Introduction
Stephen Northcutt from the Security Laboratory conducts in-depth interviews with the thought leaders in information security. For every novel security product there is a thought leader, a man or woman of vision who sees the need and guides the creation of the security product. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu.
Kishore Kumar, CEO of Pari Networks
January 28th, 2008
By Stephen Northcutt
One of the ongoing research projects in the Security Laboratory is to work with the thought leaders in information security to get an understanding of their vision for our industry. We have recently had the honor of working with Kishore Kumar, CEO of Pari Networks, and we certainly thank him for his time.
Kishore, let's start with the what and why behind Pari Networks: please, what was the motivation to start Pari Networks?
Well Stephen, during my experience with Cisco Systems (spanning 10+ years) I looked at both enterprise and SMB/commercial customers, and in talking to them I found that there are challenges faced by both network/security operations folks and higher level executives/business unit managers.
I'll say, Kishore, just trying to keep up drives me nuts. What were the biggest issues that you found, say the top five?
The top five issues plaguing network and security operations are:
- What exists in my network? (Accurate Discovery & Inventory Assessment)
- What devices have reached their end of life? (Life Cycle Assessment)
- What security vulnerabilities does my network have? (Security Assessment)
- What configuration changes are happening in my network? (Configuration Assessment)
- What capabilities do my network devices have & what services are running on my network? (Capability Assessment)
I will spot you those are all important, but other than vulnerabilities in the network leading to a certain risk level, they seem to be mostly issues that impact operational folks, not so much senior management issues. What makes the top slot uncomfortable?
Similarly I found that when it comes to business/executive decision makers, these are the top issues keeping them awake at night:
- What security risks are in their network? (Security Assessment)
- Is the network in compliance with the mandated regulations? (Compliance Assessment)
- How much money is being spent every quarter on asset management? (Life Cycle Assessment)
- How to keep up the network availability while changes are implemented on the network? (Capability & Configuration Assessment)
So the way you see it, both the operational folks and senior management are concerned about the same broad categories for organizational IT, but they are concerned at a different level. I can see that being true for senior executives who have educated themselves about IT. So, we still want to drill down on Pari: what headache is Pari aspirin for?
Network or security operations staff are spending most of their time (more than 50%) on getting these assessments done, in most cases using manual methods or a set of unrelated tools; both approaches are resource intensive and do not always provide accurate results. In talking with friends in the channel, I also came to understand that they were faced with the same manual process and either had to keep their best people stuck doing assessments because they had the skill set, or they were not able to really address the client's needs because the information was impossible to find and illustrate.
"Pari can replace four to five other tools like Kiwi, Sniffer, Solar Wind, CAT Tool & RAT tool. This simplifies my work, reduces my costs, and I get better visibility and management capabilities than from the other tools." - Huey Ong, ePlus Technology
That is a good description of the pain the operations folks feel all right and, worse, it is a moving target; every couple of weeks you have patch cycles that can impact your business in ways ranging from subtle to catastrophic, and every couple of years there is a major technology change putting you in an "all bets are off" situation. So, what is your vision for Pari, how can you help?
Pari Networks products address all these pain points, providing one-click reporting and making it easy to get the information as needed. The platform provides faster service and feature delivery in addition to supporting new platforms and operating systems at a very fast rate. We made a conscious choice in initial product development to address usability, deployment and scalability with high priority in designing the architecture. Internally, Pari Networks can quickly adapt to new mandates or device coverage. Externally, the solution is delivered in a way that is equally well suited to SMB/Commercial, Enterprise and Managed Services customers. As one of our customers indicates,

"Pari Network's Paritra device provides reports that describe manufacturers' device flaws (vulnerabilities or bugs discovered over time) and how to fix them. Previously, we never had an automated tool to accomplish this; it was always a time intensive manual process potentially prone to errors because it involves an engineer interpreting the scope of the vulnerability and making a judgment call on the work around." - Victor Hsiang, Manager of the Security Architecture Group at TransUnion
So far, it sounds like what you are telling me is that this is a tool that helps with situational awareness. According to a US Navy web site, "Situational Awareness refers to the degree of accuracy by which ones perception of his current environment mirrors reality."[1] So, putting that into our context as computer security managers in business, we need to perceive what is going on with the business, understand the meaning of these events in context, and be able to predict what they mean going forward.[2]
This sounds like the oft discussed security officer / network manager dashboard or cockpit. You talk about internal or end users, and also managed services customers; wouldn't they have different needs?
From an end customer point of view I foresaw a big market opportunity for a hybrid product which combines network operations/configuration management, security assessments/remediation and regulatory/corporate compliance mandates, all from a single console. Currently the products in this space are either too fragmented (you need multiple products to get the same functionality), too complex to use, or cost prohibitive to many midrange and low-end customers.
From a managed services point of view the biggest difference was how you can define and deploy new services easily, and have accounting features to track them. Scale and high availability are the two key requirements for our managed services customers, since they have to keep up with SLAs (Service Level Agreements). The second major need for managed services customers is in the area of customizable data collection from the network:
- What data you want to collect from the customer network (different devices have different data collection depending on their location in the network)
- How often you want to collect the data
- How the data can be securely exported
I thought the Security Event Monitor (SEM) was the gadget being touted as the single console from which you do all your management; is that no longer the case? Can you help us understand where your products and vision differ from the SEM/SIM or SIEM?
SIM is mainly for looking at various events/logs from the devices and figuring out what is going on in the network. I would see this as a more "reactive" method of looking at things, since by the time you see some problem in a log, the problem has already occurred. I would consider our products as providing the "proactive" way of looking at things: we will make sure your network devices are protected through secure configurations, so technically you will not be seeing the problems that any SEM/SIM products are looking for.
I do not disagree; it seems there are two basic keys to information assurance, configuring equipment correctly and maintaining that configuration as new information becomes available, and since this is impossible, knowing the network traffic entering and leaving our organizations, the famous "detection is a must" security credo[3,4]. How does Pari help us with that difficult problem of maintaining the best possible configuration?
Pari provides two ways of maintaining the best possible configuration:
- By providing the secure baseline configuration for all the new devices (say a new router is deployed)
- Secondly, by keeping track of all configuration changes, and making sure any new configuration change detected always goes through the mandated policy audit defined for that device or device group, alarming the administrator in case of a violation.
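The two mechanisms just described, as an added example that is not Pari's code: a small Python policy audit run over constructed IOS-style configurations, first to check a new device's baseline and then again whenever the running configuration drifts from the stored one. The rule set, hostname and configuration lines are constructed assumptions for illustration.

```python
"""Added example (not Pari's code): audit a device's running configuration
against a policy and re-audit it whenever it drifts from the stored baseline."""
import re

# Constructed policy: (rule name, regex matched against each config line,
# whether a matching line is required or forbidden)
POLICY = [
    ("password-encryption", r"^service password-encryption$", True),
    ("http-server-disabled", r"^ip http server$", False),
    ("vty-ssh-only", r"^ transport input ssh$", True),
    ("no-default-snmp", r"^snmp-server community (public|private)\b", False),
]

def audit(config: str, policy=POLICY):
    """Return the names of the policy rules the configuration violates."""
    lines = config.splitlines()
    violations = []
    for name, pattern, required in policy:
        found = any(re.match(pattern, ln) for ln in lines)
        if found != required:
            violations.append(name)
    return violations

def changed_lines(stored: str, active: str):
    """Lines added to the active config and lines removed from the baseline."""
    stored_set, active_set = set(stored.splitlines()), set(active.splitlines())
    return sorted(active_set - stored_set), sorted(stored_set - active_set)

def review_change(stored: str, active: str, policy=POLICY):
    """Detect drift from the baseline; if any, audit the new config and
    return the alarms an administrator should see."""
    added, removed = changed_lines(stored, active)
    if not added and not removed:
        return {"changed": False, "alarms": []}
    return {"changed": True, "added": added, "removed": removed,
            "alarms": audit(active, policy)}

# Constructed baseline for a newly deployed router
BASELINE = """\
hostname edge-rtr1
service password-encryption
no ip http server
snmp-server community s3cr3t-ro RO
line vty 0 4
 transport input ssh
"""
# Constructed running config after an out-of-policy change
DRIFTED = """\
hostname edge-rtr1
service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("baseline violations:", audit(BASELINE))
    print("change review:", review_change(BASELINE, DRIFTED))
```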
Thanks for clarifying that; let's get back to understanding your product space. If you are positioning some or all of the Pari product suite as the primary management console, what is the primary reason a managed services provider would want to adopt this?
From a Managed Security Services point of view, I looked at where most (60%) of Cisco's revenue was coming from during the time I was employed there, and found that it was coming from Resellers/Distributors.
I imagine it is even higher today, Kishore; Cisco really seems to be focused on the partnership model.
Right, and most of the partners are just pushing boxes and fighting for very thin margins on the network gear. There are no specific incentives from Cisco for two partners, i.e. if both of them are at the same level (GOLD Partner, etc.). I thought if I could provide them with a platform that can be used to offer managed services, through which they can get to more lucrative "recurring" revenues, that will open up a new market for us as well as those resellers. In addition, these partners can resell the product to their customers. This provides them with more options to be part of their customer operations and to be a trusted adviser for both Capital Expenses (CAPEX) and Operational Expenses (OPEX) budgets.
Well, since you have mentioned Cisco, let's talk about that a bit because, if there is a network involved, there will most likely be Cisco gear. What Cisco equipment do you interoperate with, how do you get the information from the devices and can you make configuration changes to Cisco gear?
We do support pretty much all Cisco gear, including their routing, switching, wireless and security infrastructure. We do accurate discovery and inventory of network devices using many different ways of collecting the information from those devices, including some of the popular protocols like SSH, Telnet, SNMP, HTTP and/or HTTPS. Once the user defines some credentials using any one of the above protocols, the moment we discover a device we use the credentials to collect as much information from the device as possible, since you can do a better job of analyzing the data if you can get more information. Our inventory and discovery mechanisms are quite extensive and support many different network devices.
Great, one of the things that I think is a big win for organizations is configuration management. When done well, it saves a lot of pain and money. Can you help us understand how your system helps manage a configuration? Is it at the file and registry level like TripWire, or open ports like nmap and a database? Essentially, how does this work?
Yes, from our customers we are seeing that configuration management is one thing that takes a lot of money and time for most organizations. We keep track of every change that happens for all the network devices that we manage, both in terms of the configuration that is "active" in the system right now as well as the "stored" or "factory default" configuration. The Network Administrator will get information on every change that may or may not be in compliance with corporate mandates, and can act on the information in real time. In addition, most of the compliance auditors (SOX, PCI, etc.) do ask for all configuration changes to the network devices, and getting all of it in customizable reports does save both time and money.
Pari is a start up, right? Can you give us a sense of who you are? How old is the company, how many employees do you have, how many customers, what is your funding status?
I would say Pari is a young company. We founded it in April 2005, so we are looking forward to our 3rd year anniversary pretty soon. We are a 30-person company, with a development center in India, and sales offices in the US, Canada, India & Europe. We have 15 customers and are privately funded.
How about the names, what is the significance of Pari? Is it a play on a strong trademark, a non-English word, or something related to equality?
Pari means "guardian angel" in the Sanskrit and Arabic languages. Since we are looking over your shoulder, protecting the network, we felt that will be a good name for the company and products.
Thanks for that, learn something new every day, and while we are at it, what about Enguos?
Enguos is the name for our Auditor Portal which we are hosting; Enguos means "tight security" in Greek.
OK, I got the definition "surety" when I looked it up, but, as they say, it's all Greek to me. I think we have the basic handle on Pari at this point. Now, since this is a thought leader series, please allow us to pick your brain just a bit, Kishore. Where do you see the IT network industry going over the next five years? Do you believe the Services Oriented Architecture movement will continue to gain steam? What is your take on the IBM ubiquitous/self healing computing vision?
I do believe that, moving forward, the IT network industry will be moving to SOA. Having said that, we are still a long way from going to SOA or a Common Configuration DB, since more and more services are being integrated into the network fabric. Most of the services right now are still network centric (security, voice over IP, etc.); as more business requirements (compliance, location based services) are moved to the fabric, it will be a complex, yet interesting, problem to solve, and we do believe that, the way we designed and implemented Pari products, we are in the right place at the right time.
Self healing and Cisco's self defending networks are good concepts/prototypes for now, but it will take a lot more time for them to become really ubiquitous in terms of self correcting/securing networks because, right now, the "glue" that ties together the devices, processes, people and management is missing.
One of the traditions of the Security Lab is to give someone a bully pulpit, a platform from which to persuasively advocate an agenda, and drive home the number one point that you are trying to make as a thought leader in the industry.
I would have to say it is the complexity of network convergence. Lots of new services are inserted into the network fabric with little thought given to the security and manageability of those services (say voice or video), thus making the job of the network/security administrator really complex. I would suggest that security companies look at easing the pain of administering the security & management of a new service before coming out with a new "best of breed" solution/service.
Kishore, can you tell us something about yourself, what do you do when you are not on a computer?

Either playing with my two year old, or spending time reading a book or working in the yard (although definitely not in the winters).
Links (valid as of January 22, 2008)
1. https://www.netc.navy.mil/nascweb/crm/standmat/seven_skills/SA.htm
2. http://www.sans.edu/resources/leadershiplab/127.php
3. http://www.sans.edu/resources/securitylab/ryan_barnett.php
4. http://www.sans.edu/resources/securitylab/honeypots_guide.php