Don't Miss Pen Test Hackfest Summit & Training, November 2-9 near DC!

Thought Leaders

Table of Contents

Ed Hammersla, COO, Trusted Computer Solutions

Stephen Northcutt - November 19th, 2009

Ed Hammersla, Chief Operating Officer, Trusted Computer Solutions has agreed to be interviewed for the Security Thought Leadership project. I was very impressed by the Trusted Computer Solutions product, Security Blanket. It is part of an inexorable change in our industry. In the past, you had to hand configure operating systems and that was an actual job for some system administrators. These days, the position of Security System Administrator is disappearing and instead, we see automated tools. Security Blanket is an example of these automated tools, Ed is the brains behind the product, he has agreed to be interviewed and as always, we thank him for his time.

Ed, can you please give us the basic background information, do you have a short BIO we can post?

Certainly, Stephen and thanks for the interview, here is my bio:

Ed Hammersla is Chief Operating Officer (COO) of Trusted Computer Solutions (TCS) a leading supplier of cross domain and cyber security solutions for industry and government organizations. In this role, Mr. Hammersla applies his 30 years of technology experience to support organizations’ requirements for improving their overall enterprise security posture as well as implementing solutions for sharing information securely and quickly to those that need it most. These information sharing solutions (known as cross domain solutions) became increasingly important within the Federal government following 9-11. Mr. Hammersla is one of the most sought after experts on cross domain technology. In addition to his cross domain expertise, Mr. Hammersla was instrumental in bringing to market the industry’s first solution that fully automates the process of locking down a Linux or Solaris operating system.

Mr. Hammersla began his career at IBM where he spent 10 years in engineering, marketing and various management positions. Prior to joining TCS, he held leadership positions with Sterling Software, Informix Federal and NEC. He has also worked in the Venture Capital Community as CEO of multiple startups and served as an investor and advisor for other companies. Mr. Hammersla currently sits on the Board of Directors for the Armed Forces Communications and Electronics Association, Washington, D.C. Chapter (AFCEA DC) and the United Services Organization for Metropolitan Washington (USO Metro).

Thanks, Ed. And, if readers want to learn more about your work, are there URLs of papers or presentations you have written that are available on the web?

Surely, here are a couple: (live interview on Fed News Tonight) (article in Government Computer News) (article in Washington Business Journal) (interview in Government Computer News)

And, still in the vein of sharing knowledge, here are some are some links to papers on the Internet that you consider a "must read", thank you for sharing these: (CCEVS vs. C&A – The Alphabet Soup Decoded) (The Inevitability of Failure: the Flawed Assumption of Security in Modern Computing Environments) (Navigating the SABI / CDS Process)

Now let's drill down into you a bit, how did you become interested in the field of information security?

My Father was a Georgia Tech Grad, then a researcher with Bell Labs and taught some classes at MIT. So I’ve always been close to the research community and had an interest in how good research makes its way to useful commercially viable technologies. As an investor and sometimes acquirer of software companies, I always looked for technologies that “solve an interesting problem”, and that’s the source of my interest in information security and cross-domain solutions. They are both vital technologies in terms of national security as well as stable and productive businesses. And, as in many fields, the most interesting technology advancements usually start in the research community.

What do you see as the two biggest takeaways from The Inevitability of Failure: the Flawed Assumption of Security in Modern Computing Environments paper you suggest as a must read?

It was written by an interesting and elite group of people, one of those guys for example, Stephen Smalley, is one of the fathers of Security Enhanced, or SE Linux. One of the takeaways from the paper is that if you leave security at the application level and don't embed controls in the kernel, you don't have much security. The goal of the paper is to motivate a renewed interest in secure operating systems. Another big takeaway you do not want to miss is that phrase, "modern computing environments." Back in the mainframe era maybe it wasn't so important, but in these days of widespread internet and network connectivity, the non-secure OS presents the hackers with a plethora of opportunities.

What are your thoughts on the endpoint whitelist products such as Bit 9, CoreTrace, Savant Protection? Could they help with this problem?

They are helpful add-ons, but far from a comprehensive solution to lock down an OS. One of the discussions we have at TCS is that when you take Red Hat out of the box, it fails 90 - 100 STIGs right off the bat. There are reasons for that in terms of usability, but in many environments it means you can't use the system until these are addressed.

Forgive me, what is a STIG?

Security Technical Implementation Guide. Security guidance for systems.

Thank you Ed. We used to have lots of people show up at OS classes for securing Windows and Unix/Linux, not so much today. Do you think this has become productized, that tools like Security Blanket, where you choose a configuration and the tool sets the system up, are the standard approach.

I hope so, keep in mind, it isn't just the initial configuration, it is also ongoing.

Boy, do I understand that! I have been running Savant and literally watching every change. I upgraded to Firefox 3.5.5 yesterday and that was about fifty changes to the operating system. I didn't have to see them all, could have put it in learn mode and just accepted them all, but I wanted to see all the DLLs and configurations just to upgrade a single application. This means running operations in a secure manner is a tough problem.

Exactly Stephen, it results in a natural conflict between the security guys and the application guys because security blows up their applications. Of course, there is an argument that lack of security leads to downtime so security helps with uptime.

But that argument is a tough sell at best, Ed. Anyway, I love the life of a researcher as well. Can we go back in time? Have you worked on security products before the product you are working on today?

The first security product I became involved with was a trusted database product developed by Informix. That was back in the day when the NSA used the DoD Trusted Computer System Evaluation Criteria, known as the Orange Book, as the de facto standard for computer security.

The Orange book, wow, that is a "take me back" moment. So, how did you go from that to Trusted Computer Solutions (TCS)?

When I joined TCS in 2000, the company had solutions that allowed government employees to access and transfer information between classified domains at different classification levels. These solutions required a trusted operating system of which there was only one that was mainstream, Trusted Solaris 8. When the open source community began developing a trusted version of Linux, we became heavily involved in the development effort. The idea was that we would port our cross domain solutions to Linux so that we would not be tied to one proprietary hardware platform. This is one of those concepts/projects that actually worked!

Are you still involved in low to high type stuff in terms of security levels?

Stephen, I am. Today, TCS sells a commercial product, SecureOffice Trusted Thin Client (SOTTC) which provides access capabilities across multiple classified networks; another commercial product, SecureOffice Trusted Gateway (TGS) that enables the transfer of sensitive and/or classified information between networks; and SecureOffice WebShield, which allows for secure browse down from the higher classified network to a lower level network, all running on a “trusted operating system” that is open source, Red Hat Enterprise Linux.

And, this is your opportunity for a sales pitch! What product are you working on today? What are some of its unique characteristics? What differentiates it from the competition?

In addition to continually supporting and enhancing our cross domain solutions, TCS is marketing a solution called Security Blanket that automates the process of locking down or hardening a Linux or Solaris operating system (OS). It is the only solution on the market today that assesses the security state of the OS against industry standard or customized guidelines, and then automatically configures the OS to render it compliant.

For example, the DoD is required to be compliant with a set of guidelines called the STIGs (Security Technical Implementation Guidelines) that we mentioned earlier which are defined by the Defense Information Systems Agency (DISA). Using Security Blanket, system administrators can run an assessment of an OS against the STIG profile that is included in the product. Doing this manually can take hours, or even days, for just one server. With Security Blanket, the process is done in minutes. The enterprise version of Security Blanket allows for the ability to manage any number of servers and group them, so one could lock down 100 servers to be compliant with the STIGs in less than 5 minutes. The product also has an undo feature that allows a user to reverse a lock down if something goes wrong. It is granular to the point where a user can undo a single lock down action on any one or all of the 100 servers in the group.

The only other product that does the actual lock down or OS configuration is an open source solution called Bastille. However, it does not report any status as to adherence to industry standards (such as DISA STIGs, SANS Guidelines, or CIS standards) and does not have any type of enterprise capability. It has to be run on each individual server and steps users through a set of questions that take a considerable amount of time – much more time than Security Blanket requires.

Another product that rounds out our product portfolio is a network security product we acquired last year, called CounterStorm. This product is a solution that stops zero day and targeted attacks in seconds. Using a combination of behavioral, statistical, and content-based anomaly detection, CounterStorm expands the level and sophistication of detection found in other solutions.

Is Bastille still a Jay Beale thing? I have not spoken with him in a bit.

I believe it is. Anyway, today, TCS is in the process of adding rich functionality to Security Blanket and making it even more user friendly with a new Java interface. Recently, we announced Security Blanket’s availability for the IBM System z mainframe and adding support for Novell SuSE.

You have mentioned cross domain several times, "In addition to continually supporting and enhancing our cross domain solutions." Can I pin you down, what exactly do you mean, can we have several examples?

The way we talk about it now, we have two divisions in the company, one is the cross domain division, which is our bread and butter; we help the government share information from one agency to another. This is especially tricky when the information is classified. For a long time the only suitable platform was Solaris. And, Unix on the desktop died, what, two decades ago? But we have some options, nowadays trusted thin clients give you a lot of options and you can run powerful applications.

