers in the IDE that look just like the recommendations that you get for quality related fixes. Well, now everybody is pretty happy, because I have taken security, I have given them the capacity to communicate in a common language, and I have introduced that information relatively non-disruptively into the interfaces they have been using forever.</p>
<p><strong>Amrit Williams:</strong> And that makes a lot of sense. Do you find that &#8212; real quick, I think bridging that gap between how security can communicate with the folks on the operational side that actually have to effect change, whether we are talking about modifications to code or modifications or configurations to settings to network or computing devices, there has still been a pretty big gap there between how they communicate.</p>
<p>So definitely you need the ability to work inside of the ecosystems that these groups are both comfortable in, and a common language. Have you found that the resistance is stronger on one side versus the other, because they still tend to be pretty myopic in their views around what they need to communicate, and reaching out to the other side has always been quite challenging?</p>
<p><strong>Jack Danahy: </strong>I think that’s really an insightful point, because I think on the face of it, everyone wants to do the right thing, and if I could, I would make little air quotes in the air, but they want to do the right thing when it comes to security. It’s hard to find an individual or an organization where they are intentionally ignoring security.</p>
<p>But the insight is exactly square on. The security team tends to believe that the development groups should just build things which are secure. They believe it is as natural as creating food that isn’t poisonous. So for them, we have seen some resistance, a little bit of washing of hands that says, listen, when that thing comes over the wall to me, it better be secure, because it’s my job to make sure that I am deploying secure infrastructure.</p>
<p>So security can, before they really get informed in this way, this mutual communication, they can say, my job is to find out if this thing is broken, and if I do find it’s broken, I mark it up and I throw it back over the wall, and I make negative comments about what’s going on in development, and it’s somebody else’s fault to make that right. So they draw this artificial line between the responsibilities of the people who are going to be creating the software and the people who are going to be responsible for deploying it.</p>
<p>In the same way, the security team can take a very defensive approach. We have seen this in terms of the early adoption of some of these technologies, where a development team who for the first time has an application reviewed by security, if what they basically get is a laundry list of why they are all stupid, they tend to resist. They tend to see this really as an encroachment upon their capability as developers, upon their ability to deliver what they are asked to deliver, and it becomes now really a pretty painful conflict.</p>
<p>The development team typically will say, and rightfully, they have built what they were told to build. There was no articulation of specific security requirements. There was no focus or exposition of how it would be tested for security, and so they feel they did their job according to the requirements they were given and the fault exists within the requirements.</p>
<p>(00:10:05)</p>
<p>The security team on the other side is holding up their end and saying, listen, we tested it, it’s too insecure to run, and now the organization finds itself in a pretty painful stalemate; and this is largely the result of a lack of education. In fact, not really at either of those two levels; it is not &#8212; the security team, it’s not their responsibility for being undereducated, it’s not the development team’s responsibility for being undereducated, there exists above both of them some organizational hierarchy, which was supposed to get them to talk in the same language.</p>
<p>Someone was supposed to say, this application has to be secured, and it means the following, and there is a list of things, and a lot of those things will be populated with information from the security team, so they have to participate in terms of setting that context and setting those requirements.</p>
<p>And then the higher level organization, as they are mandating what development will do, has got to sort of rearticulate those in development and design terms, so the team that’s actually building the software knows how to do it correctly, and where correctly means securely.</p>
<p>And so it’s actually that level that is sort of one above, if you think of it as being one above both security/operational and development/quality, that should have specified a language or a goal at least that both these organizations could understand, and then they work together to satisfy that higher level. As opposed to, I give one set of requirements to security that says, your job is to make sure that insecure things are not deployed. And I give another set of requirements to development that says, your job is to go build this functional thing. And then I sort of sit on top and I complain when there is a massive collision between those two sort of conflicting priorities for the groups.</p>
<p><strong>Amrit Williams:</strong> Yeah. You said something very interesting, you said it has to be secured, it means the following things. I don’t think that there is almost any agreement on what those things are. I mean, I think there is the ideal and the ultimate of what they should be, but in the context of a specific situation, a specific application, given all of the conditions that, that application or the company finds it in, it’s very difficult to come to consensus there. And I think one of the &#8212; I do want to come back and touch on that in a minute, but I think one of the challenges is, is that traditionally, and even today, a lot of the output of the security tools tend to be fairly overwhelming, almost the shock and awe reports, where it’s like this thing is so insecure, there are 1,500 ways to exploit it.</p>
<p>Development gets very defensive about that type of stuff, because it really is &#8212; not only is it pretty overwhelming for someone to deal with, it’s not oriented always to the resolution, it’s oriented towards the problem, which is generally where security likes to sit.</p>
<p>And I really like the concept and have always pushed for the concept of security needs to be part of an element’s lifecycle, whether it’s an application or a network device or a computing device, but we still really have a problem with language. We still really have a problem with the output of the tools themselves providing information that can be consumed by both the security professionals and the operational or development professionals that need to effect change.</p>
<p>What do you think is the &#8212; I mean, inside of the application development lifecycle you have mentioned a couple of things, but what do you think is going to radically change this, or are we just slowly going to trudge towards adoption?</p>
<p><strong>Jack Danahy:</strong> I am hoping, there is always the inspirationally aspirational, it is my hope that this changes, because it’s something that is almost unrelated to technology at all, it’s acquisition behavior.</p>
<p>The same people who will be responsible for cleaning up the mess after a bad security incident, at some level, the same people who are responsible to shareholders for what happens as a consequence of something bad happening in security, are the same people who are budgeting the expense for new infrastructure and for new applications, what have you, and that is acquisition behavior.</p>
<p>So I think that if we can change the dynamics of security to being something which is much different than a technical approach to worrying about whether somebody did good memory management or not, and change it into something that says that security is absolutely as fundamental a characteristic about software as is performance or features, then we can change this very much. Because the acquisition, and by acquisition I mean it could be internal budgeting for resources to build something, offshore, outsourced, service managed, doesn’t really make any difference, but we can really change this by making security a characteristic by which acquisition is influenced.</p>
<p>So if I am the person who is buying a piece of software, I would never think to go buy Apple software, and I have a base of Windows machines, because everyone realizes it’s that sort of silly, or I would never think about something that was built to handle 100 users when I have a user population of 10,000. There are different characteristics of products.</p>
<p>Security today has not really arrived there, and I think mainly because the impacts of security have both been a little bit muted, they have tended to be managed internally, and they have been obfuscated, the causes of the problems have been obfuscated to such an extent, it was harder for there to be a direct relationship between insecurity and inefficiency in cost and acquisition.</p>
<p>(00:15:13)</p>
<p>I think that this market changes and I think that people’s emphasis on security as a component of their infrastructure changes as it becomes the requirements of the acquisition lifecycle.</p>
<p>If I tell a vendor, I am not paying for this unless it is able to be asserted that it is secured, and I use the words carefully because you can’t really say certify, because it’s hard to find a certifying agent, but it has to be positioned in a way that is meaningful as secure, I think that that is where things change.</p>
<p><strong>Amrit Williams:</strong> But that’s one of the &#8212; sorry to cut you off real quick Jack, but I want you to drill down on that. I think that’s one of the fundamental problems is, a lot of people don’t know how to describe or quantify what it means to include security.</p>
<p>When I was at Gartner we did &#8212; I put out a note that discussed, and I think this was in 2006 or 2005 or something like that, that by 2010 most organizations would include security as a critical requirement as part of software acquisition. But we still have not seen enough instantiation for organizations to be able to quantify what that means. They can quantify performance, they can quantify cost, they can quantify availability, they can quantify a lot of different aspects about what they are trying to acquire, but when it comes to security, there is a very abstract world out there where people just say, it needs to be secure, but very few people can actually say what that needs to be at any given point in time for any acquirer of said thing.</p>
<p>So how do we get past that and what do you think is really broken there that’s causing such a problem for people to be able to have a very easy conversation about what security is, because they have those easy conversations in almost every other aspect of software or networking devices or whatever it is.</p>
<p><strong>Jack Danahy: </strong>I think the basic problem is one of quantification, that I can describe security qualitatively and I know sort of internally what I mean by it, and capturing that in contract language is really very difficult. As soon as I begin creating a specific list of security enablers, you will use encryption for this, you will use access control for that, you will update according to the following set of schedules, I am automatically creating a list of things they don’t have to do, because you are never, to your point earlier, you are never going to be able to fully enumerate everything that security means inside an application, even given a fair amount of context.</p>
<p>Where we have seen people be successful with this is where they tend to treat it more behaviorally. I will give you a great example that was done by one of our clients about four years ago.</p>
<p>They actually created contract language for customized code, in which they reserved the right to assess whether or not this application met the following set of criteria, i.e., user controllable behavior cannot cause misbehavior on part of the application, and there will not be malicious code anywhere that lives inside here. So the terms that defined what the insecurity was were fairly bland, right? They could have been applied in many different ways. And the terminology, which was exact, was around what would happen and the rights that were reserved to perform that level of assessment.</p>
<p>So from a purely contractual view, I believe that there was a small amount of extra money paid to get this into the contract, but at the end of the day there was full cost recovery, because what ended up happening was, there were penalties with it that said, if you agree to this, and we assert our rights to examine the code and we find anything which is bad, well then, you are not getting paid. And in fact, they were getting fined some percentage for certain types of problems and then not paid at all for others until they were remediated.</p>
<p>While the definitions of security were relatively bland and open-ended, the changes in the vendor’s behavior were very concrete, very measurable. They suddenly put into place methodologies through which they would first understand what the client was going to do in terms of their own testing internally and mimic that through their own organization.</p>
<p>They changed the priority of the way in which they addressed different kinds of issues, with an eye towards closing the security things, because a functional gap, you are allowed to patch. If I am contractually obligated to fix security things before I get paid, it changes the prioritization of those, and by defining the requirements for security in a relatively generic way, it really forced the vendor to do more process-oriented things, so that they could demonstrate what they had done. They could influence the perception of the way in which they had delivered a secure product and then they could have a much more harmonious relationship with their client, because there were no surprises at the end of the day.</p>
<p>So the client claimed full cost recovery against the means that they use for assessment, because they didn’t have the patching cost, they had a markedly reduced number of vulnerabilities discovered in user acceptance test. And the other great thing about it was, this was a custom version of a COTS product, and so every client of that COTS product also saw the benefits of this. So I think it was just sort of a win-win, but it changed the discussion from trying to be specific about security, to being specific about sort of legal remediation.</p>
<p><strong>Amrit Williams:</strong> I like that Jack. I really appreciate you joining me today. Jack Danahy, Worldwide Security Executive with IBM’s Rational Division. Thanks Jack!</p>
<p><strong>Jack Danahy:</strong> Thanks so much.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/12/02/episode-98-is-education-the-key-to-a-rapidly-evolving-security-marketplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 97: What Changes do Businesses Need to Make in the Coming Year?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/09/03/episode-97-what-changes-do-businesses-need-to-make-in-the-coming-year/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/09/03/episode-97-what-changes-do-businesses-need-to-make-in-the-coming-year/#comments</comments>
		<pubDate>Fri, 03 Sep 2010 22:41:42 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/09/03/episode-97-what-changes-do-businesses-need-to-make-in-the-coming-year/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, concludes his discussion about the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, concludes his discussion about the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-339"></span></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research and Intelligence with Verizon Business. Alex, thanks for joining me today.</p>
<p>Well, Alex, I would like to start talking about what organizations should be doing with this data. I mean, someone reads this today and they wake up on Monday, what type of suggestions, changes should they be making in their environment? What are the things that they should get out of this report in terms of &#8212; what’s the call to action?</p>
<p><strong>Alex Hutton:</strong> Well, regardless of whether you are worried about internal or external, the first thing you should look at is identity and access management. On Page 45, there is a wonderful series of charts, they are column charts that are augmented with lines. The columns represent the frequency and the lines represent the impact.</p>
<p>If you take a look at &#8212; and this is what we call our unknown-unknown chart, where we kind of break out unknowns that are represented in the dataset by unknown assets, unknown data, unknown connection and unknown privileges. An unknown asset is like, oh, we didn’t realize we had that server. Unknown data is, wow, that data is actually on that server, uh oh! And so forth.</p>
<p>There is this amazing increase and utilization of unknown privileges that you will see there, just from &#8212; in 2007, below 20% of cases, to over 90% of cases involved unknown privileges, where there was an unknown. Identity and access management is significant.</p>
<p>The second is log management. I mean, this is a real problem and being able to find the information in your logs, but when 90% of the time it’s there, that indicates there is a potential solution, we just have to apply technology and imply intuition and ingenuity in order to find a real usable solution there.</p>
<p>I mean, in one case, there was a compromised system that had no increased business requirements, there weren’t more users, there wasn’t more transactions being processed or anything, but this particular server had seen over 400% increase in utilization. That should be an indicator that there is something wrong there.</p>
<p>So we do need to focus on understanding the systems that we have, and being able to find &#8212; I think the term that we use is, find the needle in the haystack there.</p>
<p><strong>Amrit Williams:</strong> So I wanted to go back to the chart on Page 45, the unknown privilege chart, because it really is quite shocking, an increase from 20% to over 90% from 2008 through 2009 is &#8212; well, that is a shocking chart. Can you talk a little bit more about what unknown privileges is representing, how does that instantiate itself?</p>
<p><strong>Alex Hutton:</strong> Sure. It’s an unknown user account or roles or responsibilities for a specific user account. They didn’t realize that, that user had access to do these sorts of things on the system. It really is identity and access management.</p>
<p>So basically, what we are representing there is, when I used to work with a Pentest team, what we always used to look for was the blank SA password, that would give us the keys to the kingdom. That was years ago.</p>
<p>This is the same stuff. It is, holy cow! I didn’t realize that we had a blank password on that system. I didn’t realize that root on that system had these sorts of access to these sorts of other systems, all of these identity access management problems are represented there. It would be great to break those out. That’s something we hope to do in future reports, and to what exactly those are and how we are finding them.</p>
<p>But in terms of finding a solution and mitigating the risk, it’s actually pretty easy. You focus on audit, usable audits, account audits and so forth, in making sure that you are applying the right technology out of your budget, to make sure that you are not part of that increasing trend.</p>
<p><strong>Amrit Williams:</strong> Have you seen any difference or variation between Windows-based servers or UNIX-based servers, in terms of how organizations &#8212; I know there are differences in terms of how organizations protect them and what technology is out there, but was there anything in the Data Breach Report or dataset that you guys looked at that indicated there was a higher probability of one type of system versus another that was susceptible to this in organizations?</p>
<p><strong>Alex Hutton:</strong> We don’t really break that out.</p>
<p><strong>Amrit Williams: </strong>The reason I ask is, because in dealing with organizations that have Windows Server Administrators versus UNIX Server Administrators, they act very differently and they tend to manage the systems in a very different way. It would be an interesting thing to dig into.</p>
