A Paradigm Shift in Security

Legendary Software Developer, Dan Farmer Changes the Security Game

April 4, 2005

Courtesy of Sarbanes-Oxley Compliance Journal

Jack Martin converses with Dan Farmer, CTO, and Ram Krishnan, VP of Marketing, of Elemental Security. (You may know of Dan through his work in security and the development of SATAN.)

Jack: Dan, you are a legend in computer security and you have a whole new offering coming out today. What have you done?

Dan: Throughout my career, I’ve basically worked alone or with one or two other people – in very small groups, working on very focused problems. While I’ve had a certain level of success in that vein, there’s a class of problems that a single person or a small group of people just can’t solve. At Elemental, we’ve tried to attack such a problem, one that is really big. The problem involves very large enterprise organizations with numerous machines with very high turnover rates, mobile devices, M&As, you name it – very dynamic environments.

Jack: What kind of issues do you think really large enterprise organizations face?

Dan: They would like to have a couple of things. They like to, first of all, know what the heck is out there and to have a real clear understanding of their environment, what’s going on, who’s coming and going and whether it’s people or machines or anything else. Second of all, they have a stack of policies and when I say policy, I mean the expression of your desire. What do I want to see out there? So they have something in their mind that says, okay, I’d like my machines to look like this or I’d like my people to behave like this. So, we allow people to express their policies at a relatively high level and then apply them to this extremely dynamic environment, and either measure the adherence of their compliance with that policy, or enforce the policy and ensure that people are adhering to it, and the machines are complying with the policies. Along the way, as you run the system, it gathers up enough information so that not only can you know what’s going on out there, but it allows you to make an informed decision on your policy and compliance decisions as you go out.

Jack: You’re extraordinarily well known for a product that you co-developed called SATAN.

Dan: Yeah.

Jack: How did you pick the name, SATAN?

Dan: Well, I was driving the car and I was with my partner at the time and I was tossing out words and it was like Security, Analysis, Tool, you know trying to think about a catchy name. She came up with Satan and so I had to scramble to find the last couple of letters and see what they meant, but it was “Security Administrators Tool for Analyzing Networks”. That seemed to be exactly what the tool did. It was for security people, it analyzed networks, and it had a catchy name. I’m as much a victim of marketing as anyone. If you can get a good name and you can get a good brand behind anything - whether it’s a single person doing something or a large organization - that just makes it more memorable and more successful in general.

Jack: The way I see it, you are creating a whole new space with this new product called “Security Compliance Management”. Where did this idea come from?

Dan: I was on a plane coming back from Alaska. I was just visiting my future mother-in-law and we had given her a laptop computer. She had never used a computer in her life. When I left, I thought, boy, if there’s only some way I could give her protection. I knew what I wanted to do, no viruses, no attacks, keep it up to date, all that kind of stuff. But, there really wasn’t anything out there that could do this and so as I was flying back - just sort of staring at the mountains, I thought to myself: you know, actually there is a way that you can do this, but it’s a really big problem. Furthermore, individual people need this kind of protection, but even more so, large organizations need it. Because the individuals are so disparate and they are so scattered in their desires and wants, it’s really hard to get a good sense of what would be good for everyone. But for organizations and enterprises, they have a pretty consistent set of desires. They want to ensure that they have a good patch level, good passwords, that certain groups can access, or not, certain types of resources. Furthermore, they have a real hunger for the type of information that individual people don’t really care about. A person knows how many machines they have in their house or in their apartment. In large organizations everyday, hundreds of thousands of machines are churning and moving around and they really need a level of help that just wasn’t available at the time. So, I thought – this is in late 2002 and the economy was doing terribly – if I could start a company now in these really bad economic times, maybe I’d have something that was actually worthwhile.

Jack: Why is it such a big problem to solve? Is it human behavior or is it a flaw in the way information technology is deployed?

Dan: Well, I’m pretty certain that there’s not a person in the world, when they turn on the computer, flip the power switch, by the time they get the login screen or the desktop, that understands what happens from point A to point B. That’s even if you’ve written part of it; it’s just so complicated. There’s so much going on and some of it’s open source, some of it’s not, some of it’s well understood, some of it isn’t. But, there is dynamism and all this interaction going on, even in a single computer. When you have tens of thousands, or hundreds of thousands of computers, all interacting in different ways, looking at systems in extraordinarily unique fashions, no one has a prayer of understanding what’s going on in that kind of environment, let alone understand what security might be or might mean to me. So, we have this tremendous volume of information, incredibly dynamic environments and a real lack of understanding of the basic issues about security and technology in general. That sounds like a pretty bad situation to me. I think that there’s still a lot that can be done to help people.

