When it comes to firewall requirements, Josh Corman, research director of enterprise security at security consultancy The 451 Group, says that, though they may be mandated by compliance standards, they should not be solely relied upon for optimal security. "Almost everyone has a firewall and is using it; it's just not necessarily a relevant defense against the way people are actually being attacked," Corman says. "I'd like to think we're maturing and figuring this out, about how breaches occur. But there is a stunning lack of change in many of these standards. They are stabilizing, rather than evolving."
Corman says many attacks are making their way in via SQL injections that go right through firewalls. "That's why we need to look at application-level security," he says. "Firewalls need to be augmented, with things like Web-application firewalls."
During this interview [transcript below], Corman discusses:
- Balancing compliance with actual security;
- Seven-layer visibility, and why it's necessary; and
- The role real-time forensics plays.
Josh Corman is the research director of the Enterprise Security Practice at The 451 Group. Corman has more than a decade of experience with security and networking software, most recently serving as principal security strategist for IBM Internet Security Systems. Corman's research cuts across sectors to the core challenges of the industry, and drives evolutionary strategies toward emerging technologies and shifting economics. Corman has spoken at leading industry events such as RSA, Interop, ISACA and SANS. His efforts to educate and challenge the industry recently led NetworkWorld magazine to recognize him as a top Influencer of IT for 2009. Corman also serves on the faculty for IANS and in 2010 co-founded Rugged, a value-based initiative to raise awareness and usher in an era of secure digital infrastructure. Corman holds a bachelor's degree in philosophy from the University of New Hampshire.
TRACY KITTEN: Firewalls, transparency and compliance mandates. How do the three fit together and are investments in Infosec being applied to the best solutions? I'm here today with Josh Corman, research director of security analyst firm The 451 Group. Josh, you and I have spoken in the past about firewalls and their diminishing value in preventing and detecting breaches. You have noted that they are effective as part of a layered security approach, but should not be solely relied upon for breach prevention. Can you explain?
JOSH CORMAN: I think the interesting thing about the compliance mandates is they are trying to cater to a very diverse set of maturity models for security and risk prevention. If you just take the PCI standard, for example, most of the targets that they were trying to raise up had previously been doing absolutely zero security. Some might have had a firewall and very little else. So, it's not state-of-the-art. It's not the most effective or modern response to the way people are actually perpetrating the attacks and breaches, but they are at least trying to get people to do something rather than nothing. Now, over time, how well those work and the role they play is diminishing as the technology changes and as the adversaries' sophistication changes. At this point, although some people would dread dropping their firewalls, we've been seeing some people do it, and advocate, instead, things that maybe use the firewall-like features in their existing, modern-router architectures. Almost everyone has a firewall and is using it; it's just not necessarily a relevant defense against the way people are actually being attacked.
Compliance vs. Security
KITTEN: Complying with industry standards and mandates, unfortunately, has been the focus for many companies, rather than security itself. When it comes to compliance, using firewalls is standard protocol, as you've noted. Do you expect that to remain the case, Josh, or is a shift in thinking among industry regulators and standards bodies such as the Payment Card Industry Security Standards Council on the way?
CORMAN: You know, I'd like to think that we're maturing; that we're figuring this out as we get more breach data and the analysis gets done on how it's being breached. But as you've seen, and you and I have talked about in previous interviews, there's a stunning lack of change in many of these standards. In fact, they're stabilizing, not evolving. So, with PCI, for example, there were nearly no changes. The headline for the 2.0 release in October was "No Surprises," and you know, to my chagrin, I thought there were quite a few changes necessary. If you look at the available data sources, things like the Verizon Business Data Breach Report, a lot of these attacks are coming in through SQL injection, so they're going to come in on the kind of ports and services you have to leave open through a standard firewall, and that's why we have to augment these things to look higher up the stack, so to speak, for application-area attacks. It's not the only way they're getting in, but as the attackers have adapted to the more pervasive nature of firewalls, you need to augment them with things like IDS. And when IDS is value-based with things like data-loss prevention and Web-application firewalls, there are just so many point solutions and appliances now that it's hard for a new person entering security or someone who's using compliance as a guideline to know what they should do. They're basically sticking to what they've been told to do and nothing more, and they're continuing to be compromised.