<p>Okay. So you mentioned IAM and I think that’s great. I think putting everything under the umbrella of, anytime you can get visibility into the systems, how they are configured, how they are being accessed, and how they are being used, and then look for anomalies is definitely a good thing.</p>
<p>You mentioned log management, the ability to monitor, and I thought that was a great example of sort of anomalous activity that should have been looked at. Anything that you have seen over the last year or two that organizations are probably not looking at, that they definitely should? Because I think in these two areas, these are definitely areas where organizations can do a better job, but most people are aware of these. Anything that you think is different or a mind shift for how people might want to look at improving their security?</p>
<p><strong>Alex Hutton:</strong> Well, let me back up first and say, it’s not just visibility, it’s also variability. So anytime you want to manage a process environment, you have to look at both. But in terms of answering the question, the one thing I want to do is stress, share information.</p>
<p>The FS-ISAC and various other organizations are really starting to get great apps, it’s a rapid sharing of threat information. We need to expand beyond that and start sharing all sorts of risk management information, not just information out of threat landscape and not just particulars about IP address ranges or types of malware.</p>
<p>The second thing that’s kind of interesting is the role, and this is part of unknown privileges, what we mentioned before, but the role of stolen credentials, the ability to detect and respond to credentials being stolen, even if it is just an overwhelming amount of false positives around, oh, I think I clicked on a phishing email or whatever. This is critical moving forward.</p>
<p>It is very easy. Remember we talked about economic efficiency in the threat landscape. This represents the most efficient thing that a threat agent can do. They can phish somebody or do some sort of web-based malware drive-by, steal credentials, and boom, they have got some level of privileged access. It’s really that simple.</p>
<p>The increase in the use of stolen credentials actually is kind of correlated to the increases in custom malware that we have seen, from 2006 until now. Increased custom malware is a trend that’s growing and continues to grow. So I think that’s interesting.</p>
<p>Take a look at PCI requirement section, and take a look at what you have &#8212; if your organization has to deal with PCI’s requirement, take a look at the kind of compliance rates that we saw, really poor compliance to the DSS across the board and the failure rates that this dataset represents, and kind of take that seriously.</p>
<p><strong>Amrit Williams:</strong> Well, boy, I would love to be into PCI and this world of MySpace, but then I decided not to go there just yet. So I want to go back to something you said, because I think it’s really, really important and I think organizations are really challenged on that. It’s a great idea, which is to share information, and build that collective update. I know that you and several others have been big proponents of trying to support that.</p>
<p>What does an organization do though, because they have to balance, and I think I would like to get your perspective on, A, what they should do, and B, how they balance some of their concerns. And some of the concerns would be, I am afraid to share information, because I am afraid it’s going to keep me liable for something. Or I am afraid to share information because I think it’s going to have some impact on my bottom line somewhere down the line if it finds out there is a breach that results in a compromise of data that results in me having to take teams around it.</p>
<p>So A, what should companies do, what do they get involved in, how do they become part of that collective of information? And B, how do they maintain some level of anonymity, so that they can participate and contribute to the greater good without feeling like that’s going to result in some type of fine or negative impact to them somewhere down the line?</p>
<p>So we will take the first one, which is, what do they do, how do they share information, how do they get involved?</p>
<p><strong>Alex Hutton:</strong> It’s going to vary from industry to industry. In the past, I have been kind of very involved in ISFA. I have been involved in other kind of industry security groups. And I think the first thing that any organization can do is make sure that you are going to those sorts of events, and basically issuing the PowerPoint and get into the network. I think that you will find that the value of ISFA meetings and 9:36 meetings, certainly is in the education, but it’s mainly the networking.</p>
<p>One of the great things that my friend, Dan Houser, he is an (ISC)² Board member, one of the great things that he did in the Columbus, Ohio area is start a program called the Security MBA. MBA stands for Masters of Beer Appreciation.</p>
<p>The Security MBA was just a collection of security individuals from financial sector institutions in Columbus, retail, whatever it was, but if you were a security geek and you were in Columbus, once a month, Dan found a vendor to kind of shuttle out $200-300 to buy appetizers and beer for everybody, and you go meet, and it would be extremely informal. Dan would have a number of topics.</p>
<p>You talk about the topics for a while, but what really happened was, people shared information about how they were managing, how they were taking vendor solutions and really making use of them and becoming effective. I think that’s the first thing to look at, is doing something informally and doing something locally.</p>
<p>I hate to sound like a bumper sticker about act local, but think global, but that really is a great first step.</p>
<p>Second thing that you can do is get involved. If your industry supports something, in information sharing, get involved in that. If it doesn’t, think about trying to start something with information sharing.</p>
<p>These sorts of things exist and it’s worth seeking that out. As I have been speaking at METROCON, and I have been speaking at Black Hat and so forth, it just becomes really apparent that we are not going to get any better at managing risk until and unless we have comparative analytics.</p>
<p>Comparative analytics for me represents the key to our success as an industry going forward. That’s comparative analytics over everything. So threat landscape, it’s the controls landscape, it’s the asset management that we do, it’s impact, understanding how much things even cost, even if you can talk in vague generalities, understanding how much you are looking at in terms of impact is important and how you can limit that impact.</p>
<p>So that’s a second thing, is seek something formal. If it doesn’t exist, think about building it; Google Groups are free.</p>
<p>The last thing that I would encourage folks to do is download and use our freely available VERIS framework. I know this is going to sound like a vendor pitch, but one of the things that has made the past so successful is that the risk team here has used a framework to take the incident narrative; first, this bad thing happened, then that bad thing happened, and turn that narrative into metrics, the metrics that you see in all the wonderful charts and graphs here.</p>
<p>But what’s great is, once you have that commonality, you can basically take anything, put two different folks in a room, and get them with two different cases, and get them to provide you information on the same to same basis.</p>
<p>So VERIS is freely available, anybody can download it. It’s at <a href="https://verisframework.wiki.zoho.com/">verisframework.wiki.zoho.com</a> and start using it.</p>
<p>It’s what made the Secret Service &#8212; so one of the things, besides their willingness and their cooperation, one of the things that made this report actually be able to happen is this common framework. They were able to take VERIS and get metrics on a same to same basis as our IR team.</p>
<p>They even developed, I think, an in-house application hub, frame their incidents in a VERIS context.</p>
<p>So that’s the other thing, is get involved in something like VERIS or VERIS itself if you are into sharing incident information, but make sure that you have the language to talk to somebody else in a same to same manner. Those are the three keys.</p>
<p><strong>Amrit Williams:</strong> What about the question of anonymity, because I think this is a challenge that &#8212; I mean, I think most people want to be able to be part of the collective, to help with the comparative analytics, it helps all of us, but they really struggle with that question of anonymity.</p>
<p>Do you have any ideas around how we better support anonymity while supporting these collectives, and is VERIS &#8212; I am not familiar with it, I have to be honest, does that framework provide some level of abstraction from details but allow people to get the information they need?</p>
<p><strong>Alex Hutton:</strong> Yeah. Well, that’s one of the things that VERIS is designed to do. There is a demographic section where you kind of describe the victim organization, and you can be as &#8212; it’s designed to be fairly general and vague, we are in the financial services industry and we are between ten and a hundred thousand employees and so forth, rather than specifically say, yes, we are a financial institution in 14:27 Washington with 157 employees.</p>
<p>But I will challenge us with &#8212; information sharing is going on, we just have to foster and seek that out. The ISACs are a prime example of that. In setting something up with rules and NDAs, I mean I-4 has been doing this for ages through &#8212; setting stuff up with NDAs is pretty easy, and bilateral NDAs, you can go Google any number of really good and strong bilateral NDAs.</p>
<p>What you need to do in terms of selling it internally is really kind of figure out &#8212; for the listener, in terms of selling it internally is really kind of figure out, okay, what’s the risk reward, and how do I coach that in a PowerPoint for people that I have to go sell the idea of sharing information with my peer groups?</p>
<p>The risk is, somebody might find out we had an incident. Gee, we are imperfect, just like everybody else in the industry. The reward is, I get comparative analytics. I get better information.</p>
<p>So designing a process and program around sharing information before you go sell it and say this is the benefit for taking this risk, that’s the key piece that people need to do in terms of selling it.</p>
<p><strong>Amrit Williams:</strong> I think that makes a lot of sense. Alex, I really appreciate you joining us today. I would like you to &#8212; I am imagining that there is actually somebody out here that doesn’t know how to use Google, if they were interested in obtaining the copy of the Verizon Data Breach Investigations Report, what address would they go to?</p>
<p><strong>Alex Hutton:</strong> The best place is <a href="http://www.verizonbusiness.com/products/security/">VerizonBusiness.com/products/security</a>. There will be a link right on to your right there.</p>
<p><strong>Amrit Williams:</strong> Okay. What about the VERIS framework?</p>
<p><strong>Alex Hutton:</strong> The VERIS framework is found at <a href="https://verisframework.wiki.zoho.com/">verisframework.wiki.zoho.com</a>. That’s a non-Verizon website that’s hosted that’s meant to be community based, and there is a public kind of Creative Commons-like license surrounding it all.</p>
<p><strong>Amrit Williams:</strong> Does Verizon support services like, let’s say somebody wants &#8212; has questions about the report itself or wants to somehow participate and they are not using Verizon for forensics or investigations, how can they get involved?</p>
<p><strong>Alex Hutton:</strong> The first thing to do would be send us an email. There is an email of DBIR, Data Breach Investigations Report, so <a href="mailto:dbir@verizonbusiness.com">dbir@verizonbusiness.com</a>, and that will get to the risk team.</p>
<p><strong>Amrit Williams:</strong> Well, that’s fantastic! This has been a pleasure to have you on Alex. Hope that I can have you on again, and hopefully we can meet each other sometime face-to-face, seeing that we know each other.</p>
<p><strong>Alex Hutton:</strong> I would really like that. Thank you again for having me on. I hope this was useful to you and to your listeners.</p>
<p><strong>Amrit Williams:</strong> It absolutely was. You were a pleasure to have on. Thanks a lot Alex.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/09/03/episode-97-what-changes-do-businesses-need-to-make-in-the-coming-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 96: Verizon Business Releases the 2010 Data Breach Report</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/#comments</comments>
		<pubDate>Sat, 28 Aug 2010 09:21:25 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, digs into the details of the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, digs into the details of the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-336"></span><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research and Intelligence with Verizon Business. Alex, thanks for joining me today.</p>
<p><strong>Alex Hutton:</strong> Amrit, thanks for having me. How are you?</p>
<p><strong>Amrit Williams:</strong> I am great. It’s great to hear you again, it has been a while; you have been on the podcast before. Actually, the last time you were on, I think you had just taken a position with Verizon and we didn’t get a chance to drill into some of the details of the last Verizon Data Breach Report. But now I have you back and I am really excited to talk about the details of the 2010 Data Breach Investigations Report from Verizon.</p>
<p>So why don’t we start with just a real quick overview, if you could provide the listeners, what is the Verizon Data Breach Investigations Report, what’s its focus, goal, and purpose.</p>
<p><strong>Alex Hutton:</strong> Sure. Thanks. The goal of the Data Breach Investigations Report is basically to give people information they can use to better manage their risk, optimize their security program.</p>
<p>The background is this, Verizon Business, as you guys probably know, we do a lot of incident response cases, where we go out on the client side when they have incidents. Our IR team has done a great job in the past, I don’t know, since 2004, of keeping detailed metrics about the environments that they find.</p>
<p>So the first Data Breach Report was an attempt to basically take kind of the narratives that they capture; first the bad guys did this, then he did that, then he did the other thing, and really create risk management metrics out of them. This year’s report is kind of unique and different, because it also includes the Secret Services data for the past few years, about the incidents that they respond to and work.</p>
<p><strong>Amrit Williams:</strong> This is the first year you guys worked in conjunction with the U.S. Secret Service, right?</p>
<p><strong>Alex Hutton:</strong> Correct.</p>
<p><strong>Amrit Williams:</strong> I got to tell you, those guys know how to party. No, I am joking. They are actually one of the most straight faced people I have ever met. How was it working with them, before we get into the details of the report?</p>
<p><strong>Alex Hutton:</strong> It was really fantastic, it was very exciting. We had some internal champions there that I probably can’t name by name, but I do want to publicly thank them for their effort and their hard work that made this all come together. It was very exciting.</p>
<p>Wade Baker did a lot of work with those guys and getting this to fruition, training, and so forth. They have been extremely responsive and actually very eager to get metrics out of what they &#8212; and get them released and get people understanding what’s going on and managing better. So kudos to them.</p>
<p><strong>Amrit Williams:</strong> It’s encouraging too, because there’s definitely more of an outreach from U.S. law enforcement, actually even worldwide law enforcement, to better coordinate with the private sector and businesses, so we can hopefully create an environment that makes it sacred for all of us to work and have fun online.</p>
<p><strong>Alex Hutton:</strong> At Black Hat, I did meet the fed’s panels. It was amazing the amount of programs and the amount of information that the U.S. government is willing to go out and share and utilize. Programs that they have to utilize, that we can utilize to help people, manage their risk better, optimize their security programs, understand the threat landscape, and so forth; really fantastic stuff.</p>
<p><strong>Amrit Williams:</strong> Well, maybe when guys show up in black helicopters, dark suits, and dark sunglasses, and they say, we are from the government, we are here to help, they actually really mean it.</p>
<p><strong>Alex Hutton:</strong> We can only hope.</p>
<p><strong>Amrit Williams:</strong> So let’s turn to the 2010 Data Breach Investigations Report. I find the report just fantastic. I love reading this thing once a year, because it has such a wealth of data. And what it helps to do a lot is it helps to either support some assumptions that people have or maybe change their ideas around some assumptions.</p>
<p>I know that I think last year’s report indicated that insider threats were not as great as I think people were stating that they were, especially those folks who sell insider threat capabilities as a vendor, but we see a proliferation in that. So talk a little bit about what are some of the major themes that you guys saw in 2010 that were different from 2009 and then we can sort of drill into what impact they are going to have on the enterprise.</p>
<p><strong>Alex Hutton:</strong> Sure. Well, one of the things that came about from the cooperation with the Secret Service is that, we actually did get a more clear picture about what may not be reported, and a lot of that had to do with the insider.</p>
<p>If you have read the 2009 supplemental report that we put out, part of the work that &#8212; I was a part of the team that did the normalization with the data lost database information. It was interesting that once we took out like lost laptops and USB keys that are lost, that had a bunch of social security numbers and basically said, okay, these are the incidents that DoD covers that are very similar to the incidents that we work. Their percentage of insiders and outsiders was statistically similar to what we had been seeing. So that was kind of validation at that time; what is publicly reported and what is represented in the press, seems to match the percentages that Verizon works.</p>
<p>(00:05:09)</p>
<p>This year, we actually, because of the Secret Service data, we actually do see a greater frequency and incidence caused by internal agents. If you look at page 12 of the report, we show a 70% external agent representation, a 48% internal agent representation, and 11% partner representation. Those percentages add up to above 100%, because many times you will have an external agent working with an internal agent on a case. So that’s why you get greater than 100% there. But we do see a significant rise there because of the Secret Service dataset.</p>
<p>Now, that said, I have to qualify that. If we think of risk as being frequency and impact, if you take a look at our numbers, and this is on page 14 for those listeners who are kind of reading along with us, or want to take notes and look at the Data Breach Report themselves, what we do there is we kind of say, okay, now, we have got a frequency number in terms of representation in the caseload, what about actual impact? And if you look there, you are like 70 times more likely to have compromised records, compromised by an external agent than an internal agent.</p>
<p>So out of the nearly over 900 million records total in the dataset, that combine U.S. Secret Service and Verizon dataset, out of 900 million records that have been compromised, 800 million were from external agents, 28 million were from internal agents.</p>
<p><strong>Amrit Williams: </strong>That’s actually pretty incredible. I have a quick question about these metrics that were caused by insiders. There is a similar metric here, almost exactly the same numbers, 48% were caused by insiders, an increase of 26% over last year. Another part of the report says, how do breaches occur, 48% involve privilege misuse, and again, that 26% increase over last year. Have you been able to determine through the investigations which of these were negligence versus malicious activity?</p>
