Insider Threat

Report Card: 2007 Incite #4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-12-24 08:01.

40% of the way there. Let's keep pressing forward.

Incite #4 - Trust No One

The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.

Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007

Final grade: B

Yes, customers continue to struggle with the idea of protecting against the insider threat. They all know it’s a problem, yet with the sheer number of things that need to be done – many organizations are stuck in analysis/paralysis mode. Do they do DLP first? What about NAC? What about just contracting the perimeter and installing a whole mess more firewalls closer to the data that needs to be protected?

We’ll talk about DLP later (Incite 6), so let’s focus on NAC now. Suffice it to say, everyone is acknowledging that the technology disappointed relative to expectations in 2007. How could it not? But what will 2008 have in store? Probably not a lot different. Can you hear the wails of the VCs with hundreds of millions invested in the space? The early adopters will continue looking at how to overhaul their campus networks and do it in a more secure fashion.

Everyone else will wait until they clean up the other projects, which are ahead of NAC on the priority list. Little things like IPS and the like. Yes, there are still folks in the mass market focused on IPS and not some of these other shiny functions that we spend most of our time dreaming about. NAC standards efforts will continue to lag, although the new, open source OpenSEA 802.1X supplicant effort will pick up steam – basically because there aren’t any other options.

But to me, the last clause is what is most important about this Incite and the reason this was only graded as a B. The security monitoring philosophy is not spreading as quickly as it should. So many security folks are still married to the idea of blocking everything and have not grasped the folly of trying to outsmart the bad guys. In one man’s opinion, focusing on REACTING FASTER and doing that through strong monitoring capabilities is a lot better (and more sustainable). Maybe some more folks will start to get that in 2008. One can hope, no?

Check out the other posts in the Report Card series.

2007 DOI: Day 4 - Trust No One

Submitted by Mike Rothman on Mon, 2007-02-19 16:27.

NAC, NAC?
Who’s there?
Confused.
Confused who?

You know who, don’t you? NAC is this year’s PKI. Everyone wants to believe it’s the year of NAC. But I suspect most customers will be sorely disappointed in what they achieve to deter the “insider threat” with NAC this year.

Why? Because solving the insider problem is complicated and multi-faceted. It’s about more than just checking the AV and patch levels on devices connecting to the network. It’s also about more than access control and worm mitigation. And that doesn't even scratch the surface on the data/information security issues related to the "insider threat."

It’s about all three and architecturally, that’s going to be a hard problem to solve in 2007. Why? Because rip and replace is not an option. Unless you have a money tree out back.

The good news is that based upon numerous conversations and validating evidence, customers are starting to figure out what they need. Of course, knowing what to buy and actually buying it are totally different. NAC is still a very early market and will remain as such for another 2-3 years.

Can you hear all the VCs shuddering? After throwing hundreds of millions of capital into a market sector, the last thing these guys want to see is a market still 2-3 years from major revenue acceleration. But it is what it is. You can’t push on a string, though many players in the NAC business will try this year.

Another dynamic that will muddle things is just the sheer number of vendors. It feels like the anti-spam business 2-3 years ago, but with a less defined value proposition. After the initial wave of buying, anti-spam leveled off (late 2005 to mid-2006). There were too many vendors, too much confusion, not enough differentiation. Customers waited for some consolidation and shake-out, and it was only with the wave of image spam in Q4 of 2006 that they started buying en masse again.

The problem is that the early adopters are only starting to roll out their NAC deployments, and the market is already oversaturated. I don’t envy anyone trying to sell NAC nowadays. 10 vendors in a deal saying the exact same thing is no fun for anyone.

So what’s a customer to do? Tread carefully. Kick the tires. Figure out your real requirements. And probably repurpose existing devices (like SSL VPN) to do poor man’s NAC for the short term. Unless you have some very specific requirement that forces you to buy something today, don't. And if you do, don't get married to whatever solution you pick. It's TACTICAL. Manage expectations that you will be looking at other stuff in a year or two.

Something like network behavior analysis could also be helpful, at least to pinpoint some weird traffic patterns. In a perfect world, you’d like to actually block the weird stuff. But as a first step, knowing about it is useful.

Another benefit to more aggressive monitoring on the network is that the network doesn’t care who you are or what your job title is. There are no “freebies” for important folks. No ways to skirt the monitoring or enforcement mechanisms. And in an environment where the CEO is perhaps more likely to be dirty than a run-of-the-mill worker, you can’t assume anyone is clean.
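The two preceding paragraphs make a concrete pair of points: network behavior analysis can pinpoint weird traffic patterns, and the network applies the same scrutiny to every host regardless of whose desk it sits on. The following is an added example, written for this page and not code from the original post or from any NBA product, of the simplest form of that idea: learn each host's normal hourly outbound volume and destination fan-out from a learning window, then flag hours that sit well above that baseline. The host names, the flow records, the learning and review windows, and the z-score threshold are all constructed for the demo; the scoring deliberately has no notion of user role, so the "CEO laptop" is judged exactly like any other machine.

```python
"""Added example (not from the original post): a minimal network behavior
analysis baseline over constructed flow records.  Everything below
(hosts, addresses, byte counts, thresholds) is made up for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # assumed: alert when an hour is > 3 sigma above baseline
STD_FLOOR = 0.10    # assumed: sigma never below 10% of the mean (avoids /0)

# Constructed flow records: (hour, src_host, dst_ip, bytes_out).
# Hours 0-5 are the learning window; hour 6 is the hour under review.
FLOWS = []

def _steady_traffic(host, hours, dst_prefix, byte_size):
    """Append one flow to each of five peers per hour for a quiet host."""
    for h in hours:
        for i in range(5):
            FLOWS.append((h, host, f"{dst_prefix}.{i}", byte_size))

_steady_traffic("ceo-laptop", range(0, 7), "10.0.1", 20_000)
_steady_traffic("clerk-pc", range(0, 7), "10.0.2", 20_000)
# In hour 6 the executive's laptop suddenly talks to 60 new peers and
# pushes 50x its usual per-flow volume.  The title on the door is irrelevant.
for i in range(60):
    FLOWS.append((6, "ceo-laptop", f"10.0.9.{i}", 100_000))

def hourly_profile(flows):
    """Aggregate raw flows into per-(host, hour) -> (bytes_out, distinct peers)."""
    bytes_out = defaultdict(int)
    peers = defaultdict(set)
    for hour, host, dst, nbytes in flows:
        bytes_out[(host, hour)] += nbytes
        peers[(host, hour)].add(dst)
    return {k: (bytes_out[k], len(peers[k])) for k in bytes_out}

def _stats(series):
    mu = mean(series)
    sigma = max(pstdev(series), STD_FLOOR * mu)
    return mu, sigma

def build_baseline(profile, learn_hours):
    """Per host: ((mean, sigma) of hourly bytes, (mean, sigma) of hourly peers)."""
    per_host = defaultdict(lambda: ([], []))
    for (host, hour), (b, p) in profile.items():
        if hour in learn_hours:
            per_host[host][0].append(b)
            per_host[host][1].append(p)
    return {host: tuple(_stats(s) for s in series)
            for host, series in per_host.items()}

def detect(profile, baseline, review_hours):
    """Return sorted alerts (host, hour, metric, zscore) for hours that exceed
    the host's own baseline.  Every host is scored identically: nothing here
    consults who owns the machine or what their job title is."""
    alerts = []
    for (host, hour), observed in profile.items():
        if hour not in review_hours or host not in baseline:
            continue
        metrics = ("bytes_out", "distinct_peers")
        for metric, obs, (mu, sigma) in zip(metrics, observed, baseline[host]):
            z = (obs - mu) / sigma
            if z > Z_THRESHOLD:
                alerts.append((host, hour, metric, round(z, 1)))
    return sorted(alerts)

def run_demo(flows=FLOWS):
    """Learn from hours 0-5, review hour 6, return the alerts."""
    profile = hourly_profile(flows)
    baseline = build_baseline(profile, learn_hours=range(0, 6))
    return detect(profile, baseline, review_hours={6})

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the demo flags only `ceo-laptop` in hour 6, on both metrics; `clerk-pc` stays quiet because its hour 6 matches its own history. The per-host baseline is the point: a volume that is normal for a file server is an anomaly for a laptop, and the STD_FLOOR guard keeps a perfectly regular host from producing a zero sigma and a divide-by-zero on its first deviation. In practice the learning window would be days or weeks and the flows would come from NetFlow/sFlow or a SPAN port, but the shape of the check is the same.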

Trust no one. It will save your ass.