Security

Guide to VMworld 2013: Trust

Leave a comment

Trusted IT (or Trust for short) is a big topic this year at VMworld, especially with the recent release of Log Insight. Here is a sample of sessions related to Trust and that you can find online in the conference agenda.

Out of 590 total sessions

Availability (28 sessions, 13 speakers)
Security (72 sessions, 49 speakers)
Compliance (24 sessions, 6 speakers)
Data Protection (19 sessions, 6 speakers)

Availability
========
BCO1000-GD – High Availability with Duncan Epping and Keith Farkas
BCO1001-GD – Stretched Clusters for Availability with Lee Dilworth
BCO5047 – vSphere High Availability – What’s New and Best Practices
BCO5065 – VMware vSphere Fault Tolerance for Multiprocessor Virtual Machines – Technical Preview
BCO5160/2 – Implementing a Holistic BC/DR Strategy with VMware – Part One and Part Two
BCO5276 – Next Generation ‘Economical’ Data Protection for Business-Critical Applications
EUC5805 – Why Delivering Cloud-based Clinical Workspaces Makes Perfect Sense for Healthcare
SEC6850 – Achieving Security Agility in the Virtual Data Center
VCM5577 – Ensuring Clinical Trial Patient Safety with vCenter Operations Management
VCM7369-S – Uncovering the Hidden Truth in Log Data With vCenter Log Insight

Security
======
GS-MON – General Session – Monday – Gelsinger GS-TUE – General Session – Tuesday – Eschenbach
EUC5143 – Is 911 a Joke in Your Network? – How VDI Can Improve Threat Response
EUC5196 – Secure Mobility – FIPS, CAC and Beyond
EUC5369 – Beaufort Memorial Hospital Enhances Patient Care with Secure Mobile Solutions
EUC5805 – Why Delivering Cloud-based Clinical Workspaces Makes Perfect Sense for Healthcare
HOL-HBD-1302 – vCloud Hybrid Service – Networking & Security
HOL-HBD-1303 – vCloud Hybrid Service – Manage Your Cloud
HOL-PRT-1306 – Catbird-Hytrust-LogRhythm – Partner Security and Compliance
HOL-SDC-1315 – vCloud Suite Use Cases – Control & Compliance
NET1001-GD – vCloud Networking and Security & NSX for VMware Environments with Ray Budavari
NET5522 – VMware NSX Extensibility: Network and Security Services from 3rd-Party Vendors
OPT4968 – US Air National Guard – DoD Private Cloud Initiative – How Virtualization Saved $45 Million in Power\Cooling and Life Cycle Management
PHC5120 – Why Hackers are Winning and What Virtualization & Cloud Can Do About It
PHC5070 – vCloud Hybrid Service Jump Start Part One of Five: vCloud Hybrid Service: Architecture and Consumption Principles
PHC5409 – vCloud Hybrid Service Jump Start Part Two of Five: vCloud Hybrid Service: Networking and Security Basics
PHC5488 – vCloud Hybrid Service Jump Start Part Three of Five: vCloud Hybrid Service: Advanced Networking and Security
SEC1003-GD – Network Security Services New Model for IPS, URL Filtering, Forensics in the SDDC with Anirban Sengupta
SEC1004-GD – Agentless Security Antivirus, Vulnerability Management, File Integrity Monitoring in the SDDC with Azeem Feroz
SEC5168 – Dynamic or Dud? Why Software-Defined Data Centers Need Dynamic Security
SEC5178 – Motivations and Solution Components for Enabling Trusted Geolocation in the Cloud – A Panel Discussion on NIST Reference Architecture (IR 7904)
SEC5253 – Get on with Business – VMware Reference Architectures Help Streamline Compliance Efforts
SEC5318 – NSX Security Solutions In Action – Deploying, Troubleshooting, and Monitoring for VMware NSX Service Composer
SEC5749 – Introducing NSX Service Composer: The New Consumption Model for Security Services in the SDDC
SEC5750 – Security Automation Workflows with NSX
SEC5755 – VMware NSX with Next-Generation Security by Palo Alto Networks
SEC5889 – Troubleshooting and Monitoring NSX Service Composer (and Partner) Policies
SEC5894 – Deploying, Troubleshooting, and Monitoring VMware NSX Distributed Firewall
SEC5891 – Technical Deep Dive: Build a Collapsed DMZ Architecture for Optimal Scale and Performance Based on NSX Firewall Services
SEC6850 – Achieving Security Agility in the Virtual Data Center
STP1015 – Is Your Data Center Smart? – Improving the Security and Performance of Virtualized Environments through a Data Center Operating System
STP1018 – Secure and Monitor Sensitive Assets in Your Virtual Infrastructure
STP1020 – Solving the security and compliance challenges of a true Enterprise cloud
TEX5667 – Case Study: VMware vCloud Ecosystem Framework for Network and Security Enables Network Services Virtualization
VCM6065 – How to Manage Security Levels and Infrastructure to Provide IaaS / PaaS / SaaS Services Based on a Single Virtual Infrastructure
VSVC1007-GD – Platform Security with Mike Foley
VCM1005-GD – Log Insight with Steve Flanders
VCM4445 – Deep Dive into vSphere Log Management with vCenter Log Insight
VCM4528 – Tips and Tricks with vCenter Log Insight (NEW!)
VCM5034 – Troubleshooting at Cox Communications with VMware vCenter Log Insight and vCenter Operations Management Suite VCM7369-S – Uncovering the Hidden Truth in Log Data With vCenter Log Insight

