Finger 79/tcp # Ted Julian on Gartner IT Security Summit
Dave G. | June 7th, 2007 | Filed Under: Guests, Industry Punditry
Login: ted Name: Ted Julian Org: App. Security, Inc. Title: VP/Marketing Directory: /guests/dhbg Shell: /bin/sh On since Wed Jun 6 15:55:00 EDT from www.appsecinc.com No Mail. Plan: ---------------------------------- Views expressed by guest bloggers not necessarily those held by Matasano Chargen.
Quick Disclaimer: Some readers will find it odd that we have a VP/Marketing writing a guest blog post. He may describe himself as vendor scum, but we listen to him. You should too. For the record, we are vendor scum too.
To know Dave and Tom is to love them. So when we were at the Gartner IT Security Summit this week and they asked me to write a post about the goings on here I just couldn’t say no. So here you have it, your post from the field on what you missed if you couldn’t join the festivities in DC.
First some disclosures are in order, however. Years ago I spent nearly 8 years as an industry analyst. And one of the only places I didn’t work was Gartner. Safe to assume it will be hard for me to resist finding at least some flaws in their logic. Second, while Dave and Tom can post here with some semblance of vendor neutrality – I’m vendor scum, plain and simple. There’s a better than decent chance you’ll find some comment in here about how database security is the most critical and strategic investment enterprises need to make because the threat has changed, attackers have gone pro, they’re after data they can sell and the most efficient way to harvest the maximum amount of this data is by compromising your databases. If you’re not protecting against this threat, you’re throwing good money after bad, or at least putting data security lipstick on the network security pig. Hey, at least I told you up front. That’s more forthcoming and more provocative than when at RSA this year Art Coviello’s big idea was that there’d be no more standalone security companies – right after RSA got bought by EMC. Or yesterday when Bruce Schneier’s key take-away was that security products will disappear because you’ll buy them with your infrastructure – now that Counterpane is part of BT.
So what are the Gartner gang’s key take aways?
It’s all about Application Security, sorry, I meant application security
You’ve heard the argument before: it’s far less expensive to remove security issues earlier in the development cycle than at production or even worse after a breach. Gartner (and others) have said this before, but to Gartner’s credit, they drilled down quite a bit on this notion. Joseph Feiman did the best job I’ve seen of segmenting the development process (design, architecture, coding, etc.), highlighting the security issues at each stage, approaches you can take to address them, etc. This charming guy has just been made a research fellow so he can chase this idea, which is great because I know that by the end of his session I was dying for the next step. That is, drill down into each of these areas to nail the people, process, and technology details. He’s got another session today – so maybe we’ll get more detail. That will be critical since the challenge for IT on this front is to identify quick wins that tide you over while architecting the proverbial great leap forward. Because if payback is restricted to new code working through the whole process and then getting broadly deployed, we won’t be able to witness it. It’ll take 10 years and we’ll all be off to different jobs – a few times over.

The collision of security and compliance

Essentially, it boils down to building a control framework, identifying the universe of controls within that framework, and then mapping them to your disparate compliance initiatives. Don’t run 38 scans for your 38 compliance initiatives. Do run an uber-scan once and take what you need from it for each initiative. This way, you can minimize the redundant gruntwork associated with a one-off, reactive approach and minimize the risk that you’re so busy getting the auditors what they need that you take your eye off the security ball. Good security should make compliance easy. Other than getting the auditors off your back, I don’t know what good compliance gets you.
Here too, the idea is not new or particularly unique, but Gartner drilled down to make it more actionable. For example, the “distinguished” Mark Nicolett and much respected (and ironically vendor-scum turned enlightened analyst) Paul Proctor detailed how this works, frameworks you can use (e.g. ISO 27001, COBIT), infrastructure you might apply this to (like databases – hey, maybe these guys aren’t so bad?).
I’ve got two nits to pick on the many compliance discussions. One is the notion of audit. Like security, auditing is a process, not a product. It spans scanning, monitoring / detection, configuration, logging, and god knows what else. Actually, he/she probably doesn’t know or care, but your auditor might tell you – for some cash, on a quarterly basis. Anyway, in the same way you can compliance yourself out of security, you can audit yourself into oblivion. In my simple mind, audits are simply an awesome corollary benefit of good vulnerability management. Specifically, scans get you the reporting you need to document that you’ve established the appropriate controls. Meanwhile, monitoring helps you flag violations of those controls in a timely fashion. To Gartner’s credit they’ve bolted this notion on to their vulnerability management lifecycle – they just need to be consistent by carrying this through the rest of their research and keep running with it. I think this is a big idea and, from a “writing cool research” perspective, so far they’ve buried the lead.
My second gripe is the notion of privileged user monitoring. It came up a ton. Ironically, so did the conflicting but spot-on notion that knowing the true user is virtually impossible given account pooling and other crippling complexity. So, how are we supposed to monitor privileged users if it’s impossible to know who they are?
More achievable and probably more valuable is simply monitoring privileged activity. For example, in my “I’ve got a database security hammer and all I see is nails” world, it isn’t too hard to identify what columns in the database matter most (like maybe the credit card number column) and then simply monitor all activity against it, independent of the user. The wily external hacker compromises wireless to get on the corporate LAN and gain privilege on the database? The insidious insider DBA runs a select * against the credit card column? It’s all the same to us, they try to rob the database – we’ve got ‘em.
Over time monitoring systems will integrate with other infrastructure (SIM / SIEM, directories, IAM, and so on) to help get to the true user. But at least today you can get an early warning system which if you’re lucky will flag a reconnaissance attempt so you can avoid a breach altogether. If you’re not so lucky, you’ll still know fast and can do some quick old-fashioned forensics to contain the damage and try to catch the bad guy.
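The “monitor the column, not the user” idea above is easy to show in code. The following is an added example written for this post, not part of the original or of any vendor’s product: it runs a watch list of sensitive columns over a handful of constructed database audit log lines and raises an alert for any statement that reads or writes a watched column, or that does a `SELECT *` against a table holding one, regardless of which account issued it. The log format, the table and column names, and the `svc_pool` shared account are all assumptions made up for the example; a real monitor would parse SQL properly rather than use the word-match heuristic here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical watch list: the columns that matter most, keyed by table.
SENSITIVE_COLUMNS = {
    "customers": {"credit_card_number"},
}

# Constructed audit log in an assumed "ts user=... stmt=..." format.
SAMPLE_LOG = """\
2007-06-06 15:55:01 user=appuser stmt=SELECT name, email FROM customers WHERE id = 42
2007-06-06 15:56:10 user=dba stmt=SELECT * FROM customers
2007-06-06 15:57:33 user=svc_pool stmt=SELECT credit_card_number FROM customers WHERE id = 7
2007-06-06 15:58:02 user=svc_pool stmt=UPDATE customers SET credit_card_number = 'X' WHERE id = 7
2007-06-06 15:59:45 user=report stmt=SELECT COUNT(*) FROM orders
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")
# Heuristic: tables named after FROM / UPDATE / INTO / JOIN.
TABLE_RE = re.compile(r"\b(?:FROM|UPDATE|INTO|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
WILDCARD_RE = re.compile(r"\bSELECT\s+\*", re.IGNORECASE)


@dataclass
class Alert:
    ts: str
    user: str
    table: str
    reason: str
    stmt: str


def tables_in(stmt: str) -> set[str]:
    """Return the (lower-cased) table names a statement references."""
    return {t.lower() for t in TABLE_RE.findall(stmt)}


def check_statement(ts: str, user: str, stmt: str) -> list[Alert]:
    """Alert on any statement touching a watched column, whoever ran it."""
    alerts: list[Alert] = []
    for table in tables_in(stmt):
        watched = SENSITIVE_COLUMNS.get(table)
        if not watched:
            continue
        # SELECT * pulls every column, so it necessarily includes the watched ones.
        if WILDCARD_RE.search(stmt):
            alerts.append(Alert(ts, user, table, "SELECT * against table with sensitive columns", stmt))
            continue
        for col in sorted(watched):
            if re.search(rf"\b{re.escape(col)}\b", stmt, re.IGNORECASE):
                alerts.append(Alert(ts, user, table, f"touches sensitive column {col}", stmt))
                break
    return alerts


def scan_log(text: str) -> list[Alert]:
    """Run the watch list over every parseable line of an audit log."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real monitor would count these too
        alerts.extend(check_statement(m["ts"], m["user"], m["stmt"]))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} user={a.user} table={a.table}: {a.reason} :: {a.stmt}")
```

Note that the `appuser` query against the same table does not fire because it never names the watched column, while both `svc_pool` statements do, even though nothing in the log says which human was behind that pooled account. That is the early warning the post describes: the activity is what gets flagged; attributing it to a person is a later, separate step.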
The bad guys are crafty and you should be VERY scared. Details about different break-ins have been sprinkled throughout this thing, but as usual Avivah Litan’s prezo was chock-a-block with details about who the bad guys are, how they’ve pulled off different heists, and what they got away with. And Greg Crabb from the Postal Service (the guys who deliver the mail, not the band – though that’s also a worthy topic) had some great war stories - including pictures! Later today, Rich “The Mogul” Mogull looks to add to the booty with his talk, “Involuntary Data Security Case Studies.”
Even jaded security veterans can’t resist fodder like this. It’s a necessary reminder that threat has changed and more of the same won’t save us.
The major gripe I heard from attendees was the increased amount of vendor advertising – vendor prezos at meals, vendor tracks throughout the day sandwiched between the Gartner prezos, and so on. A few people I talked to said they’d pay more to do away with it.
Fionnbharr
June 8th, 2007 8:05 pm

I attended my first commercial security conference a couple of weeks ago (the AusCERT one) and I was appalled by the amount of random gifts vendors were giving out. Even during lunch a 10 ft remote controlled blimp would fly around and drop ping-pong balls on people which you could swap in for prizes. While the blimp was cool I thought it was a bit much to still be harassing us at lunch.
I understand that the conference was a mix of management and technical types, but enough is enough. I was even approached to see if anything was wrong by one of the main organisers after I refused to take the swag bag that they hand you when you walk in. I know we’re all geeks but do you really need a 4-port USB hub with an alarm clock built into it? It’s just wasteful as 99% of that stuff will end up in the bin. Booth babes are another issue but I won’t go into that otherwise I’ll be here all day.
But the worst part about it was that people really did enjoy all the vendor swag trash.