VirtSec Implications from the Verizon Breach Report

The security press and blogs are abuzz with the groundbreaking Verizon (VZ) breach study (pdf). Thanks to Rational Survivability for giving us the link to the actual free report. The report does a few body blows to the massive spin around insider threats coming from the category vendors.  I’m glad that we finally got that behind us. I don’t know how many times I was asked by press and analysts about how we should all be more worried about angry employees.

I didn’t answer those questions directly because I frankly didn’t know what proportion of attacks were from one source or another. Now it appears that the journalists and analysts may have been guessing as well; or at least overly swayed by the marketing hype.

I think there are four noteworthy Verizon Report findings when it comes to virtualization security, again thanks to Hoff:

• 73% of data breaches were exploited by EXTERNAL sources;
• 62% of breaches were the result of insider ERRORS;
• 66% involved data that wasn’t known to be (on the system) accessible;
• 75% were not discovered by the victim.

This takes me back to a panel I was on in Los Angeles months ago. One of the participants asked the security pros in the audience who had been involved with virtualization how many servers they were protecting. None of them knew the answer. I’ll take a guess as to why: the flexibility accorded by virtualization meant that netsec departments would know how many hypervisors they were protecting but not how many servers.

The hypervisor is almost a kind of hybrid server and network appliance, because of the new virtual layer it is introducing into the data center. That layer is typically beyond the reach/enforcement capabilities of most netsec products, especially deep packet intrusion prevention appliances. They cannot see into the new layer and their processing demands mean that it is unlikely that they will ever be deployed inside to protect VMs sharing a hypervisor (from each other). It is much more likely that deep packet network IPS will be used to protect hypervisors from each other, despite the virtualization business case erosion that results in creating elaborate V-LAN trench works.

When you think about the new movement dynamics (flexibility) enabled by virtualization, combined with the lack of traditional netsec visibility into the virtual layer, the Verizon findings should strike a nerve to say the least. According to the study, external sources are already breaching internal assets perceived to be in safe places, unbeknownst to the network security teams.

This is a key reason why I think VMware (VMW) is so much further along when it comes to virtualization security. They formed VMsafe, opened up APIs and invited leading security players to participate. While Citrix (CTXS) (and maybe Microsoft (MSFT)) fiddle with discussions about who owns virtualization security, VMware sends their CEO out to talk about how strategic virtsec is to their business.

This should also raise some interesting new questions for the upcoming virtsec webcast with VMware, McAfee (MFE) and Blue Lane. It might also be a fair question to ask Citrix and Microsoft as they pitch production virtualization.