RSA: The Saw Six Of Tradeshows

This is the third year in a row I've gone to the RSA tradeshow. Since I don't cover security as a central part of my job, it's a lot to take in, drinking from a fire hose and all that. As I met with vendors, they generally wanted to talk about one or more of the following: trends in threats, trends in customer needs, new products they’re announcing or the overall business success they've had (they could spare me this, I know you'll find a way to tell me how great you are).

The first category is designed to scare the crap out of unsuspecting journalists so that they'll write about the findings of the vendor. For the most part it works, though after a while you can start to tell that not everyone claiming to have quantitative research does. For instance, we heard a couple vendors claim that malware was on the increase. Most say that's not true. The majority opinion is that malware attacks are becoming less frequent, more targeted, and more successful. The bad guys are organized, and they continue to get better and be more sophisticated about what they do.

Social engineering, particularly through social media sites like Facebook, is one of the newer and more rapidly increasing threats. Defending against it takes education for the most part. To a lesser degree, Web and email gateways can help to weed out some of this. The Web gateways have had to quickly become smarter about dealing with sites like LinkedIn and Facebook. It's no longer legit in most organizations to fully block these sites (some do it, and for good reason -- I know you're out there). More often you want to block certain aspects of the site. Sometimes it's identified malware like phishing attacks, in other cases you just may not want workers playing Farmville at work.

The threats follow the traffic and personal email traffic is indeed down, being replaced by traffic to social networking sites. For many it's a place they're becoming more used to interacting with friends and family, and at least so far, Facebook messaging isn't a place where you'll get daily emails from every online vendor with whom you've made a purchase. Functionally that means that Gmail or Hotmail is the place where you hear from your bank, your frequent flyer programs, your cable provider, and others that toe the line between junk and bulk email. The social engineers want to be in with your personal correspondence, and so targeting Facebook is now far more interesting to them.

Signature-based systems are still some of the most popular security systems in use. Whether it's host-based or network-based, chances are there's lots and lots of this sort of scanning happening in your environment. Polymorphic code has been the tool of choice for well-organized bad guys looking to get around scanners. Vendor Stonesoft believes we'll be seeing a twist on that concept in which TCP/IP features such as packet fragmentation, out-of-order delivery, or simple use of non-relevant features like setting type of service bits are used as a means to avoid signature detection. The bottom line is that analysis requires full processing of the TCP/IP protocol -- not just simple signature matching.

Most firewalls and IPS/IDS products look for at least some of these tricks. Whether they catch them all and whether attacks are based on ones they miss is a matter for some debate. Bottom line -- make sure that your firewalls and IDS/IPS systems fully reassemble TCP flows for analysis.

As social networking and other services like Gmail become more attractive attack vectors, the vendors are increasingly turning to encryption to protect their systems. SSL capabilities for gateways, firewalls, DLP products, and anything else that hopes to see inside the conversation is becoming critical, and of course the more watching you do, the more delay you'll incur and the more horsepower or specialized hardware you'll be throwing at a problem. If your thought is that all SSL encrypted traffic is inherently good, it's probably time to rethink that notion. The changing perimeter of defense caused by mobility and cloud usage resulted in a lot of warm air in our meetings. Most everyone who has a Windows client management or security product also has or is working on similar products for iOS, Symbian, Windows mobile, BlackBerry, and Android. Notwithstanding a Pinocchio moment that found a Juniper marketer claiming that his product, called Pulse, was always up to date, worked flawless, and took no effort to administer, others were more candid that the challenge of cross platform mobile device support is a fairly thorny one. Not all platforms allow the same level of management, so feature consistency will be an issue. Except for the smaller vendors who are picking and choosing platforms, most do see the open playing field as a welcome chance to differentiate themselves, and to increase revenue on a platform by platform basis.

The vendors know that most IT organizations can no longer say "no" to users bringing in their own devices or broadening the set of devices the company buys and supports. They see a nice new revenue stream in supporting that revolution.

On the cloud front, there's a renewed interest in authentication management and supporting strong authentication. Most of us have at one time or another thought about using the phone as a second factor -- though when authentication is for an app you're accessing through your phone, one might question if using it as your second factor really such a good idea. Nonetheless, SSO and authentication management for off-premises services is becoming a hot topic. Individuals are experiencing authentication fatigue from the myriad of username and password rules they must conform to. Some have taken it upon themselves to use password vaults, but a better bet is SAML based authentication so that IT stays in charge of the process.

One of the more major announcements was HP's entry into the security market in a bigger way. The TippingPoint IPS has been something of a lone wolf in HP's lineup. And while it's generally recognized to be a high-quality product, others, notably Cisco, with more complete product lines have been able to make the case for more complete and integrated systems. As HP unwinds years of strategic relationships with other vendors such Cisco and Oracle, it's making bold moves on a number of fronts to beef up its offerings including in security.

HP's big four are: TippingPoint, ArcSight -- a security event management system, Fortify -- an application level security assessment tool, and DVLabs, which is part of TippingPoint and monitors Web site reputations with its RepDV service. All of these products are leaders in their categories, and if HP is able to do a good job of integrating them (and that’s a big "if"), it’ll truly have made a stand as a leader in the security infrastructure space. Not that it's up for sale, but throw in the Palo Alto Networks firewall to this mix and you'd be hard pressed to find a vendor with better offerings across the major security systems (albeit all on separate hardware and with separate systems and teams). The concern here is the usual one for when large companies buy best of breed products -- don’t mess 'em up as you try to integrate them. HP also plans to offer managed services based on this product set managed by the capable hands of Jim Alsop.

HP claims that with this set of products it's much closer to offering a holistic view of risk for large IT organizations. It's hard to argue with that view. However, from the CIO's point of view, it'd be nice if HP introduced its security product team to its application performance management team (the Mercury folks) to produce a truly holistic view of performance and risk. This is the stuff that non-technical CxOs and even Boards of Directors will value in understanding the cost and benefit of technology spends.

SEE ALSO:

RSA: Defining Cyberwar And Rallying Defenders

RSA: HP Proposes Holistic Security

RSA: Working Together Works

RSA: Symantec Sees Stuxnet In Your Future

RSA: Microsoft Revises Computer Quarantine Proposal