Compliance
=========
SEC5775 – NSX PCI Reference Architecture Workshop Session 1 – Segmentation
SEC5820 – NSX PCI Reference Architecture Workshop Session 2 – Privileged User Control
SEC5837 – NSX PCI Reference Architecture Workshop Session 3 – Operational Efficiencies
BCO5829 – Drying Out After Hurricane Sandy: Leveraging vCloud Director and Other Cloud Enablement Tools for Simpler, Faster DR Operations
EUC5196 – Secure Mobility – FIPS, CAC and Beyond
OPT5887 – How Does VMware Uniquely Enable Leaders in Healthcare Electronic Medical Records to Improve Quality of Care and Meet Unique Industry Requirements
HOL-SDC-1315 – vCloud Suite Use Cases – Control & Compliance
PHC5679 – Protecting Enterprise Workloads Within a vCloud Service Provider Environment
SEC1001-GD – Activity Monitoring Visibility into Users, Applications for Compliance Troubleshooting with Mitch Christensen
SEC1002-GD – Compliance Reference Architecture: Integrating Firewall Antivirus, Logging IPS in the SDDC with Allen Shortnacy
SEC5253 – Get on with Business – VMware Reference Architectures Help Streamline Compliance Efforts
SEC5428 – VMware Compliance Reference Architecture Framework Overview
SEC5589 – Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure
VCM4838 – Automating IT Configuration and Compliance Management for Your Cloud

Data Protection
============
BCO1002-GD – Data Protection and Backup with Jeff Hunter
BCO4756 – VMware vSphere Data Protection (VDP) Technical Deep Dive And Troubleshooting Session
BCO5041 – vSphere Data Protection – What’s New and Technical Walkthrough
BCO5160 – Implementing a Holistic BC/DR Strategy with VMware – Part One
BCO5162 – Implementing a Holistic BC/DR Strategy with VMware – Part Two
BCO5276 – Next Generation ‘Economical’ Data Protection for Business-Critical Applications
BCO5851 – VMware Backups That Work – Lessons Learned and Backup Performance Tuning Based on Extensive VADP Benchmark Testing
BCO5855 – Leveraging Advanced Storage Capabilities To Meet Today’s Virtual Environment SLAs
HOL-SDC-1305 – Business Continuity and Disaster Recovery In Action
PAR6413 – Capturing the Backup and Disaster Recovery Opportunity with VMware
PHC5679 – Protecting Enterprise Workloads Within a vCloud Service Provider Environment

Sailing, Security

AC34 Team Oracle Caught Cheating…Again

Leave a comment

This is the third incident, as far as I can tell. The first incident, spying on competitor designs, resulted in a penalty for Oracle. The second incident was when Oracle tried to use the Artemis incident to force competitors to change their design, and was rebuffed. Now Oracle is accused of yet another design-related incident.

Skipper Max Sirena of Italy’s Luna Rossa is the latest America’s Cup competitor to accuse defending champion Oracle Team USA of cheating in what potentially could be one of the biggest scandals in the regatta’s 162-year history

As I’ve said before it’s obvious Oracle’s design is inferior. Team New Zealand has out-innovated the American team and Oracle is cheating to try and catch up.

