To say he is an evangelist for security is an understatement. He has spent the best part of a quarter of a century in or around the cyber security field. It all started with a PhD in Computer Science, then a high level of involvement with professional standards associations such as ISACA, the IEEE Computer Society, the Association for Computing Machinery and many more.
He has also worked for RSA Security, EMC, Configuresoft, as an Assistant Professor of Computer Science, and as CTO in a BioMed Computation and Visualisation Laboratory where he learned that visualisation was one key to identifying security behaviour.
So much of what we spoke about is above my pay-grade so let’s just say that I am glad he is on the good guy’s side.
His opening, rapid-fire gambit was to say that we have made security too complicated. To counter every threat, we layer different defences (software tools) on top of others and must set up copious rules and actions. “We need to simplify things.”
The bad guys know this and have developed custom malware to evade things like signature-based antivirus scanners. They use social engineering techniques to spear-phish unsuspecting employees and so circumvent an organisation's perimeter defences. They cover their tracks within systems using techniques they have perfected across multiple targets.
I asked him how to simplify things.
Security teams are inundated with disparate data from log files, IDS/IPS alerts, network management tools and SIEM platforms and are looking for innovative ways to achieve the situational awareness needed to combat advanced threats.
The answer is more about moving from attack prevention (yes, it is important, but it must be simplified) to attack detection and rapid remediation.
Some security teams are deploying "big data" analytics and machine learning to ingest and normalise large volumes of security data and spot unusual patterns and behaviours. It is easier to identify bad behaviour if you know what good behaviour looks like for everything in the network: firewall, router, switch, workstation, application and user. From that baseline you can build a context that says "this is not normal behaviour", and then either create a new normal (if it is good) or stop it (if it is bad).
He is a great believer in moving protection to the app “edge” or micro-segmentation as it is often called.
We know that an app or program should be able to do only a finite number of things: it should talk only to an approved set of devices, do only what it was designed for, and run only in a certain way. Those things constitute known good behaviour. If the app steps outside them, we know there is an issue.
It is far easier to define what an app can do than to try to define the enormous scope of what it cannot do. Imagine spinning up a virtual machine with a specific set of policies and spinning it down equally quickly when it has done its job. Its resources (compute, storage, network and more) are then returned to the pool to be re-used as needed.
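The "define what it can do and deny the rest" model above, and the "create a new normal or stop it" decision from the behaviour-baseline discussion, can be made concrete with a small allow-list policy checker. This is an added illustration, not code from the article or from VMware NSX; the policy format, the workload names (web-01, app-01, db-01), the observed flow records and the promote() review step are all constructed for the example.

```python
"""Per-workload allow-list ("known good") policy check, micro-segmentation style.

Added example, not code from the article or any vendor product.  Every policy,
workload name and flow record below is constructed for illustration.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt initiated by a workload."""
    src: str    # initiating workload (or an address we have no policy for)
    dst: str    # destination workload or address
    port: int
    proto: str  # "tcp" or "udp"


@dataclass
class Policy:
    """Known-good egress for one workload: the finite set of things it may do.

    Anything not listed here is implicitly denied, which is what keeps the
    policy short compared with enumerating everything the workload must not do.
    """
    allowed_egress: set[tuple[str, str, int]] = field(default_factory=set)


# Constructed three-tier policy: web talks to app, app talks to db, db talks to nobody.
POLICIES: dict[str, Policy] = {
    "web-01": Policy({("app-01", "tcp", 8443)}),
    "app-01": Policy({("db-01", "tcp", 5432)}),
    "db-01": Policy(),  # the database never initiates connections
}

# Constructed observations: two legitimate flows, then lateral movement,
# an exfiltration attempt, and traffic from a workload nobody defined.
OBSERVED_FLOWS = [
    Flow("web-01", "app-01", 8443, "tcp"),
    Flow("app-01", "db-01", 5432, "tcp"),
    Flow("web-01", "db-01", 5432, "tcp"),        # web tier bypassing the app tier
    Flow("db-01", "203.0.113.9", 443, "tcp"),    # db calling out to the internet
    Flow("rogue-vm", "app-01", 8443, "tcp"),     # no policy -> default deny
]


def evaluate(flow: Flow, policies: dict[str, Policy]) -> tuple[str, str]:
    """Return ("allow"|"deny", reason).  Default deny: no policy means no access."""
    policy = policies.get(flow.src)
    if policy is None:
        return "deny", f"no policy for {flow.src}: default deny"
    if (flow.dst, flow.proto, flow.port) in policy.allowed_egress:
        return "allow", "matches known-good egress"
    return "deny", f"{flow.src} -> {flow.dst}:{flow.port}/{flow.proto} is outside policy"


def audit(flows: list[Flow], policies: dict[str, Policy]) -> list[tuple[Flow, str]]:
    """Run every observed flow through the policy and return the violations."""
    violations = []
    for flow in flows:
        verdict, reason = evaluate(flow, policies)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


def promote(flow: Flow, policies: dict[str, Policy]) -> dict[str, Policy]:
    """'Create a new normal': after human review, add a flow to the allow-list.

    Returns a new policy set so the reviewed change is explicit and auditable
    rather than a silent mutation of the running policy.
    """
    updated = copy.deepcopy(policies)
    updated.setdefault(flow.src, Policy()).allowed_egress.add((flow.dst, flow.proto, flow.port))
    return updated


if __name__ == "__main__":
    for flow, reason in audit(OBSERVED_FLOWS, POLICIES):
        print(f"DENY  {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}  ({reason})")
```

The allow-list for three workloads is two tuples long; the equivalent deny-list would have to enumerate every other host and port the workloads could ever reach. Running the audit flags the web-to-database hop, the database's outbound connection and the undefined workload, while promote() is the reviewed path for turning a flow that was legitimately "not normal" into part of the known-good set.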
I asked him to elaborate on micro-segmentation. This was the only time he referred to VMware and its NSX platform (technology it gained by acquiring Nicira in 2012, a software-defined networking company whose work was built around OpenFlow, Open vSwitch and OpenStack networking).
The standard approach to securing data centres has emphasised strong perimeter protection to keep threats outside the network. That model is ineffective against newer threats, including advanced persistent threats and coordinated attacks. Security spending is growing faster than IT spending as a whole, and breaches are still outpacing it.
What’s needed is a better model for data centre security: one that assumes threats can be anywhere and probably are everywhere, then acts accordingly. Micro-segmentation, powered by VMware NSX (and other products), adopts such an approach and delivers the operational agility of network virtualisation that is the foundation of cloud, hybrid and modern software-defined data centres.
I found a good read on micro-segmentation here. To the layman it is about giving every virtual machine, VLAN, application and so on its own workload-specific security policy at "spin-up". The policy defines everything that may be done on the network and blocks everything else.
Moreau thinks enterprise security as a whole will move to micro-segmentation, just as it has embraced virtualisation.
"But it is less about VMware getting into security than helping the entire security community to do a better job. There will always be a need for, for example, data loss prevention, governance, data sovereignty, email scanning, data validation, anti-phishing and countering all those nifty ideas dreamed up by cyber criminals. We think we can simplify security and make it more resilient at the network level through open collaboration with the security community.
We work with most of the major security companies on NSX technology. The list is here."
He also mentioned the move to support VMware in the cloud and the recent announcement of VMware Cloud on AWS (iTWire article here).
His take was that it offers flexible, hybrid cloud infrastructure that allows the best use of each: VMware Cloud on AWS integrates the world's leading private cloud with the world's leading public cloud. It is powered by VMware Cloud Foundation, a unified SDDC platform that integrates the VMware vSphere, Virtual SAN and NSX virtualisation technologies.
His closing thoughts
Complexity is at the heart of today's security challenge. Cloud and data centre security needs to be simplified, and the "behavioural model", or micro-segmentation, is the key. It should simplify things without leaving security as brittle as it is today.
Security is no longer about geography or tied to a machine ID – it is about identifying the boundaries.
Whatever the good guys do, say machine learning, etc., the bad guys are doing too, perhaps better and they are better now at making errant behaviour look normal to machine learning.
Define what is known good behaviour and lock out the rest – micro-segmentation.
And it is about improving security visibility, security analytics, system resilience and actionable context by leveraging technologies like containers, network/endpoint virtualization technologies, and virtualized security instrumentation—concurrently!
So ends a chat that covered much more ground than reported simply because there is no stopping this evangelist.
If you are interested his 50-slide presentation titled, “Transforming Security: Containers, Virtualization and Softwarization” to the RSA Conference 2016 is here. It goes deeper into a lot of what we spoke about.