In addition to the above services, KBank offers a service that permits users to receive an SMS message that details any change in account balance and/or point-of-sale (POS) transaction with your debit card.   I really like this service and the feeling of security knowing when, where and by how much my balance changes or my debit card is used in a transaction.    The KBank POS SMS notification is so fast that when I present my card to a merchant I normally receive an SMS message detailing the transaction before the merchant returns for my signature.  (There is an unfortunate lag in the balance change notification that can run minutes to hours behind real-time, but the POS VISA debit card notification is real-time).

As the story goes,  I should have been using my KBank card and account a few weeks ago and not my US-based VISA debit dard.  Why?

My US-based VISA debit card was cloned sometime on or before August 8th.   I am really careful with this card, so I was surprised the magnetic strip was cloned at a POS merchant.   The fraudster made 7 fraudulent transactions beginning on August 8th for a total of around $2500 USD, mostly on August 11th, before I discovered the fraudulent transactions viewing my account on-line.

This would not have happened with KBank SMS-based transaction notification services.

The first transaction with my cloned VISA debit card was less than $50 USD (I assume the fraudster was “testing the water”).   If I was using my KBank card, I would have received an immediate SMS message detailing a POS transaction in Bangkok when I was physically far away from Bangkok in Chiang Mai.   I could have immediately called the bank (or logged in) and blocked the debit card, limiting potential losses to the bank or the merchant to one fraudulent transaction, not seven.

In addition, KBank offers what they call a Web-Shopping VISA card, where you can go into your on-line account (verified by SMS OTP as mentioned) and request a VISA debit card number (with expiration date, CCV etc).   You set the limit from 0 to 500,000 THB (Thai Baht) per day; and you can login to your account and change this anytime (authenticating your transaction with another SMS-based OTP). You can also block or cancel this number anytime and apply for another one.

I am amazed that in Thailand I receive much better anti-fraud prevention and detection services than with banks in the US.   I know of no bank or brokerage in the US that offers the same quality of service and security as KBank in Thailand.  

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments.  This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network.  The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment.  Take a look at the attached picture.  It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes.  Is it FTP traffic that is occuring at a high volume at an unuseal time of day?  If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it?  Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment.  Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated.  Having constant visibility can also ensure that other security products in the environment are performing as expected.  What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy.  One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach.  Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place.  Well, sure... You now have attack visibility but at the performance cost of your virtual environment.  Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones.  IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache?  Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern.  In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one.  So why do it virtual and have to pay a 60% CPU utilization tax?  Another solution is to IDS inspect only the things you care about.  Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL.  Its just a waste of compute cycles isnt it?  Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product).  Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow).  NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world.  NetFlow is lightweight.  Let me say that again, its light weight!  It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on.  Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator.  You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records.  It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

...and probably a slew of other things I'm not aware of.  A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session.  A high counter can be indicative of a security problem.  Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine.  Example:  Lets say you have a VM that has a BOT on it and is "owned".  The Lancope product is monitoring this long life session.  Let's say that session is established for several hours or maybe even days or months.  Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise.  Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior.  Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying:  Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY.  There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies.  Things like, helping you answer questions of:  How do I know what network applications are taking up the most bandwidth?  When should I move those applications over to a server with more horsepower?  When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur?  I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer.  Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments.  This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network.  The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment.  Take a look at the attached picture.  It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes.  Is it FTP traffic that is occuring at a high volume at an unuseal time of day?  If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it?  Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment.  Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated.  Having constant visibility can also ensure that other security products in the environment are performing as expected.  What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy.  One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach.  Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place.  Well, sure... You now have attack visibility but at the performance cost of your virtual environment.  Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones.  IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache?  Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern.  In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one.  So why do it virtual and have to pay a 60% CPU utilization tax?  Another solution is to IDS inspect only the things you care about.  Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL.  Its just a waste of compute cycles isnt it?  Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product).  Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow).  NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world.  NetFlow is lightweight.  Let me say that again, its light weight!  It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on.  Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator.  You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records.  It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

...and probably a slew of other things I'm not aware of.  A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session.  A high counter can be indicative of a security problem.  Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine.  Example:  Lets say you have a VM that has a BOT on it and is "owned".  The Lancope product is monitoring this long life session.  Let's say that session is established for several hours or maybe even days or months.  Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise.  Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior.  Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying:  Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY.  There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies.  Things like, helping you answer questions of:  How do I know what network applications are taking up the most bandwidth?  When should I move those applications over to a server with more horsepower?  When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur?  I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer.  Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson

“Linux is a movement, a philosophy, where programmers and technical people take control of their own destiny.”  — Tim Bass

Ref:  Email signature, Re: Future of 2.0.36, G.W. Wettstein (greg@wind.enjellic.com), Sat, 24 Oct 1998 10:09:27 -0500

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

• Banknotes have watermarks and other security features to resist counterfeiting
• Cheques require the account holder's signature
• ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
• Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. This is being very effectively exploited by criminals and the banks are looking for a solution. Personal computers are not tamper proof sales terminals, therefore it is unfeasible to rely on the customer to keep them 100% secure. No one can take away online banking but banks can deploy new security measures, and solving this problem requires a new innovative approach that can equally address security, ease of use, and cost.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

Most event processing systems would be incomplete without the ability to process events in the form of messages.   Messages can be delivered in either a connection-oriented protocol or a connectionless protocol.   Most enterprise-class messaging systems have both.   Many messaging systems have features like guarenteed delivery, which are important to many applications.

On the other hand, you do not have to work with a messaging system or enterprise service bus (ESB) to process events, because the transport layer is independent from the event processing layer, theoretically.  Most enterprise-class event processing system architectures will use a combination of both asynchronous and synchronous messaging. 

To understand event processing I recommend you turn to network management and the practical use of Simple Network Management Protocol (SMNP) for a basic undertanding of event processing.   SNMP uses both synchronous event-based messaging, called polling, and asynchronous messaging, called traps.   Network management systems engineers use a combination of both polling and trapping in all enterprise-class operational NMS.  Optimizing polling and trapping is one of the tasks good NMS engineers do well. The same holds true in most distributed event processing architectures.  

For example, look at the CEP/EP reference architecture on this site.  You will notice that the mechanism for event transport is generic, represented as an event bus, but it does not specify the transport protocol.  If you are receiving raw events and comparing correlated results against a signature in a database, you are using both asynchronous and synchronous messaging.    In theory, you could build an event processing system with only connection-oriented protocols, but this would be an exeception, not the rule.

Event processing is generally associated with messaging because we generally represent event-objects as electronic messages.   In theory, we could call these cyber event-objects anything we want; for example, we could call them “packets.” However, packets are generally associated with the underlying Internet Protocol (IP) layer by network engineers.  

Moving up the stack, we think in terms of a complete message-object, which we generally call “a message.”  This message could be an SNMP event-object, an SMTP event-object (an email message), or an HTML request to a web server, to only name a few.    In fact, the basic unit of work at the application level of a distributed network application is what we call “a message.”  

So, in On Messaging and Events Opher asks, “Is event processing just fancy name to message processing ?”

Events are generally represented in some electronic format.  The event-object must be transported electronically in cyberspace, and the way that it is transported is in what network engineers generally call “a message.”   It make no difference what we call it, really; because whatever we call it, it is still binary data representing information we are interested in, hopefully in a format we can efficiently process.    Enterprise-class event processing systems are designed to work with myriad formats, protocols and transports.   One size does not fit all.