On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. “You are compromised, get over it”. Others in the US Government have come to the same conclusion.

We spend far too much of our information security budget on increasingly ineffective mechanisms designed to prevent intrusions including network and host-based solutions, firewalls, IPS and antimalware systems. Does that mean we give up on these Not at all. What we need are new capabilities in other areas.

Assume you’ve been compromised. How would you know? We don’t spend nearly enough on systems that help us to better detect a compromise after it has occurred. We can’t keep pretending that we can keep the bad guys out.

Where are net new investments needed? Here’s just a few of the specific areas I discuss in my research.

• More monitoring. Lots more. At all layers of the stack – packet, flows, sessions, transactions, applications, user activities – all of it.
• More context-awareness. To separate meaningful anomalies out from a sea of monitored events will require more context – identity, application, content, location, time of day, reputation and so on.
• Big data and analytics brought to information security. Information security is becoming a big data problem and we need the systems, algorithms and new sets of security skills to derive insight from this.
• Higher levels of automation. To free up time to focus on the really important stuff, security professionals have got to get out of the day to day programming of security policy enforcement points. Program policies? Yes. Program quintuples? No.
• Cloud-based security policy enforcement. If we don’t own the device or the network (think 3G, 4G etc) then we can’t always rely on traditional network and host-based security controls for protection.
• Applications that are designed to be securely operated and used from inception. DevOpsSec must and will become a reality.
• A shift in thinking from Security Information and Event Management to delivering Security Intelligence

I believe information security infrastructure is at a critical inflection point. The status quo isn’t cutting it. Changes are needed.

Are the vendors up to it if it means we spend less for increasingly ineffective legacy solutions they are selling us? (The good news is that we’ll spend more in the other areas highlighted above if they’d make these types of advancements)

Are we up to it? Are we prepared to admit that we are currently on the losing side of this battle and make the types of process, technology and mindset changes above?

In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.

What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:

1) Endpoint security, application control and whitelisting. Microsoft is causing significant disruption in this market with its new version of Forefront Endpoint Protection and its change in licensing policies.

2) Strategies for protection against Advanced threats (note that this overlaps with #1 a bit)

3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?

4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.

Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.

In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. Cloud is a computing style, not a location. It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security to a set of software-based services delivered by programmable infrastructure. I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time imagining firewall services decoupled from the physical hardware underneath and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.

If you follow my thoughts from the conference on twitter (@nmacdona), you’ll see some of the feedback on my context-aware security presentation.Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.

As I have discussed previously many times, all of information security is becoming context-aware and adaptive and this attribute will be a key characteristic of all next generation security offerings (IPS, FW, endpoint protection, IAM, DLP, and so on).

Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending Gartner’s upcoming US Data Center summit in December in Las Vegas and we can catch up there.

Is protecting a desktop different than a laptop? Yes.

Is protecting a server different than a desktop or laptop? Yes

However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:

• All desktops and laptops need AV. Some servers need AV (general purpose file servers) and most organizations require AV on all Windows servers by policy.
• Application Control is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
• Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all.
• Deep packet inspection based host-based intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capabilities of this style of protection tends to be more valued on servers that can’t be patched as frequently.
• Rules-based HIPS tends to be used more on servers where rules about normal application behavior are more easily defined
• Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect from zero-day attacks because these devices routinely deal with arbitrary code. This isn’t as important on servers as they don’t routinely deal with arbitrary code and organizations don’t want to risk an occasional false positive.
• Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.
• Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.

The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption, etc etc working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and increasingly mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.

Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?

How does your organization handle this?

Like Windows 7, Windows 8 will continue to raise the bar in terms of security capabilities of the base OS. Here’s a list I compiled of the new capabilities:

• Antimalware protection built into the OS – basically Microsoft’ Security Essentials (beyond just Windows Defender included with Windows 7)
• Earlier loading of security protection in the boot process to thwart rootkits and other boot-level malware
• File reputation services (SmartScreen) – was included with IE9, now expanded to protect the entire OS.
• Root of trust measurements of the OS based on UEFI – if we need this for hypervisors, why not all OSs? Microsoft has had something similar with BitLocker using TXT and has now extended this to all versions.
• Windows Refresh – to restore Windows back to a known good state, while preserving end user personalization, enabling Systematic Workload Reprovisioning.
• Windows now supports boot from USB – quite useful in specific scenarios. Combined with BitLocker and root of trust measurements, this becomes a way to place an unknown terminal device into a high assurance state.

