<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Neil MacDonald &#187; Next-generation Security Infrastructure</title>
	<atom:link href="http://blogs.gartner.com/neil_macdonald/category/next-generation-security-infrastructure/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/neil_macdonald</link>
	<description>A Member of the Gartner Blog Network</description>
	<lastBuildDate>Fri, 03 Feb 2012 13:55:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Intrusion Prevention Systems? We Need Intrusion Resilient Systems</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 13:53:58 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[DC-Summit-NA]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[DevOpsSec]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/</guid>
		<description><![CDATA[I’ve blogged before about advanced threats that easily bypass our traditional protection mechanisms and reside undetected for extended periods of time on our systems. On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. “You are compromised, get over it”. Others in the US Government have come to the [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve blogged before about <a href="http://blogs.gartner.com/neil_macdonald/2011/04/14/advanced-persistent-threats-finding-the-needle-in-a-haystack/">advanced threats that easily bypass our traditional protection mechanisms</a> and reside undetected for extended periods of time on our systems.</p>
<p>On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. <a href="http://blogs.gartner.com/neil_macdonald/2011/03/01/one-big-take-away-from-rsa-intelligence/">“You are compromised, get over it”.</a> Others in the <a href="http://blogs.gartner.com/neil_macdonald/2011/04/05/theres-no-such-thing-as-secure-anymore/">US Government have come to the same conclusion.</a></p>
<p>We spend far too much of our information security budget on increasingly ineffective mechanisms designed to prevent intrusions, including network and host-based solutions, firewalls, IPS and antimalware systems. Does that mean we give up on these? Not at all. What we need are new capabilities in other areas.</p>
<p>Assume you’ve been compromised. How would you know? We don’t spend nearly enough on systems that help us to better detect a compromise after it has occurred. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/">We can’t keep pretending that we can keep the bad guys out.</a></p>
<p>Where are net new investments needed? Here are just a few of the specific areas I discuss in my research.</p>
<ul>
<li>More monitoring. <a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">Lots more.</a> At all layers of the stack – packet, flows, sessions, transactions, applications, user activities – all of it.</li>
<li><a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">More context-awareness.</a> To separate meaningful anomalies out from a sea of monitored events will require more context – identity, application, content, location, time of day, reputation and so on.</li>
<li>Big data and analytics brought to information security. <a href="http://blogs.gartner.com/neil_macdonald/2011/04/12/information-security-is-becoming-big-data-problem/">Information security is becoming a big data problem</a> and we need the systems, algorithms and new sets of security skills to derive insight from this.</li>
<li><a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">Higher levels of automation</a>. To free up time to focus on the really important stuff, security professionals have got to get out of the day-to-day programming of security policy enforcement points. <a href="http://blogs.gartner.com/neil_macdonald/2010/09/21/security-thought-for-tuesday-program-policies-not-infrastructure/">Program policies? Yes. Program quintuples?</a> No.</li>
<li>Cloud-based security policy enforcement. If we don’t own the device or the network (think 3G, 4G etc) then we can’t always rely on traditional network and host-based security controls for protection.</li>
<li>Applications that are designed to be securely operated and used from inception. <a href="http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/">DevOpsSec</a> must and will become a reality.</li>
<li>A shift in thinking from Security Information and Event Management to delivering <a href="http://blogs.gartner.com/neil_macdonald/2011/03/01/one-big-take-away-from-rsa-intelligence/">Security Intelligence</a>.</li>
</ul>
<p>I believe information security infrastructure is at a critical inflection point. The status quo isn’t cutting it. Changes are needed.</p>
<p>Are the vendors up to it if it means we spend less for the increasingly ineffective legacy solutions they are selling us? (The good news is that we’ll spend more in the other areas highlighted above if they make these types of advancements.)</p>
<p>Are we up to it? Are we prepared to admit that we are currently on the losing side of this battle and make the types of process, technology and mindset changes above?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DevOps Needs to Become DevOpsSec</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 15:13:09 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[application security testing tools]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[DevOpsSec]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Security-Summit-NA]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/</guid>
		<description><![CDATA[DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. Breakdowns in communications and processes across development, operations and security [...]]]></description>
			<content:encoded><![CDATA[<p>DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. Breakdowns in communications and processes across development, operations and security are the root cause of the vast majority of critical system downtime, including downtime caused by breaches in security. For example, Gartner research shows that 75% of successful attacks occur against previously known vulnerabilities for which a patch or secure configuration standard was already available (actually, this used to be about 90%, but <a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">advanced and targeted attacks</a> have changed the equation).</p>
<p>Conventional wisdom believes the agile nature of the DevOps vision is fundamentally at odds with the historically static and cumbersome nature of information security. I disagree. I believe that security can support a unified vision of DevOpsSec, but to do this, information security must change in multiple ways including security infrastructure becoming more <a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">adaptive</a> and <a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">programmable</a> and making information security representation an integral part of DevOpsSec teams from the genesis of new applications and services.</p>
<p>I’ve just published a research note for clients <a href="http://www.gartner.com/resId=1896617">DevOpsSec: Creating the Agile Triangle</a> that makes the argument for DevOpsSec and outlines the major areas of change for information security to support a unified DevOpsSec vision. My colleague, <a href="http://blogs.gartner.com/cameron_haight">Cameron Haight</a>, from the IT Operations side of Gartner research joined me on the research note. He has pioneered much of the research on DevOps for Gartner and increasingly he is being asked how DevOps can be adopted without sacrificing security. Increasingly, I am being asked how to rationalize the agile nature of DevOps with the need for <a href="http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/">security testing</a>. Together, we teamed up to deliver the first in a series of research notes on how to deliver DevOpsSec.</p>
<p>Development, operations and security are fundamentally intertwined. A well-designed, developed and managed system is the foundation of a secure system. DevOps must evolve to a new vision of DevOpsSec that balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications and services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Observations from Gartner&#8217;s Data Center Summit</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 17:37:38 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[Hypervisor Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[vShield]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</guid>
		<description><![CDATA[I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential impact of the Eurozone crisis on information security spending. Here, I want to outline the top security-related issues and concerns that I discussed with attendees [...]]]></description>
			<content:encoded><![CDATA[<p>I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential <a href="http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/">impact of the Eurozone crisis on information security spending.</a></p>
<p>Here, I want to outline the top security-related issues and concerns that I discussed with attendees at the conference:</p>
<ul>
<li>Interest in securing the next-generation virtualized data center remains high with most of the questions focused on the separation of workloads of different trust levels (e.g. PCI, DMZ, dev/test) in virtualized environments. In most cases, this will involve the use of <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">software-based virtualized security controls</a>. Specific to PCI, one attendee indicated their QSA had accepted PCI and non-PCI related workloads on the same physical host without all workloads being considered in scope (in this case, they used externalized physical firewall-based separation).</li>
<li>Several attendees asked if I was aware of any publicized incidents of hypervisor breaches. I’m not, but that doesn’t mean that they won’t (or haven’t) happened. <a href="http://blogs.gartner.com/neil_macdonald/2011/01/26/yes-hypervisors-are-vulnerable/">The vulnerabilities are there</a>. It will happen, it’s just a matter of time – hackers are quite aware that a successful attack at this layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host.</li>
<li>I had several questions on optimizing antimalware scanning in a virtualized environment. Trend Micro has been an early innovator here with its integration <a href="http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/">with VMware’s vShield Endpoint APIs</a>, but there are other options and approaches, each with pros and cons.</li>
<li>In terms of cloud security, most questions revolved around extending enterprise virtualized data centers to public cloud IaaS providers in hybrid scenarios and how to protect this.</li>
<li>The second most common cloud security issue discussed was the use of encryption and other approaches to securing data in the cloud. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Since cloud isn’t one thing</a>, our approaches to securing data in the cloud will be different at different layers.</li>
</ul>
<p>It was a great conference with record-setting attendance. It’s clear to me that <a href="http://blogs.gartner.com/neil_macdonald/2010/01/04/six-trends-that-will-further-reshape-information-security-in-2010/">virtualization, mobilization and cloud computing are transforming the enterprise data center</a> and that information security needs to evolve to support this. Based on the interests from attendees of the conference in information security, I’d say they feel exactly the same way.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>US Symposium Summary from a Security Perspective</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 13:22:51 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Microsoft Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[DC-Summit-NA]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</guid>
		<description><![CDATA[Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene. In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four [...]]]></description>
			<content:encoded><![CDATA[<p>Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene.</p>
<p>In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.</p>
<p>What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:</p>
<p>1) Endpoint security, <a href="http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/">application control and whitelisting.</a> Microsoft is causing significant disruption in this market with its <a href="http://blogs.gartner.com/neil_macdonald/2011/08/04/microsofts-forefront-endpoint-protection-is-it-good-enough/">new version of Forefront Endpoint Protection</a> and its change in licensing policies.</p>
<p>2) Strategies for <a href="http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/">protection against Advanced threats</a> (note that this overlaps with #1 a bit)</p>
<p>3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?</p>
<p>4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.</p>
<p>Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.</p>
<p>In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Cloud is a computing style, not a location.</a> It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security <a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">to a set of software-based services delivered by programmable infrastructure.</a> I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">imagining firewall services decoupled from the physical hardware underneath</a> and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.</p>
<p>If you follow my thoughts from the conference on <a href="http://twitter.com/#!/@nmacdona/">twitter (@nmacdona),</a> you’ll see some of the feedback on my context-aware security presentation. Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out, with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.</p>
<p>As I have discussed previously many times, all of <a href="http://my.gartner.com/portal/server.pt?open=512&amp;objID=260&amp;mode=2&amp;PageID=3460702&amp;id=1369721&amp;ref=clientFriendlyUrl">information security is becoming context-aware and adaptive</a> and this attribute will be a key characteristic of all next generation security offerings (<a href="http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/">IPS</a>, FW, endpoint protection, IAM, DLP, and so on).</p>
<p>Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending <a href="http://www.gartner.com/technology/summits/na/data-center/">Gartner’s upcoming US Data Center summit in December in Las Vegas</a> and we can catch up there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Next-gen Context Aware Intrusion Prevention</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 13:40:58 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/</guid>
		<description><![CDATA[Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats. In this 2010 research note that provided a definition and framework for understanding context-aware [...]]]></description>
			<content:encoded><![CDATA[<p>Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats.</p>
<p>In this 2010 research note that provided a definition and framework for understanding context-aware security <a href="http://www.gartner.com/resId=1369721">The Future of Information Security is Context Aware and Adaptive</a>, I used the term “next-generation IPS” to describe how advanced intrusion prevention systems were becoming context aware in order to make improved security decisions (faster, more accurate and better suited to detect advanced threats).</p>
<blockquote><p>Network security solutions are evolving to incorporate &#8220;application awareness&#8221; and &#8220;identity awareness&#8221; into their offerings. Information protection solutions are evolving to deliver &#8220;content awareness.&#8221; Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made.</p></blockquote>
<p>In the research note, I provided several examples of how information security infrastructure was evolving to become context-aware, including next-generation IPSs:</p>
<blockquote><p>Intrusion prevention systems (IPSs) — Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.</p></blockquote>
<p>We’ve just published <a href="http://www.gartner.com/resId=1818521">this research note for clients</a> that outlines the key attributes of a next-generation IPS. Context-awareness in the form of application, identity, content and environmental awareness is the foundation for a next-generation IPS.</p>
<p><a href="http://blogs.gartner.com/neil_macdonald/tag/context-aware-security/">As I have observed several times</a>, <strong>all information security infrastructure must become context-aware </strong>– endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management systems, secure web gateways, secure email gateways, data loss prevention systems … all of it.</p>
<p>The shift to incorporate “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Loss Prevention Needs to Evolve</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/11/data-loss-prevention-needs-to-evolve/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/11/data-loss-prevention-needs-to-evolve/#comments</comments>
		<pubDate>Tue, 11 Oct 2011 16:06:24 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[Security No-Brainer]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/11/data-loss-prevention-needs-to-evolve/</guid>
		<description><![CDATA[Traditional data loss prevention has been focused on looking for signatures and patterns of sensitive data at rest within the organization and as it moves throughout the organization, including to destinations outside of the enterprise (the latter is where most organizations have started). &#60;digress&#62; You noticed I didn’t use the term “DLP”. That’s because I [...]]]></description>
			<content:encoded><![CDATA[<p>Traditional data loss prevention has been focused on looking for signatures and patterns of sensitive data at rest within the organization and as it moves throughout the organization, including to destinations outside of the enterprise (the latter is where most organizations have started).</p>
<p>&lt;digress&gt; You noticed I didn’t use the term “DLP”. That’s because I believe data loss prevention is just one of many controls that need to be mapped to a broader <a href="http://blogs.gartner.com/neil_macdonald/2010/02/24/its-time-to-redefine-dlp-as-data-lifecycle-protection/">data lifecycle protection process</a> that I believe is the real “DLP”. I digress – that’s another discussion…   &lt;/digress&gt;</p>
<p>I had an interesting request from a client a while ago. They wanted to look through all of their file shares for <em>inappropriate</em> data. In their case, an employee had been discovered with dozens of gigabytes of pirated music stored on their enterprise servers, which represented a potential legal liability for the organization. The client wanted to search all of their repositories for potentially inappropriate data – such as music files, video files, sexually explicit images and so on. We already have data loss prevention tools that rummage through our systems looking for sensitive data, so why not expand this capability to inappropriate data? Taking this further, how about inspecting source code files and scanning these for potentially unlicensed or insecure open source libraries (Palamida, Black Duck and others provide this today as a point solution)?</p>
<p>At the time, none of the data loss prevention tool vendors provided this capability, and I directed the client to the single enterprise third-party tool I was aware of that specialized in detecting inappropriate content.</p>
<p>I don’t see how these use cases are so different that they require different tools. Learn a data pattern or signature and look for it by crawling through data repositories. Could be sensitive, could be unlicensed, could be inappropriate &#8211; same problem. It seems like a security no-brainer for data loss prevention tools to evolve to support the use case of identifying potentially inappropriate data usage in addition to sensitive data usage.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/11/data-loss-prevention-needs-to-evolve/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Does Protecting Desktops Require a Different Vendor/Product than Protecting Servers?</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/09/29/does-protecting-desktops-require-a-different-vendorproduct-than-protecting-servers/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/09/29/does-protecting-desktops-require-a-different-vendorproduct-than-protecting-servers/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 15:41:32 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Adaptive Security Infrastructure]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[Lockdown]]></category>
		<category><![CDATA[Reducing Complexity]]></category>
		<category><![CDATA[Reducing Cost]]></category>
		<category><![CDATA[Windows]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/09/29/does-protecting-desktops-require-a-different-vendorproduct-than-protecting-servers/</guid>
		<description><![CDATA[I’ve made it a point over the past 6 months to ask clients if they are combining their endpoint protection platform contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs. Is protecting a desktop different than a [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve made it a point over the past 6 months to ask clients if they are combining their <a href="http://blogs.gartner.com/neil_macdonald/2009/03/04/defense-in-depth-doesnt-mean-spend-in-depth/">endpoint protection platform</a> contracts across desktops, laptops and servers. In most cases (about 75%), the answer is yes – contracts are being combined in order to reduce complexity and costs.</p>
<p>Is protecting a desktop different than a laptop? Yes.</p>
<p>Is protecting a server different than a desktop or laptop? Yes.</p>
<p>However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:</p>
<ul>
<li>All desktops and laptops need AV. Some servers need AV (general purpose file servers) and most organizations require AV on all Windows servers by policy.</li>
<li><a href="http://blogs.gartner.com/neil_macdonald/2010/05/11/application-control-whitelisting-interest-is-growing-rapidly/">Application Control</a> is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and <a href="http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/">leading application control vendors are innovating in how they manage trusted change in desktop scenarios.</a></li>
<li>Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all, although once an attacker is inside the data center a host firewall is one of the few controls that limits server-to-server lateral movement.</li>
<li>Deep-packet-inspection-based host intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capability of this style of protection tends to be more valued on servers that can’t be patched as frequently.</li>
<li>Rules-based HIPS tends to be used more on servers, where rules about normal application behavior are more easily defined.</li>
<li>Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect from zero-day attacks, because these devices routinely deal with arbitrary code. This isn’t as important on servers, as they don’t routinely deal with arbitrary code and organizations don’t want to risk an occasional false positive.</li>
<li>Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.</li>
<li>Laptops are great candidates for full drive encryption, <a href="http://blogs.gartner.com/neil_macdonald/2011/08/22/full-drive-encryption-is-not-just-for-laptops/">but some fixed desktop and server scenarios make sense for full drive encryption as well.</a></li>
</ul>
<p>The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption and so on – <a href="http://blogs.gartner.com/neil_macdonald/2010/12/23/antivirus-is-dead-long-live-antivirus/"><em>working together as a system</em></a>. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and increasingly mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.</p>
<p>Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?</p>
<p>How does your organization handle this?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/09/29/does-protecting-desktops-require-a-different-vendorproduct-than-protecting-servers/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Building Context-Aware Security: VMware Acquires PacketMotion</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/#comments</comments>
		<pubDate>Sat, 27 Aug 2011 23:06:11 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[vShield]]></category>
		<category><![CDATA[vSphere]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/</guid>
		<description><![CDATA[VMware quietly disclosed it has acquired PacketMotion in this recent blog post by Dean Coza of VMware. We identified PacketMotion as a cool vendor in Gartner in this 2009 research for clients. Essentially, PacketMotion uses standard Intel-based hardware appliances  (as well as a virtualized probe implementation that runs inside of virtualized environments) to deliver full [...]]]></description>
			<content:encoded><![CDATA[<p>VMware quietly <a href="http://blogs.vmware.com/console/2011/08/vmware-acquires-packetmotion.html">disclosed it has acquired PacketMotion in this recent blog post by Dean Coza of VMware</a>.</p>
<p>We identified <a href="http://www.gartner.com/resId=913636">PacketMotion as a Cool Vendor in this 2009 Gartner research note for clients.</a> Essentially, PacketMotion uses standard Intel-based hardware appliances (as well as a virtualized probe implementation that runs inside of virtualized environments) to deliver full layer 7 decodes of sessions, providing context-aware security monitoring with application and identity awareness.</p>
<p>So why the acquisition?</p>
<p>VMware’s vShield App already provides some application awareness, based on technology from its acquisition of BlueLane; PacketMotion’s application decodes will augment this capability. The more important capability is identity awareness. In this recent research note for clients on vShield <a href="http://www.gartner.com/resId=1482321">(“VMware Pushes Further Into the Security Market With Its vShield Offerings”)</a>, I identified identity awareness as a key need for vShield App:</p>
<blockquote><p>VMware provides only basic application awareness in the first release of vShield App. Richer application, identity and content awareness capabilities are expected in future releases.</p></blockquote>
<p>Why context? In this research note for clients “<a href="http://www.gartner.com/resId=1369721">The Future of Information Security is Context-Aware and Adaptive”</a>, I stated:</p>
<blockquote><p>Rapidly changing business and threat environments, as well as user demands, are stressing static security policy enforcement models. Information security infrastructure must become adaptive by incorporating additional context at the point when a security decision is made, and we are already seeing signs of this transformation. Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the point when a security decision is made.</p></blockquote>
<p>Adding identity, application and content awareness to information security policy decision making are all examples of the same fundamental shift to <a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">make information security context-aware and adaptive.</a></p>
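<p>An added example, not VMware’s or PacketMotion’s code, of what “more context at the point of decision” buys you: the same captured TCP session is evaluated first by a port-based rule, which sees only the 5-tuple, and then by a policy that decodes the session at layer 7 and adds identity (from the request’s <code>Authorization</code> header), application (host plus first path segment) and content labels to the decision. The sessions, the hostnames, the <code>DIRECTORY</code> group lookup, the “CONFIDENTIAL” content marker and the policy rules are all constructed for the demo.</p>

```python
"""Added example: one session judged by a port rule and by a context-aware
policy with identity, application and content awareness. All data constructed."""
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes            # first bytes of the client side of the session


@dataclass
class Context:
    host: Optional[str] = None           # decoded from the Host header
    application: Optional[str] = None    # host + first path segment
    identity: Optional[str] = None       # user from the Authorization header
    content_labels: Set[str] = field(default_factory=set)


# Hypothetical directory (identity -> groups), consulted at decision time.
DIRECTORY: Dict[str, Set[str]] = {"alice": {"hr", "staff"}, "bob": {"engineering", "staff"}}


def decode_http(payload: bytes) -> Context:
    """Minimal layer-7 decode of an HTTP/1.1 request; non-HTTP bytes yield an empty Context."""
    ctx = Context()
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        _method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return ctx
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    ctx.host = headers.get("host")
    if ctx.host is None:
        return Context()
    first_segment = target.strip("/").split("/")[0]
    ctx.application = f"{ctx.host}/{first_segment}" if first_segment else ctx.host
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            ctx.identity = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            pass
    if b"CONFIDENTIAL" in body:                        # crude content classifier for the demo
        ctx.content_labels.add("confidential")
    if headers.get("content-type", "").startswith(("multipart/form-data", "application/octet-stream")):
        ctx.content_labels.add("file-upload")
    return ctx


def static_firewall(session: Session) -> str:
    """Port-based rule: the only context is the 5-tuple."""
    return "allow" if session.dst_port in (80, 443) else "deny"


def context_aware_policy(session: Session) -> Tuple[str, str]:
    """Same session, decided with identity, application and content in hand."""
    ctx = decode_http(session.payload)
    if ctx.host is None:
        return "deny", "traffic on a web port did not decode as HTTP"
    groups = DIRECTORY.get(ctx.identity, set())
    internal = ctx.host.endswith(".corp.example")
    if ctx.application.startswith("hr.corp.example/payroll") and "hr" not in groups:
        return "deny", f"identity {ctx.identity!r} is not in group hr ({ctx.application})"
    if "confidential" in ctx.content_labels and not internal:
        return "deny", f"confidential content to external application {ctx.application}"
    return "allow", f"{ctx.identity} -> {ctx.application} {sorted(ctx.content_labels)}"


def build_request(method: str, host: str, path: str, user: str,
                  body: bytes = b"", ctype: Optional[str] = None) -> bytes:
    """Constructed HTTP/1.1 request carrying Basic auth (demo credential)."""
    cred = base64.b64encode(f"{user}:hunter2".encode()).decode()
    hdrs = [f"{method} {path} HTTP/1.1", f"Host: {host}", f"Authorization: Basic {cred}"]
    if ctype:
        hdrs.append(f"Content-Type: {ctype}")
    hdrs.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(hdrs) + "\r\n\r\n").encode() + body


SESSIONS: Dict[str, Session] = {   # constructed sample traffic, all on tcp/80
    "bob-payroll": Session("10.1.1.5", "10.2.0.10", 80,
                           build_request("GET", "hr.corp.example", "/payroll/export", "bob")),
    "alice-exfil": Session("10.1.1.7", "203.0.113.9", 80,
                           build_request("POST", "upload.example.net", "/files", "alice",
                                         b"CONFIDENTIAL payroll Q3", "application/octet-stream")),
    "alice-payroll": Session("10.1.1.7", "10.2.0.10", 80,
                             build_request("GET", "hr.corp.example", "/payroll/", "alice")),
    "not-http": Session("10.1.1.9", "10.2.0.10", 80, b"\x16\x03\x01\x00\x05hello"),
}


def evaluate_all() -> Dict[str, Tuple[str, str]]:
    """Verdict pairs (port-based, context-aware) for every sample session."""
    return {name: (static_firewall(s), context_aware_policy(s)[0]) for name, s in SESSIONS.items()}


if __name__ == "__main__":
    for name, s in SESSIONS.items():
        verdict, reason = context_aware_policy(s)
        print(f"{name:14} port-rule={static_firewall(s):5} context={verdict:5} {reason}")
```

<p>The port rule allows all four sessions because they all look like web traffic; the context-aware policy allows only the one where the identity, the application and the content are all consistent with policy. Note where the decision is made: the directory lookup and the content label are fetched at enforcement time, not baked into a static rule written weeks earlier.</p>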
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/08/27/building-context-aware-security-vmware-acquires-packetmotion/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It&#8217;s Time for Security to Ascend</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/#comments</comments>
		<pubDate>Wed, 24 Aug 2011 15:23:27 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Virtual Appliances]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/</guid>
		<description><![CDATA[As I research into the future of adaptive security infrastructure, I am convinced that the future of information security lies in software, not hardware. If you think about it for a bit, most of information security policy enforcement is in the form of software already – it’s just embodied (entombed?) in physical hardware. Unfortunately, the [...]]]></description>
			<content:encoded><![CDATA[<p>As I research into the future of adaptive security infrastructure, I am convinced that the future of information security lies in software, not hardware.</p>
<p>If you think about it for a bit, most of information security policy enforcement is in the form of software already – it’s just embodied (entombed?) in physical hardware.</p>
<p>Unfortunately, the rigidity of hardware slows down our ability to support rapidly changing computing environments. As data centers are increasingly virtualized, as users become more mobile and as organizations increasingly adopt public cloud-based services, security controls must shed their physical shackles and exist as software-based enforcement points that can be placed when and where needed.</p>
<p>If you are a science fiction fan, it’s kinda like “ascension” – as intelligent species evolved they shed their physical bodies and exist as pure energy – <a href="http://stargate.wikia.com/wiki/Ascension">like this example in StarGate</a> (and I’m sure there are many other examples). As described in the StarGate Wiki:</p>
<blockquote><p><strong>Ascension</strong> is a process that allows beings to be able to separate from their physical bodies and to live eternally as pure energy in a superior plane with greater amount of knowledge and power. It can be a mental, spiritual or evolutionary process—a direct result of obtaining a certain level of wisdom and knowledge…</p></blockquote>
<p>Superior plane? More knowledge? Wisdom? Bring this to information security! OK, so the analogy may be a stretch.</p>
<p>Regardless, the future of information security is a set of <a href="http://www.gartner.com/resId=1369721">context-aware</a>, software-based security policy enforcement points that can be placed when and where needed within a virtualized or cloud-based computing architecture. Depending on the context, the control may need to be embodied in hardware; at other times it will run <a href="http://blogs.gartner.com/neil_macdonald/2010/02/19/virtualization-security-challenges-the-status-quo/">as a virtual appliance</a> in my own data center, and in other situations as a cloud-based service provided by someone else. Supporting <a href="http://blogs.gartner.com/neil_macdonald/2010/03/12/intelligent-hybrid-security-is-the-future/">hybrid scenarios</a> will be an absolute requirement.</p>
<p>Even when embodied in hardware, many architectures are shifting to x86-based hardware foundations, with proprietary hardware typically only required for encryption offload; even there, the latest Intel processors provide encryption instruction acceleration (AES-NI) on the general-purpose CPU.</p>
<p>The core value proposition and differentiation of security vendors will come from their software, not hardware, and their ability to use context to support dynamic computing models with adaptive security policies that can adjust in real-time as users and devices move between on-premises and cloud-based services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Sand Castles and Advanced Persistent Threats</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/#comments</comments>
		<pubDate>Mon, 11 Jul 2011 23:02:36 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[APTs]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[Security-Summit-NA]]></category>
		<category><![CDATA[Systematic Workload Reprovisioning]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/</guid>
		<description><![CDATA[I’ve been absent from blogging for 2 weeks – first we had the Gartner Information Security Summit in DC and then I took some time off for a much-needed vacation. We spent some time at Hilton Head Island in South Carolina. They’ve got a pretty amazing flat beach where the difference between high tide and [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve been absent from blogging for 2 weeks – first we had the Gartner <a href="http://blogs.gartner.com/neil_macdonald/2011/06/23/real-world-systematic-workload-reprovisioning/">Information Security Summit in DC</a> and then I took some time off for a much-needed vacation.</p>
<p>We spent some time at Hilton Head Island in South Carolina. They’ve got a pretty amazing flat beach where the difference between high tide and low tide can be about 300 feet of beach. We’d use this to have a daily sand building exercise before the tide would come in.</p>
<p><a href="http://upload.wikimedia.org/wikipedia/commons/8/81/SandCastle3600ppx.jpg"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/8/81/SandCastle3600ppx.jpg/800px-SandCastle3600ppx.jpg" alt="File:SandCastle3600ppx.jpg" width="318" height="239" /></a></p>
<p>The first day we tried a traditional design – a big, thick wall around the inner castle (a lot like the one above – I didn’t bring my cell phone down to the beach for a pic). It lasted about 20 minutes before a large wave breached the wall. Once that happened, subsequent waves took no time in leveling the rest.</p>
<p>The next day we tried two walls by adding a second, smaller inner wall around the castle inside. That added maybe all of 2 minutes of survival time. Once the outer wall was breached, the inner wall stopped a wave or two, then it fell.</p>
<p>By the third day, we tried a different mindset. <strong>Assume the castle will be breached.</strong> So we tried a radically different approach. We designed a castle that gets the breached water back out through a system of moats and canals. Sure, there were walls as well – lots of them, but gone was the dependence on one or two walls.</p>
<p>The result? Well, the tide ultimately won – this is vacation after all &#8212; but we lasted a good 50 minutes before the castle was leveled.</p>
<p>As I battled the tide, I couldn’t help but think about our increasingly futile attempt to keep the bad guys out (you can see why I needed the vacation!).</p>
<p>For example,</p>
<p>Are you overly dependent on one or two layers of (fire)walls to keep the bad guys out?</p>
<p>Have you changed your mindset in how you approach information security? <strong>Assume you will be breached.</strong> <a href="http://blogs.gartner.com/neil_macdonald/2011/03/01/one-big-take-away-from-rsa-intelligence/">You probably already have been, you just don’t know it yet.</a> It’s time to change our thinking in information security.</p>
<p><a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">The best protection = prevention + detection</a>. We tend to be overly dependent on the prevention side to keep the bad guys (tide) out, but have invested little in detecting when an advanced intrusion has occurred and minimizing the dwell time of attackers.</p>
<p>Strategies like <a href="http://blogs.gartner.com/neil_macdonald/2011/06/17/dont-trust-your-servers/">Systematic Workload Reprovisioning</a> aren’t a silver bullet, but do offer new approaches to information systems design to minimize the dwell time of <a href="http://blogs.gartner.com/neil_macdonald/2011/04/04/are-apts-really-new-observations-from-the-apt-summit/">advanced persistent threats.</a></p>
<p>Food for thought.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

