The SC Magazine Awards 2008 Blog

RSA wrapup: The good and the creepy

Deb Radcliff filed this RSA wrapup.

Everyone’s always asking those of us from the trade press about trends we see at RSA.

Some will tell you RSA this year was all about virtualization, which already seems like an old story with vendors like Blue Lane Technologies and Reflex Security stepping in to monitor the heretofore unwatchable layers created by virtual machine managers and their guests.

Others will say it’s all about data leakage protection, and we sure saw a lot of that at the conference this year, with Symantec, Trend Micro and others taking leakage protection to a more comprehensive level at the endpoint and gateway.

Unified authentication and use of federated identity frameworks are also gaining momentum, with Microsoft discussing its unified access approach, TriCipher announcing over 50 web applications (SalesForce, WebEx, Google, etc.) in its user single sign-on portfolio, and so on.

Ultimately (true to RSA President Art Coviello’s Tuesday morning keynote), the overall conference boiled down to more holistic management of risk under the following bullet points:

• Looking at security from inside out instead of outside in (protecting data instead of the network)

• Driving protections deeper into the infrastructure to make it more of an operational function rather than a separate security function

• Using security as an enabler for new types of business

All good and necessary aspirations. But one theme that subtly carried across and outside the conference was this nuance of surveillance – surveillance of children (Symantec’s upcoming family security suite), surveillance of IP traffic, including through the ISPs.

The theme of being watched resonated outside the conference, starting with hotel rooms booked through the RSA block. On Monday night, little piles of colorful conference bling and fliers appeared on doorsteps of all RSA attendees who registered through that block. They know where you are, and so does everyone walking down the hallways looking at the bling in front of all those doors. RSA used a middleman to deliver the bling to the doors, according to a spokesperson, but that’s still creepy.

That same feeling also carried over to the end-of-RSA bash Thursday night, for which RSA Conference organizers put a lot of work and expense into setting up different forms of entertainment in the Marriott ballrooms. In the karaoke room, for example, local entertainers set up a 20-foot black pyramid topped with a giant, 12-by-10-foot face-shaped screen with a protruding nose. Onto that screen was projected the face of a real person taking questions, acting all-knowing like the Wizard of Oz while looking ominously down upon the crowd. (See my friend Liz Safran’s picture of said face here.)

Then there was the face-painting room. With security and privacy blended so closely together, it was amazing how many security practitioners blithely stood in line to get barcodes painted on their foreheads. Not only did the fake barcodes wreck their coiffures, they made their bearers repulsive – every time one walked by it made you think of the ‘mark of the beast’ predicted in the biblical Book of Revelation.

All in fun, one might say. But given the level of desensitization among this crowd, it looked more like a parody of things to come.

From RSA: Press locked out of Al Gore’s keynote

The press has been locked out of RSA’s Friday keynote by Al Gore, and the registrar says it was at Mr. Gore’s request. That’s gonna be difficult to enforce, thousands piling into this massive auditorium, but the handful of us with the green tags on our badges aren’t allowed? Meanwhile, at least 20% of those thousands with the general conference tags do some type of blogging and they still get in.

Mapping IT security to the business and the business to IT Security

Patrick J Conte, CEO, Agiliance

The need to map security to the business has been an ongoing topic of conversation for quite some time.  While that might mean different things to different people, the common denominator is that it requires a change in how IT and security professionals think about and approach security.

Regulatory compliance has been a great enabler in forcing this sea change.  SOX tied executive-level accountability to IT, and compliance spending tied “gaps” in the IT infrastructure to a dollar amount.  The need to prioritize which gaps to fix first helped to crystallize the discipline of risk management.  According to Forrester, when you combine effective risk and compliance management, what you get is good corporate governance.

While the Governance, Risk and Compliance (GRC) market is extremely broad and still being broken down into more manageable components by analysts (and everyone else), one could argue that it inherently links security to the business, and in doing so, is helping to shepherd the industry along.

A recent survey from The Deloitte Center for Banking Solutions tracked what 20 of the top 50 banks spent on compliance from 2002 to 2006.  No big surprise, spending increased each year, rising from 2.83 percent of total net income in 2002 to 3.69 percent in 2006, a jump of almost a third in just four years.  That translates to about $83.5 million per bank spent on all aspects of compliance, with $14 million of that spent on IT.

The survey also said that one of the main reasons compliance costs are on the rise is that banks are overspending on people (more than 60% of their budgets) and underspending on scalable technology.  In other words, it’s time to automate IT compliance processes.  It’s a good crossroads to be at because it shows we know what’s broken.

We also have some lessons learned.  SOX was reviled for being too vague, which is one thing you can’t say about PCI (although it might be reviled for other reasons).  Plus, after five years of SOX and its regulatory and private-sector brethren, compliance, security and risk — while far from fused — are no longer mutually exclusive.  As a result, CSOs can justify security investments based on business ramifications and operational efficiencies instead of FUD.

While as an industry, we’re still at the beginning of the learning curve, the Deloitte report and plenty others like it will continue to help us understand what doesn’t work.  Moving forward, one way to further align security to the business will be to not only continue to innovate and automate IT compliance management, but to increase the ability to appropriately articulate the benefits that delivers across the organization.

Targeted trojans proliferating

Mark Sunner, chief security analyst, MessageLabs –
As categories of malware go, targeted trojans occupy the sharp end of malicious activity.

The mainstream viruses we read about in the security press have no particular target in mind but are aimed at a blanket audience. However, lurking behind the scenes are the targeted trojans — victimizing a specific company or perhaps even a specific individual. Because their numbers are comparatively small, they tend to go largely unnoticed, but all the indications are that activity in this area is flourishing. Something that once only affected prominent blue-chip companies is now moving into the mainstream – but many of us don’t even realize that such threats exist.

At the end of 2005, Alex Shipp, MessageLabs senior anti-virus technologist, and his team of anti-virus researchers made a startling discovery following up a hunch that targeted trojan activity was actually far more common than was popularly believed or previously reported.

Sifting through the rafts of interception log data was a daunting task, but as November 2005 came to a close it began to look as though this perseverance was about to pay off. Blocking targeted malware was not the hard part – figuring out that it existed at all was very difficult indeed.

Central to the challenge was the signal-to-noise ratio. The background noise created by the millions of other volume threats was very difficult to tune out to get a clear picture of what was really going on. What Alex and his team found was both fascinating and worrying:

For almost every week of that year to date, either one or two targeted trojans were indeed being intercepted by MessageLabs anti-virus technology. In every instance, the targeted trojans were emanating from the same geographic source and heading toward the same target. But what was most troubling was the high level of sophistication combined with advanced social engineering tactics. Clearly somebody, somewhere really wanted in.

Now that Shipp and his team had devised a way of finding the “needle in a haystack,” monitoring the phenomenon became a core part of MessageLabs’ overall threat detection. By 2006, MessageLabs had honed its ability to monitor the faint signal of targeted interceptions, evolved it into a routine task, and was intercepting targeted attacks at an average of one per day, with varying geographic sources and destinations and across industry sectors. The threat vector was experiencing exponential growth in every direction.

By early 2007, MessageLabs routinely intercepted approximately 10 targeted trojans each day. The threat profile was mixed, but China was the most common source and the Blue Chip industry sector a popular destination. While the problem was threatening, it seemed to be under control, but few could have predicted what happened next.

On June 26, 2007, at approximately 11 a.m. EST, MessageLabs intercepted a run of 514 targeted trojans over a two-hour period. Each instance referenced the email recipient by full name and job title and carried a Word document attachment, purporting to be either a customer complaint or a corporate financial penalty relative to the business in which the recipient was involved. The trojan was embedded inside the Word document and was capable of giving remote access to the victims’ PCs.

Overall, these trojans were similar to all previous interceptions, but the sheer volume of them was something that had never happened before. Instead of targeting a specific industry sector, these attacks targeted specific job titles — C-level executives such as CFOs, CTOs and CEOs — who would likely have access from their laptops to proprietary corporate information.

This first blast of targeted attacks was followed by a second blast of 1,100 targeted trojans in September 2007 and a third in November 2007 with 900 trojans. Another, more recent blast of 900 trojans in February 2008 arrived with a twist, containing hyperlinks instead of an attachment. The links were self-contained search requests against the Better Business Bureau’s (BBB) actual web site that, when activated, would locate a BBB affiliate. It was the affiliate site that had actually been compromised and housed a redirect to a third site where the new trojan was planted, disguised as an Adobe Acrobat update.

While all MessageLabs customers have been fully protected through every targeted attack run, it is becoming increasingly important that organizations understand the potential harm that can be done given this sharp increase in new levels of difficult-to-detect activity. Botnets, spam, phishing and spyware are high-volume attacks and can go relatively undetected on the security radar. Targeted attacks are stealthy and are beginning to make their mark on business. MessageLabs predicts there will be another large run before the end of March.

Notes from a security roundtable

Chris Wysopal, CTO and co-founder, Veracode –
I recently led a roundtable event in New York and Washington, D.C., entitled “5 Trends Shaping Software Security.” This event involved several high-level CISOs, and we focused on creating awareness of software security issues within enterprises.

The general consensus was that developer awareness seems fairly mature, while executive awareness remains spotty. Many of the executives were interested in the idea of metrics, particularly in comparing peer groups. Metrics around secure software could be used to create accountability within business units, generating monthly reports to show who is creating secure software and create a positive competition between groups.

A few main topics discussed at the roundtables:

Technology trends: Web 2.0 and emerging mobile devices were top technology threats. Concerns were expressed about the impact of virtualization and Software-as-a-Service on software security. Concerns ranged from a lack of understanding of the new risks introduced by virtualization to new software development methodologies and a lack of recognition of the ‘enemy’.

Managing security from a business perspective: Progress is being made, but balancing compliance, risk management and business drivers continues to be a challenge. Using clear, simple metrics to create corporate accountability is a key goal. Multiple participants mentioned the challenge of balancing security compliance and time to market for delivering software.

Creating a market demand for software security: Most felt that a security standard approach rating system should be applied to commercial off-the-shelf software as well as outsourced development.

Development best practices: Successes were discussed in areas of increasing developer awareness, and a few leaders had strong programs that spanned the entire software development lifecycle. Security success starts at the code level. Ensuring secure code needs to be a priority – preventing flaws like hidden backdoors, a serious vulnerability that can give sophisticated hackers easy, undetected access to an application and the highly confidential customer or company data that resides in it. Whether left intentionally or unintentionally, backdoors are a way for developers to bypass authentication or other security controls in order to access the application; they are often left in by accident, but either way they increase the security risk of the entire organization.

What do you think? Have you experienced security success in your organization? What are the trends in your organization around shaping and monitoring software security?

The Access Lifeline

Kurt Roemer, chief security strategist, Citrix –
SSL/VPN continues to be the technology lifeline of remote workers who require access to rich applications and data sources. Originally, these workers viewed the SSL/VPN as a simple extension of network connectivity, with many now finding greater utility in managing application access – both inside and outside the organization.

SSL/VPN technology has opened the doors wide to accommodate remote access needs. That’s no surprise, but what is surprising is how the control and management granularity of SSL/VPN are being applied to internal applications’ needs. There are many drivers behind this evolution, including access fluidity, support, granular application-level control and compliance.

In today’s highly regulated economy, “distributed everything” doesn’t make sense anymore. However, overly restricting the capabilities of the workforce leads to diminishing productivity – and an increasingly upset user community. In the face of deploying traditional “solutions” that would only deepen the chasm between technology and users, balancing the straightforward access methods and strict controls of SSL/VPN started to make sense for all classes of user needs.

By brokering virtualized access to application, desktop, network and data resources, the SSL/VPN has proven to be a mighty delivery vehicle.

Whether the access is from the office, home, an outsourcer or a personal mobile device, ease-of-access and security needs can be met. The application-level enforcement of security and compliance policies, including strong authentication, encryption, detailed audit logging and user controls that are consistent across applications has been a tremendous benefit for IT. Compliance is also a primary benefactor of these extensive capabilities and controls.

In the future, it’s logical to see this technology expand to become much more focused on brokering increasingly intelligent access and being intertwined with dynamic personal and business policies. A consistent access method for all flavors of access solves real problems, such as the separation of home and work environments on a personally owned device, as well as the assurance for the business that a managed barrier exists between personal and business usage and users’ divergent interests.

As an example, a worker attempting to access a highly-sensitive document will be subject to layered scrutiny, seamlessly automated through rich policy. As this worker issues the access request from their personal device, the policy notices that the worker is not using a managed device and that the requested application displays information that is subject to regulatory concerns. The workflow engine kicks in transparently and requires strong authentication, displays the application virtually for use and restricts the ability to copy, paste and print.

This situation requires on-line access, but what if the worker needed to complete the report on an airplane? On a managed device, workflow policy may have requested manager approval to copy the report to the device, after verifying that the report can only be saved to a properly encrypted managed partition.

By consolidating access methods and automating workflow and policy, the SSL/VPN has become the gateway that delivers the worker’s access lifeline. Now we just need a catchier name that portrays the true power of evolving “SSL/VPN” usage!

Live hash “recipe”

Chet Hosmer, chief scientist, WetStone Technologies, Inc. –
Autonomous hashing and live discovery technologies are advancing rapidly and provide value and expediency for forensic investigators. It is important as we advance these solutions that we consider not only what we collect, but also engineer solutions that can prove what we collected, where we collected it, when we collected it, and by whom it was collected.

Traditionally, hashing is performed during postmortem forensic investigations and is used to maintain evidence integrity, as well as to identify known files (known good or known hostile). Digital investigators commonly use one-way hash functions such as MD5 or the SHA varieties to generate unique mathematical signatures of known files.

Autonomous hashing (over the wire, or during direct overt or covert interactions) – the process of collecting hash values from live running systems – can significantly speed the identification of known threats and known files that users should or shouldn’t possess.

Performance enhancement is obtained by performing the hashing function utilizing the target machine’s computing resources – in other words, off-loading the processing to the target. This approach has two important benefits: the contents of the files, directories or drives being hashed don’t pass over the network, which could otherwise expose non-encrypted proprietary data; and performance is dramatically improved, especially if multiple targets are being processed simultaneously, since network traffic congestion is reduced.

Autonomous hashing is accomplished by pushing a small software agent to the target machine (credentialed access to the target under investigation is required to accomplish this, or the agent must be installed a priori). The hashing agent is then instructed to gather hashes from the target machine and report back results when completed.

The agent can be instructed to collect hashes from all drives and devices permanently or temporarily attached; searches can be further restricted to specific directories or file types. This can include USB or Firewire drives, local or remote network drives, or mounted or encrypted file systems.

Once the collection of hashes (and associated file attributes) is completed, the agent delivers a report back to the investigator workstation with the results. In most cases this report is delivered as a compressed and encrypted XML document that is ready for post-processing by the investigator. The reason this document is encrypted is to prevent the disclosure of file system data collected by the agent. Even though the file contents are not included in this report, the file system information it contains may still include proprietary data that requires protection.

Post processing of the resulting discovery provides investigators with a wealth of data regarding the target.

Obviously, a file system inventory may reveal recent documents, populations of images, audio files, movies, application data, documents etc. In addition, the hash values collected can be compared against known good (operating system programs, application files, development tools) or known bad (rootkits, password crackers, botnet files, trojan horses, encryption, steganography, key loggers etc.) programs and applications. Beyond the known good or bad files identified in such a discovery, files containing proprietary data could be identified based on their hash values, known file names or known partial hashes.

One of the criticisms of utilizing autonomous agents that execute on the target platform is the potential untrustworthiness of the Operating System (OS) of the target.

Developers of autonomous discovery technologies certainly are aware of the threats posed by rootkits and other malicious code that can intercept OS calls and circumvent the discovery of hidden directories or files.

Without revealing the specific details of the countermeasure that developers employ to overcome these hooks, it is safe to say that self-inspection of the operating environment is critical to effective autonomous hashing software. This implies that the software must perform a thorough inspection and determine whether the core API calls that will be used can be judged safe.

In addition to trustworthiness concerns, there is anxiety over agent modifications of target evidence that would bring into question the efficacy of the discovery in court. This is a valid concern, and the responsibility of those engaged in the development of such agents must be considered from the top down.

For example, great care must be taken to audit every operation and potential modification that the agent may cause. In addition, time stamping (from a trusted source) should be included in robust solutions in order to prove the exact time the “snapshot” of the file system was taken and when collection of the hash values occurred. Since the target machine is running before, during and after the discovery, at the very next moment the file system is likely to have changed – this is especially important when collecting hashes across multiple targets potentially existing in differing time zones.
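The agent workflow Hosmer describes above (hash files and attributes on the target, ship a compressed report to the investigator, compare against known-good and known-bad sets, log every operation and record when the snapshot was taken), as an added Python sketch that is not WetStone’s code. The directory tree, hash sets, host name and HMAC key are constructed; timestamps come from the local clock rather than the trusted time source the text calls for, and encryption of the report is left to the transport, with an HMAC standing in for integrity.

```python
# Sketch of an autonomous hashing agent and the investigator-side post-processing.
# Constructed demo: target tree, hash sets, host name and HMAC key are all made up.
import hashlib
import hmac
import os
import tempfile
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone


def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, streamed so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root, extensions=None, audit=None):
    """Walk `root`, returning (path, size, mtime, sha256) per file, optionally restricted
    to `extensions`. Only metadata and digests leave the target; each file touched is logged."""
    audit = audit if audit is not None else []
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if extensions and not name.lower().endswith(tuple(extensions)):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            audit.append("stat+read " + full)
            records.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": hash_file(full),
            })
    return records


def build_report(target, records, started, finished):
    """Serialise the snapshot as XML with its collection window. A real agent takes
    started/finished from a trusted time source; here they are plain UTC (assumption)."""
    root = ET.Element("hashreport", target=target, started=started, finished=finished)
    for r in records:
        ET.SubElement(root, "file", path=r["path"], size=str(r["size"]),
                      mtime=r["mtime"], sha256=r["sha256"])
    return ET.tostring(root, encoding="utf-8")


def seal_report(xml_bytes, key):
    """zlib-compress the report and append an HMAC-SHA256 tag. The text's report is
    also encrypted; that is left to the transport here, the MAC catches tampering."""
    packed = zlib.compress(xml_bytes)
    return packed + hmac.new(key, packed, hashlib.sha256).digest()


def open_report(sealed, key):
    """Verify the tag in constant time, then decompress and parse the file records."""
    packed, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(hmac.new(key, packed, hashlib.sha256).digest(), tag):
        raise ValueError("report integrity check failed")
    root = ET.fromstring(zlib.decompress(packed))
    return [dict(f.attrib) for f in root.findall("file")]


def classify(records, known_good, known_bad):
    """Map each path to known_good / known_bad / unknown; known_bad wins a tie."""
    def verdict(h):
        return "known_bad" if h in known_bad else "known_good" if h in known_good else "unknown"
    return {r["path"]: verdict(r["sha256"]) for r in records}


# Constructed sample target and the hash sets derived from its contents.
SAMPLE_FILES = {
    "docs/readme.txt": b"shipped with the application\n",
    "docs/notes.txt": b"user notes, in neither hash set\n",
    "tools/suspicious.bin": b"stand-in for a known-bad tool\n",
}
KNOWN_GOOD = {hashlib.sha256(SAMPLE_FILES["docs/readme.txt"]).hexdigest()}
KNOWN_BAD = {hashlib.sha256(SAMPLE_FILES["tools/suspicious.bin"]).hexdigest()}
DEMO_KEY = b"constructed-demo-key-not-for-production"


def run_demo():
    """Create a throwaway target, run the agent, then post-process as the investigator."""
    with tempfile.TemporaryDirectory() as target:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(target, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
        audit = []
        started = datetime.now(timezone.utc).isoformat()
        records = collect(target, audit=audit)
        finished = datetime.now(timezone.utc).isoformat()
        sealed = seal_report(build_report("host-placeholder", records, started, finished), DEMO_KEY)
    verdicts = classify(open_report(sealed, DEMO_KEY), KNOWN_GOOD, KNOWN_BAD)
    return verdicts, audit
```

`run_demo()` returns the per-file verdicts together with the audit log, so the investigator side can see both what was found and exactly which files the agent touched.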

Internet climate control?

Scott Chasin, chief technology officer, MX Logic

For years now we have faced the deluge of spam and other digital pollutants clogging the communication vectors of the Internet.

Unfortunately, the rising tide of duplicitous advertisements and contaminated bits billowing from the massive and far reaching botnet factories of “planet Internet” will only continue to worsen as the technology being embraced by their malevolent facilitators continues to outpace that of the slow reactive filtering models.

This reactive cleanup model, installed as protective filtering gateways or desktop scanning processes, provides an invaluable asset in the war against internet pollution.

However, it doesn’t take an internet environmentalist to note that the volumes of pollutants are increasing at such a fast pace that inboxes are still getting clogged and the pipes connecting those end-points are being suffocated and choked.

Can the reactive model keep up with the threat? Or will the delivery of malicious bits evolve faster, with more sophistication, morphing to a scale that will dwarf the attempts of signature and heuristic-based reactive approaches?

One thing is for sure, the internet climate IS changing. The filtering models that have been installed are not only changing the behavior of how we use the internet (think quarantines and virus updates) but are also impacting the reliability of communication.

Filtering isn’t completely accurate and mistakes can be made. Some could say we are simply sorting the pollutants from the Inbox to the quarantine. Are we simply wearing gas masks and ignoring the saturated spammy internet atmosphere?

Some recent studies suggest that if a typical email server on the internet were to relax or drop its edge filtering, it would be overrun with contaminants within minutes, crashing or halting under the burden.

I’ve advocated the use of outbound filtering models for some time, especially with internet service providers.

Since the majority of pollutant-spreading botnets are usually seeded within an ISP’s consumer subscriber base, shouldn’t the ISP have tighter control on what bits are leaving its network? It seems, up until now, that ISPs have largely ignored the pollution emanating from their networks and have only really focused on the incoming pollutants from other providers. Perhaps the symbiotic nature of controlling one’s own pollution output could ultimately help diminish the input deluge that seems to be the primary focus today.

Maybe we are ready to enter a new world of proactive medicine?

It appears to me that internet security and pollution control are certainly ready for new models of containment, and the recent advances in identity and trust management could be the future of how pollution on the Internet will be controlled and squelched.

That said, the reliance on reactive filtering will never dissipate and will for the unforeseeable future likely be a cornerstone of Internet pollution control, protecting millions of internet inhabitants from phishing, botnets, viruses, worms, spam, spit, spim and every other new form of evil bit that evolves to subvert the security of our privacy, our attention and our wallets.

Monitor the “high-hanging fruit”

Hugh Njemanze, founder and CTO, ArcSight

Traditional security monitoring strategies have focused on the “low-hanging fruit” of the perimeter.

Security analysts are comfortable talking about firewalls, VPNs, IPS and the like, because they generally fall under the control of the security and operations teams. But over time it has become clear that the scope of monitoring activity needs to expand and consider a broader range of threats.

Now, monitoring internal network devices, operating systems, databases and applications—the “higher-hanging fruit”—becomes strategic. When the strategy includes detecting threats from insider activities, the need for monitoring can expand to printers, desktops, identity management solutions and even physical security solutions.

However, this goes beyond simply monitoring a broader range of devices to paint a more complete picture of your organization’s security status and posture. Having that information is great, but the real payoff is the ability to use the captured data to enable an organization to make better business decisions.

Are our policies being followed? Are we compliant? Are we more secure today than yesterday? How does this help my business? These are all questions a comprehensive and scalable monitoring solution can help address.

Because the data being analyzed crosses many technical and political boundaries, the monitoring solution needs to integrate decision support systems, allowing groups such as security, operations, desktop support, application, telephony, HR, legal and management to work together to address suspicious or malicious activity.

Security is no longer just an IT issue; it impacts the entire business so decisions can’t be made in a vacuum. Having solid policies and processes in place around incident detection, notification, escalation and response will allow security to be more tightly integrated with the organization’s mission.

So now you’re collecting the data and you have a strong decision support system; it is time for security to provide not just qualitative but quantitative results.

In the past, it has been hard to define ROI when discussing security, but that’s changed. Mature monitoring solutions should yield tangible results such as:
• Decreased response time for incident detection and resolution
• Reduced number of employees who are required to do analysis (i.e., let your security engineers focus on more strategic objectives – not sifting through logs)
• Reduced training costs because monitoring is being leveraged from a central point
• Greater employee retention – because your security engineers aren’t burned out by “syslog madness”
• Security as a business differentiator – more companies are advertising their commitment to security, and even more importantly, their implementation of effective programs as a way to retain or generate more business

While it may start with capturing data feeds, a robust security monitoring solution can provide multiple paths to business optimization far beyond those commonly associated with security and compliance. The net benefit is that it allows you to know more about what’s going on inside your organization and make more efficient, effective and informed business decisions.

Who ever knew logs could be so valuable?

DAM: Heart of security

Ron Ben-Natan, CTO, Guardium –
The most valuable resource managed by IT is an organization’s data, and data security has become the number one issue for CIOs and CSOs. This was not clear seven years ago, when we started working with key enterprise customers on a new generation of security products, but it is quite clear today.

There are two key compliance drivers: One is data privacy, required by PCI and other data privacy regulations. These initiatives establish controls to ensure that sensitive data cannot be accessed by unauthorized users, and create a secure audit trail of all access to that data. The second driver is ensuring the integrity of data for corporate governance, as characterized by SOX controls around the activities of privileged users.

Thanks to compliance (or really bad cases of insider fraud or a breach), data security is now even on the minds of CFOs, CEOs and board-level executives.

This focus on data security has naturally propelled Database Activity Monitoring (DAM) to the forefront. All enterprise applications use databases as the back-end, and the vast majority of data addressed by these security and compliance projects resides in databases. If the network can be viewed as IT’s arteries and veins, the database is the heart or brain – or both.

The most interesting thing about DAM is that it did not grow up in a vacuum. Databases have always had good security and auditing capabilities.

For example, almost all major database platforms have provided entitlement management and auditing. Oracle had native auditing in the early 1980s and put in Virtual Private Database in 8i. IBM’s DB2 and Informix similarly have had auditing for a very long time. Sybase has sybsecurity and Microsoft SQL Server has C2 audit, traces, and in SQL Server 2008, Change Data Capture.

I think that DAM has caught database vendors off guard – from their perspective, they gave users all the tools to implement security and compliance. What they didn’t realize is that other methods can be an order of magnitude easier to implement (also, most enterprises have multiple DBMS platforms deployed, so a single vendor’s solution usually isn’t the optimum approach).

Where is DAM going?

I believe the focus will be on optimizing business processes and increasing operational efficiency. Understanding where different types of data are located, how they’re being accessed, and analyzing and controlling access behaviors are key not only to security, but also to effective data management. But the crux is efficiency.

DAM is no longer about whether you can observe all database access. The focus has turned to how easily you can implement these capabilities and what you can do with them to optimize your environment.

DAM is growing quickly – because it has become mainstream. Seven years ago we had to convince people it was important. But DAM is also evolving (and will eventually change its name) because customers need to go beyond simple monitoring. They need more automation, auto-discovery, and preventive controls that support more stringent security, compliance and granular access policies – without requiring additional staff or disrupting existing infrastructures.