I get that, in fact I just read something like that in an Air Force periodical about the advantages of the Trusted Thin Client, they said:

"A key ingredient in that was installation [of] a “trusted thin client,” which allows users to view multiple networks on the same screen, even networks that contain different classification levels. The TTC also reduces the number of “desktop computers” at each work station, which not only reduces the clutter, but also allows for better computer administration, because most of the computer power is centralized and easily accessible by the information technology staff.

“We also expect this to be more efficient because it will reduce the power requirement for the computers and the air conditioning,”

Apparently before the TTC, they had to have a separate computer for each network they were on. This is fascinating, what is the trickiest part of cross domain: technical or political?

Political in the sense of certification and accreditation. You have the purists that say "you changed a driver, we need to do the entire C&A again". We are beginning to hear enlightened people say test only the changes, and does the change impact security in the first place. Under the National Intelligence jurisdiction there is a Unified Cross Domain Office, they are making some progress, but it is slow and tough to do.

Yes, doing my research for this interview, I found a short piece on you and the topic and the charter for the Unified Cross Domain Management Office (UCDMO) as well. Sounds like a very interesting project; with respect to cross domain, what do you see as the future of C&A?

Well, I hope the current trend of test once, test only the changes continues, and I think reciprocity is vital; if one DAA approves, you accept that system, if not, you explain your reasons. The people at the top have the right philosophy, but they have a tough road because of embedded people who hold onto the old philosophy and are not ready to embrace the changes that are needed.

What do you think the biggest benefit of C&A is for the cross domain community?

Provides fee for service to the people to do it.


Yes, I will probably make some people mad at me. Seriously, the C&A process done wrong can delay the delivery of the systems or information to the warfighter. This forces workarounds like the memory stick that ended up in the market in Kabul. By not having a proper cross domain system, they resorted to a workaround; it did move the information, but it also put the information at risk.

Can Security Blanket help with the C&A process, can you establish a set of specs and as long as we pop out a system that meets those specs, it could be automatically accredited?

Interesting idea, I think I'll write that down. There are some at NSA working on HAP, High Assurance Platform, so that if you buy certain hardware and configure it in a certain way, then you are already there with a high assurance system. While all of our cross domain products have Security Blanket built in, you still have to worry about the application, but this could certainly help.

What is the most common application used in cross domain computing, what do they actually use?

MDDS, Multi-Domain Dissemination System is the program much of this is based on. It gives secure browse down capability. The commercial product is called SecureOffice WebShield, which I mentioned before. It allows high to low communication. It has absolutely saved lives. An intelligence officer can browse down to SIPRNet from his top secret network. You see, the warfighters all work at the Secret level and this makes it possible to get intelligence to the warfighter. The program is managed out of DIA and it is one of their major success stories. The government always renames our product to the program name, so more people know our product as MDDS than WebShield.

What do you think the security products in your space will look like in two years, what will they be able to do?

In two years, we should see full automation and proactive anticipation of new attacks. These solutions will be viral in their ability to morph faster than the attack software. Polymorphism is the future.

OK, I am having a hard time getting my head wrapped around that, but I will keep trying. Ed, you shared that you have always looked for technologies that "solve an interesting problem". What do you see as the most interesting problems over the next few years?

Even with the signature based tools, they only find about 50% of attacks, this is largely due to polymorphism, On the defensive side we need to get ahead of these attacks. The really interesting thing is you don't know what you don't know. Even the well known viruses are getting through because people morph them a bit with packers and similar tools.

Sure, like the race to zero, the contest where you had to get really famous viruses like Stoned past the commercial AV scanners with packers. And I think most people agree we are hitting the wall with pure signature solutions. But defensive polymorphism, whew, that is one of the most interesting predictions I have read, not sure that is going to happen in two years, but we will both see! Now Ed, please share your impression of the defensive information community. Are we making progress against the bad guys? Are we losing ground?

I think that progress is being made, but organizations are overwhelmed by the multitude of solutions available on the market, and the rhetoric that we use to describe them is too common. Also, most don’t have the time or bandwidth to investigate them thoroughly. People are confused about the role that firewalls play today and continually ask questions that include:
  • Why is a firewall no longer sufficient to protect my systems?
  • What should we do to ensure application security?
  • Will solutions that provide network intrusion protection also protect my networks from a malicious insider?
  • What standards should I look to in order to protect my systems?

I agree, we seem to be short on the fundamentals. Would you be willing to share your thoughts concerning the most dangerous threats we will be facing in the next year to eighteen months?

