Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Uncategorized’ Category

Why? In French

without comments

I usually do not like to quote films. But once in a while I see an old quote in a new light. In the superbly geeky Matrix trilogy there is a very likable character called “the Merovingian” or “the Frenchman” who falls nicely into the stereotypical bucket of the hedonist, philosophical French person (in reality, the hedonism cloud has long left Gaul and has settled nicely over the Far East, and as for philosophy, well, it is in French, you know…).

In the following exchange (from “The Matrix Reloaded”, 2003) the Merovingian refuses to give up the Keymaker to Morpheus, Trinity, and Mr. Anderson:

Merovingian: The question is, do *you* know why you are here?
Morpheus: We are looking for the Keymaker.
Merovingian: Oh, yes. It is true. The Keymaker. Of course. But this is not a reason. This is not a “why”. The Keymaker himself – his very nature is a means. It is not an end. And so to look for him is to be looking for a means to do… what?

The Merovingian thinks deterministically. He believes in causality. He believes that there is a reason for everything and that the answer to every question lies in having all the historical data and mining it to understand cause and effect. His belief is useless for untangling the complexity of real life, but it serves well in the security world.

Merovingian and Persephone

Technical security does not care about the “Why”. Why is irrelevant. Spyware is spyware, a bot is a bot, and a virus is a virus. None of these has any reason to be on any network (with the sole exception of the quarantined research labs of security vendors and security researchers), and wherever they are found they are promptly disposed of. They are the online equivalents of rats in the kitchen: the cook chases them with a hatchet.

However, when attempting to secure the business it is the “Why” that is important. Why does the employee need access to Facebook? What is the risk associated with this access? And how does the security team empower (i.e. allow) the employees to do their job and make money, safely?

Why do employees leak data, need administrator privileges, or access websites? Well, in most cases it is to get their job done. Or to augment an employee 2.0 lifestyle with extracurricular activities. Whatever it is, there is a reason, a business process, or a habit behind it.

Without the “Why”, business security is blind and can cause as much harm as good.

The Merovingian also said: “I love French wine, like I love the French language. I have sampled every language, French is my favorite. Fantastic language. Especially to curse with. Nom de dieu de putain de bordel de merde de saloperie de connard d’enculé de ta mère. It’s like wiping your arse with silk. I love it.”

Couldn’t agree more.

Written by assafl

January 9th, 2009 at 5:38 pm

Posted in Uncategorized

Integrity and the Can of Extra Virgin Olive Oil

without comments

So the California state government is going to regulate olive oil (in this case, California will follow Connecticut). The case in point is adulterated cans of olive oil that are labelled 100% Extra Virgin Olive Oil (see http://news.yahoo.com/s/ap/20081121/ap_on_re_us/olive_oil_standards).

Now I am typically against government regulation, with a few exceptions. Maintaining the integrity of everything from investment firms to branded products to olive oil pressings is one such exception.

Why? Well, take Bernard Madoff, for example. The SEC completely missed that one, causing even more damage to a battered financial system. Our savings will bleed some more because of this. Phishing exploits the integrity of brands and reduces the usefulness of email. Etc. Integrity is key to confidence, and confidence propels humanity forward.

And as for olive oil adulterated with peanut oil? Well, apart from me frying something in what I believe to be Omega-3 rich stuff pressed by Italian farmers that may actually be inexpensive soybean or peanut oil, what about the poor sod who is allergic to peanuts and gets anaphylactic shock?

Losing integrity can (and will) turn fatal quickly.

Hurry up California. Purify my olive oil supply NOW.

Speaking of olive oil, remember to restock regularly. Oils are highly perishable, so replace them every 6-12 months (before they oxidize and turn rancid).

Written by assafl

December 18th, 2008 at 7:06 am

Posted in Uncategorized

Another zero-day exploit can take over your IE

without comments

Yet another zero-day emergency patch has been released by Microsoft, http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx, following last month's equally dangerous vulnerability. Patch it ASAP. This one allows remote code execution on your machine when you view a specially crafted web page, and it affects all versions of IE.

This is getting wearisome. Time for Microsoft to start rethinking the IE infrastructure from a security perspective.

Meanwhile, Mac OS users are contemplating whether an AV makes sense for a Mac or not.

