Special Edition Lippis Report on Network Security, Issue 1: Network Security 2.0: A Systems Approach to Threat Mitigation Emerges

The conventional wisdom in IT threat mitigation is to build a layered "defense in-depth" approach with security technology such as firewalls, IPS, network access control, anti-x client software, alarm aggregation and event correlation, etc. While the layered approach to defense remains a useful threat mitigation strategy, the threat landscape has changed, forcing conventional wisdom to shift toward a systems approach to protecting corporate assets.


The traditional layered approach was built upon deploying best-of-breed products, which remained best-of-breed only until newer products emerged and relegated them to stand-alone appliances or loosely coupled security silos, such as the linking of IPS and firewall devices. The systems approach builds upon this IT security investment by wrapping it with system management for policy, reputation and identity that transcend end-point, network, content and application security. The systems approach promises to:

  1. Enforce business policies and protect critical assets
  2. Decrease IT/secops administration burden and reduce TCO
  3. Reduce IT security and compliance risk
  4. Protect corporations from new pervasive threats

Complex World With A New Threat Landscape


We conduct business in a complex and ever-connected world. New applications such as unified communications, collaboration and conferencing drive deeper levels of engagement between employees, partners, suppliers and customers. Mobile and nomadic workers connect to their business network from any geographic point on the planet. Web 2.0 applications enable new combinations of dissimilar content and communications, which were once separate, to offer new ways to communicate and connect. All these trends are wonderful new economic productivity advances but they also create a new set of security threats and challenges.

Net Security 2.0: What Are The New Threats?

In the Network Security 1.0 era, attackers infected the communication and collaboration tools dominant at the time, namely email, IM, the web and the infrastructure itself, with malware, worms, viruses and other exploits. Because hackers used these communication tools to cause damage, IT leaders built a perimeter defense with firewall and IPS network security technology. Hackers then bypassed the perimeter by targeting employee behavior: the use of IM and email, visits to websites and other applications became a prime target for spam, malware and similar attacks. In short, hackers found new ways to target behavior and circumvent firewall policies and rules, reducing the perimeter's defensive strength. Thus Network Security 2.0 was born.


Hackers have matured well beyond thrill-seeking mischief into cyber-crime, which is the basis of the new threat landscape called Network Security 2.0. Organized on-line crime groups are profit-driven and motivated to cash in on their exploits. Some seek ways to access corporate databases rich in identity, social security and/or credit card information and either sell or mine this information. Others run a service bureau by building a large botnet to send spam or engage in other illegal activities.

From a corporate perspective the main IT security concern is loss of data and data theft, as this damages the corporate brand and complicates business relationships with customers, partners and suppliers, not to mention the regulatory and legislative consequences. For business leaders, data loss and theft is a lose-lose scenario: executives are obligated to communicate a breach to their customers and government officials in the most public of arenas even if they only think or assume a data loss has occurred. Even if the lost data is never maliciously used, the board of directors (BoD) is required to communicate the loss via mass media, which creates the same risk as if the data were actually used maliciously. At times the lack of malicious use can be worse for corporations, as customers are left wondering when their identity will be stolen thanks to the breach.

Because of the new brand and reputation threat environment associated with Network Security 2.0, network security is now a high-level business issue. Business and IT leaders have responded with risk management and in particular IT risk management positions, which focus on defense, compliance and security management and are funded through compliance and departmental budgets appropriated at the board level. In particular, payment card industry (PCI) projects, which refer to the requirements of the Payment Card Industry Security Standards Council, are BoD top-down projects that dictate specific network security requirements to safeguard debit, credit, ATM, POS and other confidential information.


Most boards around the globe are worried about compliance, PCI compliance in particular, and about data loss and theft, and they are asking their IT and business leaders: what are we doing to defend against these exploits and be compliant? What are our policies, and what technologies do we have in place or need to acquire to build up our defenses against malware, spyware, botnets or something inside our corporation potentially contributing to data leakage or non-compliance?

What's different about Network Security 2.0 is that the defenses of the year 2000 era will no longer work. In early 2000, if a corporation was infected with an Internet worm propagating through its network, IT could simply buy an IPS with good signature coverage, deploy it, and it would block the worm and the problem went away. Network Security 2.0 threats are multiple and carry embedded policy to circumvent single-purpose defenses such as firewalls, spam filters, IPS devices, etc. To defend against these "smart threats", the totality of network security devices needs to work together, which requires a systems approach to security that builds upon prior investments in layered defense. In short, an orchestration function is needed that uses the defense intelligence already in the network to mitigate this new class of threats.

Systems Approach To IT Security


End-point, network, content and application security are the four architectural components of the systems approach to network security. Each of these components is part of a layered security defense. End-points are protected with anti-x software. Networks are defended with firewalls, IPS, NBAD, NAC and NAP security technology. The network needs to be defended at the protocol level, looking deep into flows for anomalous behavior and acting upon it.

Content security is a new and emerging threat defense approach that protects users from content in email, web sites, IM, etc., since it is the content flow itself that can be the threat needing mitigation. New email servers come on line and go away very rapidly, as do web servers that host malware. This requires a reputation-based defense approach rather than one based on signatures, and the ability to respond to a very large number of variants, since the attacks are often very targeted yet change rapidly with the environment. Each attack is different, so the defense must address many unique attacks. Gone are the days of widespread, single-pattern attacks like NIMDA; they have been replaced by varying attacks whose embedded policy lets them change to defeat defenses. These attacks on collaboration applications arrive via email, web, IM or other emerging communication applications. With the attacker now relying on users to propagate attacks rather than self-propagation, content security focuses on inspecting the content to protect users from actions that may fuel a successful attack.

Applications and the data they access are forecast to be the next target attackers go after. With more and more Web 2.0 and SOA/Web Services enabled in organizations, attackers are expected to target these applications, especially given the customer information, business data and intellectual property that reside there.

The systems approach is focused on orchestrating these existing threat defense technologies to work together as a system, much like Tivoli does for IT. To achieve this, system management capabilities tie all four components together via policy, reputation, services and identity. System management can push common policy across all four components. Products such as Cisco's MARS 6.0 aggregate alarm information into correlated events, delivering either automated remediation or actionable remediation suggestions to network operations. These alarm aggregation and event correlation products upload alarm information from each of the four components, correlate the data into scenarios of possible threats in the network, and then proactively either apply a policy or respond to a threat.

The systems approach is based upon exploiting "best-of-breed" security products already implemented within a corporation but managing them via system management. It enforces business policies across the four components and protects critical IT assets while decreasing IT operational burden and cost. The end result is reduced security and compliance IT risk. This approach frees security buyers from the dilemma of whether to buy "best-of-breed" or build a systems approach to IT defense.
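As an added illustration (not code from the report, MARS or any Cisco product), a small Python sketch of the alarm aggregation and correlation described above: constructed alarms from the four components are grouped per asset within a time window, and a grouping that spans more than one component yields the kind of remediation suggestion the report says correlation products hand to network operations. Component names, hosts and messages are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    ts: int          # seconds since epoch (constructed)
    component: str   # "endpoint" | "network" | "content" | "application"
    host: str        # asset the alarm concerns
    detail: str


# Constructed sample alarms from the four components named in the report.
ALARMS = [
    Alarm(1000, "content",     "pc-17", "mail from sender with reputation score 5/100"),
    Alarm(1040, "endpoint",    "pc-17", "anti-x blocked unsigned binary"),
    Alarm(1100, "network",     "pc-17", "NBAD: outbound connection rate anomaly"),
    Alarm(1200, "network",     "pc-42", "IPS signature match, single event"),
    Alarm(5000, "application", "pc-17", "failed logins against CRM web service"),
]


def suggest(components):
    """Remediation suggestion the orchestration layer hands to network operations."""
    if {"endpoint", "network"} <= components:
        return "quarantine host via NAC and collect end-point agent logs"
    if "content" in components:
        return "block sender/URL reputation at content gateway; notify user"
    return "open ticket for analyst review"


def correlate(alarms, window=600, min_components=2):
    """Per host, return the strongest cross-component alarm group within `window` seconds.

    A single-purpose device judges each alarm alone; here low-severity alarms from
    different layers add up when they concern the same asset close in time.
    """
    by_host = defaultdict(list)
    for alarm in sorted(alarms, key=lambda x: x.ts):
        by_host[alarm.host].append(alarm)
    findings = {}
    for host, evs in by_host.items():
        best = None
        for i, first in enumerate(evs):
            group = [e for e in evs[i:] if e.ts - first.ts <= window]
            comps = {e.component for e in group}
            if len(comps) >= min_components and (best is None or len(comps) > len(best[0])):
                best = (comps, group)
        if best:
            comps, group = best
            findings[host] = {"components": sorted(comps), "alarms": len(group),
                              "action": suggest(comps)}
    return findings
```

With the sample data, pc-17 correlates across content, end-point and network alarms within ten minutes, while the later application alarm falls outside the window and pc-42's lone IPS event never escalates.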

Start-ups Can't Keep Up

Every new wave of security threats has provided a market for start-ups to develop a best-of-breed product designed to mitigate that threat. These firms are usually very good at engineering a defense to a particular threat but do not possess the resources to address the next wave of threats. In short, these start-ups are in an arms race with attackers, and as the attackers have evolved into on-line criminals equipped with financial resources that outpace start-up budgets, the on-line criminals always win. The result of this cycle is that best-of-breed products by themselves are dead ends. They either become a stand-alone device or appliance such as a firewall, NBAD, IPS or NAC appliance, or they attempt to expand their threat mitigation portfolio in a small number of areas, via internal development or partnership, and build a loosely coupled security silo. For example, 3Com's TippingPoint IPS partnership with Lancope's StealthWatch is a loosely coupled security silo of IPS and NBAD threat mitigation.

Mitigating Emerging Threats or Pervasive Threats?

This is not to say that best-of-breed is bad. But best-of-breed products implemented as part of a holistic systems approach have a longer life and improve the security posture of the company. Consider Cisco. Cisco offers a NAC appliance that is a best-of-breed product, but to gain greater value from it, the appliance can become part of the systems approach, which allows it to work with other security products such as Cisco's TrustSec. In a systems approach, the NAC appliance touches everything the network connects, extending its reach and usefulness. Cisco's security strategy is to offer best-of-breed products that can operate on their own and migrate over time into a systems approach delivering greater value to customers. For example, a Cisco customer may implement Cisco's IronPort, which may not be part of the common management framework, or Cisco Security Manager may not manage IronPort on day one, but it is a best-of-breed email security product that over time will become part of the systems approach. In short, Cisco has developed a vision and strategy for a network security platform that places its customers on a journey.

Cisco promises that a company's security posture will improve as it moves through this journey. For example, to provide data loss prevention (DLP), a customer can combine its IronPort email security best-of-breed solution with CSA (Cisco Security Agent) capabilities plus storage media encryption, and put these best-of-breed solutions together as a system to deliver an effective DLP solution. That's a systems approach built on best-of-breed products. It increases the value of best-of-breed solutions, which excel at mitigating existing and near-term emerging threats, by extending them to defend against pervasive threats such as data loss.

Don't look to any standards bodies to define standard security interfaces or architecture. The industry does not have such an organizing principle. Business and IT leaders need to look toward large IT providers such as Cisco, EMC, IBM, HP, Microsoft et al. to provide vision, a platform and partners to address these smart threats. All the big IT providers are realizing that security is a common thread throughout IT and needs to be part of an overall systems approach. That's good, because defending against Network Security 2.0 exploits requires a systems approach. Don't think of the systems approach merely as automated threat response that shuts down ports, IP addresses or subnets or changes ACLs. Think in terms of an autonomic system; the new direction is system-wide threat defense.

Autonomic Network Security

The industry vision is to think in terms of an autonomic effect that increases over time as more and more of the four components are connected into the systems approach. As the four components start to work together under system management, the autonomic effect will increase, much like the human nervous system, which responds automatically to its sensors with actions the brain does not need to think about. For example, when a person places a hand on a hot stove, the nervous system automatically tells the hand to get off the stove; no thought is needed. Nor is thought required for the immune system to mitigate a virus or infection, for the lungs to breathe or for the heart to beat. These are autonomic systems. This is the way networks will start to behave as best-of-breed security products are plugged into the systems approach.

How to Start Building A Systems Approach to Network Security

The beauty of the systems approach is that it builds upon existing defense infrastructure and does not require early retirement of existing security investments. Cisco is leading this approach with investments in its MARS (Monitoring, Analysis, and Response System) and CSA products. Existing customers of these products can start their deployment without acquiring new products. Other large security and IT suppliers such as IBM, Microsoft, HP and CA will respond with offerings and ecosystems of their own. What will differentiate these solutions will be each company's particular strengths: Microsoft's solution will be desktop- and server-based, IBM and HP may be data center focused, and CA could be application-based. Cisco is the only firm that will be network-based, and with all IT assets connected via the network, that is a strong position from which to defend against threats.

Business and IT leaders need to make a systems management supplier decision. Cisco's MARS is mentioned above, but there is also Q1 Labs' QRadar, a security event management and correlation system that may evolve into a systems management system. Nortel and Juniper partner with Q1, while Enterasys OEMs its system to provide the Dragon Security Command Console. Independent of the feature set needed to deliver policy, reputation and identity, Nortel, Juniper and Enterasys lack the vision, platform, ecosystem and completeness of solution to realistically deliver a systems approach to network security.

4 Debates over Special Edition Lippis Report on Network Security, Issue 1: Network Security 2.0: A Systems Approach to Threat Mitigation Emerges

  1. Salvatore M. Pride said:

    Wow! Thank you! I always wanted to write in my site something like that. Can I take part of your post to my blog?

  2. Joseph said:

    Found your site on Google today and really liked it.

  3. credit unions said:

    My friend referred me to your site. I enjoy reading here. Thanks for posting!

  4. Summer Camps said:

    Maybe you should make changes to the page title The Lippis Report » Download Library » Special Edition Lippis Report on Network Security, Issue 1: Network Security 2.0: A Systems Approach to Threat Mitigation Emerges to something more specific for your subject you write. I liked the post still.
