By 2020, EMC Greenplum estimates that the world will have some 35 trillion gigabytes of electronically stored data -- what amounts to a forty-fold increase from 2009. This is Big Data, for sure. Moreover, McKinsey Quarterly notes that in 15 of our economy's 17 sectors, companies with more than 1,000 employees store on average more data than the Library of Congress. McKinsey also mentions, perhaps not so surprisingly, that academic research suggests that companies using Big Data to guide decision making are more productive and have higher returns on equity.
The potential of Big Data is so impressive that the topic was discussed recently at the World Economic Forum in Davos. Davos has discussed how to harness and put Big Data to use for societal good. However, Big Data can also be put to use for other pressing global issues - such as protecting against global cybersecurity threats. This is why an upcoming discussion on "Big Data and Security: The Rules Have Changed" at RSA Conference in San Francisco is so critical.
Derrick Harris of GigaOM has come to the conclusion that Big Data and security may in fact be "soulmates," but could this be? Is big data technology ready to stand up to IT security prime time? Bill Brenner of CSO Magazine, who will moderate the discussion, has already begun mulling over the topic on his blog, here.
Bill Brenner will be joined by Sourcefire's chief architect, Adam O'Donnell, Andrew Jaquith of Perimeter E-Security, who also authored his own take on the topic; John Adams from Twitter and Rich Mogull of Securosis.
For those attending RSA Conference in San Francisco this year, please join us at the session in room 301 at 3:50 pm on Tuesday February 28 where the discussion will continue.
Thursday, February 23, 2012
Wednesday, February 22, 2012
Information Superiority as an Enabler of Continuous Capability
Posted by
Martin Roesch
Recently we at Sourcefire have been doing a good deal of talking publicly about our ideas around Information Superiority. The concept is not particularly difficult – the basic idea is that network security is a battle that is fought around who can bring superior intelligence to bear on network and device security problems. The goal of an attacker is to gain local Information Superiority – leveraging knowledge of an exploit, default password, topological flaw, etc. – to access a defender’s network or devices. A defender’s job is much more difficult because there is so much to know about modern network environments and they change so rapidly. The fundamental security problem that many defenders face is not securing their environment but gaining sufficient understanding of what they’re protecting and how it’s arranged so that they can begin the continuous process of securing it as it evolves.
The traditional methods of network and asset discovery have been ill-suited to Information Superiority requirements because the scope of their operation is transient. For example, one of the chief network discovery methods used by many security vendors is to use active scanners to interrogate the environment for devices and their configuration, which is then followed by more in-depth port scanning and credentialed access to form a picture of the network’s composition. The problem with this method of collection for the purposes of Information Superiority is that it only produces a picture at a moment in time. Further evolution of the environment is unknown until the next discovery scan, and changes that run their lifecycle between scans are completely unknown.
In the traditional model of security this results in poorly configured security infrastructure, reduced protection and an increase of false positives (noise) as well as false negatives (missed attacks). At Sourcefire, we pioneered continuous network discovery using our RNA and, later, RUA technologies (now FireSIGHT) almost 10 years ago as a counter to this fundamental weakness in many security models, and it has led to objectively improved results. With the acquisition of Immunet last year we significantly increased the level of awareness that we brought to the security equation due to its vantage point on the network and continuously updated telemetry about security-interesting events on devices. At the point that I really understood what we could bring to the table in terms of increased awareness I came up with the term “Information Superiority” to describe where we were headed with it and why I thought it was important.
There is another side of the problem as well that has only become apparent to me recently.
If you look at the vast majority of “blocking” products (IPS, FW, NGFW, AV, etc.) that are available today, what you will see is technologies whose opportunity to provide protection is transient in nature. An IPS only blocks an attack when it is in progress and has no follow-on capability if the attack definition isn’t in its signature library. An anti-virus system acts in much the same way. Firewalls, too. Even many of the new network-based client-side malware prevention systems are the same – except they have the ability to discover previously unseen attacks themselves (after letting the initial attack go through in many cases).
The problem with this approach is that the security technology only has one chance to do the right thing, after which point it has no ability to do anything about the attack or its after-effects. A good recent example of this is many of the newer network-based client-side malware protection technologies that are on the market. Frequently these technologies rely on methods like sandboxing or other binary analysis techniques to do their jobs, and in many cases when they see a novel piece of content they analyze it out-of-band after letting the content continue on its merry way to its recipient. If an attack is missed it’s gone; these systems have no ability to keep track of “what happens next”. In the case of modern advanced malware the problem with this approach should be self-evident: that initial foothold is all that’s required to become deeply embedded in the environment and then mutate and spread.
As the Immunet technology was turned into what has become FireAMP, our advanced malware protection solution for enterprises, it has occurred to me that we might be on to something that’s almost entirely new in our industry. FireAMP has a number of really interesting features and capabilities, but the one really strategic thing that it’s doing that I don’t think I’ve ever seen before is providing Continuous Capability. What’s that and what’s it got to do with Information Superiority? Let me explain.
FireAMP contributes to our overall Information Superiority picture by providing us with insight into the devices in a network environment and the executable content on those devices. Over time we gain a very detailed picture into what’s in an environment and what it’s doing since part of it is resident on the devices in the network and generating continuous telemetry that is received by our FireCLOUD infrastructure. The other side of the coin is that FireAMP also provides the ability to control and quarantine content on a device. Not only can we do that, we can do it at any time based on information that the operator of the product has available.
What does this mean? It means that FireAMP can detect and block advanced malware attempting to execute in an environment if it’s recognized as being hostile. However, if it’s not recognized via the automated detection engines in FireCLOUD and enters the environment its every action is still tracked and the full suite of response available from the FireAMP technology is available at any time. FireAMP never loses visibility of the content and is also tracking all of its actions continuously. This enables the user to respond comprehensively across the entire deployed FireAMP infrastructure at any time – users can clean up not just an initial infection but every mutation and additional piece of malware that it deployed in the user’s environment.
This is what I’m calling Continuous Capability, the ability to respond comprehensively and systemically across a deployed security infrastructure and it relies on Information Superiority in order to work. It is made possible because FireAMP has continuous visibility and tracking of activities by malware (and everything else) at the device-level of a network. Once continuous and comprehensive visibility is attained, Continuous Capability becomes possible.
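The retrospective response described in the two paragraphs above can be made concrete with a small model. The Python below is an added example written for this page, not Sourcefire's FireAMP or FireCLOUD code: it keeps every file write/execute event reported by endpoint agents, makes the usual point-in-time allow/block decision on ingest, and, when a hash is later flagged hostile, walks the stored trajectory to find every host where it ran and every file it (or its descendants) dropped. The event schema, host names and hash labels such as "h_dropper" are constructed placeholders, not real indicators.

```python
"""Retrospective detection over continuously collected endpoint telemetry.

Added example (not Sourcefire's code). Assumed agent event schema: timestamp,
host, action ("exec" or "write"), file hash, and the hash of the parent
process that launched or wrote the file. Hash values below are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    ts: int                 # seconds since epoch (constructed)
    host: str               # endpoint that reported the event
    action: str             # "exec" or "write"
    sha256: str             # hash of the file involved (placeholder label)
    parent: Optional[str]   # hash of the process that wrote/launched it


class Telemetry:
    """Retains every event so a later verdict can be applied retrospectively."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.blocklist: Set[str] = set()

    def ingest(self, ev: Event) -> str:
        """Point-in-time decision: block only if already known hostile.
        Unknown content is allowed but recorded, so it is never lost."""
        self.events.append(ev)
        return "block" if ev.sha256 in self.blocklist else "allow"

    def first_seen(self, sha256: str) -> Dict[str, int]:
        """Host -> timestamp of the first time this hash appeared there."""
        out: Dict[str, int] = {}
        for ev in sorted(self.events, key=lambda e: e.ts):
            if ev.sha256 == sha256 and ev.host not in out:
                out[ev.host] = ev.ts
        return out

    def descendants(self, sha256: str) -> Set[str]:
        """Transitive set of files written by the hash or by its descendants."""
        children: Dict[str, Set[str]] = defaultdict(set)
        for ev in self.events:
            if ev.action == "write" and ev.parent is not None:
                children[ev.parent].add(ev.sha256)
        seen: Set[str] = set()
        stack = [sha256]
        while stack:
            for child in children[stack.pop()]:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def retrospective(self, sha256: str) -> Dict[str, Set[str]]:
        """New intelligence says `sha256` is hostile: add it to the blocklist
        and return host -> every related hash that should be quarantined."""
        self.blocklist.add(sha256)
        targets = {sha256} | self.descendants(sha256)
        per_host: Dict[str, Set[str]] = defaultdict(set)
        for ev in self.events:
            if ev.sha256 in targets:
                per_host[ev.host].add(ev.sha256)
        return dict(per_host)


# Constructed sample stream: a dropper runs on two hosts, drops a payload on
# one and a mutated variant on the other; the variant later drops a second
# stage. Host C only runs an unrelated benign binary.
SAMPLE_EVENTS = [
    Event(100, "hostA", "exec", "h_dropper", "h_browser"),
    Event(101, "hostA", "write", "h_payload", "h_dropper"),
    Event(102, "hostA", "exec", "h_payload", "h_dropper"),
    Event(200, "hostB", "exec", "h_dropper", "h_mailclient"),
    Event(201, "hostB", "write", "h_variant", "h_dropper"),
    Event(300, "hostC", "exec", "h_benign", "h_browser"),
    Event(400, "hostB", "write", "h_stage2", "h_variant"),
]


def build_sample_telemetry() -> Telemetry:
    t = Telemetry()
    for ev in SAMPLE_EVENTS:
        t.ingest(ev)   # every sample event is allowed: nothing is known hostile yet
    return t


def demo() -> Dict[str, Set[str]]:
    """Intel arrives after the fact that h_dropper is malicious."""
    return build_sample_telemetry().retrospective("h_dropper")


if __name__ == "__main__":
    for host, hashes in sorted(demo().items()):
        print(host, sorted(hashes))
```

The point the model makes is in `ingest` versus `retrospective`: the first decision is necessarily transient (the dropper was unknown at t=100 and was allowed), but because the events were retained the later verdict reaches hostA and hostB, the dropped payload, the variant, and the second stage the variant produced, while hostC is untouched. Any content ingested after the verdict is blocked outright.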
The next frontier of these ideas should be explored at the network level. Today IDS/IPS and Firewalls/NGFW provide a lot of the control mechanisms for a comprehensive, systemic response to identified hostile activity, but the telemetry stream isn’t there in a timely fashion because we’re working on purely rule-based and signature-driven models instead of activity-driven telemetry collection and analysis as the foundation of those rule/signature models. If the engineering problems are worked out then perhaps someday network-based security technologies will also offer Continuous Capability.
Monday, February 20, 2012
Chris Peterson - 2012 CRN Channel Chief
Posted by
Staff Contributor
Sourcefire is very pleased to share the news that Chris Peterson, our Senior Vice President of Worldwide Channels, Services, and Support, has been named a 2012 Channel Chief by CRN Magazine. Chris calls on more than 20 years of experience in channel and sales management in his role in which he assumes overall responsibility for Sourcefire's worldwide channel programs.
CRN’s list of Channel Chiefs is a prestigious group of the most influential and powerful leaders in the IT channel. The list recognizes those responsible for driving channel sales and growth within their organization, while evangelizing the importance of the channel throughout the entire IT industry. The reasons why Chris made the cut this year are numerous – but all demonstrate that Chris puts our partners first.
In the past year, Chris directed the rollout of Sourcefire’s new Agile Security vision to the partner community. This is vital for partners so they are armed with not just strong products, but also a strategic vision that will allow them to grow their businesses. With this, they can solidify their role with clients as strategic advisers who consult around the key tenets of Agile Security to keep their clients' businesses profitable and secure—not merely standing up boxes for them.
Sourcefire has never viewed channel communications as a one-way street. This is why Chris spearheaded the creation of our global series of Partner Advisory Council meetings for new and existing partners to garner their feedback on product strategy, direction and the program itself. We rely on partners to provide input and feedback in Council discussions to gain insight into the issues they face so we can further tailor our offerings to their needs and concerns.
CRN selected this ninth year of Channel Chief winners based on channel experience, program innovations, channel-driven revenue, and public support for the importance of IT channel sales. As we have seen, Chris has shined in all of these areas.
To read more, see CRN Magazine’s online section on this year’s winners at www.crn.com. Please join us in extending a hearty congratulations to Chris.
Friday, February 17, 2012
Who Is the Real Security Engineer?
Posted by
Staff Contributor
James Bond, MacGyver, or somebody locked in a dark room with a computer? Let us know who you think the real security engineer is. If you know somebody who may have an opinion, please share.
Thursday, February 16, 2012
Agile Security - The VRT Perspective
Posted by
Staff Contributor
Sourcefire's Vulnerability Research Team (VRT) spends most of its time examining the latest in hacking, intrusions, malware and vulnerabilities. The VRT is more familiar than anybody with the fact that security environments undergo constant change, necessitating a very dynamic approach to security - which is how Sourcefire's Agile Security vision came about. Matthew Olney of the VRT offers his own take on Agile Security, from the perspective of someone heads down day-to-day on real security issues.
Truth be told, the VRT is a rather pragmatic bunch when it comes to security - the less spin, the better. With this being the case, please have a quick read of the VRT's take on Agile Security in the real world.
Wednesday, February 15, 2012
Are IPS and NGIPS the same? Introducing Next-Generation Network Security 'Fact or Fiction?'
Posted by
Staff Contributor
Today's post introduces a video series called "Next-Generation Network Security: Fact or Fiction?" that will be shared over the course of the coming months. In the series, we will showcase brief videos that examine debates germane to the security industry with topics from network security appliances to what advanced persistent threats (APTs) really are. Each video will ultimately reach a conclusion that determines whether the proposition is fact or should be written off as fiction.
In our first installment, vice president of security strategy Jason Brvenik examines whether or not intrusion prevention systems (IPS) and Next-Generation IPS (NGIPS) are one and the same. Are there fundamental technology differences between the two? Hear what Jason has to say and let us know what you think.
Sunday, February 5, 2012
Sourcefire FireAMP: AMPlify Your Security! [Video]
Posted by
Staff Contributor
FireAMP from Sourcefire is an enterprise malware analysis tool that analyzes and blocks advanced malware. FireAMP has many attributes, such as file trajectory, outbreak control, retrospective remediation, and so on, but is also lightweight and about 1/3 the size of traditional anti-malware solutions. The comparison, as evidenced by this video, is stark. For more information, visit http://www.sourcefire.com/FireAMP.