Written by assafl

December 17th, 2008 at 11:54 pm

Posted in Uncategorized

On Techniques and Methodologies – Or the “Great Security Quibble”

without comments

Great craftsmen use tools to manipulate raw material into something great. Luthiers painstakingly select the proper wood for the application and work it into emotion-inducing string instruments. Great chefs select great products and use various techniques to convert those products into something better. The better security professionals select the tools that will help them advance the state of security (of being secure) throughout their organization.

All this assumes great craftsmen and professionalism in their art. Without a great luthier, it does not matter how good the planes and cutters and bridge-setting tools are. Or how long the maple, spruce, ebony or other wood has been aged. The violin will just not sound right. Similarly, an awful cook can take the best products and convert them into something that is both disturbing and toxic.

Competent professionals work with determination and aplomb

An incompetent security professional can spend many resources on the wrong products and technologies. Even worse, the incompetent professional might lead their organization into a false sense of security (which oddly reminds me of the famous Monty Python sketch about the “machine that goes ping”, http://www.youtube.com/watch?v=arCITMfxvEc; I have this vision of John Cleese as a security guy saying “we have this doohickey here and therefore we are secure – What? … Nah – Did we need to install it?”).

What sets apart the great practitioners and professionals from the incompetent wannabes is a keen focus on the issues at hand and a mastery of the techniques and methodologies prevalent in the field. Good practitioners understand the focus, know what needs to be done, and execute, while the best professionals are able to understand the ecosystem of current techniques and methods and extend its boundaries in order to adapt to a changing landscape.

And yet I keep hearing and reading generic discussions surrounding security that are uprooted from any meaningful scenario (a time and place, and a sensitivity to risk). Current topics I read about on a daily basis are the security of cloud services and the security of virtualized applications/platforms. I call these “security quibbles”.

Discussing these topics without planting one's feet on the terra firma of a scenario is utterly meaningless. For example, let's review a current discussion topic: which is better, SaaS, a hosted server or a hosted virtual image? Let's try to avoid the standard silly audiophile-style discourse (my Mark Levinson amplifier sounds better than your Krell; there is more “air” around the rosin of the violin) and say, instead, that the data is the launch codes for the US strategic ICBM force. For this scenario, all three are equally bad. In fact, anything that is connected to any public network is too risky for this application (IMHO). What about a banner ad server for Google ads? Probably all three work equally well, perhaps overkill. Another part of the equation is the quality of your security team – better teams can better provide security for their organization.

The security quibble is the fad/fashion of the day and thus better left to such professional magazines as People magazine and the National Enquirer. It has no place in the security discourse.

Product selection processes are yet another area that is prone to the quibble mentality of generalities and fads/fashions. But sales of any sort (be it toys, game consoles, cars, houses, submarines, nuclear missiles, planes, ECG machines, power plants, AV systems or any other “large enough to be substantial” expense) are more a matter of psychology than of scientific method. As a result, in many cases where needs should drive product selection the opposite happens.

Outsourcing is another oft-blogged topic. Outsourcing is neither good nor bad for security. It has its risks.

The security professional should stop thinking about technology trends as good-or-bad, and instead analyze the risk, identify the critical business factors, and make sure they are articulated properly to the decision makers and vendors. The different options can then be laid out with their associated risks, and any suggested modifications to SOP (methods and techniques) should be highlighted. Similarly, critical business factors should then drive the selection of any products that compensate for areas of increased risk.

I will concede on one point: the security quibble is what keeps us interested. The security quibble is the pornography of the security world. When I get some time, reading security blogs is amusing and fun. But the best has got to be Bruce Schneier. His books sometimes read like “coming of age” stories, except with a security “spin”. The cryptographer “coming of age” and realizing that the world is not perfect. To which I agree – it is not.

Written by assafl

December 16th, 2008 at 10:33 am

Posted in Uncategorized

Oh Great Database – Wherever and Whatever is My Data?

with one comment

So Sharon posts some on the Imperva blog. A nice post was about data loss at companies that do database monitoring: http://blog.imperva.com/2008/12/protecting-the-database-less-i.html

It does not surprise me that people who monitor more lose less. They know more about where their data is and how it is being used. And they assume less. So their time is better spent, focusing on “what is” vs. “Hmmm… perhaps they are doing this and maybe they are doing that”. It is somewhat of a statement of the obvious.

So we are back to what most practitioners of security know (or should know): that governance is key. In order to do security right, you must KNOW what the crown jewels are, where they are, what employees are doing with these jewels, etc. At that point you can secure, you can prevent, you can assess risk, you can make decisions based on factual data (not imagined data).