For the new “Metro Style” side of Windows 8 (the WinRT side), it is clear that the security model of Apple and the iPhone/iPad has had an impact:

• Reduced rights and strengthening of mandatory integrity controls of the OS.
• Metro-style applications can only be delivered through the Microsoft application store which now includes security testing (a form of implicit whitelisting).
• Sensitive API access is proxied through a security policy enforcement mechanism which validates the application’s right to use them
• “Picture Password” as a touch-native way of authenticating yourself to Windows 8

Overall, Windows 8 provides evolutionary – not revolutionary — improvement in security capabilities and raise the bar in terms of what an OS should deliver in terms of security protection.

I’ve talked about this several times before – including here, here and here.

While it may not be feasible to remove administrator rights from all users, it is an absolutely achievable goal to continue to improve the percentage of Windows users running without administrator rights year over year for the foreseeable future. Make this your goal for 2012.

Case in point – I talked with a client today that had removed administrator rights from 90% of their users. This is a noteworthy achievement as they are only in the planning process of migrating to Windows 7. They had achieved this on Windows XP and for large numbers of XP-based laptop users. Impressive.

Better yet, I worked with this client on a strategy to move this to 95-97% using the migration to Windows 7 as a catalyst for further improvements – some coming from improvements in the Windows OS (like a new printer driver model) and some coming from the selective use of a third party tool for Windows privilege management.

If you are struggling with malware infestations and are considering switching out vendors, take a look first at removing administrator rights. For Gartner clients, I’ve outlined the best practices for achieving this in this research document.

Remember, if done correctly, removal of administrator rights does not have to equate to “lockdown”.

Full drive encryption should be considered mandatory for laptops and most organizations have implemented this – either with Windows 7 and BitLocker, by adding encryption into their endpoint protection platform contract or by purchasing a point solution.

However, there are several use cases where the use of FDE makes sense for fixed desktops:

1) For areas where physical security is lacking and there is a risk that the hard drive and/or physical machine may be stolen

2) For defense in depth as machines are retired to ensure that data is wiped completely. By ensuring that the key is destroyed, access to the data is impossible. Without the keys, they don’t have your data. This would supplement (and potentially replace) any manual wiping that is performed as machines are returned/retired/recycled/destroyed.

3) For protection of images in transit being shipped to remote locations – for example to remote offices.

With advances in hardware processing making the overhead of FDE nearly negligible and with the significant downward pricing pressure in the market (in the case of BitLocker. “free” if you are purchasing Software Assurance on the Windows OS), FDE may make sense for many of your fixed desktops as well.

We spent some time at Hilton Head Island in South Carolina. They’ve got a pretty amazing flat beach where the difference between high tide and low tide can be about 300 feet of beach. We’d use this to have a daily sand building exercise before the tide would come in.

The first day we tried a traditional design – a big, thick wall around the inner castle (a lot like the one above – I didn’t bring my cell phone down to the beach for a pic). It lasted about 20 minutes before a large wave breached the wall. Once that happened, subsequent waves took no time in leveling the rest.

The next day we tried two walls by adding a second, smaller inner wall around the castle inside. That added maybe all of 2 minutes of survival time. Once the outer wall was breached, the inner wall stopped a wave or two, then it fell.

By the third day, we tried a different mindset. Assume the castle will be breached. So we tried a radically different approach. We designed a castle that gets the breached water back out through a system of moats and canals. Sure, there were walls as well – lots of them, but gone was the dependence on one or two walls.

The result? Well, the tide ultimately won – this is vacation after all — but we lasted a good 50 minutes before the castle was leveled.

As I battled the tide, I couldn’t help but think about our increasingly futile attempt to keep the bad guys out (you can see why I needed the vacation!)

For example,

Are you overly dependent on one or two layers of (fire)walls to keep the bad guys out?

Have you changed your mindset in how you approach information security? Assume you will be breached. You probably already have been, you just don’t know it yet. It’s time to change our thinking in information security.

The best protection = prevention + detection. We tend to be overly dependent on the prevention side to keep the bad guys (tide) out, but have invested little in detecting when an advanced intrusion has occurred.and minimizing the dwell time of attackers.