Jack: What do you think is the number one security issue facing corporate America today?

Dan: People.

Jack: People in the company or people outside of the company?

Dan: You know computers haven’t been around that long, but they’re starting to get to the point where people are getting really comfortable with them. They are starting to understand how computers are used in a lot of different facets of life and the question is whether, as you see the government and social infrastructure of the world getting pushed online and into computers, if people really start to understand the implications of data loss and compromised systems and the problems with security and viruses and what-not. You know you read about these huge companies losing all these credit cards and all that kind of stuff and people are finally starting to get the realization that it is important and they should pay attention, but we’re not there yet.

For instance, I just read that the IRS called a bunch of IRS employees. A third of them would give away their passwords and accounts to basically random strangers who conned them into it. That’s a serious problem, whether it’s social engineering or just a lack of understanding. It’s a problem if I put a laptop in a corporate environment as a wireless device, or if I had a Bluetooth-enabled cell phone that I walk into Starbucks with, and someone can access my information. The technology and the capabilities of the technology far outstrip our understanding of what they can do. So, until the people can sort of catch up mentally and have a good model of what technology’s capabilities are, the people are going to be the weakest link. It’s not going to be malicious for the most part. There’s a lot of malicious activity going on, but there are these inadvertent things that people do, putting themselves into vulnerable situations and then other people will take advantage of those. The FBI says something like two thirds of all problems are internal and there’s not a heck of a lot of technology that’s going to change that or really protect you against that. So, “people” is absolutely the number one problem.

Jack: This new project that you have over at Elemental, what exactly does it do?

Dan: I like to talk about addressing a problem or trying to understand a situation or making it better. What we’re trying to do is really raise the bar significantly and that’s what I think we do. What the product tries to accomplish is to allow you to express a policy, monitor your adherence to it, and enforce it. What is a policy? It’s an expression of your desire. What do I want to see happen? How do I want my machines to run? So, we allow you to express these desires in very high-level terms. We allow you to disseminate or deploy these policies to systems out in the network and we allow you to compare what’s actually out there versus your desire and tell you what’s really going on. You might call that your compliance.

Along the way we gather up lots of information, tons of information about the activity in the machines that are out there, what users are doing, and how the machines are looking. We send that information back to the central command which allows the people that are using the product to make informed and intelligent decisions as they go on because security systems cycle. You just keep going around and around. You set policies, and you check the compliance. You fix the problems and you are back to your policy setting. We take that cycle and we try to embrace it in all facets.

Jack: What are the key features of this new offering in regards to custom policy language?

Dan: I would say there are a couple of really interesting and important things. Number 1, there’s a set of policies. We have a policy library that has lots of individual policies that people can use for their own environment or to compare against certain standards. For instance we have policies that the NSA has approved, and policies that different security organizations have put forth, and we allow you to take those policies and use them out of the box. Alternatively, we have a policy construction toolkit that essentially allows you to click buttons with your mouse and cut and paste and create your own policy, but the policy isn’t just a written document. It is written at a very high level. ‘Everyone should have a password’ or ‘engineers shouldn’t talk to accountants out of the network’ or whatever you want to say. But, it’s actionable as well. So, you can take these very high level, very understandable policies, and push them out to the systems by this language that’s underneath the hood of this system, which was developed by Guido van Rossum who’s a language luminary in his own right. He came aboard to create a policy language that helps this expression.

The second thing I think is intensely exciting and even more so if you’ve ever done any operational work. To people who haven’t run organizations or really don’t understand security, it can be a little hard to understand, but we have this incredibly powerful notion of grouping – grouping of systems and grouping of objects. Everyone has a different way of looking at the world. An IT professional might say, well, I’m astute in Windows and Unix and laptops and desktops. A network person might say, I think of LANs and routers and switches and bridges and those things. A security professional might think, hey, I want to set policies on our entire corporation or the east coast and west coast or France, for example. Everyone has a different way of looking at the world and what we’ve done is allow people to select groupings of systems. So, I can say things like, the east coast shouldn’t talk, shouldn’t use instant messaging, to the west coast, or the engineers shouldn’t be mucking around with the accounting systems. This involves very high levels of abstraction and this grouping is very dynamic as well. So as people move either geographically or throughout an organization in the food chain, the groupings map to be current and to the current understanding of the environment in itself. You can set up your vision of the world, map it through these groups and then set policies and deploy these policies for these groups. It’s a tremendously powerful, abstract concept.

Jack: I understand you are doing some very interesting work with packet filters. Could you explain what you are doing?

