Tuesday, 31 July 2007

The bare minimum

I had the good fortune to get in touch with one of the great security thinkers recently. You may have heard of him if you'd read these posts before, or you may have come across him in your own research. He should certainly be more famous than me, but as he says himself, "I'm not a good marketer."

Fred Cohen has been involved with some big ideas, claims to have invented all sorts of security, including the first antivirus, none of which I can prove nor disprove, but he was thoroughly entertaining to speak to, and as he said himself "only human".

The reason I found Fred in the first place was that I was looking for some integrity quotes. I remembered reading something that Alex Hutton had posted about on PCI Answers, so looked it up and mailed Fred. He mailed straight back, to my astonishment and delight.

His idea had been similar to the technology that I now find myself the Product Manager for. A simple p├Čece of integrity software, with powerful potential. Fred had realised that he could sign an entire system with his software, and if anything changed from the norm, he could stop it from starting up. Any process that was not legitimate could be killed before entering the network. That's pretty cool.

I'd seen it before with the stuff I was selling at Vormetric too. It's an interesting concept, signing a filesystem and sitting in the I/O stream watching for changes in the executables. It means that you have to re-sign every time a patch is applied of course, but then that just ensures change controls are adhered to, and that's a good thing, right?

The only problem that wasn't addressed by either of these was the reporting. The guys who got this right were TripWire. They use their system SOLELY for change control management, and it seems to work. It took them a lot of searching to get their killer app, but they now pretty much own the space. Kinamik works at a different level to TripWire, we sign the underlying file data rather than the system itself, so we are more for long term file integrity rather than short term system integrity, yet people still get us confused. I think we're going to see a time when compliance tells us that we need to be completely sure of the integrity of our data, not just in terms of digital signatures, but down to a much more granular level.

I can't see why Availability and Confidentiality get all the press when Integrity is a much more interesting story. Is it really because people still don't "get" security? I don't believe that for a second. Is it because people are only prepared to do the minimum to avoid fines, rather than securing properly...

... yes.

No comments: