<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Circular Insanity</title>
	<atom:link href="http://rosensharma.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://rosensharma.wordpress.com</link>
	<description>are you sanely insane or insanely sane</description>
	<lastBuildDate>Tue, 07 Jul 2009 05:27:55 +0000</lastBuildDate>
	<generator>http://wordpress.com/</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<image>
		<url>http://www.gravatar.com/blavatar/d112cbe27fa648398ef3120220338cdf?s=96&#038;d=http://s.wordpress.com/i/buttonw-com.png</url>
		<title>Circular Insanity</title>
		<link>http://rosensharma.wordpress.com</link>
	</image>
			<item>
		<title>VDI: early adopters are out there</title>
		<link>http://rosensharma.wordpress.com/2009/07/06/vdi-early-adopters-are-out-there/</link>
		<comments>http://rosensharma.wordpress.com/2009/07/06/vdi-early-adopters-are-out-there/#comments</comments>
		<pubDate>Tue, 07 Jul 2009 05:27:55 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Citrix. Vmware. ESX]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[thin client]]></category>
		<category><![CDATA[VDI]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=177</guid>
		<description><![CDATA[Having been skeptical about the adoption of VDI, I was surprised recently to learn that at least 5 major banks have moved large chunks of their desktops or are in the process of moving them to VDI. I did not get a chance to understand what the drivers for this were, but at least the early adopters [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Having been skeptical about the adoption of VDI, I was surprised recently to learn that at least 5 major banks have moved large chunks of their desktops or are in the process of moving them to VDI. I did not get a chance to understand what the drivers for this were, but at least the early adopters are out there.</p>
<p>In addition their architecture looked very similar: ESX backend, Citrix Stack in front, HP thin clients (XPE/Linux). Even that was surprising. Again I did not get a chance to ask what storage they use etc.</p>
<p>Traditionally on Sand Hill, people say that once the financials buy, the rest of the country follows. I would be convinced if I saw a couple more industries. But I must say I was surprised.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/07/06/vdi-early-adopters-are-out-there/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Why Solidcore functionality with EPO is powerful?</title>
		<link>http://rosensharma.wordpress.com/2009/06/24/why-solidcore-functionality-with-epo-is-powerful/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/24/why-solidcore-functionality-with-epo-is-powerful/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 19:03:36 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Change Control]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=175</guid>
		<description><![CDATA[At an abstract level, we can view IT infrastructure as a black box: change is the input, and logs, events and application behavior are the output. Correlation between the two is Nirvana and very, very powerful for IT.
To give an example, let us say there is a security incident flagged by EPO, an unauthorized binary [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>At an abstract level, we can view IT infrastructure as a black box: change is the input, and logs, events and application behavior are the output. Correlation between the two is Nirvana and very, very powerful for IT.</p>
<p>To give an example, let us say there is a security incident flagged by EPO: an unauthorized binary attempted to run. You can click on it and it will tell you how it got there and which user got it. And it may take no more than 5 minutes for all this to happen. That is the power of correlation between event (output) and change (input).</p>
<p>For some events mapping between the event and change is straightforward. For others it is more involved. In general mapping a user action (like setting a configuration), correlating it to the changes it causes and then mapping those to events and logs becomes very interesting and core IP.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/24/why-solidcore-functionality-with-epo-is-powerful/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Whitelisting of Virtual Images</title>
		<link>http://rosensharma.wordpress.com/2009/06/23/whitelisting-of-virtual-images/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/23/whitelisting-of-virtual-images/#comments</comments>
		<pubDate>Wed, 24 Jun 2009 05:29:52 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Virtualization whitelisting]]></category>
		<category><![CDATA[windows7 MEDV kidaro]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=173</guid>
		<description><![CDATA[Virtualization turns everything, including security, on its head. Imagine a machine running VM Workstation or Sun Virtual Box. What does it mean to whitelist this machine? If you whitelist the VM Workstation application then it can run any virtual image that the user brings.
We began looking at this problem last year and have come [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Virtualization turns everything, including security, on its head. Imagine a machine running VM Workstation or Sun Virtual Box. What does it mean to whitelist this machine? If you whitelist the VM Workstation application then it can run any virtual image that the user brings.</p>
<p>We began looking at this problem last year and have come up with a solution which enables the whitelisting of virtual images!! Yes only images which are authorized by the enterprise can be run. This is a very cool feature and will become essential with MED-V or Kidaro as people migrate to win7 and need to run an XP machine for their legacy applications.</p>
<p>Technically, this is very challenging to do. We had to come up with a solution which allowed virtual images to run, but not their clones (although snapshots of a whitelisted image are allowed to run). We are still working through how this gets integrated with McAfee EPO and shipped to customers, but it is very exciting.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/23/whitelisting-of-virtual-images/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>My issue with VDI ROI?</title>
		<link>http://rosensharma.wordpress.com/2009/06/23/my-issue-with-vdi-roi/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/23/my-issue-with-vdi-roi/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 16:15:10 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=170</guid>
		<description><![CDATA[Damon Tepe responded to my earlier post &#8220;cost savings on VDI&#8221;. I thank him for educating all of us. I have tried to articulate my reservations about the ROI for VDI. I have been doing startups for the last 17 years. How do you decide whether a product is a good idea or not: my [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Damon Tepe responded to my earlier post &#8220;<a href="http://rosensharma.wordpress.com/2009/06/18/cost-savings-for-vdi/" target="_blank">cost savings on VDI</a>&#8221;. I thank him for educating all of us. I have tried to articulate my reservations about the ROI for VDI. I have been doing startups for the last 17 years. How do you decide whether a product is a good idea or not? My litmus test has boiled down to: does the customer need to make a decision independent of the knowledge of your product?</p>
<p>Usually one confuses customer interest with intent to buy. Yes, a lot of customers are interested in VDI, but what is the driver? What decision do they need to make for which VDI is the best answer?</p>
<p>The article and the slant on the ROI imply that the primary driver for this is the &#8220;hardware refresh cycle&#8221;. Most enterprises have a hardware (desktop) refresh cycle which is 3-4 years. The hardware refresh cycle on laptops is killing people, because laptops don&#8217;t last more than 2 years in several cases. This is where using thin clients is being seriously considered. If you look at current deployments of thin clients, they are in public places like libraries or in fixed-function settings like call centers, check-in stations at hospitals etc.</p>
<p>The second driver that I have seen is Disaster Recovery and all the requirements that came out of 9/11. You may be mandated to set up a DR infrastructure for people to work from home or a remote location. While this is a compelling use of VDI, we have not seen real world deployments outside Wall Street in large numbers.</p>
<p>The use case that is out there, that I think will transform the whole desktop space and stack, is the migration to Windows 7. The reason is that the &#8220;customer has to make a decision&#8221; independent of the solution out there. If VDI is the right solution for this problem then it will win; my suspicion is that it is not. Desktop admins don&#8217;t want to run server farms :-) and it has a high barrier to entry, but that remains to be seen.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/23/my-issue-with-vdi-roi/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Coretrace announces Bouncer 5.0</title>
		<link>http://rosensharma.wordpress.com/2009/06/23/coretrace-announces-bouncer-5-0/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/23/coretrace-announces-bouncer-5-0/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 14:50:34 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Application Whitelisting]]></category>
		<category><![CDATA[bit9]]></category>
		<category><![CDATA[Coretrace]]></category>
		<category><![CDATA[tripwire]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=167</guid>
		<description><![CDATA[Here is the announcement from CoreTrace. They seem to have added support for whitelisting of ActiveX. It is great to see vendors in this space beginning to worry about things other than pure binaries. Just FYI, Solidcore (McAfee AWL) has had support for this for some time. The tough issue here is a lot of [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Here is the announcement from CoreTrace. They seem to have added support for whitelisting of ActiveX. It is great to see vendors in this space beginning to worry about things other than pure binaries. Just FYI, Solidcore (McAfee AWL) has had support for this for some time. The tough issue here is that a lot of download/upload clients in the browser are done via ActiveX. So you have an ActiveX component that is signed, and it downloads a driver update: should the driver be allowed to run?</p>
<p>INTRODUCING BOUNCER 5.0 Award-Winning Application Whitelisting Solution Extends Memory Protection &amp; Enables ActiveX Whitelisting</p>
<p>CoreTrace continues to redefine the antivirus and configuration control markets with the release of BOUNCER 5.0 featuring:</p>
<ul>
<li>An industry-first ability to seamlessly allow and whitelist trusted ActiveX installations</li>