<p><strong>Alex Hutton: </strong>Yeah, actually we have kind of breakdowns of what misuse means. If you go ahead and take a look at the Misuse section, that kind of starts on Page 33, we give a type of misuse that’s kind of broken down between embezzlement, skimming, and related frauds, versus say, what we would typically think of misuse as access in privileges. So you do kind of get a breakout by type of misuse there to answer that.</p>
<p><strong>Amrit Williams: </strong>I am looking at this, this is quite interesting, because this implies that in the majority of cases where there was an internal breach, there was actually an attempt to breach. I mean, it wasn’t negligence or wasn’t an accident.</p>
<p><strong>Alex Hutton: </strong>No, no, and that’s significant. One of the things &#8212; to get back to, I guess, what you are kind of driving at, there is a wonderful graph that we do, where we break out sort of the over time, the frequency or the representation in the dataset, and you see the shape of the Secret Service’s internal &#8212; representation of the internal agent between 2007 and 2009 on Page 13. It’s a little V shape, basically, that starts high in 2007, at near 90%, kind of bottoms out around 55% over 2008, and jumps back up towards 70% in 2009.</p>
<p>Now, to show you what kind of influence, misuse, and what you are talking about, and the Secret Service dataset has on our representation of misuse in the internal actor in the Data Breach Report, you go to Page 22 and you take a look at the dotted green line for misuse as a threat action there, and it is a same shaped curve, that same V shape is represented there.</p>
<p>So that just shows you that if you go to that representation of what types of misuse are represented with dataset, that’s almost same for same, kind of related to the frequency for the internal actor. So taking a look at abusive system access and privileges and embezzlement, and making sure you have controls around that, well, you are going to knock out a significant probability of internal actors being successful just by focusing on those sorts of threat actions. I think that’s the power of the Data Breach Report and the power of looking at data, is that optimization.</p>
<p>(00:09:49)</p>
<p><strong>Amrit Williams:</strong> Well, I guess we want to touch on what organizations can do to better defend themselves, but before I go there, I do want to ask you a question about this concept of insider threat and misuse. I think over the years we have seen sort of negligence and accidental misuse. As this report is indicating, there is actually a targeted type of thing that’s going on, whether that’s for embezzlement or any number of things.</p>
<p>Do you think there is or have you &#8212; did the Secret Service itself or Verizon look at any correlations between the current economic conditions and people’s fear about either losing their jobs or being laid off that has driven this number up, or is this just opportunistic?</p>
<p><strong>Alex Hutton</strong>: Yeah. The answer I should give you is, we don’t see that in the dataset, because you get this internal and misuse representation actually dropping between 2007-2008. If I were to be able to say, oh, of course, the economy is causing bad people to do bad things, you would think that, that would actually have increased between 2007 and 2008. I think the long-term answer is, we don’t have enough data. I mean, the kind of statistician wannabe deep inside me says, well, I would really like to have several recessions’ worth of data to show you, but then again, I don’t want several recessions’ worth of data.</p>
<p><strong>Amrit Williams</strong>: Very good point! And hopefully we won’t touch that dataset anytime in the near term, because I think 11:22 from some of the economic conditions that are going on.</p>
<p>Quick question, have you been able to do any correlation between a combination of external actors utilizing internal actors to compromise, is that anything that you have seen increased? Is there a proliferation of that, or are these still fairly independent entities, you have the external folks trying to gain access and you have internal folks trying to gain access and there is no real sort of combination?</p>
<p><strong>Alex Hutton</strong>: There is actually a significant representation of combination of cooperation and combination in the dataset. If you look at Figure 7 on Page 14, we have got 27% of all breaches included agents working together. A lot of times, especially with regards to what we see in the Secret Service dataset, that’s an insider using a skimmer or what have you in conjunction with an outsider, so that you have got an unsophisticated internal actor who is being approached by or utilizing a more sophisticated external actor who kind of acts as the laundryman for the data that they have breached and used.</p>
<p><strong>Amrit Williams</strong>: One of the things that I am also curious about is, the word sophistication is used a lot, and I know that we have talked about the movement from hobby-based malware and cyber-vandalism, to fairly sophisticated and stealthy attacks driven by financial gain. Are you seeing that level of sophistication required in exploiting companies, or are folks still falling prey to the very basic stuff, that if they just simply implemented better controls that they wouldn’t fall prey to this, at least, they would fall prey to something different, but are the external actors or even the internal folks, they are just still taking advantages of some pretty basic stuff, right, we are not seeing a huge increase in some highly sophisticated attacks, are we?</p>
<p><strong>Alex Hutton</strong>: When I was first exposed to the Verizon dataset, I said no, no, no, none of this is sophisticated at all. But the fact that for five years running the dataset shows what I would consider simple things like SQL injection to be represented, I would have to say, well, maybe that is sophisticated, right?</p>
<p>The attackers, I think, from looking at the dataset and understanding what&#8217;s going on, especially when you kind of mentally correlate that to what we are being sold as an industry in terms of products and so forth, the attackers are very economically focused, they will expend only the energy they need to in order to make the data breach happen.</p>
<p>So if we are giving them access through SQL injection and we are giving them access through simple malware and drive-bys and so forth, and what you and I from the technical standpoint might consider unsophisticated attacks, they are going to use unsophisticated attacks.</p>
<p>That said, we still can&#8217;t manage these things. So maybe the technical concept is simple, maybe it&#8217;s actually a complex management problem, I don’t know. But whatever it is, I think every reader out there would say, looking at the dataset, we have got fairly unsophisticated attacks still being the majority representation in the dataset.</p>
<p><strong>Amrit Williams</strong>: That makes sense. I think maybe I stated this wrong. I think the use of the word sophistication requires context, because you and I have an understanding of something that’s the average IT person may not. Maybe a different way to state this is, have the initial compromises into an organization evolved to a point that traditional mechanisms or traditional controls would be easily bypassed?</p>
<p>(00:15:02)</p>
<p>And I think what you are stating is that, no, we are still falling prey to the same stuff we fell prey through yesterday, even though the malware that might be stuck on these machines to store passwords or data may be becoming more sophisticated. The attackers today are still enjoying the ability to crack our systems the same way they cracked them five, ten years ago.</p>
<p><strong>Alex Hutton:</strong> Yeah, exactly, and I think what the dataset says, and you can look at this in the latter pages, Page 50 on, if you are interested in reading about it, is basically, it&#8217;s relatively unsophisticated. Mitigation is usually 64% of the time simple and cheap. These are not new trends; these are things that you will see in the previous two Data Breach Investigations Reports as well. 90% of the time the information about a breach is in the logs, that sort of thing.</p>
<p>So that evidence points to, it&#8217;s there, we just are overwhelmed by mountains of information, overwhelmed by a lot of noise, in the signal to noise ratio. Basically, it is the fundamental things that lead to data breaches.</p>
<p>That said, there is representation of sophisticated attacks, and many times a targeted attack is going to have sophisticated means utilized. But the vast majority of attacks just don’t cost the attackers that much in terms of skills and resources.</p>
<p><strong>Amrit Williams:</strong> That’s troubling to me. That’s a very troubling statement. The Verizon Data Breach Report has been coming out for a couple of years. We have all this data that comes out from vendors themselves that talk about the type of attacks that are out there. It&#8217;s not a surprise that security is an issue for people and they need to increase the level of control that they allow access into systems, as an example. But it doesn’t look like the industry as a whole is doing a very good job of taking care of the basics. And that’s unfortunate, that’s troubling.</p>
<p><strong>Alex Hutton:</strong> Let me back up and state one thing though, in terms of kind of correlating, you remember we talked about internal and external and frequency versus impact, and throughout the Data Breach Report we kind of use percent of records breached as a notion of impact, because let&#8217;s face it, that’s a pretty good shadow indicator of true impact to a company.</p>
<p>One of the things that was interesting is that, even though, a very subjective notion, but advanced methods were required to perform the attack, only 15% of the aggregate total dataset out of 900, only 15% of those really represented a sophisticated attack. Those sophisticated attacks accounted for 87% of 900 million records breached. So again, you have to balance frequency with impact, and I want to make sure I do that.</p>
<p><strong>Amrit Williams:</strong> Oh, that’s a very good point, and well stated. I mean, I think most people can probably understand that an insider, a sophisticated insider, is going to have a far more damaging impact, or even a sophisticated external actor with a lot of support and resources behind him, is a much more devastating attack than unsophisticated folks using traditional methods. But good, very well stated.</p>
<p>So Alex, assuming that there are people out there that don’t know how to use Google, where can we get a copy of Verizon’s Data Breach Investigations Report?</p>
<p><strong>Alex Hutton:</strong> The best place is <a href="http://Verizonbusiness.com/products/security">Verizonbusiness.com/products/security</a>. There will be a link right onto your right there.</p>
<p><strong>Amrit Williams:</strong> Alex, I really appreciate you joining us today.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/08/28/episode-96-verizon-business-releases-the-2010-data-breach-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 95: What&#8217;s Next? Looking to the Future of Cloud Computing</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/#comments</comments>
		<pubDate>Fri, 30 Jul 2010 09:23:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the possibilities for cloud computing in the next few years with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the possibilities for cloud computing in the next few years with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-333"></span></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco, and has quite a prolific career, that I will not be able to repeat here today. So I will simply say, welcome Chris!</p>
<p><strong>Chris Hoff:</strong> Thanks man!</p>
<p><strong>Amrit Williams:</strong> So one of the things that I thought was really interesting in something you said was around this concept of how potentially this changes in the future. So just to sort of end on that, what do you think is going to happen in the next five years; I mean, where does this go?</p>
<p><strong>Chris Hoff:</strong> So I think the most interesting thing about computing/cloud computing is that the stuff that runs the back-end in the next five years gets kind of boring and commoditized. So the things providing service start looking very, very similar.</p>
<p>I think the next battleground or the resurgence of a battleground that is far more interesting is that of the mobile platforms that we use to consume and access this data. Why this is interesting and important to me, I gave a keynote talk at the Cloud Security Alliance Summit that focused on this, I called it the Cloud Magic 8 Ball, like what’s next in cloud computing.</p>
<p>Basically, there are seven billion people on the planet and four billion mobile handsets, not including sensors either. So the interesting point here is that, when you look at how smart and competent and capable a good number of these platforms are, regardless of the fact that the app that we started using on these phones was just a dumb web browser, a single app, now we have what ends up being &#8212; I have like 100 apps on my iPhone. So each one of these apps, which uses for the most part HTTP to communicate anyway, but each one of these apps has its own little attack surface, has got its own little portal to various pools of information.</p>
<p>So what’s interesting with cloud is that, as these large cloud providers reconsolidate applications and data in these mega data centers, fewer and fewer of them, but with higher and higher densities of compute network and storage, these same applications and data are being replicated and deployed, in part or in whole, on the same mobile handset platforms that we use to make phone calls and then communicate and replicate data to.</p>
<p>So it’s funny, in as much as people today in the enterprise IT world, talk about the fact that they don’t want their data being in other people’s hands, but quite literally, that data is in other people’s hands.</p>
<p>So the evolution of the mobile platform and our lack of focus on the fact that we have always treated mobile platforms as mobile phones, like, oh, yeah, there is some Bluetooth snarfing and there’s the odd threat of mobile viruses and Trojans, but they have been more pain in the ass and have been widespread. These mobile phones, besides the fact that most of them these days, you can’t even make a freaking telephone call off of, thanks to the provider, and if you hold it with your left hand, you certainly can&#8217;t, but the point being there is, they are no longer phones. They are like the entire mini pocket clouds.</p>
<p>So I think the next big thing and it’s starting in the next couple of years, if not already, is, how are we, from a security perspective specifically, going to deal with, A, this complete bifurcated approach of securing the platforms where we were getting the ability to consolidate our data, again, in kind of micro DMCs, in the cloud, but now, I have got to secure that and I have got to figure out what happens to that data and the applications that are consuming it on the other end too, and we suck at both?</p>
<p>So really, really fascinating and interesting things that I think we are going to swing back over. We have discussed this before, about, we still don’t have ubiquitous high speed connectivity and bandwidth. I can’t make phone calls, although I can make a data connection. So I can’t do everything kind of dumb or thin terminal like on my phones. That’s why Apple started out with everything being links and then realized, boy, this sucks. So then they allowed applications to be placed back on the phone.</p>
<p>If you remember when they first came out, it was just a link to a website. Now it’s back to full-fledged apps again. So we are going to see really, really interesting stuff evolving out of that, and that’s kind of what interests me in the next five years.</p>
<p><strong>Amrit Williams:</strong> And it will be exciting as the technology improves and we move to a model of free range data, so there are going to have to be data wranglers.</p>
<p><strong>Chris Hoff:</strong> Data wranglers, yeah. So actually, not to plug &#8212; well, actually, that would be a lie. To plug my Black Hat talk, the interesting thing here is, everything we have just discussed; my talk at Black Hat is called CLOUDINOMICON. The byline is, Idempotent Infrastructure, Building Survivable Systems, and Bringing Sexy Back to Information Centricity. So that’s exactly what we are talking about. It’s the fact that we have infrastructure that looks identical, which in by itself is an issue, with monocultures and built for scale.</p>
<p>(00:04:57)</p>
<p>We kind of know what building survivable systems mean, but we don’t do a very good job of it. And then the stuff we ought to be focusing on, which is the information, is the stuff that we have the hardest time getting our arms around, and yet, it’s the stuff that as we start to move it around everywhere, is what we need to protect.</p>
<p>So kind of it’s your main conversation given what I hoped to kind of revisit during my talk, but your observation was exactly correct; data wranglers. It’s going to be my new career title at some time I think.</p>
<p><strong>Amrit Williams:</strong> And I think that you should give the Black Hat talk running chaps too, to really get the wrangler message across.</p>
<p><strong>Chris Hoff:</strong> I could do that.</p>
<p><strong>Amrit Williams:</strong> This has been a great conversation, and I think a lot of people are going to get a lot out of it. For those looking to hear more from the Hoff, you will be speaking at Black Hat CLOUDINOMICON. Do you have other conferences coming up that you will be speaking at?</p>
<p><strong>Chris Hoff:</strong> I have got DEFCON, which is the FAIL panel too, and we also have the Cloud Security Alliance Summit during Black Hat, on the 28<sup>th</sup>. Then I have got a bunch of stuff that I will probably annoy people with coming up. There is some stuff going on at the NASA IT Summit. I am giving a keynote at SANS in D.C. I have got RSA Europe coming up with Mogul, which is going to be a blast. I think we will be the first people this year to be completely deported. Perhaps RSA Japan. All sorts of good stuff coming up. Lots of fun!</p>
<p><strong>Amrit Williams:</strong> So if people want to get in touch with the Hoff, they want to find out about what you are doing, where you are speaking at, get a little insight into some of the research you are doing, they can follow you at Twitter, @Beaker. They can go to your blog, which is Rational Survivability. What’s the address; is it just rationalsurvivability. &#8211;</p>
<p><strong>Chris Hoff:</strong> .com.</p>
<p><strong>Amrit Williams:</strong> .com, right on. Then they could find out more about the Cloud Security Alliance, that&#8217;s <a href="http://CSA.org" target="_blank">CSA.org</a>?</p>
<p><strong>Chris Hoff:</strong> Actually, <a href="http://www.cloudsecurityalliance.org/">cloudsecurityalliance.org</a>. But if you really want to find out about me, you should come to the HacKid Conference in October in Boston that we are putting on, which is an amazing conference for kids and their parents; teach them how to hack, how to code, how to build robotics, trebuchets, hair hacking, food hacking, all that stuff.</p>
<p><strong>Amrit Williams:</strong> Oh my God! What? I want to go. I want to be a kid again. You are going to build a trebuchet and teach people to do robotics, are you joking?</p>
<p><strong>Chris Hoff:</strong> No, no, no. We have everything from Chris Boyd coming over from the UK, talking about safety online. We have teaching dads how to hack their kid&#8217;s hair. We have food hacking. We have electronic assembly, robotics, trebuchets. We have got meeting law enforcement. I mean, it’s awesome! It’s a two-day conference that came about because I took three of my girls to SOURCE Boston, because my wife left town, and so they had to tramp around a security conference.</p>
<p>They were interested in some things, but didn’t get others. So I thought, you know what, if I gear a conference that has security stuff and hacking stuff and hands-on, for kids and their parents, so you can’t leave them; you have to actually do it with them, it should be pretty cool.</p>
