Survivor's Guide to 2007: Security
This year, security pros will finally get in the groove and refocus on security's primary task: Locking down your company's assets. To get there, however, you need a formidable arsenal.
December 15, 2006
This year, security pros will finally get in the groove and refocus on security's primary task: Keeping corporate data safe. Easier said than done as insecure, albeit innovative, SOAs and Web 2.0 technologies take off like rockets in the enterprise, chased by incredibly motivated attackers. Beating developers and app vendors over the head while demanding impenetrable code may be cathartic, but it will get you nowhere. Instead of pointing fingers, look to innovative XML and SOA security appliances. Protecting endpoints will get easier as well, thanks to developments in active protection and scanning tools.
As for compliance, can we have some sanity? Rather than fighting the inevitable, embrace the spirit by reconciling internal and external security policies and postures, and welcome external auditing--face it, it's a good and underutilized practice. Yes, you'll still hear way too many product pitches that promise magic bullets. No, there isn't one, but vendors have made strides. Database protection is finally mainstream, for example. Now, you need to figure out where sensitive data resides on your network. The same is true of applications: Knowing what Web servers have been thrown up outside of IT and what data they're offering--and to whom--is a big job. Ensuring that those applications are locked down is an even larger task.
Then there's the people factor. On the end-user front, we're hoping IdM (identity management) can save us from ourselves. We've slowly but surely built silos of group-based policies and autoprovisioning, and now we have too many groups to manage effectively. Of course, the alternative--managing individuals--is simply untenable.
Finally, everyone needs a good guard dog. NBAD (network behavior anomaly detection) systems have filled that bill so well that their functionality is getting sucked into other product areas.
Thanks For The Memory Overflow
Insecure code is a problem that's been amplified by reuse of SOA Web services and Web 2.0 technologies--let's face it, SOA continues to garner mindshare, and the Ajax bug has bitten developers with a vengeance. But simply demanding more secure applications isn't the answer: most developers lack the formal training to improve coding security, and the sheer determination of attackers is frightening to behold. Later in 2007 we'll review the latest crop of code scanners to see whether they're effective safeguards or simply provide a false sense of security. For now, your best bet is endpoint protection products that detect and block suspicious runtime activity. Ridding a large code base of every buffer overflow is very difficult, for example, but a driver-level system that watches buffers like a hawk and stops an overflow as it happens is a far more tractable problem. Vendors such as Privacyware, Sana Security and V.i. Laboratories are leading this charge, but McAfee and other antivirus vendors are right there in the thick of it.
Watch for this memory protection technology to find its way into mainstream desktop security products through antivirus and HIPS vendors; the functionality will also be in standalone packages. By year's end, all your nodes should be guarded by tools that protect APIs, watch for buffer overflows and control automated application modification of certain parts of the system registry.
Meanwhile, as traditional SOA security vendors, such as Forum Systems, IBM-DataPower and Reactivity, were off selling broad packages to the enterprise, newcomer Layer 7 Technologies not only invaded their turf, it picked up the Ajax security ball and ran with it. Layer 7 provides Web 2.0-specific security features, such as schema validation, data scrubbing and validation, plus basic DoS and schema tightening for the developer's newest darling.
Finally, there's the challenge of creating a consistent application infrastructure that adjusts to rapidly changing business and security conditions by letting apps share common services. Think about it: Moving SOA and Web 2.0 security functions into a network device makes sense, because it's wholly consistent with SOA's overall principle of reuse. An appliance can complement end-node memory protection products by preventing attacks and eliminating data integrity issues before they do any harm.
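To make the appliance functions above concrete, here is an added example of a minimal XML message gate written for this page in Python; it is not Layer 7's or any other vendor's code. The 'orderLookup' schema, the 4 KB size cap and the depth limit of eight are assumptions chosen for illustration. It enforces the same four controls in software: a size cap and refusal of DTDs (basic DoS, which also shuts out entity-expansion payloads), a nesting limit plus an element allowlist with no attributes and no duplicate fields (schema tightening), per-field length limits, and control-character scrubbing (data scrubbing). It returns the cleaned fields or the reason the message was refused.

```python
"""
Added example: a minimal XML message gate of the kind an XML/SOA security
appliance puts in front of a Web service. Constructed for this page; it is
not Layer 7's or any other vendor's code.
"""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 4096   # assumption: payload cap for this service
MAX_DEPTH = 8      # assumption: nesting cap

# Hypothetical tightened schema for an 'orderLookup' request:
# element name -> maximum text length (0 marks a container element).
ORDER_LOOKUP_SCHEMA = {
    "orderLookup": 0,
    "customerId": 16,
    "orderId": 16,
}

CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class Rejected(Exception):
    """Raised with a reason when the gate refuses a message."""


def scrub(text):
    """Data scrubbing: drop control characters and surrounding whitespace."""
    return CONTROL_CHARS.sub("", text or "").strip()


def gate(raw, root_tag="orderLookup", schema=ORDER_LOOKUP_SCHEMA):
    """Validate one request (bytes); return its scrubbed fields or raise Rejected."""
    # 1. Basic DoS defence: cap the size and refuse DTDs outright, which also
    #    shuts the door on entity-expansion payloads before the parser runs.
    if len(raw) > MAX_BYTES:
        raise Rejected("message exceeds %d bytes" % MAX_BYTES)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise Rejected("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise Rejected("malformed XML: %s" % exc)
    if root.tag != root_tag:
        raise Rejected("unexpected root element <%s>" % root.tag)

    # 2./3. Schema tightening: walk the tree enforcing depth, an element
    #       allowlist, no attributes, no duplicates and per-field length limits.
    fields = {}
    stack = [(root, 1)]
    while stack:
        el, depth = stack.pop()
        if depth > MAX_DEPTH:
            raise Rejected("nesting deeper than %d" % MAX_DEPTH)
        if el.tag not in schema:
            raise Rejected("element <%s> not permitted" % el.tag)
        if el.attrib:
            raise Rejected("attributes on <%s> not permitted" % el.tag)
        limit = schema[el.tag]
        value = scrub(el.text)
        if limit == 0:
            if value:
                raise Rejected("container <%s> must not carry text" % el.tag)
        else:
            if el.tag in fields:
                raise Rejected("duplicate field <%s>" % el.tag)
            if len(value) > limit:
                raise Rejected("<%s> longer than %d characters" % (el.tag, limit))
            fields[el.tag] = value
        stack.extend((child, depth + 1) for child in el)

    # 4. Every leaf the schema names must be present.
    required = {tag for tag, limit in schema.items() if limit}
    missing = required - set(fields)
    if missing:
        raise Rejected("missing field(s): %s" % ", ".join(sorted(missing)))
    return fields


def inspect(raw):
    """Convenience wrapper: ('accepted', fields) or ('rejected', reason)."""
    try:
        return "accepted", gate(raw)
    except Rejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample request; the DEL byte in orderId is scrubbed out.
    sample = (b"<orderLookup><customerId>C-1001</customerId>"
              b"<orderId>O-77\x7f</orderId></orderLookup>")
    print(inspect(sample))
```

Checking the raw bytes for `<!DOCTYPE` before parsing, rather than relying on parser options, is deliberate: the gate should never hand a DTD to any parser behind it. The walk is iterative rather than recursive so that the depth limit, not the interpreter's stack, decides how deep an attacker's nesting may go.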
Scanners: Deployed Or Deplored?
The more your network is exposed to the public through Web access, the more critical the need for an automated means of finding security flaws. Fortunately, vulnerability and malware scanners continue to become more sophisticated, even as they are being subsumed into the NAC juggernaut, which we discuss in "Network Infrastructure," page 69. We're not ready to declare vulnerability scanners dead as a standalone product category, however--in fact, we expect to see their use grow and their maturity level improve in 2007. There are some places NAC systems just can't go.
Code scanners, on the other hand, have been around forever, and we seem to go through love-hate relationships with them. As we mentioned, we'll review these in 2007. For now, let's leave it at this: If a code scanner finds even one vulnerability, it was useful. But it's critical to remember that these tools are but one part of the overall security architecture, and the bad guys are not slowing down their attempts to find new attack vectors.
One take on this situation that we found very interesting is Blue Lane Technologies' eponymous security appliance, a passive scanner that watches the network and buys time in the patching arms race.
Who Are You Again?
As any old-school network guy will tell you, it's a losing proposition to manage individual users. Of course, you'll always have that manager who insists that everyone on her team needs different rights, and normal growth and change within the enterprise make group-level management problematic as well. Fortunately, in 2007, IdM (identity management) vendors are shifting focus from the individual to the group, and we expect to see sound solutions emerge that will help all of us manage a sane balance.
Both old and new companies, including Novell and Applied Identity, are driving the IdM market, with CA, Microsoft, Oracle, and Sun Microsystems sucking up smaller companies in order to add to their portfolios.
Ideally, we'd like a standard IdM schema that extends into the hardware infrastructure, so that we can maintain a single identity store. The problem arises with network device and appliance vendors that insist on managing valid users in proprietary ways. As you contemplate purchases, ensure you know the architecture of your name stores, how they relate and how IDs relate across them. This will streamline adoption of meta-group management products.
Bad Network!
NBAD systems use passive sensors to watch your network for strange behavior and attempt to determine who's doing what--and whether they should be doing it or not. Some IPS products have recently pulled in NBAD functionality, as have SEIM (security event information management) vendors.
We approve of this trend; NBAD is a valuable piece of an overall security architecture. For example, while the focus of an IPS is to block illegal activity, and the focus of SEIM is to log security events and incidents while watching those logs for anomalous behavior, NBAD tools watch for abnormal behavior on the wire, attempting to determine when some activity should be disallowed. If a host that's normally connected only to a database and a directory server suddenly starts creating connections to other machines, the NBAD should detect the activity. IPS and SEIM products are more likely to ignore such behavior, especially if the connections are few and the traffic appears benign.
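The case in the paragraph above, a host that normally talks only to a database and a directory server and then starts reaching other machines, reduces to a baseline-and-deviation check over flow records. The Python below is an added example written for this page, not any NBAD vendor's code; the flow-record format, the addresses and the two traffic windows are constructed for illustration. The point it makes is the one the paragraph makes: the alert fires on the new relationship itself, however few bytes it carries, which is exactly what a signature-driven IPS or a volume threshold would let pass.

```python
"""
Added example: baseline-and-deviation check of the kind an NBAD sensor
performs. Constructed for this page; not any vendor's code.
"""
import re
from collections import defaultdict

# Constructed flow-record format (assumption): one flow summary per line.
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+bytes=(\d+)")

# Training window (constructed): 10.0.5.20 and .21 are app servers that talk
# only to the database (10.0.5.40:1521) and the directory (10.0.5.41:389).
BASELINE_FLOWS = [
    "2006-12-01T09:00:01 src=10.0.5.20 dst=10.0.5.40 dport=1521 bytes=8120",
    "2006-12-01T09:00:02 src=10.0.5.20 dst=10.0.5.41 dport=389 bytes=1460",
    "2006-12-01T09:00:03 src=10.0.5.20 dst=10.0.5.40 dport=1521 bytes=9020",
    "2006-12-01T09:00:04 src=10.0.5.21 dst=10.0.5.40 dport=1521 bytes=6330",
    "2006-12-01T09:00:05 src=10.0.5.21 dst=10.0.5.41 dport=389 bytes=1300",
]

# Live window (constructed): the usual pattern, plus a few small SMB flows
# from 10.0.5.20 to hosts it has never spoken to, and a host never profiled.
LIVE_FLOWS = [
    "2006-12-08T14:10:00 src=10.0.5.20 dst=10.0.5.40 dport=1521 bytes=7900",
    "2006-12-08T14:10:07 src=10.0.5.20 dst=10.0.5.77 dport=445 bytes=612",
    "2006-12-08T14:10:09 src=10.0.5.20 dst=10.0.5.78 dport=445 bytes=598",
    "2006-12-08T14:10:09 src=10.0.5.20 dst=10.0.5.78 dport=445 bytes=601",
    "2006-12-08T14:10:12 src=10.0.5.21 dst=10.0.5.41 dport=389 bytes=1290",
    "2006-12-08T14:10:15 src=10.0.5.99 dst=10.0.5.40 dport=1521 bytes=4400",
]


def parse_flows(lines):
    """Yield (src, dst, dport, bytes) for each well-formed flow record."""
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), int(m.group(4))


def learn_baseline(lines):
    """Profile each source host as the set of (dst, dport) peers it used."""
    baseline = defaultdict(set)
    for src, dst, dport, _ in parse_flows(lines):
        baseline[src].add((dst, dport))
    return baseline


def detect_anomalies(baseline, lines):
    """Return (kind, src, dst, dport) for every relationship absent from the
    baseline. Byte counts are deliberately ignored: a handful of small flows
    to a new peer is precisely the case a volume threshold would miss."""
    alerts, reported = [], set()
    for src, dst, dport, _ in parse_flows(lines):
        peer = (dst, dport)
        if src not in baseline:
            kind = "unprofiled_source"
        elif peer not in baseline[src]:
            kind = "new_peer"
        else:
            continue
        if (src, peer) in reported:
            continue   # one alert per new relationship, not per flow
        reported.add((src, peer))
        alerts.append((kind, src, dst, dport))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

A real sensor would age the baseline, learn per time-of-day and per service rather than per host, and suppress known scanners; the skeleton is the same, and so is the trade-off: the tighter the learned profile, the more legitimate change shows up as an alert that someone has to triage.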
In time, NBAD as a standalone product will decline, as people consistently choose more complete architectures. We expect an increase in anomaly detection in SEIM products in 2007 and a move by NBAD vendors like Q1 Labs, Arbor Networks and Riverbed to be more firmly in the SEIM camp.
Still About The Data
The recent focus on external compliance issues has reinforced the view that protecting customer data is essential to your enterprise's health. Vendors have stepped up with products that attempt to detect, control and report about access to all of those databases you didn't know were out there (and yes, you do have them). On the surface, these products may seem superfluous: All major databases control access to specific tables and columns and generate logs that tell you who's doing what. But that built-in access control is programmatic, rights-oriented protection: it knows who may touch a table, not whether a given query is normal for that user, and its logging is neither intuitive nor safe from tampering.
Database extrusion detection products by vendors such as Application Security and Imperva attempt to watch for common access violations. Why is the Southeastern U.S. sales rep dumping the entire Pacific Rim customer list? Why is that Web application server suddenly requesting 25 customer records at a time, instead of one? Add to this the increasing capability of these products to map internal user names to a Web application that normally uses a generic database login, and you've got a powerful tool that will find all known and unknown locations of your data, tell you who's requesting what through applications, and monitor for anomalies. These tools are a powerful addition to your arsenal, and will help you keep critical data in the hands of legitimate business users.
In addition, placing the application on an appliance that watches network protocols to determine activity, or copying and footprinting database logs, will make it difficult for malicious insiders to cover their tracks by tampering with log files. We're excited about this technology--it keeps your eyes on the important stuff. The few employees who may commit insider data theft will get tagged. The vast majority who are just trying to do their jobs will rarely notice the system. And people with legitimate business reasons for generating abnormal database activity can quickly explain their actions.
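The two checks described above, tying statements issued over a generic database login back to the application user who drove them and flagging result sets out of proportion to that actor's history, look like this in practice. The Python below is an added example written for this page, not Application Security's or Imperva's code. The log formats, the 'webapp' pooled login, the five-times threshold and all sample records are assumptions; in particular it assumes the web tier logs which application user took over which pooled connection and when, which is one of several ways real products do the mapping.

```python
"""
Added example: correlate database audit records with the web tier's session
log, then flag result sets out of proportion to the actor's history.
Constructed for this page; not any database-monitoring vendor's code.
"""
import re
from collections import defaultdict

SPIKE_FACTOR = 5              # assumption: alert above 5x the learned maximum
GENERIC_LOGINS = {"webapp"}   # assumption: pooled logins shared by all app users

# Constructed log formats (assumptions). The web tier records which application
# user drove a request and which pooled DB connection served it; the database
# audit trail records each statement per connection.
APP_RE = re.compile(r"conn=(\d+)\s+appuser=(\S+)")
DB_RE = re.compile(r"conn=(\d+)\s+dbuser=(\S+)\s+table=(\S+)\s+rows=(\d+)")

TRAINING_APP_LOG = [
    "2006-12-01T09:00:00 conn=7 appuser=jsmith",
    "2006-12-01T09:00:05 conn=7 appuser=mlee",
    "2006-12-01T09:00:10 conn=8 appuser=pcho",
]
TRAINING_DB_AUDIT = [
    "2006-12-01T09:00:01 conn=7 dbuser=webapp table=customers rows=1",
    "2006-12-01T09:00:06 conn=7 dbuser=webapp table=customers rows=1",
    "2006-12-01T09:00:11 conn=8 dbuser=webapp table=customers rows=2",
    "2006-12-01T09:01:00 conn=12 dbuser=rsmith_se table=customers rows=40",
]
LIVE_APP_LOG = [
    "2006-12-08T14:00:00 conn=7 appuser=jsmith",
    "2006-12-08T14:00:20 conn=7 appuser=mlee",
]
LIVE_DB_AUDIT = [
    "2006-12-08T14:00:02 conn=7 dbuser=webapp table=customers rows=1",
    "2006-12-08T14:00:21 conn=7 dbuser=webapp table=customers rows=25",
    "2006-12-08T14:05:00 conn=12 dbuser=rsmith_se table=customers rows=4800",
    "2006-12-08T14:06:00 conn=9 dbuser=webapp table=customers rows=1",
]


def parse_app_log(lines):
    """Yield (ts, conn, appuser); the timestamp is the first token."""
    for line in lines:
        m = APP_RE.search(line)
        if m:
            yield line.split()[0], m.group(1), m.group(2)


def parse_db_audit(lines):
    """Yield (ts, conn, dbuser, table, rows)."""
    for line in lines:
        m = DB_RE.search(line)
        if m:
            yield line.split()[0], m.group(1), m.group(2), m.group(3), int(m.group(4))


def build_session_map(app_lines):
    """conn -> [(ts, appuser), ...] sorted by time."""
    sessions = defaultdict(list)
    for ts, conn, user in parse_app_log(app_lines):
        sessions[conn].append((ts, user))
    for conn in sessions:
        sessions[conn].sort()
    return sessions


def resolve_actor(sessions, conn, dbuser, ts):
    """Map a statement to the application user holding the connection at ts.
    Direct logins are their own actor; returns None when nothing in the app
    log explains a statement issued over a pooled login."""
    if dbuser not in GENERIC_LOGINS:
        return dbuser
    actor = None
    for t, user in sessions.get(conn, []):
        if t <= ts:
            actor = user
        else:
            break
    return actor


def learn_baseline(app_lines, db_lines):
    """(actor, table) -> largest result set seen in the training window."""
    sessions = build_session_map(app_lines)
    baseline = {}
    for ts, conn, dbuser, table, rows in parse_db_audit(db_lines):
        actor = resolve_actor(sessions, conn, dbuser, ts)
        if actor is not None:
            baseline[(actor, table)] = max(baseline.get((actor, table), 0), rows)
    return baseline


def detect_anomalies(baseline, app_lines, db_lines):
    """Return (kind, actor, table, rows, learned_max) for each suspect statement."""
    sessions = build_session_map(app_lines)
    alerts = []
    for ts, conn, dbuser, table, rows in parse_db_audit(db_lines):
        actor = resolve_actor(sessions, conn, dbuser, ts)
        if actor is None:
            alerts.append(("unmapped_connection", dbuser, table, rows, 0))
        elif (actor, table) not in baseline:
            alerts.append(("no_baseline", actor, table, rows, 0))
        elif rows > SPIKE_FACTOR * baseline[(actor, table)]:
            alerts.append(("volume_spike", actor, table, rows, baseline[(actor, table)]))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(TRAINING_APP_LOG, TRAINING_DB_AUDIT)
    for alert in detect_anomalies(base, LIVE_APP_LOG, LIVE_DB_AUDIT):
        print(alert)
```

Run against the constructed records, the web request that suddenly pulls 25 customer rows is attributed to mlee rather than to the anonymous 'webapp' login, the sales rep dumping 4,800 rows is flagged against a learned maximum of 40, and a pooled-connection statement with no application user behind it is reported separately, since an unexplained statement over the shared login is exactly what a compromised or bypassed application tier looks like.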
Monday Morning Quarterback: Security
We said UTMS (Unified Threat Management Systems) were not cool in 2006. Sure enough, they're just surviving, while IPS and NAC are thriving. On the other hand, we also said pure-play IPS was disappearing, and yet, they're still around. Chalk that up to timing. We stand by the prediction, it's just taking longer than we thought.
We said security spending would be based on regulatory requirements, and that's all we've heard all year. Of course, that was an easy one. Sadly, the "Return on Security Investment" spending methodology we predicted did not come to pass. We're still spending on ROI and compliance. But compliance is awfully close to ROSI, isn't it?
Finally, we noted an uptick in organized attacks as opposed to the lone script kiddie. This trend will, unfortunately, continue.
Don MacVittie is a senior technology editor at Network Computing. Write to him at dmacvittie@nwc.com.