Amrit Williams, Chief Technology Officer, BigFix

Stephen Northcutt - June 30th, 2008

Amrit Williams, Chief Technology Officer at BigFix, was formerly a research director in the Information Security and Risk Research Practice at Gartner, Inc. He is certainly a security thought leader, and if you have not been introduced to him before, we are sure you will find he has some interesting out-of-the-box opinions. We want to thank him for his time; we know he is a really busy guy.

Amrit, I just finished a research project on endpoint security which was both eye-opening and depressing. The complexity of protecting an endpoint is really scary. Do you agree?

Absolutely, we are definitely reaching a tipping point in endpoint security - well, security in general - but let’s focus on the endpoint for now. When I worked on anti-virus software in the mid-90s, we dealt with a handful of virus samples we needed to deconstruct and create signatures for; now we are seeing viruses in the millions. So, not only has the threat environment become increasingly sophisticated and stealthy, but the demands on enterprise IT have significantly strained their ability to properly manage these systems. This is especially true as more organizations enable mobile computing, and we see a proliferation of consumer devices entering the enterprise. Think about this: in 2004, the most prolific enterprise endpoint security technology was anti-virus, with penetration of about 98% of all desktops; now, with an increasingly hostile threat environment and regulatory pressures, most organizations are forced to deploy between 5 and 15 agent technologies to deal with security, compliance and operational initiatives. This is a systems manageability nightmare, not to mention the ineffectiveness of most of these technologies to deal with the sophistication and sheer number of emerging threats. I wrote about this in my blog.

Amrit, I actually remember that piece, especially the ending, where you said, "Of course we could just go back to a thin-client architecture leveraging enterprise applications delivered through web services, producing an 80% or more reduction in security issues and significant reductions in costs...but that level of elegant simplicity would just be silly." Now, clearly, that is a bit of sarcasm, but can you expand on what you are saying? Do you recommend that organizations adopt thin clients? I have heard that it works well for jobs with a lot of repeatable tasks, but, for knowledge workers, my understanding is that most organizations have run into problems. What is your take?

Thin-client architectures with very limited local computing or processing power would definitely limit the number of client-side attacks. But the reality is that the new generation of knowledge worker is far more technically savvy than previous generations, and they would never allow that type of restriction. Plus, there is too great a demand for productivity at the client, so, as you point out, the old thin-client model won’t work in most enterprises. We will, however, see an increase in virtualization technology for applications and desktops that will, in effect, segment and sandbox shared computing infrastructure. For example, imagine an organization able to deliver a secure virtual desktop environment, configured to policy and isolated from the user’s applications, personal internet activity and other often unsafe computing habits.

A big part of security is based on configuration management, and you guys are square in that business, but it seems like it has some limitations. My friends Alan Shimel and Mitchell Ashley asked a couple of questions[1] that I never saw an answer to, and they are good questions; let me reprint them here and ask you for an answer:

1. Does configuration management boil down to remediation being the only answer? If so, what is remediation? Is it only applying patches or shutting down a port or service? Could applying limitations on access be part of the equation? Access control based upon a configuration baseline is, I think, an important part of managing the system.

Configuration management is more than remediation, since remediation is a reactive process while configuration management, especially security configuration management, is a proactive process: one defines the desired configuration state of computing devices based on industry best practices defined by organizations like NIST, NSA, CIS and others, audits the environment against policy to identify non-compliant machines, and then enforces policy. Ideally, devices will almost never deviate or experience too much configuration drift. For configuration management or remediation to be effective, however, it must automate any and all actions that an administrator can take and provide that level of control at scale, so it is much more than simply patch management or making small configuration changes. I think this distinction is important, and it highlights the need for remediation to be owned by the IT operations team, not security.

2. Can configuration management be done outside of an on-board agent? Looking at some of the traditional VM scanners like nCircle and Tenable, they are claiming configuration management capabilities. Can their "point in time" scanning compare to always-on, agent-based configuration management solutions? If not, what about unmanaged devices coming on the network without an agent? Do you fall back to scanning them with a scanner? Is the position really that if all company-owned assets are fully compliant, we don't worry about what a guest computer can introduce? It is for this reason that I think you can never have a pure agent-based configuration management system, but need both agent-based and agentless.

No, configuration management cannot be done effectively outside of an on-board agent. What remote vulnerability assessment scanning vendors like nCircle and Tenable provide is remote configuration auditing, which is different from management; these tools still require a separate set of technologies to effect change on an endpoint. When I was an analyst with Gartner, we generally advised clients that they require a combination of both agent-based and agentless technologies. Agent-based technologies provide the greater depth and breadth of information, usually in real time, whereas agentless systems are challenged by both space and time and, in many cases, an inability to properly interrogate an endpoint. Agentless scanning does, however, offer the ability to see unmanaged assets, so you really need a combination of technologies. From an organizational perspective, agent-based technologies are generally managed by the IT operations teams, whereas agentless, remote assessment technologies tend to be managed by the security team and used to audit the operational teams.

I am in the camp of people that feel the majority of systems are too frail to be placed on a network. They need to be configured differently, better. But how can they do that unless someone tells them how? I have been a big fan of the Center for Internet Security for a long time. What are your thoughts about the NSA and Center for Internet Security templates?