<li>Improved memory protection</li>
<li>Automated and streamlined deployments</li>
<li>Efficient management capabilities like group security configurations</li>
</ul>
<p>BOUNCER 5.0 is the only application whitelisting solution that simultaneously stops even the most sophisticated malware attacks while allowing users to safely install new applications and have them automatically added to the whitelist without requiring IT involvement. No other solution on the market today is capable of automatically installing ActiveX signed by Trusted Digital Signatures. BOUNCER 5.0 is also outfitted with enhancements to CoreTrace&#8217;s leading memory protection capabilities. In addition to preventing the execution of payloads deposited via a memory exploit, BOUNCER 5.0 addresses major classes of exploits directly, such as DLL injections and attempts to write to kernel-memory.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/23/coretrace-announces-bouncer-5-0/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Challenges with Traditional White Listing</title>
		<link>http://rosensharma.wordpress.com/2009/06/18/challenges-with-traditional-white-listing-bit9-symantec-part-i/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/18/challenges-with-traditional-white-listing-bit9-symantec-part-i/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 23:25:27 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[AWL]]></category>
		<category><![CDATA[bit9]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[white listing]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=160</guid>
		<description><![CDATA[White Listing is not a new concept. It has been around for a long time and refers to the ability to run only a known white list of “good” programs on a device. Traditionally, security solutions such as anti-virus have focused on the black list concept where they look for known “bad” stuff. A [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>White Listing is not a new concept. It has been around for a long time and refers to the ability to run only a known white list of “good” programs on a device. Traditionally, security solutions such as anti-virus have focused on the black list concept where they look for known “bad” stuff. A big part of both the white list and the black list approach is that the lists need to be constantly updated. We have all experienced this with our anti-virus solutions, which download updates and signatures of newly discovered malware to add to the black list.</p>
<p>White listing has not been widely adopted because of the difficulty in creating a white list. If you fail to enumerate all the “good” software in the white-list, the device may fail to function. Note this is different from a black-list: if you omit something from a black-list, the device will still function but some malware may run. The fact that the white-list has to be complete poses a big challenge as the machine is updated: every time the machine is updated, the list needs to be updated.</p>
<p>The most recent approaches for white-listing include repositories of known good software collected either by the US Department of Defence (http://www.nsrl.nist.gov/), or from the National Drug Information Center (http://en.wikipedia.org/wiki/HashKeeper/). These have formed the basis for white-listing approaches provided by companies such as Bit9 etc. It is very difficult to lock down a machine based on these white-lists as they are not complete. The best you can do is use them to report programs which are running but not in the “known” list. In addition, just because something is in a global whitelist does not mean that it should be allowed to run in your enterprise.</p>
<p>Most vendors punt on this problem by creating a &#8220;gray&#8221; list. What ends up happening is that the gray list grows over time and essentially the system is not secure. Another manifestation of both the issues highlighted above: think about a program which is in the whitelist and gets updated. What should happen? Should the updated program be allowed to run? Solutions like Bit9 and others don&#8217;t maintain the integrity of the machine (for example, by write-protecting the binaries in the whitelist), so malware can overwrite these binaries and either cause a denial of service (system won&#8217;t boot), or the whitelisting software will quietly push the binary into the gray list and voila, the system will run but compromised. (Note: some vendors may say you can set up write protection file by file, but this is useless, as no one is going to do this manually; unless it is integrated and automatic with the whitelist, it is not effective.)</p>
<p>Another challenge with solutions like Bit9 is that they don&#8217;t protect the integrity of the running program. So if a whitelisted program is running and is compromised (buffer overflow), not only can the &#8220;external code run&#8221; but it can also make changes. Any whitelisting solution without system integrity (on-disk &amp; in memory) is not a good security solution.</p>
<p>The other dimension that all whitelisting vendors today (except Solidcore &amp; now MFE) ignore is what to do with scripts, Java etc. Bit9, Symantec etc. only tend to cover OS images or application binaries. It is outside the scope of most of these solutions to cover custom applications or to cover applications that are written in languages such as Java (several POS applications tend to be Java based). So you can use whitelisting from Bit9, but it can be bypassed by writing a Java application or a VBScript. For most enterprise desktops, again, this is not a viable solution. The breadth of the solution is not a nicety, it&#8217;s a necessity.</p>
