Live from San Francisco, extracting the signal from the noise, it's theCUBE, covering VMworld 2015. Brought to you by VMware and its ecosystem sponsors. Hello, my name is Edward Haletky, I'm with The Virtualization Practice and I run the Virtualization and Cloud Security Podcast. Normally a video podcast done whenever we want to, actually, these days, and we're up to episode 160 or something like that. Mike's been on it as long as I have, almost. Actually, the funny thing is, Hemma was one of the original podcast members. Hemma Prafullchandra. Yes, I'm Hemma Prafullchandra, I'm the CTO of HyTrust. And several other things. And several other things, yes. And Simon Crosby's been on the podcast before. I have the pleasure to be back, founder and CTO of Bromium. And Mike Foley is my compatriot of recent years. Yep, Mike Foley, I work in vSphere technical marketing, I'm the author of the vSphere hardening guide. Yes. And you used to work at RSA and several other places that deal with security. Yeah. You're going into those. The vSphere security guide. We love the hardening guide. Believe me, we really do. We do. I think we all have a tool for the hardening guide at one point in time or another. Group hug every time. Simon doesn't need it though. Simon's, I mean, his stuff doesn't need it though, right? Right, right. It just does it for you. I'm all for it. Hotend, server, stuff, good. Yeah, clients count too. Actually, I think they count a little bit more. I mean, one of the things that came out of the keynote was putting security on an untrusted platform. I'm a little confused. I personally don't think that's possible. Can you put security on top of an untrusted platform? So we've been doing that for years and years and years. But we've been doing it. It's really a question of risk management. It's not a question of security. It's a question of risk management. I mean, if you think about traditionally what we've been doing with firewall products, right? It was on hardware.
Nobody actually said that the hardware was validated. So, software is always being placed that provides security functions on hardware that may have come from a different vendor. So, you know, I think it's a model we're used to. The question is, are we going further? Are we actually changing that model to improve the? I think we have to because now we're finding malware inside firmware and we're getting hardware delivered to us that has like... It's not only that. I mean, we've done work which shows that it's very straightforward with a bunch of JavaScript. It's a drop in the web page. And then from there, just brute force. Yeah. All your way down to SMM and stay there forever. And once you're there, you own it. Yeah, but you can do that from the web. So it's not like your supply chain has to be compromised. Malware can do this from the web, get down through the OS and drop into SMM and then you're toast. So it's a big deal. It's a scary world. It's a scary world out there, but how do you, if I don't know that's happening, how do I protect myself? I mean, I don't want an untrusted platform anymore. I really don't. I want a trusted platform. Yeah, but even if you have a trusted platform, that's not going to absolve you. Everyone wants the security easy button. Everyone wants the silver bullet, but security isn't an action. Security is a practice. Yeah. And you can't just say, okay, bang, that covers me for all security. Because it's just. It's a layer. It's just going to remain. Unless you're Simon, then all you need is him. Yes, you do. All you need is Simon. True. You're absolutely right. That we need him. The danger there is that it sounds like a get-out-of-jail-free card to the person who's been buying the same old useless stuff for years, which doesn't work. So I'm not prepared to let people get out of jail on that one. You mean this traditional stuff just doesn't work. And there are better ways of achieving security by design. Yes.
And I think so hardening out is good, but in general, you know, I divide the security world into two categories of vendors. Vendors who are building stuff that makes the world more secure and vendors who bleat about what they think is bad. Okay. All three here are vendors that try and make the world more secure by design. That's just a much better way to go. Yes. What you see emerging, I think, across all of the major infrastructure vendors is a set of ways, most of which use virtualization, surprisingly, to make the infrastructure vastly more defensible. And it's time to get rid of all the old crap that is sitting in the network, sitting on the endpoint, because it doesn't help. Yeah. Just doesn't help. So when we talk about, I mean, going back, something actionable, is TPM, TXT, and the follow-ons that are actually in all the processors, are those good enough to attest my hardware now? Yeah, it's good enough. Well, certainly with TPM 2.0, you can get to remote attestation. Yeah. But the problem is that there are no devices really shipping with TPM 2.0 yet. So that, look, in the endpoint world, hardware-based security comes slowly. It comes slowly because there's this vast array of different hardware out there, and the OEMs. It takes a long time to design all that stuff, too. Well, it's, yes. And assuming that the current generation of hardware is great, it still takes a long time for that to filter into the enterprise. Yes. By the way, Intel was not our friend here for a while. Intel charged 25 bucks more for a vPro feature set, which was just unforgivable, you know? It should be part of it. Why does it do that? I mean, it's like, just get people the most secure stuff. Fastwall, please. Right? So they're now doing the right thing. Yeah. For Skylake, it gets better. Well, in some of the sort of OEMs, right, where Cisco, HP, Dell, almost all of them have at least hardware that is TXT, TPM enabled now, but you have to order it. So it's a further line item.
And I think Cisco's the only one that's decided that their UCS, going forward, all their blades are going to have TPM TXT because they don't want to go retrofit those. Well, only in the US. Oh, so there you go. Only in the US. So again, you know, if we're trying to seed the market with the right approach, none of the hardware vendors, right, from the processors to the OEMs, right, are actually enabling the automatic choice. They've all made it way complicated. And ultimately, it's way hard for the customer to figure out what to do. That's the challenge. So we need the hardware vendors to actually make it easy. They need to make it easy, but ultimately the hardware features just get consumed in a software stack. And ultimately, that's what the customer buys and needs to know is good, right? Yeah. So again. But we've even seen situations where the hardware has failed, right? So while... And the BIOS is a terrible... And the BIOS is a terrible. There's so many moving pieces here. And so rather than getting to the point of... What I'm afraid of is that people are going to be listening and hear the point solution of, oh, I've got to have TPM 2.0. That'll solve my problem. Yeah, I agree. Really, it's much more along the lines of having a solid security practice that gets you, that allows you to take care of the unforeseen. Yes. I agree. It allows you to adopt the right technologies at the right time and the right place. And also retire the old technologies at the right time and the right place. Yes, I absolutely agree. And if you don't do that, if you're just looking for a... Make it secure, then you're not hiring a security officer, you're hiring a compliance officer. And there's a lot to do with maturity, too. So we have a number of customers that actually have enabled their infrastructure with TPM TXT-enabled hardware. But what's interesting is that they do a measured launch, right?
So they're still allowing the launch to continue, even if the measurements are not in compliance with what they want, right? They're not saying, stop booting if the bits are not right. They're like, let me know, I just want to detect if the bits are not right. Yeah, but even then you can do a measured launch into something where the malware then is the first thing to come up after you've done your measured launch, and then you still stack, right? So my issue with measured launch is the two words, measured launch. So it's only measured at launch time. And when you have uptimes of 30, 60, 80 days slash months, then at some point that launch measurement gets stale. I'm sorry, if you have uptimes of greater than... That's a whole other issue and I'll address that in my session later. Well, I'm going to address it right now. That is not a badge of honor. Right. That is a really just don't do it. You've got to upgrade these machines, upgrade the firmware, the software, and you've got to upgrade the software pretty easily, at least with the security patches, folks. I know, but with virtualization, you can easily evacuate all the VMs and reboot more often. I mean, you can, that's what virtualization is allowing you to do, but nobody wants to. That's right. I do mine every quarter, at a minimum. Yeah, but nobody likes that. I mean... You're in the extreme. You're in the extreme category. With that, we knew that coming in here. But this will know it coming out. Come on, I'm going to practice what I talk about. Yes, of course. And the thing is, is that, I mean, I run a lot of products in my environment. Yeah. I run a lot of security and management products and I do role-based access controls properly. Yeah. Most people don't. These are the simple things people can fix without costing anything. So here's another one. Here's another simple one. So 90% of enterprise breaches stop with a compromised endpoint, right? Yeah. So, simple.
Move to distrust every PC in your org. Yeah. Don't trust the damn things, but don't worry about the line of business. That'll continue. Move it out, right? Yeah. But it will, because if I don't trust anything outside of my trusted component, laptops, desktops, why trust them anyway? So you're not advocating VDI, are you? No. Yeah. Yeah. I mean, we're going back to a very long conversation many years ago. I love the VDI thing, I mean, most, a lot of malware I see just lives on the user profile and comes back every time you reboot your VDI desktop. And then it loves being in the data center too, right? Right. And being on the same VLAN as all the other VMs, which it can use to bounce around. So, VDI doesn't solve a security problem, it also solves a compliance problem. It's better hygiene. It doesn't solve the patching or any other problem. No, it doesn't, but you need to, you said the right word. You need hygiene. You need to be able to think about your environment, whether it's a server, a cloud, a hybrid cloud, holistically. You can't just look at it as a point solution. It's like, oh, I got an iPad, I better do, I better secure it. No, it's like, from here to where it's going and where it's talking, figure out what your users are doing. Once you know that, then you can figure out a policy around it to say, what should they be allowed to do? Yeah, but also what can I do to mitigate the fact that I know that humans are going to be doing stupid things. And whether they're admins or just- Or external. I mean, classic one that I've seen recently, admin, user logs on as admin to administer a Windows server instance, and then decides to browse the web. That. With admin credentials, right? So, it's not toast, right? In the same system. Come on, I really like doing that. You know, I use it in a captured VM. As long as you throw away the VM, it really is. Exactly, throw away everything, yeah. Take that laptop, get it wherever.
So, I've been presenting at VMworld now for a couple of years, and what I'm finding my role has turned into is one of educating the VI admins on how to just step back and think of what their actions may have as far as a consequence goes. Yes. And what I've also found is, I did last year a session on hypervisor security, and I had 500 people in the room. If I had done that session in 2010, I would have had 10 or 15 people in the room. So, what's happening is that the security industry and the security professionals are now starting to come out of their post-9/11 bunker, and they're looking around and realizing that the whole infrastructure has changed, and now they're worried about it being secure. And I think that then puts the onus on the IT admin to be coming up with better security practices and then educating the security folks on how these practices then affect security. Because the security guys are just looking to, you know. I'm also seeing in the industry, given the recent data breaches, right, that there are mandates coming from the top. So, like, I was talking to a major insurance company just over lunch the other day, and they were like, we've got this requirement that says, encrypt everything. And, you know, it's like, no new budget, just encrypt everything, right? That's like coming from the top down because of the CIOs, the CISOs, right? Well, so now- It says encrypt everything, but it doesn't say how do you manage the keys. Or, where's the right level to encrypt, right? Given that you're going to encrypt everything, how are users going to get access to the data? And when it's decrypted, then the bad guy shows up, right? It's about the use case and the threat surfaces, right? It can't be about just encrypt, because the suggestion was storage level. And they're like, well, my facility is very tightly controlled, nobody's going to walk out with a drive from my storage system, right? So if I encrypt at that level, is it really going to solve my problem?
In the virtual environment, even in most cloud environments, you can encrypt in 10 different locations and they still encrypt at the storage level. So, you know, encrypt everything. I've never been a fan of that. I actually think it's a waste of resources. Some things just need to be digitally signed, some things you don't care about. So I think that whoever said that on high needs to be educated. No, no, no, but this is the mindset that- Yes. But wait, it's a little bit like the HTTPS everywhere mindset, right? Which of course serves a bunch of hardware vendors extremely well, right? NetScalers and F5s, they all love this stuff. So little people become big holders. The whole thing around encryption is all about data leakage, right? So it's a brute force approach to solving the problem of data leakage. But data leakage, if I'm someone with access rights to sensitive data that I bring up on the screen, oh, I can't take it out of the building because it's encrypted. But I can take my phone out and take a photo of every single piece and have that synced up to a cloud service in seconds. So it doesn't really address the problem of data leakage. That's really an education of the end user. And what we're looking, encryption is stop stupid. I would agree with that, yeah. The guy who pulls out the disk drives and goes and sells them down at the- Or the people that are supposed to dispose of the drive, you send it back to the manufacturer, they send it over to Africa to pick apart. But before they do that, they read it. Exactly. That's what those policies are there for. They're really to stop that. But at the end of the day, if someone is determined enough, they will get past a lot of those things. And that's when you really ought to be thinking about- So you're just raising the bar, right? You're making it harder for them. Yes, absolutely. Rather than just, it's in the clear and they just take it.
But at the end of the day, when something like that happens, and you have a breach or you have data leakage, you really have to have a disaster recovery plan for security in place to deal with the outcome. And that's what I was going to get to is, you really need to have those plans, a library of them, all those incident responses for everything. It's not just disaster recovery. It's an incident response for a breach. It's an incident response for an encryption key missing. It's an incident response for someone who couldn't unlock their laptop for whatever reason. Well, someone's inconvenience is another person's disaster. So I'll just stick with disaster recovery. Okay. It's a disaster, it's a disaster. Oh my God. But you need a library of incident responses. There's a point at which some of this stuff is at risk of becoming too complex for an organization which gets IT, but not a lot of it, right? Yeah. So I mean, it's easy to talk to mature security organizations and they get it. But the mid-market guy who's under-resourced in IT anyway, and IT is not the business. For him, this is a lot of work. It's a huge amount. But that's why maybe what needs to happen is incident responses need to be shared and made available so that people have a library to go to. Okay, we're thinking of another product for somebody else to make. But still, I think you're right. But it's not just- It's a difficult problem to solve, right? So there's the process by which you can address an incident and you can have a supply chain of vendors that can help you with the mitigation piece of it. But that awareness and training piece, which is a challenge even just with the, even today in the basic, don't click this, right? That piece becomes even more complicated. So if it's a- I mean, I think the business of don't click on stuff, honestly, I think that that one is, I mean, there are lots of ways to solve that problem. But it's, I mean, I think it's in the category we've solved, okay?