Strategies like Systematic Workload Reprovisioning aren’t a silver bullet, but do offer new approaches to information systems design to minimize the dwell time of advanced persistent threats.

Food for thought.

We have reached a point where our systems must be considered to have been compromised, even if we don’t have a signature to prove it. All workloads are suspect, even if they appear to be healthy.

How do we protect ourselves in such an environment? There are multiple ways (defense in depth) to counter the threat of APTs; however, one important and radically new approach is to systematically reprovision server OS and application workloads from high-assurance repositories and templates. We call this SWR – short for “systematic workload reprovisioning”.

Rather than having to trust every production server, we can reduce the scope of trust to the high-assurance libraries, models, templates and files that are used to periodically reprovision the servers. This reduces the ability of the hacker to maintain their undetected foothold in our systems.

I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations

For some curmudgeonly information security and operations professionals, this approach will seem radical. “Take down perfectly good (ostensibly) server workloads? Heresy!”

However, there is a precedent in human physiology. The human immune system has a similar challenge with cancer — a situation where the instructions within the body’s own workloads (cells) are compromised and cause damage from within. Much like APTs, cancer isn’t detectable by the human immune system using traditional signature-based (antibodies) and the adaptive immune system (T cell and B cell) mechanisms.

The human immune system uses apoptosis — programmed cell death — as one of its strategies to counter the advanced and persistent threat of cancer (if apoptosis is inhibited, then cells have a greater chance of becoming cancerous). With apoptosis, all workloads (cells) are autonomically regenerated from a high-assurance set of instructions (DNA) located in the nucleus of the cell or another location within the body, such as the bone marrow for blood cells. Similar to an SWR strategy, apoptosis occurs when cells appear to be damaged, as well as when they appear to be healthy.

Why can’t information security take some lessons from the human immune system? We’ve been dealing with advanced threats for millions of years and routinely deal with threats that have bypassed our perimeter protection mechanisms.

Food for thought.

I’ll be talking about SWR next week at Gartner’s Information Security Summit in Washington DC. I hope to see you there.

The trouble with Advanced Persistent Threats is that, by definition, they have evaded our traditional network and endpoint security controls and now reside undetected in our IT Systems. How many advanced intrusions will it take (such as RSA, Lockheed, Google, IMF, …) before you reach the same conclusion that many of us already have:

Your systems have been compromised. You just don’t know it (yet).

To counter APTs, new approaches are needed. Using virtualization of OS and applications as well as taking advantage of resilient web- and cloud-oriented scale out application architectures, we can take a new approach: periodically rebuild and reprovision server and desktop workloads from a high-assurance library of base image files. In short, periodically killing live workloads and restoring them to a high assurance state – even if they appear to be healthy. I call this “systematic workload reprovisioning” – SWR for short.

A SWR strategy reduces the dwell time of an intruder and will appeal to information security professionals looking for new ways to counter advanced intrusions for high-risk workloads,

It sounds straightforward, but embracing SWR requires a radical change in mindset for information security professionals: live workloads are no longer fully trusted. Instead of having to trust thousands of live workloads, our trust model is collapsed to the high-assurance libraries and templates that are used to periodically reprovision the workloads. Thus, SWR has several implications on the ongoing management of workloads that must be considered.

I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations

There is no silver bullet in information security, but SWR will become an accepted strategy and part of a defense-in-depth strategy for dealing with APTs in forward-leaning information security organizations over the next five years.

I’ll be talking about SWR next week at Gartner’s Information Security Summit in Washington DC. I hope to see you there.

Does this mean that IT Operations and Security are converging?

I believe “convergence” is too strong of a word to describe what it going on. Convergence implies that one or the other goes away. That isn’t the case here. IT Operations and Information Security are like Ying and Yang. A healthy but necessary tension exists between the two.

While there may be convergence of the infrastructure underneath that carries bits out to the endpoints (in this case, the SCCM servers and agent), this shouldn’t be confused with convergence of policy administration. In other words, while the operational infrastructure might be used to deploy and update the policy enforcement mechanism (the Forefront agent in this case), this doesn’t mean that the need for separation of duties of policy administration has gone away. Leveraging operational infrastructure for security policy enforcement makes sense as long as separation of duties is maintained.

“Integration”, Interoperability” and “Reducing redundant infrastructure” are much better ways to describe what is happening – and it’s not just with the security and management of endpoints that this integration and leveraging of common infrastructure is happening.