The river, or, another break in the firewall

Written by Eh’den (Uri) Biber

Sometimes talent seems to come with an amazing self-conviction, and Nir Zuk in a strong example of such case. The extremely articulated security master performed last evening in front of a positive audience with huge self conviction when he presented the vision of his company, Palo Alto Networks, to a group of excited security managers in the SAP lounge, Brussels. (That’s Brussels, Belgium, Europe, the other side of the world to my fellow Americans. You know, a guiding tip in case you get lost in google earth…). The presentation finalized another successful security event organized by L-Sec, “Information Security Management 2010”.

 

One thing for sure, the world has changed so much since I got my first computer – a ZX-81 – for my Bar-Mitzvah. As Nir was saying during his presentation, at the beginning the main infection mechanism was those “floppy disks”. If you think about it – at those times we had to physically get hold of a copy of a game from a friend in order to have it, who got it from someone else, who got it from…probably some old dude who had a flu. Geez… so unclean !!!!

Nowadays no one tries to protect from a floppy infection (except maybe the Iranians…).

The river

The Computer world is evolving so fast that unless you develop the ability to understand what the hell is going on it might seems to you as if it evolves peacefully – But that’s only an illusion, similar to the same 24 frames per second illusion we like to call “movies”. In reality, the changes are extremely drastic, fast, and in an era where everything is digital companies are loosing their position in the market because they are mistaken in thinking this river is flowing peacefully. But my god, it doesn’t.

The paradox is that the bigger the organization is the more chances it’s management will fail to understand the nature of this river. They will fail as they are required by the shareholders to focus on long term objectives, and “long term” is a term that doesn’t really goes along with the information era revolution.

This is the perception most people have when they think of the information revolution river:

But this is how the information revolution river looks like if you try to ride it:

Let me give you an example – does anybody remember that in 2005 Rupert Murdoch paid 580 million dollar for myspace? My kids don’t even know what myspace is but everyone they know about “facebook”. Ask Rupert Murdoch, I am sure he would rather have spent that money on a time machine to let him travel back in time and prevent him from doing that…

In this new world where everything is digital, platforms of web-based applications use HTTP/HTTPS protocol to do things which do things that do not resembles to anything what most management will think of when they hear the word “web Traffic”. Take for example gmail – You get VOIP and chat, and file transfer, and peer-to-peer and whatever… all being tunneled to consumers (AKA corporate employees) via a tunnel, a tunnel most organizations knows nothing what’s going on inside of it. Tunnels, in case you don’t know, are what the people who want to get your information love most. Ah, and most online criminals are not as dumb as the following thieves …


That brings us to Palo Alto Network, Nir’s Post Traumatic Security Order, a creation of a person who is a visionary, a person who decided he wants to change the security world (in his case, once again). Yes, another firewall. Some people invent ipods and iphones and ipads, this guy invents firewalls.

If Security was music, Nir was probably the Israeli Roger Waters of the security world. Yep, I said it, and it will haunt me for the rest of my life, but how will you call someone who has a BMW with a license plate CHKPKLR – acronym to “Check Point Killer”? He is passionate about security, he has a vision and he sticks with it – even when most people will say “Where are you going? the money is here!!!”

Nir made career decisions which seems non logical to anyone who ever wanted to be rich the good old fashion way. If this guy wanted it, all he had to do was to stay where he was and choose the “keep my mouth shut and get filthy rich” attitude. He didn’t. He was the 7th employee in Checkpoint and left to create OneSecure, who was bought by NetScreen for 45 millions, who was bought by Juniper by 4 billion dollars. And then he left.

A remark to the younger audience – my suggestion is – you can always say “fuck off” – but remember that unless you want to live at your parents home till you’re 40 you can only do it if you’re really, really, REALLY smart. And if you got the balls the size of the grand canyon to come back home and tell your wife you quit another job LOL

So what is Palo Alto Network all about? it’s a start up company which brings a revolutionary approach to the way network security is done. Palo Alto developed a security product that makes sense in this world – meaning – if firewalls are protocol, port and IP driven security appliance, Palo Alto Network security appliance is application, identity and content driven. A huge conceptual change. Their appliance unwraps the encapsulation, identify the applications and gives you as security manager what you want to know, without a performance hit that will paralyze your network.

A comment to any non-technical reader: First – I must ask – what the #$!@ are you doing here? This blog is for boring security people! Go away!!!!

If you still here – one of the biggest challenges “normal” firewalls have is the fact that if they try to find out what’s going on, due to their design they go need to go via multiple cycles to do so, while Palo Alto product does it in one pass.