<p>So if you want to learn about that, go to <a href="http://www.hackid.org/">hackid.org</a>, and the schedule is posted. Registration will open pretty soon, and it ought to be a grand old time.</p>
<p><strong>Amrit Williams:</strong> Man, that sounds fantastic! I want to &#8212; we are here in the Bay Area, I am going to talk to you about this after we get off the podcast.</p>
<p>Chris, I really appreciate you joining me. That was fantastic! Thanks man!</p>
<p><strong>Chris Hoff:</strong> Okay dude, bye.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/30/episode-95-whats-next-looking-to-the-future-of-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 94: Overcoming Compliance Requirements and Legacy Systems When Moving to the Cloud</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/#comments</comments>
		<pubDate>Sat, 24 Jul 2010 05:36:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, continues his discussion on effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, continues his discussion on effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-330"></span><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco, and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome Chris!</p>
<p><strong>Chris Hoff:</strong> Thanks man.</p>
<p><strong>Amrit Williams:</strong> So what’s interesting is, when you were talking a little bit about trust, I think this is probably not the first time, but this is the first time we have &#8212; again, not the first time, but where we have seen such a large focus on trust in IT, and it almost sounds like cloud computing, not being the only thing, but being a great driver towards trust becoming a commodity, and that people can actually trade in trust.</p>
<p>I don’t know if that’s probably an oversimplistic and naive way to look at it, but a lot of the rationale around why someone would move to cloud, ultimately there’s some element of trust that comes in that, when they accept that that’s the model they are going to take.</p>
<p>So I am very interested in discussing a little bit more about your experience and your exposure to some of the ways that people are overcoming or are being challenged by some of the compliance requirements when they start looking at cloud computing resources.</p>
<p><strong>Chris Hoff:</strong> Wow! By the way, that was &#8212; trading and trust, I am going to totally steal that, I think that’s a fantastically elegant way of stating, what in some cases might be obvious to some, but is just such a big problem for the market in general.</p>
<p>So how are people &#8212; and I guess I have to ask, when you talk about people overcoming their fears or concerns, which people; security, IT, compliance, the business? I mean, I think each of them have a different perspective on what they are “afraid of”.</p>
<p><strong>Amrit Williams</strong>: Ultimately, I think by people I mean the business itself and I was probably poorly worded, because I think it doesn’t really matter what Joe Admin thinks about if the company is going to do it, he kind of needs to toe the line and do it, what needs to be said. But ultimately, somebody needs to make a decision that we are going to allocate resources and we are going to allocate dollars to an initiative that has to do with cloud computing, and at some point they get exposed to the compliance challenges. So I mean, people is probably the poor word, I meant organizations as a whole.</p>
<p><strong>Chris Hoff:</strong> Yeah. So I mean, even breaking that down further, I think in many cases, business people and lines of business, that if they are responsible and own the expenses associated with computing, are very interested in understanding why their company, their IT department, is not moving to cloud, because they read on Page 3 of the &#8216;<em>Wall Street Journal&#8217;</em> or even Page 1 that, look, it just saves you so much money. And when we talk about cost efficiencies and agility and time to market, these things matter.</p>
<p>Clearly, however, when they ask IT, the folks that are supposed to &#8212; if they ask them at all, by the way, right? And I am not sure how much of this is really one of those urban myths. I continue to hear how like these rampant tribes of business people that are just running out with a credit card and spooling up applications on Amazon, which to me appears to be complete bullshit, because you have to still understand and know how infrastructure functions to make that work.</p>
<p>I can see that on the SaaS side, like you just go to Gmail, great, I get that, but I am not sure how much of this, I just ran out and replaced 300 servers with a credit card overnight and I am Bob from Accountemps, I don’t see that happening a lot. But certainly what we are saying is, hey, our email system at work sucks, why don’t we use Gmail; pressure, pressure, pressure. And these are all valid things, right?</p>
<p>So I think on the SaaS side, people can and do make an excellent business case for cost efficiency, especially when something is free. Now, that’s kind of the hard cost. The soft cost is associated with support. What happens when something bad happens is usually not taken into consideration.</p>
<p>But in many cases, the business &#8212; and these large organizations, they kind of get the basics of risk management, risk assessment, they know what’s core to their business and what isn’t. They generally know, ooh, this is something I should ask about, in these larger companies. I mean, some people would argue that, that doesn’t happen, but for the most part my experience has been that they have been generally good about looking at the opportunity, gathering data, and then going to IT saying, why can’t we do this? Tell me why it’s a bad idea.</p>
<p>That happens quite a bit with SaaS services. We have seen that with Salesforce, we have seen that with CRM and email solutions. Applications that are used daily, that in a way it’s funny, in many cases people say, well, email is not critical. I was like, yeah, try going without email for three days and tell me how critical that is.</p>
<p>But they talk in group applications and the things like our sensitive financials, email. At some point you could say that to an organization that sells things, your customer lists are pretty darn sensitive.</p>
<p>(00:05:01)</p>
<p>So depending on the model, we have a lot of stuff being pushed into SaaS, and they are overcoming their “fears”, the businesses, because it’s been generally getting more reliable. They pay more attention to security, because they are responsible, as we already talked about, for the entire stack, generally.</p>
<p>So we have had for the most part some reasonably good experiences, business and personally, with SaaS. That is proceeding nicely. It’s when we get into the platform and infrastructure-as-a-service, which is relatively new from the perspective of what cloud and the operational models mean, to where, done improperly, not understanding that in many cases to take advantage of these architectures you have to completely rearchitect your applications, which impacts operational models, support models, security models, risk management models, all of these things change, and this generally happens more on the platform and infrastructure-as-a-service side.</p>
<p>So what’s happening is, to kind of get over that “fear”, this isn’t so much a business person’s reaction, but more like the IT department&#8217;s or the app groups that support the business units, they take noncritical apps or test and dev, and they dip their toe in the water and they try it, where they move noncritical, just kind of even noncritical web applications that don’t transit in heavily regulated information, they put those online. Cutting low-hanging fruit of things that would otherwise just cost money, for which you really don’t need to purchase infrastructure.</p>
<p>So as those things progress, people get more comfortable with the benefits of cloud, but it’s still, as soon as you hit that line, that giant four-letter word of compliance, where anything that is heavily regulated or even is regulated, by something that would prevent me doing business, if I got a finding on it, that’s the thing that causes things to come to a screeching halt.</p>
<p>So in many cases, even if IT would agree that it is a perfectly reasonable platform, that I could make just as secure, if not more secure, that I could reduce cost, get better efficiency, help grow the business, focus on running the business instead of building the business, even if IT agreed, and even if security agreed, the day the auditor shows up and says, you fail because we don’t take into consideration, you don’t meet these requirements, because our regulatory compliance frameworks don’t take into consideration this disruptive innovation, that sucks. That’s what’s stopping these folks.</p>
<p>So even when you have an enlightened set of organizations, they are still being stalled today by what they can or can’t do. That happens to me, to be quite frank with you, in interviews with these big customers, more often than not. You have got a bunch of people who want to do the right thing, who want to focus on the things that matter most, and they end up not being able to, which stinks.</p>
<p><strong>Amrit Williams:</strong> Also, we have another problem is, we have a lot of precedence here, I mean, when we look at compliance. I mean, we are a common law country and so we always look for the last case that can help guide a decision, and unfortunately, I don’t think there is anything that’s unconstitutional with cloud computing, so we have to look for those cases we can turn to where something happens, and there’s just not a lot of them. So it’s a very, I think &#8212; it’s an unknown for a lot of organizations to say, well, what happens when the auditor comes, who do we look to, who has done this successfully, where is the model that I can turn to, to show, look, this is how it worked over there, why can’t that apply to me here.</p>
<p><strong>Chris Hoff:</strong> Yeah, totally! What is worrisome about that is, is the spectrum of referential cases that we are looking at can span everywhere from being constitutional nature, down to tort law and below and basic elements associated with eDiscovery and forensics and preservation of &#8212; we talked about monitoring and management before, and the legal implications thereof.</p>
<p>Like how do you &#8212; I am waiting for the first time, for example, that somebody has something unfortunate happen to them in a public cloud environment, in an environment where multi-tenancy, Coke and Pepsi, right? Somebody gets charged for doing something wrong in a shared multi-tenant environment, and I am waiting for the first time somebody brings on an expert witness that asks for mathematical proof, that the isolate &#8212; or just proof, positive, that the isolation capabilities of a piece of software, vis-à-vis the hypervisor, is such that they can prove without any reasonable doubt that there was not corruption of memory, corruption of the networking space, corruption of storage, or leakage between them, that would in any way suggest that this could have been somebody else acting on my behalf or acting in proxy, as it relates to this image.</p>
<p>(00:09:52)</p>
<p>I mean, when we think about the trust model, with both virtualization and cloud, we predicate the entire operational sanctity of these environments on pieces of, albeit modern and thin, but pieces of software, that in many cases have not undergone a lot of public scrutiny and in some cases haven&#8217;t undergone any, because of the proprietary nature. And it&#8217;s a violation in some cases to even reverse engineer. So it could be a DMCA and other things.</p>
<p>So here we have, essentially, I can imagine the first day at court when somebody says, you know what, it wasn’t me, prove it was me. You can have all the logs you want saying, came from this IP address, and this virtual machine, and that person owned it, but it comes down to somebody saying, the isolation driven by software, and even in part by hardware, that’s why we have things like Common Criteria. With EAL it was up to 7, where people have to do this ridiculous mathematical proof statements, and these hypervisors aren’t certified under things like EAL or Common Criteria, because they just aren’t, for the most part.</p>
<p>I think the most we get up to is 4 and 4 plus for most of the commercially available hypervisor platforms, and some of the ones that are proprietary, like these mass market clouds, aren’t certified at all.</p>
<p>So that’s going to be really, really interesting when we start seeing the first cases of the abuse of these trust models from the perspective of modeling.</p>
<p><strong>Amrit Williams:</strong> It’s going to be fascinating once these things happen, because they will happen. I mean, we are certainly going to see one of these big events. I am sort of surprised one hasn’t happened yet, or maybe one has and it hasn’t been made publicly available, I don’t know. But since we really are working at a trust model here, I think something like that will really start shaking up people’s perception of how viable something like this is.</p>
<p>And quite honestly, at the end of the day, this is a fantastic model. I think it’s very exciting to be a part of it, to see it happen, is really phenomenal. I mean, we are going to see things happen in the next 10 or 20 years leveraging this concept.</p>
<p><strong>Chris Hoff:</strong> Yup, I agree. Now, you and I can both put on our security hats and issue the but, right? That’s the duality between that consumerized perspective and the IT perspective. Like there are so many awesome things that come out of this. Like I am so incredibly pro-cloud computing, it’s not even funny.</p>
<p>But then, most people disassociate my love for that, and the fact that I run &#8212; I happen to have applications that I have written and deployed on multiple clouds. I use it every day, I use these consumerized services every day. But that gets overshadowed by the fact that when I put my security hat on and I say guys, again, we are building &#8212; those who fail to learn from the past are doomed to build upon it, and we are building on 40 years of evolving, but imprecise and generally as secure as it was needed to be the function sets of infrastructure, metastructure and infrastructure.</p>
<p>And that’s the challenge, right? In general, enterprises don’t get a chance to do a do-over. This is where Amazon and Google and folks that get to start from scratch and build their own hardware, their own software, their own operating systems, and file systems, have been able to make leaps and bounds to where one could say that the operating system as a whole; the infrastructure, the applications, the protocols, all that sort of thing, packaged as a whole, probably are more securely run and operated than an enterprise, because they don’t have 20 plus years of legacy crap to maintain.</p>
<p>It would be great if we could all just kind of reboot. But that’s part of the problem, with, again, the expectations of the enterprise. We don’t just get to rewrite every single application and move it over to take advantage of this stuff. We have got so many &#8212; I think the average large enterprise has something like four-and-a-half versions of every app running on their networks, and there is somewhere on average of 600-2,000 applications per large enterprise. That’s a boatload of anchors from the last 20 years, right? Lot of it custom-written, lot of it on platforms, mainframes even, things that just unfortunately don’t move over so easily or as quickly as we would like.</p>
<p>So I think the thing isn’t existing enterprise model for compute versus cloud, but it’s the messy stuff in between, that when I put on my security hat and maybe you put on yours, is the thing that really just starts driving me nuts.</p>
<p><strong>Amrit Williams:</strong> I mean, one of the things we have in security, I mean &#8212; I think I was talking to Jeremiah once, and he is like, gosh, I hope we don’t solve this, because then I don’t have a job. And I said, Jeremiah, trust me, you are always going to have a job. Because even if we look at &#8212; there’s going to be a day where I can log onto the Internet and I can program my toaster to make sure I have warm toast when I get home, but as soon as that happens, some 15-year-old kid in Scandinavia is going to burn my toast, right?</p>
<p><strong>Chris Hoff:</strong> Yes!</p>
<p><strong>Amrit Williams:</strong> So there’s always some way that someone is going to figure out a way that will make sure security people have jobs. But what I find fascinating about all this, and I wanted to dig in a little bit in something you said is, a lot of the infrastructure that we use today is fundamentally flawed in terms of security. I mean, whether it’s our routing infrastructure, whether it’s the operating systems themselves, even some of the hardware capabilities that we have are flawed. And it’s because of all this legacy stuff that people are cramming on top of it.</p>
<p>(00:15:02)</p>
<p>You made a statement that a lot of these companies are able to start from scratch. Do you think that they understand the security implications and build out against those requirements as opposed to try and layer it on top later, which is the problem we are currently facing in most infrastructures?</p>
<p><strong>Chris Hoff:</strong> In the example of the two companies I mentioned, specifically Google and Amazon, I think that of what I do know, both from the perspective of people that I have spoken to, as well as their general response and how their systems operate, in terms of being a consumer, I think that they have paid quite a bit of attention to security and security models. To the point that in many cases the things that would give you great amounts of concern have been abstracted to the point that they &#8212; it’s like rounding off the sharp edges on a table.</p>
<p>A lot of these things have been blunted, such that the attack surface has become much less pointy. Based on lessons that they have learned, and as well as what is required, in many cases, from their target audience which is good enough security, whereby &#8212; and it seems kind of counterintuitive, but in many cases, depending upon the service and what’s offered to you, and which delivery model, I think a lot of the new emerging truly cloud providers, and this gets into the technical detail, versus just kind of plain old web apps that have essentially grown out and had the word cloud plastered in front of them, a lot of these vendors like Amazon have really taken this notion of what works, what doesn’t, what do I need in terms of the bare minimum requirements to move traffic and move it as securely as possible?</p>
<p>And they have done a reasonably good job of designing and looking at like software-driven network fabrics, provisioning and governance and orchestration systems, all the automation and really programmatically addressed a lot of the things that we otherwise, with a much richer set of features and functions in an enterprise class product, so many more switches and knobs you can flip and turn, so many more things that, for example, with extra code have been there in bloat to support legacy requirements, I think they have actually done a pretty good job.</p>
<p>But again, I want to be really specific about the difference between somebody who utilizes technology and operational and infrastructure models that are truly cloud computing in nature, that were built from the ground-up, for scale, for extensibility, agility, self-service, those sorts of things, versus a service that has been around for 8, 10, 15 years, that started out as hosting or as an application ASP, that to be convenient from a marketing perspective has none of the characteristics of cloud computing from the perspective of how you might go through NIST&#8217;s definition; no measured service, no rapid elasticity, no resource pooling, not on demand. Doesn’t reflect any of the true kind of definitions on the technical side of cloud, but rather just had the word cloud splattered in front of it, because it was a good marketing term.</p>
<p>I divorce the latter examples from my answer and say that, no, they deal with all of the problems that automation brings and all the crap that they had to maintain with their legacy hardware, at least the newer guys do not.</p>
