Why SNAC, when you can Cocktail?
Looks like Chris Hoff is back in form, and I'm grateful. There are few people that make me think EVERY TIME they write something, and Chris is one of them. This time he weighs in on the Shimel/Stiennon discussion that I mentioned in today's TDI (here).
Read Chris' post right now. The rest of this post will make no sense until you do. Don't worry, I'll wait...
[Romantic interlude]
See what I mean? Chris is funny and he makes you think. BUT, despite the fact that his points are all well taken, he doesn't take the discussion far enough. This was no draw. It was a KO. After thinking a bit more about it, Stiennon came into the battle with a foundation of quicksand. So it wasn't that tough for Shimel to dunk him under. Not that Alan is entirely right, Chris points that out as well. But on the continuum of correctness, Alan's got him hands down. And I am always right, just ask me. :-)
Basically, there are two key points that make Richard's analysis totally flawed - both of which Chris points out. First, the decoupling of host-based and network security. I said it this AM and I'll say it again. That is just stupid. The point of gathering data is to use it and correlate it in interesting ways. Sure some of the data is unrelated, but not all of it. I'll dig into that in a bit more detail in a minute.
Second, the idea of basing decisions entirely on Netflow is ridiculous. I'm not saying that there isn't value in L2/L3 information, there is. BUT it's no panacea. As Chris says, if you are looking at stopping a DDoS (the main value of anomaly detection solutions today), Netflow is what you need. But most attacks are not DDoS anymore but happen at the upper layers of the stack. Basically you're looking at the culprit only from the waist down. I'm not saying that a lot of motivation doesn't happen below the waist, but I wouldn't say it's based on higher order thinking.
So what's the answer? As opposed to Chris' proffered new SNAC acronym (kind of gives me the munchies, I say) - I'd rather we think about a COCKTAIL. And no, that's not just because I'm an alcoholic.
Since I started this gig back in January, I've been talking about losing the religion (Day of Incite post here, Incite Redux post here), but let me take it one step further and leverage something I know a little bit about - anti-spam.
Basically, there are about 30-40 different techniques you can use to determine if a message is spam. None work all the time, in fact most are downright abysmal across the universe of undesireable messages you get. But each can detect a certain type of spam with pretty good effectiveness. The Spam Assassin folks were really the first (regardless of whatever spin the vendors want to use) to take a bunch of those techniques and correlate them into an anti-spam cocktail that was much stronger than any specific technique on its own. Of course, the vendors have greatly improved the cocktail mixture(s), and given the core concept staying power. No one relies on only a single technique anymore.
So what? We need to see the same approach applied to the network security business. Whether it's data from Netflow, an anomaly detection engine, an IDS/IPS and/or an IP address' "reputation" - we should be gathering all this information, correlating it and using that perspective to figure out if something is amiss. And no, SIM is not the answer because they don't DO ANYTHING with the information beside pump out some reports, which don't help you stop an attack.
Now before I get a bunch of comments saying I'm an idiot and you can't do that, just think about it for a second. I know there are processing limitations of doing this in real time on big pipes that anti-spam boxes don't have to deal with. I know correlating this information is fraught with peril and if you get it wrong, half of your friggin' network will be quarantined. I also know that without some kind of standard for this data interchange, this will only work in a homogenous environment and that's a problem given the best of breed mentality of most large enterprise security folk. But Big is the new small, after all.
So, I'm not saying this is easy, but I also don't think the way we are doing things is working either. I'd love to get a dialog going on why this idea is wrong. It very well could be. But I'd rather some smart folks poke holes in the idea, so all of you brainiacs out there - sharpen your battle-axes and have at it. Why am I wrong? And more importantly, what is the RIGHT ANSWER?
Better yet, we'll do it right here. This sort of debate is better served by a couple of independent analysts. I would rather risk your skillful barbs then get into a pissing match with the Chief Strategy Officers of two vendors, one that sells NAC solutions, and one that thinks honk’n monster UTM’s is the answer to everything,
First of all Allen is right that I am still singing the same tune after two years. As far as I know I am the ONLY analyst that thinks the whole idea of end point data being used to grant access is worthless.
Let's take a simple scenario. A large enterprise (5,000+ users) running Symantec AV, Microsoft AntiSpyware, and a spanking new Cisco NAC infrastructure (I know, that does not exist yet but someday...)
It's the day after the Labor Day Holiday in theUS
Network IT people are not stupid. Their first mandate is "do no harm". The only reason they are looking at NAC solutions is they think it can help them *reduce* help desk calls from infections brought in by bad laptops. NAC requires your laptops, your AV vendor, your network vendor, your NAC vendor and Microsoft to play nice. There are too many opportunities for things to go wrong.
I consider myself a network security guy. Doing security in the network invariably is better than doing it on the desktop. Desktop AV is the biggest pain in the ass to administer. *Any* agent is a pain to administer.
So, yes, I have dreams. My dream is that an infected laptop brought on to the network will do no harm, yet will still be able to talk to the exchange server and be a productive device. Unlike Cisco I cannot turn my fantasies into billboards on highway 101 before demonstrating a single element of their CNAC fantasy. But I can continue to talk to people who have dumped their host NAC solutions for inline blocking and tackling. I can watch and report on network security vendors that are combining with switch vendors or introducing access switches of their own.
Keep in mind that even in the fantasy world of a complete NAC infrastructure there is still no defense against the malicious insider with credentials and perfectly updated laptop. Why would you spend millions to deploy a security solution that did nothing to defend you from malicious users? Huh?
I view NetFlow tools as an underutilized and powerful technology for understanding the corporate network and helping to harden it. You date yourself Mike when you equate NetFlow with DDoS defense. But it is important to point out that NetFlow on a carrier is used for tracking down and blocking DDoS as well as spammers. Why wouldn’t an ISP enforce NAC on its customers? Why wouldn’t they quarantine all zombies until they were remediated? Answer that and you will understand why just as NAC does not work in the cloud it does not work in theEnterprise
NetFlow is just one of the elements that can make the network secure. You mention a bunch of others. IPS, access controls, VLANs, firewalls, ACLs. I say work with those proven technologies; don’t fall into Cisco’s dream of owning the desktop as well as the network!