In addition to three presentations, I had more than 30 fantastic one on ones with attendees over the four days.

What was hot? Many of the same issues I blog about. In order of priority, most attendee discussions were on:

1) Endpoint security, application control and whitelisting. Microsoft is causing significant disruption in this market with its new version of Forefront Endpoint Protection and its change in licensing policies.

2) Strategies for protection against Advanced threats (note that this overlaps with #1 a bit)

3) Security trends – what are the major trends we are seeing in information security and are they missing anything? What investments should we be thinking about for 2012?

4) Virtualization and security – trust/assurance of the hypervisor for separation of workloads of different trust levels as well as protecting VMs as they move offsite into Cloud-based providers.

Surprisingly, I only had one or two conversations on application security – specifically looking for best practices to push security testing further back in the SDLC.

In terms of “Cloud”, I think most organizations are moving beyond the ill-defined hype of “cloud security” and looking for specific advice and best practices for addressing specific cloud-related computing concerns. That’s a welcome step forward. Cloud is a computing style, not a location. It’s great to see people embrace this computing style and look to proactively build security in. Thursday afternoon’s presentation on securing private clouds had a good crowd for the final day. The biggest reaction was on the evolution of security to a set of software-based services delivered by programmable infrastructure. I think most IT security professionals have become so accustomed to their firewalls as a physical box, they have a difficult time imagining firewall services decoupled from the physical hardware underneath and shifting to security policies based on logical, not physical, attributes. Indeed, I believe the biggest challenges to the security of private clouds will be related to cultural and mindset change issues, not technical.

If you follow my thoughts from the conference on twitter (@nmacdona), you’ll see some of the feedback on my context-aware security presentation.Despite losing AC during the presentation (not good in Florida, even in October!), the crowd stuck it out with some hanging out in the doorways to watch the presentation and catch a breeze at the same time.

As I have discussed previously many times, all of information security is becoming context-aware and adaptive and this attribute will be a key characteristic of all next generation security offerings (IPS, FW, endpoint protection, IAM, DLP, and so on).

Overall, it was another great Symposium conference (my 15th with Gartner!). They just keep getting better. For those of you that didn’t make it, I’m attending Gartner’s upcoming US Data Center summit in December in Las Vegas and we can catch up there.

In this 2010 research note that provided a definition and framework for understanding context-aware security The Future of Information Security is Context Aware and Adaptive, I used the term “next-generation IPS” to describe how advanced intrusion prevention systems were becoming context aware in order to make improved security decisions (faster, more accurate and better suited to detect advanced threats).

Network security solutions are evolving to incorporate “application awareness” and “identity awareness” into their offerings. Information protection solutions are evolving to deliver “content awareness.” Application, identity and content awareness are all part of the same underlying shift to incorporate more context at the point when a security policy enforcement decision is made.

In the research note, I provided several examples of how information security infrastructure was evolving to become context-aware, including next-generation IPSs:

Intrusion prevention systems (IPSs) — Rather than apply all IPS rules to all traffic flows, next-generation IPS systems are able to use real-time contextual knowledge of what version of an OS or application a workload is running and what vulnerabilities are present in the systems they are protecting (for example, Real-time Network Awareness (RNA)/Real-time User Awareness (RUA) integration with Sourcefire). This context improves the speed and accuracy of IPS decisions, allowing more-efficient use of processing resources, as well as reducing the chance of false positives.

We’ve just published this research note for clients that outlines the key attributes of a next-generation IPS. Context-awareness in the form of application, identity, content and environmental awareness is the foundation for a next-generation IPS.

As I have observed several times, all information security infrastructure must become context-aware – endpoint protection platforms, access control systems, network firewalls, IPS systems, security information and event management systems, secure web gateways, secure email gateways, data loss prevention systems … all of it.

The shift to incorporate “application awareness”, “identity awareness”, “virtualization awareness”, “location awareness”, “content awareness” and so on are all facets of the same underlying shift in information security infrastructure to become context-aware.

Is protecting a desktop different than a laptop? Yes.

