Saturday, October 23, 2010

Bit9 (and a bit of a rant about Infosec Pros!)

I have to tell you, every now and again I get a presentation from a product vendor that just makes me go "Wow. I wish I'd thought of that!" Bit9 was one of those.

During my travels I keep hearing the name Bit9, but hadn't really been exposed to their product. I attended a conference in January where they had a booth, but I hate those things. You can never have a serious talk. I guess they are a good way to get exposed to a lot of things and then circle back, but I always try and take notes on which to circle back on, and then either forget, or end up misplacing the literature.

Anyway, I did see Bit9 during the conference but didn't get to spend any time with them. When I returned, I forgot about them, only to be reminded a couple of months ago. So I set up a time, and offered my staff a lunch 'n learn.

Bit9 is a tool used (I'm sure they have others, but I loved this one) to identify installed malware on a system. More importantly, I was surprised to see that Bit9 is the brains behind some of my other favorite tools like Mandiant's MIR and is delivered by about a dozen others providing services. Interestingly enough (maybe I hadn't looked hard enough) I was under the impression that this space was wide open for exploitation with very little competition and a reasonable barrier to entry... meaning if I went to a VC for money to build the solution, a business case could be made, and I'd have enough of a run on my competition to be able to make a few bucks before they caught up. I still think that... the market for malware identification is still wide open and the AV vendors don't seem to have a clue.

Back to the point. Bit9 backends several malware identification tools with a database in a 'cloud' (marketing speak for two datacenters in Massachusetts). Regardless, the cloud is a massive repository of unique indicators each representing specific pieces of malware. The Bit9 tech is deployed to scan an environment using a client based system which compares files on a system to those in Bit9's database. The management console was, as you'd expect, pretty. Pretty without functional does no good, but in this case, the management console was totally functional. Running in a browser, it can be operated by any SOC or remote worker.

Bottom line: If you're looking for malware identification/remediation and whitelisting tools, save yourself some time. I've heard the name from some of the best companies in the world. Bit9 appears to have something real. I'd look at them first.

[rant]
In sitting with my team (and others I've worked with), it seems vendor presentations are peppered with questions like "You do X, why don't you do Y?"

This case was no different. Scope creep in vendor presentations is easy, and often takes away from the presentation. In this case, Bit9 has some really nice tech. They found their niche, filled it nicely, and are licensing the hell out of it to others who provide services in their space. Well done. What they didn't do was lose focus on their principle value proposition... finding malware on a host.

I'd love for one magic bullet solution. I'd drop it in my environment and turn it loose. It'd solve every problem I have, and those I haven't thought of yet. My users would be happy, it'd be free, and wouldn't require any maintenance... never going to happen.

Bit9 focuses on malware. Other technologies focus on other areas. Good management finds that first thing, with that first customer and puts it out of the park. Bad management finds thousands of customers and delivers mediocre solutions. I'm with Bit9.
[/rant]

Jeff

Invicea bake-off in a large company Internet isolation strategy

I had the opportunity to speak with a colleague last week. This gentleman is the CIO for a very large company and is in the middle of a bake-off between Invicea and another virtualization offering.

I'd discussed virtualization with him previously, but not in the form you're probably thinking. This is not a datacenter reduction strategy, rather an internet isolation strategy. He's trying to figure out a way to isolate his corporate network from the open internet.

My discussion started like this... "I'm interested in understanding how the Invincea test is working for you." His response? "No virtualization offering is worth anything by itself. Let me show you the what we wanted, what we did, and the architecture that we had to build behind it." In the end, this CIO built one reference architecture in which he tested two virualization strategies. Both were intended virtualize only Internet Explorer on the desktop.

His measures of success were easy to understand and very straight forward:

1. Isolate to the greatest extend, the internet from the corporate environment.
2. Do it with the least possible pain experienced in the end user experience.

I'd had a strategy discussion with him about a year ago. We discussed several options, including other virtualization applications, but also the use of simple terminal services, as well as a more simple idea.. issue everyone an iPhone. In the end, the iPhone dog didn't hunt and was dropped for discussions of the limitations of terminal services versus the implementation of an application virtualization strategy.

They've done a great job in that year, and now have about 1200 users in the pilot. Invincea had strengths and weakenesses, as did the other product. The other product has a significant price advantage, but is a tool developed for one thing, then used in another (therefore, no support for this particular use). Invincea on the other hand is a small company and therefore, more willing to accept development money and allow this large company to shape its product strategy.

Bottom line: No one application (including this wonderfully promising tech) is the cure-all. Remember defense in depth? Invincea handles only one of those layers, but with the right architecture in place provides a truly viable option. There are others however. Don't be afraid to look around. One company I talked with was experimenting with qmu! Others, VMWare, simple terminal services, etc. Do you homework. Do the architecture. And remember, in the end, nothing's cheap!

Jeff