Interop attendees tackle network security risks associated with everything from cloud services to social networking.
Last week at Interop NY 2010, there was plenty of buzz about cloud computing, virtualization, enterprise 2.0, and green data centers. But for those focused on security, the hottest topic may have been social networking from policy development and controls to vulnerability management and compliance.
Social networks and security - Can you have both?
According to Ben Rothke, Senior Security Consultant at British Telecom, social network security is now imperative because these interpersonal forums have gone mainstream.
"Resistance is futile. Social networking is not a fad. It's a business transformation tool," he said. "Smart companies are learning to control, not block, social networks because employee use can be productive and millenials won't work at those [that block them.]"
Social networking is a game changer because it requires a shift from infrastructure protection to data protection, said Rothke. New ideas are needed to stop users from inappropriately sharing and leaking sensitive data to online "friends" and "connections." Through cumulative analysis of employee-posted data, outsiders can easily learn who your customers and partners are, what tools you use and more.
Because social networking is entirely user-based, effective risk mitigation requires a combination of technical, behavioral, and organizational controls. "This isn't something you're going to solve with an appliance," said Rothke. Instead, he recommended six steps.
Get in front of the wave by establishing a team dedicated to social network security. Task that team with identifying sites and services that could pose issues, keeping in mind that social networks change fast.
2) Risk Assessment
Evaluate social networks for site- and user-specific risks and set your organization's social media goals. For example, sites banned by the Marines ("Loose Tweets Sink Fleets") are embraced as marketing channels by Starbucks.
3) Strategy Design
Use goals and risks to shape strategy and corresponding policies. For example, decide who will serve as the public voice of your company and how employees should identify themselves and their work online. Consider specific social network scenarios and decide whether to block, contain, disregard, or embrace them.
4) Policy Creation
"Employees will do stupid things," warned Rothke. "Create a corporate policy to help them make rational, sensible use of social networks." For example, when the U.S. government embraced Twitter, it published a template for departments to use when defining their own strategy and security policies.
A policy without monitoring lacks teeth, but social network use can be difficult to monitor especially activities conducted off-site, on personal time. To address your organization's risk of intellectual property loss, decide what to check and establish personal privacy expectations.
Finally, educate your workforce about risks and policies by publishing social media guidelines. For examples, see Intel and IBM directives governing employee use of blogs, wikis, websites, and other virtual worlds.
Ultimately, Rothke believes that social networking and security can be compatible but accomplishing this requires serious effort, staff, and planning.
Decoding network security's past, present, and future
While vendors pitched wares on the exhibit floor, speaker Josh Corman, research director at the 451 Group, offered blunt views about security appliances that should and should not make your short list.
Security control spending skyrocketed at an unsustainable rate in recent years, with up to 80 percent devoted to satisfying compliance mandates. Meanwhile, as the economy tanked, 70 unique appliance categories collapsed into nine, leaving those funded by regulatory needs.
The result is a dangerously bifurcated market, said Corman "VCs aren't there to fuel innovation, and regulations force spending on some of our oldest, least effective controls," he said. "We've economically rewarded industry laggards and punished innovators."
Most of us have very lean investments to make these days, so we need to know where to put them. "If I only have time for one or two new [initiatives], how can I prioritize to move from just good enough to better, asks Corman.
It doesn't help that many security appliances wear hard-to-differentiate name tags. For example, what's the difference between a Web App Firewall and an Application Aware Firewall? (Hint: One is really a Web IPS.) What's the difference between a UTM and an XTM? (Hint: One is an extensible version of the other.)
In fact, Corman argued these should be feature upgrades to existing appliances adding Web attack detection to a network IPS or extensibility to a UTM firewall. "No more uni-taskers," he recommended. Instead of buying an appliance for each new threat, make better use of what you own. When exceptions are necessary, justify them using a defined decision tree.
But what if your existing appliance doesn't yet address emerging threats? "Put pressure on your vendors," suggested Corman. "Demand that big incumbents partner or OEM [to add features]. If you must go with a new product, invest using an OpX model" by paying for licenses, hosted, or cloud services.
Next, start retiring ineffective controls. Paying maintenance on products that have exceeded their half-life leaves nothing to improve security posture. For example, consider leveraging router firewall features instead of adding a firewall to every new network. Or demand that your endpoint security vendor throw in table-stakes like anti-virus. These alternatives are not as feature-rich, but they might be good enough for some use cases.
Finally, Corman suggested focusing new investments on "broadening your eyes and ears" and enabling "prompt agile response." Depending upon your business, this may include network forensics, SEIM, and application content/session awareness. In a nutshell, enterprises should spend less on network security so that they can set their sights higher to tackle today's top infection vectors: custom malware and SQL injection.
Putting policy into practice
Big brother Interop LV tends to hog new product thunder and this year's Interop NY was no exception. Exhibits at the Javits were lower-key than Vegas, accompanied by just a few network security announcements. Booths in the relatively cozy "Security Zone'" included SIEM vendor TriGeo and XTM vendors McAfee, Astaro, and WatchGuard.
