October 28th, 2009 by Neil MacDonald · 1 Comment
In my previous post, I stated this:
One important note: Because many of the more popular security features such as BitLocker, BitLocker To Go, AppLocker, DirectAccess and so on require EA/SA, the cost of EA/SA must be factored into any cost-benefit analysis of migration. If you don’t already have EA/SA, this can be a significant expense.
Since the “Ultimate” version of Windows 7 is intended to be a superset of all Windows 7 features (including all of the security features of Windows 7) why not just buy machines with Windows Ultimate as an alternative to purchasing an EA/SA?
At least four reasons:
- Windows Ultimate is officially a consumer version and has no volume license activation, which means that each machine must be activated individually.
- As a consumer version, Ultimate only gets 5 years of support and security fixes (versus 10 for the enterprise versions).
- If you buy Ultimate preinstalled with a new machine, you don’t get reimaging rights which makes it harder to configure, deploy and manage in an enterprise setting.
- You can’t buy the Microsoft Desktop Optimization Package (MDOP), which provides enterprise technologies such as App-V and MED-V.
If you are considering this strategy, be aware of the limitations. Microsoft really, really wants you to buy EA/SA. Big time.
Tags: · Endpoint Protection Platform, Microsoft, Microsoft Security
October 23rd, 2009 by Neil MacDonald · 1 Comment
I haven’t posted in a while – I was preparing for and attending Gartner’s US Fall Symposium conference in Orlando which wrapped up yesterday. Coincidentally, yesterday was also the official launch of Windows 7.
As I talked about here, there are things that organizations can do today to improve the security of their endpoints that don’t require an upgrade to Windows 7.
However, there are a LOT of new and improved security capabilities with Windows 7. Some are completely new – like AppLocker and BitLocker To Go. Others are improved over what shipped with Windows Vista (like BitLocker), but are new to XP users.
The full Gartner research note on Planning for the Security Features of Windows 7 has just been published. In the research note, I look at most of the security capabilities of Windows 7 and discuss their pros and cons as well as recommendations for deployment. If you are a Gartner client and planning on deploying Windows 7 (which will be just about every organization, given how few actually deployed Vista), this document will be a useful guide for testing and planning.
Here’s a list of the prioritized features discussed in the note (I’m sure there are more, these are the major ones that I get questions on):
One important note: Because many of the more popular security features such as BitLocker, BitLocker To Go, AppLocker, DirectAccess and so on require EA/SA, the cost of EA/SA must be factored into any cost-benefit analysis of migration. If you don’t already have EA/SA, this can be a significant expense.
Tags: · Endpoint Protection Platform, Microsoft, Microsoft Security, Windows
October 9th, 2009 by Neil MacDonald · 2 Comments
I’m working on a detailed research note providing clients specific guidance on planning and deploying the 15 or so security features of Windows 7.
Two things you can do now to improve Windows security (regardless of your deployment timeframes for Windows 7):
1) Get off of IE6. I don’t care if you go to IE7, IE8, Firefox, Chrome, Opera, etc. Anything is better than IE6 from a security perspective. And this doesn’t require a move to Windows 7.
2) Continue to run more users as standard users. Ideally, all of them. It doesn’t take the User Account Control capabilities of Windows Vista or Windows 7 to enable this. Multiple third-party products are available from BeyondTrust (acquired by Symark), Avecto and Viewfinity that enable elevation on exception (least privilege management).
I’ll post the link to the research as soon as it becomes available.
Tags: · Microsoft, Microsoft Security, Windows
October 1st, 2009 by Neil MacDonald · 2 Comments
1) In this post, I discussed how Macs are indeed vulnerable and provided data showing exactly this. I observed:
The vulnerabilities are there, including users that can be tricked into doing things they shouldn’t. Mac attacks happen and will become more prevalent as the OS continues to gain adoption.
And then I see this article making exactly the same point:
During an eye-opening presentation at the VB Conference 2009 conference here, Sophos Labs researcher Dmitry Samosseikko provided a glimpse into the “Partnerka,” a Russian network of spam and malware affiliates that have turned their attention to the Mac platform — using social engineering tricks to load fake codecs and scareware programs.
Sorry to disappoint the Mac users. Your OS is vulnerable, there will be exploits and, just like on Windows, the unpatchable vulnerability (in the form of end-users) will be targeted.
2) In this post, I talked about how DRM and DLP aren’t really separate problems. I stated:
Digital Rights Management (DRM – alternatively Information Rights Management [IRM]) and Data Loss Prevention (DLP) are typically thought of as separate problems with different vendors and solutions targeting each. The market may have evolved this way, but that’s not the way it has to be.
Then I see the announcement this week from McAfee and Adobe. It’s absolutely the right direction, although there’s no reason why an integrated solution has to come from separate vendors.
3) Finally, in this post and in this Gartner research document, I talked about the impact of (then-beta) Microsoft Security Essentials. The no-cost antivirus/antispyware protection package was officially released this week.
Free antivirus and antispyware protection is a good thing. At a minimum, it helps to keep pricing rational for the rest of us, including enterprise users. No one should be paying extra for antispyware in 2009. Demand that your Endpoint Protection Platform vendors deliver more at the same price – just like the rest of IT has gotten for years (Moore’s Law and all).
Why should information security be immune to the trends of commoditization and downward pricing pressure?
September 25th, 2009 by Neil MacDonald · 6 Comments
Do Macintosh machines need AV?
My answer: Forget the OS. Do users download and install arbitrary code/applications? (Don’t forget, this includes browser plug-ins as well.) If so, I don’t care if you are running Macintosh, Linux or Windows: the answer is you need protection from malware, including signature-based mechanisms (historically referred to as AV…). Just like on Windows PCs, signature-based detection mechanisms are not enough, and we need to augment them with firewalling, application control and other styles of endpoint protection within an endpoint protection platform.
Don’t misinterpret a lack of publicized Mac attacks to mean that there is an underlying lack of vulnerabilities. There are plenty. See this chart from the latest IBM ISS X-Force security report:

This table shows the Operating Systems with the most security vulnerabilities in 2008. Compared to any single version of any other OS, Apple OS X takes the top spot.
Safari? It’s running neck and neck with IE in terms of the sheer number of vulnerabilities. Here’s similar data from the latest Symantec Internet Threat report:

And it had the highest window of exposure of the major browsers in the last reporting period. The vulnerability data should be a wake-up call to Macintosh users.

To me, the data shows Apple needs to put more focus on security in its development (and response) process.
The vulnerabilities are there, including users that can be tricked into doing things they shouldn’t. Mac attacks happen and will become more prevalent as the OS continues to gain adoption. Most Mac users run with de-elevated privileges so that helps to mitigate some risk, but even if the attack runs in the context of the user, today’s financially-motivated attacks are happy to quietly harvest end-user data, send it out over standard ports and not try to infect system files.
Macs are not immune to today’s threats, nor does Apple’s code contain significantly fewer vulnerabilities than other OSs.
To me, it’s a matter of when, not if, large numbers of Apple users will be affected by an outbreak.
Tags: · Apple, Application Security, Beyond Anti-Virus, Information Security
September 24th, 2009 by Neil MacDonald · 4 Comments
I’ve talked to several organizations (commercial and federal government) that have banned the use of all USB flash drives as part of a data loss prevention (DLP) strategy. This may indeed be necessary and provides immediate protection against data loss. However, it’s a blunt, coarse control that really doesn’t solve the underlying problem. Such drastic policies get in the way of legitimate users trying to do their job. Worse, such policies are merely “security theatre” if the other ways that information may escape (email, instant messaging, fax, FTP, VoIP, printing and so on) aren’t also addressed.
So what is the root of the problem? Consider what we’ve learned with application security. There is broad industry consensus that shielding and patching after the fact are symptomatic of a faulty development process. For example, we can put up a web application firewall to shield a vulnerable application but we really haven’t solved the problem. To properly address application security issues we must change the way we produce (and procure) applications. We have to get back further into the development process when new applications are created.
Let’s apply this insight to information security. Banning USB flash drives is symptomatic of a faulty information security lifecycle process. Rather than treat the symptoms, we must get back further into the information lifecycle to understand how, when and where sensitive information will be created or acquired. It’s at this point in the information lifecycle that we need to define (and enforce) policies on the information as it moves on to be consumed by systems and users.
Instead of a policy like “nobody is allowed to use a USB flash drive”, a control that enforces a policy like “anyone can use a USB flash drive, but don’t allow sensitive data to be copied to a USB drive” makes more sense. Better, how about a control that enforces a policy like “don’t allow sensitive data to be copied to a USB drive unless the data (or the drive itself) is encrypted”.
The problem is, we don’t really have a good handle on what data is sensitive, how it is used, how it moves around, what systems and users rely on it, and how and where it is stored. That’s the real problem DLP projects need to tackle.
Instead, we treat the symptoms… like banning USB flash drives.
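To make the three policies above concrete, here is a small Python illustration (added here; it is not code from this post, from Gartner or from any DLP product). It evaluates the same constructed set of USB copy events under “ban all drives”, “block sensitive data” and “block sensitive data unless the data or the drive is encrypted”. The sensitivity classifier is a deliberately tiny stand-in (a CONFIDENTIAL marking or a Luhn-valid card number); the event fields, policy names and thresholds are all assumptions for the example.

```python
"""Removable-media copy policy evaluator (illustrative, not a product's logic)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    BAN_ALL = "nobody is allowed to use a USB flash drive"
    BLOCK_SENSITIVE = "anyone can use USB, but no sensitive data may be copied"
    BLOCK_SENSITIVE_UNLESS_ENCRYPTED = "sensitive data only if data or drive is encrypted"


@dataclass(frozen=True)
class CopyEvent:
    """One attempted file copy to removable media (constructed sample data)."""
    user: str
    filename: str
    content: str              # text the DLP agent can inspect
    drive_encrypted: bool     # e.g. volume-level encryption on the drive
    file_encrypted: bool = False  # e.g. rights-managed / encrypted container


# 13-16 digit runs, optionally separated by spaces or dashes
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sensitive(content: str) -> bool:
    """Hypothetical classifier: explicit marking or a plausible card number."""
    if "CONFIDENTIAL" in content.upper():
        return True
    for m in CARD_CANDIDATE.finditer(content):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def evaluate(event: CopyEvent, policy: Policy) -> tuple[str, str]:
    """Return ("allow" | "block", reason) for one copy event under a policy."""
    if policy is Policy.BAN_ALL:
        return "block", "removable media disabled by policy"
    if not is_sensitive(event.content):
        return "allow", "no sensitive content detected"
    if policy is Policy.BLOCK_SENSITIVE:
        return "block", "sensitive content; USB copies of sensitive data prohibited"
    # Policy.BLOCK_SENSITIVE_UNLESS_ENCRYPTED
    if event.drive_encrypted or event.file_encrypted:
        return "allow", "sensitive content, but protected by encryption"
    return "block", "sensitive content on an unencrypted drive"


# Constructed sample events; the card number is the well-known test value.
SAMPLE_EVENTS = [
    CopyEvent("alice", "slides.pptx", "Q3 roadmap, public launch deck", False),
    CopyEvent("bob", "customers.csv", "name,card\nAcme,4111 1111 1111 1111", False),
    CopyEvent("carol", "plan.docx", "CONFIDENTIAL - merger timeline", True),
    CopyEvent("dave", "notes.txt", "ticket 1234567890123456 ref", False),
]


def decisions(policy: Policy) -> dict[str, str]:
    """Map each sample filename to its allow/block decision under a policy."""
    return {e.filename: evaluate(e, policy)[0] for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value)
        for e in SAMPLE_EVENTS:
            decision, why = evaluate(e, policy)
            print(f"  {e.user:6} {e.filename:14} {decision:5} ({why})")
```

Running it shows the point of the post: the ban blocks all four copies, including the public deck; the content-aware policy lets the harmless files through and only blocks the two sensitive ones; the encryption-aware policy additionally allows the sensitive document because it is going to an encrypted drive. The classifier is the hard part in practice, which is exactly the “what data is sensitive” problem above.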
Tags: · Adaptive Security Infrastructure, Information Security
September 16th, 2009 by Neil MacDonald · 4 Comments
A proxy-based model for externalizing and enforcing security policy is the right approach and becoming more, not less, relevant.
To be clear, I’m not just talking about network traffic proxies. I mean everywhere up and down the IT stack. For example, when web users talk to web applications, we use load controllers, web access management gateways and web application firewalls to apply network and operational policy. All of these technologies allow us to inject our policy as traffic goes back and forth.
Ditto for web proxies, URL filtering and web security gateways enabling us to interpose policy between users and the web as they surf.
Ditto for SOA gateways (e.g. Amberpoint, Layer7, SOA Software, DataPower and so on) between services.
Conceptually, it’s the same with virtualization and APIs that enable the enforcement of security policy for virtual machines. If you think about it, the hypervisor / virtual machine monitor layer is like a proxy. This layer mediates all requests for memory, network, storage and so on. Introspection techniques and VMM-level APIs such as VMsafe let us inject policy here as well – both for server *and* desktop workloads.
Increasingly we don’t own or control all of the pieces of IT (the users, the devices, the components, the services, etc.) that are composited together to build a system. Are proxy-based models the best way to ensure the application of security policy moving forward? I believe in most cases they will be.
Tags: · VMsafe
September 14th, 2009 by Neil MacDonald · 7 Comments
Symantec recently announced the latest release of its consumer protection technology, which includes a new malware technology code-named “Quorum”. Essentially, the technology uses visibility (or lack thereof) of the behavior of executable code across a community to aid in determining whether a given piece of code is “good” or “bad”. We are working on our full analysis and recommendations for our enterprise clients, but here are my initial high-level observations.
Despite Symantec’s rhetoric, the idea of using visibility of executable code across a community for better security decision making isn’t new. Prevx (which I wrote up in Gartner research as a Cool Vendor in 2006 because of its community approach to endpoint intrusion prevention) has been using “herd” intelligence across its community for years. McAfee’s Artemis announced more than a year ago uses a similar approach.
The good news is that Symantec understands that signature-based detection alone is increasingly ineffective and that it needs to do more at the application level. Rather than take an approach solely rooted in whitelisting or building a global whitelist, Symantec is instead using the Quorum technology to focus on the vast greyspace between blacklists (which can’t keep up) and whitelists (which also struggle to keep up and are too restrictive for many end-user desktops – especially consumers, who have no IT department to manage the whitelist).
By using visibility into code behavior (usage, propagation patterns, prior user history, system calls and so on) across a larger population, Symantec is able to build more accurate models as to whether a given piece of code is “good” or “bad”. No behavioral modeling-based approach for security is perfect, but it is a fact that the more data points you have, the better the model you build and the fewer false negatives and, more importantly, false positives that result when the model is used to make security decisions. Quorum taps into the large Symantec installed base for precisely this reason.
There are no silver bullets in security, but Quorum is a welcome innovation in endpoint protection which has fallen woefully behind the bad guys by relying too heavily for too long on an increasingly ineffective blacklisting-based protection model at the application level.
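The observation that more data points give a better model is worth seeing in code. The following Python illustration is added here and is not Symantec’s Quorum, Prevx’s or McAfee’s actual logic; it only shows the shape of a community-prevalence verdict. Each file hash carries telemetry aggregated across endpoints (how many have run it, how many reported suspicious behavior, how long it has been seen). The verdict uses a Wilson confidence interval on the bad-behavior rate, so a file seen on only a handful of machines lands in the “unknown” greyspace even if nothing bad has been reported yet, while a widely seen, long-lived file with a tight interval is trusted. The hash names, thresholds and sample counts are all constructed assumptions.

```python
"""Community-prevalence reputation for executables (illustrative only)."""
from __future__ import annotations

import math
from dataclasses import dataclass

Z = 1.96                       # 95% confidence
TRUSTED_MIN_ENDPOINTS = 1000   # hypothetical thresholds, not a vendor's
TRUSTED_MIN_AGE_DAYS = 30
TRUSTED_MAX_BAD_RATE = 0.05
MALICIOUS_MIN_BAD_RATE = 0.50


@dataclass(frozen=True)
class Telemetry:
    """Aggregated community observations for one file hash (constructed)."""
    sha256: str        # placeholder identifiers in the samples below
    endpoints: int     # distinct endpoints that have run this file
    bad_reports: int   # endpoints where it showed suspicious behavior
    age_days: int      # days since first seen anywhere in the community


def wilson_interval(successes: int, n: int, z: float = Z) -> tuple[float, float]:
    """Wilson score interval for a proportion; wide when n is small."""
    if n == 0:
        return 0.0, 1.0
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def verdict(t: Telemetry) -> str:
    """Commit to a verdict only when the community data supports it."""
    low, high = wilson_interval(t.bad_reports, t.endpoints)
    if low > MALICIOUS_MIN_BAD_RATE:
        return "malicious"        # even the pessimistic bound says mostly bad
    if (high < TRUSTED_MAX_BAD_RATE
            and t.endpoints >= TRUSTED_MIN_ENDPOINTS
            and t.age_days >= TRUSTED_MIN_AGE_DAYS):
        return "trusted"          # widely run, long-lived, rate provably low
    return "unknown"              # greyspace: neither list can decide yet


# Constructed sample telemetry
SAMPLES = [
    Telemetry("hash-A", 50_000, 0, 400),   # common, old, clean
    Telemetry("hash-B", 8, 0, 1),          # brand new, clean so far, few hosts
    Telemetry("hash-C", 40, 35, 3),        # small spread, mostly bad behavior
    Telemetry("hash-D", 3, 2, 2),          # suspicious, but too little data
]


def classify_all(samples: list[Telemetry] = SAMPLES) -> dict[str, str]:
    """Verdict per hash; the interval width is what separates B from A."""
    return {t.sha256: verdict(t) for t in samples}


if __name__ == "__main__":
    for t in SAMPLES:
        low, high = wilson_interval(t.bad_reports, t.endpoints)
        print(f"{t.sha256}: n={t.endpoints:6} bad-rate CI=[{low:.3f}, {high:.3f}] -> {verdict(t)}")
```

Note what happens to hash-B and hash-D: with eight or three observations the interval is so wide that the model refuses to call the file either way, which is the honest answer and the reason an installed base the size of Symantec’s matters to this approach. As more endpoints report, the interval narrows and the same thresholds start producing decisions.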
Tags: · Beyond Anti-Virus, Defense-in-Depth, Endpoint Protection Platform, Next-generation Security Infrastructure, Whitelisting
September 11th, 2009 by Neil MacDonald · No Comments
In a previous post, I discussed VMware’s differentiated message of choice in Cloud-computing infrastructure. That post talked primarily about enabling infrastructure as a Service (IaaS) providers (using the same technology VMware delivers for enterprises) to build and deliver flexible infrastructure services with scalable networking, storage and compute underneath.
But what about the ability to support newly developed scale-out applications? This is at the heart of what VMware will do with SpringSource – providing organizations a way to develop their own scale-out applications that can run in their own datacenter or run in a Platform-as-a-Service (PaaS) provider built on VMware’s infrastructure. Gartner’s initial analysis is here. Below are my observations on the acquisition of SpringSource (and, interestingly, there is a security slant)
- By acquiring SpringSource, VMware gains immediate access to 2-3M Java developers that have adopted the framework. Unlike Microsoft, VMware didn’t have an installed base of developers to target. Now it does. Also, SpringSource brings application-level expertise and credibility to VMware.
- In much the same way that virtualization decouples operating systems and workloads from the underlying hardware, SpringSource decouples the applications from the specifics of their deployment environment, enabling mobility and portability of the applications (including to Cloud-based providers). It also enables unique security capabilities using aspect-oriented programming techniques to inject and enforce consistent policies across the application with limited developer involvement.
- If VMware remains committed to SpringSource’s relationship with the open source community, it will battle at the PaaS level in a way that Microsoft cannot.
- There are limits to what VMware can infer and introspect from the outside of a VM container. By instrumenting the application platform layer to communicate with the virtualization layer, VMware will gain the visibility needed to build applications that can scale out dynamically in bidirectional cooperation with the infrastructure underneath.
- The acquisition of SpringSource brings along the Hyperic management fabric capability (also open source) which Gartner wrote up in detail here as a Cool vendor. Hyperic’s technology has the potential to transform traditional systems/security management (including performance monitoring, logging, change management, updates and so on).
- Finally, as the framework evolves organizations could build and deploy the same elastic-infrastructure-enabled application internally or externally, or in a hybrid deployment that spans both.
It’s a bold and strategic acquisition on VMware’s part. As always, the key will be in the execution.
Tags: · Cloud, Cloud Security, Microsoft, VMware
September 10th, 2009 by Neil MacDonald · 2 Comments
When someone talks about undertaking a “Data Loss Prevention” (DLP) initiative, they are usually talking about deploying a product from one of the DLP vendors such as McAfee, Symantec, EMC/RSA and so on. Much like I talked about in this post on application security, a product cannot solve what is first and foremost a process problem. The same is true with data protection.
Data protection is the process of identifying and understanding where and how sensitive information is created, used, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.
Endpoint DLP is a possible technical control to map against this process. So is endpoint encryption. So is endpoint device control. So are email and web security gateways that support basic DLP functions. Start first with the process, identify and prioritize gaps, then decide where a tool is needed.
Tags: · Endpoint Protection Platform, Information Security