RSA: Securing the Network
Internet-borne crime, cloud service delivery, and compliance concerns continue to push network security vendors to aim higher to secure today's networks.
At last week's RSA Conference, dozens of network hardware, software, and service providers exhibited wares and announced security offerings. Internet-borne crime, cloud service delivery, and compliance concerns continue to push network security onto center stage, forcing vendors to peer higher into the protocol stack and drill deeper into packets for greater visibility and control. In this roundup, we highlight a few announcements and demos that caught our attention at RSA 2011.
Cisco: Borderless Security Through Context Awareness
RSA is large enough to draw network infrastructure heavy hitters, from Cisco to Juniper, IBM to HP. For example, Security Technology VP Tom Gillis used his keynote to offer a glimpse into Cisco Systems' vision of the uber-connected future, where TrustSec-tagged traffic will enable appropriate handling, independent of location.
Dubbed SecureX, this framework represents an evolution of Cisco's "borderless networks" strategy which continues to rely on embedded security – based not only on packet/flow source/destination but now also this newly-added "context" (when and where available). The idea of context-aware policy enforcement sounds promising. But yet another proprietary solution that can really only reap benefits once traffic enters a homogeneous network seems, well, bounded.
McAfee: Pushing Anti-Malware into Silicon
During his keynote on driving security down the stack, McAfee CTO George Kurtz suggested reshaping defenses to better deal with contemporary threats. Kurtz told the audience that our protection models have to change. Being the sheep at the center of the herd is no longer enough to stop advanced persistent threats, he said.
Moreover, Kurtz warned that mobile and embedded devices are the new security frontier. "We literally ran out of IP4 addresses last week because there are so many of these devices out there now," he said. "Printers run embedded OS’s. Look at Stuxnet – those were air-gapped embedded systems. Ten million is the average number of lines of code in a modern automobile." To prove his point, Kurtz demonstrated a McAfee-crafted proof-of-concept trojan horse – an iPhone Flashlight app that surreptitiously connected to a command and control server to download Lua code creating a remote control backdoor.
Countering such threats, said Kurtz, means migrating defenses from the application layer to the OS, from the OS to the hypervisor, and eventually into silicon. "Silicon [embedded security] would give us unprecedented visibility," said Kurtz. "If you can peer into the OS from below, you can see malware much easier." Kurtz also advocated white-listing on static systems like SCADA, medical devices, printers, smart meters, kiosks, and servers – reactive black-list signatures just can't keep up with the rising tide of malware, he argued.
Solera: Leveraging Integration to Reduce Time-to-Resolution
Back in the expo hall, we chatted with smaller vendors – many of whom specialize in just one or two segments of the overall network security market. For example, consider network forensics expert Solera Networks. Solera's line of DS Appliances hangs from a network tap or span port, passively recording absolutely everything passing by (up to 10 Gbps) for later investigation and analysis. At RSA, we had a chance to watch the new Solera OS 5.0 in action.
Now in beta, slated for May release, OS 5.0 drills much deeper into recorded traffic, automatically classifying nearly 500 applications and over 5000 metadata attributes, indexed for rapid search and extraction. Using the DeepSee console, we quickly dialed into suspect flows, jumping right to Google Earth to visualize geographic relationships and readily eyeballing auto-reconstructed artifacts like PDF files and emails.
OS 5.0 also adds a Universal Connector plug-in to navigate right from security alerts generated by other vendors' products (e.g., firewalls, IPS, SIEM) into Solera-recorded details. In short, OS 5.0 should make forensic investigation faster and easier, speeding not only incident resolution, but spot-check verification of trusted traffic.
AppRiver: Combining Proxy Filters with DNS-Enforced Reputation
At RSA, we caught up with AppRiver CTO Joel Smith. This secure email and web cloud service provider recently announced an overhaul of their SecureSurf offering. "We designed SecureSurf to deal with web threats, but in our first pass we did it like everyone else – a full web proxy at the data center," said Smith. "But what we heard from customers was that approach was too intrusive, too slow – users felt it."
So AppRiver revamped SecureSurf to proxy only when needed, using DNS domain name blacklisting to fork suspect traffic to its data center proxy. "Our DNS look-up is fast and fully-transparent. We maintain our black-list using both internal sources [like AppRiver's spam filtering service] and third-party intelligence to avoid paradoxical blindness," said Smith. Admins can white-list domains, but SecureSurf stops end users from bypassing the service – for example, blocking URLs that contain IPs for black-listed domains.
Combining layered defenses is hardly novel. However, we found it refreshing to hear a provider not only acknowledge performance complaints, but respond by delivering a more transparent service that actually bolsters overall security.
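The DNS-enforced fork described above, as an added illustration rather than AppRiver's own code: a policy resolver answers clean names normally and steers black-listed names to the proxy, and a URL check catches the IP-literal bypass that SecureSurf blocks. The domains, addresses and proxy IP are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not the real SecureSurf feed):
# a reputation black-list, an admin white-list, and what the resolver
# would normally return for each domain.
BLACKLIST = {"malware.example", "phish.example"}
WHITELIST = {"news.example"}
ZONE = {
    "malware.example": ["203.0.113.10"],
    "phish.example": ["198.51.100.7"],
    "news.example": ["192.0.2.25"],
}
PROXY_IP = "192.0.2.200"  # data-center proxy that inspects suspect traffic only

def is_blacklisted(host):
    """Match the host or any parent domain against the black-list;
    an exact white-list entry wins."""
    host = host.lower().rstrip(".")
    if host in WHITELIST:
        return False
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLACKLIST for i in range(len(parts)))

def resolve(host):
    """DNS-enforced fork: clean names get their real address, suspect names
    get the proxy's address so only that traffic pays the proxy cost."""
    if is_blacklisted(host):
        return [PROXY_IP]
    return ZONE.get(host.lower().rstrip("."), [])

# Reverse map so a URL naming a black-listed site by raw IP (skipping DNS)
# can still be tied back to the domain it belongs to.
IP_TO_DOMAIN = {ip: d for d, ips in ZONE.items() for ip in ips}

def url_verdict(url):
    """'allow', 'proxy' (route to inspection), or 'block' (an IP literal
    that bypasses the DNS fork but belongs to a black-listed domain)."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Hostname URL: the DNS fork decides, so mirror that decision.
        return "proxy" if is_blacklisted(host) else "allow"
    owner = IP_TO_DOMAIN.get(host)
    return "block" if owner and is_blacklisted(owner) else "allow"
```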
ForeScout: Counter-Acting the Mobile Onslaught
RSA also provided a chance to sit down with ForeScout CEO Gord Boyce and VP Scott Gordon. ForeScout specializes in Network Access Control (NAC), using CounterACT appliances to enforce policies that determine who can use a given network and specified set of resources, and under what conditions.
CounterACT 6.3.4 ups the ante by finger-printing unknown mobile devices – iPads, Androids – and mapping them onto access policies. "We can watch a domain login to associate an iPhone with an [authorized] employee. Or we can hijack its browser to force the user to complete guest login," said Gordon. "This is available today, and requires no prior knowledge of the device and no agent software."
This agent-less approach can deliver visibility into what and who can access a network. But ForeScout is now working on mobile agents to enable integrity checking – that is, Endpoint Compliance, which ForeScout already offers for laptops. It will be interesting to see whether NAC vendors like ForeScout end up partnering with Mobile Device Managers, which are now sinking their hooks into iOS and Android. We hope to see integration, not duplication – laptops already run too many agents; smartphones can't afford that fate.