LogBlog

« November 2009 | Main | January 2010 »

Top 10 Security Predictions for 2010

By Dimitri McKay, Log Evangelist

Verizon Security recently posted a set of 10 predictions for 2010 on their security blog. I have my own opinions about their predictions as you'll read below.

To see Verizon’s original predictions, click here: 2010 Security Predictions

Our friends at Verizon Security feel that services like Facebook, Google, Twitter, and TinyURL will work to get better controls in place regarding criminal content. They believe that their business model is at stake if they don’t attempt to flag or eradicate nefarious activity... advertisers will start pulling their dinero. And my response to that is "of course they will!" It's an obvious statement. The online services will absolutely do more to try to curb illegal behavior. If they don’t do it, who will?

The recent Facebook "apps" scandal has made everyone scratch their heads and realize that they're allowing a number of different programs to have access to their accounts and, with that, some level of personal information. Twitter has been hacked over and over again. MySpace has vulnerabilities left, right and center. So to say that services will protect themselves is obvious. Whether these hacks or illicit behavior take place against them or on their networks is a variable. It all depends on the vulnerabilities discovered. The web, after all, is Swiss cheese. Admitting that is the first step.

Our friends at Verizon also feel that malware will not evolve this year, that botnets will stay the same as a whole, and that there won't be any mass outbreaks or targeted attacks. Personally, I don’t see evolution as necessary when the same ole vulnerabilities still exist. Security best practices weren't followed until specific verticals created requirements to do so. The result was PCI, HIPAA, SOX, ISO 17799, and more popping up every day. If businesses would stop thinking of security as an outflow of cash, and instead think of it as a necessary cost of doing business, we'd all be a whole lot safer. The outbreaks will happen when yet another bored 14-year-old finds a vulnerability and decides he’s going to be the next big thing. And chances are, he’ll be rewarded with a big security job somewhere. Funny how that works.

The security team at Verizon also feels that consumers are getting smarter. The impression that there are fewer newbies on the internet, that services are more secure, and that people are generally more aware might be true. In one respect, however, I wholeheartedly disagree. As P.T. Barnum once articulately stated, "A sucker is born every minute." This hasn't changed. Sure, people aren't responding to instant messages on AOL asking for usernames and passwords, but the phishing sites are getting better, the vulnerabilities are becoming more public and people are still falling victim. Think back to the days of "Don't open executables!" which became "Don't open .SCR files!" followed by "Don't open macros!" and then the ActiveX nonsense for malware. At the end of the day, although the public is getting a wee bit wiser, the trojan writers are getting better-er. Claiming that people are more intelligent because your friends haven't been scammed in a while says little about the state of public affairs.

Number four on Verizon’s list states that Windows 7 (not necessarily IE8) will prove to be more robust than anticipated (vs. Vista), and that applications are the new targets. These are two completely different statements, and I’m not sure why they ended up in the same paragraph together.

First off, I should warn you – take what I’m about to say with a grain of salt as I am a world-class Windows hater. I will do my best not to let my absolute loathing of all things Microsoft seep out. Oh well. So much for that.

Windows 7 is more robust than Vista, but that's not saying much. It’s like saying a 2009 Honda Civic is more robust than a 2008 Honda Civic just because there's new standard leather trim. It's still a Honda Civic. It's still the same car. It’s just dressed up prettier. Windows fans will go on and on about this-and-that device support and stability. We’ll all stay tuned for that one.

Attacking applications as the next step is fairly obvious. Of course crooks are going to go for applications. Applications aren't written to be secure. Writing for security is much more time consuming and therefore more expensive. Coding for security has to be the next evolution in application development. Write for security as the first step. Make security the high priority. Don't write the app, then go back to see if it's secure. This is what causes world class /fail.

Number five on Verizon’s list of 2010 predictions is that government and non-tech organizations worldwide will become increasingly frustrated over SMTP, DNS and SPAM, and they’ll find phishing more and more difficult to thwart. They believe that Microsoft’s legal efforts to can-that-spam, along with a high-profile arrest will somehow cause all the other SPAMMERS in the world to shake in their boots and think twice about their line of work.

*yawn*

Spammers are nothing more than ticks on the backside of the internet. They exist. They suck off their hosts. And then they fall off. If we want to end SPAM tomorrow we have to make the punishment for spamming so severe that the mere thought of it will make these hoodlums shake in fear. Follow the money. Who is profiting? Is it the manufacturer of said product? Is it a reseller? Follow the money. Then once you get them, go after the people who actually BOUGHT something due to a SPAM email. The only reason spammers still SPAM is because someone is buying. Those people should be prosecuted for even responding to SPAM.

Verizon Security also believes that breaches will increase, but on a smaller scale with fewer records compromised. They feel that more money theft will take place with account staff credentials being compromised. And they also believe mid-size businesses will be hit with some sort of compliance mandate to force them to do the right thing. Where Verizon and I disagree is that I see this going in the opposite direction. I see more breaches, more records compromised, more insider threats, more phishers, and more crooks using Western Union to transfer money. 

What I'd love to see is a better than best practices compliance mandate to supersede all mandates. From small business to large enterprise, make everyone play by the same rules regardless of vertical, regardless of industry, regardless of income. One compliance mandate to rule them all. That compliance mandate should not only represent best practices, but step it up a few levels. 

Also, if there was blanket worldwide legal policy that applied to ALL cyber-crooks globally, these scoundrels would no longer go unpunished. A couple of thousand dollars stolen from an account in the U.S. goes a LONG way in some other countries, and not only is it relatively easy to commit these crimes, but there are really no legal deterrents in place to discourage these high tech pickpockets in other countries. Hoodlums can make millions (yes, millions) without any fear of prosecution, and the temptation to pick such low-hanging (albeit forbidden) fruit is very difficult to resist. Let's get downright hardcore on the legal front. Let’s take down these wrongdoers.

Verizon Security went out on a limb when they stated that nothing of note is going to happen to phones, PDAs, and Macs. Really? Uh…no. Just two weeks ago we all learned about a sneaky little trick to invade unlocked iPhones that have SSH enabled with default passwords. This is just step one. If you look at how many iPhones are on the market, you can see the huge motivation for delinquents to act-a-fool. I see the mobile phone market getting its fair share of security issues.

Although I think Verizon Security has a high-level view of what takes place on the security side, it seems some of the predictions are off in left field somewhere.

One prediction I believe nobody will dispute though, is that 2010 will be a very exciting year in security. And if we're lucky, a few people will realize they need log management to keep an eye on the security of their infrastructure. Stay tuned.

Posted December 28, 2009 in Security, Top10


Citibank, Cyber-Goons and SEM

By Lex van den Berghe, LogLogic Customer Evangelist

The Wall Street Journal today broke news with a story detailing an FBI probe into the possible theft of tens of millions of dollars from Citigroup by a Russian gang of cyber-crooks. But what strikes me as odd and controversial isn’t the theft itself or even the growing trend of this kind of crime, but that Citibank and the "government source" are at odds.

What gives? Are we looking at a bit of irresponsible, shoot-from-the-hip reporting by the Wall Street Journal or something else? This story is clearly a big deal – I mean, we’re talking about *tens of millions* of dollars…and the FBI has allegedly gotten involved.

There’s no denying that priority and urgency continue to escalate as cyber-crime transitions from science fiction to hard reality, and cyber-crime has become top-of-mind with consumers of all demographics.

According to the WSJ story, the Citibank attack was initially detected over the summer, but reports seem to indicate that the attack may have actually occurred a year earlier. So, how is it that all that cash went <poof!> and we haven’t heard about it until now? Or even stranger, what’s behind Citigroup’s claim that the thefts never occurred and the WSJ’s report is not true? Joe Petro, managing director of Citigroup's Security and Investigative services, said, "We had no breach of the system and there were no losses, no customer losses, no bank losses." He added later: "Any allegation that the FBI is working a case at Citigroup involving tens of millions of losses is just not true." One important thing to note is that Mr. Petro is not in PR, but rather part of Citi’s security arm. This gives his assertions more credibility. (Sorry PR folks).

I’m no conspiracy theorist by nature, but something definitely smells fishy here.

Folks…the truth is out there. And finding it ain’t rocket science. LogLogic’s log management and security event management tools literally record everything as it happens in even the most complex IT environment, leaving a convenient breadcrumb trail behind that anyone can follow. This breadcrumb trail includes every key stroke, file movement, login, breach, etc…like DNA left behind at the scene of a crime. Deploying these tools in your business IT environment is equivalent to installing one of those black boxes, or flight recorders that they put in every airplane.

As a consumer, I’m always relieved to hear that institutions like Citi bear the burden of absorbing financial losses resulting from these sorts of cyber-crimes, and those of us whose accounts have been cleaned out usually do get our money back. But that’s not enough. I want these cyber-scumbags to pay for their crimes and, more importantly, I want future cybercriminals to think twice before they choose the dark path. If every institution out there that we trust to guard our money or personal information starts using the right tools to safeguard these commodities, things might be a bit different.

Posted December 22, 2009 in Security


Cloud Computing and Log Management

Since my posting on public and private clouds, I have been getting email from people asking about the specifics of how LogLogic’s products really participate in “The Cloud”.

LogLogic’s architectural premise is to handle the ingestion of logs from unknown sources, and to have flexibility as to the kinds of devices, logs or target locations. Additionally, we even offer a unique feature allowing automatic identification of log sources. This is where the system can match a stream to a type of log for agile reporting and normalization.
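As an added illustration of what "matching a stream to a type of log" involves in practice (this is example code written for this page, not LogLogic's implementation), the snippet below fingerprints a batch of unknown lines by voting over the first few, then normalizes each line into a common record with the chosen parser. It assumes two formats, BSD syslog and Apache access logs, and that the caller supplies the year for syslog lines, since that format carries none on the wire; the sample lines are constructed.

```python
"""Fingerprint a stream of unknown log lines and normalize them to common fields.
Added example, not LogLogic code; the sample lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

# Signatures for two common on-the-wire formats: BSD syslog and Apache access logs.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)")
PARSERS = {"syslog": SYSLOG_RE, "apache": APACHE_RE}


def identify_source(lines, sample=20):
    """Vote over the first `sample` non-empty lines; return (kind, confidence).
    Mixed or unrecognised streams yield a low confidence rather than a guess."""
    seen = [ln for ln in lines[:sample] if ln.strip()]
    votes = Counter()
    for ln in seen:
        for kind, rx in PARSERS.items():
            if rx.match(ln):
                votes[kind] += 1
                break
    if not votes:
        return "unknown", 0.0
    kind, n = votes.most_common(1)[0]
    return kind, n / len(seen)


def normalize(kind, line, year=2009):
    """Map one line of a known kind onto {ts, host, source, severity, event}.
    Severity is the syslog 0-7 scale (lower is more severe). Returns None when
    the line does not parse, so a mis-identified stream cannot emit junk records."""
    rx = PARSERS.get(kind)
    m = rx.match(line) if rx else None
    if not m:
        return None
    if kind == "syslog":
        # No year on the wire: the caller supplies it (assumed 2009 by default).
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        pri = int(m.group("pri")) if m.group("pri") else 13  # default user.notice
        return {"ts": ts.isoformat(), "host": m.group("host"), "source": m.group("app"),
                "severity": pri & 7, "event": m.group("msg")}
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    status = int(m.group("status"))
    sev = 3 if status >= 500 else 4 if status >= 400 else 6  # err / warning / info
    return {"ts": ts.isoformat(), "host": None, "source": m.group("client"),
            "severity": sev, "event": f"{m.group('request')} -> {status}"}


def ingest(lines):
    """Identify the stream once, then normalize every line with that parser."""
    kind, conf = identify_source(lines)
    return kind, conf, [normalize(kind, ln) for ln in lines if ln.strip()]


# Constructed sample streams (RFC 5737 documentation addresses, not real traffic).
SYSLOG_SAMPLE = [
    "<38>Dec 28 10:15:02 gw1 sshd[4120]: Failed password for root from 192.0.2.7 port 51022 ssh2",
    "<86>Dec  8 10:15:09 gw1 sudo: admin : TTY=pts/0 ; COMMAND=/bin/cat /var/log/auth.log",
]
APACHE_SAMPLE = [
    '192.0.2.7 - - [28/Dec/2009:10:15:02 +0000] "GET /admin HTTP/1.1" 403 512',
    '192.0.2.9 - - [28/Dec/2009:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for stream in (SYSLOG_SAMPLE, APACHE_SAMPLE, ["garbage line"]):
        print(ingest(stream))
```

Identifying the stream once and then refusing to emit records for lines that fail that parser is what keeps a wrong guess visible instead of quietly polluting reports.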

We’ve also designed our licensing model to embrace such agile or fluid computing models, and not be tightly licensed to a specific target, device or log source. In this way we’re not only the leader in Log Management, but we’re also enabling many ESSP, MSP and cloud-enabling telco clients to have flexibility in their logging demands. This is being done all while tracking data that’s dynamically moved around their asset pool.

With LogLogic, we leave no log left behind, and there’s no cloud too opaque.

Posted December 14, 2009 in Cloud Computing, Guy


Why the Public and Private Clouds Don’t Mix

By Guy Churchward, LogLogic CEO

Cloud computing tops Gartner's “Top 10 Strategic Technologies for 2010.” They define a strategic technology as “one with the potential for significant impact on the enterprise in the next three years.” Gartner is somewhat right here. The fundamental problem I have is that the industry has bucketed anything that can be loosely defined as cloud, virtual, consolidatory, or simply on the network under the same term: cloud. All of us loosely interchange public, private and cloud services at our whim, which quite frankly confuses the general public.

To be fair, Gartner does predict that through 2012, “IT organizations will spend more money on private cloud computing investments than on offerings from public cloud providers.” This is great, but I long for the day where this nebulous or opaque term can be segmented into public clouds, private clouds and more importantly ITaaS. This is not only a trend for 2010 but has been feverishly worked on through the last 24 months. It has been wrapped up in a pretty bow and proclaimed as ‘cloud’ for the convenience of propping up the ‘invisible dog leash’ fad-based early startups that infest the wannabe public cloud offerings (or so they think).

Getting back off my hobbyhorse, there are two primary reasons (amongst many) why the enterprise will not make major strides towards the public cloud: lack of visibility and multi-tenancy issues, which together cloak the real concern over critical data security.

Lack of visibility

The public cloud is opaque and lacks a level of true accountability that will paralyze any enterprise account from releasing their prized data assets to a set of unknown entities. Look at the value proposition - no one consuming the service has visibility into the infrastructure. The provider themselves aren’t looking at the infrastructure. Are SLAs relevant? And if so, who can enforce or even monitor them?

The public cloud has received so much buzz in large part because it professes to offer significant cost savings over buying, deploying and maintaining an in-house IT infrastructure. While this is massively appealing, it doesn’t answer any of the fundamentals of Quality of Service, network and data security, to name a few. Imagine the concern of opening up your internal systems with a direct pipe into the ‘cloud’. This is the equivalent of leaving your data center door open while your data center adjoins a ‘how to hack systems’ symposium.

Multitenancy Issues

The second reason why businesses of any real size will not make the leap to the public cloud is: Multitenancy. Wikipedia (the font of all knowledge) defines multitenancy as “a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants).” In other words, many people using the same IT assets and infrastructure.  

So here’s the rub: EC2, Google, etc. provide true multi-tenancy, but at what cost to compliance and security? What about hot topics such as PCI or forensics? How safe are the tenants on a system? Who is on the same system as you, a hacker or perhaps your dearest competition? How secure is the isolation between clients? What data have you trusted to this cloud? If you buy the argument, it will be your patient records, payroll, client list, etc. It will be essentially your most important data assets. I have to think this would be a good test of data asset Darwinism.

Cloud computing needs to cover its assets

Until the public cloud can provide visibility all the way down to the IT infrastructure's most basic asset, logs, enterprises simply won’t risk it. To be deployed properly, a public cloud needs to understand logs and log management for purposes such as security, business intelligence, IT optimization, PCI forensics, parsing out billing info, and the list goes on.

Until then, in the grand scheme of risk mitigation, enterprises will fear the cloud and, per my recommendation, segment the public cloud from ITaaS in a private cloud. It’s a shame, but because we’ve clubbed all the terms into a single bucket, it turns all the lights red, when in fact there’s tremendous value in cloud computing. But public clouds and enterprise computing are a world apart and should be treated as such. And there are whole rafts of risks to be considered along the way.

Posted December 08, 2009 in Cloud Computing, Guy, Log Management & Intelligence


The One Supreme Court Case You Should Pay Attention To This Session

In the high-tech industry, the machinations of the US Supreme Court are, at best, fodder for dinner party trivia questions. There is one case on the Supreme Court docket this year that has the potential to change the way intellectual property is protected in the United States, and to have a major effect on the software companies who rely on the patent process. It could also have a devastating effect on innovation.

The case, known as “Bilski v. Kappos” (AKA “In Re Bilski”), has to do with what subject matter can be protected by a patent. In this case, the inventors, Bernard L. Bilski and Rand Warsaw, filed a patent application for a process of hedging risk in energy contracts. The requirement is that an invention must be “concrete” and “produce a useful result”.

The US Patent and Trademark Office (USPTO) rejected the inventors’ application, on the grounds that it was too ill-defined. In legal terms, the claimed invention was an un-patentable abstract idea. The inventors appealed to the patent appeals board, and this was rejected as well.

The inventors then appealed to Federal Court, which decided the case “en banc.” When an appeals court decides a case “en banc” this means that the entire appeals court, not just a subset of the sitting judges (which is the norm), writes the decision in the case. En banc decisions are typically reserved for the most important cases – cases where precedent setting law is likely to result.

The case affects a class of patents known as "business methods" patents. While business method patents have been around for a very long time (the Piggly-Wiggly supermarkets were founded based on a patented business process), the case State Street Bank v. Signature Financial Group in 1998 widened the scope for patenting of business processes.

“The Bilski case is particularly important to tech companies, because their technological advances that are software-based processes will have to satisfy Bilski's test for whether such processes are eligible for patent protection under § 101 of the Patent Act,” said Bradley D. Blanche, an intellectual property shareholder in the Orange County office of Greenberg Traurig, LLP.

It should be noted that some companies have a business set up around their intellectual property and licensing. IBM has reported a more than $1B annual intellectual property business, and frequently rewards employees who submit patents. Indeed, IBM joined Novartis in supporting Bilski before the Supreme Court, arguing for “patent protection for broad categories of cutting-edge innovation” rather than link the protection to “primitive physical technology.”

On the opposing side are companies such as Google and Symantec who argue that expanding the scope of business-method patents could expose them to infringement lawsuits over basic mental processes and ideas that are the building blocks of innovation.

I think that Google and Symantec are right. They represent the true innovative spirit of Silicon Valley where entrepreneurs are rewarded for risk taking and embrace the thinking of Austrian economist Joseph Schumpeter and creative destruction. If the Bilski application is allowed to go forward, it effectively lowers the bar for patenting all sorts of vague processes. This will create legions of new patent trolls with ill-defined patents, who storm around the high-tech industry looking for companies to use the legal system to extort licensing fees.

At LogLogic we were faced with a similar choice about what path to take when the USPTO granted us a sweeping patent on collecting and managing logs. We at LogLogic could have asserted our patent rights to cast a chilling effect on our competitors. Rather, mindful of our fiduciary obligations to our investors, we chose to adopt a defensive posture instead.

The issues around patents are critical to the high-tech industry and innovation and “In Re Bilski” is sure to have reverberations no matter which way it is decided. Look for a decision to be announced by the Supreme Court in spring 2010.

Posted December 01, 2009 in Innovation, Legal Nerd, LogLogic News


What Bilski Means To High-Tech Companies

By Barbara Rogan, LogLogic General Counsel

While we all wait with bated breath for the decision of the Supreme Court in Bilski v. Kappos, I had a chance to ponder the impact this decision could have on LogLogic and other private technology start-ups.

If the Supremes decide that the Bilski “invention” is in fact patentable subject matter, as in-house counsel for an innovative technology company, I am going to be forced to spend a lot more of my time filing new patents.

Why? LogLogic is an innovative start-up company and we can’t afford to let another company patent our business processes. Rather than just looking at getting patents for our core technology, I would then need to think about getting patents for all our business processes: how we handle RMAs, how we handle technical support calls, etc.

While I won’t mind spending more time on patents, as a shareholder in LogLogic, I wonder if that is the best use of the time of LogLogic’s engineers, product management, and so on. I would rather that they spend their precious hours in the day innovating and creating the next generation of log management products and services or providing support and services to our loyal customers.

Yes, patents are important and our engineers at LogLogic should spend some time on patent applications. But if the Supreme Court widens the scope of patentable material to the extent that Mr. Bilski and Mr. Warsaw ask, then we will need to think about protecting with a patent all of our business processes, lest someone else patent the process ahead of us.

What’s interesting is that most of the developed world does not offer patent protection for business processes. My question would be whether it would be better for US competitiveness to have such extensive patent protection.

I think not. Such extensive patent protection would inevitably lead to more legal wrangling: more discussions with patent trolls, er, patent licensing firms, and more payments of licensing fees. I would rather we spend our time innovating and competing globally, rather than rushing to the patent office every time we come up with a new business process.

Posted December 01, 2009 in Innovation, Legal Nerd
