Trust doesn’t come easy

June 29th, 2009 by Dwayne Melancon

I’ve been speaking with a number of virtualization pros lately, and a couple of recurring threads have popped out of the discussion:

  1. Many virtualization admins are concerned about reputation (their own and the reputation of virtualization as a platform) within their companies;
  2. These same admins are often the “go-to guy” around virtual infrastructure and haven’t yet built a strong enough team around them where they’re comfortable enough to delegate what they do;
  3. They don’t have the cycles to spend much “quality time” with their team, so it’s pretty tough to break this cycle.

Does this sound familiar to you?  If so, please share your comments here about how you’re dealing with this phenomenon.

If it doesn’t sound familiar, then you must have figured out a formula that works.  Please share any useful tips & techniques (or resources) here in the comments, or point us to your own thoughts in a public blog.


Who’s to blame when a breach occurs to a PCI compliant company?

June 18th, 2009 by Ed Rarick

In a recent article — In Legal First, Data-Breach Suit Targets Auditor — Kim Zetter reported that PCI auditor Savvis Inc is being sued because it had certified CardSystems Solutions as being PCI compliant just 3 months before 263,000 card numbers were stolen from their system, and nearly 40 million numbers were compromised. Is Savvis to blame? Does CardSystems Solutions have some responsibility to maintain a PCI compliant state “after the audit”? These are tough questions that, in my view, belong in the Boardroom rather than the Courtroom.

PCI DSS is very prescriptive for best practice IT security. Auditors definitely need to be more exacting and tougher when evaluating a company’s adherence to the specification. But an audit is a point-in-time event that says “as of today” your security level and change and control processes are at an acceptable state. If Savvis did a poor job of auditing CardSystems and issued a PCI certificate when that company was not really compliant, Savvis is at fault for issuing the certificate. But what about the many companies who are compliant with PCI DSS with a point-in-time audit only to be breached a month later? The auditor is not at fault in these cases, the company is. The stated intent of PCI DSS is to “maintain” a compliant state and not just “achieve” a compliant state.

Maintaining a PCI compliant state is not easy, but it is doable and it is worth it. It is, in large part, an attitude of being committed to maintaining ongoing security best practices. Doing so delivers continuous compliance as a free byproduct. Making best practice security a daily rigor needs to be elevated to the Boardroom. Far too many companies are putting all their eggs in a “passing the audit” project rather than improving their daily security posture. More tone-at-the-top is needed to provide the oversight, funding and support to allow security, compliance and operations teams to get it done and get it done right.

Tripwire provides a continuous compliance solution for the 80 configuration control requirements of PCI DSS. Rather than just detecting when critical, high-risk files change, or periodically assessing the compliance status of high-risk files, Tripwire monitors them in real-time and, if they ever change, for any reason, Tripwire immediately and automatically retests them to determine whether they are still in a compliant state, according to PCI requirements and according to specific customer security policy. Alerts are immediately issued when any high-risk file drifts from a secure state, and full remediation instructions are provided to allow the file to quickly be restored to a secure state. That is a long-winded way of saying that Tripwire automatically alerts on every high-risk change as it happens and where it happens, and provides the information needed to correct the problem.

Bad change happens most often in an hour or less. It is no longer acceptable to be alerted days, weeks or, as often happens, months later. Tripwire alerts on bad change at the speed of change.
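The detect-then-retest loop described above, shown as an added Python example that is not Tripwire’s code: monitored files are baselined by SHA-256 hash, any change is caught on the next pass, and the changed file is immediately re-evaluated against a policy so the alert says not just “this file changed” but whether it is still compliant and what to restore. The policy rules (two illustrative sshd_config checks), the file names and the scenario in demo() are all constructed for this example and are not PCI DSS control text.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed policy: file name -> list of (description, regex that MUST match
# the file text, remediation hint). Illustrative only, not a real PCI ruleset.
POLICY = {
    "sshd_config": [
        ("root login over SSH disabled",
         r"(?m)^PermitRootLogin\s+no\s*$",
         "set 'PermitRootLogin no' and reload sshd"),
        ("password authentication disabled",
         r"(?m)^PasswordAuthentication\s+no\s*$",
         "set 'PasswordAuthentication no' and reload sshd"),
    ],
}


def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """Record the known-good hash of every monitored file."""
    return {p: file_hash(p) for p in paths}


def detect_drift(baseline, paths):
    """Return monitored files whose hash differs from the baseline.
    A deleted file is reported with a current hash of None."""
    changed = {}
    for p in paths:
        current = file_hash(p) if p.exists() else None
        if current != baseline.get(p):
            changed[p] = current
    return changed


def retest_text(name: str, text: str):
    """Evaluate file content against the policy for that file name.
    Returns (compliant, failures), failures being (description, remediation)."""
    failures = [(desc, fix) for desc, pattern, fix in POLICY.get(name, [])
                if not re.search(pattern, text)]
    return (not failures, failures)


def retest(path: Path):
    text = path.read_text() if path.exists() else ""
    return retest_text(path.name, text)


def monitor_once(baseline, paths):
    """One pass: every changed file produces an alert carrying the retest
    verdict and remediation; the baseline is advanced to the new content."""
    alerts = []
    for path, new_hash in detect_drift(baseline, paths).items():
        compliant, failures = retest(path)
        alerts.append({"file": path.name, "compliant": compliant,
                       "failures": failures})
        baseline[path] = new_hash
    return alerts


def demo():
    """Constructed scenario: a compliant sshd_config is baselined, then an
    admin flips PermitRootLogin to yes. Returns the alerts of the next pass."""
    tmp = Path(tempfile.mkdtemp())
    cfg = tmp / "sshd_config"
    cfg.write_text("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
    paths = [cfg]
    baseline = take_baseline(paths)
    assert monitor_once(baseline, paths) == []   # nothing has changed yet
    cfg.write_text("Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n")
    return monitor_once(baseline, paths)


if __name__ == "__main__":
    for a in demo():
        status = "COMPLIANT" if a["compliant"] else "NON-COMPLIANT"
        print(f"{a['file']}: changed, retest {status}")
        for desc, fix in a["failures"]:
            print(f"  failed: {desc}; remediation: {fix}")
```

The point of keeping detection and retest as separate steps is that a change which leaves the file compliant is still recorded (the baseline moves forward and an alert with an empty failure list is emitted), while a change that breaks policy is flagged at the moment it happens with the specific rule it violated, rather than surfacing at the next scheduled assessment.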


Introducing vWire – a Tripwire Creation

June 15th, 2009 by mhixson

On June 9, 2009 Tripwire officially embarked on a new adventure – vWire. vWire is a product built from the ground up to inspire confidence in the virtualization professional by giving him the virtualization management tools that he needs.  This is something that a team of people within Tripwire have been dedicated to over the last 8-10 months.  If you are reading this and are a Tripwire Enterprise customer, don’t worry – Tripwire is actually investing more in TE than it ever has.  We just happen to be doing some new things also.

Virtualization is a market that is growing quickly but lacking management for the virtual infrastructure.  We have spent months talking with virtualization professionals to understand what keeps them awake at night and how they manage the daily operations of their virtual infrastructure.  What we discovered was that one of the main concerns was around preventing and diagnosing daily operational issues.  We took some of our core IP from Tripwire and applied it in a new way, added lots of new stuff, and out popped vWire - our first-of-its-kind virtualization management solution.  We are very pleased to finally bring this public.  We have had this in the hands of alpha, beta and release candidate users for some time and we are excited to make it available to the masses.

You can get a fully functional, completely free (you don’t even have to fill out a form!), 30-day evaluation copy of vWire at www.vwire.com.  There is also a community to support and add value to your evaluation.  We are selling this product exclusively online at our vWire online store.  If you have questions, please reach out to us in the vWire community.

We look forward to seeing you there.
-Matt


Conference Report: ISACA North America CACS: “Wow, we’re not in Vegas anymore…”

May 18th, 2009 by Gene Kim

I’ve always loved the ISACA CACS conferences.  Why?  I guess because I love auditors.  Not all auditors, mind you, but auditors that have a risk-based orientation, and who understand that the achievement of any goal (regardless of whether we’re talking about information security, operating effectiveness, or compliance goals) hinges on effective controls.

And IT auditors congregate at the fantastic ISACA conferences and chapter events.  It’s one of the few conferences that have a good balance of IT risk and business risk.  I don’t know of any other conference where you can not only learn about application and network security, but also bone up on how to audit and secure SAP and PeopleSoft systems!

I’m a fan of this conference.  I usually like to make sure I attend the entire week.  After all, it’s been years since I’ve actually touched an SAP instance, and knowing more about SAP makes me feel smarter.

Image courtesy: copydesk.org (this is not a real pic from CACS conference, btw…)

Given the throngs of people at the Infosecurity Europe conference, I expected a similarly huge crowd at the ISACA North American CACS conference, held on April 27-May 1.  Alas, this wasn’t the case.

The last NA-CACS conference I was at was probably three years ago, when it was in Las Vegas at some huge hotel.  I’m guessing there were about 3500 people at that conference, which was one of the largest ISACA events I had been to.  This was around the same time as the huge buildup/panic around SOX-404.

This year, I estimate that there were only around 1300 attendees.  It was a fantastic program, with lots of senior practitioners spanning information security, IT audit and IT governance, and even some chief audit executives speaking.

Given that this is probably one of the best put together curriculums, I think it’s unfortunate that it didn’t attract the numbers of Infosecurity Europe.  Why?  These are only my speculations:

  • IT audit training budgets are shrinking, unlike the bushels of money being thrown around in information security
  • ISACA is not effectively reaching the radar screens of information security practitioners

If true, this is too bad.  Information security could use a good dose of learnin’ about risk-based application of IT controls.


Conference Report: Infosecurity Europe: “What Recession?”

May 18th, 2009 by Gene Kim

A couple of weeks ago, I gave three talks at the Infosecurity Europe conference in London, which was held on April 27-29.  I was pleasantly surprised to see how well-attended it was.  No, that’s an understatement.  It was a packed conference.

Based on attendance, you’d be forgiven if you thought it was 1999, during the middle of the dot-com boom.

Image courtesy: gem66/Flickr

Oh, wait.  We are in the middle of the security/compliance boom!  IMHO, this is made more amazing by the fact that it landed in the middle of one of the most capital-starved periods for IT in nearly a decade.  If you think that all these hard-earned dollars are being spent on truly creating continuous compliance, this is money well spent.  Yay.

If you think that these capital dollars are being thrown at a huge Band-Aid, and that information security breaches will continue to occur, and that equal dollars will need to be spent passing next year’s audit, then not so much.  Boo.

I observed the following…

  • Tons of attendees: 12,500 visitors, according to their website.  And according to the fliers they passed out on Day 2, 4441 visitors on Day 1, representing a 7% increase over 2008.
  • Tons of vendors: Holy cow.  As Chris Orr points out in his post about RSA, there were a ton of vendors there.  I’m guessing there were, I can hardly believe it, 700 vendors.  And most of them had basically the same messaging: security, compliance, controls.

It’s difficult to imagine talking to over 100 of these vendors, and keeping track of how they’re different.  I guess that would explain all the marketing investment on, umm, scantily clad people marching around with picket signs, lots of huge, flashing signs, big speakers blaring propaganda like in George Orwell’s 1984,  etc.

The Startling Contrast To Service Desk & IT Support Show

I got a wake-up call when I wandered over next door to the other conference being held at Earl’s Court, which was the Service Desk & IT Support Show.  Compared to Infosecurity Europe, it was like a ghost town.

I estimated that there were about 100 vendors, and maybe a total of 600 attendees.  It was a much, much smaller event.

This reinforced my conclusion that these economic times are starving ITIL projects, and that compliance deadlines are driving huge date-driven projects, which our industry is benefiting from.

Other Benefits Of Being In London

I got a chance to meet up with our UK-based colleagues, and hang out with my good buddy, Steve Chambers from VMware (@stevie_chambers).  He is one smart dude… (Who apparently can drive a sub-10m lap at Nurburgring!)

Oh, and I finally met Tom Howarth (@tom_howarth), who I thoroughly enjoyed talking to, about our respective journeys, the state of our vocation, using social media, etc.  Oh, and talked a lot about vWire evangelist Steve Beaver (@sbeaver), another great guy.

Questions or comments?  Feel free to send me a note on Twitter!  I’m @RealGeneKim.


There’s nothing wrong with PCI DSS that cannot be cured by following it

May 8th, 2009 by Ed Rarick

I continue to hear comments that PCI DSS doesn’t work and that it should be modified or even eliminated. My favorite recent criticism was from Rep. Yvette Clarke (D-N.Y.) when she said “the standard by itself is simply not enough to protect cardholder data” and “I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure.” I find it interesting that so much fault can be leveled at PCI DSS in light of the facts that Verizon Business puts forth in their 2009 Data Breach Investigations Report. Here are some of their findings after investigating data breaches that compromised 285 million records in 2008 alone:

  • Payment Card Data was the target in 81% of the breaches (98% of the records were Payment Card Data)
  • 74% of breaches were caused by external sources
  • 75% of the breaches were from 3 industries: 31% Retail; 30% Financial Services; 14% Food Service
  • Point of breach entry to actual compromise: 27% in minutes; 21% in hours; 29% in days
  • Compromise to discovery: 16% in days; 25% in weeks; 49% in months
  • Discovery to containment: 37% in days; 42% in weeks; 15% in months
  • 81% of the victims were not PCI compliant

The last point—81% of the victims were not PCI compliant—speaks volumes about the spirit, intent and effectiveness of PCI DSS… if it is treated as security best practice and followed on a daily basis rather than treating it as a checklist that must be passed annually. Until each of the above percentages changes dramatically, I think PCI DSS should be seen as a good security best practice to follow continuously.


A tale of three cities

April 30th, 2009 by Dwayne Melancon

In the past few weeks, I have been at a VMware partner conference, the RSA security conference, and (this week) the Microsoft Management Summit (MMS) event.  This has meant travel to Orlando, San Francisco, and Las Vegas.

It’s been interesting to see what themes or trends are the same across these three events, and which are different.  By the way - I’m talking about differences in the conferences – not the cities; the cities are all similar in their love of costumes if nothing else.

Variance

Some observations:

  • Compliance is top of mind. 
    • While the details of what people meant by “compliance” varied a bit, all of these events had a strong theme of compliance. 
    • It’s no mystery that PCI, NERC, and other regulations continue to be a force.  One surprise (to me, at least): SOX is still a significant driver / concern for enterprises.
    • Internal compliance (process compliance, security standards, etc.) is experiencing a resurgence.  I think “lean & mean” staffing along with virtualization (which blurs Segregation of Duties lines), and concerns about disgruntled employees / ex-employees are all contributors here.
  • Vendor consolidation is happening.
    • Consolidation is happening in companies, in that they are looking to reduce vendor counts and move to fewer vendors with broader capabilities.
    • Consolidation is happening in the industry, as big fish are buying smaller vendors.  This is happening primarily for two reasons:
      • Less-viable or struggling vendors can be acquired at bargain prices in this economy.
      • Growing, prosperous smaller vendors are clearly on to something valuable and can be added to a larger portfolio to expand market share & execution capabilities.
  • Service-impacting events and breaches are big drivers.
    • Many people are funding IT projects based on problems they’ve experienced or have seen in other, similar companies.  This is no surprise, as they say people buy to move away from pain or toward pleasure and there is plenty of pain in outages & breaches. 
    • This item is related to the first point about compliance, but subtly different in my view – the difference often being that many audit requirements are more prescriptive and “check box” oriented, whereas protecting yourself from downtime and breaches is more about “posture” and process maturity.  Addressing these issues tends to span more operational silos than externally driven compliance, from what I’ve seen.
  • Management is key.
    • Everyone has a lot of stuff to manage, and everyone wants to get the most out of it with the least thrash and effort.  This is pushing re-evaluations of management tools (whether for Ops or Security) everywhere.
    • People are moving from brute force or “one off” approaches to policy-based management schemes, which are essential for consistency and scalability.  Policy- or standards-based approaches also insulate you somewhat from staff turnover because they make it more likely you can find someone who can step in and take over when knowledgeable staff exits the business.
  • Philosophy on Physical vs. Virtual vs. Hybrid
    • VMware is very focused on their own virtual platform, while Microsoft (once very homogeneous) is starting to embrace other OS’s, supports non-Microsoft virtualization platforms, and is focusing on support for mixed physical & virtual environments.
    • Security vendors are having to choose carefully – some are developing for single virtualization vendors, others are still rooted in physical, and others are seeking to conquer both aspects.  This is making the landscape very crowded, a bit confusing, and may (in the short term) increase the cost & effort of securing.
  • Clouds, clouds, everywhere
    • Security vendors are pushing more and more SaaS-based security tools, as well as hybrid approaches that involve cloud-based management & monitoring of locally deployed agents.
    • VMware has announced its “Cloud Operating System” approach, while Microsoft is increasingly offering cloud-based implementation of its products for desktops, servers, and management (like System Center Online which looks pretty interesting).  This will create FUD in the short term, but I believe it will decrease operating costs and make it easier for enterprises to achieve more consistency of practice (particularly those who are distributed or grow through acquisition).
    • Clouds will create complexity in compliance, as they will make it easier to inadvertently create compliance problems (such as an offshore provider accessing US or European personnel information or personal health/financial information, which could violate the law).

To net it out, there is a lot going on – some converging, some diverging.  Choosing from different solutions to the same problems is what our jobs as business and IT practitioners are about.  That’s why we get paid the industry-adjusted, median bucks.

What about you?  What are you seeing?  Does what I’ve observed resonate or rankle you?  Would love to hear your thoughts.

@thatdwayne


Security and the Magic Bullet…

April 29th, 2009 by Chris Orr

So…I am speaking to a customer today, and this actually happens quite often, when he mentions that he is looking for one tool that does everything from log analysis, to patch management and even change auditing and configuration assessment…a magic bullet if you will…

Argh!  Would a real Ninja go into battle with just one weapon?  Nay!  They have all sorts of sharp and pointy things to stab and kill you with…  The Pirate doesn’t have just one sword…usually they have all sorts of other implements of personal destruction…so why do IT Ninjas have this need for the proverbial single magic bullet…I don’t know about you but if I am going into a fight I want LOTS of bullets…and I want all of my friends to have LOTS of bullets.

That is what security in depth is all about…LOTS of bullets.  Companies that try to rely on the single bullet method are doing themselves and their users a major disservice.  It’s the whole Jack of All Trades, Master of None thing…

Get the best Network Intrusion Detection, the best anti-virus, the best Change Audit and Configuration Assessment Software (hopefully ours).  If anything…RSA was a shining example of the myriad of software and hardware technologies (bullets) that are available to you…

tweet me:  twitter.com/theorrminator


Will the Critical Electric Infrastructure Protection Act fix anything?

April 29th, 2009 by Sean Sherman

The announcement of the Lieberman/Thompson bill called the Critical Electric Infrastructure Protection Act is the latest response to a series of news-worthy events about the power industry and cyber security. These include:

1) a NERC survey of utilities in which over a third cannot identify any “cyber” assets which could be classified as critical to the power grid,

2) the Wall Street Journal’s report that the national electric utilities are being actively mapped out and examined by foreign states for weakness in cyber controls, and

3) Congressman Edward Markey’s firm memo (April 9) to the FERC about the apparent lack of good cyber controls in the utility sector.

The press release quotes Thompson: “This legislation addresses these critical issues by providing a common sense approach to ensure continued security of the nation’s electric infrastructure.”

The new bill, according to a news release from the House committee, will issue three new instructions:

  1. New authority to the FERC to issue “emergency rules or orders” to address cyber security threats (after agency agreement on the threat)
  2. Requires FERC to assess and establish interim standards deemed necessary to protect against known cyber threats to critical electric infrastructure.
  3. Requires DHS to conduct an investigation to determine if the security of Federally-owned critical electric infrastructure has been compromised by outsiders.

Are these instructions common sense?  Doesn’t FERC already have this authority and responsibility?  Isn’t DHS already investigating cyber security threats to the nation?

Don’t get me wrong. I think pressure should be applied to change the process of protecting our nation’s cyber infrastructure, including utilities. But this solution doesn’t sound new. The problems are systemic, starting with not understanding the threat, knee-jerk reactions to fearful statements, and underfunding of security programs.  A real solution should address these failings.  I might recommend: appoint a true security czar to the domain who can understand the magnitude of the problem and apply guidance and leadership, base the task of cyber control on an agile process that can change quickly to address changes to threats, and fund the security programs that are mandated by that process.


RSA Day 4…The Ninjas are gone…bring in the vultures!

April 24th, 2009 by Chris Orr

RSA is a long conference.  Holy cow…day four was the final stretch of the marathon of security tracks and other talks.  Virtualization was of interest to nearly everyone of course.  At this point of the show though it was mostly roving bands of shirt hunters.  It was almost like a scene from Mutual of Omaha…you could imagine Marlin Perkins perched on the top of his truck with binoculars looking over the terrain as packs of feral IT Ninjas flitted from booth to booth hunting for shirts and other bits of schwag…

Joining the packs were other vendors looking to barter their goods for the goods of other vendors.  My favorite was the Whack a Fraudster.  Imagine the old whack a mole game with crooks instead of moles.  The high score for the day won a hand held video camera.  After getting jacked up on Mountain Dew I managed a 39 which held up for most of the day until a 41 came along…must have been Jolt or Red Bull…

Ultimately I think we generated a pretty good list of potential leads for Tripwire.  Virtualization Security, Change Audit and Configuration Assessment were demoed quite a bit despite the shirt hunters… Marlin Perkins would have been proud…

tweet me: twitter.com/theorrminator