Is protecting a server different than a desktop or laptop? Yes

However, does this mean that we need a different vendor, product and console for each of these? Or, is it better to use a consistent set (palette) of controls to pick and choose from and just choose a different mix to protect different types of endpoints based on their needs? For example:

• All desktops and laptops need AV. Some servers need AV (general purpose file servers) and most organizations require AV on all Windows servers by policy.
• Application Control is more easily applied to servers which tend to be more static. However, some fixed desktop scenarios are well-suited to application control (e.g. call centers) and leading application control vendors are innovating in how they manage trusted change in desktop scenarios.
• Host firewalling is important to both, but tends to be more valued on laptops that move out from behind perimeter protection. Servers in the data center behind fixed firewalls may not need this at all.
• Deep packet inspection based host-based intrusion prevention (HIPS) is of value to both desktops and servers, but the ‘virtual patching’ capabilities of this style of protection tends to be more valued on servers that can’t be patched as frequently.
• Rules-based HIPS tends to be used more on servers where rules about normal application behavior are more easily defined
• Behavioral HIPS tends to be used more on laptops and desktops to augment traditional signature-based AV and protect from zero-day attacks because these devices routinely deal with arbitrary code. This isn’t as important on servers as they don’t routinely deal with arbitrary code and organizations don’t want to risk an occasional false positive.
• Servers are great candidates for file integrity monitoring. Few desktops will use file integrity monitoring, but I’ve had clients with desktops that fell in scope of PCI where they used file integrity monitoring on their desktops.
• Laptops are great candidates for full drive encryption, but some fixed desktop and server scenarios make sense for full drive encryption as well.

The set (palette) of controls is the same – AV, firewall, HIPS, FIM, application control, encryption, etc etc working together as a system. You pick and choose which controls are used and which policies are enforced based on the endpoint (desktop, laptop, server and increasingly mobile devices) and its usage scenarios. Think of the information security professional as an artist with a palette of colors/controls.

Do we need a different product/vendor/console for server security versus desktop security? Or a single product/vendor/console with the ability to pick and choose the appropriate controls and policies?

How does your organization handle this?

I’ve talked about this several times before – including here, here and here.

While it may not be feasible to remove administrator rights from all users, it is an absolutely achievable goal to continue to improve the percentage of Windows users running without administrator rights year over year for the foreseeable future. Make this your goal for 2012.

Case in point – I talked with a client today that had removed administrator rights from 90% of their users. This is a noteworthy achievement as they are only in the planning process of migrating to Windows 7. They had achieved this on Windows XP and for large numbers of XP-based laptop users. Impressive.

Better yet, I worked with this client on a strategy to move this to 95-97% using the migration to Windows 7 as a catalyst for further improvements – some coming from improvements in the Windows OS (like a new printer driver model) and some coming from the selective use of a third party tool for Windows privilege management.

If you are struggling with malware infestations and are considering switching out vendors, take a look first at removing administrator rights. For Gartner clients, I’ve outlined the best practices for achieving this in this research document.

Remember, if done correctly, removal of administrator rights does not have to equate to “lockdown”.

Full drive encryption should be considered mandatory for laptops and most organizations have implemented this – either with Windows 7 and BitLocker, by adding encryption into their endpoint protection platform contract or by purchasing a point solution.

However, there are several use cases where the use of FDE makes sense for fixed desktops:

1) For areas where physical security is lacking and there is a risk that the hard drive and/or physical machine may be stolen

2) For defense in depth as machines are retired to ensure that data is wiped completely. By ensuring that the key is destroyed, access to the data is impossible. Without the keys, they don’t have your data. This would supplement (and potentially replace) any manual wiping that is performed as machines are returned/retired/recycled/destroyed.

3) For protection of images in transit being shipped to remote locations – for example to remote offices.

With advances in hardware processing making the overhead of FDE nearly negligible and with the significant downward pricing pressure in the market (in the case of BitLocker. “free” if you are purchasing Software Assurance on the Windows OS), FDE may make sense for many of your fixed desktops as well.

If you are licensed under Microsoft’s Core Client Access License program, it now includes CALs for Forefront Endpoint Protection. For many organizations that are already licensed under Core CAL, this means that FEP is essentially “free”.

I’ve been getting dozens of inquires from large and small organizations in the last 6 weeks on whether or not Forefront makes sense for them. However, “free” doesn’t mean no cost. First, you have to be licensed under Core CAL. Second, you have to consider the cost of deployment and testing as well as the cost of removing whatever you have in place. Also, Microsoft has no solution for non-Windows platforms (as you might expect) and many organizations will be forced to use another type of solution to protect these systems.

There are many other pros and cons which I go into detail for clients in this research note that I just published:

Microsoft’s Forefront Endpoint Protection: Good but not Great

For some organizations, FEP will be a good solution. For others, it will be a not be a good fit. Which are you?

Attendees have the ability to book one on one conversations with the analysts and my schedule was completely full. One of the conversations with a client was quite interesting and validates my recent research on Systematic Workload Reprovisioning (SWR).

