This is a tough category to define because it changes as the underlying infrastructure changes. We have gone from mainframes to large-scale Unix to hardware-defined data centers, to software-defined data centers to the cloud. To a certain degree, all of these are present today and, in addition, we have hybrids that include two or more of these paradigms. Along with the changes to the underlying architectures the security stack protecting them needs to evolve.
In this year’s Security Infrastructure section, we have focused on large-scale enterprise resource planning (ERP) security, remote session security and industrial control systems (ICS)/IoT/hybrid security. These different products take different approaches, but they all seek to address the fundamental confidentiality, integrity and availability (CIA) requirements of their target infrastructure. One thing that is notable is that the application layer is as likely to be included directly in the security stack as not. This is a fundamental shift: rather than deploying security for the network infrastructure and separate security for the application layer, these products – especially when it comes to defending an ERP system – take a completely integrated seven-layer approach.
The reason, more or less obviously, is that applications are so tightly interwoven with the hardware and communications architecture that it is difficult to address the network model effectively layer by layer. We are reaching an all-or-nothing world when it comes to deploying a security infrastructure. For example, ERP systems are two or more layers thick. They usually contain at least a database layer and a processing layer. They may use a web interface or have a third, discrete, visualization layer.
Access to any of the outer layers by an attacker can mean access to the back-end data if the infrastructure security is not in place and effective. In fact, if the user interface is web-based, that implies a web server somewhere. Web servers can be notoriously insecure if not protected properly, so compromise of the web server can mean a free ride inside.
The three Innovators we have selected this year really show that an effective, seven-layer type of deployment – while not trivial – is doable. You just need to be, well, innovative.
Flagship product: Onapsis Security Platform
Price: $60,000 per production SID.
Innovation: A security stack dedicated to SAP.
Greatest strength: Being able to expand its offering to meet market needs and move into the ERP market space as a whole.
The Onapsis Security Platform (OSP) is an SAP security tool that combines vulnerability, compliance, detection and response capabilities that traditional security solutions do not provide in this environment. Through continuous monitoring, OSP provides a near real-time preventative, detective and corrective approach for securing SAP systems and applications. It can be deployed on-premises or in a private, public or hybrid cloud environment. The product supports SAP NetWeaver, ABAP, J2EE, HANA, mobile and BusinessObjects platforms.
The platform integrates with network security, security management, SIEMs and workflows, as well as cloud providers. Specific alarms can be sent and automatic response actions can be triggered. The Platform also enables secure migration to cloud environments by seamlessly integrating into private, public or hybrid deployments.
Over the past year, Onapsis has begun to address ERP platforms other than SAP. The next product will address Oracle, for example. This Innovator also has developed a new product platform. What was largely a Windows desktop-based scanner now is an enterprise-grade platform that can be deployed on-premises or in the cloud. This new iteration also supports detection and response. It can identify exploit efforts or attempts at accessing information without authorization.
An important capability is its ability to feed SIEMs and ticketing platforms. In that regard, the tool can apply virtual patches. It scans automatically and can, if configured, push patches. For Onapsis this has been a year of change: increasing the number of employees, receiving investment and moving to a new facility. Additionally, the company now supports the cloud and is a founding member of the Cloud Security Alliance (CSA).
Developing threat intelligence on SAP-specific exploits has been a differentiator. Its innovation stretches to vertical expansion with new modules, such as risk calculations. This Innovator is continuously investing in vulnerability research. Because it is dealing with business risk instead of just technology risk, it has been able to develop reliable metrics and is seeing interest in the audit community as a result.
We see Onapsis as an Innovator that started with a good idea and a niche market – SAP – in which it became dominant and has begun to apply its innovative approaches to moving into the entire ERP market where it is similarly likely to dominate.
Flagship product: RecordTS
Greatest strength: Ability to turn on a dime to meet customer challenges.
TSFactory is a software development company focused on remote session monitoring and recording. This Innovator embraces the idea that the cloud is here to stay. It also believes that security tools for the cloud and remote access tend to lag behind and are always trying to catch up. The solution, says this Innovator, is to provide the security and auditing tools that can help customers feel safe. With this in mind, they are moving more into the auditing area and also are moving toward gateway appliances.
As part of its go-to-market strategy, the company is partnering with large cloud providers that have unique challenges to face. That lets it tailor products to the market and help cloud providers overcome those challenges. One of TSFactory’s strongest innovations is that it is able to re-tool rapidly to meet new challenges. The company can make these changes in 24-48 hours because it is lightweight and can make changes in hours rather than months. To meet that challenge, though, this Innovator had to update its architecture to support rapid change. This is an almost unprecedentedly fast turnaround. That is innovative, for certain, but how scalable is it? Very, because one change usually can propagate widely across the customer base.
This almost is as if TSFactory had a captive team of market researchers feeding it new requirements based not on a perceived need but on real, actual requirements. If one cloud provider has a particular problem, many do. That means that a fix for one is extensible to many others. That approach offers real economies of scale. The company also worked aggressively with cloud providers to meet their needs; for example, updating licensing to fit the cloud provider paradigm.
Performance is a big challenge because past tools are too slow for real-time auditing. Another major challenge is data reliability. Obviously, one can’t afford lost data, and dropped packets are one way to lose it. This is not just an issue of ramping up wire speeds; many other factors contribute to performance-related data loss. That means that this Innovator is constantly trying to accommodate faster standards. For one, it changed its databases and adopted multi-stage buffering.
This has made a big difference in performance without depending on driving up wire and interface speeds. The product intercepts all traffic so nothing can get around it. Since it is in-line, it uses buffering that lets it approach real-time analysis.
Vendor: Tempered Networks
Flagship product: Identity-Defined Networking
Many years ago, there was a theory roaming around the infosec community that all we had to do was encrypt everything and we’d be safe. No need for any other protections… just encryption and all would be right with the digital world. That never materialized – until now. The fact is that at the time that theory was proposed, the way forward to deploy it was still shrouded in mystery. The key, as it turns out, is identity-defined networking (IDN), and this Innovator has built a business around it.
Identity-defined networking effectively brings identity to the network and endpoints and allows central management of these identities in a dynamic and scalable way. An IDN is an encrypted overlay network that transcends traditional segregation mechanisms, such as VLANs, VPNs, MPLS, and addressing schemes.
Well, it’s not quite that simple, but close. The key, as one would expect, is encryption. The assets are identified cryptographically and only certain assets are allowed to communicate with them. By defining the communication groups, you define a collection of IDNs. If an asset – or an intruder – is not in a particular IDN, it cannot communicate with any of the assets in that IDN. Additionally, communication is via a special protocol called the host identity protocol (HIP). All communication is based on a cryptographic exchange prior to data transfer.
This Innovator overcomes the problem of updating access control lists (ACLs) and the like by using the host identity protocol to assign a unique host identity to each asset on the network. This makes it very hard to penetrate. It completely defeats phishing because the user’s access to certain assets is restricted by his asset’s allowed access. A phisher can’t spoof because he doesn’t have access. Because this is completely software-based, deployment takes seconds instead of weeks per device and it’s verifiable and easily auditable. IDNs dramatically reduce the attack surface by reducing lateral movement.
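To make the policy model described above concrete, here is an added toy simulation of identity-defined enforcement. It is example code written for this article, not Tempered Networks software, and it deliberately simplifies HIP: each host's identity tag is a hash of constructed key material, and the proof of possession is an HMAC challenge-response over a shared per-host key rather than HIP's public-key exchange. The host names, IP addresses, keys and the "erp"/"office" group names are all constructed for the demonstration. What it shows is the part of the text that matters to a defender: an IP address in the right subnet earns nothing, an unknown identity is dropped, a host outside the group is refused before any data flows, and a peer that claims another host's identity without holding its key fails the exchange.

```python
"""Toy model of identity-defined networking (IDN) policy enforcement.

Added illustration, not vendor code. Assets are identified by a Host
Identity Tag (HIT) derived from key material, never by IP address. A flow is
allowed only if both hosts share an IDN group AND the initiator proves it
holds the key behind its claimed HIT. HMAC stands in for HIP's public-key
handshake; every key, name and address below is constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str      # present only to show that the address plays no role
    key: bytes   # constructed per-host key (stand-in for a HIP private key)

    @property
    def hit(self) -> str:
        """Host Identity Tag: hash of the host's (stand-in) public identity."""
        return hashlib.sha256(b"hip-identity:" + self.key).hexdigest()[:32]

    def prove(self, nonce: bytes, peer_hit: str) -> bytes:
        """I2-style proof: bind the challenge nonce to both identities."""
        msg = nonce + self.hit.encode() + peer_hit.encode()
        return hmac.new(self.key, msg, "sha256").digest()


class IdnController:
    """Central policy point: enrolled identities and IDN group membership."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}        # HIT -> verification key
        self.groups: dict[str, set[str]] = {}   # IDN name -> member HITs

    def enroll(self, host: Host, *idns: str) -> None:
        self.keys[host.hit] = host.key
        for idn in idns:
            self.groups.setdefault(idn, set()).add(host.hit)

    def same_idn(self, a: str, b: str) -> bool:
        return any(a in members and b in members for members in self.groups.values())

    def base_exchange(self, claimed_hit: str, responder: Host, prover) -> tuple[bool, str]:
        """Simplified HIP-style exchange the responder runs before any data moves.

        `prover(nonce, responder_hit)` is the initiator's callback producing its proof.
        """
        key = self.keys.get(claimed_hit)
        if key is None:                                  # I1 from an unenrolled identity
            return False, "unknown identity"
        if not self.same_idn(claimed_hit, responder.hit):  # policy before crypto
            return False, "not in a shared IDN"
        nonce = secrets.token_bytes(16)                  # R1 challenge
        expected = hmac.new(key, nonce + claimed_hit.encode() + responder.hit.encode(),
                            "sha256").digest()
        if not hmac.compare_digest(expected, prover(nonce, responder.hit)):
            return False, "identity proof failed"        # spoofed HIT, wrong key
        return True, "allowed"


def build_demo() -> tuple[IdnController, Host, Host, Host, Host]:
    """Constructed topology: an ERP web tier and database, an office laptop, an intruder."""
    ctl = IdnController()
    web = Host("web", "10.0.0.10", b"web-key-constructed")
    db = Host("db", "10.0.0.20", b"db-key-constructed")
    laptop = Host("laptop", "10.0.1.5", b"laptop-key-constructed")
    intruder = Host("intruder", "10.0.0.99", b"intruder-key-constructed")  # same subnet as db
    ctl.enroll(web, "erp")
    ctl.enroll(db, "erp")
    ctl.enroll(laptop, "office")
    return ctl, web, db, laptop, intruder


def run_scenarios() -> dict[str, tuple[bool, str]]:
    ctl, web, db, laptop, intruder = build_demo()
    return {
        "web->db": ctl.base_exchange(web.hit, db, web.prove),
        "laptop->db": ctl.base_exchange(laptop.hit, db, laptop.prove),
        "intruder->db": ctl.base_exchange(intruder.hit, db, intruder.prove),
        # Spoof attempt: claims the web tier's HIT but only holds the intruder key.
        "spoof->db": ctl.base_exchange(web.hit, db, intruder.prove),
    }


if __name__ == "__main__":
    for flow, (ok, reason) in run_scenarios().items():
        print(f"{flow:14s} {'ALLOW' if ok else 'DENY ':5s} {reason}")
```

Note that the policy check runs before the challenge so a host outside the group never receives a nonce and learns nothing about the responder; in a real deployment the verification keys would be public keys held by the controller, not shared secrets as in this stand-in.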
Tempered Networks has a host identity protocol (HIP) client for Windows and is working on Mac and Linux clients. The HIP switches are proxies for devices that cannot protect themselves. This Innovator also has the HIP chip that can be embedded in IoT devices. A staffer at this Innovator told us that getting the market to adopt HIP, more than selling products, is a primary driver.