High-Stakes Cybersecurity at Black Hat USA 2012
It is entirely possible that the Black Hat Conference was set in Las Vegas simply as an ironic statement about the state of information security today. Everyone is gambling. For hackers, the buy-in cost to attack a massive number of websites through simple Web scripts, spam, and malware is minimal. But with a slightly larger investment of time and resources, hackers can target large organizations for much bigger jackpots. Consequently, enterprise organizations are “all-in” whether they want to be or not. The stakes are high, as hackers conducting targeted attacks are no longer stopping at personally identifiable information (PII) and are now going for the “secret sauce” recipes. Security breaches that leak state secrets and intellectual property are difficult to measure in dollars but have major sociopolitical implications that can shape the modern world. Worse still, hackers and cyber criminals have stacked the deck and are able to penetrate network defenses through targeted attacks seemingly at will.
So, All is Lost?
For 2012, the prevailing tone underlying every major industry discussion has been defeatism. In the keynote address given by Shawn Henry, former FBI Executive Assistant Director and FBI-guy extraordinaire, we were told that we are all already breached and should accept this fact. Now, I understand the psychology here: if we convince ourselves that malicious actors are already inside our systems, we will be that much more motivated to go find them. However, a paranoid hunt for a phantom hacker cannot possibly be an efficient use of very limited resources.
On the other hand, this defeatist mentality has led other security professionals nearly to the point of surrender. A recent post calls for companies to cease security awareness training for end-users and to focus instead on security technologies. While it is important to prioritize the security strategies that are most effective, the urge to give up on the human element is short-sighted. Training at all levels is an essential pillar of any security architecture, and I would argue that training requirements should actually increase for end-users higher up the management ladder, since they are the most attractive spear-phishing targets and hold the broadest access.
Who Should Take Responsibility
Henry also indicated that the government is neither interested in nor capable of protecting the private sector, and considers information security to be the responsibility of each individual business: just as businesses must ward off thieves and burglars in the physical world, they should do so in the cyber world. In the very next briefing, Marcus Ranum voiced his concern and distaste for this notion, pointing out that the government should defend private businesses precisely because the most sophisticated attacks are often perpetrated by nation states and foreign criminal organizations. Those organizations could not carry out physical attacks against businesses without provoking a government response, but are free to do so online.
(Henry also said that we should take the fight to the enemy, which, depending on the attacker, is clearly not viable or even advisable. But at that point I was certain he was just jumping the shark for entertainment value.)
(Pictured: The Black Hat signal.)
Unfortunately, many businesses do not realize that they are breached until a business partner reports anomalous behavior coming from the victim’s systems. The FBI and other government organizations will only contact victims once the damage is done. The government is interested in finding and eliminating hacking groups, which is admirable, but that does little to protect businesses from those groups’ attacks in the meantime.
Where Do We Go Now?
The point is: the threat is greater than ever. Businesses must implement the foundational layers of security, including next generation firewall, IPS, content filtering, and anti-virus. Leading security vendors such as Check Point and McAfee have been adding features such as advanced anti-malware, anti-bot technologies, DLP, and threat correlation to better defend customers. Businesses should also invest in vulnerability management solutions from innovative vendors such as Qualys and BeyondTrust (which acquired eEye earlier this year).
SMBs can get nearly all of these capabilities from UTM appliances: UTM vendors such as WatchGuard license technologies such as anti-virus from leading vendors such as Kaspersky, and vendors such as Fortinet also maintain a high level of internal product and feature development. Thus, there is no excuse for a business of any size to lack these essential technologies.
Additionally, new technologies are emerging that will empower businesses to block a larger share of threats. Companies such as Click Security and Critical Watch use advanced analytics and security intelligence to identify the most sophisticated and targeted attacks. Considering the massive amount of log data generated in enterprise organizations, and attackers’ skill at remaining undetected, these real-time analysis tools are becoming necessary to find the most persistent security breaches.
Most importantly, companies must dedicate budget to improving the “human factor” through training, auditing, penetration testing, and analysis. As far as penetration testing goes, everyone should be doing it on a regular basis; companies that don’t engage in auditing and penetration testing have no insight into their true security posture. Use these guidelines to find reputable and skilled ethical hacking firms. These days, companies such as Trustwave SpiderLabs make it easy to purchase, prioritize, and regularly schedule these engagements through retainer agreements.
The Last Word
The time has come: it is necessary to adapt. But this is not such a bad thing. The best known attacks, Operation Aurora, Stuxnet, and Flame, were built on techniques and classes of vulnerability that have been known in the industry for years. We have known that this day would come, and we don’t need to feel like the sky is falling just because it is here. Instead, businesses must learn, understand, strategize, implement, test, and update their information security architectures.
Businesses are betting the house on a bad hand when they rely on outdated security technologies, ignore the human element, and fail to adapt to new threats. But that’s just me: I never gamble with my money—only with my life.
*****
Double down with Industry Analyst Chris Rodriguez by e-mail.
For additional information on hacking, check out the Frost & Sullivan white paper entitled The Importance of Ethical Hacking: Emerging Threats Emphasise the Need for Holistic Assessments or learn more about Network Security.
