The Verizon Breach Study: Implications for Virtualization Security
By Greg Ness, published Tuesday, June 24, 2008
The security press and blogs are abuzz with the groundbreaking Verizon breach study. Thanks to Rational Survivability for giving us the link to the actual free report. The report lands a few body blows on the massive spin around insider threats coming from the category vendors. I'm glad that we finally got that behind us. I don't know how many times I was asked by press and analysts about how we should all be more worried about angry employees. I didn't answer those questions directly because I frankly didn't know what proportion of attacks came from one source or another. Now it appears that the journalists and analysts may have been guessing as well, or at least were overly swayed by the marketing hype.
I think there are four noteworthy Verizon Report findings when it comes to virtualization security, again thanks to Hoff:
- 73% of data breaches were exploited by EXTERNAL sources;
- 62% of breaches were the result of insider ERRORS;
- 66% involved data that wasn't known to be (on the system) accessible;
- 75% were not discovered by the victim.
This takes me back to a panel I was on in Los Angeles months ago. One of the participants asked the security pros in the audience who had been involved with virtualization how many servers they were protecting. None of them knew the answer. I'll take a guess as to why: the flexibility accorded by virtualization meant that netsec departments would know how many hypervisors they were protecting but not how many servers.
The hypervisor is almost a kind of hybrid server and network appliance, because of the new virtual layer it introduces into the data center. That layer is typically beyond the reach and enforcement capabilities of most netsec products, especially deep packet intrusion prevention appliances. They cannot see into the new layer: traffic between two VMs on the same host is switched inside the hypervisor and never crosses the physical wire where the appliance sits. Their processing demands also make it unlikely that they will ever be deployed inside the host to protect VMs sharing a hypervisor from each other. It is much more likely that deep packet network IPS will be used to protect hypervisors from each other, even though carving the virtual layer into elaborate VLAN trenchworks erodes the business case for virtualizing in the first place.
When you think about the new movement dynamics (flexibility) enabled by virtualization, combined with the lack of traditional netsec visibility into the virtual layer, the Verizon findings should strike a nerve, to say the least. According to the study, external sources are already breaching internal assets perceived to be in safe places, unbeknownst to the network security teams.
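The visibility gap described above can be made concrete with a small model. The following is an added example, not code from the original post or from Blue Lane, VMware or Verizon. It assumes (as the post does) that a deep packet IPS appliance sits on the physical network between hypervisors, so it can inspect only traffic that leaves a host; the VM placement table and the flows are constructed sample data, and the hypervisor names `esx-a`/`esx-b` are made up for illustration. The model answers the panel question (how many servers sit behind each hypervisor), sorts flows into those the IPS can see and those that stay inside a host, and then shows how one live migration changes that split without any rule change anywhere.

```python
"""Added example (not from the original post): which VM-to-VM flows a network
IPS placed between hypervisors can actually inspect, before and after a VM moves.

Assumption: the IPS sits on the physical network, so it sees only traffic that
leaves a host. Two VMs on the same hypervisor talk through the host's virtual
switch and never reach the appliance.
"""
from collections import defaultdict

# Constructed sample: which hypervisor each VM currently runs on.
PLACEMENT = {
    "web01": "esx-a",
    "web02": "esx-a",
    "db01": "esx-b",
    "app01": "esx-b",
}

# Constructed sample flows: (source VM, destination VM, destination port).
FLOWS = [
    ("web01", "db01", 3306),
    ("web02", "db01", 3306),
    ("app01", "db01", 3306),   # same host as db01: stays inside esx-b
    ("web01", "web02", 22),    # same host: stays inside esx-a
]


def vms_per_hypervisor(placement):
    """The panel question: how many servers (VMs) sit behind each hypervisor."""
    counts = defaultdict(int)
    for host in placement.values():
        counts[host] += 1
    return dict(counts)


def classify_flows(placement, flows):
    """Split flows into those a physical IPS can inspect and those it cannot.

    A flow crosses the physical network only when source and destination
    run on different hypervisors; otherwise it is switched inside the host.
    """
    visible, blind = [], []
    for src, dst, port in flows:
        if placement[src] == placement[dst]:
            blind.append((src, dst, port))
        else:
            visible.append((src, dst, port))
    return visible, blind


def migrate(placement, vm, new_host):
    """Return the placement after a live migration; the input is not mutated."""
    updated = dict(placement)
    updated[vm] = new_host
    return updated


def coverage(placement, flows):
    """Fraction of flows a network IPS between hypervisors could inspect."""
    visible, _blind = classify_flows(placement, flows)
    return len(visible) / len(flows) if flows else 1.0


if __name__ == "__main__":
    print("VMs per hypervisor:", vms_per_hypervisor(PLACEMENT))
    before = coverage(PLACEMENT, FLOWS)
    # Moving db01 next to its web clients (a routine migration) takes the
    # database flows off the wire: the IPS that inspected them a minute ago
    # now never sees them, and nothing in its configuration changed.
    after_placement = migrate(PLACEMENT, "db01", "esx-a")
    after = coverage(after_placement, FLOWS)
    print(f"IPS coverage before migration: {before:.2f}, after: {after:.2f}")
```

Run as-is, the script reports half the sample flows as inspectable before the migration and a quarter afterwards; the point is that the placement table, not the IPS rule set, decides what the appliance gets to see, which is exactly the bookkeeping the panel audience could not do for servers.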
This is a key reason why I think VMware is so much further along when it comes to virtualization security. They formed VMsafe, opened up APIs and invited leading security players to participate. While Citrix (and maybe Microsoft) fiddle with discussions about who owns virtualization security, VMware sends its CEO out to talk about how strategic virtsec is to their business.
This should also raise some interesting new questions for the upcoming virtsec webcast with VMware, McAfee and Blue Lane. It might also be a fair question to ask Citrix and Microsoft as they pitch production virtualization.
Related Links: The Year of Virtualization Security (VirtSec), Verizon, McAfee, BlueLane Technologies
Greg Ness is the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I've been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I've been an Always On blogger/columnist since 2004. My recently launched personal blog is: www.archimedius.net. These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.