Firewalls Are Not Created Equally
KITTEN: That's an interesting point that you've raised. When we talk about firewalls, they're not all created equally, though the lines oftentimes are blurred. Why is that, Josh, and why are many companies now investing in different technology?
CORMAN: Well, you know, without getting into a technical lesson on seven-layer security or whatnot, if you look at this much like airport security, you know that we had almost no security before. We had metal detectors for guns and knives and they weren't good enough. So, we added scanning our bags, and then we had a shoe bomber, and so we had to take our shoes off. We had a gel threat, so we had to use smaller shampoo bottles. The underwear bomber has led to the nude scanners and the pat downs, because people didn't like the nude scanners. So the same kind of matriculation has happened with information security. A firewall was pretty much all you needed. It was there to reduce your attack surface. If you locked down all the ports and protocols you didn't need to do your business, then you could only have a reduced attack surface for, say, Web traffic or other limited ports that were necessary. The challenge was attacks evolved to the point where they were attacking you over the ports and surfaces you did need. That's why we had the introduction of intrusion-detection systems, and then subsequently intrusion-prevention systems. They were climbing the stack with the attackers and saying, "For the ports and services you do need open, let's inspect that traffic for good versus evil," and that worked pretty well for a time. But attackers climbed the stack further and were doing things like application attacks, like SQL injection and cross-site scripting, or they were extracting data that isn't really visible at the individual packet or protocol level. You need more processing than these appliances are capable of doing, looking deeper into the packets and sessions. So every time there is a new hot threat, we've thrown a new security appliance to stick behind our firewalls, our IDS and so on.
Firewalls and Risk Management
KITTEN: Now, how can companies balance the investments that they make in firewall requirements -- those that are mandated for compliance -- while also ensuring security? How can they balance the investments they're making?
CORMAN: Well, that's the tough part. I think when people are looking at how to evolve their risk management and their security frameworks, they are looking to diminish investment in some of the older, less-effective technologies and start looking at some of these full seven-layer session inspection engines, whether they're online or out-of-band. Some of the DLP vendors have session awareness, which isn't just looking deeply into the packets, more deeply than firewalls and IDS, but also across conversations and sessions, to see things that can only be detected at the application or content layer. So they were looking to branch out and, unfortunately, a lot of those budgets that could have gone to superior visibility got canceled, in lieu of paying the expensive fees to be assessed and confirmed as complying with minimum standards for the industry. So, it's a fairly tough problem.
We don't have a lot of available and actionable intelligence in information security. We have very few data sources and a lot of debate over which technologies are effective and which ones are not, and that's the role we try to play with our research -- to try to highlight which things are best suited to handle modern adversaries or modern business technologies. But it's very tough when we're competing with backwards-looking technologies that were pretty good and state-of-the art many, many years ago but are pretty long in the tooth at this point.
Visibility and Transparency
KITTEN: Visibility or transactional transparency are, you've said, necessities. Seven-layer visibility, you say, should be standard practice, even if it's not mandated. Can you explain what seven-layer visibility is?
CORMAN: Sure. This firewalls idea isn't really looking at cursory information at the port and protocol levels. I was suggesting a lot of these attacks are sophisticated malware, which you really can't detect within individual packets or ports and protocols. It may not even come in over the network. It might be through USB keys. Some of these things are sensitive materials and regulated data which can be done in a limited fashion with some of these older technologies, but they often require looking at all parts of the packet and traffic and all parts of the session and conversation. So, ultimately, as the attackers climb the stack to the top, we've had to follow, and there are good technologies out there that can do anomaly detection across these sessions and conversations or packet capture. They can offer analysis and forensics; they're really not blocking anything, but they're recording all the conversations on every port and protocol, doing some analysis and then offering information that later can be searched to see if you were burglarized and where was it; or if you had a suspicion that it is a new, sophisticated, stealthy attack that you heard about from a peer in the industry or on the news, you can go back and look at your videotape, so to speak, and find if you've been compromised. So, it's kind of like we're fighting blind right now, so we need more floodlights and more cameras and more door sensors, and some of these seven-layer visibility tools are very effective at getting a lot more information, even if it's for historical, after-the-incident kind of reasons.
Too Much Encrypted Data
KITTEN: Now, you've noted before that IT departments must have the ability to see encrypted information. Of course, that goes back to transactional transparency and visibility that they must have. But how do companies balance protection with transparency? Doesn't that defeat the purpose of encrypting data in the first place?
