The InfoWorld (IW) survey methodology was to see a demo of the product conducted by each company via webex and interview with the company over the phone. While we appreciate the opportunity to participate in the survey the methodology limited what was considered for the survey.

There were three important aspects that were not covered:

1.    Security offered by the solution
2.    Security of the cloud offering
3.    Deployment & Management versus Demoability

Let us examine these one by one.

Security offered by the solution
First lets explore how easy is the solution to bypass? For example,
•    take Bit9 which does not offer memory protection, which means that a simple buffer overflow exploit will bypass the whitelisting solution.
•    Or take script authentication, i.e. ability to whitelist scripts and java etc. If a solution does not offer this you can run a script on the system and completely bypass the protection?
•    Or take protection of kernel components? If the solution does not whitelist kernel drivers and components you can bypass the solution by simply inserting a driver into the system
•    Can executables be whitelisted from a network share (required for most Windows Active Directory based deployments)?

Whitelisting is fundamentally different than black listing, in the sense that the whitelist needs to be complete for the system to function. Thus if you don’t have coverage for a particular type of executable the solution is easily compromised. While the report mentions that MFE application control is the only solution which offers scripting and buffer overflow protection, it fails to highlight: Coverage is not a feature it is important for security!

The other aspect which was not covered by the survey was self-integrity or protection of the system itself. If the solution becomes popular how well does it withstand against targeted attacks on itself. Can ill-intended administrators bypass the system?

As several of our customers have figured out for themselves the protection from our competitors is easily bypassed.

Security of the Cloud Offering
The assumption behind the report and several other reports is: “If its in the Bit9 cloud its good”. There are several things to point out here:

•    Cloud can only cover off the shelf binaries (script coverage is very sketchy). They don’t cover any custom software which is a large part of most enterprises

•    Secondly, by shifting the problem to the cloud, one has to ask the question how is the cloud info constructed and how safe is it to poisoning.

As discussed in the previous section most of these solutions don’t cover scripts so the cloud offerings are only for binaries and that too only for off the shelf binaries.

Let us focus on the second aspect. How secure is the cloud? Take Bit9 for example, they claim to have 7.5B files in the cloud. Who checked that these are from valid sources? Most of these are collected by crawling the web? If its on CNET it is secure? If it’s on download.com is it secure? Who checks whether its secure? Has this function been outsourced to a country in Eastern Europe or Asia?  7.5B files were verified?

Niel McDonald’s @ Gartner has an interesting blog article and discussion about the same http://blogs.gartner.com/neil_macdonald/2009/03/31/will-whitelisting-eliminate-the-need-for-antivirus/

If you look at MFE cloud technology, it has several dimensions along with the analysis is done. In addition it directly talks to publishers to ensure that the quality of data in the cloud is pristine. Most small vendors like Bit9, just don’t see enough data: domain registrations, spam addresses, firewall rules, endpoint’s pinging back, site advisor to have enough dimensions to correlate and produce high quality data.

The MFE Application Control will be integrated to the MFE Cloud. This was already demonstrated at FOCUS ’09 and is on the short term roadmap.

Deployment and Manageability vs Demoability

As with most lab surveys, this one does not cover the manageability and deploy-ability of the solution:
•    Can it scale to 100,000’s of desktops/servers

•    What are the breakage/failure rates

•    How much does it cost to operate and maintain

Can it scale to hundred’s of thousands of desktops? Most people who are familiar with EPO will understand that deploying at those scales is a very different ball game. You can’t keep 100,000 TCP connections open to your management sever, most boxes will die at 4000 open TCP connections. You have to deal with reporting and event-flood at that scale.

MFE Application Control is fully integrated into EPO and that is a BIG win. It uses the EPO plumbing to achieve scalability. The management architectures of the competitors architecturally will fail to scale to such numbers.

At one point in the report there is a mention of the memory protection provided by CoreTrace. Again memory protection is an interesting concept, for most solutions out require tuning to make it work. So question to ask is what % of your systems will it work? And the feature of killing running process if a buffer overflow is detected is it a good looking demo? But what are the failure rates: false positives and negatives?

How much does it cost to operated and maintain? Whitelisting is not a new concept. The problem has always been of management of the whitelist. MFE Application Control has a lot of investment and features which dramatically reduce this cost and make it a viable solution for enterprises.