There is irony in these incidents. The Oracle captain recently said in an interview that their design changes were done, they were focused on sailing. In fact, he emphasized that making design changes at this late date could interfere with his ability to focus and become a better sailor; arguing that design change could actually have a trade-off or hurt their chances.

There also is a question of what Team Oracle management is going to do about being caught cheating on design, yet again. Here’s how their CEO has responded:

“I don’t think it’s right that if a few people break a rule on a team of 130 people, that the whole team gets branded as cheats,” Coutts said in his first public comments in the week since Oracle announced that it was forfeiting its overall championships from the first two seasons of the ACWS after the violations were discovered.

[…]

Coutts used the latest performance enhancement drug scandal in Major League Baseball as an analogy, saying that if certain players were suspended, “does that mean the whole team are cheaters? I don’t think that’s right to draw that conclusion.”

That is an interesting ethical question for the CEO to pose. I would rather hear him say “I take responsibility for the actions of my team” or “I am in charge and this is unacceptable, this will not be tolerated and will not happen again.”

Instead, we hear that Team America is going to play victim to their own team? In risk management terms, that should be a giant red flag. This is precisely why the U.S. government moved forward the Sarbanes-Oxley regulation. Too many CEOs had claimed they had no idea about fraud under their watch and objected to “the whole team” being branded cheaters.

It is possible that some rogue member of the team was acting independently. That seems unlikely given that it is not an isolated incident. It also seems unlikely, given the response from the CEO is to play victim and tell other teams to stop pointing fingers.

I don’t think it’s right that other teams should use this as an orchestrated PR campaign to slander another team when there’s a jury process going on and the facts haven’t been established.

Strange perspective. Cheating doesn’t require PR orchestration. Fraud doesn’t require PR orchestration. When it’s discovered, when an investigation begins, the expectation and the norm is negative press. It would require orchestration to do the opposite, for competitors to be complimentary and supportive; to say “don’t judge” or “don’t blame management, everyone has bad apples”.

More to the point when the CEO of UCLA tried to say that patient privacy breaches were the result of isolated staff it turned out to be exactly the opposite. A sting operation by Farah Fawcett and her Doctor proved that management wasn’t taking responsibility. Widespread and systemic security failures continued despite firing “isolated staff”. Eventually outside investigators were brought in and not long after the state of California passed two new laws to hold executive management accountable.

The sad fact is Team Oracle management is not talking about how they abhor cheating or how they will stake their reputation on a fair game. They are most likely trying to cheat their way through a design failure. They’ve tried spying, they’ve tried blocking the other designs, and now they’re accused of making unauthorized changes.

After decades of Americans trying to hold top management accountable for the actions of their entire team, it is the statements by the CEO of Team Oracle that are making America look bad.

Coutts admitted last week that someone with the syndicate illegally placed weights in the bows of three 45-foot catamarans without the knowledge of the skippers or management. One of the boats was loaned to Olympic star Ben Ainslie, who is sailing with Oracle Team USA this summer in hopes of launching a British challenge for the 35th America’s Cup.

Coutts said then that it was “a ridiculous mistake” because the weights “didn’t affect the performance.” Oracle forfeited its results from the four ACWS regattas in question, and its two overall season championships.

Someone made a mistake. Don’t blame the team. There was no real need to cheat. These are not phrases that engender trust. Quite the opposite, they lead to distrust of management.

Coutts’ risk approach does not sound far from what the utility industry once used to skirt regulations — hire a “designated felon” to the team. A CEO could claim she/he was “without the knowledge” of violations and basically pay someone else to go to jail or take the fall on their behalf.

History, Sailing, Security

#AC34Fatigue “Look at My Penis Go”

1 Comment

Seems like most people I run into lately in SF ask me what I think of the America’s Cup. Maybe it’s a generic conversation starter. I take it as a serious question. Usually the conversation centers around the lack of public interest, the huge amount of money…

I thought it was hard to sum up the event until a friend described it like this:

It’s a “Look At My Penis Go!” event

That, in a nutshell, is what we have now. Who wants to watch? Oracle seems to have created a giant embarrassment.

But seriously, the sailing community has left the show, the general public isn’t coming. Some members of the teams even tell the public the event for them is “like being in jail”…so what is going on? Here’s a few guesses based on recent experience.

