ES Episode6

From Security Weekly Wiki

This week is, well, rough: ServiceNow buys a threat intelligence company, memory scanning in the hypervisor, and next-generation network segmentation and NAC, and John and I discuss the evolution of IDS and IPS.

Enterprise Security News

  • ServiceNow expands their security offering by adding threat intelligence. They offer a solution which combines configuration management, vulnerability data, and threat data (from threat intelligence sources provided by the recently acquired Brightpoint) to respond to threats. Whew, sounds like a lot of moving pieces and it's difficult to tell *exactly* how this can help. ServiceNow announced its foray into the security space in February of this year. Derek Du Preez of Diginomica had this to say about the expansion: ServiceNow wants to get security teams using the same platform as its IT buyers, bringing the two functions closer together, reducing the time it takes to respond to threats. This, believe it or not, makes sense to me. However, there are still people issues to be dealt with, as traditionally security folks and operations operate independently. Why is this the case? The watchers can't be the doers. There needs to be balance: IT security must be the monitoring and auditing function, and IT operations still needs to focus on making things work. It will be interesting to see this dynamic play out as more IT (traditional and cloud) companies make their way into security.
  • Brocade Buys Ruckus Wireless - I remember using Brocade switches to provide the fiber networking backend for a storage array. Really cool technology, but I believe much has already been, and will continue to be, replaced by cloud. No big news there, but now with Ruckus, there are many different product offerings. Wireless is one of those things that will always be in your local environment physically. On the security front, Ruckus received a patent for Wifi authentication and encryption.
  • Memory scanning inside the hypervisor for Xen! Sounds awesome, but here we go adding another layer. And each time we do so, we increase risk. What happens when there is a flaw in Bitdefender's code that leads directly to the hypervisor's memory? All your instances are belong to us. On the flip side, it's good to see new products coming out to help secure virtualization and cloud, though A/V for the hypervisor just sounds wrong!
  • Sounds like glorified segmentation and NAC to me. Not a bad thing, depending on the complexity. For example, in a "large" network, it's not easy to segment and determine what can talk to what on the internal network. It's also not easy to authenticate all that crap to the network, and THEN make a decision about where it goes on the network. I was early on the NAC front, and it seemed to have died. However, the optimist in me hopes we've figured this out and there are organizations doing it. Do you segment and authenticate devices to your network successfully? If so, we'd love to hear from you. One last thing: this is all about IoT and controlling these devices. However, we've been doing this with printers for years, so still nothing really new.


In 2003, Gartner analyst Richard Stiennon declared IDS dead, and completely obsolete by 2005. IDS managed to hang on for some time after that, but eventually Richard's prediction was correct. If not dead, it was to be folded into other technologies such as firewalls. Then along came Palo Alto, and the rest, as we say, is history.

While "dead" is an overused term, let's first look at the IDS concept: detecting an intrusion. I believe security has evolved and spread intrusion detection across several different categories:

  1. Detect the vulnerability - Is there a vulnerability in my environment? Can I scan for it? Can I detect it on the endpoint, the network or through logs? Yep, solutions exist for this.
  2. Detect the exploit - Is there an exploit coming at my network or system? Yep, smart devices exist and do just this; most are now integrated into your firewall.
  3. Detect the infection/execution - Once an exploit is launched, can you detect how it gains code execution on the system? Yep, solutions exist here too.
  4. Detect the malware - Using signature or "behavior" can you detect the payload itself? A/V tries to do this...
  5. Detect the callback - Ignoring everything above, can you detect the phone home? Yep, we've talked about this too.

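The last category, detecting the callback, is the one that works even when every earlier layer missed the exploit, because a planted agent has to phone home on a schedule. As an added example (not code from the show or from any vendor discussed above), here is a small beacon detector that runs over proxy log lines and flags client/host pairs whose request intervals are too regular to be human. The log format, the client IPs and the host names are all constructed for the illustration, and the thresholds (at least four hits, coefficient of variation at or below 0.10) are assumptions to tune against your own traffic.

```python
"""Beacon (callback) detection over proxy logs by interval regularity.

Added example: not code from the show or any vendor discussed on the page.
The log format and every host/IP below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy-log format: <ISO8601 UTC> <client-ip> <method> <host> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample: 10.1.2.3 polls c2.example.net every ~300 s while also
# browsing news.example.org at human (irregular) intervals; 10.1.2.4 only
# touches c2.example.net twice, which is too little to judge.
SAMPLE_LOG = """\
2016-04-06T10:00:00Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:00:07Z 10.1.2.3 GET news.example.org / 200
2016-04-06T10:00:09Z 10.1.2.3 GET news.example.org /story/1 200
2016-04-06T10:02:00Z 10.1.2.4 GET c2.example.net /gate 200
2016-04-06T10:05:01Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:07:00Z 10.1.2.4 GET c2.example.net /gate 200
2016-04-06T10:09:59Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:13:40Z 10.1.2.3 GET news.example.org /story/2 200
2016-04-06T10:14:02Z 10.1.2.3 GET news.example.org /story/3 200
2016-04-06T10:15:00Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:20:02Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:24:58Z 10.1.2.3 GET c2.example.net /gate 200
2016-04-06T10:31:15Z 10.1.2.3 GET news.example.org /story/4 200
"""


def parse_line(line):
    """Return (epoch_seconds, src, host) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], m["host"]


def find_beacons(log_text, min_hits=4, max_cv=0.10):
    """Flag (src, host) pairs whose request intervals are suspiciously regular.

    cv = stdev(intervals) / mean(intervals). A sleep loop gives a cv near 0;
    human browsing gives a cv near or above 1. min_hits guards against
    flagging a pair with one or two intervals, where cv is trivially 0.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            t, src, host = rec
            times[(src, host)].append(t)

    flagged = []
    for (src, host), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        period = mean(intervals)
        # Duplicate timestamps would give period 0; treat that as "not periodic".
        cv = pstdev(intervals) / period if period > 0 else float("inf")
        if cv <= max_cv:
            flagged.append({"src": src, "host": host, "hits": len(ts),
                            "period_s": round(period, 1), "cv": round(cv, 3)})
    return sorted(flagged, key=lambda f: f["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only the 10.1.2.3 to c2.example.net pair is flagged (six hits, period about 300 s, cv under 0.01); the browsing traffic has a cv near 1 and the two-hit pair never reaches the minimum. Real implants add jitter, so in practice you widen max_cv, window the data by day, and whitelist known pollers (update checks, monitoring agents) before looking at what is left.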
So, now you have to pick: how are you going to detect intrusions given all of the items above? Pick something that looks at 1) the network, 2) your firewall, or 3) the endpoint, and hope you get it right!

Now, IPS is still somewhat interesting, and likely a topic for a different show. Network IPS has evolved, but few rely heavily on it. However, when we look at web applications, the concept of IPS has evolved greatly, including some solutions (such as RASP) that you must take a look at. Not perfect, but something to consider.