<p><strong>Amrit Williams:</strong> And it also looks &#8212; I mean, some of the stuff I have looked at shows an abstraction of what was previously very interconnected elements in two disparate units, which I think is really good. And then taking those disparate units and isolating them from each other, so they are limiting the ability for sort of this cross viral infection type of thing that we have seen a lot of lately.</p>
<p>So that’s exciting, and I think that’s something that will hopefully get adopted into regular commercial practices as well, and not just offered by the cloud computing guys. Because that is a model that, unfortunately, I think we need right now. Everything is so interconnected, even just at the operating system level, that this ability to isolate abstract and try to segment things off from each other, it&#8217;s sort of key to how, when you go back to what you were talking about with multi-tenancy and trust, those things become really key, and so hopefully we will see that better adopted as well inside of just commercial practices.</p>
<p><strong>Chris Hoff:</strong> Yeah. I mean, we have a lot to thank at the infrastructure and platform level. We have a lot to thank virtualization for in that regard, in the last four or five years has really taken the lessons we have learned with virtualization from the past and made a lot of this stuff a reality.</p>
<p>The counterpoint to that is, when you look at some of the Software-as-a-Service models, they are not actually based on, or they don’t utilize virtualization, their definition of multi-tenancy is something done at the application or database layer.</p>
<p>(00:19:54)</p>
<p>So again, I think I agree that ultimately this isolation is a good thing. How it’s done and how transparent the methodology and technology used to implement that stuff, I mean, a great example is Joanna Rutkowska; somebody that originally had a hard time accepting the way in which some of the research was marketed. But I kind of looked at ultimately the evolution over time of what the message was supposed to be, which is, look, even when we start trusting hypervisors or even the chipsets that do some of the extended virtualization capabilities, her research, and her team’s research, that kind of introduced the notion of reasonable doubt relating to your trust and how these isolation mechanisms are deployed, ought to give us pause, even when we look at how good one of these new style cloud providers may be in terms of their ability to isolate, they still have to deal with the laws of physics, and they still have to deal with the fact that in many cases they are using commodity hardware, and software in some cases, to deploy their services.</p>
<p>So I am not writing a blank check saying, by default they are more secure. I am saying, they have done I think a better job in threat modeling, in understanding what has worked and what hasn’t in the past, and what has introduced security problems. And most of these providers who are staking their business on the fact that they have to maintain integrity and availability, and in most cases confidentiality too of the stuff running on them, their entire business model is based on that.</p>
<p>Could you imagine? I mean, all it would take today to set the entire cloud market back, and I mean that holistically, in that one ugly bucket of everything cloud, and I pray this never happens, but if Amazon Web Services were to suffer, for example, an attack, or even just suffered from a vulnerability, not even maliciously exploited, but one that&#8217;s accidentally exploited, whereby the isolation provided, which is the entire core tenet of why you should trust doing business with them, but if they suffered a breach or an issue there, that allowed or exposed one customer to talk to another or vice versa, the entire premise for why you should trust any amount of cloud or virtualization would be set back ten years.</p>
<p>So for all of us, from the perspective of using and consuming, as well as securing and providing cloud-based services, I hope they have done a very, very good job. But we, in some of these cases, don’t know, because they are not &#8212; these companies operate in a very nontransparent, non-communicative way, which unfortunately, for the security community is the worst thing you can do, right? Not talking to us, not telling us how you do things, and just pointing me at a SAS 70 Certificate, that&#8217;s not going to help your cause.</p>
<p><strong>Amrit Williams</strong>: Thanks for joining me today, Chris. And everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter at Beaker. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at <a href="http://cloudsecurityalliance.org/">cloudsecurityalliance.org</a>. And for those interested in working and teaching and learning about how to get kids to hack, and by hack we mean just learn cool stuff, you can visit <a href="http://hackid.org/">hackid.org</a>.</p>
<p><strong>Announcer:</strong> You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/23/episode-94-overcoming-compliance-requirements-and-legacy-systems-when-moving-to-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 93: Is Trust the Real Barrier to Cloud Computing?</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 22:27:54 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the barriers to effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &#38; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPTS Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”; [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the barriers to effectively using cloud computing at the enterprise level with Chris Hoff, Director of Cloud &amp; Virtualization Solutions of the Security Technology Business Unit at Cisco Systems.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><span id="more-327"></span><strong>FULL TRANSCRIPTS</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”; and today I am joined by Chris Hoff, who leads the Virtualization &amp; Cloud Computing Strategy with Cisco and has quite a prolific career that I will not be able to repeat here today. So I will simply say, welcome, Chris.</p>
<p><strong>Chris Hoff:</strong> Thanks, man. How are you?</p>
<p><strong>Amrit Williams:</strong> I’m good, man, I’m fantastic; how are you?</p>
<p><strong>Chris Hoff:</strong> Excellent.</p>
<p><strong>Amrit Williams</strong>: Excellent. So just coming off 0:22 Con, I know that was a fantastic event. We won&#8217;t drill into that here, but you’ve built up quite a following and put out some fantastic research and some thoughts on cloud computing, especially as it relates to security. So I thought we would dive right into that.</p>
<p>But before we do, because I have a varied audience and I don’t know all of their understanding of the space, maybe you would just give a quick high-level review of what cloud computing means and what it doesn&#8217;t mean, because as you know a lot of people argue about that, and we will just get that off the table and then move on.</p>
<p><strong>Chris Hoff:</strong> Yeah, awesome. I am just so glad we have six hours to do that. So let me get right on it.</p>
<p>It’s very interesting. I think there are two valid but diametrically opposed perspectives to what cloud computing generally means. And on the one hand, you have a very kind of IT, geeky, empirical Visio/OmniGraffle version of what cloud computing means with lots of boxes and requirements that talk about elasticity and self-provisioning and all of the kind of very technical perspectives on what is or isn’t cloud computing. And it’s interesting and it focuses on infrastructure. For folks in the technology field, it’s a great way to fire up debates on Twitter.</p>
<p>The other perspective, which I think is equally as interesting and valid and in many cases is actually one of the true reasons that cloud computing is so interesting, is the consumerized view, which is that pretty much anything on any platform that interacts with my data using the Internet or, in many cases, any type of ubiquitous network is also cloud computing; so, my Xbox LIVE, Twitter, Gmail, anything that essentially provides me network-based access to applications and content.</p>
<p>So the problem is when you lump everything into one bucket, it becomes very, very difficult to figure out in many cases, depending on the perspective you are coming from, what is or isn’t cloud. The reality is there is &#8212; you can&#8217;t 2:30 a dead cat without somebody giving you a definition. I am not going to offer one up other than to say that in many cases, it’s the natural evolution of a lot of stuff we have been dealing with for decades with some cool sprinkling of technology with a great confluence of socioeconomic, political and technology happenings converging at the right point in time. And we will just leave it there, right? I mean, I don’t think we need to get any further geeky than that.</p>
<p><strong>Amrit Williams</strong>: Well, I think that’s actually a great definition. I even love how you threw in the political thing there, too. That was fantastic, because we all know how much the Federal Government is pushing cloud computing, especially there.</p>
<p><strong>Chris Hoff</strong>: Yeah, very much so.</p>
<p><strong>Amrit Williams</strong>: So what do you personally focus on, then, in your role?</p>
<p><strong>Chris Hoff</strong>: Oh, at Cisco?</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Chris Hoff</strong>: Yeah, so I report into our Security Technology Business Unit, which is responsible for most of the physical as well as cloud-based security offerings everyone knows and loves, everything from the ASA firewalls to Ironport Scan Safe, those sorts of solutions. And my job is to work with our Strategy Team, our Product Teams, Engineers, Marketing and as a vertical within that Business Unit to help build and deliver solutions specific to how we take what we do today and make virtualized and cloud solutions out of them or in conjunction with them. And then since we also leverage those technologies across all the other Business Units in the company also figure out how to make sure we solve those problems for other Business Units so they can take that technology and deploy this part of the solutions. So that’s what I do internally. I talk to a ton of customers, and I go out and speak a lot.</p>
<p><strong>Amrit Williams</strong>: And externally you’ve got a very… probably not a radically different persona than you do internally, I’m sure; but just one that’s probably more vocal.</p>
<p>You focus a lot of attention on the security side of cloud computing, and so I think you gave not a definition but a very broad stroke of what could potentially be termed or fall under the umbrella of cloud computing; but I think ultimately at its core, a lot of organizations are looking to take advantage of resources that are provided by third parties that allow them to very quickly bring up or bring down basically computing power.</p>
<p><strong>Chris Hoff</strong>: Yep.</p>
<p><strong>Amrit Williams:</strong> And that’s pretty powerful, but it also brings up this whole question of what happens when you lose control. And it’s not necessarily that something is insecure because you lose control; but as we know, humans tend to be irrational. This whole concept of fear of flying versus fear of driving is probably a good representation of a loss of control where one could easily argue that it’s safer to do one over the other, regardless of the level of control.</p>
<p>So when you look at security in cloud computing &#8212; and I know that you had some work with the Cloud Security Alliance, I believe that was the organization you were involved in &#8212; what are the key things or the key aspects of cloud computing that change the dynamic for how IT is approaching security in general?</p>
<p><strong>Chris Hoff:</strong> Yeah, and as a speaker I still am involved in Cloud Security Alliance. I am one of the Founding Members and I am also the Technical Advisor. So I spend a lot of time with the various research projects that we do, and one of them is the guidance that is enjoying its current second rev and embarking on a third rev, which basically addresses the very questions you just asked, like what is the difference between what I do today and what we&#8217;ve been doing for years versus what both virtualization as an enabler for some elements of cloud computing and then, more specifically, cloud computing, what do these differences look like, what&#8217;s the same? What do I have to look out for? What new risks or threats come out of that?</p>
<p>And in many cases the things that people have trouble with emotionally are, as you allude to, kind of the traditional server-hugging approach of loss of control; but in any case when you lose control, that’s not the same thing as potentially not being able to trust the fact that these systems or the things you&#8217;re losing control over are, as you said, any more or less secure.</p>
<p>So a lot of this has to do specifically and unfortunately with some of that definitional nuance we went into before, which is when you are talking losing or, as I say, gracefully giving up operational control in many cases in cloud-computing environments, what kind of cloud computing are you referring to? Your expectations differ, based on the delivery and deployment models of the cloud offering you are using. For example, in Infrastructure as a Service, the line of demarcation in responsibility for what you as a, quote/unquote, “consumer” of that service and what a provider is responsible for is very much different than if you were to use a Software as a Service.</p>
<p>The classical example there is if you used Amazon Web Services, anything within the AMI, the virtual-machine bundle, meaning the operating systems, the applications and the content, are up to you to still deal with in terms of security. Compliance, privacy, all those things are still your problem.</p>
<p>The things under the covers, the mechanisms that make all of that work that is abstracted from you, are the responsibility of the provider. All right, so they get to maximize availability &#8212; confidential integrity, if you want to use the GQC/SSC definitions of their platform &#8212; but anything above that is you.</p>
<p>In Software as a Service, let’s say like Gmail, the reality is your expectation is the security thereof, is the responsibility protecting your confidential integrity privacy short of settings and buttons that you can do in terms of provisioning and giving others access to it, is the responsibility of the provider.</p>
<p>So we have to be a little bit more clinical and specific about when we talk about the differences of models of both security when we talk about the deployment and delivery models of cloud, because they differ and your expectations do. So on one hand, your only option is to RFP or contract it in, stipulate what you expect with remuneration and penalties if something goes wrong on the Software as a Service side. On the Infrastructure as a Service side, in many cases you have to contract chunks of it; but then you have to build in a tremendous amount of it.</p>
<p>So everything that we deal with in non-virtualized, non-cloud environments, we still have to deal with in one form or another; it’s just who gets to deal with it, right: the accountability versus responsibility piece. That’s the thing that&#8217;s critical for people to understand.</p>
<p><strong>Amrit Williams</strong>: And I appreciate that. So we will break both of those down in a second; but I think a lot of organizations because of just the sophistication of the threats have really fallen back to trying to expand the level of visibility they can get through monitoring. So they will sit there and they will watch ingress and egress traffic to try to determine if there are any anomalies that are present in the network or the traffic, if there is anyone trying to do something to compromise the systems, and then from that try to respond to an incident to limit its impact.</p>
<p>That becomes incredibly difficult when the traffic is not traversing the network &#8212; the network that you control as an IT Administrator, for example, and I am a Security Administrator. So you have a corporate asset, for example, that’s outside of your network that’s traveling the world like you and you happen to be somewhere in a hotel and you are accessing corporate resources that are housed by a third party.</p>
<p>And it’s not so much, you’re right; I think it’s not that these problems go away; but they do shift the accountability. Accountability in the SaaS model is really on the provider to tell the consumers of the technology that, “Listen, we are doing the appropriate thing, and you can trust us that we are monitoring that traffic for you”. But they don’t expose that data, and I think that causes some concerns for an organization that has really fallen back on monitoring as being key.</p>
<p><strong>Chris Hoff</strong>: Sure. Well, and in many cases, you said an interesting thing, which is depending upon the platform and the level of abstraction that the cloud provider has settled on building their infrastructure on, the ability for you as a consumer to actually gain access to what would normally be described as the network can be incredibly limited.</p>
<p>In the case of many of the mass-market kind of good-enough-is-good-enough cloud providers where you’re dealing with the topic of my backup talk is this kind of notion of omnipotent infrastructure, which is really maximized for scale where homogeneity at the infrastructure layer is critical for operations. The reality is, you get a dumbed-down single virtual interface, right? And the ability for you to plumb in compensating controls or use technologies like even logical or physical taps are an impossibility, given some of these choices.</p>
<p>There are other cloud providers that are differentiating based on their ability to expose, via API or direct hooks or virtual tapping capabilities, and give you back some of the capability and plumb in virtual appliances, right? But again, you’re dead-on. A lot of the monitoring, say squeezing the balloon problem or, as I call it in my reference diagrams, the Security Hamster Sine Wave of Pain, right, where we invest and how we invest in the compensating controls is really a function of what is made available to us in terms of speeds and feeds being able to keep up and actually peer inside the data.</p>
<p>So as the definition of the network changes from a physical network that gets abstracted into a logical representation thereof where you only see chunks of it and you can’t really get good coverage, you may have to essentially redeploy things at the host level, which gives you a security-scalability problem from a management perspective, right?</p>
<p>And we’ve been playing this game for a long time, right? Host-based agents, 27 agents, 1 super agent, and then the network speeds and feeds catch up and they do well for a while; but then we encrypt everything we can’t see inside it again, and we go back and forth. That’s kind of what’s happening with cloud, and the notion of baselining what is normal when, as you say, a lot of this traffic doesn’t traverse the, quote/unquote, “network” and it’s external to the things you manage and have visibility for, makes monitoring and management in the traditional sense very, very difficult.</p>
<p>In fact, Rich Bejtlich just brought up a post last night that was talking about monitoring in IDS and, in fact, forensics in the cloud and using things like let’s just say a NetWitness product that does full packet capture and replay. The need to, for example, deploy big, fat reverse proxies that cloud providers are doing in order to capture trends over VPN so you can actually truck that back to a central site to do capture and replay or apply policy is kind of what’s happening again. It’s the reinvention of the inside-out model via overlay VPN. It’s a very interesting dynamic that we’ve seen a couple of times before but is happening because of cloud again.</p>
<p><strong>Amrit Williams</strong>: Well, let me &#8212; you said something very interesting I want to dig at just a little bit because we, having Security backgrounds that we do and also dealing with infrastructure management, it’s not uncommon for organizations to look at Security in a very different way than we would. And you said that there were a set of providers that were differentiating on providing APIs that would allow folks or hooks into the applications that would allow folks basically to plug in their own virtual appliances so that they could get some level of visibility back.</p>
