Perimeter defense: Innovators 2015

December 14, 2015

The perimeter is disappearing. There really is little or no argument on that score. So if the perimeter is going away, how does one defend a perimeter that no longer exists? The answer is philosophically simple even if it is not quite so easy to implement. The perimeter has become virtual. Not just in the sense of a formal virtual environment – a software-defined data center or the cloud, for example – but in the sense that the perimeter still exists, just not as the formal demarcation to which we have become accustomed.

With that in mind, one might go out on a bit of a limb and state that the perimeter is a device-specific thing. Every server, workstation or mobile device – whether in physical space or in cloud space – has its own perimeter. The overall enterprise perimeter now becomes defined, not just by where you put the firewall, but by the policy that controls all of the individual device perimeters. That – sort of – is the approach taken by our two Innovators in the perimeter defense space.


You will note that this year we have not included any of the traditional firewall or gateway products in this section. That is because we see the entire issue of the perimeter changing rapidly and we wanted to look for the most forward-thinking Innovators. Does that mean that we believe that the firewall is doomed? Certainly not (although that has been a topic of discussion for quite a while in security circles). What we believe is that the roles of traditional devices – such as firewalls, gateways and IPSs – are due for a change as the perimeter becomes less and less easily definable.

With that said, the Innovators in this space will need to take either (or both) of two approaches: deal with the policy-defined virtual perimeter, and/or redefine the roles of their traditional products to accommodate the emerging network architecture of the future. Our two Innovators have looked closely at the problem, and their solutions to the challenge of protecting a disappearing perimeter are what attracted us to them this year. We believe that they are headed in the right direction, although it seems that we are never actually "there." It doesn't hurt to try to complete the journey, though.

Vendor Good Technology 

Flagship product Good Work 

Cost Suites start at $3 per user per month, up to $15/user/month.

Innovation They built a security policy model around the philosophy that the framework carries everything with it in a way that users can extend to every user/device without having to own/control it. 

Greatest strength Their view of the challenges of the virtual perimeter and their ability to address it in a manner that is technologically sound, scalable and deployable.

Good Technology

We have been watching Good Technology for a while now. They started with a different approach than we typically see: assume that every end-user on the planet will have a mobile device and that most of them won't be your employees. If you are a CIO, CSO or CMO who wants to reach users in your extended infrastructure, and you base your approach to security on the traditional mindset of controlling the device, some of your controls will work some of the time and none will work all the time. Many organizations, for example, will never have full control of the devices that touch their data. So the uniqueness of Good Technology's approach is that the security framework carries everything with it, in a way that you can extend to every user and device without having to own or control that device. We found that quite interesting and very sensible given the notion of the virtual perimeter.

Their innovation is that they built a security policy model around that philosophy. Good Technology's system was purpose-built for it, and they have found that their predictions of years ago are coming true. Because of this approach, when they set out to build their platform they had the vision that it had to be portable to anything. They now have their system running on many more types of devices than just iOS, Android and the other usual suspects. Good Technology bases its strategy on the prediction that eventually everything is going to be connected and consumers are going to want to connect. So no matter which platforms become popular, Good Technology wants to be able to participate. That means that beyond the typical mobile devices they are looking at laptops and other less common devices. Nothing that Good Technology does limits them to traditional mobile devices. What matters is that the device is connected, not that it is mobile.

Additionally, Good Technology is working toward not doing all of the application development themselves and has enabled other developers to provide feedback and develop newer innovations. They have developed a very large ecosystem. However, that creates the potential for security issues (particularly with third-party apps). The way they manage that is that any third party wanting to bring a product into the ecosystem goes through a security vetting process that uses a neutral third party for security testing. Nothing is onboarded, including their own apps, unless it passes the security vetting. They also have the Good Technology catalog, an application that gives the customer control over which Good Technology applications their users can access. If an app carries the "G-Lock" logo, that means it has been vetted.

Vendor LightCyber  

Flagship product Magna

Cost Appliances start at $45,000 with a perpetual license.

Innovation Application of the attack mechanism to the breach detection gap using behavioral analysis. 

Greatest strength Vision and leadership of experienced people from the military and cyberwarfare world.

LightCyber Magna Platform

This is one of those companies that makes us glad we are working in the security space. In our discussion with this Innovator we were taken by its vision of the virtual perimeter – which, by the way, is our characterization (feel free to plagiarize it any time you wish) – and its approach to addressing the challenge of securing it.

The company is 3.5 years old, but its product has only been in general availability since January of this year. LightCyber looks to Israel for research and development. The principals come from a background in the military and cyberwarfare.

The big question LightCyber intends to answer is: How does an attacker compromise the network? They are not concerned solely with malware. The attack mechanism is the key issue, whether or not it includes a malware component (contrary to popular belief, a very large percentage of attacks, whether manual or automated, never involve malware at all). They see the first 20 years of information security as being all about blocking and preventing the installation of malware. Every generation – from firewalls, IDSs, IPSs, sandboxes, etc. – has been trying to identify malware and stop it. Good, to be sure, but not good enough.

Now there is a total change in the industry: recognition that prevention is necessary but not sufficient. An attacker with enough sophistication can test its attacks against prevention devices and circumvent protection. This is the “breach detection gap." To defend a network, we must assume bad guys will succeed and begin from that premise.

To address the breach detection gap, LightCyber uses behavioral analysis. This starts with a baseline profile of normal activity. They then apply attack detectors that look for universal indicators of an attack in progress (the detectors are not static signatures), examining hundreds of behaviors indicative of anomalous activity. The system profiles behavior relative to the individual user and to the enterprise's devices, so that a departure from each one's own baseline stands out as anomalous.

LightCyber categorizes anomalous activity in five buckets: 

  1. anomalous C&C activity
  2. East-West traffic – changes in traffic patterns
  3. lateral movement within the network
  4. exfiltration
  5. anomalous activities and states at the endpoints. 

This approach allows the system to pair automatically gathered investigative data with the anomalies it discovers, which in turn lets the analysis run in LightCyber's cloud and shortens what would otherwise be a tedious manual investigation.
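To make the baseline-then-detector idea concrete, here is an added example (not LightCyber's code, and not a description of how Magna is implemented) that learns a per-host profile from a clean window of network flow and endpoint records and then runs one simple detector for each of the five buckets above. The record layout, the 10.0.0.0/8 internal range, the admin-port list and every threshold are assumptions chosen for illustration; the sample records are constructed inline.

```python
"""Baseline-then-detector behavioral analysis over constructed flow and
endpoint records. Added example: not LightCyber's code; the record layout,
thresholds and admin-port list are assumptions made for illustration."""
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumption: enterprise address space
ADMIN_PORTS = {22, 135, 445, 3389, 5985}            # assumption: remote-admin protocols
BEACON_MIN_HITS, BEACON_MAX_CV, FANOUT_FACTOR, EXFIL_FACTOR = 5, 0.1, 3, 10

# Flow record: (unix_ts, src_host, dst_ip, dst_port, bytes_out, bytes_in)
# Endpoint record: (host, executable_name)

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def empty_profile():
    return {"peers": set(), "ext": set(), "out_per_day": defaultdict(int), "procs": set()}

def build_baseline(flows, procs):
    """Per-host profile learned from a clean window: internal peers contacted,
    external destinations, outbound bytes per day, executables seen."""
    profiles = defaultdict(empty_profile)
    for ts, host, dst, _port, out_b, _in_b in flows:
        profiles[host]["peers" if is_internal(dst) else "ext"].add(dst)
        profiles[host]["out_per_day"][ts // 86400] += out_b
    for host, exe in procs:
        profiles[host]["procs"].add(exe)
    return profiles

def detect(baseline, flows, procs):
    """Run the five detectors over a later window; returns (host, bucket, detail) tuples."""
    alerts, by_host = [], defaultdict(list)
    for f in flows:
        by_host[f[1]].append(f)
    for host, hf in by_host.items():
        prof = baseline.get(host, empty_profile())   # unknown host: everything is new
        # 1. anomalous C&C: an external destination never seen in the baseline,
        #    contacted at near-constant intervals (beaconing).
        contacts = defaultdict(list)
        for ts, _, dst, *_ in hf:
            if not is_internal(dst) and dst not in prof["ext"]:
                contacts[dst].append(ts)
        for dst, tss in contacts.items():
            gaps = [b - a for a, b in zip(tss, tss[1:])]
            if (len(tss) >= BEACON_MIN_HITS and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) < BEACON_MAX_CV):
                alerts.append((host, "anomalous C&C", dst))
        # 2. east-west change: internal fan-out far above the host's baseline.
        peers = {dst for _, _, dst, *_ in hf if is_internal(dst)}
        if len(peers) > max(3, FANOUT_FACTOR * len(prof["peers"])):
            alerts.append((host, "east-west change",
                           f"{len(peers)} internal peers (baseline {len(prof['peers'])})"))
        # 3. lateral movement: admin protocol to an internal host this source never talked to.
        for dst, port in sorted({(d, p) for _, _, d, p, *_ in hf if is_internal(d)}):
            if port in ADMIN_PORTS and dst not in prof["peers"]:
                alerts.append((host, "lateral movement", f"{dst}:{port}"))
        # 4. exfiltration: outbound volume to one external destination dwarfing a normal day.
        typical_day = max(prof["out_per_day"].values(), default=0)
        out_by_dst = defaultdict(int)
        for _, _, dst, _, out_b, _ in hf:
            if not is_internal(dst):
                out_by_dst[dst] += out_b
        for dst, total in out_by_dst.items():
            if total > EXFIL_FACTOR * typical_day:
                alerts.append((host, "exfiltration", f"{dst} {total} bytes"))
    # 5. endpoint anomaly: an executable not present in the host's baseline.
    for host, exe in sorted(set(procs)):
        if exe not in baseline.get(host, empty_profile())["procs"]:
            alerts.append((host, "endpoint anomaly", exe))
    return alerts

# Constructed sample data (assumption): two quiet days of baseline for one workstation,
# then a later day in which it beacons, sweeps SMB across a subnet, pushes 400 KB out
# to a new external host, and runs an executable never seen before.
BASE_FLOWS = [
    (100, "10.0.1.5", "10.0.2.10", 445, 20_000, 5_000),
    (90_000, "10.0.1.5", "10.0.2.10", 445, 25_000, 5_000),
    (90_500, "10.0.1.5", "93.184.216.34", 443, 4_000, 60_000),
]
BASE_PROCS = [("10.0.1.5", "outlook.exe"), ("10.0.1.5", "chrome.exe")]
DETECT_FLOWS = (
    [(432_000 + 60 * i, "10.0.1.5", "198.51.100.7", 443, 300, 200) for i in range(6)]
    + [(432_400 + i, "10.0.1.5", f"10.0.3.{i}", 445, 1_000, 500) for i in range(1, 9)]
    + [(433_000, "10.0.1.5", "203.0.113.9", 443, 400_000, 1_000)]
    + [(433_100, "10.0.1.5", "10.0.2.10", 445, 20_000, 5_000)]   # normal traffic, no alert
)
DETECT_PROCS = [("10.0.1.5", "outlook.exe"), ("10.0.1.5", "dropper.exe")]

def run_demo():
    return detect(build_baseline(BASE_FLOWS, BASE_PROCS), DETECT_FLOWS, DETECT_PROCS)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Each detector compares a host only against its own profile, which is what keeps the detectors non-static: a backup server with hundreds of baseline peers will not trip the east-west detector on fan-out that would be alarming for a workstation. The thresholds here are deliberately crude; a production system would learn them per host and correlate the buckets (a beacon plus a subnet sweep from the same host is far stronger evidence than either alone) rather than emitting each alert independently.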
