U.S. Critical Infrastructure under Cyber-Attack

ESG recently published a new research report titled, Cyber Supply Chain Security Revisited, focused on cyber supply chain security practices and challenges at U.S.-based critical infrastructure organizations.  The term “critical infrastructure” is associated with 16 industries designated by the U.S. Department of Homeland Security (DHS), “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof” (source: DHS).

Some experts believe that a cyber-attack on one or several critical infrastructure organizations could result in a “Cyber Pearl Harbor,” disrupting society and the economy for weeks or months. This places critical infrastructure organizations firmly in the national security bucket.

Topics: Cybersecurity

Data-aware infrastructure: it’s about time!

2015 has been my year of nonstop ranting about the need for us to get out of the IT Stone Age and into the 19th century. Dumb infrastructure will be our demise.

But it’s not too late. There are signs of life starting to appear. All hope is not lost.

Topics: Internet of Things IT Infrastructure

My Take-aways from Splunk Conf 2015

When I first became familiar with Splunk years ago, I thought of it as a freeware log management tool for inquisitive security analysts. Useful for general purposes, but I didn’t see it as a true enterprise security management system, a category defined by vendors like ArcSight, Intellitactics, and Network Intelligence at that time. 

Topics: Cybersecurity

Is the Cloud Planned IT Admin Obsolescence?

What will the role of the classic IT infrastructure administrator be when businesses have fully automated cloud infrastructure deployed?

Topics: Cloud Services & Orchestration

Book Report: Future Crimes

Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes. In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.

Topics: Cybersecurity

Big Tech’s Entry into the CASB Market Is Evolutionary

We’re still in the early stages of cloud security: the controls for securing hybrid and cloud-native environments are less mature than those built for more traditional data centers. But that’s an infrastructure view, which contrasts with the prevalent use of SaaS apps. Even the stodgiest enterprise that is trying to get comfortable with deploying production workloads in the cloud is typically already a consumer of cloud services, because its employees use SaaS apps such as Box, Office 365, and Salesforce.com. Research conducted by ESG highlights this fact with 68% of respondents reporting the use of SaaS, representing a steady increase from prior years. The question is whether these cloud apps are sanctioned and governed, or unsecured as a result of shadow IT.

I May Be Losing My Mind – I’m Believing In Oracle Hardware

Last year I became a huge Microsoft fan, and now Oracle. Me. Oracle. What is happening to me????

I’ve made a living telling Microsoft and Oracle jokes. You’ve probably heard them. I’ve mocked Oracle endlessly for using the middle finger as a sales tool. And now this. I don’t know who I am anymore.

First, allow me to say that I’m talking hardware, not software. Larry bought Sun with the change he found in his couch, and I figured he’d just milk the customer base for a bit then tank the whole thing. Sun had StorageTek. Sun had ZFS. Sun had SPARC. Hardware? Larry doesn’t want hardware. He’s a ruthless, brilliant software guy. Right?

Wrong. And I knew it, although I didn’t want to admit it.  

Wrapup on Backup from VMworld 2015

It's taken me a while to catch up after VMworld, but I did want to share some observations on what was interesting at the show from a data protection perspective. Thankfully, nearly gone are the days of asking “How do I get a good backup of my VMs?”

Topics: Data Protection VMworld

VMworld 2015 Had Some Great Marketing

There was some great marketing execution at VMworld 2015.

As a sequel to my blog last year that “Event Marketing Doesn’t Get Enough Credit,” here is my tip of the hat to some of the unsung heroes of tradeshows: the events planners and marketing leaders that ensure that the technology experts and sales folks have compelling venues and leave a strong impression on the attendees, who are hyper-stimulated for four straight days. 

Topics: VMworld ESG on Location

Cyber Supply Chain Security Is Increasingly Difficult for Critical Infrastructure Organizations

As the old cybersecurity adage states, "The cybersecurity chain is only as strong as its weakest link." Smart CISOs also understand that the proverbial weak link may actually be out of their control. 

Topics: Cybersecurity

VMware NSX and Cisco ACI – IT nirvana or a Kafka-esque nightmare?

In the Franz Kafka novella, Metamorphosis, traveling salesman Gregor Samsa awakens one morning to discover that he has transformed into a hideous creature. Shunned by his family and despite his best efforts to adapt to his new conditions, Gregor eventually withers away and dies alone in his bedroom. Can Kafka’s story serve as a cautionary tale for those IT organizations trying to force transformation into their IT infrastructure too quickly?

Topics: Networking Cloud Services & Orchestration

Targeting the Best of Both Worlds with Next-generation SQL Databases

Conventional relational databases and recently-developed NoSQL databases have led some enterprises to an impasse. They want to scale the systems that are handling their data. However, an RDBMS used to guarantee transaction integrity is difficult to expand. NoSQL systems, although scalable, typically do not offer full transaction integrity via the ACID properties discussed in earlier posts. The latest solution in the SQL/NoSQL saga—next-generation SQL databases—may have the answer.

