I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control.  It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model.  NAC is just another layer in that model.  Richard’s comments deriding the .edu and .mil markets were also laughable.  Richard, have you ever heard the term military grade?  Are you seriously trying to say that enterprises take security more seriously than the military does?  Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard.  He made Richard stay focused on the question at hand, did not let him wander and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change.  Except, I don’t think Richard will be in anymore of these bouts.  Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas ?

One of my favorite responsibilities at StillSecure is business/corporate development.  The biz dev role is something I have done for a long time for several companies. Having a decent grasp of technology, insight into business and my legal training have helped me to conclude many successful business deals over the many years I have been at it. Over the years I have also had the opportunity to work with many good people on both sides of the table, as well as the chance to help train many good people.  Some of the things I have tried to teach others and that I myself try to remember in negotiating business terms are:

1. Win-win - I know it is such a cliche, but it is also still true.  I have seen so many people from attorneys, to entrepreneurs to other biz dev people try to "beat" the other guy.  You may put one over on the other side and get favorable terms in your agreement, but ultimately if doesn't work for the other side, all of the agreements in the world won't make it work for you.  The most successful deals I have been involved in have been ones where both sides feel that they are getting real value out of the deal.

2. Don't think you are smarter than the other guy - How many times have I seen this vain attitude ruin deals.  Everybody sitting at the table puts their pants on one leg at a time.  Don't think that you are so superior or more intelligent than the other side. They usually are perfectly capable of seeing exactly what you are really driving at and trying to outsmart them again will wind up with a lose-lose.

3. Its not the battle, but the war that counts - One of the things I disliked most about practicing law was dealing with other lawyers.  Every single point of every single agreement could become a knock down, throw down battle to the death, as each side tried to show that they were the better attorney on each point.  Its not about winning any given point, its about getting the deal done.  Unless a particular point is truly a showstopper, you have to remember the big picture of what you are trying to accomplish.  Too many times I have dealt with people who seemed to keep a running tally of how many points they got their way versus how times they gave in.  Is the deal in total a good deal, accomplishing your goals the real scoreboard.

4. Theory is fine, but go for the meat and potatoes -  I have seen so many deals drag out because a particular point is taken to a theoretically possible, but highly unlikely scenario.  Good legal drafting practices says you should try to plan for every eventuality.  But because a corner case of a corner case is remotely possible, don't throw away a great opportunity.  Try to draft around that remote possibility.

5. Put as much effort into the success of the relationship as you do in negotiating the contract.  I have been involved in some deals that by the time the agreement is agreed to, one party or the other is spent and just seems to lose the momentum to carry the relationship beyond the contract.  The contract is the beginning of the business relationship, not the end.

6. Put yourself in the other guys shoes - Empathize with what your colleague is thinking and feeling. Understanding their needs, motivations and state-of-mind can help understand what it will take to reach an agreement.

Of course every deal is different, but remembering these rules will serve you well every time.

One of my favorite responsibilities at StillSecure is business/corporate development.  The biz dev role is something I have done for a long time for several companies. Having a decent grasp of technology, insight into business and my legal training have helped me to conclude many successful business deals over the many years I have been at it. Over the years I have also had the opportunity to work with many good people on both sides of the table, as well as the chance to help train many good people.  Some of the things I have tried to teach others and that I myself try to remember in negotiating business terms are:

1. Win-win - I know it is such a cliche, but it is also still true.  I have seen so many people from attorneys, to entrepreneurs to other biz dev people try to "beat" the other guy.  You may put one over on the other side and get favorable terms in your agreement, but ultimately if doesn't work for the other side, all of the agreements in the world won't make it work for you.  The most successful deals I have been involved in have been ones where both sides feel that they are getting real value out of the deal.

2. Don't think you are smarter than the other guy - How many times have I seen this vain attitude ruin deals.  Everybody sitting at the table puts their pants on one leg at a time.  Don't think that you are so superior or more intelligent than the other side. They usually are perfectly capable of seeing exactly what you are really driving at and trying to outsmart them again will wind up with a lose-lose.