Palo Alto Networks solution is not just a “better” security solution when compared the current firewalls technologies – this is in my opinion how it perform vs. the “current” generation of firewalls most organizations have:

This puts us who work in Security in a place we don’t like to be in. Over the years security managers have been selling their organizations the notion that firewalls protect them. It’s been done for so long that the idea of going to the organization’s management to tell them they need to replace their firewalls scares the $hit out of them.

The hunt (an imaginary short play)

(Corporate conference room, the IT Steering committee is discussing IT projects, after 3 hours of discussions they reached their last topic of the day)

“And now for the next subject, John our CISO (Chief Information Security Officer) wants to raise a new project. Yes John, what’s this Palo Alto thing?”

“Ah…hmmm…. Well, we wish to initiate a migration project of our current firewall infrastructure”

“Wait, didn’t we replaced it two years ago? Aren’t we suppose to have a discussion about the next migration in 2 years from now?”

“Well…It’s true… BUT… we realized that (John is talking in a really low voice)”

“Excuse me John, we can’t hear you”

“Hmm, I said (again, really low tone)”

“I’m sorry John, can you please talk normally?”

“Well, I was saying… (takes a big breath)… We need to replace our firewalls because we realized that do not protect us anymore”

“WHAT?????”

(John drops his stuff and runs away from the room while the whole IT steering committee runs after him with big knifes)

[END OF PLAY]

I think most security managers out there will agree with me that to go to management with such a drastic suggestion sounds crazy and risky. And big organizations don’t like the words drastic, crazy, and risky. The management look at this “river” of the information age and see it as a quiet stream, and trying to take away this picture from them is like taking away from a child his favorite toy – most chances they will operate in “shoot the messenger” mode. Security managers who dare to go to their board and disturb this utopia dream are most likely to be faced with questions like “WHY are we not secure, how come you didn’t tell us about it until now, for how long we been not secured, and why do we even pay you because obviously you don’t do your job well”.

But it’s a startup

Palo Alto Networks is a startup. I know. I agree. Corporations hears the word “startup” and they automatically fear that the company they bought it’s technology will fade away, as so many start-up company did.

But what’s riskier? to keep the current technology that does not protect your organization, hoping and praying every day that someone will not hack you “in your shift”?
Of course we can always close our eyes – and it works great if we are in bed, but working in IT is more like a driving fast car – you don’t want to close your eyes for too long or else you’re going to fall off a cliff…

So I think we don’t really have an option. If you’re a security manager, and you can comprehend what Palo Alto is doing you can either close your eyes and convince yourself that no one wants to hack you, or that no one can. If you do, I suggest first consulting with the Iranians or with Google – they assumed they were secured. In our fast moving river of information technology changes a firewall stopped being an effective security appliance and turned into a compliance appliance. They will help you pass an audit, but they will not reduce the real risks out there which lies in the underwater current of the river.

Our biggest enemies can help us find our greatest virtues, our biggest virtues can be our greatest enemies. The risks organizations face can force them to become more secure, hence become more business aligned. The security infrastructure organizations have can be it’s greatest enemy if the management think that once it was deployed they can rest until the infrastructure will be phased out of support. Security is not an operating system, security is an ongoing, never-ending, always growing and evolving river. Yes, I know, it’s exhausting to be able to keep up with all the changes, but unless organizations learn how to alter their swimming styles they will drown.

 

Final words (or yes, I can shut up)

Our role, as security experts, is above all to be honest – the company we work for is in a risk state if the current infrastructure we have is vulnerable/outdated and trying to “fix it” using the same firewall technology will not work. This risk state is going to cost our organization much more than fixing it, and it can even kill it.

That’s why Palo Alto is so important, and that’s why it’s a startup – it brings a revolution, it allows us to reduce the risks we face – and it does so in a pretty awesome rhythm.

So thanks again to Nir for coming over and sharing with us his vision, considering it was his third presentation that day, he did it pretty well (morning – Antwerp, Noon – Luxembourg, Night – Brussels). And you got to admit that even the name they had chosen is more than symbolic, choosing the name of the city where the most important center of innovation was in the 70s and beginning of the 80s was. (If you wanted another proof why Nir is the Israeli Roger Waters of the security world then… go no further :)).

Will Nir stay in Palo Alto Networks forever? I doubt it, because I believe that throughout time he will wander to other parts of the river which are unknown to him and us at this point. But for now, his company is bringing to us one heck of an innovation, and I believe we should all be appreciating it – regardless if we like Pink Floyd or not…. 🙂

Creative Commons Licence
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s