Astaro chose Interop NY to announce its new wireless security offer: an optional package added to any Astaro Security Gateway to centrally provision, manage, and monitor 2.4 GHz 802.11n APs. Designed for SMBs, the Astaro AP10 supports up to 10 users; the AP30 up to 30 users. With this, Astaro joins a fast-growing club of vendors with integrated platforms for securing network access by wired and wireless endpoints.
WatchGuard used Interop NY to demonstrate its next release, which adds fingerprinted application control to any WatchGuard XTM appliance. Application Control leverages WatchGuard's proxy firewall platform to deliver in-depth, granular control over 1500+ Web 2.0 applications, including specific interactions with social networks, including Facebook, Twitter, and LinkedIn. WatchGuard Application Control will start at $155 for a one-year subscription, available in Q4.
At Interop LV, SonicWALL announced Project SuperMassive, a firewall combining reassembly-free deep packet inspection with cloud-sourced threat intelligence. In NY, SonicWALL used briefings to demonstrate SonicOS 5.8, adding real-time visibility into fingerprinted app streams. A free upgrade for customers with support contracts, SonicOS 5.8 will let admins drill down into over 3000 known apps to quickly visualize bandwidth consumption, user/group, and visited URLs. Armed with this insight, admins will be able to create and validate very granular rules that apply app-aware actions, from allowing Facebook while blocking Farmville to tagging email for DLP purposes.
These announcements are part of a continuing migration away from media, IP, and port-based controls. With so much riding ports 80 and 443, from endpoints inside and outside the enterprise, controls simply must be app and identity-aware. But, as Rothke noted, it's no longer enough to allow or deny entire apps or sites. To enable productive business use, enterprises must enforce and monitor rules that reflect site-specific data exposures and threats, customized to each user's needs and risks.
Next generation vulnerability management
Of course, security controls are just one part of deploying an effective cyber defense. Reactive countermeasures should be complemented by proactive threat and vulnerability management. But the latter is proving increasingly costly and difficult.
According to Tas Giakouminakis, CTO at Rapid7, the volume of disclosed vulnerabilities is growing faster than everespecially new Web app and virtualization vulnerabilities. Simultaneously, we are experiencing an explosion in client-side vulnerabilities like PDF exploitation attacks. These trends are combining to create a much larger attack surface further aggravated by vulnerabilities resulting from misconfiguration.
Old vulnerability management practices must evolve to be effective in today's threat environment, said Giakouminakis. To do so, he recommended several best practices:
Focus on Security
Avoid checkbox compliance "Compliance is a byproduct of a well-managed security program," said Giakouminakis. Instead, devote your attention to resources of greatest risk, working to identify and eliminate associated gaps.
Don't focus so much on data center security that you neglect to train developers and end users. For example, avoid blind reliance on security controls complement them by conducting social engineering and user phishing exercises.
Avoid throwing assessment reports at your operations staff. False positives are time-consuming and costly to research. Instead, conduct your own authenticated scans and penetration tests to confirm reported vulnerabilities and determine whether they are, in fact, exploitable in your environment.
Integrate Pen Tests
Don't rely solely on independent scans like PCI Audits, said Giakouminakis. Use tools like Metasploit at multiple points and layers throughout your network to identify vulnerabilities that might not be apparent to auditors.
The Common Vulnerability Scoring System can be a good starting point for risk-based prioritization but don't stop there. "Factor in overall risk," said Giakouminakis. "You won't fail PCI for DoS risk, but your business could depend on a server with DoS exposure." Instead, prioritize based on a combination of CVSS, weighted risk, vulnerability age, and availability of private or public exploits.
Define Remediation Policies
Over-reactive automated patching can waste a lot of energy or leave you unprepared to respond quickly to zero-day attacks. "Optimize for both efficiency and responsiveness," recommended Giakouminakis. "Not all vulnerabilities are created equal as such, not all patches are of equal importance."
Buy Time, Then Remediate
Don't confuse mitigation with remediation. Use mitigation to buy time for permanent vulnerability remediation, but ensure that mitigation is aligned with risk exposure and is correctly deployed.
Automate Vulnerability Management
"When you're relying upon too much manual vulnerability processing, it either costs you too much or it's not really happening," said Giakouminakis. Automate as much as you can throughout the entire vulnerability management lifecycle, from discovery and risk detection to testing, validation, remediation, and actionable reporting.
Giakouminakis called this fully-integrated approach next generation vulnerability management. "It's not just vulnerabilities that are exploding exposures are increasing. By pursuing proactive risk-based vulnerability management, you can reduce the size of the problems you're trying to solve," he said.
Not your father's network security
Despite a down economy and faltering recovery, Interop is still going strong. But Interop topics have evolved over the years; network security is an excellent case in point. Gone are the days when speakers pondered adding spam filters or VPNs to firewalls been there, done that, moved on. As evidenced by these sessions, the network security playing field has grown bigger and rockier, requiring combatants to evolve methods and solutions. Three years ago, who would have thought businesses would be fretting over how to safely enable social networking? To succeed, network security professionals must be agile and open to new ideas which makes us look forward to Interop 2011.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
Keep up-to-date on network security news--follow eSecurityPlanet on Twitter @eSecurityP.