3. Its not the battle, but the war that counts - One of the things I disliked most about practicing law was dealing with other lawyers.  Every single point of every single agreement could become a knock down, throw down battle to the death, as each side tried to show that they were the better attorney on each point.  Its not about winning any given point, its about getting the deal done.  Unless a particular point is truly a showstopper, you have to remember the big picture of what you are trying to accomplish.  Too many times I have dealt with people who seemed to keep a running tally of how many points they got their way versus how times they gave in.  Is the deal in total a good deal, accomplishing your goals the real scoreboard.

4. Theory is fine, but go for the meat and potatoes -  I have seen so many deals drag out because a particular point is taken to a theoretically possible, but highly unlikely scenario.  Good legal drafting practices says you should try to plan for every eventuality.  But because a corner case of a corner case is remotely possible, don't throw away a great opportunity.  Try to draft around that remote possibility.

5. Put as much effort into the success of the relationship as you do in negotiating the contract.  I have been involved in some deals that by the time the agreement is agreed to, one party or the other is spent and just seems to lose the momentum to carry the relationship beyond the contract.  The contract is the beginning of the business relationship, not the end.

6. Put yourself in the other guys shoes - Empathize with what your colleague is thinking and feeling. Understanding their needs, motivations and state-of-mind can help understand what it will take to reach an agreement.

Of course every deal is different, but remembering these rules will serve you well every time.

I blogged on this topic a few weeks ago but given the huge interest in this topic I’ve decided to blog on it again. One of the major concerns in virtualized environments is the lack of visibility of the communication between virtual machines. With this lack of visibility a number of challenges start to appear such as security, monitoring and capacity planning.  It’s hard to secure what you can’t see or don’t know about and it’s hard to determine when you need to add more resources when you don’t have a clear picture into what applications are consuming them.

This problem is widely known and as a result there are a few companies that are starting to pop up that are building Virtual Network Visibility tools. But should you buy yet another tool to gain visibility into your Virtual Network communication when you may already have a tool for your physical network? Should you have to have separate tools for your physical network and virtual network?

One common method of gaining visibility into network communication is through a technology called Netflow. Netflow was originally developed by Cisco Systems but has since become a defacto standard for Network Monitoring and Network Behavioral Analysis. Companies such as Lancope, Mazu Networks, Plixer International and Arbor Networks all have products that enable network visibility, monitoring and analysis. These tools typicaly take Netflow feeds from a switch of some sort.  Knowing that some of these tools may have already been deployed in physical environments, IT staff will now need to consider  whether or not to buy new visibility tools to give them visibility into their virtual environment communication or try and leverage existing solutions already deployed in their physical environments.

Up until recently there has been no elegant way to export Netflow records from virtual environments such as VMWare and as a result companies have had consider purchasing new visibility tools that would often antiquate their existing physical solutions. This is due to their migration from physical environments to virtual environments.

Montego Networks now has Netflow capability in its HyperSwitch product which runs inside VMWare and enables security, visibility and control for the virtual environment by leveraging existing tools. Through its API’s and standards based methods Montego can enable customers to leverage existing infrastructure purchases to gain visibility and control within the virtual environment.

So, enough of the commercial and lets get on to the technical meat of this new Netflow enablement within the virtual environment.

Let’s say that you have a virtual machine that is infected with a BOT and it is communicating to a Command and Control Site of a BOT-Army. How would you know this? Well, you could have a NetFlow tap at a network switch close to your internet connection. But what if you have some sort of communication between VM’s on a non standard port that you are not aware of? Maybe a machine got infected and is sending data from the database virtual machine to a web server virtual machine and then feeding that info from the web server virtual machine to the internet. Your Netflow tap on the internet facing switch would see traffic coming from the web server virtual machine to the internet but wouldn’t see that data was being taken from the database, put on the web server and then fed out to the internet. Kinda tricky to hunt this problem down isn’t it?

So, whats needed is Netflow all the way into the virtual environment so that it can be fed to the same tools in your physical environment for easy correlation.

Take a look at the attached screen shot which shows Lancope and Montego Networks in action.

<---Click to Enlarge

With this level of visibility now you can see who is talking to who, when are they communicating and how much traffic is being consumed by which applications and which virtual machines.  This can now all be done by leveraging existing Netflow analytics tools.

This screen shot is showing flow data of Virtual Machines talking either to the Internet or to other virtual machines within the same environment.  You will notice from the flow data that one of the Virtual Machines has iTunes running on it.  An IT Administrator may have not sanctioned this or even know about it.  But with Flow records you can now see!  Like a new pair of glasses for your virtual environment.  With this visibility you can now go in to the Montego HyperSwitch and enable a firewall policy to block that iTunes traffic as an example.
 