<p>Continuing along the same theme: Bit9 or Symantec don&#8217;t provide whitelisting of kernel mode components. Thus you can add a device driver to the kernel or something during bootup.  This is something that is architecturally very difficult and is not something that can be retro-fitted in.</p>
<p>To summarize: does your whitelisting solution have breadth (scripts, binaries, libraries)? Does it lead to a large gray list? If it works off a global list: how good is the list, which country is it compiled in, and if something is in the list, should you run it? Does the whitelisting solution guarantee system integrity (on-disk and in memory)? Does the whitelisting cover kernel components?</p>
<p>In the next part we will take a more technical view of how you need to carefully assess how the solution is built and how easy it is to bypass.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/18/challenges-with-traditional-white-listing-bit9-symantec-part-i/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Cost Savings for VDI</title>
		<link>http://rosensharma.wordpress.com/2009/06/18/cost-savings-for-vdi/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/18/cost-savings-for-vdi/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 16:46:14 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Change Control]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=157</guid>
		<description><![CDATA[I was reading an article by Paul Ghostine, VP &#38; GM Desktop Virtualization Group, Quest Software, where he had the following ROI for VDI (for 1,000 desktops)
Hardware Savings: 610,00  (as compared to buying a thin client and making the hardware refresh cycle 6 years from 3 years. Desktop costs ~ 2500 &#38; thin client [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>I was reading an article by Paul Ghostine, VP &amp; GM Desktop Virtualization Group, Quest Software, where he had the following ROI for VDI (for 1,000 desktops)</p>
<p><strong>Hardware Savings: 610,00 </strong> (as compared to buying a thin client and making the hardware refresh cycle 6 years from 3 years. Desktop costs ~ 2500 &amp; thin client 300)</p>
<p><strong>Power Consumption</strong>: 85,000</p>
<p><strong>Downtime Savings</strong>: 98,000</p>
<p><strong>Optional Office Space Savings (Telework)</strong>: 2,400,000</p>
<p>The whole argument seems very weak. I think we are still searching for the business driver which will drive this adoption.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/18/cost-savings-for-vdi/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Convergence of Whitelisting and Image Management</title>
		<link>http://rosensharma.wordpress.com/2009/06/18/convergence-of-whitelisting-and-image-management/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/18/convergence-of-whitelisting-and-image-management/#comments</comments>
		<pubDate>Thu, 18 Jun 2009 15:53:56 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Change Control]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=154</guid>
		<description><![CDATA[Solidcore (now part of McAfee) had an interesting evolution. We started off as a security company to prevent &#8220;bad&#8221; stuff from running on the machine. The methodology we evolved to stop the bad stuff was to keep a list of all good stuff and then make sure that the updates to this list were &#8220;authorized&#8221;. [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>Solidcore (now part of McAfee) had an interesting evolution. We started off as a security company to prevent &#8220;bad&#8221; stuff from running on the machine. The methodology we evolved to stop the bad stuff was to keep a list of all good stuff and then make sure that the updates to this list were &#8220;authorized&#8221;. Over the years this methodology in the security world came to be known as whitelisting, where only things in the good (or &#8220;white&#8221;) list can run.</p>
<p>Well it turns out that a similar thing was happening in the provisioning/patching world in the enterprise. If you look at vendors like Microsoft SMS, HP Radia, Opsware, Bladelogic (so both desktop and server side), they came up with technology to create gold images or builds, and to find out what on the machine was different from what was recorded in the system. They did this for completely operational reasons without necessarily thinking about security. If you look at their dashboards they show which systems are &#8220;all good&#8221; and which systems have &#8220;unknown&#8221; stuff which is not part of the standard images. While this was not called &#8220;whitelisting&#8221;, it effectively is a whitelist where the whitelist is maintained at the level of images and packages, rather than individual files.</p>
<p>Luckily for Solidcore some of our customers, namely a gentleman called Lynn Trent @ GM and Randy Barr @ Webex (Cisco), saw this and realized its impact way before the industry did or we did.</p>
<p>So our product evolved to take ideas from both worlds and today this has become a really powerful concept. Essentially if you put on the operations hat Solidcore tells you what has changed and can compare it to your change process or your image process to point out anomalies. If you put on the security hat it only allows the things which are part of your whitelist (from an imaging world or from a security world) to run. Thus we sometimes use the term &#8220;integrity&#8221; to describe what we do.</p>
<p>We help maintain the on-disk integrity (change control) and the run-time integrity (security) of a system. This paradigm is revolutionary, but new to most companies. But we are beginning to see a lot of adoption of this in the Enterprise. Once you explain it people get it.</p>
