August 11th, 2005 07:39 PM
IP3 Seminar - IT Security: From Strategy to Reality
I just completed a 2 day workshop with IP3security, "From Strategy to Reality". It was a great training session, led by IP3's CEO Ken Kousky, an engaging and provocative speaker. I had a chance to talk with Ken one-on-one a few times, and picked up a lot. He's a sharp guy; former VP of Novell/President of the Novell subdivision that created the CNE certification. Founder of Wave Technologies. More.
The class included overviews of most of the current strategies in the industry, with a frank discussion of each from a different perspective. Some educational, non-sales (wink wink, nod nod) vendor presentations were included; TrendMicro, AirMagnet, Entrust, CimCor, and Forescout. The first two were nothing special, the normal wares we're used to seeing. Good stuff, but I won't go into detail. The last three were less well-known and very intriguing.
Entrust IdentityGuard looks like an inexpensive multi-factor authentication scheme. It consists of a plastic card you issue users, each with a unique 5x10 (or other sized) graph, marked on the axes with 1-5 and A-J. When authenticating with userid/passwd, the app will then prompt you with 3 to 5 values from the card... H3, D5, A2 for example. The user must then do the 'Bingo thing' and enter the appropriate values. The cells can contain single or double digit alphanumeric values. It's interesting, but it's very inflexible...all it can do is supplement a traditional entered challenge response solution (i.e. typing the username and password). The only additional value I see from this product is verbal authentication...helpdesk calls can be authenticated by having the agent prompt the caller for a series of values. http://www.entrust.com/identityguard/
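As an added illustration of the grid-card challenge/response described above (constructed example code, not Entrust's implementation), assuming two-character cells, a card stored server-side per user, and the row/column labels from the post:

```python
import hmac
import secrets
import string

# Card geometry as the post describes it: rows A-J, columns 1-5, 3 to 5 cells challenged.
ROWS = "ABCDEFGHIJ"
COLS = tuple(range(1, 6))
ALPHABET = string.ascii_uppercase + string.digits

def issue_card(cell_len=2):
    """Generate one user's card: a dict {(row, col): value} with a random value per cell."""
    return {(r, c): "".join(secrets.choice(ALPHABET) for _ in range(cell_len))
            for r in ROWS for c in COLS}

def make_challenge(card, n=3):
    """Pick n distinct cells to prompt for, returned as labels such as 'H3'."""
    if not 3 <= n <= 5:
        raise ValueError("the scheme prompts for 3 to 5 cells")
    cells = secrets.SystemRandom().sample(sorted(card), n)
    return [f"{r}{c}" for r, c in cells]

def parse_coordinate(label):
    """Turn 'h3' / 'H3' into ('H', 3); reject anything that is not on the grid."""
    label = label.strip().upper()
    if len(label) != 2 or label[0] not in ROWS or not label[1].isdigit():
        raise ValueError(f"not a grid coordinate: {label!r}")
    col = int(label[1])
    if col not in COLS:
        raise ValueError(f"column out of range: {label!r}")
    return label[0], col

def verify_response(card, challenge, response):
    """Check the user's answers for the challenged cells, in order.
    The comparison is constant-time so timing does not leak how many cells matched."""
    if len(response) != len(challenge):
        return False
    expected = "".join(card[parse_coordinate(lbl)] for lbl in challenge)
    given = "".join(v.strip().upper() for v in response)
    return hmac.compare_digest(expected.encode(), given.encode())

if __name__ == "__main__":
    card = issue_card()
    challenge = make_challenge(card)                          # e.g. ['H3', 'D5', 'A2']
    answers = [card[parse_coordinate(l)] for l in challenge]  # what the user reads off the card
    print(challenge, verify_response(card, challenge, answers))
```

The same verifier serves the help-desk case the post mentions: the agent reads the challenge labels to the caller and types the spoken values into `verify_response`.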
CimCor makes a very intriguing application (CimTrack) that is best described as the next generation Tripwire, with realtime tracking and remediation (i.e. it will replace a system file with a known good version if the system file is altered unexpectedly.) The agent is installed on servers, network devices, etc. and records hashes for all concerned files. It also takes a system snapshot and stores the files in a repository server. When a monitored file is changed, the agent logs the event and overwrites the modified file with the offline copy from the snapshot. Not quite a backup scheme, but it borrows from the idea. They are strongly focused on system integrity, business logic protection, and immediate remediation, NOT access control. So it's a somewhat narrow solution, but it is a darned effective one. Considering the emphasis on auditability of system changes (SOx, HIPAA) this could be a great tool for entities under the authority of these regulations. http://www.cimcor.com/servers.html
Forescout makes some rather bold claims about its network protection solutions. They say their device is not really an IPS, but it serves the same purpose IMHO. While their claims may make many cringe, their client list will make you pay attention; they serve the majority of the entertainment industry (RIAA, MPAA, and other industries in the IP fight), the Federal Reserve, and other notables. They say things like zero false positives, minimal (less than 60 minute) tuning and learning window, 100% zero-day protection, etc. They have an elegant solution to scanners, probes, and 'the intelligent hacker' (as opposed to the script-kiddie), but the presenter was the VP of Sales, rather arrogant, and not ready to discuss the product to a room full of engineers. In brief, their sensor will reply to all probes (requests for nonexistent services, addresses, or solutions) with false info that it tracks; further actions utilizing that false info trigger a tcp-reset and other responses...they refer to it as a 'marked bill'. There is much more to it, but this isn't the place. I think it's an interesting position, and I can appreciate the defensive nature their sales folks take, but it came over as pretty hostile... Regardless, this could be some hot stuff for security! http://www.forescout.com/
If you have the opportunity (especially if you need some CPEs) this workshop is certainly worth the time and $800 price tag. http://www.ip3seminars.com/
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore