Mar 16 2007
By Jim Reavis
There has been an evolution in my thinking about the security appliance. The high-performance, purpose-built, rack-mounted boxes that supposedly turn security into “the blinking lights” don’t solve everything, but they do certain things very well and in some cases are a big improvement over onerous software alternatives. When a security task must be performed quickly, more often than not it is the appliance that rises to the occasion. I have often placed the appliance at the top of security process maturity models: a security process is defined and made repeatable; at some point the process is automated, in part or in whole, with software; later, the appliance makes that process even more efficient. Appliances are great, and they are improving apace with Moore’s Law. They just aren’t the answer they used to be.
The growing threats we face, and the technical defenses we have fielded against them, echo World War I, when old-school generals ordered cavalry charges into machine guns. Our defenses, simply put, are overwhelmed. Even small organizations create terabytes of information that is virtually impossible to catalog and control. The average employee has a half dozen network egress points through which to remove sensitive data. Spam, which Bill Gates said we would conquer by 2006, thrives on techniques like image-based spam, the equivalent of a simple bit shift in the bad guys’ tactics. Botnets, comprising thousands and perhaps millions of infected computers, are very difficult to dismantle and are capable of unleashing withering attacks. Monster appliances with multiple processors and multi-gigabit feeds seem like lonely samurai with outdated weapons facing Darth Vader and the Empire.
For the many, many problems ahead of us, a security infrastructure in which every component operates primarily on its own local operating system, tied together by nothing more than a thin layer of network management, is a model that has run its course. Our defenses require a quantum leap in capability, and every appliance on our networks needs to both draw on and contribute to a collective intelligence. Our future depends on the Grid. We need to apply supercomputing and grid computing, massive amounts of computing power, to attacking security problems. If every firewall,
Posted by Jim.Reavis on Friday, March 16th, 2007, at 11:03 am, and filed under Articles, Future Forecast.
Kurt.Seifried | 18-Mar-07 at 4:55 pm
I agree; it reminds me of the same problems faced by intelligence agencies right now. You have an analyst that specializes in a certain geographical area, another specializing in chemical weapons, another in terrorist networks, another in smuggling using Baltic Sea ports, and finally a field agent that saw someone arranging for a shipping container that supposedly contains Chinese pottery. If you got them all in the same room and mentioned a few key data points they’d connect the dots, but sadly chances are they are not in the same room, and even when they are, the key data points are buried in the avalanche of data and noise.
Anti-spam systems typically rely on a handful of techniques, but do not, for example, work with anti-web-phishing packages: anything containing a link that resolves to a specific IP known to belong to a bulletproof hosting company in China, which is probably spam, makes it through instead, or a user that never receives GIF or JPG images legitimately starts receiving hundreds of stock-touting spams using images.
I think we need to start thinking about a standard language/descriptors for security events so that devices can share intelligence and behavior, i.e. if IP X tries to spam you, do you block it, or, based on the fact that it belongs to a domain that users send legitimate email to (i.e. aol.com), do you allow it anyway but try to block the spam based on other identifiers? If a host nmap scans your network, do you look at blocking that entire subnet, or do you actually have legitimate use coming from or going to that network? Sadly, all these things are impossible since there is no way for devices to share information.
Much like in warfare, attackers typically evolve much faster than defenders: guerrilla warfare vs. a traditional set-piece battle, cavalry vs. longbows or machine guns, insurgents and IEDs vs. convoys and civilian contractors. It doesn’t work too well in warfare and it certainly won’t work for computer and information security.
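The comment above sketches the decision a shared event language would make possible: block a spamming IP outright, or allow its domain because users legitimately mail it; block a scanning host’s whole subnet, or only the host because there is legitimate traffic to that network. The following is an added example, not code from the post or the commenter, of what that correlation looks like once events from different devices arrive in one common format. The event schema, the device names (spamfilter, mailgw, ids, proxy), the sample events and the decision rules are all constructed assumptions for illustration; no real product emits this format.

```python
"""Toy correlation of security events shared in a common format.

Added example, not part of the original post or comment. The schema,
device names, sample events and thresholds are assumptions made here.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Event:
    source: str       # reporting device (constructed names)
    kind: str         # spam | portscan | legit_mail_out | legit_conn_out
    ip: str           # remote address the event concerns
    domain: str = ""  # sending domain, if the device knows it


# Constructed sample events from several devices that, on a 2007
# network, would never have compared notes.
EVENTS = [
    Event("spamfilter", "spam", "203.0.113.10", "aol.example"),
    Event("spamfilter", "spam", "203.0.113.10", "aol.example"),
    Event("spamfilter", "spam", "203.0.113.77", "bulletproof.example"),
    Event("mailgw", "legit_mail_out", "203.0.113.20", "aol.example"),
    Event("ids", "portscan", "198.51.100.7"),
    Event("ids", "portscan", "192.0.2.9"),
    Event("proxy", "legit_conn_out", "192.0.2.50"),
]


def decide(events, subnet_prefix=24):
    """Return {target: action}; target is an IP or a subnet in CIDR form.

    Assumed rules for this example:
      * spam from a domain our users also send mail to: keep the domain,
        only put the sending IP into content filtering
      * spam from a domain with no legitimate outbound mail: block the IP
      * port scan from a subnet we have legitimate outbound connections
        to: block only the scanning host
      * port scan from a subnet with no legitimate traffic: block the
        whole /<subnet_prefix>
    """
    # Context that only other devices can supply.
    legit_domains = {e.domain for e in events if e.kind == "legit_mail_out"}
    legit_nets = {
        ip_network(f"{e.ip}/{subnet_prefix}", strict=False)
        for e in events if e.kind == "legit_conn_out"
    }

    decisions = {}
    for e in events:
        if e.kind == "spam":
            if e.domain in legit_domains:
                decisions[e.ip] = "filter_content"
            else:
                decisions[e.ip] = "block_ip"
        elif e.kind == "portscan":
            net = ip_network(f"{e.ip}/{subnet_prefix}", strict=False)
            if net in legit_nets:
                decisions[e.ip] = "block_ip"
            else:
                decisions[str(net)] = "block_subnet"
    return decisions


def decide_isolated(events, source):
    """Same rules, but fed only one device's own events, as an isolated
    appliance would see them; shows how the verdict changes without
    shared context."""
    return decide([e for e in events if e.source == source])


if __name__ == "__main__":
    print("shared context:", decide(EVENTS))
    print("spamfilter alone:", decide_isolated(EVENTS, "spamfilter"))
    print("ids alone:", decide_isolated(EVENTS, "ids"))
```

Run stand-alone it prints the verdicts twice: with the mail gateway’s and proxy’s events in the mix, the aol.example sender is filtered rather than blocked and the scan from 192.0.2.9 costs only that host; fed just its own events, the spam filter blocks the aol.example IP and the IDS blocks both /24s. The rules are deliberately simple; the point is that the inputs to them come from devices that today have no common format in which to speak.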