<p>Do you see that as really becoming quite a prolific requirement, or is this still on a fringe? I mean, clearly guys like Bejtlich, I mean, that’s his life, right? His life is monitoring for the most part. So it’s not &#8212; I wouldn’t be surprised if he’s dedicating a lot of time to try and evangelize ways that people can get better monitoring with cloud computing. But do you think the average organization or the average folks within that organization that are infrastructure-management people understand or have the desire to make this a criticality, that this is a critical requirement?</p>
<p><strong>Chris Hoff:</strong> I will answer this in the only way I know how, which is in the scope of the customers I’ve talked to, which are for the most part very large enterprises. And the barrier to entry for public &#8211;</p>
<p><strong>Amrit Williams</strong>: Just to set that prerequisite, I mean, when you say “very large”, I mean, you’re talking about very large organizations anyway; so, people, this is not something you’re &#8212; you’re not generally interacting with a small &#8211;</p>
<p><strong>Chris Hoff:</strong> SMB, yeah, yeah. No, I’m talking like Fortune… there isn’t really success a thing, but Fortune 2000, Fortune 500, Fortune 100, Fortune 50, that kind of size; nation-state government type, that sort of thing too. And I bring that up only because it&#8217;s to set context and appropriate levels of comments relating to the question you asked, which is the barrier to entry for using public cloud or private clouds that happen to be managed or hosted offsite from their physical premises. The barrier to entry is trust, and trust in this case I define as security, compliance, control, availability and reliability and privacy. So you kind of take all these pieces up and you look at this and see Enterprise Security Teams look at how they are currently regulated, which compliance frameworks they’re under, what their auditors and/or the compliance services allow them or don’t allow them to do.</p>
<p>And in many cases when they try to match up the readiness and availability of cloud providers against the need to be compliant, they notice a couple of things. They notice for the fact that, for example, if you want to pick &#8212; pick anything; but pick, let’s say, PCI, which talks about the need for either a WAF or code review, right? If their answer to that has generally been, “Oh, we’ll deploy a WAF”, well, the ability to do that in a certain cloud provider’s network in ways that don’t require them to completely re-architect their applications, which in many cases you have to do anyway for cloud, or buy a new product that fits in a cloud environment that prevent them in many cases from &#8212; this is just one example of what could be hundreds &#8212; of actually deploying in that environment. It’s a kind &#8212; I’ve kind of dumbed-down the case; but as a counterargument, these other cloud providers who take a platform that looks very much like the same virtualization and/or cloud platform or cloud-like platform is being deployed inside their infrastructure, and if these cloud providers deploy that, which allows them to get flexibility in how much of the network they expose, that the hypervisor exposes APIs to allow them to do virtual introspection, that they can plumb in virtual appliances, the same virtual appliances that they might start deploying internally, then not only do I have the ability to more easily pick up a workload from my internal infrastructure and move it out, but I can also pick up the corresponding compensating security controls or require that the provider deploy one, too.</p>
<p>So in the scope of the customers I am talking to, this is an enormous piece of the puzzle and is an absolute requirement, because they require monitoring, they require VPNs, intrusion prevention detection, firewalls, NTX, WAF, all of that stuff in a virtualized context or in a context where even if it’s not a virtual appliance that the provider has integrated the same capabilities &#8212; regardless of technology, the same capabilities &#8212; and exposed that via the platform. That’s the difference between today’s maturity of mass-market public cloud providers who claim to be, quote, “enterprise-ready” but don’t actually run any critical or heavily regulated compliance-based applications in their networks from customers who simply can’t or won’t, because those things don’t exist.</p>
<p>So reading between the lines here that this whole public/private cloud battle is really about the need to satisfy compliance requirements associated with how these enterprises are measured, which is whether you are compliant or not, period. I mean, that’s the first hurdle you have to get over. It’s not about is it more or less secure for most &#8212; in many cases; it&#8217;s do I pass the compliance sniff test first? Then we’ll talk about Security.</p>
<p><strong>Amrit Williams: </strong>Yeah, that sounds very similar to how people look at internal security as well, unfortunately (laughing).</p>
<p><strong>Chris Hoff:</strong> Yeah, exactly (laughing).</p>
<p><strong>Amrit Williams:</strong> So let me, before I dig into the question I wanted to ask you, just take a moment, and for the audience’s sake, could you give a brief description between public and private cloud? And by the way, I know this is another very contentious area of definitions.</p>
<p><strong>Chris Hoff</strong>: Oh, I don&#8217;t know if I &#8211;</p>
<p><strong>Amrit Williams:</strong> But at a very high level (laughing), for the purposes of the conversation when you describe a public or private cloud, what are you referring to?</p>
<p><strong>Chris Hoff:</strong> Well, let’s see. The great part about this conversation is that, as you say, it engenders lots of fabulous emotion that goes along with the answers; but I am going to make this as non-emotional as possible. So within the scope of how I like to refer to public versus private, I kind of build my definitions off of the NIST model, only because I think ultimately that it’s done the best job of unifying language associated with giving meaningful answers to this question.</p>
<p>So public cloud is really cloud-based infrastructure that is made available to the general public, where the notion of multi-tenancy means that you could have Coke and Pepsi sharing the same physical infrastructure isolated from one another; but you don’t necessarily have separately reserved or carved-off sets of infrastructure.</p>
<p>Private cloud, when we talk about that same level of isolation and control and ultimately ownership, what private cloud really talks about is that the infrastructure is operated solely for a single organization within the construct of how it’s governed, how it’s managed and how it’s carved off. That doesn’t mean that I can’t expand or contract within a known scope of compute network and storage resources &#8212; because I can, I can scale up and down &#8212; but it generally means that these are sets of infrastructure that is in some way dedicated either by policy, isolation or otherwise from mixing Coke and Pepsi.</p>
<p>So that’s why you can have &#8212; people confuse the word “public” and “private” with the words “internal” and “external” all the time. And “internal” and “external” are just adjectives that talk about where the resources are located. The things you should be focusing on are ownership and control, right? Who owns the infrastructure and/or who controls it? And when I mean “control”, I talk about policy, governance, that sort of thing.</p>
<p>So two great examples would be Amazon Web Services’ public cloud, which allows anybody basically who meets certain requirements like having a credit card or whatnot to sign up and use shared compute network and storage resources. You don’t know who you are sitting next to, you don’t have to worry about that; but the multi-tenant model is that, is a shared one.</p>
<p>Private cloud could be &#8212; a good example would be an enterprise that has been building their highly virtualized infrastructure where the notion of multi-tenancy talks about supporting different business units, and the evolution from just heavily virtualized infrastructure to true private cloud really talks about adding chargeback availability and self-service portals, both of which are now arriving on the scene to give you this true private-cloud capability.</p>
<p>I should also say that you don’t have to locate that infrastructure behind your firewall. It can be located and housed and even owned by somebody else but operated and controlled by you. That’s about as short as I can make it, but I wanted to provide some context for how I arrive at those conclusions.</p>
<p><strong>Amrit Williams:</strong> And I think that’s completely fair, and I think the audience gets that.</p>
<p>Thank you for joining me today, Chris; and, everyone, thanks for listening. If you want to get more information from Chris, you can find him on Twitter @Beaker, B-E-A-K-E-R. You can visit his blog, Rational Survivability. You can also get more information on the Cloud Security Alliance at <a href="http://www.cloudsecurityalliance.org/">cloudsecurityalliance.org</a>, and for those interested in working and teaching and learning about how to get kids to hack &#8212; and by “hack”, we mean just learn cool stuff &#8212; you can visit <a href="http://www.hackid.org/">hackid.org</a>; that&#8217;s <a href="http://H-A-C-K-I-D.org" title="http://H-A-C-K-I-D.org" target="_blank">H-A-C-K-I-D.org</a>.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/07/16/episode-93-is-trust-the-real-barrier-to-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 92: The Inconvenient Truth of Security from the 2010 InfoSec Conference</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/#comments</comments>
		<pubDate>Sat, 26 Jun 2010 08:33:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses Cloud Computing and other trends with Philippe Courtot, CEO of Qualys Inc. at the 2010 InfoSec Conference. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter’” and today I am joined by Philippe Courtot, Founder, CEO and President [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses Cloud Computing and other trends with Philippe Courtot, CEO of Qualys Inc. at the 2010 InfoSec Conference.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams</strong>: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter” and today I am joined by Philippe Courtot, Founder, CEO and President of Qualys.</p>
<p>Philippe, thanks for joining me today.</p>
<p><strong>Philippe Courtot</strong>: Thank you for inviting me.</p>
<p><strong>Amrit Williams</strong>: We’re sitting here in Infosec Europe, and there’ll be a bunch of these podcasts coming up; but Qualys, you know, one of the things that I found interesting, Philippe, about Qualys was the drive that you guys had for moving things into the cloud. And when it was first introduced, I think there was a lot of resistance to it, and you must be feeling a little bit of vindication that cloud computing and these types of approaches to securing infrastructures are becoming much more accepted.</p>
<p><strong>Philippe Courtot:</strong> I would not say vindication, but what I would say is today that we have a significant market adoption. In fact, today more than 40% of the Fortune 100 companies have standardized on the Qualys VM platform and are all very excited with the fact that we have brought now PCI as really one of the most powerful platforms. 62% of the VHVs are now using Qualys, 48% of the QSAs. And then, of course, we have our policy compliance that we introduced a bit more than a year-and-a-half ago and which is now starting to be mature and taking traction; same thing for the web-application scanning. And of course, we now have the malware detection service, which will be free for all and for every website on the planet.</p>
<p>So people start to see that we have really built a platform today which can essentially simplify and abstract the complexity of security which is, obviously as we very well know, building security application is very hard. And delivering them at the scale, it’s even harder. I think that’s what Qualys has done.</p>
<p>So the support of our customers, to answer your question, is really… what customers which have followed us, most of our customers, in fact, have followed us since ten years so we have very little erosion of our customer base and, in fact, are really welcoming business services.</p>
<p><strong>Amrit Williams</strong>: Those three services that you mentioned, I’d like to focus a little bit on the one, the free malware-scanning technology. Can you talk a little bit about the details of that? I mean, what does the service actually provide, and how do people get exposed to it?</p>
<p><strong>Philippe Courtot:</strong> Yes, absolutely. So what the service provides essentially if you subscribe to the service, which is free &#8212; and will be, by the way, free forever; we have absolutely no intentions of charging for that service, and I would explain to you why after that.</p>
<p>So if you subscribe to the service and then want them to scan daily your website to detect, to ensure that that website is not being compromised and therefore is not serving malware to the visitors to your website. What is also very unique with that technology is that the way it’s done and built, it has no false-positives.</p>
<p>So we may still have some false-negative, missing some malware which has been very cleverly hidden into some deep down into your website; but we will not generate essentially false-positive because of the very nature of the implementation of our solution. And that is what allows us to really make it available for a large population; in fact, we built it to the scale of the planet, as everything that we have done at Qualys. In fact, we do more than 500 million IT scans per year today. And so now we could essentially scan every website on the planet. Currently we do 5 million URLs per day and could do 20, 50 million URLs.</p>
<p>So by now I think you realize the difficulty if you’ve got a lot of websites and you receive all these phone calls for false-positive, you would drive everybody nuts to start with; and second, you have a huge support cost behind that. So the fact that the technology itself doesn’t generate false-positive, or at least it’s very, very rare, and if it is, we can go immediately back into our code, understand where the problem was and then fix it for everybody at the same time. That’s the power of the model of this technology.</p>
<p><strong>Amrit Williams</strong>: And how often are you scanning these websites?</p>
<p><strong>Philippe Courtot:</strong> Every day.</p>
<p><strong>Amrit Williams:</strong> Oh, okay, on a daily basis?</p>
<p><strong>Philippe Courtot:</strong> Yes, because I think with malware, if you want to have that, we probably may have some paid services if you want to scan every hour, because some companies are in such a sensitive market that they would want to really know every time. So the reason why we make it for free is the obvious reason: it’s publicity brand recognition; but more importantly, it’s because what that service is is essentially a huge 4:42 on the Internet. And so the more people we have and the more website we scans and the more we look at the malware, the more knowledge of the malware we’re going to have. And then our intent, and we’ve already started to do that, is to share that malware knowledge with other companies which would want to share with us.</p>
<p>(00:05:02)</p>
<p>So with that we create for the community a much better understanding of the type of malware, its evolution, et cetera, et cetera. As you very well know, we are competing against extremely organized individuals, and they share that information between themselves. The Security industry has not had the habit of sharing. It has been much more about “Oh, I’ve got more knowledge than my competitor; therefore, you should buy from me”. And I think that was working well in the past. Today, against the threats that we all have to cope with, that model doesn’t break when you have a much more community approach. Then, of course, except for the people to have the derivative, if you prefer, business models whereby you can obviously recoup the costs.</p>
<p><strong>Amrit Williams:</strong> It seems like that would be a very natural tie-in for the data that you guys might be able to collect on potential malware, in fact, stations and then feeding that into something like the Trend Smart Protection Network, right…</p>
<p><strong>Philippe Courtot</strong>: Absolutely.</p>
<p><strong>Amrit Williams:</strong> … and allowing them to send it out into their web reputation services.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. And you have also additional synergies, like immediate synergies with our web-application scanning, which now also is becoming mature and can essentially scan all of the applications on an enterprise. So we have that scalability again that our model is. So then when you start to realize that obviously, we have now the knowledge of the malware, we have the knowledge of the vulnerabilities on the website, the other PCs is the web-application follow-up. So today we are also like everything that Qualys does, also we interpret; in other words, we always pass our data to others. So in this case, specific case, we are creating integration with Imperva, and we’ll do the integration with other passing of data. So now you have that trilogy of trinities, if you want to call it like that. And then we also will be starting working on building the web-application follow in the clouds, as well.</p>
<p><strong>Amrit Williams:</strong> And folks interested in receiving a service, they can get it from the Qualys website?</p>
<p><strong>Philippe Courtot:</strong> Absolutely. So you go to the Qualys website. And then we have not still &#8212; it&#8217;s in there as of today. So we have not been broad mass distribution yet; it will 7:13 hours a day. We are going to go production mostly likely in June, and then we are going to make it even more broadly available through our partners, et cetera; so make sure that almost, you know, collecting as much malware as we can essentially.</p>
<p><strong>Amrit Williams:</strong> So Qualys has been in the business of providing vulnerability assessment and management data for quite some time.</p>
<p><strong>Philippe Courtot</strong>: Correct.</p>
<p><strong>Amrit Williams:</strong> What have you noticed changing, if anything, radically over the past three to five years?</p>
<p><strong>Philippe Courtot:</strong> So this is here you go into my favorite subject here. So this is something that I’ve addressed of the keynote that I gave at RSA, in fact, last year and even the year before. The fact that fundamentally today securing the current computing environment, which is your network and the enterprise, as we all know &#8212; and I call that “the inconvenient truth in security” &#8212; has been and is continuing to be harder and harder and harder. And this is by the very nature of the network itself, the fact that for the business having to open up the network even more. So locking down things becomes impossible either, and then the technology is moving so fast. In the enterprises of today, totally how could you add the talent and even attract and retain the talent who has to understand all these many different facets of security? So everybody now is conscious that the problem is getting bigger.</p>
<p>At the same time, you have now more regulations, which forces you to disclose the averages, which forces you to in fact pay more attention to compliance. So it’s becoming almost impossible to solve. So Qualys, obviously we have a large customer base of very large companies and very small companies, as well.</p>