Dan: One of the more exciting things we can do in a very technical, very specific way is that we can deploy packet filters or firewalls throughout an organization without any knowledge of IP addresses or ports or any of that messy, nasty detail underneath the hood. You can talk about concepts and talk about access control based on these capabilities of systems, rather than worrying about what IP address they are or what this low level detail is. That’s a tremendously exciting thing when we can say, I just want to know that my marketing people aren’t talking to the engineers’ crown jewel source code revision server. These kinds of concepts and these kinds of capabilities are powerful. I don’t care about what’s underneath the hood, I just tell you what I want. We’re trying to access policies at a very, very high level of understanding and capabilities.

Ram: There’s a common thread to these technology innovations. When you go back to the problem that Dan described: The real issue is that this is a hard problem to solve in a large scale environment, in a fast changing, dynamic environment. The way you want to address the problem therefore, is by tackling it in a way that will scale and that allows you to be able to think about the issues at a higher abstracted level. So if you think about the language, it’s a way of abstracting your policy expression. If you think about the grouping, as Dan said, it’s a way of abstracting the way that you manage individual machines. Then if you think about the packet filter, it’s a way of abstracting how you communicate network oriented policies and restrictions. In all three cases, these are abstraction mechanisms available to make it easier to keep up with changes in a large environment.

Jack: Dan, a lot of my readers are not technical people; they’re more line of business people. Could you describe in more simple terms what a custom policy language is, exactly?

Dan: There are two components to it. Number one is the component that the user sees and this is a very easy-to-understand English-like expression of a policy. It might be, ‘go in and set a password’ or ‘this group shouldn’t talk to this group’ and it’s in a very high level of abstraction that people can hopefully grasp. Intimately tied to this, we have a special purpose policy language that under the hood actually doesn’t have a listing. It takes these high level abstract concepts and puts them into reality. For instance, one of the things that we do is that we run on multiple operating systems – Solaris, Windows, Unix, and so forth. At the high level you know that you want everyone to have a good password, but at the low level, you might not understand the implementation details on all these different operating systems and how they work and all the nitty gritty details. The language allows you to express things at a high level while it’s doing the heavy lifting under the hood. So, right out of the box you can leverage this policy language that fully does one thing. It just understands policy, that’s all it does. It can’t compute a factorial, it can’t do anything smart, but it knows policies. It knows how to access the network, and it knows how to access files and processes. With this very simple language we can write policies. This language is called Fuel, and we can write policies in Fuel that are married to these high-level concepts and give the user a very nice experience.

Jack: Ram, when a customer thinks about this custom policy language and this Fuel product of yours, from a businessperson’s perspective, what problem does it solve and why would they want to use it?

Ram: The problem that it solves is the issue that is associated with the complexity of expressing policy in a complex environment. So what our language enables them to be able to do is to express their policies in an intuitive way that more closely resembles how they would have written those policies down in a document. So, for the first time they have a direct mapping from what they thought about and wrote down to how they are implementing it in the system. What that does is reduce the time that it takes for them to be able to express those policies and measure compliance against them. That’s a very direct benefit that they can get out of it from a business perspective.

Jack: What type of feedback have you gotten from business people on that?

Ram: People look at this and they say, wow, I understand it, I understand that you have given me a way of being able to express policy now where I don’t have to worry about the implementation details on a Windows machine or a Linux box, etc. They definitely like that aspect of it. They like the fact that we’re giving them a pre-packaged way of being able to get up and running. They come into the system and there’s a template for them to be able to use to get started very quickly. But on top of being able to get started quickly is being able to quickly express some of the policies they desire. It’s very flexible. The power of the language is that it is built on this hierarchical foundation which allows them to be able to customize the policies to whatever they desire. So, it’s both a combination of ease-of-use up front and the power of having the flexibility thereafter.

Dan: The more technical the person that we’re talking to is, the more excited they get and it’s not because they’re excited about getting another programming language or that they want to go out and program it themselves. They really understand the implications - they understand that it’s hard to get the cross-platform capabilities that it has. They understand that it’s really difficult to access the network, files and processes using the same kind of system. So hearing that we have this unifying concept in Fuel, that’s exciting stuff.

Jack: Dan, what is this grouping mechanism?