CORMAN: Unfortunately, we don't have enough conversation about this. I have been on panels and in debates about this. The irony is that the awareness of more breaches and more theft of property and sensitive things is encouraging more encryption. Now, the vendors that supply the network security appliances actually hate this because it's blinding them; so the degree to which you're doing more responsible encryption, it has, at least temporarily, blinded a lot of these other investments you've made. If I'm looking at traffic for breach data or regulated information, and I'm dependent upon seeing that network in the clear, I've now got a new challenge, because all I see is gobbledygook. So these guys are adapting by partnering with SSL proxies or by doing key brokering or inserting themselves somewhere where they can analyze the traffic in the clear; but it is an additional hurdle and challenge.
What is Deep-Packet Inspection?
KITTEN: And what about deep-packet inspection? How is it pushing the evolution of the solutions that are out there on the market? How does it fit into the overall forensics picture?
CORMAN: So, it's a bit of a nebulous term, "deep-packet inspection." How deep do you mean by "deep"? So, everyone is going to have deep-packet inspection within their marketing collateral. The question is going to be: "What layers of the conceptual seven layers, or what size stack, are they looking at, and once they are tearing apart those different layers, what are they doing once they've gotten into the deep packet?" There are, in fact, deep-packet inspection products that do nothing but the disassembly. They're not actually doing anything with it. Some people are using it to look for malware. Some people are doing it to look for network attacks. Some people are looking for intellectual property. So, how deep you go matters, and what you're doing with it matters. It's more of a feature than it is a product category, and the other thing is, at this point, some of these attacks, some of these slower and lower attacks or even the data-loss prevention appliances, they really need to look beyond individual packets through the seven layers and into more session-awareness and conversation analysis. So, it's even beyond DPI at this point.
A Need for Real-Time Forensics
KITTEN: Now, I tied some of this DPI conversation in with forensics. When it comes to real-time forensics, how critical do you see that being for the industry today?
CORMAN: I think it's pretty critical. We have a little bit of a challenge, where the bottleneck is not so much the technical capabilities. There are some really decent technologies out there. The challenge is having skilled people now, operators that can look at the feedback and output of these things and make good use of them. So, I can have surveillance equipment all over my house, but if no one is watching the video consoles, then I won't even notice that I've been attacked. So, what we have to do is really notice these talented and persistent adversaries, these state-sponsored attacks, the industrial espionage, all the things that made the news for the first time, prominently, last year. They're not new phenomena, but they've become mainstream, more prominent now. These types of things are really going to require a whole lot more eyes and ears. So, I see this as a critical investment. I just want to find ways that individual organizations can have a talent pool that can extract the value that they present, so the bottleneck is going to be finding and posturing the talent to do so. Most of the players in this space are trying to make it more useable and easier, more obvious for less-skilled analysts to extract that value.
KITTEN: And in closing, Josh, could you give our audience three to five takeaways that should be considered when choosing a vendor and/or solution that really doesn't have security?
Rugged Code: The Real Solution
CORMAN: Well, right now, given the economy and given the attention being paid to passing an audit, you're probably going to have very, very little discretionary budget for things beyond that which will cause a fine. I mean, we said before, this industry is acting in a way that they clearly think more about the auditor than the attacker. Now, for those of you concerned about more than just passing an audit, it's really tough to find what's the maximum impact with my skill set and my team for the minimum investment, and there are a whole lot of interesting technologies, like some of these more advanced data-loss-prevention tools, like the network forensics, like next-gen firewalls, Web-app firewalls; and no, they're not the same. I think a lot of this is going to have to be based on what you're most concerned about. I think Web-app firewalls are not necessarily the most strategic, but they certainly could address the most acute pain points right now. Something like 89 percent of the breach records last year from Verizon involved SQL injection, and most of us are leaving our applications wide open. So, that's a tactically intelligent decision.
The real solution is to write more rugged code in the future and have a lot more of a culture of developing defensible infrastructure. Web-app will always have a purpose, but I think the most strategic thing is to have this seven-layer visibility, whether it's online or for forensic purposes, because with more visibility, we'll be able to detect and respond more quickly in the future and hopefully avoid a lot of these point solutions and spread our budgets and our staffs too thin maintaining these solutions that maybe addressed last year's threat but might not be as hot or relevant next year.