Lancope is just one example here and its important to note that, because Netflow is a defacto standard for this type of visibility, other tools such as those from Mazu Networks, Plixer International and others can be used as well.  They all have their unique advantages and disadvantages but the point here is that dependent upon your prior network purchases in this area you will now be able to leverage existing tools vs. having to purchase new ones in many cases.

Check out Montego Networks at Networld Interop 2008 in the Lancope booth to see the solution in action!

John Peterson
CTO Montego Networks

I blogged on this topic a few weeks ago but given the huge interest in this topic I???ve decided to blog on it again. One of the major concerns in virtualized environments is the lack of visibility of the communication between virtual machines. With this lack of visibility a number of challenges start to appear such as security, monitoring and capacity planning.  It???s hard to secure what you can???t see or don???t know about and it???s hard to determine when you need to add more resources when you don???t have a clear picture into what applications are consuming them.

This problem is widely known and as a result there are a few companies that are starting to pop up that are building Virtual Network Visibility tools. But should you buy yet another tool to gain visibility into your Virtual Network communication when you may already have a tool for your physical network? Should you have to have separate tools for your physical network and virtual network?

One common method of gaining visibility into network communication is through a technology called Netflow. Netflow was originally developed by Cisco Systems but has since become a defacto standard for Network Monitoring and Network Behavioral Analysis. Companies such as Lancope, Mazu Networks, Plixer International and Arbor Networks all have products that enable network visibility, monitoring and analysis. These tools typicaly take Netflow feeds from a switch of some sort.  Knowing that some of these tools may have already been deployed in physical environments, IT staff will now need to consider  whether or not to buy new visibility tools to give them visibility into their virtual environment communication or try and leverage existing solutions already deployed in their physical environments.

Up until recently there has been no elegant way to export Netflow records from virtual environments such as VMWare and as a result companies have had consider purchasing new visibility tools that would often antiquate their existing physical solutions. This is due to their migration from physical environments to virtual environments.

Montego Networks now has Netflow capability in its HyperSwitch product which runs inside VMWare and enables security, visibility and control for the virtual environment by leveraging existing tools. Through its API???s and standards based methods Montego can enable customers to leverage existing infrastructure purchases to gain visibility and control within the virtual environment.

So, enough of the commercial and lets get on to the technical meat of this new Netflow enablement within the virtual environment.

Let???s say that you have a virtual machine that is infected with a BOT and it is communicating to a Command and Control Site of a BOT-Army. How would you know this? Well, you could have a NetFlow tap at a network switch close to your internet connection. But what if you have some sort of communication between VM???s on a non standard port that you are not aware of? Maybe a machine got infected and is sending data from the database virtual machine to a web server virtual machine and then feeding that info from the web server virtual machine to the internet. Your Netflow tap on the internet facing switch would see traffic coming from the web server virtual machine to the internet but wouldn???t see that data was being taken from the database, put on the web server and then fed out to the internet. Kinda tricky to hunt this problem down isn???t it?

So, whats needed is Netflow all the way into the virtual environment so that it can be fed to the same tools in your physical environment for easy correlation.

Take a look at the attached screen shot which shows Lancope and Montego Networks in action.

<---Click to Enlarge

With this level of visibility now you can see who is talking to who, when are they communicating and how much traffic is being consumed by which applications and which virtual machines.  This can now all be done by leveraging existing Netflow analytics tools.

This screen shot is showing flow data of Virtual Machines talking either to the Internet or to other virtual machines within the same environment.  You will notice from the flow data that one of the Virtual Machines has iTunes running on it.  An IT Administrator may have not sanctioned this or even know about it.  But with Flow records you can now see!  Like a new pair of glasses for your virtual environment.  With this visibility you can now go in to the Montego HyperSwitch and enable a firewall policy to block that iTunes traffic as an example.
 

Lancope is just one example here and its important to note that, because Netflow is a defacto standard for this type of visibility, other tools such as those from Mazu Networks, Plixer International and others can be used as well.  They all have their unique advantages and disadvantages but the point here is that dependent upon your prior network purchases in this area you will now be able to leverage existing tools vs. having to purchase new ones in many cases.