<p>Now you can also see how we began competing with Tripwire for PCI. Tripwire essentially solves the FIM (file integrity monitoring) problem for PCI as it scans and tells you what files have changed (this is very similar to what most provisioning products do). If you were to make it simple: Tripwire monitors if your on-disk integrity has been violated. Solidcore detects whether your on-disk integrity has been violated, it can also prevent it from being violated and lastly it uses this information to ensure via whitelisting that your run-time integrity (what can run) is not violated. That is a very powerful combination and once customers see it in action they can see the vision.</p>
<p>This has been a runaway success in environments where image management and security have traditionally been one role, for example retail. Typically store management falls under one person. Also in large enterprises where the CISO and the VP Operations are peers and have good communication, this paradigm is easily adopted.</p>
<p>As part of McAfee we now have the opportunity to share this with a much larger set of people and also do some other very interesting integrations with EPO (will write another article on that).  I believe that this will change how enterprises view end-point security in the next decade.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/18/convergence-of-whitelisting-and-image-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>EPO + Solidcore is a Tripwire Killer</title>
		<link>http://rosensharma.wordpress.com/2009/06/17/epo-solidcore-is-a-tripwire-killer/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/17/epo-solidcore-is-a-tripwire-killer/#comments</comments>
		<pubDate>Wed, 17 Jun 2009 16:38:06 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[Change Control]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=152</guid>
		<description><![CDATA[One of the companies most threatened by McAfee&#8217;s acquisition of Solidcore is Tripwire. Tripwire had a head start over Solidcore, they had been around for 5-6 years longer and got lucky with their name being mentioned in the PCI 1.0 spec document (which has now been removed). Those two factors put them in a sweet [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>One of the companies most threatened by McAfee&#8217;s acquisition of Solidcore is Tripwire. Tripwire had a head start over Solidcore, they had been around for 5-6 years longer and got lucky with their name being mentioned in the PCI 1.0 spec document (which has now been removed). Those two factors put them in a sweet spot when vendors began looking for PCI FIM solutions. To Tripwire&#8217;s credit they seized the opportunity and made hay. However their basic technology has remained unchanged for over 12 years. Sure there have been improvements in reporting and the # of templates they have, but the core remains the same.</p>
<p>Solidcore and Tripwire began competing with each other about 2-3 years ago. And we (Solidcore) were beating them in large enterprise accounts based on our pro-active technology. That is not to say that Tripwire was not winning large accounts; we simply did not compete in several because our salesforce was smaller and also in some places the size of the company became an issue.</p>
<p>Both of the latter two disadvantages have gone away with the MFE acquisition. Now suddenly the Solidcore technology is in the hands of a global salesforce, with established relationships in large enterprise accounts (McAfee has a large share of this market as compared to Tripwire). And while it will take time for the sales team at McAfee to flex their muscle, the machine is coming.</p>
<p>I am also really happy for the customers as they are getting a much better solution for their money. Something that they can build a platform out of and deliver operational efficiencies in addition to obtaining compliance and security.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/17/epo-solidcore-is-a-tripwire-killer/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
		<item>
		<title>Orlando Magic vs Lakers</title>
		<link>http://rosensharma.wordpress.com/2009/06/16/orlando-magic-vs-lakers/</link>
		<comments>http://rosensharma.wordpress.com/2009/06/16/orlando-magic-vs-lakers/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 16:46:09 +0000</pubDate>
		<dc:creator>RS</dc:creator>
				<category><![CDATA[life]]></category>

		<guid isPermaLink="false">http://rosensharma.wordpress.com/?p=150</guid>
		<description><![CDATA[It was an amazing series. I am a big Phil Jackson fan, more so than a Lakers fan. I find basketball most fascinating in terms of how it mirrors the outcome of startups. The missed layup at the buzzer, the two free throws that Howard missed, so little is the difference between success and [...]]]></description>
			<content:encoded><![CDATA[<div class='snap_preview'><br /><p>It was an amazing series. I am a big Phil Jackson fan <img src='http://s.wordpress.com/wp-includes/images/smilies/face-smile.png' alt=':-)' class='wp-smiley' />, more so than a Lakers fan. I find basketball most fascinating in terms of how it mirrors the outcome of startups. The missed layup at the buzzer, the two free throws that Howard missed, so little is the difference between success and failure. I have done 6 startups to date. I look back and it is those really small moments, some deal which you fought and won, some deal which you lost. A negotiation where you over-committed or asked for too much. You try, try and try and either they all add up or it fritters away.</p>
<p>The thing which I am confused by is whether this is something that applies to life. Should you try, try and try or wait for it to come to you?</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://rosensharma.wordpress.com/2009/06/16/orlando-magic-vs-lakers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/69156a2297572ec944ff51c4343c6c0e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">RS</media:title>
		</media:content>
	</item>
	</channel>
</rss>