At RSA last week in San Fran, Chris Young from Cisco commanded the stage. He held the audience on the edge of their seats in anticipation, and he said all the right things. Well, that is, he said all the right things to make Cisco sound perfectly positioned. And can we really fault them for being so network centric?
He did make some excellent points. Chris said, “I believe that visibility and context aware enforcement are two of the things we all need the most in security,” which I totally agree with. You obviously can’t take action against an attack if you can’t visualize it, and how do you know whether it’s legitimate or not without the context? In fact, this has been the premise of IPS and anomaly detection tools for over a decade. And yes, those are definitely network based tools.
Have you ever stopped to consider WHY those tools are network based? It’s because that was where the concept of an inline tap was developed. It was easy for an engineer to take the signal off an Ethernet cable and pipe it into an analysis tool without actually interfering with the connection. That served as a much easier way of monitoring lots of communicating systems without the pain of attaching to every new system as it was added to the network.
The concept of a tap may have been born out of networking, but it can now be applied to a wide range of other technologies. The same idea has been applied, and in use, with software agents for at least a decade as well, to shim or tap the CPU, memory, storage, and networking stacks inside an OS. Those agents work fairly well, but in recent years they have succumbed to attack from malware designed to disable these tools upon takeover of an OS. The reason the malware has been successful against a “host agent” but not against a network agent comes from the context of execution. When a piece of malware takes over an OS, it has already taken control beyond the scope of what was originally designed. To say it another way, the malware plays with no rules, or makes up its own rules on the fly, but the security software and the OS are only ever going to adhere to the rules they know. So agent based tools are always at a disadvantage.
So with that context in mind, the security world has been split between network centric tools and software agent tools, but because of the inherent disadvantage of the software agents we’ve seen an uptick in network specific tools over the last several years. Underscoring this point, Chris also said, “the network is becoming the only constant source of intelligence we can rely on and the only control point we can depend on.” Unfortunately, this is where I will have to disagree with Chris and Cisco’s approach of using only network centric tools. What he failed to acknowledge is another form of tap available and in use today. This technology, like agent based solutions, can intercept many different forms of data streams such as CPU, memory, network, or storage. However, this solution does NOT have the problem agent based tools have, and instead leverages the transparent inspection nature of a network based tap. Sounds like the best of both worlds, right?
So what is this tapping tool that Chris neglected to acknowledge? Why, of course it’s a hypervisor! Yes, that’s right, it’s the core competency of virtualization, and what I’m describing is an added benefit that has been overlooked by others for many years, but which we at VMware have invested heavily in for nearly half a decade now. All data processing in all forms that ever happens inside a VM passes through the hypervisor, and all of that data is available to be inspected for any conceivable reason. And we’ve already been creating access methods for the security industry to use for the last 4 years. These tools could be APIs like VMsafe or EPSEC for partners to use, or even our own vShield suite of technology.
Even Cisco is using some of these technologies, like vNetwork and DVFilter, to do their own inspection and enforcement the way Chris is advocating. In fact, while their own implementation gains access to these data streams in the hypervisor, they insist on moving the inspection back into their network centric tools via the Nexus 1000v and their Virtual Security Gateway (VSG).
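To make the “context of execution” argument concrete, here is a small constructed model (added for this post, not VMware, Cisco, or any product’s code). A guest VM is reduced to one flat memory region; an in-guest agent keeps its own enabled flag in that memory and scans for a made-up marker; guest-level malware, running at the same privilege, can overwrite both the scanned region and the agent’s flag. A hypervisor tap reads the same bytes from outside the guest and keeps its reference copy of the expected agent state where the guest cannot reach it, so it still reports the payload and additionally notices that the agent was tampered with. The memory layout, offsets and marker bytes are all assumptions chosen for the demonstration.

```python
"""Toy model of in-guest agent versus out-of-guest (hypervisor) tap.

Constructed example, not product code. The flat memory layout, the agent
flag offset and the PAYLOAD_MARKER signature are made up for illustration.
"""

AGENT_FLAG_OFFSET = 0        # guest-visible byte: 1 = agent enabled, 0 = disabled
AGENT_FLAG_GOLDEN = 1
PAYLOAD_MARKER = b"EVIL"     # constructed signature both monitors look for
MEM_SIZE = 256


class Guest:
    """A VM reduced to one flat memory region. Everything the guest OS, the
    in-guest agent and any in-guest malware do is a read or write here."""

    def __init__(self) -> None:
        self.mem = bytearray(MEM_SIZE)
        self.mem[AGENT_FLAG_OFFSET] = AGENT_FLAG_GOLDEN

    # In-guest security agent: runs at the same privilege as anything else
    # executing in the guest, and its own state lives in guest memory.
    def agent_scan(self) -> str:
        """Return 'disabled' if the agent's flag was cleared, else the verdict."""
        if self.mem[AGENT_FLAG_OFFSET] != AGENT_FLAG_GOLDEN:
            return "disabled"
        return "detected" if PAYLOAD_MARKER in self.mem else "clean"

    # Guest-level compromise: once code runs inside the guest it can write
    # anywhere the guest can, including over the agent's own state.
    def run_guest_code(self, payload: bytes, offset: int, disable_agent: bool) -> None:
        self.mem[offset:offset + len(payload)] = payload
        if disable_agent:
            self.mem[AGENT_FLAG_OFFSET] = 0


class HypervisorTap:
    """Out-of-guest introspection: reads guest memory through the VMM's view.
    The guest holds no reference to this object, so nothing it writes can
    alter the tap's logic or the tap's copy of the expected agent state."""

    def __init__(self, guest: Guest) -> None:
        self._guest = guest
        self._expected_agent_flag = AGENT_FLAG_GOLDEN   # kept outside the VM

    def inspect(self) -> list:
        """Return the list of findings from a full pass over guest memory."""
        findings = []
        snapshot = bytes(self._guest.mem)   # the tap sees every byte the VM has
        if PAYLOAD_MARKER in snapshot:
            findings.append("payload_present")
        if snapshot[AGENT_FLAG_OFFSET] != self._expected_agent_flag:
            findings.append("agent_tampered")
        return findings


def scenario(disable_agent: bool) -> dict:
    """Run one infection and report what each vantage point sees."""
    vm = Guest()
    tap = HypervisorTap(vm)
    vm.run_guest_code(PAYLOAD_MARKER, offset=64, disable_agent=disable_agent)
    return {"agent": vm.agent_scan(), "hypervisor": tap.inspect()}


if __name__ == "__main__":
    for disable in (False, True):
        print(f"malware disables agent={disable}: {scenario(disable)}")
```

When the malware leaves the agent alone, both vantage points report the payload. When it clears the agent’s flag, the in-guest scan simply never runs, while the hypervisor tap reports the payload and the tampering, because its reference state and its code sit one layer below anything the guest can write to. That separation, not any particular signature, is the property the post is arguing for.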
The problem with that approach is that the depth of these protection tools is typically not comprehensive across all of the different threat vectors. What we need to do as an industry is work on ways to better integrate and adopt these tools more rapidly. The unfortunate truth is that each of the security vendors has a core competency, and they let that small set of protection tools dictate the direction of their portfolio and development efforts. Our adversaries, on the other hand, recognize none of these limits, play with no rules, and exploit our unwillingness to properly implement our defense in depth and breadth strategies. As a call to action, we should learn to embrace each of our various tool sets, make it easier for our customers to use our tools in conjunction with one another, and even someday create an open management framework for shared policy constructs.
We don’t need to focus on the network and the minimal set of inspection points it has to offer in the traditional security model. Instead we should focus on the hypervisor and the near infinite and simultaneous inspection points now available. Only this level of cooperation will allow us to take off our stack specific blinders and instead Visualize the true threat landscape and apply the proper Context to implementing our Control boundaries in this new evolution of IT that we call Cloud.
Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware.