Welcome to the BigFix Blog

It’s not surprising to see the last two acquisitions in the NAC world (as discussed here). Managed security providers are coming together with NAC product vendors. I’ve spent time in both markets, so I can see it from both sides. I have to admit that when I first entered the NAC market, it was a thrilling concept for a security geek like me (and I suspect I’m not alone here). Don’t let “dirty” computers connect to my network. Fix them first, then let them in. It’s even cooler when you can assign specific network privileges to a computer once you know who is using it. (Click on title to read full story.)

But in practice, it’s not trivial to implement. For each stage in that “simple” process, there are myriad decision points as well as enforcement points (at the network and system level).

First, the decision points:
Is the computer managed by me? If it is, then I want to remediate it. Okay. How do I do that? I need to give it enough access to remediate without impacting the network, and I need to validate the remediation. Okay. What if it’s not managed by me?  Do I offer up an opportunity for remediation? Or do I give just a subset of access that can’t totally destroy the sanctity of my network? These are just a few of the questions organizations struggle with and we still haven’t gotten to the “post-connect” discussion. And that’s the most critical part of the conversation, where constant assessment and remediation are essential.  It’s even better if I can assess, remediate and enforce using a single solution, but most technologies haven’t gotten to that level of integration.

Speaking of assessment and enforcement, at which level do I conduct the assessment? From the network perspective or at the endpoint? Which device should conduct the enforcement? And what technique should I use? For some vendors, it’s DHCP filtering, for others its 802.1x authentication. Which is better?  Under which conditions and use cases?

The industry has been arguing over NAC standards for years, and where have we ended up? A NAC vendor buys an MSP and an MSP buys a NAC vendor. It makes a lot of sense. Whenever I can’t figure out how to approach a project, I consult an expert. After bringing home a chew-crazy puppy a few weeks ago, I hired a professional pet trainer. Rather than agonizing over how to handle every hair-pulling behavioral pattern, I get to defer to a domain expert. And if a technique doesn’t work, I have someone else to blame.

There’s another lesson here.  Great security ideas remain theoretical – until and unless they can be managed effectively.

Jon Amato writes: In 1780, during the American Revolution, a cloth merchant named Hercules Mulligan ran a small but thriving business in New York City, selling fine cloth to British officers, from which they had their uniforms made. (Click title to read full story.) Mulligan had a natural rapport with his customers, as he was the son-in-law of a high-ranking officer in the British navy, and as a former barkeeper, had a talent for shooting the breeze with all who visited his establishment.

Very late one evening, the incomparably-named Mulligan was awakened by a knock on his door. He answered, and at his doorstep stood a British officer who urgently needed a new uniform suit for an expedition. Mulligan, ever the conversationalist, asked his customer why all the urgency. The British officer then told Mulligan that his commanders had discovered the location of a meeting where several American generals were to meet and discuss strategy. He was being dispatched to attack the meeting, and capture the rebel generals, including the Commander of the Continental Army, General George Washington.

What that British officer didn’t know at the time was that Hercules Mulligan wasn’t just a friendly sort for his own sake. In fact, he was a spy, working for the Continental Army. Mulligan immediately dispatched a messenger to Alexander Hamilton, then General Washington’s aide-de-camp, with the message that the generals’ meeting had been compromised. Needless to say, General Washington did NOT attend the meeting that day, and lived to fight another day.

Hercules Mulligan knew that if a trap was waiting for General Washington, knowing that the trap was there would certainly be useful information to him, so that he could avoid walking into the trap in the first place. To put it another way: Mulligan provided actionable intelligence to General Washington, and in doing so, changed the course of American history.

Now, fast forward a couple of centuries: Traps are being laid every day for people on the Internet. A large portion of attacks against the endpoint originate from seemingly-legitimate websites that have been compromised. It’s very difficult for the ordinary user to know when they’re on a site that contains malicious code.

Of course, the consequences aren’t quite as severe as those being faced by a General fighting a war against what was at the time the most powerful military on Earth, but the principle of how to protect yourself against those traps is still exactly the same: If you know that a trap is being set for you somewhere, don’t go there!

So, how do Internet users do that? They do it the same way that George Washington did – get warned ahead of time. The Trend/BigFix Web Protection Module is your Hercules Mulligan. It provides that actionable intelligence, preventing your users from going to the places on the Internet where the traps are, thereby preventing the attacks from taking place.

It’s been said that the best defense is a good offense. In this case, I would submit that the best defense is knowing enough to not even be there in the first place.