Topics: Data Platforms, Analytics, & AI ESG Validation Services

The Network’s Role as a Security Sensor and Policy Enforcer

According to ESG research, 79% of cybersecurity professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that network security management and operations is more difficult today than it was two years ago. Why? Infosec pros point to a combination of increasingly dangerous cyber-threats, new IT initiatives like cloud and mobile computing, legacy point tools, and growing security operations overhead. 

Topics: Cybersecurity

Impressions from VMworld 2015

VMworld has become, arguably but also most likely, the closest thing we have to a de-facto general IT conference. Despite being vendor-named and organized (duh!), that vendor has a driving necessity to [at least] be seen to be heterogeneous and even-handed…simply because of its central role in so many IT organizations. Nothing else is quite so “IT ecosystem” strong. As a result we had 10+ ESG analysts covering the event, most actually in San Francisco; since our standard “On Location” video recap could easily have grown to fill 20 minutes or more, and since there are so many specialist areas covered, we decided to do things just a little differently this time: a quick couple of minutes “flavor” video, together with a reminder to visit ESG's aggregate micro-site of VMworld 2015 coverage.

Challenges around Operationalizing Threat Intelligence

When it comes to threat intelligence, there seem to be two primary focus areas in play: The threat intelligence data itself and the legislative rhetoric around threat intelligence sharing (i.e., CISA, CISPA, etc.). What’s missing? The answer to a basic question: How do organizations get actual value out of threat intelligence data and threat intelligence sharing in a meaningful way?

Topics: Cybersecurity

VMworld 2015 - A multi-platform world & the role of NSX

This is my second VMworld 2015 observations blog. The first one is here.

Not one, but two products

When people discuss NSX, they consider it to be closely tied to vSphere. It’s actually not, and VMware is actively embracing a multi-platform world. Let’s not forget that there are two NSX products – NSX for vSphere (currently at version 6.2) and NSX for Multi-Hypervisor (4.2.4). It was stated that 20% of NSX deployments are on OpenStack. This is in reference to OpenStack based on a GNU/Linux foundation such as KVM and Open vSwitch as opposed to VMware Integrated OpenStack, so this is a good start for multi-platform support.

NSX’s origins are from VMware’s acquisition of Nicira, which had an OpenStack-based Nicira Network Virtualization Platform (NVP), so they had existing assets to leverage. Customers are realizing that they are one of the few vendors that offer deep support for multiple platforms. There are important differences between the two products (NSX-V & NSX-MH), so customers note them and should ask that they get rationalized in the long term.

People ask me how this compares with SDN systems like Cisco ACI. ACI primarily resides in the networking layer, so it is, by nature, multi-platform, since the core parts of the system reside outside the realm of the server and hypervisor and are implemented in the switches and controllers. However, additional software like the APIC Driver enables the translation of cloud management platform settings (such as OpenStack configurations) into ACI.

Topics: Networking VMworld

NoSQL - The Great Escape from SQL and Normalization

For the last decade or so, data and data structures have been moving at the speed of the web. They change rapidly to keep pace with end-users and markets that are in constant flux. The data model is volatile and will continue to be as more and more unstructured data (images, videos, social media content, online purchase histories, and more) is generated. The solution of the pre-Internet era, meaning the RDBMS, can’t keep up. Enter the NoSQL database—a solution for handling data with highly variable formats in massive quantities at lightning speeds.

Topics: Data Platforms, Analytics, & AI ESG Validation Services

VMworld 2015 Takeaway: Micro-segmentation and Securing Hybrid Clouds

The transition of the data center from physical infrastructure to virtualized servers to software-defined everything is yielding another form of heterogeneity, disparate infrastructures, and a distinct set of security challenges for CISOs. Complexity is, after all, an enemy of security because the need to use multiple security solutions to set, automate, and monitor creates inconsistencies and seams for adversaries to exploit. Such complexity also drives up the operational cost associated with procuring, managing, and developing competency in disparate tools for disparate infrastructures.

Topics: Cybersecurity

VMworld 2015 - Networking Observations

I attended VMworld in San Francisco last week, and I want to offer my observations from the context of networking.


What is NSX good for - classic use cases and security 

VMware continued to talk about NSX, which of course received a lot of attention. They continued to emphasize the security use cases (micro segmentation) for NSX, but a surprising observation was that just as many customers (about 40%) used NSX for network virtualization (primarily provisioning and configuration) as they did for security. Although one can argue that one needs to set up standard network virtualization before they embark on NSX-based security, it’s good to hear that the original, classic use case that drove SDN is one of the top use cases of NSX. Other networking vendors also advocate network segment-based security, such as Juniper’s AppSecure for SRX (for micro perimeterization), or Nuage Networks’ Virtualized Services Platform (VSP), and security firms such as Illumio which (taking one step further down the unit-prefix ladder) has nano-segmentation in its Adaptive Security Platform (ASP). I can’t wait for pico-segmentation.

