Burning question: How can VM sprawl be prevented?

VM sprawl, or virtual machine sprawl, is just what it sounds like: too many VMs sprawled across a virtual infrastructure, taking up processing power and storage space even if they are rarely used. Since spinning up a new VM can be done in a matter of minutes, users come to expect a new machine, on-demand, whenever they want it.

The issue is not necessarily to prevent VM sprawl, assuming all these VMs are serving valid business purposes. The issue is managing them and providing security. We recommend the following solutions:

  • Management – AccelOps automatically discovers new VM instances and new VMware hosts. It then continues to monitor their availability and performance and to collect the appropriate logs and flows they generate.
  • Network and Server Security – Altor Networks provides a VMsafe-certified firewall/IPS that is embedded in the VMware hypervisor. It protects the hypervisor itself, controls and protects all communication into and out of the associated VMs, and monitors the services running in each VM.
  • Database Security – Specifically for virtualized database servers, we recommend Sentrigo. It runs in the database VM to (1) protect the database from targeted database attacks such as SQL injection and (2) provide complete user access monitoring and control, including activity generated by privileged users, stored procedures, and triggers.

Debunking Five Reasons SIEM Deployments Fail

Dark Reading recently published an article about the problems that plague Security Information and Event Management deployments, Five Reasons SIEM Deployments Fail. First, I would say that you could use these five reasons to explain why almost any “enterprise” information technology project fails. Having said that, I would like to address each of the five points individually:

1. SIEM is too hard to use.

The nut of it really comes down to the fact that SIEM is not an easy technology to use. Part of that rests squarely at the feet of SIEM vendors, who still have not done enough to simplify their products — particularly for small and midsize enterprises, says Mike Rothman, analyst and president of Securosis.

There is no doubt that some SIEM products are harder than others to use. Ease-of-use must surely be one of the criteria you use when evaluating SIEM solutions. On the other hand, too hard to use may be code for not having the resources needed to deploy and operate a SIEM solution. For those organizations, there is an alternative to buying a SIEM solution. Use a Managed Security Service Provider (MSSP) to provide the service. This is a particularly appropriate approach for small and midsize enterprises.

“I think that we need to see more of a set of deployment models [that] make it easier for folks that aren’t necessarily experts on this stuff to use it. In order for this market to continue to grow and to continue to drive value to customers, it has to be easier to use, and it has to be much more applicable to the midmarket customer,” Rothman says. “Right now the technology is still way too complicated for that.”

There is an alternate deployment model which Mike seems to be ignoring. Incident detection and response is complicated. If you don’t have skilled resources or the budget to hire and train people, you need to go with an MSSP. A good MSSP will have multiple deployment models to support different customer needs.

A more correct statement might be that an organization has to decide whether it has the resources to select, deploy, and operate a SIEM.

2. Log management lacks standardization.

In order to truly automate the collection of data from different devices and automate the parsing of all that data, organizations need standardization within their logged events, says Scott Crawford, analyst for Enterprise Management Associates. “This is one of the biggest issues of event management,” Crawford says. “A whole range of point products can produce a very wide variety of ways to characterize events.”

There is no doubt that there is no standardization in logs. That’s like saying there is no standardization in operating systems, firewalls, or any of the other products for which you need to collect logs. Even if there were a standard, there would still be ways for manufacturers to differentiate themselves. Just take a look at SNMP. It is one of the most widely used industry standards, yet manufacturers always add proprietary functions for which systems management products must account. So logs may get somewhat more standardized if, for example, MITRE’s CEE were to become a standard. But SIEM manufacturers and MSSPs will always be dealing with integrating custom logs.

3. IT can’t rise above organizational power struggles.

“One of the key challenges our customers face is really getting all parts of the company to work together to actually make the connections to get the right scope of monitoring,” says Joe Gottlieb, president and CEO of SenSage. “And the things you want to monitor sit in different places within the organization and are controlled by different parts of the organization.”

Yes, by definition SIEM cuts across departmental lines when the goal is to provide organization-wide security posture and incident visibility. As with most “enterprise” solutions, you need senior management support in order to have any hope of success.

4. Security managers see SIEM as magic.

SIEM expectations frequently don’t jibe with reality because many IT managers believe SIEM is about as powerful as Merlin’s wand.

“A lot of people look at SIEM like it’s this magical box — I get a SIEM and it’s going to do all my work for me,” says Eric Knapp, vice president of technology marketing for NitroSecurity. “SIEM has different levels of ease of use, but they all come back to looking at information and drawing conclusions. Unless you’re looking at it in the correct context for your specific environment, it’s not going to help you as much as it should.”

SIEM has been around for ten years now. Is it really possible that SIEM still has some kind of magical mystique about it? SIEM vendors that let their sales people sell this way don’t last, because the resources the vendor has to commit to alleviate customer dissatisfaction are huge and profit-sapping. On the other hand, caveat emptor. Any organization buying SIEM without understanding how it works and what resources it needs to make it successful has only itself to blame. Again, if you are not sure what you are getting yourself into, consider an MSSP as an alternative to buying a SIEM solution.

5. Scalability nightmares continue to reign.

There is no doubt that scalability is a particularly important attribute of a SIEM solution. And there are SIEM products out there that do not scale well. If the vendor tells you (1) “We store log data in a traditional relational database” or (2) “You only need to save the ‘relevant’ logs,” RUN. These statements are sure signs of a lack of scalability. On the other hand, you do need to know or estimate how many events per second and per day you will actually generate in order to size the underlying hardware for reasonable performance.

There are SIEM solutions that do scale well. They don’t use traditional relational databases to store log data. As to which log events are unimportant? It’s practically impossible to determine. If you are in doubt, there is no doubt. Collect them.

For the reasons I’ve discussed above, and a key one not mentioned in the article, we partner with AccelOps. The issue not mentioned is context. Just collecting and analyzing logs by themselves will not provide actionable intelligence. For that you need context, as much as you can get. So in addition to ease-of-use, broad vendor log support, powerful analytic capabilities, and extraordinary scalability, AccelOps provides practically complete context. It includes device, software, and network topology discovery, directory integration, configuration change monitoring, availability/performance monitoring, and IT/Business Service Management.

As to a Managed Security Service Provider, we will be announcing a relationship very soon.

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading

Last week Forrester Research began promoting a new term, “Zero Trust,” to define its new security model. The new model’s underlying principle is “trust no one.” In other words, you cannot trust the servers and the workstations inside your network any more than you could trust external third parties.

Given the nature of the changes we’ve seen during the last 3 to 5 years in technology and the threat landscape, we agree. We have seen a huge increase in what we call “inside-out” attacks where insiders are lured to malware-laden web pages on, for example, Facebook, Twitter, YouTube, and even the New York Times. The malware gets downloaded to the unsuspecting person’s workstation along with the normal content on the web page. From there, the malware steals the person’s credentials to access bank accounts, internal intellectual property, customer records, or whatever the attackers can readily convert to cash. This type of malware is not the traditional single-purpose virus or worm. Rather it’s an agent controlled by remote servers that can modify its functions. These “bots” have gone undetected for days, weeks, months, even years.

From a security perspective, this type of attack looks very similar to a malicious insider, and information security must protect against it along with the traditional “outside-in” attack method.

From my perspective, Forrester’s Zero Trust model and Cymbel’s next-generation defense-in-depth architecture are the same when it comes to network security. Our approach, based on the SANS 20 Critical Security Controls for Effective Cyber Defense, is broader.

However, there is one area where I disagree somewhat with John Kindervag, the Forrester analyst discussing the Zero Trust model, who is reported to have said:

“It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. “It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function.”

Gee, how did he leave out packet shaping? I have no doubt that there are vendors attempting to do all these functions in a single appliance, but it reminds me of Network Access Control in 2007. NAC was going to subsume all manner of security functions in a single appliance. The complexity was overwhelming. Furthermore, most organizations really don’t want all that functionality in one box. There is still the need for a defense-in-depth architecture, in our opinion.

Some level of function consolidation is surely reasonable and advantageous to organizations with limited resources, i.e., everyone! However, the expertise needed to develop and advance all of these different functions is virtually impossible to assemble in one company. For example, full packet capture is really about innovative data storage and retrieval. A high-performance, stream-based, application-level firewall/IPS is about innovative deep-packet inspection combined with clever hardware design. And data loss prevention requires proxies and semantics-based data classification algorithms.

While I am surely not saying that we can achieve nirvana now, the components of Cymbel’s next-generation defense-in-depth architecture can provide major improvements in network security today:

  • Next-Generation Firewall with application- and user-level, internal network segmentation, integrated intrusion prevention, and bandwidth management – Palo Alto Networks
  • 0-day threat and botnet command & control communications prevention – FireEye
  • Cloud-based web and email security – Zscaler
  • Device/software discovery and configuration change detection – Insightix, AccelOps
  • Data Loss Prevention capable of blocking malicious evasive actions – nexTier Networks
  • High Performance Full Packet Capture – Solera Networks
  • Layer 2, 3, 4 encryption – CipherOptics
  • User-based, behavioral anomaly detection using net flows and logs plus high-performance event correlation – AccelOps

I look forward to learning more about Forrester’s Zero Trust model and working with partners who recognize the new landscape and respond with creative solutions for our clients.

SIEM: Moving Beyond Compliance

Dr. Anton Chuvakin recently wrote a white paper for RSA entitled SIEM: Moving Beyond Compliance. While I am no fan of RSA’s enVision product (Cymbel partners with AccelOps), the white paper is quite good. As its title says, it discusses “use cases” for SIEM beyond the basic compliance requirements that drive a lot of SIEM projects. Here is the list with my comments:

  • Server user activity monitoring – It’s not always possible to collect the logs from all servers. Sometimes a network-based product like PacketMotion is needed to complement log collection.
  • Tracking user actions across disparate systems – Same comments as above.
  • Comprehensive firewall monitoring – Key capability needed by the SIEM is Active Directory integration for mapping IP addresses to users and generating reports by AD groups.
  • Malware protection – I think this would be better termed “Malware behavior detection,” since a SIEM cannot actually detect malware itself as an Intrusion Prevention/Detection System would. Ideally, the SIEM should provide a behavior anomaly detection capability.
  • Web server attack detection – A SIEM can provide “detection” capabilities to complement the “protection” capabilities of a Web Application Firewall (Cymbel partners with Barracuda), whose logs also ought to be captured and correlated.
  • Incident response enablement – In addition to SIEM, Cymbel recommends a Full Packet Capture product be deployed. Cymbel partners with Solera Networks.

Anton closes with the three “worst practices” he has seen. Based on my six years of SIEM experience, I agree:

  • Storing logs for too short a time
  • Trying to prioritize logs and store “just what’s important”
  • Trying to use advanced SIEM features before establishing success with basic log collection and reporting

NetworkWorld discusses next-generation log management

As over-used as the term “next-generation” is, it is a genuinely valid adjective to describe a new class of log management products. Jon Oltsik, in a recent Network World opinion piece, describes several of the characteristics of next-generation log management: consolidation of logs and flows, location awareness, and deeper granular visibility.

I would go further. Having been involved in log management and security information and event management since 2002, the value add (beyond compliance reporting) is actionable intelligence. And actionable intelligence depends on adding context to the logs. One way, as Jon states, is correlating logs with flows. But context can further be enhanced by adding configuration, availability, performance, virtualization, and business service information.
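To make the point about context concrete, here is an added Python example (not code from AccelOps, Cymbel, or any product named on this page) that takes the Active Directory IP-to-user mapping mentioned under comprehensive firewall monitoring above and the CMDB/business-service context described here, enriches firewall log lines with both, and produces a denies-per-AD-group report while flagging sources that discovery has never inventoried. All log lines, users, hosts, and addresses are constructed for the illustration.

```python
import re
from collections import Counter

# Constructed firewall log lines in a key=value syslog style (not from any real device).
FIREWALL_LOGS = [
    "2010-09-20T10:01:02 fw1 action=allow src=10.1.1.5 dst=203.0.113.9 dport=443",
    "2010-09-20T10:01:07 fw1 action=deny src=10.1.1.5 dst=203.0.113.9 dport=22",
    "2010-09-20T10:02:13 fw1 action=deny src=10.1.2.17 dst=10.1.0.10 dport=1433",
    "2010-09-20T10:03:44 fw1 action=allow src=10.1.9.99 dst=203.0.113.9 dport=80",
]

# Constructed directory context: the IP -> (user, AD group) mapping a SIEM derives
# from domain logon events. Hypothetical data.
IP_TO_USER = {"10.1.1.5": ("alice", "Finance"), "10.1.2.17": ("bob", "Engineering")}

# Constructed CMDB/discovery context: known devices and the business service they belong to.
CMDB = {
    "10.1.0.10": {"host": "db01", "service": "Billing"},
    "10.1.1.5": {"host": "ws-fin-05", "service": "Finance Desktops"},
    "10.1.2.17": {"host": "ws-eng-17", "service": "Engineering Desktops"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed firewall line into a dict; unparseable lines are an error."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line}")
    return m.groupdict()


def enrich(event, ip_to_user=IP_TO_USER, cmdb=CMDB):
    """Attach user, AD group, inventory status and destination business service to an event."""
    user, group = ip_to_user.get(event["src"], ("unknown", "unknown"))
    event = dict(event, user=user, ad_group=group)
    event["src_known"] = event["src"] in cmdb          # did discovery ever see this device?
    event["dst_service"] = cmdb.get(event["dst"], {}).get("service", "external/unknown")
    return event


def report_by_group(lines):
    """Count denied connections per AD group and list sources missing from the inventory."""
    denies = Counter()
    undiscovered = []
    for line in lines:
        ev = enrich(parse_line(line))
        if ev["action"] == "deny":
            denies[ev["ad_group"]] += 1
        if not ev["src_known"]:
            undiscovered.append(ev["src"])
    return denies, undiscovered
```

Without the directory and CMDB context, the same four lines are just IP addresses; with it, the report reads as “one deny from Finance, one from Engineering against the Billing database, and one traffic source nobody has inventoried.”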

The first and only product I know of that does all this for less than seven figures is from AccelOps. They did a nice blog post that goes into more detail.

Is unified Security Operations and IT Services possible?

In this era of limited IT budgets, can organizations afford separate Security Operations and IT Services? In reality both groups benefit from common services such as discovery, configuration management, availability and performance analysis, flow analysis, log analysis, and business service management.

AccelOps has a nice blog post discussing this issue called Security Operations and IT Services, Competition or Cooperation?

California Casualty replaces Cisco MARS

Network World has a story about California Casualty replacing Cisco MARS with AccelOps, a Cymbel partner. The AccelOps founders were the founders of Protego, the company that developed MARS and sold their company to Cisco.

One of the key issues was California Casualty’s frustration with Cisco’s appliance business model. If you are running on an older MARS appliance, apparently you have to buy a new appliance at a price significantly higher than the underlying server would cost from a server vendor. AccelOps is sold as a virtual appliance or SaaS.

While we at Cymbel surely like the virtual appliance approach, there were other important reasons we selected AccelOps for Log Management, Security Information and Event Management (SIEM), and IT/Business Service Management. Once you can meet an organization’s scalability and compliance reporting requirements, the biggest value add this class of solution can provide is actionable information.

Actionable information requires context. And there is no better solution than AccelOps at providing context. It starts with Device and Software Discovery. If you don’t know the devices on your network and the software they are running, you are working in the dark. Next you must be able to understand configuration changes. For that you need a Configuration Management Database (CMDB). Device Discovery, Software Discovery, and Configuration Management are the first four controls defined in the SANS Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines (TCC). Cymbel uses TCC as a core component of its approach to Defense-in-Depth. And you must be able to group your devices by Business Service.

Prior to AccelOps, you were looking at a seven figure capital expense to get there and a huge amount of professional services to integrate several different tools. AccelOps provides all of the above plus performance and availability management in one unified solution.

According to Network World, AccelOps’ unified solution enabled California Casualty to decommission several monitoring tools they were using because they had become redundant. Read the whole story here.