<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Neil MacDonald</title>
	<atom:link href="http://blogs.gartner.com/neil_macdonald/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/neil_macdonald</link>
	<description>A Member of the Gartner Blog Network</description>
	<lastBuildDate>Fri, 03 Feb 2012 13:55:45 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Intrusion Prevention Systems? We Need Intrusion Resilient Systems</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 13:53:58 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[DC-Summit-NA]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[DevOpsSec]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/</guid>
		<description><![CDATA[I’ve blogged before about advanced threats that easily bypass our traditional protection mechanisms and reside undetected for extended periods of time on our systems. On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. “You are compromised, get over it”. Others in the US Government have come to the [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve blogged before about <a href="http://blogs.gartner.com/neil_macdonald/2011/04/14/advanced-persistent-threats-finding-the-needle-in-a-haystack/">advanced threats that easily bypass our traditional protection mechanisms</a> and reside undetected for extended periods of time on our systems.</p>
<p>On one of the panels I moderated on APTs, Dave Merkel from Mandiant put it best. <a href="http://blogs.gartner.com/neil_macdonald/2011/03/01/one-big-take-away-from-rsa-intelligence/">“You are compromised, get over it”.</a> Others in the <a href="http://blogs.gartner.com/neil_macdonald/2011/04/05/theres-no-such-thing-as-secure-anymore/">US Government have come to the same conclusion.</a></p>
<p>We spend far too much of our information security budget on increasingly ineffective mechanisms designed to prevent intrusions, including network and host-based solutions, firewalls, IPS and antimalware systems. Does that mean we give up on these? Not at all. What we need are new capabilities in other areas.</p>
<p>Assume you’ve been compromised. How would you know? We don’t spend nearly enough on systems that help us to better detect a compromise after it has occurred. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/">We can’t keep pretending that we can keep the bad guys out.</a></p>
<p>Where are net new investments needed? Here’s just a few of the specific areas I discuss in my research.</p>
<ul>
<li>More monitoring. <a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">Lots more.</a> At all layers of the stack – packet, flows, sessions, transactions, applications, user activities – all of it.</li>
<li><a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">More context-awareness.</a> To separate meaningful anomalies out from a sea of monitored events will require more context – identity, application, content, location, time of day, reputation and so on.</li>
<li>Big data and analytics brought to information security. <a href="http://blogs.gartner.com/neil_macdonald/2011/04/12/information-security-is-becoming-big-data-problem/">Information security is becoming a big data problem</a> and we need the systems, algorithms and new sets of security skills to derive insight from this.</li>
<li><a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">Higher levels of automation</a>. To free up time to focus on the really important stuff, security professionals have got to get out of the day-to-day programming of security policy enforcement points. <a href="http://blogs.gartner.com/neil_macdonald/2010/09/21/security-thought-for-tuesday-program-policies-not-infrastructure/">Program policies? Yes. Program quintuples?</a> No.</li>
<li>Cloud-based security policy enforcement. If we don’t own the device or the network (think 3G, 4G etc) then we can’t always rely on traditional network and host-based security controls for protection.</li>
<li>Applications that are designed to be securely operated and used from inception. <a href="http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/">DevOpsSec</a> must and will become a reality.</li>
<li>A shift in thinking from Security Information and Event Management to delivering <a href="http://blogs.gartner.com/neil_macdonald/2011/03/01/one-big-take-away-from-rsa-intelligence/">Security Intelligence</a>.</li>
</ul>
<p>I believe information security infrastructure is at a critical inflection point. The status quo isn’t cutting it. Changes are needed.</p>
<p>Are the vendors up to it if it means we spend less on the increasingly ineffective legacy solutions they are selling us? (The good news is that we’ll spend more in the other areas highlighted above if they make these types of advancements.)</p>
<p>Are we up to it? Are we prepared to admit that we are currently on the losing side of this battle and make the types of process, technology and mindset changes above?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/02/03/intrusion-prevention-systems-we-need-intrusion-resilient-systems/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Interactive Application Security Testing</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/01/30/interactive-application-security-testing/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/01/30/interactive-application-security-testing/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 14:24:52 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[application security testing tools]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/01/30/interactive-application-security-testing/</guid>
<description><![CDATA[Dynamic Application Security Testing (DAST) solutions test applications from the “outside in” to detect security vulnerabilities. In contrast, Static Application Security Testing (SAST) solutions test applications from the “inside out” by looking at source code, byte code or binaries. Both approaches have their pros and cons and, until recently, the market for these tools has [...]]]></description>
<content:encoded><![CDATA[<p>Dynamic Application Security Testing (DAST) solutions test applications from the “outside in” to detect security vulnerabilities. In contrast, Static Application Security Testing (SAST) solutions test applications from the “inside out” by looking at source code, byte code or binaries.</p>
<p>Both approaches have their pros and cons and, until recently, the market for these tools has evolved separately with different vendors and solutions. Even when a single vendor offers both DAST and SAST solutions, they have not historically been integrated.</p>
<p>In the latest research for clients – <a href="http://www.gartner.com/resId=1883624">Gartner Magic Quadrant for Dynamic Application Security Testing</a> – one of the criteria we looked at was whether the vendor’s solution provided Interactive Application Security Testing (IAST). Specifically, we are looking for ways that application security testing solutions combine dynamic and static techniques to improve the overall quality of the testing results. The information gathered by an instrumentation agent on the application platform gives the hybrid solution an inside-out view that complements the outside-in view of a purely DAST solution — for example, identifying the specific line of code where a security vulnerability occurred, or providing detailed visibility into code coverage. There are a couple of ways that dynamic and static testing techniques can be integrated and made to be interactive:</p>
<p>1) The web application platform (IIS, Apache, or other) can be instrumented to observe the application as it is being tested dynamically.</p>
<p>2) The web application can be instrumented via injected code (.NET, Java, or other) so that it can be observed during dynamic testing.</p>
<p>3) The output of a static code/binary analysis could be used to create and “tune” the dynamic test that is subsequently performed.</p>
<p>4) The results of observing an application under dynamic test or in use could be used to modify the dynamic test that is being performed in real time. In this way, the dynamic test can be made much more “intelligent” in how it tests an application. This is exactly the approach used by Quotium – a vendor we wrote up in 2011 as a Gartner Cool Vendor.</p>
<p>Multiple DAST solutions now provide IAST capabilities. Some of the vendors evolving their offerings in this direction and offering IAST include Acunetix, HP, IBM, NTO, Parasoft and Quotium. However, most IAST solutions also require that an agent be deployed on the application platform, which relegates the technique largely to QA and also requires that the vendor explicitly support the platform or language being instrumented (such as PHP, Java or .NET/ASP).</p>
<p>Look for IAST capabilities <a href="http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/">in your next evaluation of Dynamic Application Security Testing solutions.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/01/30/interactive-application-security-testing/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>DevOps Needs to Become DevOpsSec</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 15:13:09 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[application security testing tools]]></category>
		<category><![CDATA[Defense-in-Depth]]></category>
		<category><![CDATA[DevOpsSec]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Security-Summit-NA]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/</guid>
		<description><![CDATA[DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. Breakdowns in communications and processes across development, operations and security [...]]]></description>
			<content:encoded><![CDATA[<p>DevOps seeks to bridge the development and operations divide through the establishment of a culture of trust and shared interest among individuals in these previously siloed organizations. However, this vision is incomplete without the incorporation of information security, which represents yet another silo in IT. Breakdowns in communications and processes across development, operations and security are the root cause of the vast majority of critical system downtime, including downtime caused by breaches in security. For example, Gartner research shows that 75% of successful attacks occur against previously known vulnerabilities for which a patch or secure configuration standard was already available (actually, this used to be about 90%, but <a href="http://blogs.gartner.com/neil_macdonald/2011/04/27/if-detection-is-security-101-why-do-we-keep-getting-nailed-with-apts/">advanced and targeted attacks</a> have changed the equation).</p>
<p>Conventional wisdom holds that the agile nature of the DevOps vision is fundamentally at odds with the historically static and cumbersome nature of information security. I disagree. I believe that security can support a unified vision of DevOpsSec, but to do this, information security must change in multiple ways, including security infrastructure becoming more <a href="http://blogs.gartner.com/neil_macdonald/2010/05/15/the-future-of-information-security-is-context-aware-and-adaptive/">adaptive</a> and <a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">programmable</a> and making information security representation an integral part of DevOpsSec teams from the genesis of new applications and services.</p>
<p>I’ve just published a research note for clients, <a href="http://www.gartner.com/resId=1896617">DevOpsSec: Creating the Agile Triangle</a>, that makes the argument for DevOpsSec and outlines the major areas of change for information security to support a unified DevOpsSec vision. My colleague, <a href="http://blogs.gartner.com/cameron_haight">Cameron Haight</a>, from the IT Operations side of Gartner research joined me on the research note. He has pioneered much of the research on DevOps for Gartner and increasingly he is being asked how DevOps can be adopted without sacrificing security. Increasingly, I am being asked how to rationalize the agile nature of DevOps with the need for <a href="http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/">security testing</a>. We teamed up to deliver the first in a series of research notes on how to deliver DevOpsSec.</p>
<p>Development, operations and security are fundamentally intertwined. A well-designed, developed and managed system is the foundation of a secure system. DevOps must evolve to a new vision of DevOpsSec that balances the need for speed and agility of enterprise IT capabilities with the enterprise need to protect critical assets, applications and services.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/01/17/devops-needs-to-become-devopssec/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
<title>Link Web Application Firewalls to Dynamic Application Security Testing Tools</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/#comments</comments>
		<pubDate>Mon, 09 Jan 2012 13:06:41 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[application security testing tools]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Security No-Brainer]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/</guid>
		<description><![CDATA[I called this a “security no brainer” years ago and the advice is absolutely still relevant today. In Gartner’s latest Magic Quadrant for Dynamic Application Security Testing (DAST) solutions for clients, one of the evaluation criteria we looked at was whether or not the vulnerability knowledge of the DAST solution could be exported and used [...]]]></description>
			<content:encoded><![CDATA[<p>I called this a <a href="http://blogs.gartner.com/neil_macdonald/2009/08/19/security-no-brainer-9-application-vulnerability-scanners-should-communicate-with-application-firewalls/">“security no brainer”</a> years ago and the advice is absolutely still relevant today.</p>
<p>In Gartner’s latest <a href="http://www.gartner.com/resId=1883624">Magic Quadrant for Dynamic Application Security Testing (DAST) solutions</a> for clients, one of the evaluation criteria we looked at was whether the vulnerability knowledge of the DAST solution could be exported and used by a web application firewall (WAF – for example Imperva, F5, Citrix, Barracuda, DenyAll, ModSecurity, Bee Ware, etc.) to protect the vulnerable application from attacks (note that this is conceptually identical to using network or host-based IPSs to shield endpoints from attacks until patches can be applied).</p>
<p>Before I start a firestorm of comments, let me be clear: we believe the vulnerable application should be fixed if possible (just like vulnerable endpoints should ultimately be patched). WAFs should be viewed as a way to shield vulnerable web applications until they can be fixed/patched. However, this isn’t always possible in a timely manner. Sometimes the backlog of applications in development prevents a timely fix. Sometimes the organization doesn’t have the expertise to fix the application because the person that wrote it has left (or the development was outsourced/contracted). In other cases, there may be limited access to the source code. Regardless, what if we’ve got a vulnerable web application that we can’t fix in a timely manner?</p>
<p>That’s where DAST/WAF integration comes in. Most DAST solution providers will link directly to WAF providers to provide specific protection from a vulnerability. The DAST tool discovers the vulnerability and the WAF helps to shield it from attacks until it is fixed. Makes sense, doesn’t it?</p>
<p>Here’s a couple of things to keep in mind:</p>
<ul>
<li>Look for explicit WAF support. Some DAST solution providers will talk about exporting vulnerability knowledge in XML and how this could be consumed by a WAF… leaving out the part where you have to perform the translation from a generic XML-based representation of the vulnerability into the native WAF rule syntax. Make sure both your WAF provider and DAST solution provider state explicit out of the box support for this integration.</li>
<li>Even with explicit integration, don’t expect DAST vulnerability information to flow to a WAF without requiring human intervention and testing.</li>
<li>Favor DAST solutions that allow you to quickly and easily retest/replay a specific vulnerability with the WAF in place to confirm that the protection is working as expected.</li>
<li>To check for false positives, use testing scripts or recorded sessions to exercise the web application with the WAF rule in place. Favor WAF solutions that can place new rules in a “monitor only” mode for a period of time before being placed into blocking mode.</li>
</ul>
<p>If you haven’t evaluated DAST solutions recently, it is time to take another look. <a href="http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/">The market continues to evolve rapidly</a>. If a vulnerable web application can’t be fixed in a timely manner, don’t leave yourself exposed. Look for explicit, out of the box support for WAF rule generation in your next DAST or WAF solution evaluation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/01/09/link-web-application-firewalls-to-dynamic-application-securitytesting-tools/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>The Market for Dynamic Application Security Testing is Anything but Static</title>
		<link>http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 14:26:49 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[application security testing tools]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/</guid>
		<description><![CDATA[We’ve just published a new Magic Quadrant for Dynamic Application Security Testing (DAST) for Gartner clients. In Gartner research, we use the term DAST to refer to testing solutions and techniques that are designed to test an application from the “outside in” to detect conditions indicative of a security vulnerability in an application in its [...]]]></description>
			<content:encoded><![CDATA[<p>We’ve just published a new <a href="http://www.gartner.com/resId=1883624">Magic Quadrant for Dynamic Application Security Testing (DAST)</a> for Gartner clients. In Gartner research, we use the term DAST to refer to testing solutions and techniques that are designed to test an application from the “outside in” to detect conditions indicative of a security vulnerability in an application in its running state.</p>
<p>DAST solutions have been around for years, so you might think the market is fairly static. Not at all. DAST solutions must evolve, and have evolved, well beyond the security testing of back-end web applications. In order to dynamically test the next generation of applications, new DAST capabilities are required, and not all vendors support them equally.</p>
<p>Here are several areas where DAST solutions are evolving:</p>
<p><strong>(1) Dynamic application security testing as a service.</strong> The market for dynamic testing as a service is growing and some of the DAST solutions we evaluated – Qualys, Veracode and WhiteHat – only offer their solution as a service. However, many organizations tell us they prefer to use a product <span style="text-decoration: underline">and</span> a service from the DAST vendor — for example, testing their more-sensitive applications on-premises using a DAST product, and testing their less-sensitive applications via DAST as a service, or testing deployed applications as a service, with testing of applications in the QA phase of the development process using on-premises DAST products.</p>
<p><strong>(2) The ability to crawl and test Rich Internet Applications (RIA).</strong> A hallmark of Web 2.0 applications is the use of RIA, mostly in the form of JavaScript (The &#8220;J&#8221; in Ajax) and Ajax frameworks. In addition, many applications include large amounts of client-side logic in the form of Adobe Flash, Flex, and Microsoft&#8217;s Silverlight. The use of client-side RIA logic complicates how applications are crawled and how traditional DAST testing is performed, since the JavaScript and other types of code are rendered at the client, not at the server.</p>
<p><strong>(3) HTML5.</strong> More recently, interest has shifted to the use of HTML5 for RIA. HTML5 isn’t a single standard, and the multiple standards that collectively represent HTML5 are at different levels of maturity and adoption. Testing HTML5 and keeping up with the fluid standards is an emerging requirement for all DAST solutions.</p>
<p><strong>(4) The ability to crawl and test applications that use other types of interfaces carried over web protocols.</strong> For example, many DAST solutions test Web services using protocols and formats, such as Simple Object Access Protocol (SOAP), representational state transfer (REST), Extensible Markup Language (XML) and JavaScript Object Notation (JSON).</p>
<p><strong>(5) Static application testing capabilities (SAST).</strong> For comprehensive application security testing, applications should be able to be tested from the <a href="http://blogs.gartner.com/neil_macdonald/2011/01/19/static-or-dynamic-application-security-testing-both/">“inside out” using static analysis and from the “outside in” using dynamic analysis</a>. Several vendors now offer organizations both DAST and SAST solutions.</p>
<p><strong>(6) Interactive Security Testing.</strong> Building on #5, some of the testing providers enable interaction between their static and dynamic security testing techniques. One of the most common ways is to instrument the application while it is being tested dynamically. This provides more detailed information (such as identifying the line of code where a vulnerability occurs and assessing the code coverage of testing). While this may not be suitable for production applications, this approach is quite useful in QA testing in order to provide more meaningful results to developers.</p>
<p><strong>(7) Comprehensive fuzz testing.</strong> Some DAST solutions are designed specifically to expand well beyond Web protocols to include non-Web protocols (for example, remote procedure calls, Server Message Block, Session Initiation Protocol [SIP] and so on) as well as data input malformation. This is especially critical for the dynamic security testing of applications used within embedded devices, such as storage appliances, telecommunications and networking equipment, directories, automated teller machines, medical devices and so on.</p>
<p><strong>(8) Testing mobile and Cloud-based applications.</strong> Ideally mobile applications would be tested with SAST and DAST; however, pure DAST testing can add value. Beyond the use of RIA and HTML5 discussed previously, most Android and iOS applications (even when written as native applications) are Web-like in nature and communicate over Web or RESTful HTTP-based protocols. At a minimum, the exposed interfaces of the applications should be testable using DAST. Many of the mobile applications communicate with cloud-based applications on the back end, which must also be tested. In addition, many applications have specific code paths for supporting mobile devices. In order to test these properly, DAST solutions must emulate a number of mobile browsers.</p>
<p>These are just a few examples of how the market for DAST solutions is anything but static. The market is evolving rapidly and requires that successful solutions here continue to adapt as well. If you haven’t evaluated DAST solutions in a while, it’s time to take another look.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2012/01/04/the-market-for-dynamic-application-security-testing-is-anything-but-static-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security Observations from Gartner&#8217;s Data Center Summit</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 17:37:38 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[Hypervisor Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[vShield]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/</guid>
<description><![CDATA[I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential impact of the Eurozone crisis on information security spending. Here, I want to outline the top security-related issues and concerns that I discussed with attendees [...]]]></description>
<content:encoded><![CDATA[<p>I’m just back from Gartner’s US 2011 Data Center Summit held this week in Las Vegas. In my previous post, I talked about information security vendors’ concerns on the potential <a href="http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/">impact of the Eurozone crisis on information security spending.</a></p>
<p>Here, I want to outline the top security-related issues and concerns that I discussed with attendees at the conference:</p>
<ul>
<li>Interest in securing the next-generation virtualized data center remains high with most of the questions focused on the separation of workloads of different trust levels (e.g. PCI, DMZ, dev/test) in virtualized environments. In most cases, this will involve the use of <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">software-based virtualized security controls</a>. Specific to PCI, one attendee indicated their QSA had accepted PCI and non-PCI related workloads on the same physical host without all workloads being considered in scope (in this case, they used externalized physical firewall-based separation).</li>
<li>Several attendees asked if I was aware of any publicized incidents of hypervisor breaches. I’m not, but that doesn’t mean that they won’t (or haven’t) happened. <a href="http://blogs.gartner.com/neil_macdonald/2011/01/26/yes-hypervisors-are-vulnerable/">The vulnerabilities are there</a>. It will happen, it’s just a matter of time – hackers are quite aware that a successful attack at this layer represents an opportunity to penetrate the entire machine regardless of the security controls within each host.</li>
<li>I had several questions on optimizing antimalware scanning in a virtualized environment. Trend Micro has been an early innovator here with its integration <a href="http://blogs.gartner.com/neil_macdonald/2011/06/06/is-single-instance-security-the-future/">with VMware’s vShield Endpoint APIs</a>, but there are other options and approaches, each with pros and cons.</li>
<li>In terms of cloud security, most questions revolved around extending enterprise virtualized data centers to public cloud IaaS providers in hybrid scenarios and how to protect this.</li>
<li>The second most common cloud security issue discussed was the use of encryption and other approaches to securing data in the cloud. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Since cloud isn’t one thing</a>, our approaches to securing data in the cloud will be different at different layers.</li>
</ul>
<p>It was a great conference with record-setting attendance. It’s clear to me that <a href="http://blogs.gartner.com/neil_macdonald/2010/01/04/six-trends-that-will-further-reshape-information-security-in-2010/">virtualization, mobilization and cloud computing are transforming the enterprise data center</a> and that information security needs to evolve to support this. Based on the interest in information security from attendees of the conference, I’d say they feel exactly the same way.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/12/09/security-observations-from-gartners-data-center-summit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Will the Euro Crisis Affect Information Security Spending?</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/#comments</comments>
		<pubDate>Fri, 09 Dec 2011 16:26:17 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Next-generation Data Center]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/</guid>
		<description><![CDATA[I’ve just gotten back from Gartner’s Data Center Conference in Las Vegas. Like Gartner’s recent US Symposium and European Symposium, the conference had record attendance and interest in information security was high. I’ll place the top security-related issues from non-vendor attendees in a separate post. On the vendor side, I had several information security providers [...]]]></description>
			<content:encoded><![CDATA[<p>I’ve just gotten back from Gartner’s Data Center Conference in Las Vegas. Like Gartner’s recent <a href="http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/">US Symposium</a> and <a href="http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/">European Symposium</a>, the conference had record attendance and interest in information security was high.</p>
<p>I’ll place the top security-related issues from non-vendor attendees in a separate post.</p>
<p>On the vendor side, I had several information security providers ask me about the potential impact of the Euro crisis on information security spending. Many of the vendors are right in the middle of their 2012 revenue forecasting and budget planning process so the question is top of mind. My recommendation to them was to bound their forecast and budgets with a worst case and best case envelope around their most likely forecast.</p>
<p>Gartner is following the developments closely and we have several resources available to clients and vendors to navigate this turbulent period. First, <a href="http://my.gartner.com/webinardetail/resId=1870520">there is a webcast planned to discuss the impact of the Eurozone crisis</a> that is open to all. Second, there is a special report being developed for Gartner clients that addresses the issue from multiple angles across all of Gartner research. The first research note for this set has already published for clients <a href="http://www.gartner.com/resId=1867317">“CIOs Should Address the Impacts of the Euro Crisis on Their Enterprises Now”.</a> Third, my European colleague has just posted <a href="http://www.surveymonkey.com/s/2KHWYHG">a survey</a> to gather data for use in his research and his blog posts on the topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/12/09/will-the-euro-crisis-affect-information-security-spending-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Observations from European Symposium</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/#comments</comments>
		<pubDate>Mon, 14 Nov 2011 12:02:14 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[application security testing tools]]></category>
		<category><![CDATA[GartnerDC]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/</guid>
		<description><![CDATA[I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was a fantastic with record attendance. Security was front and center of attendee interests. We had a total [...]]]></description>
			<content:encoded><![CDATA[<p>I spent the last week in Barcelona with 4,000+ attendees at the 2011 Gartner European Symposium. It was a new venue for Gartner (we were displaced from Cannes by the G20), and I’m happy to say it was fantastic, with record attendance.</p>
<p>Security was front and center of attendee interests. We had a total of 23 security sessions throughout the 4 days. Like the US Fall Symposium, I was fully booked with 1-1 sessions where attendees are able to meet and discuss their issues and questions with analysts.</p>
<p>The top issues of our European attendees <a href="http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/">differed from those at Gartner’s US Fall Symposium</a>. Here’s what was top of mind in Europe:</p>
<p><strong>1) Protecting information.</strong> I had a large number of discussions on how to move information security beyond just a “bottom-up” approach to information security. These organizations felt they had a good handle on traditional firewalling, IPS and endpoint protection but hadn’t done much for information protection beyond encrypting laptops. In addition to encouraging them to think about <a href="http://blogs.gartner.com/neil_macdonald/2010/02/24/its-time-to-redefine-dlp-as-data-lifecycle-protection/">information security protection as a process</a>, we also discussed specific technical controls such as database activity monitoring, file activity monitoring and web application firewall/monitoring solutions.</p>
<p><strong>2) Cloud security.</strong> <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Cloud isn’t one thing, security isn’t either</a>, so these discussions varied. Most were focused on how to better secure access to cloud-based services at the Software-as-a-Service level. There were some questions on IaaS, but only one on securing PaaS. In that case it was a leading-edge client moving their entire business as a service provider to Microsoft’s Azure platform and we discussed encryption options within Microsoft’s Azure.</p>
<p><strong>3) Hosted Virtual Desktop</strong> (or, if you prefer, Virtual Desktop Infrastructure). In these conversations, the interest was driven primarily as a way to provide access to legacy Windows applications while maintaining control of the information. Several conversations were on the pros/cons of VDI as compared to traditional terminal services. There are strengths and weaknesses to each approach. In a separate roundtable on virtualization and security that I moderated, the preference of the attendees of the session was to use full VMs (VDI/HVD) rather than terminal services.</p>
<p><strong>4) Application security.</strong> This is really a form of #1 above, but focusing on securing the applications that handle the sensitive information. Most had adopted <a href="http://blogs.gartner.com/neil_macdonald/2011/01/19/static-or-dynamic-application-security-testing-both/">some amount of security testing</a>, but were interested in pushing testing further back into software development. There was a significant amount of interest in testing as a service offerings, many of which are quite inexpensive as compared to testing in house. In most of these cases, testing as a service wasn’t replacing what they were doing, just augmenting it.</p>
<p>Overall, the biggest difference I saw in the interests of European attendees from US attendees was the intense interest in specific ways and mechanisms to augment traditional “bottom-up” security mechanisms with a “top-down” approach to protecting information. Both are needed.</p>
<p>That’s a good sign that information security organizations are understanding that in a world where IT increasingly doesn&#8217;t own or control much of the IT stack (end user device, network, server, OS, etc), our focus absolutely <a href="http://blogs.gartner.com/neil_macdonald/2009/03/12/does-securing-information-require-a-different-mindset/">must shift up to various ways to protect the information.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/11/14/security-observations-from-european-symposium/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>US Symposium Summary from a Security Perspective</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 13:22:51 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Beyond Anti-Virus]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Microsoft Security]]></category>
		<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization Security]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[DC-Summit-NA]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/</guid>
		<description><![CDATA[Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene. In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four [...]]]></description>
			<content:encoded><![CDATA[<p>Last week I attended Gartner’s US Symposium conference in Orlando. With 8,000+ attendees (25% of which were CIOs) and at least 1,000 more analysts, vendors and support staff, you can imagine it was quite a scene.</p>
<p>In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.</p>
<p>What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:</p>
<p>1) Endpoint security, <a href="http://blogs.gartner.com/neil_macdonald/2011/07/19/the-key-to-successful-application-control-is-not-to-control-applications/">application control and whitelisting.</a> Microsoft is causing significant disruption in this market with its <a href="http://blogs.gartner.com/neil_macdonald/2011/08/04/microsofts-forefront-endpoint-protection-is-it-good-enough/">new version of Forefront Endpoint Protection</a> and its change in licensing policies.</p>
<p>2) Strategies for <a href="http://blogs.gartner.com/neil_macdonald/2011/07/11/sand-castles-and-advanced-persistent-threats/">protection against advanced threats</a> (note that this overlaps with #1 a bit)</p>
<p>3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?</p>
<p>4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.</p>
<p>Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.</p>
<p>In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. <a href="http://blogs.gartner.com/neil_macdonald/2011/07/15/seven-cloud-computing-pet-peeves/">Cloud is a computing style, not a location.</a> It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security <a href="http://blogs.gartner.com/neil_macdonald/2010/12/01/securing-private-clouds-requires-changes-to-information-security-infrastructure/">to a set of software-based services delivered by programmable infrastructure.</a> I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time <a href="http://blogs.gartner.com/neil_macdonald/2011/08/24/its-time-for-security-to-ascend/">imagining firewall services decoupled from the physical hardware underneath</a> and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.</p>
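<p>To make the “logical, not physical, attributes” point concrete, here is an added example (it is not code from the original post or from any vendor product): a toy firewall policy evaluator whose rules are written against workload tags such as trust zone and role, compared with a conventional rule keyed on IP addresses. When a VM migrates to another host and subnet, the tag-based rule still follows it, while the address-based rule silently stops matching. All workload names, addresses, hosts and tags are constructed for the illustration.</p>

```python
"""Added example, not from the original post: firewall policy keyed on logical
workload attributes (tags) versus one keyed on physical addresses.
Every workload, host, IP and tag below is a constructed placeholder."""
from dataclasses import dataclass
from typing import FrozenSet, Dict, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    host: str             # physical host the VM currently runs on
    ip: str               # address, which may change on migration
    tags: FrozenSet[str]  # logical attributes: zone, role, environment


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]   # tags the source workload must carry
    dst: FrozenSet[str]   # tags the destination workload must carry
    port: int             # 0 means any port
    action: str           # "allow" or "deny"


# Constructed tag-based policy, first match wins, default deny:
#   dev/test may never reach anything in the PCI zone;
#   PCI web tier may reach the PCI database tier on 5432.
TAG_POLICY: List[Rule] = [
    Rule(frozenset({"zone:dev"}), frozenset({"zone:pci"}), 0, "deny"),
    Rule(frozenset({"zone:pci", "role:web"}),
         frozenset({"zone:pci", "role:db"}), 5432, "allow"),
]

# The same intent expressed the traditional way, on addresses (constructed).
IP_POLICY: Dict[Tuple[str, str, int], str] = {
    ("10.1.0.10", "10.1.0.20", 5432): "allow",
}


def decide_by_tags(src: Workload, dst: Workload, port: int,
                   policy: List[Rule] = TAG_POLICY) -> str:
    """Match on logical attributes only; host and IP never enter the decision."""
    for r in policy:
        if r.src <= src.tags and r.dst <= dst.tags and r.port in (0, port):
            return r.action
    return "deny"


def decide_by_ip(src: Workload, dst: Workload, port: int,
                 policy: Dict[Tuple[str, str, int], str] = IP_POLICY) -> str:
    """Conventional lookup keyed on the physical addresses of the endpoints."""
    return policy.get((src.ip, dst.ip, port), "deny")


def migrate(w: Workload, new_host: str, new_ip: str) -> Workload:
    """Simulate a live migration: host and address change, tags travel with the VM."""
    return Workload(w.name, new_host, new_ip, w.tags)


# Constructed inventory
WEB = Workload("web01", "esx-a", "10.1.0.10", frozenset({"zone:pci", "role:web"}))
DB = Workload("db01", "esx-b", "10.1.0.20", frozenset({"zone:pci", "role:db"}))
DEV = Workload("dev01", "esx-a", "10.9.0.5", frozenset({"zone:dev", "role:web"}))


def compare_after_migration() -> Dict[str, str]:
    """Move the database VM to a new host and subnet, then re-evaluate both policies."""
    db_moved = migrate(DB, "esx-c", "10.2.0.20")
    return {
        "tags_before": decide_by_tags(WEB, DB, 5432),
        "tags_after": decide_by_tags(WEB, db_moved, 5432),
        "ip_before": decide_by_ip(WEB, DB, 5432),
        "ip_after": decide_by_ip(WEB, db_moved, 5432),   # the IP rule no longer matches
        "dev_to_pci": decide_by_tags(DEV, db_moved, 5432),
    }


if __name__ == "__main__":
    for k, v in compare_after_migration().items():
        print(f"{k}: {v}")
```

<p>The tag-based decision is identical before and after the move, and the dev-to-PCI deny still holds wherever the database lands; the address-based rule flips to deny (an outage in this case, but the same mechanism can just as easily leave an allow rule pointing at whatever workload inherits the old address). In a real deployment the tags would come from the virtualization platform or CMDB, and the evaluator would need to re-check them whenever a workload is re-tagged.</p>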
<p>If you follow my thoughts from the conference on <a href="http://twitter.com/#!/@nmacdona/">twitter (@nmacdona),</a> you’ll see some of the feedback on my context-aware security presentation. Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.</p>
<p>As I have discussed previously many times, all of <a href="http://my.gartner.com/portal/server.pt?open=512&amp;objID=260&amp;mode=2&amp;PageID=3460702&amp;id=1369721&amp;ref=clientFriendlyUrl">information security is becoming context-aware and adaptive</a> and this attribute will be a key characteristic of all next generation security offerings (<a href="http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/">IPS</a>, FW, endpoint protection, IAM, DLP, and so on).</p>
<p>Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending <a href="http://www.gartner.com/technology/summits/na/data-center/">Gartner’s upcoming US Data Center summit in December in Las Vegas</a> and we can catch up there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/24/us-symposium-summary-from-a-security-perspective/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Next-gen Context Aware Intrusion Prevention</title>
		<link>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/</link>
		<comments>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 13:40:58 +0000</pubDate>
		<dc:creator>Neil MacDonald</dc:creator>
				<category><![CDATA[Next-generation Security Infrastructure]]></category>
		<category><![CDATA[Security Intelligence]]></category>
		<category><![CDATA[Adaptive Security Infrastucture]]></category>
		<category><![CDATA[Context-aware Security]]></category>
		<category><![CDATA[Endpoint Protection Platform]]></category>
		<category><![CDATA[symposium]]></category>

		<guid isPermaLink="false">http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/</guid>
		<description><![CDATA[Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats. In this 2010 research note that provided a definition and framework for understanding context-aware [...]]]></description>
			<content:encoded><![CDATA[<p>Context-aware security is the use of supplemental information to improve security decisions at the time the decision is made. The goal? More-accurate security decisions capable of supporting more-dynamic business and IT environments as well as providing better protection against advanced threats.</p>
<p>In this 2010 research note that provided a definition and framework for understanding context-aware security <a href="http://www.gartner.com/resId=1369721">The Future of Information Security is Context Aware and Adaptive</a>, I used the term “next-generation IPS” to describe how advanced intrusion prevention systems were becoming context aware in order to make improved security decisions (faster, more accurate and better suited to detect advanced threats).</p>
<blockquote><p>Network security solutions are evolving to incorporate &#8220;application awareness&#8221; and &#8220;identity awareness&#8221; into their offerings. Information protection solutions are evolving to deliver &#8220;content awareness.&#8221; Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made.</p></blockquote>
<p>In the research note, I provided several examples of how information security infrastructure was evolving to become context-aware, including next-generation IPSs:</p>
<blockquote><p>Intrusion prevention systems (IPSs) — Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.</p></blockquote>
<p>We’ve just published <a href="http://www.gartner.com/resId=1818521">this research note for clients</a> that outlines the key attributes of a next-generation IPS. Context-awareness in the form of application, identity, content and environmental awareness is the foundation for a next-generation IPS.</p>
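<p>As an added example of the mechanism the quoted passage describes (this is illustrative code, not from the original post, the research note or any Sourcefire/Gartner product), here is a toy IPS that decides which signatures to run against a flow from real-time knowledge of the destination asset: its OS, the service on the destination port, and the vulnerabilities it is known to carry. Signatures that cannot apply to the target are skipped, and the ones that still fire are tagged with an impact level, so an alert on a host that is actually exposed is distinguished from one on a relevant but patched host. The signatures, the CVE-style identifiers, the hosts and the payloads are all constructed placeholders, not real vulnerabilities.</p>

```python
"""Added example, not from the original post or any product: context-aware
selection of IPS signatures from asset knowledge.  Signature ids, patterns,
the CVE-0000-* identifiers, hosts and payloads are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int
    pattern: bytes                  # byte pattern searched for in the payload
    target_os: Optional[str]        # None = OS independent
    target_service: Optional[str]   # None = service independent
    cve: Optional[str]              # vulnerability the signature detects, if any


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    services: Dict[int, str]        # destination port -> service name
    vulns: FrozenSet[str]           # vulnerability ids found by passive discovery or a scan


# Constructed signature set (identifiers are placeholders, not real CVEs).
SIGS: List[Signature] = [
    Signature(1001, b"GET /iisadmin", "windows", "iis", "CVE-0000-0001"),
    Signature(1002, b"GET /cgi-bin/", "linux", "apache", "CVE-0000-0002"),
    Signature(1003, b"' OR 1=1", None, None, None),   # generic, applies everywhere
]


def impact(sig: Signature, asset: Asset, dst_port: int) -> str:
    """Classify a signature against the destination asset's context.

    irrelevant: target OS or service does not match, skip it entirely
    vulnerable: asset is known to carry the vulnerability the signature detects
    relevant:   target matches but no known exposure (e.g. patched host)
    """
    if sig.target_os is not None and sig.target_os != asset.os:
        return "irrelevant"
    if sig.target_service is not None and sig.target_service != asset.services.get(dst_port):
        return "irrelevant"
    if sig.cve is not None and sig.cve in asset.vulns:
        return "vulnerable"
    return "relevant"


def active_rules(asset: Asset, dst_port: int, sigs: List[Signature] = SIGS) -> List[Signature]:
    """The rule subset a context-aware engine actually evaluates for this flow."""
    return [s for s in sigs if impact(s, asset, dst_port) != "irrelevant"]


def inspect(payload: bytes, asset: Asset, dst_port: int,
            sigs: List[Signature] = SIGS) -> List[Tuple[int, str]]:
    """Run only the applicable rules and return (sid, impact) for each hit."""
    return [(s.sid, impact(s, asset, dst_port))
            for s in active_rules(asset, dst_port, sigs) if s.pattern in payload]


def context_free_alerts(payload: bytes, sigs: List[Signature] = SIGS) -> List[int]:
    """The traditional engine: every rule against every flow, no asset knowledge."""
    return [s.sid for s in sigs if s.pattern in payload]


# Constructed asset inventory
LINUX_WEB = Asset("10.0.0.5", "linux", {80: "apache"}, frozenset({"CVE-0000-0002"}))
PATCHED_WIN = Asset("10.0.0.6", "windows", {80: "iis"}, frozenset())


if __name__ == "__main__":
    probe = b"GET /iisadmin/default.htm HTTP/1.0\r\n"
    print("context-free:", context_free_alerts(probe))
    print("linux/apache:", inspect(probe, LINUX_WEB, 80))        # suppressed
    print("patched iis: ", inspect(probe, PATCHED_WIN, 80))      # fires, lower impact
    print("rules run on linux web host:", [s.sid for s in active_rules(LINUX_WEB, 80)])
```

<p>For an IIS probe aimed at a Linux/Apache host the context-free engine raises an alert and the context-aware one raises nothing, which is the false-positive reduction the note refers to; the same probe against a patched IIS host still fires, but as a lower-impact event, and the Linux host is only ever checked against two of the three rules, which is the processing-resource saving. The practical caveat is that the quality of these decisions is bounded by the freshness of the asset data: a stale OS fingerprint or an out-of-date vulnerability list turns suppression into a blind spot, so the context source should be continuously updated rather than loaded once.</p>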
<p><a href="http://blogs.gartner.com/neil_macdonald/tag/context-aware-security/">As I have observed several times</a>, <strong>all information security infrastructure must become context-aware </strong>– endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management systems, secure web gateways, secure email gateways, data loss prevention systems … all of it.</p>
<p>The shift to incorporate “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.gartner.com/neil_macdonald/2011/10/13/next-gen-context-aware-intrusion-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