Topics: Networking VMworld

My Assessment of VMware NSX

At last week’s VMworld event in San Francisco, I spent a good deal of time speaking with VMware, its customers, and a wide variety of its partners about the cybersecurity use case for NSX. I came away from the event believing that NSX (and other similar SDN technologies like Cisco ACI, Juniper Contrail, HP VAN, Illumio, vArmour, etc.) have great potential to help large organizations lower cyber-risk. 

Topics: Cybersecurity Networking

The Latest Data on What's Big in Big Data

ESG's research crack team has been working hard on getting the insider's view of the big data and analytics marketplace, including Hadoop and Spark trends. While we're not quite ready to release our findings yet, I thought I'd share a little teaser of what is coming. Enjoy the overview video and let me know if you'd like to schedule a personal briefing to discuss how this will impact your business and opportunities.

Topics: Data Platforms, Analytics, & AI

Thoughts from VMworld, Day Four

VMworld is wrapping up, so here's a look at some of what our team has seen in the last few days:

Topics: Networking

Schrodinger's Cat and Analytics Accessibility

Everyone loves the concept of Schrodinger's cat, with the possible exception of a few serious PETA members. The metaphor that an entrapped feline can be both poisoned and/or not poisoned until directly observed is a catchy way to understand uncertainty around various possible states and outcomes.

Topics: Data Platforms, Analytics, & AI

Why Won’t the RDBMS Go Away?

The relational database management system was a breakthrough when it first appeared about 40 years ago. A relational database puts power into a user’s hands. Few assumptions are needed about how data is related or how it is to be extracted. Data can then be viewed in a variety of ways, each one illustrating different connections or correlations. This power, history, and a little user inertia have led to the RDBMS being implanted and used in practically every sector of business today. Well-known RDBMS product examples are IBM DB2, Microsoft SQL Server, and Oracle databases.

Topics: Data Platforms, Analytics, & AI ESG Validation Services

Say IT Ten Times Fast

Big data has a real complexity/credibility problem. There are too many variables to the system that make even basic product evaluation tricky for even the sharpest technical decision maker in the IT shack. Let's say you want to achieve a simple design goal for your environment, such as speed (or velocity if you insist). Certainly there is much talk about "fast data" these days. Look at the vendors all promising a billion rows a second*... But hark, what asterisk through yonder window breaks? Well, what exactly do you want to be fast? Fast ingest? Fast data integration or transformation? Fast modeling? Fast discovery? Perhaps you mean fast analytical calculations? Or fast querying? Fast, fast, fast. Good luck. 

Topics: Data Platforms, Analytics, & AI

The RMS Titanic and Cybersecurity

Little-known fact: Yesterday was the 30th anniversary of Bob Ballard’s discovery of the RMS Titanic, several hundred miles off the coast of Newfoundland, Canada. I’ve recently done some research into the ship, its builders, and its ultimate fate and believe that lessons learned from Titanic may be useful for the cybersecurity community at large.

Topics: Cybersecurity

Consumers Are Getting Smarter, Driving Security Innovation

Every year at Black Hat there is a section of the show floor charmingly referred to as "Innovation City," which functions as an area for up-and-coming vendors to show their stuff. One of the citizens of Innovation City this year was x.o.ware, which bills itself as an "end-to-end encryption solution" that makes public Wi-Fi completely secure. At the risk of misrepresenting their product (I have not been officially briefed), essentially what they do is this: the customer buys a box (which is called XOnet and looks like a mini Wi-Fi router) that stays at home. With that box comes a small piece of rubber-covered hardware (which is called an XOkey); this key pairs with the box and then plugs into a laptop. Result? If I am at Starbucks on public Wi-Fi, I plug the encryption key into my computer, it uses the public Wi-Fi to tunnel back to my XOnet box at home, and voila! My very insecure public Wi-Fi connection has become a secure home Wi-Fi connection. This is a very cool idea! But as cool as the idea is, I found myself wondering: are people ready to buy personal security hardware? Are people even thinking about this stuff?

Thoughts from VMworld, Day Two

Day Two of VMworld is in the books, and here's what our team of analysts have to say:

Topics: Storage Enterprise Mobility Cloud Services & Orchestration

How VMware Plans to Land Mobile Applications

A significant part of any enterprise mobility strategy begins with mobile apps that are designed, developed, and deployed in the cloud. Developers are consuming these services from the cloud and not letting IT stand in their way. However, every time a mobile application lands on the public cloud, it adds a potential risk to VMware's long-term business model, since it is an application that is more likely to not be running on VMware infrastructure and has likely landed on Amazon AWS, Microsoft Azure, or some other developer-friendly and mobile-app-friendly cloud platform.

But, if you are VMware, you want the mobile application to start development on the VMware platform and you want the application to run in production on the VMware stack. So here is the premise of their value prop to businesses and a clear message that they are reinforcing at VMworld 2015.

Topics: VMworld Enterprise Mobility Cloud Services & Orchestration