Pamela Fusco continually drives this point forward. In her presentations (an example of which can be found at http://www.securedenmark.com/2007-Presentations/Fusco%20Denmark%20final.ppt) she typically reflects on a multi-year strategy for the correct way to build a security practice. She actually recommends starting higher than governance – she starts with the business drivers (you can't have governance without understanding the business). She is dead on!

Governance can exist without security (it is merely a decision based on an acceptable level of risk). But security without governance? No chance.

Written by assafl

December 15th, 2008 at 7:04 pm

Posted in Uncategorized

Question for Geeks

with 2 comments

Are SMTP messages the cockroaches of the Internet?

1. There are lots of them
2. They multiply exponentially
3. They have been around for a very long time (in Internet years)
4. They are extraordinarily resilient

/al

PS Since our readership is global, I want to ensure that everyone is aware of which cockroach we are talking about: Periplaneta americana (the American cockroach). Below is a picture of an adult female.

Adult female American cockroach

There are other cockroaches (like the German cockroach and the Madagascar hissing cockroach, which makes for an adorable hissing pet for other people). But they are not the topic of this discussion.

Written by assafl

December 13th, 2008 at 1:16 am

Posted in Uncategorized

Heck, I just flushed some more money down the toilet

without comments

I would expect plumbers to be doing good business with all the $100 bills clogging the sewers of downtown New York City (under the smoldering ruins of Bear Stearns and Lehman Brothers).

Well, today it became clear that some of these dollars came from Bernard L. Madoff, the former chairman of NASDAQ and head of Madoff Securities LLC. Some $50b was flushed down the toilet. Madoff admitted to his employees that his hedge fund was “one big Ponzi scheme”. Which means that investors who got their money out early f****d the investors who were late to pull out. As always, timing is not everything, it is the only thing.

This action is sure to help restore confidence in the financial management of our stock exchanges.

C’mon guys. There are rules. People who wear Italian suits and shoes, walk around with leather-bound notebooks, sign cheques with elaborate fountain pens, and drive Bentleys should not lead $50b Ponzi schemes. Especially if they operate from well-appointed, mahogany-trimmed offices in lower Manhattan. Offices with rows of computer displays that provide real-time market analysis data. I mean: how would we differentiate them from the experts?

NB. Sharon will let me know in a reply to this post that:
1. “Flushing money down toilets” is not a literal statement. It is a figure of speech, and figures of speech do not clog sewers. But even Sharon will have to agree that had New York bankers tried to flush the paper equivalent of the amounts of money they destroyed, the sewers would have been clogged shut.*
2. Sharon would claim that I am wrong: Bernard Madoff’s $50b Ponzi scheme is NOT sure to restore investor confidence but is actually most certain to cause it to drop even more. To which I retort: Can it? How low can confidence go?

*Note: Lucky for them that the only thing that suffered in their office was a shift register that no longer uses (or needs) the MSB. That, and the 500,000 American employees who are newly converting to stay-at-home bloggers (damn competition).

Written by assafl

December 13th, 2008 at 12:54 am

Posted in Uncategorized

Seating the security guy

with 2 comments

Security is broadly defined as the quality or state of being secure. To be secure, one must invest in ensuring a secure future. So what do you do when you have the most award-winning, successful seat in the industry, and your patent is about to run out?

Well, Herman Miller, a US manufacturer of office furniture (rather expensive furniture, some might say), is a couple of years away from losing its patents on a seat that has a place of permanence in the MoMA collection: the Aeron chair. Like it or hate it, the Aeron chair is responsible for much moolah for the Herman Miller corporation.

The somewhat ugly but very functional Aeron chair was designed by Don Chadwick and Bill Stumpf, and was released in 1994. Give 17 years or so for a patent, and the Aeron’s patent expires. Perhaps Knoll (a competing manufacturer of seating) will create an Aeron look-alike? Here is the breakdown of the chair for you home tinkerers.