Summary

The InfoWorld survey has evaluated some aspects of solutions, but in my opinion has not covered 3 very important topics: How secure is the solution?; How secure is the cloud?; and Deploy-ability of the solution?

These are top of mind for every customer and should be included in any evaluation or comparison. As we have demonstrated several times in the field, MFE Application Control stands out as #1 as a deployable high security solution.

• A teacher should we willing to tolerate students who are different and wierd, just like one sees joy in ones kids and what they do.  One of my rules developed over the years for working with VCs and board members is that ones with kids are better. I don’t know how to put it exactly, but when one has kids, suddenly life is no longer about you, it becomes about them (for most of us). You begin thinking about their future rather than your own accomplishments.  It happens naturally. Now if you think of a teacher or a board member, it has to be about the student of the company, not about them.
• One should keep going to satsung if one knows the text, as different connections are made everytime you hear or participate. There is a similar saying in english: the books on my bookshelf are fixed, it is I who change and hence read different things in them each time. This is true of almost everything. I don’t have an MBA, but my wife has one from IIM Ahemdabad. So when we got married I asked her for all the books she read and read some of them. And as I go through differnt companies and experiences what I read in those books change. For those of you who have wondered why this blog is called circular insanity, it is for a very similar reason. I find that when learning anything new or when one has bookish knowledge the things one says are not very different than what someone with a lot of knowledge and experience says. Those two points are so close together that they almost touch in a circle, but you have to go through the application of that textual knowledge to arrive from one to the other, sometimes which takes a lifetime. Over the years I have come to realize that it is not really a circle, it is a helix. One when reaches the point where you understand the meaning behind the words, you simply shift your plane, as other things which you were unable to comprehend earlier, suddenly begin making sense, so you become a novice at the next level.
• There was something which Acharya Prabodh said today which I did not agree with. Although I may not have understood the meaning behind the words. He said that if you are asking a question and the teacher wants to give you an answer you have never heard before, you should say “namaskar” to the teacher from a distance. Because all questions and answers have been discussed earlier and you are looking for traditional answers. This goes completely against the grain of enterpreneurship, where you ask the same questions over and over again but the answers are different. Although in the context of life and how we should live it I think he is right that the answers have not changed. Ofcourse one is tempted to ask the question as to why are we chasing all this innovation, does it do us any good in the long run, if this is all “maya” then what is new anyway. I don’t know the answer to that. although this is all “maya” but I feel one thing technology has really done is to make it easier to communicate. I can talk to my parents every day and see their picture and they can see the grandkids, that is a gift of science. It allows people to stay connected and be part of each other’s life. So is the innovation meaningful and what has it done. If the goal of life is happiness, then it does make you happy, although at an abstract spiritual level nothing may have changed

VMWare, Cisco and EMC announced the VCE coalition today. It is a great move which can deliver value to the customer. The question is which customer?

Typically vertical integration of layers into an easy to use and consume package has been the mantra for selling solutions to mid-market or small workgroups. For larger enterprises this has not worked. Also most of such packages in the past have been focused on ease of use and simplifying management.

VCE just by the power it packs looks more like an enterprise offering. Usually the challenge in doing this for the enterprise is that the high end its is very difficult to characterize the input or standardize the parameters, thus fix the output in any meaningful fashion. V-Blocks will answer the question: for this workload we have tested, here are the performance numbers. The question is whether it is representative workload. I have not met a fortune 1000 database administrator yet, who will agree that his workload can be templatized.

Also I think Acadia is a mistake. One thing that Citrix mastered from a channel point of view is product should be simple enough for the channel to install it, complicated enough that the customer can’t do it themselves. This enables the channel to make some high margin money and thus promote the product. Cisco would have been better off having the likes of Accenture or Infosys stand up with them with v-Blocks being an area of competence. Maybe thats the plan.

Many educated people, including myself,  struggle with religion and God.  Their analytical brain says how could such “miracles” happen. We have been taught to question everything, how can we just accept HIS existence. I struggle with it myself. Are the stories in Indian mythology true or not?

I had an epiphany which I wanted to share. My good friend Suman and his wife gifted me with a art work of Lord Ganesha couple of days back. When I opened the present the first thought that struck my head was this house is blessed with Lord Ganesha. From listening to Guru Prabodh talk about the Ramayana: Lord Ganesha is the remover of obstacles. And so he does.