Check Point Announces New Security Technologies for Advanced Threats
2010 and 2011 ushered in a new breed of cyber threats that brought major organizations including Google, RSA, and Lockheed Martin to their knees and left many others searching for answers. These attacks were alarmingly sophisticated, effective, and elusive. Furthermore, their sophistication points to well organized crime syndicates and nation-states with deep pockets, which pushed a once-obscure term, the “advanced persistent threat” (APT), into everyday use. These threats and this new attacker profile have captivated the security industry’s attention as customers demand adequate protection tools.
It is no surprise, then, that entrepreneurial companies such as Critical Watch, FireEye, Bit9, and Click Security now offer solutions designed specifically to help customers defend against APTs. However, despite the widespread concern about APTs, IT organizations are still expected to block the thousands of traditional commodity threats that bombard their networks every day, and those are handled by the established vendors’ products. Therefore, the larger security vendors should develop APT protection of their own rather than leave customers to bolt on a separate point product.
As multiple security companies attempt to combat these threats, a number of different security technologies and strategies have emerged, such as “big data,” intelligence and analytics, anti-bot, advanced anti-malware, and APT detection solutions. While there remains much debate as to which technologies are most effective (or feasible) against advanced threats, there is a sense that every security vendor should be working diligently to counter this class of threat.
Small, start-up companies have the benefit of a clear, specific goal such as APT detection and have the business agility to adjust strategies as the market demands. Too often, larger security companies are more reactive and will wait to identify best-of-breed product design and go-to-market strategies before developing a competing offering. Unfortunately, in the modern threat landscape, there is little time for major IT security companies to enjoy the luxury of a learning period.
That is why Check Point’s newest release, R75.40, caught my attention. R75.40 introduces compelling new security technologies: ThreatCloud and the Anti-Virus and Anti-Bot software blades. ThreatCloud is a collaborative network designed by Check Point to collect attack and attacker data from the company’s global install base of network gateways, from sensors, and from third-party and internal research. This enables Check Point to deliver real-time updates to customers’ security gateways, so that protections for a newly identified threat reach every gateway rather than waiting for a scheduled signature release. ThreatCloud also powers Check Point’s Anti-Bot and advanced anti-malware software blades, which use multi-tier APT detection and prevention capabilities to block threats that traditional IPS, firewall, and endpoint solutions cannot address.
R75.40 also offers a multitude of additional new features, including data leakage prevention (DLP) remediation and inbound SSL inspection. But in a time when it seems that every company is vulnerable, the headline is that Check Point’s advanced threat technologies deliver valuable new functionality for customers.
*****
For additional analysis of this market, check out Frost & Sullivan’s annual global market study entitled Analysis of the Unified Threat Management (UTM) Market and the Impact of Convergence or learn more about Network Security.
Dell's Acquisition of SonicWALL Foreshadows the Security Industry's Fate
“Dude, you’re getting a SonicWALL!”
On Tuesday, March 13, 2012, Dell announced its plan to acquire SonicWALL, a leading vendor in the Unified Threat Management (UTM) market. This will allow Dell to rapidly advance its security portfolio with the addition of next generation firewall, intrusion prevention (IPS), SSL VPN, gateway anti-virus, anti-spyware, and content filtering capabilities. Dell’s previous forays into the security industry were its acquisitions of managed security services provider (MSSP) SecureWorks and systems and patch management vendor KACE.
The acquisition provides a number of growth opportunities for SonicWALL. First and foremost, it enables SonicWALL to leverage Dell’s vast and mature channel partner program. It also provides SonicWALL with stronger economic stability and brand recognition from Dell. Additionally, stronger financial backing will facilitate new product development. These factors will help SonicWALL increase its penetration in the enterprise market, which has been a central focus of many UTM vendors’ growth strategies. As a result, Dell SonicWALL could potentially shake up the UTM market as we know it.
Further still, this announcement is additional evidence of the convergence of IT and security. The goal to achieve “built-in” security has been demonstrated by the acquisition activities of Cisco, Juniper, IBM, and HP, and was most evident with Intel’s acquisition of McAfee.
Fortinet, which has been the market leader in UTM sales for multiple years, has excelled due to its product quality and ongoing product development. Check Point has a highly competitive strategy for the UTM market that focuses on modular solutions (its software blades), which makes every firewall sale a potential future UTM sale. Both companies have demonstrated solid financial growth in recent years. However, Check Point and Fortinet are also among the last large stand-alone network security companies.
So the big question is: how long will stand-alone security vendors find success with “security-only” strategies? At what point will enterprise organizations determine that they should be purchasing security solutions from their IT provider? Can security ever truly be “built-in” considering the constantly evolving nature of network-based threats?
*****
Vulnerability Bounty Hunters
Bounty hunter. The term conjures up images of anti-heroes and rogues with awesome weapons and tactics in pursuit of the most dangerous criminals (or maybe just mullets). So it may be a surprise that the network security industry has its own version of these vigilantes for hire. Only, instead of searching out dangerous criminals, independent researchers are tasked with discovering and reporting software vulnerabilities.