Combined physical and cyber attacks, where careful coordination and precise timing causes immeasurable damage. For example, the Bruce Willis movie, “Live Free or Die Hard,” where coordinated computer shutdown of traffic light systems causes massive traffic damage, and a new breed of terrorists who are cyber aware experts, cause a massive computer attack on the U.S. infrastructure which threatens to shut down the entire country.

I hear that! Not sure about the attacks that shut everything down or to quote Ed Skoudis, the Internet "snow day", but we are surely seeing coordination and timing. What really has my attention are these attacks against comptroller desktops where the attackers get control of the system and then harvest the credentials for the bank account and starting wiring money in chunks less than ten thousand dollars, but doing it a large number of times. I find that frustrating because it is a solvable problem. Anyway, that is my beef, may I ask what is your biggest source of frustration as a member of the defensive information community?

One of the biggest frustrations is the need to categorize software solutions into boxes or “quadrants.” This was a model that did work in the past, but things have gotten too specialized today. Not every solution fits in a pre-defined “category.” It becomes very difficult to talk about what your solution does without someone immediately categorizing it. The result is that once categorized, it is compared to other solutions in that category which may or may not be a valid comparison. There are a lot of very robust configuration management tools on the market, for example, that do OS assessment against the same industry standards that we use in Security Blanket. Needless to say, these CM solutions also do a great deal more, but they do not configure the OS. When Security Blanket is compared to a CM tool, it comes up short because it is not a CM tool. Once people understand that it is a tool for configuring the OS, period, and they see that it is a fraction of the cost of a CM solution, then they get it.

I have been updating the crypto section of the primary course I author and teach, Security Leadership Essentials and I am starting to wonder if we will ever really solve the hash problem (computationally inexpensive for any arbitrary file and yet resistant to collision, especially engineer collision). Do you have any thoughts on this area?

I am not a crypto person, but I have had the opportunity to talk with some of the best and brightest. I have a lot of faith in the best and brightest.

Funny, that is exactly what an expert said to me yesterday. I believe the NSA will be able to give our warfighters and intelligence folks strong working tools, I am a bit more concerned for the commercial space. Anyway, you have made a major investment in Linux, what do you see as the near term future of Linux?

We are bullish on it. Linux has been able to achieve what Unix set out to do, run the same OS on different hardware. That is a key point, nobody else has been able to do that. Back in '02, or '01, you guys got hacked and we got a call from you about using one of our super locked down systems. We went to talk to you and you said, "we can't use that because it only runs on Solaris, we use Linux". That was actually a key moment for us, because the same week a government customer said the same thing to us; so, you had a part in our transition from Solaris to Linux. I continue to be optimistic about Linux. I still think Linux, Windows, and maybe Mac are the only growing operating systems, everything else is in decline.

Let's drill down further, according on one source, "Linux's market share of the server market will grow from 19 to 26 percent by 2010."

That would be a massive state change, however you can read just about anything on the Internet, what is your take and
where are you seeing the actual organic growth in Linux?

The proprietary Unix systems Solaris, AIX, HPUX, those will morph to Linux. Anything to do with the government, technical folks, startups, they tend to gravitate towards Linux. I think Linux is here to stay and it will eventually be the standard non-Windows offering.

Now that is a researcher talking, you don't like to be told to get in and stay in your box? One of the traditions of the thought leadership project is to give our interview candidates a bully pulpit, a chance to share what is on their mind, what makes their heart burn even if it is totally unrelated to the rest of the interview. Please share the core message you want people to know.

Software should do something that is easily explainable. I can read a paragraph or two of “technical description” today and it’s all buzzwords, leaving the reader with no idea what the software really does.

Software should do one of three things. It should, 1) automate an otherwise manual process, 2) save time and increase productivity for IT professionals, or 3) add significant competitive advantage to an enterprise. I think we’ve gotten away from these basics with all the terminology that we use today; SOA, SaaS, Cloud computing and so on.We have a lot of interest in the Z series or system Z from IBM, very advanced technology and these are replacing a bunch of the old mainframes. Know why they call it system z? Zero down time; the mean time for failure is 15 years. There are systems that have not been rebooted since many of us were born. More and more people are putting Linux on these systems; this is a big growth area and Security Blanket supports it.

Can you tell us something about yourself, what do you do when you are not in front of a computer?

I enjoy science, trivia, history, archeology, any number of land and water sports including swimming, surfing (long board and short board), water skiing, sailing and boating. I also skateboard, snow ski, and bike. My more sedentary activities include lounging by the water, reading and watching movies that have unpredictable outcomes.

Wow, sounds like you have balanced a full life with geekiness, Ed, I really enjoyed getting to know you a bit better and feel free to stay in touch. If you think about it, get back with us in a year or two with an update on your latest thoughts!