RSA Conference Guide 2014 Deep Dive: Network Security

By Mike Rothman

As we begin deeper dives into our respective coverage areas, we will start with network security. We have been tracking the next generation (NG) evolution for 5 years, during which time it has fundamentally changed the meaning of the perimeter – as we will discuss below. Those who moved quickly to embrace NG have established leadership positions, at the expense of those that didn’t. Players who were leaders 5 short years ago have become non-existent, and there is a new generation of folks with innovative network security approaches to handle advanced attacks. After many years of stagnation, network security has come back with a vengeance.

Back to Big Swinging (St)icks

The battle for the perimeter is raging right now in network security land. In one corner you have the incumbent firewall players, who believe that because the future of network security has been anointed ‘NGFW’ by those guys in Stamford, it is their manifest destiny to subsume every other device in the perimeter. Of course the incumbent IPS folks have a bit to say about that, and are happy to talk about how NGFW devices keel over when you turn on IPS rules and SSL decryption.

So we come back to the age-old battle when you descend into the muck of the network. Whose thing is bigger? Differentiation on the network security front has gone from size of the application library in 2012, to migrating from legacy port/protocol policies in 2013, to who has the biggest and fastest gear in 2014. As they work to substantiate their claims, we see a bunch of new entrants in the security testing business. This is a good thing – we still don’t understand how to read NSS Labs’ value map.

Besides the size of the equipment, there is another more impactful differentiation point for NGXX boxes: network-based malware detection (NBMD). All the network security leaders claim to detect malware on the box, and then sling mud about where analysis occurs. Some run analysis on the box (or more often, set of boxes) while others run in the cloud – and yes, they are religious about it. So if you want to troll a network security vendor, tell them their approach is wrong.

You will also hear the NGXX folks who continue to espouse consolidation, but not in a UTM-like way because UTM is so 2003. But in a much cooler and shinier NGXX way. No, there is no difference – but don’t tell the marketeers that. They make their money ensuring things are sufficiently shiny on the RSAC show floor.

More Bumps (in the Wire)

Speaking of network-based malware detection (NBMD), that market continues to be red hot. Almost every organization we speak to either has or is testing one. Or they are pumping some threat intelligence into network packet capture devices to look for callbacks. Either way, enterprises have gotten religion about looking for malware on the way in – before it wreaks havoc.

One area where they continue to dawdle, though, is putting devices inline. Hold up a file for a microsecond, and employees start squealing like stuck pigs. The players in this market who offer this capability as a standalone find most of their devices deployed out-of-band in monitor mode. With the integration of NBMD into broader NG network security platforms, the capability is deployed inline because the box is inherently inline.

This puts standalone devices at a competitive disadvantage, and likely means there won’t be any standalone players for much longer. By offering capabilities that must be inline (like IPS), vendors like FireEye will force the issue and get their boxes deployed inline. Problem solved, right? Of course going inline requires a bunch of pesky features like fail open, hot standby, load balancing, and redundant hardware. And don’t forget the flak jacket when a device keels over and takes down a Fortune 10 company’s call center.

ET Phone Home

Another big theme you will see at this year’s RSA is the attack of Threat Intelligence (TI). You know, kind of like when ET showed up all those years ago, got lost, and figured out how to send a network ping zillions of light years with a Fisher Price toy. We are actually excited about how TI offerings are developing – with more data on things like callbacks, IP reputation, attack patterns, and all sorts of other cool indicators of badness. Even better, there is a specific drive to integrate this data more seamlessly into security monitoring and eventually update blocking rules on network security devices in an automated fashion.

Of course automatic blocking tends to scare the crap out of security practitioners. Mostly because they saw Terminator too many times. But given the disruption of cloud computing and this whole virtualization thing, security folks will get much more comfortable with having a machine tune their rules, because it’s going to happen fast. There is no alternative – carbon-based units just can’t keep up.

Though we all know how that story featuring Skynet turned out, so there will be a clear focus on ensuring false positives are minimized, probably to the point of loosening up the blocking rules just to make sure. And that’s fine – the last thing you want is a T1000 showing up to tell you that sessions you knocked down caused a missed quarter.

Network and Endpoints: BFF

When it comes to advanced malware, the network and the endpoints are not mutually exclusive. In fact over the past year we have seen integration between endpoint folks like Bit9 and network-based malware detection players such as FireEye and Palo Alto Networks. This also underlies the malware defense stories coming from Sourcefire (now Cisco) and McAfee, and pushed the FireEye/Mandiant acquisition announced in January. You can bet the Mandiant folks were drinking some high-end champagne as they welcomed 2014.

There is method to the madness, because network folks need visibility on endpoints. These network detection devices are going to miss at some point, both due to new attack tactics (those notorious 0-days) and devices that escape the comfy confines of the corporate network and perimeter defenses. It’s hard to keep track of those pesky laptops and mobile devices. If you can’t catch everything on the way in, you had better be able to figure out what happened on the devices and determine if that thing you missed caused a mess – quickly.

So what does it mean? You will likely see a bunch of kumbaya on the show floor – these enemies are now friends. Best friends, at that.

Clouds on the Horizon

As we wrote in the key themes, cloud everything remains a big driver of security stuff. And yes, it’s boring. But the network security folks have been largely left out of the cloudwashing for the past few years, and this year they will catch up. We will cover that in depth in our cloud security deep dive, but for now suffice it to say all the network security vendors continue to roll their stuff into VMs and AMIs that can run in public and private clouds. So they are ready to solve the cloud computing security problem. As usual, incumbents continue to solve yesterday’s problem tomorrow.

This isn’t all bad – just understand the potential performance impact of having to route all your traffic through a virtual network security device choke point to enforce policies. But all those issues go away as Software Defined Networks (SDNs) provide much more flexibility to route traffic as you need, and offer bigger, faster networks. SDNs do promise to change a lot, but be wary of the double-edged sword – now your admins (or anyone who hacks them) can press a button and take your entire security layer out of the traffic flow.