Faced with an uncertain future, Herman Miller did the three things they could to secure their future:
1. Add new patentable features to extend patent protection: Herman Miller added their PostureFit lumbar support attachment around 2001. Designed by Dr. Brock Walker, who in defiance of his name prefers skiing to walking, the PostureFit attachment is a more comfortable version of the lumbar support pillow.
2. Copyright/trademark the design: Copyrights and trademarks, unlike patents, don’t necessarily expire. So while competitors will be able to copy the mechanics of the chair, they will not be able to copy the tell-tale shape of the chair. So a copy will look “different”, and the comfort of the differently shaped seat might be different as well.
3. Design a whole new seat: The Embody chair, at almost twice the cost of the Aeron, is the last aspect of Herman Miller’s strategy to secure their future. Also designed by the late Bill Stumpf, with Jeff Weber, it is as prominent as the Aeron chair by being, well, different. And as ugly.

That is Herman Miller’s strategy for security. Security in the sense of securing their future. No firewalls, no locks, no DLP and no database security. But a security strategy nonetheless (with investment, and resources, and secrecy). Just an audacious resolve to keep ownership of the ergonomic seating market. With this kind of focus on securing their future, I sense that Herman Miller, with its ugly seating, is here to stay for the foreseeable future.

Written by assafl

December 10th, 2008 at 2:04 am

Posted in Uncategorized

Solutions, systems and products

without comments

When is a widget a solution, a system and/or a product? Is my car a product: a box with 4 doors? Or is it a system consisting of liquids and gases and salespeople and servicing dealers? Or is it a solution to my problem of getting around Los Gatos, or from Los Gatos to SJC?

When I buy this car, what should my POV be? Should I be looking at it as a solution to the problem of getting around? Most cars fit that bill well, so perhaps I should buy the first car I see. Should I regard it as a system and consider after-sales support? Or should I just be looking at it as a product as measured by torque or MPG?

Now to the point: How do I judge security solutions/systems/products?

For products, the old “feature/function/benefit” deal works. A firewall is a firewall. Perhaps one is easier to manage, but all that affects is the TCO, which is difficult to forecast anyway.

Is it a system, in that it is important that an AV company has a process to find new viruses and product features that allow them to provide updates? Or is it sufficient that the AV just has an update feature with no discernible way to get new viruses from the field? Many security researchers will agree that it is the system behind the AV that is important. Otherwise the AV would be outdated.

In the AV case, the system is hidden by the product. When choosing an AV, it is difficult to ascertain which AV provider has better methods, better processes, better and faster analysis and better access to virus sources. So how do we choose? Well, for most security professionals, the answer is to choose based on “out-of-band” parameters, such as “who is my strategic vendor” or “who is faster”.

An interesting approach is taken by Benny Czarny, whose company, OPSWAT, makes an aggregator that integrates most of the virus engines into one. Called Metascan (http://www.opswat.com/metascan.shtml), this engine cleverly sidesteps the problem of assessing the back end of the AV provider by eliminating the need to make a choice. Just license them all, or a subset, and your risk of a missed detection will be reduced (the flip side being that a union of engines is also a union of their false positives).

But what about the other solutions/systems/products out there? As a decision maker, how do you gauge the service aspect of the product?

Comments welcome.

/al

Written by assafl

October 31st, 2008 at 12:13 pm

Posted in Uncategorized

Mom – another sage of doom is upon us

without comments

So Amrit is not the first to write a doomsday prediction about the current outcome of Wall Street’s greed-meisters (http://techbuddha.wordpress.com/2008/10/18/technocalypse-the-economic-crisis-and-its-impact-on-innovation/). But his predictions are indeed bleak.

But then – I think about security:

Won’t security become even more necessary now that cash is king, and CFOs routinely tote a bag full of $100 bills? Won’t companies need security even more (to protect what’s left of the dreams, even if, as Amrit predicts, it is provided as a service) now that order is gone? Have we not learnt that from the doomsday films of the 70s?

Perhaps all security professionals should hear this message and make themselves visible. Buy a fur hat, large rings and a pimp suit. Or maybe not.

If you ask me – it is hooey. True: if you happen to be at retirement age, and kept all of your money in stock (geesh, what were you thinking?) then retirement is hereby postponed. Also, people who bought houses they couldn’t afford can afford them even less now. Get out quickly. But overall, Cargill still slaughters a humongous number of cows a day; ADM still harvests many tons of corn, and Kellogg’s still bakes cereals. Overall, we are still in a country with lots of resources and brainpower. When that is about to change, I’ll be writing this blog entry from Mumbai.

/assaf

PS – The meisters who created this mess are now hiring lawyers. Perhaps justice will be served. I am still looking forward to when Dick Fuld gets his share.

Written by assafl

October 20th, 2008 at 5:22 pm

Posted in Uncategorized