February 17, 2009

Mirage Networks Acquired by Trustwave

While one chapter ends for Mirage, another very exciting chapter begins for our Network Access Control (NAC) solution.  Today, we announce Trustwave’s acquisition of Mirage Networks.  

Based in Chicago with offices around the globe, Trustwave is the leader in Payment Card Industry (PCI) compliance management, with relationships both broad and deep among banks, merchant acquirers and service providers.  Trustwave also offers Managed Security Services (MSS), where Mirage’s NAC solution will join their current suite of Unified Threat Management (UTM), Intrusion Detection and Prevention System (IDS/IPS), log monitoring and secure e-mail offerings.

This is really a remarkable company, especially given today’s landscape; Trustwave is global and growing despite a market characterized by dismal financial news.  In addition to MSS and PCI compliance management, Trustwave also has a rapidly growing SSL certificate business, along with the really impressive folks at SpiderLabs who provide forensic analyses and network and application penetration testing.

Expect to see a general Trustwave blog in the coming months that will cover topics ranging from PCI compliance to network and application security and beyond.  I’ll happily contribute to that company blog whenever asked, but otherwise plan to dismantle this blog in the near future.  This blog has been a lot of fun, but I won’t be able to give it the priority it deserves as I look forward to getting to know the people within Trustwave and seeing our NAC solution thrive within our new organization.

This is Grant Hartline, former CTO of Mirage Networks and current VP of Business Development at Trustwave, signing off.

January 21, 2009

A Blast From the Past

Even as some 2 million people (myself included) descended on our nation's capital to party like it was 1999, enterprise network admins were reminded this week that the worm party is not yet over.  In the event you've been caught in an inauguration trance, Conficker (aka Downadup, aka Kido) has managed to infect over 9 million computers by some estimates, with the majority of those infections inside corporate networks.  While Conficker is highly blended (including backdoor command and control along with aggressive propagation), the true intent of the malware's authors, beyond rapid spread, does not yet appear known.  However, at least one theory indicates that we'd rather contain and remove this threat before finding out what the authors are really up to.


While we at Mirage take some comfort in the fact that our customer base can detect and contain the Conficker worm with our default out-of-box ruleset, I must admit that I find this latest threat a bit surprising.  I, along with many others, have believed for some time that the days of rapid propagation were over, with malware authors opting for stealthy, long-lived botnets over headline-grabbing infection rates.  Time will tell, I suppose, where this goes and what the authors have in mind.  In the meantime, it's one more reminder that the ability to quarantine must be extended throughout the network access lifecycle, not just at connect time.  Traffic filtering as a post-admission strategy is insufficient for inside-inside propagation that leverages MS Networking (not to mention sneaker nets).  Infection via USB drives also renders fully patched systems vulnerable.  A deep defense is key, and NAC (applied fully throughout the lifecycle) should be the foundation upon which it's built.

January 14, 2009

Mirage Beats Cisco in 2008 Patents

Network World has an interesting article up on patents granted in 2008.  While the thrust of NWW's article is that over 50% of US patents in 2008 were granted to non-US based companies, I think they missed the real story.  In addition to having a vastly superior NAC product, Mirage beat Cisco in 2008 patents.  According to IFI, Cisco had 704 patents granted in 2008.  Mirage had one.  How is one greater than 704, you ask?  Simple math (unlike the goofy highly complex math of BCS rankings).

Mirage has 60 employees worldwide, which gives us a patent-to-employee ratio of .017.  Cisco, according to yahoo finance, has 66,129 full time employees worldwide, giving it a patent-to-employee ratio of .011.  Thus, it takes Cisco 94 employees to get a patent, where it only takes Mirage 60 (proving Mirage employees are 63.8% smarter than Cisco employees).  A decisive win, I would say.

How is it that the mainstream press always misses the mark?

January 06, 2009

Rating College Football Teams (or NAC products)

It remains difficult for me to see how anyone can concentrate on work this time of year.  The first 7-10 days of January, it seems to me, are for spending time with friends and family, reflecting on the year past, and setting goals and plans for the year ahead.  Most importantly, of course, they're for watching college football.  For those of you who don't know, Mirage is based in Austin, Texas, home to The University of Texas Longhorns (yes, capitalization of the 'T' is required).  The Longhorns, as any true college football fan is aware, were utterly screwed out of a championship game this year, forced instead to watch a team they beat in heads up competition play for the national title.


Now, much like with the Electoral College system, I try to avoid getting sucked into conspiracy theories over the current BCS system.  This year's, however, seems beyond the pale, for the simple reason that play on the field was ignored.  With two teams as closely competitive, as well performing and well respected as OU and UT, it is simply inexplicable how anyone can ignore the results of heads up play.  Here's the 5 point speech:

1.  Oklahoma and Texas each finished the regular season with the same 11-1 record.
2.  The strength of schedule of the two teams is virtually identical:  same number of games against opponents with 9 or more wins (5); Oklahoma played one more top-25 ranked team than Texas did (5 and 4, respectively); but Oklahoma also played more games against teams with no more than 4 wins (3 and 2, respectively).
3.  Texas beat Oklahoma 45-35 on a neutral field in the annual matchup
4.  Texas destroyed Ohio State University 24-21 in the Fiesta Bowl
5.  Number 4 is a bit dodgy; did I mention that Texas beat Oklahoma on a neutral field?

The point is that what happens on the field matters.  Or at least should.  If Oklahoma beats Florida Thursday night, people will refer to them as the National Champions of college football.  Yet they lost to a BCS bowl winner.

That just doesn't make sense to me, any more than the generally taken reference that Cisco has the "Number One" NAC product, when we continue to replace them in account after account.  And can anyone give a coherent description of Cisco's migration plans surrounding the discontinuance of CCA?  Or a "tie-breaking" system that favors the loser over the winner?  Anyone?  Bueller?

December 20, 2008

Don't Just Let them On

In the wake of the second out-of-band patch in two months (and during the holiday shopping season no less), I'm reminded of two NAC truisms.  The first is that, whatever your general view of patch checking in the NAC cycle, there are times when you absolutely need to check for the presence of a specific KB patch.  The second is that relying solely on IPS technologies for post-admission protection is foolish.

Don't get me wrong.  There remains an obvious place for IPS (though UTM seems a better fit), including a place in the NAC lifecycle.  However, as most data-stealing exploits indicate, there are times when you simply need to remove network access for an endpoint.  In these times, and especially at this time, allowing a data-stealing trojan infected endpoint onto the network under the premise that the "bad traffic" can be dropped remains the very last choice you'd want to make.

December 09, 2008

Economical With The Truth

I once interviewed a guy from Scotland and asked him what he thought of the movie Braveheart.  He said (in a thick Scottish accent), "It was a very good movie, but a bit economical with the truth."  I love that phrase.  It has nothing to do with the topic of the day, but every time I hear anything about the economy or the word economic or economical I think of that phrase.  Needless to say, it's getting too much air time in my head these days.  Which brings us to the economic downturn and why I'm writing about it.

This really shouldn't surprise any of us.  I've been speaking and writing about the dissolving network perimeter for some time now, but as a natural evolution of corporate/organizational networks.  I recently highlighted the October SC Magazine cover story, The New Perimeter, which includes customers and analysts validating the assertion.  Well, the economic downturn isn't helping; in fact it is accelerating the evaporation of the perimeter.  And the absence of a nice big wall around the network is lending itself to an increase in attacks from the network interior.  Dark Reading recently published two articles, one on insider threats and one on cyber crime, and how both are getting higher poll numbers in the current economic conditions.

I am completely against fear mongering to get people to buy security products they don't need, but I think there's a genuine issue here that needs to be addressed.  I truly believe that organizations who don't prepare themselves for a measurable increase in network breaches over the coming months (if not years) and financial losses due to those breaches will pay the price.


Think about it.  On top of the disgruntled employees and the increase in phishing attack success due to financial institution failures (and phishers preying upon an increasingly concerned & confused public), there is a more concerning trend.  That trend is the fluidity of network boundaries and the prevailing transience of the people and devices accessing the networks.  With budget crunches in effect or looming, more organizations are outsourcing, experiencing higher employee turnover rates, hiring temporary employees, and in general relying more on contract resources.  This means more people and more unmanaged devices coming and going from corporate networks than ever before.  The dissolving perimeter trend that has continued at a regular pace is about to take a sharp turn upwards.


I don't think anyone needs to panic, but saying that there is no issue to be addressed would be a bit economical with the truth.  If you don't have a serious plan to control who can do what on your network, it's time to think long and hard about it.



December 04, 2008

MS08-067 Botnet

If you haven't already, it's time to get serious about applying the patch for MS08-067, and quarantining Windows endpoints that don't have the patch.  Dark Reading has an article that a botnet based on the Windows Server Service vulnerability has grown to 500,000+.  As noted in the Dark Reading article, Microsoft security researchers have also noted a recent increase in attacks targeting this vulnerability.

Let's be careful out there.

November 25, 2008

New Cliches for Shimmy

The man with the longest domain name ever (compensating for something?) has decided to pick on last week's blog post.  His main point seems to be our "lack" (perhaps he missed my truth meter) of pre-admission compliance checks, but in it, he uses his favorite hammer-nail turn of phrase.  Now, we all have our favorite cliches, and it has to be especially tough for Alan given how prolific his entries are.  So, in the interest of helping out a fellow blogger, I have a few suggestions:


When you're a cat, everything looks like a canary
When you're a dog, everything looks like a hydrant
When you're Ted Stevens, everything looks like an earmark
When you're the Church Lady, everything looks like Satan (this one's my favorite; who wouldn't want to be compared to the Church Lady?)

Now, then, here's my three-point rebuttal to Alan's post:

1.  What part of "you can always get fancier" was unclear?  My post was not at all intended to represent the sum total of admission checks we can perform.  It was simply to advocate that IT and Security staff take the low hanging fruit first, then move up the tree (see how I did that?  A brand new cliche).

2.  Setting up and configuring a NAC solution should not involve rocket science.  Presenting NAC administrators with a laundry list of 1800+ pre-admission checks is, at least to me, not a benefit.  Solving 80% of the problem out of the box, then providing enough flexibility (via additional pre-admission checks, behavioral controls and a web services API that integrates other security tools) strikes me as a better approach.  Granted, StillSecure is more VA focused than we are, but that makes sense, given their product suite.  After all, when you're a VA company, everything looks ... Never mind.

3.  I continue to wait for a post from Alan, or anyone over at StillSecure, on how DHCP based "quarantine" (StillSecure's primary methodology) is so much more secure than ARP based quarantine.  See here for an example of what I mean.  And have I mentioned that if the switch vendors would get off their collective keisters and implement RFC 3576 we could leave this particular argument behind and fight about other things?

In addition to wishing everyone (yes, even Alan) a happy Thanksgiving, I'll leave you with these parting thoughts.

I'm just glad to be here, and hope I can help the ball club
You have to play them one game at a time, and the good Lord willing, things will work out.
Sometimes you win.  Sometimes you lose.  Sometimes it rains.

Think about that for a while.

November 19, 2008

Pre-Admission NAC

I thought this might be a good time to revisit the often controversial topic of pre-admission NAC policy.  While every environment is different, I think there are two basic goals any pre-admission policy, including initial installations, should look to accomplish.


1.  Coarse-grained classification at entry

We tend to think about network devices in three broad classifications:  Managed (general purpose computing devices owned by the organization), Unmanaged (general purpose computing devices not owned by the organization), and Unmanageable (special-purpose computing devices).  Additional, finer-grained classifications exist to be sure; however, the minimal goal should be to put every entering device into one of these three broad buckets. 

MAC address lists seem to be the most common way to do this, though lists of MAC addresses are cumbersome, especially at scale.  Technologies such as Active Directory integration (watching the machine get a Kerberos ticket, for example), 802.1x and clientless OS detection can help fill out this model in a way that is less cumbersome to configure and maintain over time.

The end result should be broad classes of endpoint descriptors that help inform what assessment information is gathered next and what the ultimate entry success criteria are.  Think of it as a (hopefully better managed) TSA line.  Some endpoints get the blue carpet; some get the stall for additional screening; and others come in the "normal" flow.

2.  Eliminate on-going risks first

Much of the debate over pre-admission assessment has been around what you check (OS patch, FW status, A/V currency, etc.), and whether you should restrict users based on the data, rather than why you want to check it.  The primary focus, at least at initial deployment, should be the elimination of systemic, on-going risks.  Many policy statement examples exist; here are a few:
  • OS Update Agent (WUA, SMS, whatever) must be active and configured properly
  • Antivirus Agent must have valid license and show successful scan within last 30 days
  • Desktop computers must not be mail servers
  • No general purpose computing devices in Voice VLANs
You get the idea.  All of these are examples of ongoing, systemic risks that extend beyond a device's specific session on the network.  Fix those first.

You can always get fancier, as you move the deployment along, but these two steps should be your first two.
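To make the two steps concrete, here is an added example (not Mirage's product code, and not from the original post) that buckets an entering device as Managed, Unmanaged or Unmanageable from the evidence described above, then applies the four sample policy statements according to the bucket. The Endpoint fields, the 30-day scan window and the sample devices are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical endpoint record: what a NAC appliance could learn at entry
# (OS fingerprint, Kerberos/802.1x evidence, VLAN) plus the agent state a
# managed host reports. The field names are this example's own assumption.
@dataclass
class Endpoint:
    mac: str
    os_fingerprint: str                  # clientless OS detection result
    kerberos_ticket_seen: bool = False   # AD integration saw the machine get a ticket
    dot1x_authenticated: bool = False
    vlan: str = "data"
    update_agent_active: bool = False    # WUA/SMS active and configured
    av_license_valid: bool = False
    last_av_scan: Optional[str] = None   # ISO date of the last successful scan
    listens_on_smtp: bool = False        # host is acting as a mail server

GENERAL_PURPOSE_OS = ("windows", "mac", "linux")
AV_SCAN_MAX_AGE = timedelta(days=30)

def classify(ep: Endpoint) -> str:
    """Coarse-grained bucket at entry: Managed, Unmanaged or Unmanageable."""
    if not ep.os_fingerprint.lower().startswith(GENERAL_PURPOSE_OS):
        return "Unmanageable"            # phones, printers, badge readers, ...
    if ep.kerberos_ticket_seen or ep.dot1x_authenticated:
        return "Managed"                 # organization-owned domain member
    return "Unmanaged"                   # general-purpose, but not ours

def assess(ep: Endpoint, today: str) -> tuple:
    """Apply the post's policy statements by bucket; any finding means quarantine."""
    bucket, findings = classify(ep), []
    if bucket == "Unmanageable":
        return bucket, findings          # no agent to query; nothing to assess here
    # Rules for every general-purpose device, whether we own it or not.
    if ep.vlan.lower() == "voice":
        findings.append("general purpose device in Voice VLAN")
    if ep.listens_on_smtp:
        findings.append("desktop is acting as a mail server")
    if bucket == "Managed":              # agent state is only meaningful on our hosts
        if not ep.update_agent_active:
            findings.append("OS update agent not active")
        if not ep.av_license_valid:
            findings.append("antivirus license invalid")
        scan_ok = ep.last_av_scan is not None and (
            date.fromisoformat(today) - date.fromisoformat(ep.last_av_scan) <= AV_SCAN_MAX_AGE)
        if not scan_ok:
            findings.append("no successful antivirus scan in last 30 days")
    return bucket, findings
```

An empty findings list admits the device into the "normal" flow; anything else is a systemic risk to fix before the session proceeds.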

November 11, 2008

The Devil Inside

Last month brought a data leak survey from Compuware, sampling 1,112 IT professionals.  The report is covered by ars technica and has some interesting data points.  I agree with the ars technica article that the "79% of organizations experienced a data leak" is not really a fair headline, though admittedly it's a tempting one for organizations like Mirage.  The two really interesting data elements out of the report are that (a) 56% of IT organizations surveyed are nervous (at best) about their ability to detect a data leak; and (b) 75% of respondents identified "Negligent Insiders" as the most likely vector for a data leak.


The bottom line seems to be that the need for governing what employees can access, as well as what employees do with the information once they have it, is not going away.  Call it Network Access Control; call it Controlling Network Access; call it a lunar landing if you want.  It's not going away anytime soon.