Dan: We have a mechanism that allows you to place hosts into different groups. The way it works is that you can group things according to who is using the computer - an individual user or a class of users - what the computer is, or by the software that is installed, the hardware that is installed, and all kinds of information, such as what the computer is all about, where the computer is, the geographic location or organizational location, what LAN it’s in, etc. The computer undergoes a temporal shift in and out of groups based on what it’s doing right now. If a machine suddenly starts acting like a server and starts delivering packets to another machine as a web server, we can automatically group that machine into the ‘web server’ group. If a new machine comes along and we haven’t seen it before, we can automatically group that machine into the “new machines that we’ve never seen before” group. By themselves, the groups are somewhat of interest, but when you can start applying policies to them, they become very powerful. We can say this group can or cannot talk to this other group called ‘new rogue devices.’ We haven’t seen you before and we don’t know who you are. So, it’s just another way of leveraging this concept of ease of use and talking in language that people can understand.

Jack: And you call the grouping mechanism function what?

Ram: Dynamic Grouping.

Jack: Ram, from a businessperson’s perspective, with this whole grouping mechanism, how would they use it in their own business?

Ram: There are really three ways that you can make use of the grouping mechanism that Dan described. The first is that it is a way of being able to target the policies that you want to express in the environment, so that you can say I want to apply this set of policies to these machines that are grouped in any of these various flexible ways.

The second is when someone is trying to get a sense for how they are doing from a compliance perspective, and they get a high level view. We’ve tried to really provide a way for a customer to enable the different constituencies that would interact with a system like this. So a high-level security officer type might want to get a very big picture view of how they are doing with respect to compliance. Whereas, a specific administrator might want to drill down to a particular level. As they are getting that information, the grouping gives them a way of being able to filter it, or slice and dice the information when they look at it; it’s a way of filtering those reports to get a view that’s as fine grained or as coarse as whatever they want.

The third important aspect of the grouping is that it allows them to be able to create network-level restrictions or access restrictions again based on those groups. The bottom line is this. The very significant simplified administration using the grouping capability gives them a way of being able to keep up with the dynamic changes in the large environment. That’s the bottom line. It gives a way of being able to allow them to keep up with the changing environment.

Jack: The third thing that I understand you’ve created here is something called a policy-based packet filtering system. What is that?

Dan: Traditional packet filters block packets. What is a packet? It’s a network connection that is taking place on the network. Every time you go to a Web server you make a connection to that Web server and that Web server delivers traffic or content based on your request. Traditionally, firewalls and packet filters base their decisions whether or not to grant you access, based on something called my IP address which is your physical address location on the network.

So because every individual machine has a different IP address, it quickly becomes very cumbersome and very difficult to keep track of all the IP addresses, especially when you talk about very mobile devices such as laptops and PDAs and cell phones and such, that are constantly interchanging their location and their IP numbers, or DHCP machines that are constantly running out of their leases and obtaining new IP addresses. Change also happens in larger organizations with the occurrence of mergers and acquisitions. Also, in typical large enterprises, machines are going to go away and be replaced by new ones every three or four years.

There’s all this dynamism that’s taking place in an organization and if you use a traditional packet filter or firewall, you just can’t keep track of these things, so you just block or protect your machines against very basic attacks. Instead of doing role-based access control, you’re stuck with very low capabilities, blocking a certain port or blocking a certain application rather than addressing the person or the user.

With our system, you can leverage the previously mentioned groupings and you can use those as input to the packet filter, so you can talk at a very high level. You can talk about users – e.g., they’d like to allow a certain set of users, “my sales users” when they’re on remote locations to access my internal mail server. Or you can talk about types of machines. You can say, my servers shouldn’t be talking to other servers, they should be talking only to their clients or the desktop machines. With new machines that come into the organization that are unrecognized or potentially rogue machines, they shouldn’t have access to all these other types of machines. So you can talk about things at very high levels, just exactly as I have described right there. You don’t have to worry about IP addresses, you can forget all that low level detail and focus on the concepts that you want to accomplish. People know what they want, they just don’t know how to say it. They just don’t know how to do it and how to make the machines do it for them. What we’re trying to do is to take their everyday language, well, ‘everyday’ in a “computer geek, technical, kind of everyday way”, and apply it to basic problems.

Jack: Ram, this is a very cool thing that Dan has going here, but tell me, how can a regular businessperson leverage this ability with this packet-based filtering mechanism?