<p>So we have been, in fact, helping to cope with that by bringing security and compliance together and delivering that as a service, which facilitates the task. But this being said, this is still not fundamentally enough, and I personally believe and I always believe that, in fact, cloud computing is offering a huge opportunity to the Security industry and I would say to the Security professionals through the practitioners to build the security into the infrastructure of the cloud &#8212; which is something, by the way, that we, Qualys, as you have had to do early on, because our customers &#8212; if you discuss with Marc Benioff, the CEO of <a href="http://www.salesforce.com/">Salesforce.com</a>, when he launches his CRM in the cloud model, <a href="http://www.salesforce.com/">Salesforce.com</a>, the resistance was coming not from the businesspeople who all wanted to adopt that form of facility, the deployability, the fact that you could connect with your suppliers, with your customers, with everybody into one single place in the cloud; but the people who were resisting were the IT people, who say, “Wait a minute, I don’t have anything anymore to do here”, and then the Security people say, “Wait a minute, my job is to protect the data inside the company, the data is going out”.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So these were our customers. So in order to satisfy the very natural, if you prefer, requirements of our customers, the Security people want to essentially not only build the security into the fabric of what Qualys has done, but also demonstrate and be very open and transparent about how we are taking good care of the data. So we have learned that since the very beginning; if we would not have done that, we would have not be where we are.</p>
<p>But this being said, I maintain that today securing the cloud, which we have experience obviously of, is much easier to do than securing the enterprise. The reason is because you have the data in one place. You can therefore control the access. The cloud-computing vendors like Qualys and others can attract and retain the specific talent, and we can amortize a significant cost of building the security into the fabric of what we do across our many, many users. And furthermore, if we are breached, this is a huge threat to our business.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So we have absolutely a significant business interest of doing the best we can. So as we see more and more companies moving their application to the cloud, that’s the good news, because it means that the complexity to secure the current networks will be reduced while you pass the responsibility of securing to others.</p>
<p><strong>Amrit Williams:</strong> To third parties, right.</p>
<p><strong>Philippe Courtot</strong>: So we are going, I believe, at some point in time, which I think will be probably in a couple of years now that there is more and more Software-as-a-Service or cloud-computing offerings available in the marketplace, we’re going to start to see that shift accelerating and then at last be in a position where we can gain ground against the bad guys, where today it’s very clear that if you look at the Aurora attack and others, we are losing the battle.</p>
<p><strong>Amrit Williams</strong>: Have you seen, because I know that we’ve had lots of conversations in the past, Philippe, and I know maybe 2003, 2004 I made some comments to you that a lot of companies would be resistant to allowing data to go to a third party, and I think you guys have done an excellent job of providing that transparency. Do you still get that type of resistance, or is there much more acceptance that this is really the natural path and the way that things are evolving? Is the resistance dying down? Do you still deal with that in terms of adoption?</p>
<p><strong>Philippe Courtot</strong>: We still have to deal with the resistance; however, we see two things that in the past before &#8212; I think the turning point for us was about two years ago, so I would say 2009, end of 2008 &#8212; where before that, we were not invited to the dance, if I may say so, for many &#8211;</p>
<p><strong>Amrit Williams:</strong> Just because you were a cloud?</p>
<p><strong>Philippe Courtot:</strong> Just because we were a cloud.</p>
<p><strong>Amrit Williams</strong>: Yeah, yeah.</p>
<p><strong>Philippe Courtot:</strong> Since then, we have been invited and only invited, and those who didn’t have a cloud solution were not invited. So we saw that change.</p>
<p><strong>Amrit Williams</strong>: That&#8217;s interesting, yeah.</p>
<p><strong>Philippe Courtot:</strong> We still see the resistance; however, what it&#8217;s doing now &#8212; and I think it was very clear at the RSA 2010, and then I went to the CSA Conference in Barcelona in Europe, and then I recently went to the European Commission in Brussels &#8212; you could see today that I think the Security people have understood that that movement into the cloud is absolutely inevitable.</p>
<p><strong>Amrit Williams:</strong> Right.</p>
<p><strong>Philippe Courtot</strong>: So even they are still reluctant fundamentally because of their culture, if you prefer, they know now that resisting, in fact, is becoming dangerous, because the business now, again especially with again more regulation, more data breach disclosure, now certainly Security has been elevated at a much higher level. So now it’s not anymore “You don’t tell me I cannot go to the cloud here, because I have to do that for business reasons; so you better now tell me and show that this is going to be secure. And by the way, you still have to secure your enterprise”.</p>
<p>So I think the debate has elevated, which I think gives a very fundamental opportunity again to the Security practitioners. If they elevate themselves so and adopt the cloud, then certainly they’re going to become the ally of the business.</p>
<p>(00:14:55)</p>
<p>I would not say that it’s good news of moving the cloud for the IT people, because they are the ones which are essentially going to be dislocated as more and more of the cloud computing takes very similar &#8212; if you look at that cloud-computing phenomena, it’s nothing new. This is exactly the Internet doing to the high-tech industry and the Security industry in particular what it has already done for many other businesses, like the publishing industry: totally dislocating the business.</p>
<p><strong>Amrit Williams:</strong> And it means the practitioners need to evolve.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. So those who will evolve will thrive; those who don’t want to evolve, it is going to be harder and harder for them to fight that battle.</p>
<p><strong>Amrit Williams:</strong> Yeah, I absolutely agree. So what’s on the horizon? Anything interesting coming that you’re willing to talk about with Qualys?</p>
<p><strong>Philippe Courtot:</strong> Oh, I mean, there’s one thing which we are already pushing more and more, as you saw with that initiative with the malware-detection services, that I really believe that we have to really build a much stronger community of Security professionals. And so that I think is a kind of a mission that Qualys has embarked on. I think we want to really show that by bringing more minds into the problem and really creating a kind of an openness, as opposed, if you prefer, to the… I would say that old high-tech industry which essentially was very proprietary, we have seen since the very beginning where the 16:31 APIs when I look at the data that we have, this is not our data. The way we look at it is that this is the data of our customers, and it is our responsibility to do two things: one is to ensure the security of the data and, the second, make that data available to them to do whatever they want with it. So we use that data to create some application; but we have no reasons of preventing these customers of doing what they want with that data; after all, they pay us to collect that data.</p>
<p>So it’s a very different mindset, and the mindset difference is fundamentally because we are not a product company. When you’re a product company, you’ve got to put your gears there first, because once you have put them there you cannot be displaced, or if yours are not there you cannot displace easily others. When you’re a service, you can interestingly significantly much more easily be switched. It&#8217;s like when you rent a car: if Avis doesn’t give you a good service, you can go to Hertz or vice-versa. So you’ve got to have that security in mind. In other words, you have to have the customer in mind.</p>
<p><strong>Philippe Courtot</strong>: So we are not product-centric, so we are a service-centric company, and that’s the fundamental difference that cloud computing also brings, you know, to the market.</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: So the Security vendors will have to start to think about service, not about product. And those who don’t evolve, so if you look back, interesting enough, at IBM, what happened with IBM. IBM survived the mainframe, and the only company when you look at it &#8212; there’s a lot of very big, powerful companies which were delivering mainframes; none of them survived. And people believe that IBM survived, because they were the biggest. That’s not true. They survived because they evolved, and how did they evolve? Essentially, Steve Mills, which is in my book the unsung hero of IBM, did the technical revolution by embracing Linux $1.5 billion that IBM invested 20 years ago &#8212; I don’t remember the date exactly &#8212; and everybody thought IBM had gone totally crazy to invest in what? That kind of open-source thing? And, yes, but they were using Linux to capture all their old mainframes and architecture and then emerged as a media ware and a service company. So from a product company, they became a service company.</p>
<p>And then the second hero, obviously, which everybody knows, is Lou Gerstner, which did the cultural revolution and essentially eliminating a lot of the old management of IBM which were product-centric to replacing them by people coming from bottom up and also adding new talent, which were more like him as service-minded people. And that’s why IBM is what is IBM today. If they would not have done that, IBM would have disappeared like everybody else.</p>
<p><strong>Amrit Williams:</strong> And it’s interesting. The IT industry, Security specifically, really requires these companies to evolve and evolve quickly, because there’s so much change and it is so dynamic.</p>
<p><strong>Philippe Courtot:</strong> Correct, correct, and that’s a very good point that you have. That’s the big difference. It took &#8211;</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: In fact, I had a discussion on this very subject with Bill Gates like five years ago at the speed of change, because, yes, it took 25 years to have the mainframe-to-enterprise computing revolutions. Today, the argument I was making then was, “It&#8217;s not going to take 25 years; it’s going to take 10 years”.</p>
<p><strong>Amrit Williams:</strong> Oh, yeah.</p>
<p><strong>Philippe Courtot</strong>: So that was about five years. So if I’m relatively right, then in five years look at where we are going to be. And some of the arguments that I’m giving to highlight that is if you look today at the cost of mail, it costs about $84 billion a year to maintain 400 million Microsoft Outlook clients. It doesn’t cost a few millions to Google or Yahoo! to maintain 200 million each, I think, of web-based clients, and it’s not the cost of the software. Even if Microsoft will give away, you know…</p>
<p><strong>Amrit Williams:</strong> It&#8217;s the cost of the infrastructure.</p>
<p><strong>Philippe Courtot:</strong> … it&#8217;s the cost of the infrastructure: the servers, the people needed to maintain that 24&#215;7, et cetera, et cetera. And people make a false argument in saying, “Oh, but my mail is not secure at Google”.  Is your mail secure in your company?</p>
<p><strong>Amrit Williams:</strong> Yeah.</p>
<p><strong>Philippe Courtot</strong>: In reality, the mail that goes across the Internet is not encrypted, because encrypting mail is very difficult. In fact, Google could very easily if they wanted to essentially provide a totally encrypted mail as a solution, because the mail is in one place, and then they could encrypt in the similar type of encryption scheme so the user would login essentially; the mail stays encrypted and the user, in fact, when he connects decrypts with his key.</p>
<p>So that I think is one of the examples I think of how disruptive to cloud computing it is, and this is going to be more and more visible every day. You look at the iPod and iPad, iPhone, et cetera, this is a perfect example of a cloud-computing application. Now certainly, who would have believed that Apple would bring thousand-plus applications on the iPhone, which overnight are going to be enhanced significantly because of the new format of the iPad, and it’s the delivery.</p>
<p>So the Internet, what it brings to you is that it’s a fantastic delivery mechanism to deliver technology. So you have that, as long as you balance that Qualys did the resources that you need, the computing power that you need in the cloud, with whatever computing power you need at the client side. So in our case we have appliances totally remotely managed; then that’s the power of distribution that cloud computing has.</p>
<p><strong>Amrit Williams:</strong> Yeah. Well, Philippe, I really appreciate you spending time with me today, and hopefully I’ll get a chance to talk to you again on the podcast soon. Thank you so much.</p>
<p><strong>Philippe Courtot:</strong> Absolutely. Thank you very much.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/26/episode-92-the-inconvenient-truth-of-security-from-the-2010-infosec-conference/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Episode 91: Horror Films to Hackers</title>
		<link>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/</link>
		<comments>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/#comments</comments>
		<pubDate>Fri, 18 Jun 2010 22:34:14 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Podcast]]></category>

		<guid isPermaLink="false">http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/</guid>
		<description><![CDATA[Amrit Williams, BigFix CTO, discusses the lessons learned from the film industry with inventor, nCircle founder, and Life Zero blogger John Flowers. Subscribe in iTunes: Subscribe with XML: FULL TRANSCRIPT Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, [...]]]></description>
			<content:encoded><![CDATA[<p>Amrit Williams, BigFix CTO, discusses the lessons learned from the film industry with inventor, nCircle founder, and Life Zero blogger John Flowers.</p>
<p>Subscribe in iTunes:<br />
<a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=306107448"><img src="http://blogs.bigfix.com/wp-content/themes/btp/itunes.gif" border="0" alt="Subscribe in iTunes" /></a><br />
Subscribe with XML:<br />
<a href="http://www.newworldpodcasting.com/files/tracking/feed/bigfix/72_feed_itunes.xml"><img src="http://blogs.bigfix.com/wp-content/themes/btp/xml.gif" border="0" alt="Subscribe with XML" /></a></p>
<p><strong>FULL TRANSCRIPT</strong></p>
<p><strong>Amrit Williams:</strong> Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am very excited to be joined by John Flowers, also known as kanendosai.</p>
<p>And, John, thank you very much for joining me today; it&#8217;s just a great pleasure to spend some time with you, and I appreciate it.</p>
<p><strong>John Flowers:</strong> We’ve been doing some really exciting things, everything from traveling to parts of the world that I personally had a lot of connection with and love for, like Thailand and Southeast Asia.</p>
<p><strong>Amrit Williams:</strong> As well as doing some digital media work which you discussed briefly earlier. You have credits on such films as “Star Wars, Episode 3”, “King Kong” and “Wasting Away”. And you’ve been out there; you went into a different industry, left Security altogether. You formed a search company, a natural-language search company called Kozoru.</p>
<p>I’m curious, before I dig into any of these, how much did these experiences influence you in terms of what you’re doing with Kane Box? I mean, what would you say that this world view has done, this sort of looking at the world in a different way through different lenses that don’t really have anything to do with Security? How do you think that&#8217;s informed or provided insight for you in terms of how you might approach getting back into the Security world and potentially, you know, starting another company?</p>
<p><strong>John Flowers:</strong> Well, I mean, at the risk of sounding a big cheesy, I think it&#8217;s the reason I was able to see Kane Box in the way that I am, you know, in the way that I’m seeing it. You know, I did a lot of workflow automation, I did a lot of automated color correction for films.</p>
<p>You know, you mentioned “Wasting Away”. “Wasting Away” was a fun film. I worked with these two guys who were doing the zombie comedy from the perspective of the zombies, and they had this color-correction person who wasn’t quite as good as they might have indicated in their interview (laughing). And I came in at the last minute and, you know, the film needed color correction and it needed all these different things, and we had a very short period of time before we were going to Screamfest. And we were going up against “30 Days of Night”, if you recall that film.</p>
<p><strong>Amrit Williams:</strong> Oh, yeah.</p>
<p><strong>John Flowers:</strong> Big budget, you know, Hollywood film; and here we are, this little half-million-dollar zombie film going up against that.</p>
<p>And so I came in and I wrote a lot of software to automate the color-correction process so that these guys could get the film ready for Screamfest. And I’m proud to say &#8212; I mean, this was a… I don&#8217;t know, two weeks of work, which if you know anything about coming in and color-correcting film from scratch, especially when you’re automating it, that was insane. I actually slept on their couch, I think, every night for all two weeks.</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> But we ended up getting it done, we went to Screamfest, and it won the Audience Award at Screamfest against “30 Days of Night”.</p>
<p>And so I started thinking about that and, you know, the film went on to win something like 21 other festival awards and all based on this automated color correction, meaning I didn’t touch a color wheel on that film. I wrote software that looked holistically at what flesh tones look like and what all these other different colors look like; and then we used some pictures that the directors had taken of how they wanted the film to look, and we used that as a model and let the software color-correct the film and drive everything to the right, you know, area.</p>
<p>And, in fact, I actually have something I haven’t released, which I was calling HD Instant Color, right, which was a plug-in for Final Cut where you could just drag a picture in it and it would color-correct your film. It&#8217;s buggy, it&#8217;s gross and, you know, it was cranked out so fast it&#8217;s primarily useless; but that technology, obviously you can see some parallels between that and between Kane Box: this idea of just looking at everything. And you know enough about film when I say to you “Oh, this is a 2K film” or “This is a 1080p, you know, frame”, you understand just the sheer number of pixels per frame, and then there are 24 frames per second.</p>
<p><strong>Amrit Williams</strong>: Okay.</p>
<p><strong>John Flowers</strong>: So you know how much data is being pushed through when I start talking about those numbers. I mean, you look at a red camera shooting 4K &#8212; and actually they shot on a 2K camera &#8212; but, you know, the sheer volume of pixels being pushed through per second, right?</p>
<p>And that helped me understand what I needed to do to synthesize all of this information and look at it globally, right, rather than at a pixel-by-pixel level, and do something interesting with it or mathematically interesting, something that was fast.</p>
<p>So when you ask did it inform me, yeah, like I say, I think it all informed me.</p>
<p><strong>Amrit Williams</strong>: It&#8217;s interesting, too, because the movie industry, I think a lot of folks in Security, the personality type of the people that traditionally go into Security &#8212; I know it&#8217;s changed over the years, but in the earlier days &#8212; I think they’re drawn to the industry, the movie industry as a whole. I don&#8217;t think that they fully understand how difficult that industry is and how complex it is to navigate. So it&#8217;s very interesting to hear you talk about it.</p>
<p>I’ll send you a link after the podcast. My cousin has a film that they’re working on called “Blue”, and they struggle with a lot of these same issues, being, you know, compared to a big-budget film with the budget constraints, but definitely with all the post-editing work is quite tedious. And when they talk about it, I don&#8217;t think everyone realizes how much work absolutely goes into even dealing with something as… as what we all might think as benign as color correction, and it&#8217;s fascinating.</p>