The real problem is that most of our client/server computing infrastructures are sick and built on inherently weak and insecure architectures, so we are constantly trying to accommodate these deficiencies by building layers of security on top of inherently weak and insecure foundations. Unfortunately, this will not change anytime soon. If we look at attack characteristics and forensic data over a large population, it becomes apparent that weak systems are attacked opportunistically, and the more vectors of attack that are available, the higher the chance of exploit. So, we must remove as many vectors of attack as possible. Most attacks take advantage of known vulnerabilities, poorly administered or configured systems, and social engineering of the user. It is inexcusable that enterprises fall prey to conditions within their control. I have been a strong proponent of security configuration management, which leverages much of the work organizations like the NSA and CIS provide, and believe it is critical to improving organizational security as well as operational efficiencies.

Thank you for sharing that, Amrit, but we are still in the same place: systems must be properly configured. So, this is where I would like to give you the opportunity to make the elevator pitch for BigFix.

BigFix is a leading global provider of high-performance systems and security management software for enterprise companies. The BigFix unified management platform provides real-time visibility and control through a single infrastructure, single agent and single console for systems life cycle management, endpoint protection, security configuration and vulnerability management.

BigFix is based on a revolutionary architecture that distributes management intelligence and responsibility directly to the computing devices themselves. This architecture makes BigFix radically faster, more accurate, scalable, and more adaptive than traditional management solutions. What is high-performance?
  • Blazing Speed: Real-time control to effect change of thousands of granular computer properties 100 times faster than competing technologies
  • Extreme Productivity: Full control of all computing assets performing the work of multiple administrators using legacy solutions
  • Pervasive Visibility and Control: Up-to-the-minute visibility of the most granular computer properties across our entire computing infrastructure
  • Massive Scalability: A single BigFix server can manage over 250,000 computing devices - more than 20 times that of traditional, legacy solutions
  • Revolutionary Economics: A single infrastructure, single console, single agent architecture combined with the ability to address multiple domains provides the lowest TCO in the industry

A number of people have expressed that your insights on the industry have often been spot on. Let's talk about a few of these, starting with my favorite:
"And finally, realize that you probably won’t have the same job in 2012: So all you firewall jockeys and IDS/IPS admins who spent a career learning the ins and outs of ingress/egress traffic flows may want to take a college course on nursing, a field which will explode as all of the baby boomers inch their way towards the golden years."

Once again, we see a bit of the humor/sarcasm, but let's drill down to the truth. Most certainly our world is changing. We are inching closer and closer to convergence security boxes that do five or more functions. While the state of the endpoint is pretty pitiful right now, projects like Ubuntu give me a lot of hope; it is now one of the three operating systems I use to accomplish real work. So, what advice should we be giving firewall jockeys and IDS admins (my favorite demographic group)? When people ask me what they should do to improve their career, odds are I usually tell them three things: learn Chinese, get a project management certification, and get published. What advice do you have for these folks?

Learn business skills. The reality is that information security is changing and, although we still need the highly technical folks that understand the ins and outs of Cisco IOS and TCP/IP, there is definitely a movement to evolve security into part of the business, seen as being as important to IT as critical infrastructure like networking and storage. Security must move away from its traditional roots, voodoo performed in the basement that inhibits business innovation, to become an enabler and partner for business success.

In the same general gloom and doom prognostication, you wrote:

"Let me state that I know as well as the next guy that trying to determine financial loss is about as predictable as trying to determine which politician elected to public office, on a platform of morality and decent values, will find themselves in the middle of a Spitzer, Craig, Foley, Clinton-esque sex scandal. That being said, it does make you wonder, doesn’t it - is security as we know it about to end up in the obituary of dead technologies?"

I wonder about a lot of things, but whether security is going away is not one of them. I think about the Chinese Advanced Persistent Threat (APT) and have little doubt that the organizations who want to be around in ten years are going to put a lot of focus on security and data loss prevention, in particular. And, despite that well-phrased insight, I read your document about NERC, and it looks like BigFix will still be around in the energy production sector in five years? So, let's be forward-looking: what do you think security will look like in five years?

Security will never go away; however, it will evolve and look very different than it does today. It will be more operationalized, more structured, more built into the infrastructure. However, security tends to lag innovation, so as we see technology innovation emerge, we will see new areas for security to be applied. I used to joke that one day technology will revolutionize my living room, and I will be able to write an email, work on a presentation, control my TV and program my toaster from a single, handheld device, so, of course, some 15-year-old eastern European hacker will figure out a way to burn my toast. The recent remote coffee machine vulnerability only shows how close to reality this really is.[2]

Amrit, one of the traditions of the security lab is a bully pulpit, an opportunity to share what is on your heart; in your case, you have clearly been doing that in your blog. However, looking out towards 2012 or so, what is the biggest single piece of security-related advice you have for organizations?

Wear sunscreen. We need to evolve security beyond a reactive, ad-hoc process that inhibits business innovation to a discipline that is pre-incident, measured, and aligned with the business.

Second to that is to move as much day-to-day administration for security to the operations folks as possible. Today, security is difficult and complex for multiple reasons; one of the keys to resolving the complexities is to deal head-on with the inherent problems of systems manageability that security technologies introduce.

IT Security listed you first as one of the most influential thinkers, and I would be hard-pressed to pick between any of the top ten, so you are well known in the industry.[3] Can you share just a bit about your personal life? What do you like to do when you are not behind a computer screen?

Honestly, I think that reference was a fluke and probably a result of my name starting with an A. But, about me personally? I was born in Kathmandu, Nepal, and lived in India, Japan, Thailand and Hong Kong. I travel extensively and love to experience other cultures. My brother is a stand-up comedian, and I spend time working on his material and am developing a couple of screenplays with him. I also have an affinity for photography and, living in California, I spend a lot of time outdoors with my two beautiful children.

Links valid as of June 27, 2008