Ram: The best way to think about this is instead of having a separate mechanism for expressing policy in different aspects of a business environment – which is traditionally how people have had to deal with this – they have one policy mechanism for their Unix machine, one for their Windows machines, one for their networks, etc. The important angle here is being able to unify all of these at once. So, we’ve built a mechanism providing a unified policy infrastructure so people can actually express their policies more holistically without having to worry about the different aspects of its implementation. So, as Dan said, for the first time, there is a tool available as part of our product, that implements those policies at the network layer that takes the abstractions of policies and grouping as its input, instead of the technical details of IP addresses, ports and protocols. What that means is, therefore, it gives customers a way of being able to enforce those policies. This is where it just comes into play. We talked about being able to express, monitor and enforce policies in a large-scale environment. The packet filter enables the enforcement side, i.e., you can enforce the policy you desire or also take mitigating actions when required. So if a particular machine is not in compliance, you can take corrective action, or you can take preventive action just to make sure that it doesn’t compromise your overall broader network – to protect the other resources that you have. That’s why your audience should care about this from a business perspective.

Jack: As regulations change as we move forward, does your system adapt to that or do they have to go in and completely start over from scratch again?

Ram: The answer is that it will adapt in the following way. One of the other interesting by-products of the architecture that we’ve created is that we will have a way of being able to send out updates of the policy sets that are provided with our system. So as we described to you, there is a rich set of pre-packaged rules that our system provides that are then packaged up in various ways into the skins that we talked about to implement either specific security standards like the NSA Best Practices for instance, or specific aspects of regulations, such as a skin to implement Sarbanes-Oxley. The point is – as additional regulations or rules or standards get implemented or as they evolve, we have a way of being able to push out to our customers, updates and modifications to the rules that constitute those particular policy implementations.

Jack: Is this why you created a new language?

Dan: In particular, one of the reasons that we went to all the trouble of making this language is that it speeds and hastens new development of new policies and technologies. In creating a new set of rules or new set of policies for the next set of regulations, or if there is a new interpretation of the rules that becomes popular, we can easily shift our existing implementation to another implementation or approach to the problem.

Ram: Taking that a step further, we talked about the notion that while we have a language underneath the hood that it is extensible, there is no programming knowledge that’s required for someone to be able to interact with our system. However, what we’re also doing is we’re making the language extensible so the customers will have the ability to build out their own rules if they desire, for instance custom applications that they may have. So, as the needs evolve in various directions, customers will be able to react and respond, and we give them a way of being able to keep up in terms of their policies.

Jack: So, what you are saying, correct me if I’m wrong, is that if an enterprise customer wanted to use your Sarbanes-Oxley skins today, and 85% of them were something that they actually did and they need, let’s say, another 47 policies, those can be custom written and they can start doing that immediately?

Dan: Absolutely. That’s exactly why we developed the system. There’s no way we can anticipate what everyone wants at any given time, so what we do is we give a good basic policy library along with what our idea of a good, sound, starting point is, and we allow you to extend it to the way you want.

Jack: What should everyone expect from your company over the course of the next 12-36 months?

Ram: What people can expect from us over the next one to three years is this: as you know, we’re coming out with our product for the market now. We have put a lot of effort into making sure that the very first commercial product is substantive in nature and addresses real customer problems. We talked about the idea that we’re building a product that is targeted at the mid to large size organization and that, we believe, already has reasonable scale associated with it. Our focus has been initially on financial service organizations. What our audience can expect from us in the next three years is an expansion of the type of offerings that we have that will get richer in terms of the platforms that it supports. Richer in terms of the policies that we provide out of the gate and with the product, and a broader scope of the types of audiences that we can service so that we’ll have the ability to meet the needs, not only of people, for instance, in the financial community and in the government and high-tech and healthcare areas that we are beginning to get into right now, but a broader set of audiences. Then over time there will be policies, perhaps, that are specific to international audiences, or a company that’s operating in overseas environments, and we can see various ways of expanding our offerings.

Jack: And Mr. Farmer?

Dan: It’s a fine question, I must say. One of the reasons I started the company is because I couldn’t do this myself. I couldn’t get a couple of my friends and start the company, and start this product and produce a piece of software that did what this company does. It’s just too big; it’s just too hard to do by yourself. One of the real joys has been already creating something that was beyond my own capabilities and to see that something which I had in my head actually could get created with all of these millions of dollars that we spent. So as we move on, but nonetheless, as much as we got done and how far we’ve gone so far, we’re still limited in what we can do according to the resources and the time we put in. The next one to three years are incredibly exciting times because we start to really focus on and address more and more of a wider set of problems and real world problems that people have.

The great thing about technology, when used correctly at least, is that it can really help people out. The basic value proposition of the company as I see it, we allow people to express their desires, see if they’re true and make informed decisions. That just sounds like a great thing and as we move forward we are going to allow people to express more and more and allow them to understand more and more what’s happening out there and it’s an incredibly exciting time.

Ram: What we’re doing is providing a way of enabling the enterprise to measurably improve security and to satisfy compliance requirements.