Check out Montego Networks at Networld Interop 2008 in the Lancope booth to see the solution in action!

John Peterson
CTO Montego Networks

Evolutionarily, presumably it is a better survival strategy to -- all other things being equal, of course -- accept small gains rather than risking them for larger ones, and risk larger losses rather than accepting smaller losses. Lions chase young or wounded wildebeest because the investment needed to kill them is lower. Mature and healthy prey would probably be more nutritious, but there's a risk of missing lunch entirely if it gets away. And a small meal will tide the lion over until another day. Getting through today is more important than the possibility of having food tomorrow.

Similarly, it is evolutionarily better to risk a larger loss than to accept a smaller loss. Because animals tend to live on the razor's edge between starvation and reproduction, any loss of food -- whether small or large -- can be equally bad. That is, both can result in death. If that's true, the best option is to risk everything for the chance at no loss at all.

This behavior has been demonstrated in animals as well: "species of insects, birds and mammals range from risk neutral to risk averse when making decisions about amounts of food, but are risk seeking towards delays in receiving food."

A recent study examines the relative risk preferences in two closely related species: chimanzees and bonobos.

Abstract

Human and non-human animals tend to avoid risky prospects. If such patterns of economic choice are adaptive, risk preferences should reflect the typical decision-making environments faced by organisms. However, this approach has not been widely used to examine the risk sensitivity in closely related species with different ecologies. Here, we experimentally examined risk-sensitive behaviour in chimpanzees (Pan troglodytes) and bonobos (Pan paniscus), closely related species whose distinct ecologies are thought to be the major selective force shaping their unique behavioural repertoires. Because chimpanzees exploit riskier food sources in the wild, we predicted that they would exhibit greater tolerance for risk in choices about food. Results confirmed this prediction: chimpanzees significantly preferred the risky option, whereas bonobos preferred the fixed option. These results provide a relatively rare example of risk-prone behaviour in the context of gains and show how ecological pressures can sculpt economic decision making.

The basic argument is that in the natural environment of the chimpanzee, if you don't take risks you don't get any of the high-value rewards (e.g., monkey meat). Bonobos "rely more heavily than chimpanzees on terrestrial herbaceous vegetation, a more temporally and spatially consistent food source." So chimpanzees are less likely to avoid taking risks -- as most species are.

Fascinating stuff, but there are at least two problems with this study. The first one, the researchers explain in their paper. The animals studied -- five of each species -- were from the Wolfgang Koehler Primate Research Center at the Leipzig Zoo, and the experimenters were unable to rule out differences in the "experiences, cultures and conditions of the two specific groups tested here."

The second problem is more general: we know very little about the life of bonobos in the wild. There's a lot of popular stereotypes about bonobos, but they're sloppy at best.

Even so, I like seeing this kind of research.

In Coral8 is Our Choice or “How the Hell Did We Get Here?”, Marc Adler does his normal (and now expected) fantastic job of cutting past the CEP marketing hype and getting to the meat of the issues, from an actual user’s perspective.  Marc is spot on in his evaluation of the various so-called CEP vendors.   I highly recommend you read Marc’s post above.

The bottom line, today, is that CEP software products have a long way to go to live up to the current CEP hype and none are really doing what we would call “CEP”.   So, in the current market, the intangibles, as Marc points out, are critically important.  

Coral8 has recently demonstrated to the event processing community that they are above-and-beyond the competition in that category. 

Coral8 has an open software evaluation and licensing model, one you would expect in the year 2003-3005 (this is 2008). 

Coral8 has significant white papers, thought leadership papers and documentation, all freely and readily available. 

Coral8 is standing by to support you in your event processing efforts, from Marc at the big and powerful Citigroup (be careful of your subprime portfolio) to consultants in Asia (be careful of mosquitos), you can count on Coral8’s leadership to support you.

As Marc keenly pointed out, it is not the final imaginary number in low latency that is important; nor is it important that you call yourself the “top leader” and the “creator of the standards” that makes you important; nor is it how innovative or smart you are (or think you are).  What is important is your customer service model.

Coral8 has demonstrated to many of us that they take the customer service model very seriously and this is the reason that Coral8 has caught our attention in the past 6 months.

Congrats to both Coral8 and Marc.   We look forward to hearing more about the results of your teamwork and event processing solutions at Citigroup.

I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.