Sailing community

Ellison told the esteemed St Francis Yacht Club many years ago he wanted to take over and run the Cup his way. When the local club balked at total-control negotiation, he walked a few steps to the next club. Golden Gate actually heard the fight and invited him over. Golden Gate openly admits they did it for the money; Ellison could do whatever he wanted if he gave them enough money to stay open.

Some have tried to describe this union as a poor guy and a rich guy working together, or the community working with a big company; but everyone knows Oracle doesn’t play that way. They took the place over and run it their way.

Oracle’s split from the St Francis community could have been a chance to pressure an old stodgy club to become more relevant to experimentation and innovation, becoming more inclusive. That would have been interesting. Instead, it looks like Ellison fell out with them for the opposite reason. St Francis is not exclusive enough — it has people he doesn’t want to listen to!

It’s perhaps worth adding here that when the AC45 were racing in front of the St. Francis clubhouse I walked up to the entrance with my reciprocal membership card in hand. A old man at the door stopped me and said “sorry, when the America’s Cup is here we don’t honor reciprocal membership status.”

Annoyed but not dissuaded I walked 100 feet away and sat on the rocks by the water with 100s of other people gathering. Soon I became the unofficial announcer for the shoreline. I explained why China’s roundings were slow and uncoordinated, people asked me for blow-by-blow sports-casting…it turned out to be an amazing experience helping the public understand what was happening.

The strangest part of all, perhaps, is when a guy I had sailed with on long-distance coastal races walked up (he was rejected from St. Francis also) and started to ask me about the dynamics of multi-hull speed and handling. I realized at that moment the most experienced, seasoned mono-hull racers didn’t see what I could see after years of racing an A-Cat. We became a sort-of sports-cast team, he would ask general sailboat racing questions and I would color with specifics and stories. The crowd loved it.

Who is the Steve Madden of sailing? We need one. Someone funny, who gets the game, who speaks at the common person’s level; someone who can’t be and doesn’t want to be locked up inside some exclusive club for hat-less VIPs. The club commodore since then (perhaps after realizing there was low demand) has sent a letter inviting us lowly reciprocal members to come visit during the races.

After the club denied me access I had a great time sharing the Cup experience outside with the unwashed, the uninitiated, the non-sailors. There was no sailing community connection. Even professional sailors I contacted to come watch at the club were off sailing in other events, unimpressed with the AC34 races.

General public

Number 3 (just behind LA and Muni) in the list of Things SF Love to Hate is Larry Ellison:

There really aren’t many beloved billionaire CEOs out there, but the Oracle one takes the booby prize. If his lavish lifestyle and conspicuous mansions weren’t enough to sour his standing in the city, Ellison’s campaign to bring the America’s Cup to town has done the trick. There’s been more headache than economic benefit from the Cup so far.

I walked down to the waterfront recently. A very active and respected member of the local sailing community asked me to have lunch. As I arrived, an AC72 ambled in the water nearby. There was no crowd. The general public simply didn’t come.

He was looking out across the empty water when I asked “what happened to race day”. He laughed and said “We hoped for twelve boats but with only four total and three working…nobody wants to watch a race of one. Today is no different than any other day — there you see a boat sailing on the Bay. The crowds won’t come. So let’s eat…”

Insiders

To put it bluntly, I was invited to the America’s Cup backstage. I brought with me someone instrumental to America’s Cup history and present success — a legend in sailboat racing. I was honored to be there with him. In fact, I couldn’t believe this was happening.

For 30 seconds it was momentous, as if my entire life of sailing had led up to this moment. We arrived and shook hands with an official of the AC34 sales team. And then we were asked…”have you ever heard of the America’s Cup before?”

*screeching record needle*

Awkward. We then were told by this used-car salesman looking guy with a giant diamond ring and popped white collar that the Cup is under new management and they’re doing things right now — they are lining up a target audience of “generic sports enthusiasts who can pay $40K for exclusivity seats and don’t really care what they’re watching.”

*car driving off cliff and exploding fireballs*

I flew out of that meeting like an AC72 downwind in the Bay on an August afternoon. St Francis seemed quaint and community-focused compared to this nauseating group that stood for what? Where did the love of sailing go? Who was this idiot talking with me (I still have his card) and his sidekick (she later turned her back on us, literally, to give us the sign we should leave).