The attendee’s organization was a multinational organization with thousands of end users.

They have been hit with multiple APTs recently that targeted their end-users and that had bypassed their traditional security controls. Enough was enough for this attendee.

The organization is now embarking on an explicit SWR strategy for all users worldwide. Rather than using hosted virtual desktops in the data center (which is the more common approach for SWR I identified in my research), the client is using bare metal reprovisioning to periodically deliver a high assurance image to the physical machine over the network.

This attendee had reached the same conclusion I have reached and that many of you have: You have been breached. You just don’t know it (yet).

I’ve just published two research notes for Gartner clients that detail the SWR strategy. The first explains the concept and the second explores the implications and considerations for information security and operations management where SWR is adopted.

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Concepts

Systematic Workload Reprovisioning as a Strategy to Counter Advanced Persistent Threats: Considerations

It’s time for new thinking and new approaches to information security. SWR should become part of your defense in depth strategy to protect against advanced threats.

We’ve updated our advice to clients using SecurID tokens in this First Take.

For current customers, RSA has published guidance that focuses on putting in place better protection of the systems that maintain the userid-to-token mappings and of the token seed values.

However, the risk here is higher than it first might appear. Two thoughts:

1) Protection strategies absolutely must include better protection of endpoints where reportedly the hackers were able to obtain the user-to-token mappings using a keystroke-logger or Zues-like Trojan. It is typically much easier to target end-users as a weak link rather then enterprise servers. This problem is compounded when contractors, home users and other non-enterprise managed assets use SecurID for strong authentication. On these systems, the enterprise may or may not have a security stack present (like an endpoint protection platform), the users may run as administrators and the patching discipline is unknown. End-users are the weakest link and end-users coming from unmanaged devices make this even weaker.

2) The attack on RSA was an organized attack, likely a state-sponsored Advanced Persistent Threat. The assumption that the hackers would obtain the seed key values from RSA and then go target enterprises may be far too optimistic. It is quite possible that the hackers obtained at least some of the user-to-token mappings before the attack on RSA occurred, knowing that once the breach at RSA became public, enterprises would place stronger controls on the systems that contained the user-to-token mappings. In other words, we might be trying to close the barn door after the horse is already out.

Does this mean that IT Operations and Security are converging?

I believe “convergence” is too strong of a word to describe what it going on. Convergence implies that one or the other goes away. That isn’t the case here. IT Operations and Information Security are like Ying and Yang. A healthy but necessary tension exists between the two.

While there may be convergence of the infrastructure underneath that carries bits out to the endpoints (in this case, the SCCM servers and agent), this shouldn’t be confused with convergence of policy administration. In other words, while the operational infrastructure might be used to deploy and update the policy enforcement mechanism (the Forefront agent in this case), this doesn’t mean that the need for separation of duties of policy administration has gone away. Leveraging operational infrastructure for security policy enforcement makes sense as long as separation of duties is maintained.

“Integration”, Interoperability” and “Reducing redundant infrastructure” are much better ways to describe what is happening – and it’s not just with the security and management of endpoints that this integration and leveraging of common infrastructure is happening.

• Standard users can install and execute well-written software on XP and Windows 7. For example Google’s Chrome and Firefox install just fine when users don’t have administrator rights.
• With Windows 7, standard users can install printer drivers.
• With Windows 7 and AXIS (Microsoft’s ActiveX Installer Service), standard users can install ActiveX controls that conform to policy within Internet Explorer.
• With Windows 7, standard users can now perform most of the standard day-to-day Windows functions that they couldn’t do on Windows XP including such things as changing time zones, changing monitor resolution, looking at (but not changing) firewall configuration, renewing a DHCP address and so on.

Net/Net – removing administrator rights from Windows users is not “lockdown”. This leads to two pieces of advice:

1) If you are removing administrator rights during the migration to Windows 7, don’t call this “lockdown”. For some reason, the term “lockdown” rubs users the wrong way.    As an alternative, how about telling users they are receiving a “security-enhanced desktop”? Seriously, they aren’t administrators on their iPads or iPhones and you don’t hear too many complaints. We can achieve a similar outcome on Windows. For some situations, a third party tool for privilege management may be needed, but it can be done.

2) If you truly want a “locked down” environment where users cannot extend their workspace, you’ll need additional policies and controls to implement this such as Application Control / Whitelisiting technology.

I discuss how to successfully remove administrator rights from Windows users in detail in this research note for clients complete with a list of the top 14 or 15 best practices for this initiative.