November 11th, 2009 by Greg Young · No Comments
In Canada Nov.11th is Remembrance Day, the equivalent of Memorial Day and a holiday for Gartner associates in Canada. Poppies are worn on the lapel by most everyone and it is a fairly significant event here.
Pretty much every male in our family served, so today we’ll take time at the 11th hour of the 11th day of the 11th month to think of old army buddies, the thousands serving in nasty places, and military families worldwide who don’t have a dad or mom around for long periods. To those serving today, thanks.
Grand-dad (middle) after liberation of Paris, Dad, my brother and I with mom.
October 20th, 2009 by Greg Young · No Comments
Some unhappy bloggers ended up on the Wall of Shame at a recent security/hackers conference and (I summarize…) cried foul because it wasn’t pre-advertised that the network would be hostile. There is a good post on the hub-bub here.
The yin of rubbing elbows with vulnerability researchers and semi-bad guys who reveal the most recent hacks on the unassuming comes with the yang that you are the nearby unassuming one to these semi-bad guys and vulnerability researchers.
Blogging is the new gonzo journalism. To those crying foul, I suggest a lesson from the gonzo-est journalist Hunter S. Thompson who, while writing his book Hell’s Angels, enjoyed the access and excitement that he knew would sell books. At the end of his tale, when he became the unwanted object of the excitement, he made that a part of the story.
The object lesson here for me is really that OPN (other people’s networks) generally give you as much security as you pay for. OPNs are the bad part of town, and it is a good idea to change your behavior accordingly, which could include not connecting.
October 15th, 2009 by Greg Young · 2 Comments
John Pescatore and I published today “Defining The Next Generation Firewall” (NGFW). These ‘liner notes’ may help provide some context. Gartner has been talking about Next Generation Firewalls (NGFW) for a while – in 2004 we had a note titled “Next Generation Firewalls Include Intrusion Prevention”.
We have been increasing the weighting for NGFW capabilities in each successive Enterprise Network Firewall Magic Quadrant (MQ), so there will not be a separate MQ for NGFW: this next generation is not a new product or an artificial label, but a progression of firewall and IPS technology.
The note was published now because the market is starting to see early versions of these enterprise class products: some firewall vendors waking up to a big IPS market, changes in network traffic to being squeezed through fewer ports and protocols, an emerging firewall policy management market, and the signaling between other network security products. In the note we also specify what an NGFW is not, in response to inquiries from Gartner clients and as a further guide to where this market is heading.
October 6th, 2009 by Greg Young · 2 Comments
Two items this week bring into focus the security issues around cloud computing.
An article on DISA’s RACE (Rapid Access Computing Environment) makes the comment that RACE is more secure and stable than the Google cloud. Arguments aside about the definition of clouds and whether private clouds are really clouds, I find this interesting because it highlights that looking at clouds is not an “if you don’t like it, leave” security proposition: you can have choices. Just don’t try to shoehorn your requirements into an existing cloud that doesn’t meet them.
Second was the news from the BBC that an estimated 30k Gmail accounts had allegedly been compromised through phishing: 1) you get the security you pay for and 2) not much new here – this wasn’t likely a new cool super-sophisticated attack but an old one, and it just went where the fishing (arg) was good.
September 29th, 2009 by Greg Young · 14 Comments
The child actor who died from drinking Pop Rocks candy and Coke, and the Nigerian minister who just needs a little help with some money transfer… I need to call someone at Snopes.com and pull in some favors to get “Enterprise UTM” added to the myths list.
The Loch Ness Enterprise UTM message has again been sighted in the security market. At Gartner, we haven’t seen enterprises shifting to using UTMs or SMB multifunction firewalls, nor do we forecast that this will happen any time soon.
Here are some of the tricks used in security marketing to make these claims:
Trick #1: Redefining what an enterprise is. Enterprises in fact start at about 1000 employees. Between 500 and 1000 employees we consistently see IT buying behavior, including security, differ from the SMB. For firewalls, companies shift from buying what we call SMB multifunction firewalls (what is also called UTM) and start moving consistently to point products at about that 750-ish employee mark and don’t go back. Vendors redefining what an enterprise is in order to fit their product just games the equation. The trend is the key: calling an enterprise 200 or 2 employees doesn’t change the selection trend.