<p><strong>John Flowers</strong>: Absolutely. The other thing I think people may or may not realize, it typically takes let&#8217;s say 6 weeks to shoot a feature film; and then it takes 18 months to edit that film, add music, color-correct it, do all the things that you’re talking about in the post-production world. So a film takes let&#8217;s say 18 to 24 months to complete, and the lion&#8217;s share of that work is definitely in the post-production side, just telling the story.</p>
<p><strong>Amrit Williams</strong>: Yeah, no, it&#8217;s &#8212; I could go on this whole subject for a long time.</p>
<p><strong>John Flowers</strong>: (Laughing.)</p>
<p><strong>Amrit Williams:</strong> You know, brothers are sharing a comic and that kind of stuff; some relationship with folks in that industry.</p>
<p>But I wanted to turn it just a little bit back to Security again, because you have such a fascinating background there: your take on the state of Security today. I mean, you were out of it for a while; definitely you still had some tentacles in it even when you were gone, I’m sure, and had communications with folks. But you left, you clearly saw when you came back that there were still problems to be addressed. But if you could &#8212; if you could sort of high-level it for the audience, I mean, what&#8217;s your take on what&#8217;s going on in Security? It certainly hasn’t improved much from the protection side; but give me some of your thoughts based on, you know, leaving and coming back, what you think about what&#8217;s going on right now.</p>
<p><strong>John Flowers:</strong> Well, I was fortunate enough to have Stephen Northcutt interview me as a SANS Network Security Thought Leader. He interviewed you, as well; I read your interview, it was fantastic. I think you and I agree on a couple of fundamental big-picture things about Network Security. It&#8217;s not getting better. It&#8217;s definitely not getting better.</p>
<p>I have the misfortune of having picked up a netbook in Latin America when I was in Panama right around &#8212; oh, I was in David; but it&#8217;s in Panama, outside Panama City. And I picked up this netbook, and aside from it having a Spanish keyboard, which I found infuriating (laughing), it came with a virus on the Spanish-language version of Windows. By the time I had powered the system on, the virus had Trojaned my system and was reaching out to places in Canada and Europe and was starting to spam and do spam relaying because of this Trojan, or this bot, I guess, that was installed on my system. And this was before I even downloaded an update.</p>
<p>I found that… well, I found it ridiculous, obviously. I mean, the only reason I booted Windows was to install Linux, no offense (laughing).</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> But here I am, I can’t even do that, right? I have to go to an Internet café just to download Linux just to put it on this system, because the system is already compromised.</p>
<p>And we’re hearing stories about other systems that are compromised. There is a cell-phone manufacturer who probably doesn’t want to be named who released over a million cell-phone units that had a virus installed in them. If you plug the cell-phone into your Windows system, viruses go everywhere.</p>
<p>You know, and so you start hearing about all of these things; but the one thing that you and I both know is that traffic has a pattern: it has a signature, it has a statistical representation from the Trojan to the bot net to all of these other things. And you have to start asking yourself, “Why is no one solving that problem in a way that is not looking at the host as an atomic unit, but looking at the network instead and the traffic on the network as an atomic unit?” And what I mean by that is I really expected this concept of scrubbing, of traffic scrubbing, to be much, much, much further along, and I’m really, really saddened and disappointed that it isn’t. This idea that let&#8217;s say your system is compromised. Heaven forbid, we know it never happens; but you’re compromised. If you had an unobtrusive device on your network that knew what normal network traffic looked like &#8212; and I know that&#8217;s a tall order &#8212; that device could scrub out abnormal network traffic. And then the Trojan system becomes a matter of patching, not a matter of DEFCON 1, red alert, threat level orange freak-out (laughing), trying to yank it from the network and then figure out what happened in a forensic way.</p>
<p>So that&#8217;s my perspective. And that&#8217;s just one aspect of a thousand things that frustrate me, but that&#8217;s probably at the top of my mind right now.</p>
<p><strong>Amrit Williams:</strong> It&#8217;s interesting, too, because there&#8217;s been promises that a lot of this stuff would be addressed, and in fact we saw some movement towards that in key areas; but fundamentally the organizations themselves revert back to the old way of doing things, and we get stuck in this… really, I don&#8217;t know how else to describe it but just this continuously non-ending circle of reacting and responding and not really thinking about how to look at the organic, what potentially could be thought of as organic elements inside of an environment and addressing those in a much broader way.</p>
<p>And we still have the same divisions: we still have the Security guys being antagonistic with the Network guys, who won’t talk to the Server Ops guys, and the Application guys are sitting in a different room and they won’t communicate. And so everything just boils back down to these stovepipes, and so it&#8217;s interesting when you talk about, you know, Kane Box bringing back up these elements that you’re also talking about potentially solving another major problem in Security, which is around language.</p>
<p>And one of the things that when I &#8212; when I was with nCircle, one of the things that frustrated me a little bit was it was very difficult to communicate vulnerable conditions and exposures to the IT Ops Teams who ultimately had to make the modifications and the remediation actions, because the output of the data we were providing at the time, as it should have been, was oriented towards the Security guys, and so we would show them information on unique, distinct vulnerabilities and there really… even today, there really is not a good mechanism for providing information that both Security and Operations people can consume and react to. And fundamentally, it&#8217;s because there is a large language barrier for the way that the folks interpret data. Anything that can be done to resolve that I think will greatly advance how folks maintain the health and security of their computing environment; so definitely going to be interested to see how that&#8217;s received and how that&#8217;s developed and evolved. But I think that is a fundamental issue, as well, and it&#8217;s interesting to see how that&#8217;s gonna be resolved, and it just hasn’t yet.</p>
<p><strong>John Flowers:</strong> I agree. And one of the things that I’ve talked about quite a bit in the whitepaper and in other discussions is this concept of the counting game. I cannot believe we’re still playing the counting game; it&#8217;s infuriating. And what I mean by that is CVE numbers and CWE and all these different things is just… it&#8217;s amazing. It&#8217;s like, “Oh, well, look at this: the open-source vulnerability database has 67,000 unique (laughing)… you know, signatures, if you will, for these unique conditions.” Never mind the fact that 15,000 of them are fundamentally the same thing that has a few different words or has a slightly different modification.</p>
<p>And what I’m happy to see is that someone else recognized that, and ironically the person who is working on that project was one of the first employees at nCircle, this guy Tom Stracener, who I’ve been friends with since I was around eight. 12:49 has a solution called CAPEC, the Common Attack Pattern. Have you seen this, <a href="http://www.capec.mitre.org/">www.capec.mitre.org</a>?</p>
<p><strong>Amrit Williams</strong>: I have not. I’m actually writing it down.</p>
<p><strong>John Flowers:</strong> It is fantastic, and if this were an R-rated show I would use very strong words that started with an F to talk about how fantastic it is (laughing).</p>
<p><strong>Amrit Williams</strong>: (Laughing.) Phenomenal if it was spelled with F, right?</p>
<p><strong>John Flowers:</strong> Right (laughing). Freaking fantastic, there you go.</p>
<p><strong>Amrit Williams</strong>: (Laughing.)</p>
<p><strong>John Flowers:</strong> So what it does is it looks at Network Security issues from a big-picture perspective, and it classifies issues at a macro level. And so there are just a few hundred of these CAPEC issues. And one of them would be, let&#8217;s say, Directory Traversal.</p>
<p>Now, let&#8217;s take a step back in the Network Security world and ask ourselves, “Have you ever seen a vulnerability that was so broad and wonderful as Directory Traversal?” Other tools talk about the very tiny and specific microscopic detail that is creating a Directory Traversal problem; but the problem is Directory Traversal. And so one of the things I’m doing with Kane Box is I’m leveraging this; I’m leveraging this beautiful and greatly constructed, very holistic look at Network Security issues. And I can’t believe more people aren’t. And, yeah, you can take 1 CAPEC issue and relate it to 6,000 of these other, you know, CVEs or whatever. And that&#8217;s good and that&#8217;s fine, and I think that&#8217;s great; but the idea of being able to look at something from a big-picture perspective is exciting to me.</p>
<p>You know in that example that I just used, imagine if you had a Trojan horse on your newly installed Windows system, and the technology told you, rather than a bunch of crazy alerts that don’t do anything, it told you, “By the way, a new system came online. That system was running Windows. That Windows system had a Trojan horse, and so I blocked outgoing traffic from that application signature until you fix it”. And that&#8217;s the problem I’m trying to solve.</p>
<p><strong>Amrit Williams:</strong> And that&#8217;s a wonderful promise. You know, as you were talking, I think I realized something. It&#8217;s not so much of an epiphany more than something I think I knew but just didn’t articulate well. You mentioned the frustration you had with this… you know, the industry&#8217;s wanting to count everything: everything is about quantity &#8212; “I have more data files than you” &#8212; and we experienced this at nCircle with our competitors: “I have more checks than you do”. It keeps the industry very much focused on the primitive conditions, and focus on the primitive conditions is not reflective of the abstract things that people actually need to do. And these abstract, the abstract versus the primitive or the macro versus the micro I think is reflective of how much difficulty most organizations just have in Information Security.</p>
<p>So it&#8217;s definitely… definitely resonates with me, those comments, and I hope that folks listening understand that difference and are able to adopt it and look for tools that are better able to help them move from very primitive, detailed conditions to much more abstract macro-level conditions so that they can take action; and they’re not able to right now.</p>
<p>So, John, I wanted to ask you one thing, because I was going through the airport the other day and I was… I was both shocked and happy and saddened all at the same time. We’ve seen Security &#8212; and I don’t like using the term “cyber”, but I’m going to &#8212; cybercrime, cyberwar, cyber espionage, cyber blah, blah, blah starting to get mainstream media attention. And there&#8217;s a part of me that always just sort of starts shaking and wanting to run into a fetal position because of the way that it&#8217;s communicated is so bad. At the same time, I’m excited that it&#8217;s getting the attention of the broader world.</p>
<p>I picked up two magazines. The first magazine was <em>Rolling</em> <em>Stone</em>, and the only reason I grabbed it was because the headline on the magazine actually said “The Biggest Cybercrime in History: Sex, Drugs, and Hackers Gone Wild”; so I had to pick up that and read what that was about.<br />
And then I picked up <em>Discover</em> <em>Magazine</em>, and I picked that up because it had an article on paleontology that I thought my son would enjoy; but as I was looking through it, you know, they had a big interview with Richard Clarke and it was all about cybercrime.</p>
<p>So here are two magazines that are certainly not trade journals for Information Security and I think are not read by most Information Security professionals that are touching on Information Security. And there&#8217;s… I’m really torn with how much I like or don’t like that.</p>
<p>So I’m curious. What are your thoughts as you see Information Security go mainstream?</p>
<p><strong>John Flowers:</strong> Well, that&#8217;s a really interesting question (laughing). I guess… I’ve been kind of blinded by my position in life, which is to say, you know, we… we were the first company back at nCircle, we were the first company to come up with this idea of network security scanning combined with intrusion detection. I mean, we may have even coined the phrase “intrusion prevention”, right (laughing)? That&#8217;s this whole crazy sort of world that I lived in for years and years and years. And so to me it&#8217;s kind of funny, because I sort of always thought it was going mainstream. I always felt like patterns are things that you find when you’re looking for them, and so when I’d flip on the TV and I’m in the Network Security space I say, “Oh, well, look, there&#8217;s a CSNBC or a CNBC article about how girls can be hackers, too”. Never mind how offensive that show was, but (laughing)…</p>
<p><strong>Amrit Williams:</strong> (Laughing.)</p>
<p><strong>John Flowers:</strong> You know, you see the sort of things that you’re looking for, you know. There&#8217;s a Buddhist ideology or a Buddhist idea that is, you know, we see as we are, right? So whatever we’re focused on, we sort of see those patterns.</p>
<p>So I kind of always thought, “Oh, wow, it&#8217;s going mainstream.” But I have to say, <em>Rolling</em> <em>Stone</em> is a step in a direction that I didn’t expect, and it tells me that Network Security &#8212; and this is an unfortunate thing, and it&#8217;s one of the reasons I think the good guys are losing &#8212; being a hacker somehow, even though it is illegal and it&#8217;s a crime against the government and it&#8217;s all of these different things, somehow it got sexy over the last four years. And I can’t… I mean, being a hacker was always interesting and dangerous and all of these different things; but being a bad guy is somehow sexy now. And I don&#8217;t know if people are watching too much of “24” or what they’re doing, but <em>Rolling</em> <em>Stone</em> kind of proved that, right, with this idea of “Oh, it&#8217;s kind of sexy to… you know, ‘Sex, Drugs, and Hackers,’” you know.</p>
<p>And I think that&#8217;s a bummer, because I think that means more people are going to be driven toward the glamorous side of it than already are, and less people are gonna be driven toward the side of &#8212; the prevention side.</p>
<p><strong>Amrit Williams</strong>: Yeah, I mean, I got the same feeling, too. I was disappointed that the article had been written in such a way that it made it sound sexy and cool and, you know, it was outlaw in a way that you would see young teenage boys looking up to, as opposed to outlaw like, you know, the criminals that end up in San Quentin (laughing).</p>
<p>So it&#8217;s unfortunate; but at the same time it&#8217;s nice that it&#8217;s getting more attention from traditional media, and hopefully that attention will equate to actual problem-solving and not just more ridiculous hacking.</p>
<p>Any last thoughts that you’d like to give to the audience before we end the podcast here?</p>
<p><strong>John Flowers</strong>: Well, I think one of the things that &#8212; and this touches on what we just talked about. One of the things that I would encourage people to take a deep breath and think about is the idea that because vulnerability discovery and disclosure has gone underground, and the idea that the kinds of things that &#8212; you know, when we were doing nCircle, the kind of things that were out in the open: on BUGTRAQ and on focus ideas’ list and on Security folks and on all these other places, the kind of things where you could freaking read the source code, right?</p>
<p>Those aren’t there anymore. You know, I fear that a lot of the guys who are doing the really innovative black-hat work are being paid by various nefarious organizations, and they’re being paid well. And, you know, it&#8217;s this kind of idea that, you know, when you outlaw guns, only outlaws have guns, right? This idea that we’re sort of outlawing the idea of disclosure, then the only people who are sharing them are these underground organizations, essentially amounting to the bad guys because, you know, if you do disclose something there&#8217;s a really serious potential that you could get into trouble for it.</p>
<p>What that means is we have to find different ways of finding vulnerabilities and exposures than relying on the community to disclose them to us. And if I were to say that there was one driving force behind why a tool or technology like Kane Box is the future, I think that would be it. We just… we don’t know what we don’t know, and we have to teach the systems what looks like normal traffic, what doesn’t look like normal traffic and teach them how to alert on it and how to give us meaningful data from that. We sure… we sure aren’t able to play the counting game the way that we used to by sending exploits out in the wild.</p>
<p><strong>Amrit Williams</strong>: You know, it&#8217;s funny, too, because I just did a podcast with Marc Maiffret from eEye a couple of weeks ago, and he made the same observation about sort of the vulnerability research and disclosure not only going underground; but a lot of the folks that had been involved in exposing that information, a lot of the information that we used when we were nCircle, they just don’t exist. It&#8217;s not that they don’t exist; clearly, they’re still alive. But they just don’t do that type of work in the same way, and it&#8217;s been at the detriment of the folks that are trying to do good with Information Security that have been impacted, and that&#8217;s unfortunate. It&#8217;s unfortunate because that &#8212; this is a self-created condition.</p>
<p>So hopefully, you know, either the system will correct itself so that the information that was being used can be returned to use, or the technologies that are created in its absence will help folks better understand the environment that they’re in. We shall see.</p>
<p>Well, John, you’ve just been a fantastic guest; I can’t wait to get ya back on, I can’t wait to see ya live ‘cause it&#8217;s been, I don&#8217;t know, six-plus years since I think we sat in front of each other.</p>
<p><strong>John Flowers</strong>: (Laughing.)</p>
<p><strong>Amrit Williams</strong>: And I know you’ve definitely… you definitely have some great stories, so I can’t wait to dig into a lot more of ‘em.</p>
<p>Those folks who wanna learn a little bit more about Kane Box and the work that John&#8217;s doing, they can find that at <a href="http://www.kane-box.com/">www.kane-box.com</a>; again, that&#8217;s <a href="http://www.kane-box.com/">www.kane-box.com</a>. John also maintains a personal blog at <a href="http://www.lifezero.org/">www.lifezero.org</a>, which has information on Kane Box and some of the other stuff he&#8217;s involved in. You can follow him on Twitter at kanendosai. You should check out his thought-leadership article on SANS; you can just Google SANS Thought Leadership to pick that out.</p>
<p>John, I’m just really happy you were on; I just had a great time, and I look forward to talking to you again soon. Thanks a lot, man.</p>
<p><strong>John Flowers</strong>: My pleasure, absolutely. Loved being on, and love talking to you anytime.</p>
<p><strong>Announcer:</strong> You have just listened to “Beyond the Perimeter”, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.</p>
<p>Thanks for listening!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.bigfix.com/beyondtheperimeter/2010/06/18/episode-91-horror-films-to-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