One way I have accepted religion is that God is omnipresent. He is present in each one of us. All the attributes we see in God are reflected in different aspects of our personality. For example, there is a part of us which is the “remover of obstacles”.  As we go through life we develop these parts to different degrees. A lot of it is conditioning of our thinking and our mind. For example, not dwelling on the negative, controlling our ego, channeling our energy on the positive. Offer and receive unconditional love.

I also think that accepting God is also a lot about “giving up control” mentally. A lot of us struggle with that, we would rather walk away than not be in control. To accept that we don’t control everything, thus whatever we achieve  is because of the help and support of others, but not an individual effort, is a big step forward in thinking and maturity. It also helps to prepare us for failure.

If you define one aspect of God as the perfect state of ones mind. It takes a lot to get there. For example, you have to remove the clutter of everyday problems and thoughts. The scientific part of me asks the question is it possible to be aware of the working of the internal part of the body and thus change it. The famous Hindu rishi and gurus have been said to achive that. It does seem that it should be possible. If you look at all modern day medicine it is about figuring out how to communicate with the various parts and organs of the body and change their behavior. If you could control them using your brain then all you need to do is be one with your brain. Perhaps we need to look in different directions.

So one path to God is to improve the qualities in ourself which we see depicted in him and his incarnations. I belive this can make you happier and life fulfilling.

The first article seems to have generated a lot of discussion.

Most of the comments in the first article seem to say the following

• Cricket is a team sport, so you can’t blame Sachin if the team doesn’t perform
• He holds all the records and has inspired the new generation of cricketers
• ….

I don’t disagree with the comments. Mike Singletary who coaches the 49er’s in San Fransisco has a line I really like: “There is no moral victory”.  Similarly no matter what people say, Sachin has not won a world cup for India. For me personally that means he has not touched “greatness”. That greatness which transforms you, and you only need to touch it once.

Yes cricket is a team sport, but one inning can transform the match. Remember Adam Glichrist innings in the world cup final against India. There are many paths to failure, only a few to success.

Ronaldo did not become great, no matter what he did at a club level, till he scored those goals in the final to power Brazil to the World Cup.

Interesting article on brianmadden.com regarding using applocker as a licence enforcement mechanism.

http://www.brianmadden.com/blogs/timmangan/archive/2009/10/29/AppV-and-AppLocker.aspx

App-v and other technologies like it create breakage. The question is how much breakage and how easy it is to fix. The answers to those questions determines whether it is a dev tool for developers, something that consulting houses can do or an IT admin can do.

What has this got to do with security you ask? Well the answer to that question determines how much lockdown you can do with applocker.

If there is a lot of downstream cusatomization, it becomesd hard to use app-locker. The challenge in whitelisting is not the enforcement mechanism, but the configuration of the white-list: its coverage and maintenance.

Over the years the wrapping of apps by app-v has improved. There is betterr handling of things like winzip (which broke because it registered a shell extension) or apps which required a service. But still in general apps which have multiple processes communicating with each other and/or a service are very challenging.

Citrix has had this problem for a long time also. So if you are a developer of the app you can fix this, but to do it in the field and for complex applications not only is tough but also complex. Then to make a whitelist for it is challenging.

Another difference between whitelisting for security versus licencing is that for security the whiterlisting need to be complete. Imagine you missed some drivers from the whitelist, your machine won’t even boot.

But for licensing you are using the WL as an access control mechanism, very different. For example you can say that WL is applicable only to app-v apps, that’s not security but licensing.

We should keep the two separate.

I am sitting at Bangalore airport, having spent the day at nasscom and the previous week in Japan. A little homesick and exhausted.

One thing which hit me in Japan and here is the number of people talking about cloud. At first I dismissed it as people following the buzz. But it seemed to be deeper than that.

One thing very different about India and Japan is that they are phone centric. When people start a company in India they think mobile, not PC. In this world cloud means VAS or value added services on the mobile network.

Those services have always lived in the cloud. Imagine a headline like “Your phone will backup your computer to the cloud”. It is the complete opposite of what we would think in the US “your computer will backup your phone”.

Phone based services have always lived in the cloud. As netbooks and things like kindle which connect to the phone network by default OR if the connectivity is provided by the same companies the notion of cloud based services changes.