That is, we know how to make operating systems extraordinarily secure nowadays. The problem is the legacy. Yeah. Okay, so, you know, the number one thing is, you know, just move on, people. Move on, right? Move on, move on, move on. It's like- You move on and use something you guys created. So I had this meeting with the CISO of the Federal Reserve Bank, right? Daddy, Windows XP, everywhere. You know, and the first thing he says, guys, you are completely unlike every other financial services organization. By the way, you're supposed to be the leader. You know? What the hell are you doing? It's the long Windows XP, you know? Just move on. Yeah. And then the world gets better. Same with the US Navy. It's just like, why the hell do I even know that the US Navy has Windows XP? That's a vulnerability in itself, okay? Well, okay. It's been actually a pleasure talking to everybody. We're almost done with our time. So a closing thought from everybody, Hemma? Well, so I'll build on what Simon said. Definitely deploy the new emerging technologies and actually adopt them, because it will make them safer and more secure. Yeah, I mean, for me, you're vastly more secure if you use virtualization and if you use the cloud. Just get there, right? Humans tripping on Ethernet cables, bad idea. Just get out of physical infrastructure, and the same stuff is coming on the client. You know, virtualization is about to transform security of endpoints and it's all going to be much better. Just move forward. Faster. Quit resisting change. That's number one. And then I agree with this key requirement, get planned for the bad things. So I guess I would say when you're adopting all of these new technologies that we want you to move to, don't apply the same old rules, because if you apply the same old rules to the new technology, you're not going to reap the benefits of the ROI of that new technology. If you're just applying new technology just to say we're running virtualized, that's not going to help you.
You really need to sit back and understand the impact on the business that new technology is going to have, and your rules may change. Well, and my last thought is this all is going to start. I mean, Mike and I were on a panel one time and someone got up and asked, like, where does everything stop without start? And without even looking at each other we said, with architecture. If you're going to sit there and adopt a new technology, come up with an architecture, please. Sit there and at least think about how security is going to be impacted by those and change how you're looking at security to fit that environment. You mean, the stuff we're talking about, encrypt everything, it may not actually be worth doing. It may actually have such a high overhead because of what you have that you may be adopting the wrong platform. There's a whole lot of factors here that we're not thinking about today as we go forward. I think that's the key, is you've got to start thinking about them at the beginning, and as you move, you can't just say, oh, I moved, and let's go bolt on some security. Like, no, think about it, think about security and then move forward. Yeah, so it's almost like, you know, the empowered CISO is the way forward, and an empowered, sophisticated, architecture-sensitive CISO is the way forward, right? And the CISO for too long has been, you know, subordinate to the CIO and everything else. They've also been reactive. They're feeling the compliance. But they've been reactive. You've got to break out of the reactive on both security and later. They're not brought in at the design time. Yeah, yeah. So get out, break out of the reactive mode. Yeah. But I think it's also the responsibility of the CISOs, the security engineering teams, to actually take a more active role. They can't just be focused on the ongoing maintenance of what they've already deployed but actually spend the time with the business units and say, what are you doing?
And my big complaint about security teams is they need to get ahead of the technology changes and not react to the technology changes. A perfect example would be things like Dropbox, right? If you can't provide an alternative solution that your customers, your employees can use that works just like a Dropbox, for example, if you make it really, really hard for them, they're just going to go around you. Oh, absolutely. Right now, I think the final thought is that, let's tie it back to VMworld a little bit, is that security professionals now have a chance to really get ahead by looking at the Photon platform and tools like that, because now you've got something that is not in every data center. You've got a chance to think and plan around it. Yeah. And architect how it's going to move into your environment and be part, the security folks just have to be part of the discussion. Yes. Get there. Yeah. So I mean, if you're a CIO, the message is let the security people lead from an architectural perspective and don't try and call them in later and say, hey, we're about to do this, how are you going to secure it? And allocate the budget as well, right? So not just design and architect, but allow the budget to be there for the security and compliance controls that are necessary. Well, thank you, Hemma, Simon, Mike, for being on the Virtualization. Thank you. Security and Cloud Podcast.