Security

March 3, 2009 9:44 AM PST

Opera belts out critical security update

by Dawn Kawamoto

Opera on Tuesday released a critical security update that fixes vulnerabilities in its browser which could allow an attacker to take control of a user's system with an altered JPEG image.

The update, Opera 9.64, addresses security vulnerabilities in earlier versions of Opera 9.

According to Opera's advisory, a maliciously crafted JPEG image could cause the browser to corrupt memory and crash, potentially resulting in execution of arbitrary code; the release also fixes a separate issue in which plug-ins could be used for cross-site scripting.

Security software company Secunia rates the vulnerabilities as "highly critical."

February 24, 2009 6:00 AM PST

Borg-like cybots may patrol government networks

by Mark Rutherford

The Oak Ridge National Laboratory has created software that uses colonies of Borg-like cyber robots, which it says will help government agencies detect and fend off attacks on the nation's computer network infrastructure.

The Ubiquitous Network Transient Autonomous Mission Entities (Untame) system differs from traditional security software agents in that its cybot "entities" form collectives that are mutually aware of the condition and activities of the other bots in their colony.

When these cybots detect network intruders, they communicate with one another, preventing attackers from staging a diversion in one part of the network and then breaking through in another.

"The cybots are an inherent part of Untame's software, designed to do cybersecurity," Joe Trien, a team leader from the lab's Computational Sciences and Engineering Division, said in an interview with the Daily Beacon. "Most enterprises have intrusion detection centers set up in key spots, but they don't communicate with each other. But a cybot is intended to work with other cybots, continue their mission, or regenerate when necessary so they can pick up where one left off."

The U.S. Department of Energy commissioned the software in response to criticism from Congress over security lapses. It hopes for an "intelligent, self-healing, intrusion detection and prevention system" capable of real-time response and defense, one that can learn to avoid false positives and relieve human operators from slogging through low-level alerts.

The concept of mobile, autonomous software is not one that commercial software developers have embraced, said Lawrence MacIntyre, who is also working on the project. "When you tell people you've got this software that roams, the first thing they think of is a worm," he said.

Trien says Untame is more analogous to the Borg from "Star Trek," only benign. Plus, it would be bound by mission directives to monitor and protect its assigned cyberinfrastructure--not assimilate humanity.

Originally posted at Military Tech
Mark Rutherford is a West Coast-based freelance writer. He is a member of the CNET Blog Network, and is not an employee of CNET. Email him at markr@milapp.com.

January 27, 2009 9:55 AM PST

N.Y. considers software security policy

by Jon Oltsik

Earlier this month, I predicted that large companies may soon adopt policies mandating that technology vendors adhere to best practices for security in product design and development.

I also suggested that government agencies may be on the cutting edge of adopting these types of policies.

On Monday, I read a preliminary report that New York state may be the first government to move forward with this type of policy. Apparently, New York will use the Common Weakness Enumeration/SANS Institute list of the Top 25 Most Dangerous Programming Errors as a baseline for software security. Under the proposal, vendors selling software to New York state must document how their software developers design and test code in order to prevent problems.

Kudos to the Empire State for taking the lead on this critical issue. Given the recent news at Heartland Payment Systems and Monster, New York's action is timely and a sign of things to come.

January 13, 2009 4:26 PM PST

The rise of security acquisition policy

by Jon Oltsik

The state of information security is pretty poor, and large organizations have neither the time nor the money to continue to add security safeguards onto their networks to protect them against the latest threat du jour.

I believe we are at a tipping point when CIOs push back on their vendors with a new "enough is enough" acquisition policy. In 2009, expect large organizations to establish a new acquisition policy mandating that their vendors either deliver secure products or lose their business.

What do I mean here? CIOs will demand that IT vendors provide:

1. Secure product design, development, and testing. Software and hardware products must be designed to anticipate and minimize potential attacks. Additionally, vendors will be required to adopt secure and auditable software development and testing processes.

2. Secure default configurations. Users should not be forced to jump through hoops to secure products "out of the box." Rather, default configuration must be hardened from the get-go.

3. Security support. Vendors will be required to have proper processes and procedures to respond quickly and consistently to any security problems that arise with products in the field. Furthermore, vendors must have field engineers and support personnel who can help customers integrate individual products into secure architectures consisting of networks, servers, operating systems, databases, applications, and storage devices.

I expect the federal government (with its $70 billion-plus IT budget) to make secure acquisition policy part of the revised Federal Information Security Management Act sometime this year. Once Congress gets the ball rolling, the National Institute of Standards and perhaps the National Security Agency will quickly follow with formal guidelines. Note that secure acquisition policy was one of the suggestions posed to President-elect Barack Obama in the recent Center for Strategic and International Studies report. Other industries beyond the federal government alone will follow this lead.

Yes, this will put pressure on the IT industry--especially venture-backed start-ups focused on feature/functionality at all costs. Tough luck for sure, but this will be a wakeup call to the entire industry. Users want security that is baked in and not bolted on. IT vendors will either come to terms with this or suffer the consequences.

November 13, 2008 7:05 AM PST

CA to buy Eurekify

by Dawn Kawamoto

CA announced Thursday plans to acquire Israel-based Eurekify, in a move to expand its identity and access management software portfolio.

The IT management software company aims to use Eurekify's analytics engine to reduce the time and effort it takes customers to sift through employees' duties and responsibilities and to monitor their access management settings.

The combined CA Identity Manager and Eurekify Enterprise Role Manager will aim to help customers clean up existing identity data and build a model that "serves as the foundation to automate the user provisioning process and enhances identity lifecycle management," according to Islandia, N.Y.- based CA.

The acquisition is expected to close by month's end. Terms were not disclosed. Last month, CA made another security-related acquisition with its purchase of IDFocus.

October 7, 2008 6:51 AM PDT

CA acquires identity management firm IDFocus

by Dawn Kawamoto

CA on Tuesday announced it acquired identity management company IDFocus.

With the acquisition, CA plans to use IDFocus' Ace identity management technology so that employees holding multiple authorizations in their company's enterprise resource planning (ERP) system automatically have those authorizations checked against the information they are seeking or the task they are trying to perform.

Specifically, CA Identity Manager grants employees various authorizations, then checks them against the segregation of duties (SOD) policies defined in the IDFocus software. If a policy would be violated, CA Identity Manager is designed to step in and prevent the employee from accessing the information or performing the attempted task.
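The check the article describes, as an added example that is not CA's or IDFocus' code: each SOD policy is a "toxic combination" of entitlements that no one person may hold at once; a provisioning request is refused if granting it would complete such a combination, and an audit of existing entitlements surfaces violations that already exist. The entitlement names, policies and users below are constructed for illustration.

```python
"""Segregation-of-duties (SOD) check at provisioning time.

Added example, not CA Identity Manager or IDFocus code. Policies,
entitlement names and users are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SodPolicy:
    """A toxic combination: holding every entitlement in `conflict` violates it."""
    name: str
    conflict: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    violated: Tuple[str, ...]  # policies the request would newly violate


def violations(entitlements: Set[str], policies: Iterable[SodPolicy]) -> List[str]:
    """Detective check: policies already violated by an entitlement set."""
    return [p.name for p in policies if p.conflict <= entitlements]


def check_request(current: Set[str], requested: str,
                  policies: Iterable[SodPolicy]) -> Decision:
    """Preventive check: would granting `requested` complete a toxic combination?

    Only policies that this request completes are reported; violations the
    user already carries are the audit's job and are not blamed on the request.
    """
    if requested in current:            # re-requesting an existing right is a no-op
        return Decision(True, ())
    proposed = set(current) | {requested}
    new_violations = tuple(
        p.name for p in policies
        if requested in p.conflict and p.conflict <= proposed and not p.conflict <= current
    )
    return Decision(not new_violations, new_violations)


def audit(users: Dict[str, Set[str]],
          policies: Iterable[SodPolicy]) -> Dict[str, List[str]]:
    """Clean-up pass over existing identity data: users with SOD violations."""
    report: Dict[str, List[str]] = {}
    for user, ents in users.items():
        found = violations(ents, policies)
        if found:
            report[user] = found
    return report


# Constructed ERP-style entitlements and policies (assumptions, not real data).
POLICIES = (
    SodPolicy("vendor-create-vs-pay",
              frozenset({"AP:create_vendor", "AP:approve_payment"})),
    SodPolicy("journal-post-vs-approve",
              frozenset({"GL:post_journal", "GL:approve_journal"})),
    # a three-way combination: any two of these are fine, all three are not
    SodPolicy("three-way-purchase",
              frozenset({"PO:create", "PO:approve", "AP:approve_payment"})),
)

USERS: Dict[str, Set[str]] = {
    "alice": {"AP:create_vendor", "GL:post_journal"},
    "bob":   {"AP:create_vendor", "AP:approve_payment"},   # pre-existing violation
    "carol": {"PO:create", "PO:approve"},
}

if __name__ == "__main__":
    print("audit:", audit(USERS, POLICIES))
    print("alice -> AP:approve_payment:",
          check_request(USERS["alice"], "AP:approve_payment", POLICIES))
    print("carol -> AP:approve_payment:",
          check_request(USERS["carol"], "AP:approve_payment", POLICIES))
```

The preventive check deliberately ignores violations the user already has so that an unrelated request is not blocked by stale data; the audit pass is what finds and drives remediation of those. A real deployment would also evaluate entitlements inherited through roles and groups, not only direct assignments.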

"This acquisition strengthens CA's ability to continually enhance critical elements of CA's Identity and Access Management suite," Dave Hansen, CA Security Management general manager, said in a statement.

Terms of the sale were not disclosed.

August 7, 2008 12:52 PM PDT

Is Check Point's security profile the broadest?

by Jon Oltsik

Recent Enterprise Strategy Group research points to two evolving trends:

  1. Information security practices are merging into other IT areas, such as regulatory compliance and IT operations.
  2. Enterprise users are leaning toward integrated security suites rather than "best of breed" security products.

With these trends in mind, it is safe to assume that the market advantage goes to security vendors with integrated product portfolios that cover security, compliance, and IT operations. Firms like EMC's RSA Security, McAfee, and Symantec are betting on this happening soon, but these industry heavyweights are not alone.

Case in point: Check Point Software Technologies. The company, best known for its pioneering firewalls and virtual private networks, may be the only one with a security portfolio that covers endpoints, networks, and data. McAfee is close, and all the others have a gap in their product line.

Of course, there are no guarantees here. Check Point's firewall base is constantly challenged by Cisco Systems and Juniper Networks, and the company has to throw some sales and marketing resources at its nonfirewall products to build more visibility.

This won't be easy, but Check Point is building a new execution team that may be able to take it to the next level. Check Point has always had great technology; now it may finally be poised for another round of rapid growth.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group.