So we may find in a copuple of years that the cloud is a telco or mobile operator thing with countries like Japan and India way ahead in consumer adoption while the US is ahead in enterprise adoption.

Wonder which one will be bigger?

Before the class begins there is a small prayer and usually some kid comes and states the values if the Chinmaya Mission. One of the values is:

- Give more than you take, Produce more than you consume

Its a simple concept: revenue should be higher than expenses. The problem here is ‘credit’. I am consuming more today so that I can produce more in the future. People without credit don’t go bankrupt.

I don’t mean bankrupcy in terms of money, but also values, health of companies, our moral and mental health.

- Evolution of faith: blind –> non-blind –> conviction

Faith is a concept or effort goes through three stages. We start with blind faith, which is slowly transformed into conviction.

When you do a startup, usually someone with a product idea with blind belief that if we build it they will come. As you talk to more customers that belief gets transformed into conviction.

- Ram & Sita: can’t say they are the same, can’t say they are different. Just like speech & meaning, wedding & marriage, house & home, water & wave.

The engineer thinks of it as water. Marketing transforms into a wave.

- We seek security from what’s constantly changing: accomplishments, position, title, our body. Nothing in the world is independent.

It is amazing how many folks are trying to seek security through clauses in their offer letters in todays ever changing corporate world.

- God is the cause and not the effect

- In life the background noise is problems and complaints. We seek freedom from that.

Wish we had the equivalent of noise cancelling headphones for life? The goal is freedom, ask any enterpreneur. Or is it: you don’t want to be acquired?

What is noise in you life and what is music? Amplify the music.

- Three realities in the world:
* Absolute Reality
* Transactional Reality
* Illusionary existence

- Klesha’s:
* avidya: ignorance:I don’t know my true self
* asmita: I am so and so
* raga: I have to have this
* dvesha: I can’t stand this
* abhinivasha: submerged in that I am in this body, body related thinking, result of it is fear of death

- Shreyas = moksha = absolute good

Some nuggets…..

Hard to change brainware: hardware and software is easy

Update after every transaction, not based on calendar

If you left it upto TSA no one would get into planes

One button to talk to all the generals in gulf war

Balance between threats and vulneribilities and organizational efficiency

Leader knew reality of the situation and acted on it

Gorbachev: openness and restructuring

Information is bringing the world together, we need to make sure that faith in the information continues.

Creation of wealth: get people up from the poverty line

Energy, Water and Environment

Who we are and what we are in America?

Japenese Businessman when asked what is your fav city?
Why NY?
Its the only city where when I am walking down the street they ask me for direction

Hope, Open dreams and Opportunity

Nation of nations

David Milam CMO giving overview of the conference. Lots of
presentations from customers. Going over logistics.

DDW runs up to the stage ….

Human Protection history; cows, eggs, homes, houses, castles, ships… Now protection of cyber world. First virus 1986. Now time to protect online assets.

Attack sophistication is going through the roof.

Malware: 500 percent up last year
80% to steal money
20% for disruption
25K samples a day

Web: 1.5 M web sites a month
DNS attacks
Cross Site Scripting
Defacing

Network: 400K zombies a day
Conficker/Korea
Critical Infrastructure

Data: 1 trillion a year
Autorun.exe
Usb and phones
Compliance

Email: spam=malware
Up 10% a year
Spear phishing
New protocols

MFE Strategy:
Multi-layer defense, multi-correlated defence, real time visibility

Security at every layer: chip, os, virtual, usb sticks,

Solution Stack:
EPO
Endpoint: greatly expanded coverage of platform (Solidcore)
Network
Data Center
Extended Supply Chain
Across networks

Interlocked
Outside Threat
Inside Threat: 99% of data theft
Malicious insider who come to steal

Intelligence Integration
The cloud and intelligence
30M users connected constantly to the cloud
.More than aq million appliances talking to the cloud
Application intelligence (solidcore, known good) whitelisting is key for this intelligence
Open invitation to develop intelligence

SIA partner program
Common agents, reports, policy, dashboards
Different vectors talking to each other
Partner eco-system: correlating different vectors

Real time visibility

George Kurtz, CTO of MFE
Presenting a demo of McAfee Risk Advisor (awesome product)

Why does this matter:
Money, reputation, brand –> action

MFE has grown from an AV company to a Security Company