Unlike modern bounty hunters, an independent researcher only needs to decide that they would like to hunt for software vulnerabilities, then go out and do it. When researchers discover a software bug they can then choose to report it to the appropriate party (the software vendor, a security company, or a coordinator such as US-CERT). For years, independent researchers did this for peer recognition or out of the goodness of their hearts.
However, it soon became clear that less scrupulous researchers were doing this to exploit vulnerable programs themselves or to sell the vulnerabilities to criminal organizations. The value of these black market transactions can only be estimated, but the most high-impact vulnerabilities can sell for as much as a million dollars. To counter this practice, security vendors developed bounty programs to encourage responsible disclosure and increase research efforts.
While security companies have offered bug bounty programs for years, there is now a growing trend of software and Web vendors offering rewards of their own. For example, Facebook announced its own program in 2011 and has already awarded $190,000 for original, responsibly disclosed vulnerabilities. Google has awarded $700,000 since its bounty program debuted in 2010. Microsoft refuses to pay for individual vulnerabilities, but is instead pursuing a new strategy (the BlueHat Prize): a single $250,000 lump sum for a defensive technique that blocks an entire class of vulnerabilities.
Whether it works or not, Microsoft’s strategy focuses on a long-term solution, which is admirable. Unfortunately, it neglects the immediate threat. In effect, vulnerabilities are the keys to a successful cyber attack, so the search for these bugs is a constant arms race. By refusing to pay for vulnerabilities, Microsoft reduces the available outlets for responsible disclosure. Fortunately, companies such as HP TippingPoint (through its Zero Day Initiative) and VeriSign iDefense are able to pick up this slack with their highly successful vulnerability purchase programs.
In the end, there is a market for everything. The reality is that software vendors face deadlines, budget constraints, and increasing pressure for new features and capabilities, and all of these factors ensure that they will never produce flawless programs. Software vendors must improve secure development processes, increase quality testing, and hire penetration testers (and overall they have already shown tremendous improvement in this area). This will reduce the number of vulnerabilities, especially the “low-hanging fruit.” But there will always be software bugs. Vendors must be ready and willing to reward researchers for their efforts, or prepare to lose business after the next data breach.
*****
For additional information about vulnerability research, check out Frost & Sullivan’s quarterly study entitled Analysis of the Global Vulnerability Research Market in Q3 2011 or learn more about Network Security.
Enterprise Security for Consumers?
In recent years, the fiercely competitive UTM market has focused on increasing its penetration in the enterprise market. However, UTM has traditionally been considered a small business play due to limited performance and integration but compelling price points. After years of improvements and innovations, UTM vendors now offer enterprise-grade products that compete with leading point products. While the focus on the high-end market is a respectable strategy, it is not unique. So when a UTM company announces a different strategy, it warrants further discussion.
Cyberoam NetGenie
Cyberoam, an India-based UTM vendor, recently announced its NetGenie HOME UTM product. This device provides home router capabilities such as 802.11b/g/n wireless, four switch ports, and 3G support. NetGenie also includes essential UTM capabilities: 20 Mbps of firewall throughput, anti-virus (AV), anti-spyware, intrusion prevention (IPS), and Web filtering. More importantly, much thought has gone into the user interface to ensure that non-technical customers can deploy it in their homes. NetGenie accomplishes this through a Web page-style management interface with intuitive visual controls and reports. Web content is predefined and categorized by age group and content type, enabling different access policies per user and time of day. Thus, parents can ensure that their children do not play games all day and are not exposed to inappropriate material. The $180 price tag may seem steep for a home product, but it does include three years of AV, IPS, and content filtering updates.
Challenges
However, Cyberoam faces a number of challenges. First, how does it increase customer awareness of a product like this? The average end-user is unaware of the value of IPS or gateway AV. Most consumers are already well invested in endpoint security software and are not aware of the importance of layered defense. NetGenie’s gateway AV and Web filtering can complement these investments and provide defense-in-depth for laptops and desktops that already have security software installed. The bigger selling point will be its ability to protect tablets, smartphones, and gaming consoles, which are increasingly capable and rarely protected by endpoint software. I firmly believe that these devices will be increasingly targeted by hackers over the coming years.
Furthermore, resellers don’t typically sell to consumers. The best channel for this product would be retail, a channel few enterprise security vendors, Cyberoam included, have experience with. Until the product gains momentum, NetGenie’s success hinges on Cyberoam’s ability to gain traction with service providers. Service providers seek to offer value-added services to their customers and should consider offering “Safe and Secure Internet Access” to their subscriber base. NetGenie could easily be bundled as a value-added service or offered as an optional upgrade.
Conclusion
Now, Cyberoam is not the first UTM vendor to offer a small home router/firewall product. However, few products at this price/performance point have shown evidence of careful consideration of consumer-specific needs. Despite the user-friendly interface, it will take some time to build customer awareness of the product’s value and importance. Additionally, most consumers will balk at replacing their existing router and at the configuration process. Thus, it seems that the primary market for this product will be limited to the more tech-savvy consumers for now.
*****