Don’t get me wrong, I love the America’s Cup, I love sailing. In fact, my entire house has been decorated for decades with the history of America’s Cup contenders (Tommy Sopwith’s 1934 Endeavour, Vanderbilt’s 1903 Reliance, the amazing Enterprise of 1930). And I’ve grown up sailing, and been fortunate enough to have sailed with and raced against many of the people working on the current campaigns.

In fact, I may still write up a detailed explanation of how the boats work, the amazing transformation in technology and teams, or do some impromptu race commentary. There’s so much to talk about.

But WTF Larry? We’re losing the audience, including me.

Security

Update: Putting and End to the End of Active Defense

Leave a comment

I recently read an article, “Putting an end to “strike back” / “active defense” debate, and another it linked to, “Managing The Legal Risks Of Active Defense,” wherein my friend Bob Clark was quoted.  Here is my response: 

Why in the world would we end the debate?  Security sucks and the bad guys have a huge advantage.  Our hands are tied.  Any debate that moves the discussion forward is a good thing. 

In the first article a guy calling himself Jericho chastises those who advocate Active Defense.  He equates it to strike back and hack back.  I have to say, I agree with two of his points; many companies are now trying to capitalize on this new term, yes new term, by offering what they call active defense or hack back tools.  In many cases this advertising is deceptive since the tools merely offer the same old software defenses under a new name.  I also agree that if your defenses don’t meet the basic standard, Active Defense is not an option.

I disagree with is his characterization of Active Defense.  I wish people would stop equating it to hack back.  Hack back is the last 1% of Active Defense.  See my definition here: http://www.titaninfosecuritygroup.com/_m1698/blog/Active-Defense-definition

It is a method for companies who find themselves persistently attacked to collect the intelligence needed to evaluate the attacks, develop courses of action or options, and then enable the leadership to make well-informed decisions to move forward in an effort to protect the company.

On a spectrum the options could be anywhere from do nothing or the other extreme of hack back to either find the attackers or disrupt or deny the server(s) being used to launch the attacks. The intelligence collected will allow company leadership to make decisions at pre-determined checkpoints based on risk, liability and legal issues.

The initial decision whether to simply proceed with incident response versus Active Defense is based on determining whether the attack is a one-time incident or persistent, and how much money is being lost since. Active Defense will require the company to bring in a team of experts to accomplish the various tasks: intel collection, malware analysis, tool/technique development, evaluating legal, risk and liability issues, and therefore the cost involved must be weighed against the damage to the company or loss due to the attacks.

Also, I disagree with the many people who write in opposition to Active Defense and make broad statements about how it is illegal without defining Active Defense or detailing what they believe to be illegal or why.  If you’re not an attorney stop saying it is illegal because the legality of Active Defense is not black and white. 

Jericho’s assertions strike me as hypocritical by jumping on the bandwagon of the Active Defense flurry, making broad assertions and offering NO solutions.  If defense is so easy then provide the solution, a solution that hasn’t been tried and one that will work and not subverted by hackers within a few months.  Second, see my friend Davi’s response, here: “Putting and End to the End of Active Defense”.  Good luck.

As for the article in which my friend Bob is quoted, I agree with Bob, for the most part.  You need a team of experts who know what they are doing, to include one or more attorneys who know what he/she is doing, but more than just an attorney you believe you can explain the technology to. 

This is not the kind of stuff you can just brush up on over the weekend.  This takes years of experience to understand the technology, apply the law and foresee the results or consequences.  Don’t believe it?  Ask your lawyer if he/she would be willing to put their law license on the line and provide advice in cyber security, hack back, the CFAA, ECPA, trace back, open-source collection, etc. 

What I disagree with is his comment that this is a no-win situation.  If you are a company owner and losing a lot of money or intellectual property, have tried everything else, and the attacks continue, you have a fiduciary responsibility to do something and self-defense may be your only option. 

Now, this does not mean jumping right to hack back.  My definition for Active Defense and what it entails is at the link above.  What it does mean is following a process, similar to incident response on steroids, and as the company leadership making critical decisions to protect the company.  In the end it may mean taking actions in self-defense and blocking or disrupting a CnC server or deleting your IP on a compromised server.  These options though are merely that, options in a process that requires a lot of Intel, thought and decision-making.

So, keep the debate going and don’t dismiss Active Defense as a no-win situation or illegal activity.