Trick #2: Calling a non-enterprise an enterprise. Sure a branch office may use a converged device, but that isn’t the enterprise. As a sidebar, branch offices generally aren’t doing mail security in the firewall (the mail servers aren’t usually out in the branches). Also, carriers, ISPs, and hosting companies aren’t enterprises: they are carriers, ISPs, and hosting companies and serve up security in a very different manner than both enterprises and SMBs.
Trick #3: Holding up the recession as a reason to see unicorns. During the last year some vendors have claimed that enterprises can now use SMB products or UTMs because of the recession. In fact, the recession may have been a reason to seek a less expensive enterprise product. If your construction company has come upon tough times, the solution is not to start hauling gravel in minivans. Maybe a vendor who is selling the enterprise UTM message can find a reference customer to hold up as proof; however, this is them having sold into their niche and having found the exception rather than the rule.
Trick #4: Calling a few point products together a UTM. Getting fuzzy about the definition of this mysterious UTM is the biggest trick. This is why Gartner doesn’t use the term “UTM”: we expressly separate products into “SMB Multifunction Firewalls” and “Enterprise Firewalls”. UTMs and SMB multifunction firewalls are generally understood to be all the network security products in one appliance. Enterprise firewalls are generally firewall, VPN, and maybe IPS: that isn’t the same as the SMB product or what has generally been called UTM. In our Gartner research, we provide some considerable detail on this topic; however, a firewall and IPS together is not a UTM. The unicorn-solvent is email anti-virus: if they mean to propose doing email anti-virus on the firewall then good luck with meeting your firewall latency SLAs (see below); otherwise they are being realistic but tricksy by just calling what is a firewall or next generation firewall a UTM.
There isn’t one big convergence happening in network security products. In our Gartner research, we provide some considerable detail to this topic, but enterprises won’t be deploying UTMs as their firewall anytime soon because:
- Buying and operations centers. In enterprises, mail security and network security are different security operations groups, and the safeguard is usually required in different places: i.e. firewall at edge and anti-spam in the data center.
- Latency sensitivity and inspection differences. You can wait a little while for mail anti-virus and not for network packets. It also turns out that the types of inspection for handling packets quickly and for doing deep inspection and expression matching are very different. At the lower bandwidth and connection rates of the SMB this inefficiency isn’t a big problem, but at true enterprise throughput and IMIX the inefficiency quickly becomes a service-killer.
- Best of breed requirements. Enterprises continue to favor getting good protection, and a single vendor offering 10 safeguards in a single appliance is likely not to be great at all of them. If you look at the Magic Quadrants (MQ) for messaging security, firewalls and IPS you will see very little overlap across quadrants in the MQs.
Greg Young | Research Vice President | Gartner
Network Security
http://blogs.gartner.com/greg_young/
http://twitter.com/Gartnergreg
August 31st, 2009 by Greg Young · 4 Comments
People, it turns out, are really bad at dealing with uncertainty and randomness. We are pre-programmed to see direct causes between independent factors and to treat direct links as unrelated or random. Likelihood, causation, and randomness are fundamental to IT security, and humans’ blind spots in these areas are but one reason why we aren’t better at IT security.
For a jaw-dropping read on these blind spots, read "The Drunkard’s Walk: How Randomness Rules Our Lives", where Leonard Mlodinow shows through example and history how likely we are to take the wrong action dependent on the degree of uncertainty, and how we usually draw the wrong conclusions in response to false positives, regression to the mean, and ‘recency’ of bad events.
Think you’re immune? Quick – tell me what the odds are of one of a set of twins being a girl. If you answered anything other than 75% you have passed the Turing test and are a flawed human (and then go on to wrestle with knowing that the odds of one of them being a boy is also 75%…).
Security budgets cannot continue to outpace IT spending indefinitely at the rate they have through this recession. Enterprise security budgets are limited, and tradeoffs mean making the right choices based on what is best for your company. These choices have to be made with a great degree of uncertainty, and then defended to people who by nature are not good at dealing with uncertainty and handling the random.
August 10th, 2009 by Greg Young · 4 Comments
I was honored to be the lead author for the 2009 Hype Cycle for Infrastructure Protection (limited to Gartner customers).
First in thanks, and second to demonstrate the depth of work and research we do at Gartner, I’d like to thank my 15 co-authors:
Vic Wheatman, Joseph Feiman, Neil MacDonald, Adam Hils, Jeffrey Wheatman, Peter Firstbrook, John Pescatore, John Girard, Kelly M. Kavanagh, Lawrence Orans, Mark Nicolett, Arabella Hallawell, L. Frank Kenney, Ray Wagner, and David Norton.
Infrastructure Protection is composed of the ‘keeping the bad guys out’ security technologies. This year we see considerable forward movement in the technologies as driven by the relentless and constantly changing threats.
The technologies listed in this edition include (in no particular order):
- Web Application Firewalls
- E-Mail Security Boundary
- DDoS Defense
- HIPS on Servers
- Stateful Firewalls
- Software Composition Analysis
- Application Inspection
- Penetration Testing Tools
- "In the Cloud" Security Services
- Security in the Switch
- Database Activity Monitoring (DAM)
- Open-Source Security Tools
- SMB Multifunction Firewall
- Endpoint Deep Packet Inspection
- Endpoint Protection Platform
- Network Security Silicon
- Application Control
- Mobile Data Protection
- Data Masking
- Static Application Security Testing
- HIPS on PCs
- Network Access Control
- Network IDS
- Next-Generation Firewalls
- Secure Web Gateways
- WLAN IPS
- XML Firewalls
- Dynamic Application Security Testing
- Network IPS
There is a great top level summary in Gartner’s Hype Cycle Special Report for 2009. The Infrastructure Protection Hype Cycle is a companion to the other security Hype Cycles:
- Hype Cycle for Governance, Risk and Compliance Technologies, 2009
- Hype Cycle for Data and Application Security, 2009
- Hype Cycle for Identity and Access Management Technologies, 2009
July 29th, 2009 by Greg Young · 2 Comments
My colleague and guest blogger Lawrence Orans joins me today in giving his take on the DNS BIND vulnerability:
Another July, another DNS vulnerability. Last year, it was the Kaminsky vulnerability. Yesterday, the ISC announced another vulnerability in BIND. It’s serious — a specially-crafted dynamic update message can crash your BIND 9 name servers. According to the ISC, “an active remote exploit is in wide circulation at this time”. Fortunately, the ISC has released BIND versions which address the vulnerability. BIND users should upgrade immediately to one of the three BIND 9 versions specified in the ISC announcement.
I can count on one hand the number of Gartner clients that scheduled inquiries with us last year to discuss the Kaminsky vulnerability. At first, that surprised me. But, after thinking about it, I realized that clients weren’t calling because there really wasn’t anything to discuss. If you were running a vulnerable version of DNS, you had to apply the patch – it’s that simple. You don’t ask the dentist if you need to brush your teeth, and you don’t need to ask Gartner if you should patch the Kaminsky DNS vulnerability. I imagine that with this DNS vulnerability, Gartner will also see a similar lack of inquiries from our clients. Sure, two serious DNS vulnerabilities in two years will stimulate lots of discussion and debate about best practices for securing DNS, but the immediate priority is to get those BIND 9 name servers upgraded – there is no need to discuss that. So, go out there and brush (and floss) your teeth!
- Lawrence Orans is a research director in Gartner’s Research organization. His research focuses on the integration of security within internal networks, with a particular emphasis on network access control, VoIP and content filtering.
July 28th, 2009 by Greg Young · 2 Comments
TMI: Too Much Info. Sure, the example below isn’t as egregious (i.e., bad) as the others I’ve posted recently, but it falls into that soft gray category of TMI.
See the other posts on this thread:
and Social Media Data Leaks.
July 27th, 2009 by Greg Young · 1 Comment
There are some slightly sensitive things which, if leveraged, can be turned into more sensitive things. Ye olde mother’s maiden name is one of those, often used in attacks on password reset challenges, the likes of which have been reported on here.
Here is an example via Twitter of making an account reset attack that much easier.