Posted by: Greg Ness | June 13, 2008

Verizon Breach Report Raises VirtSec Implications

Can we finally put the “Angry Insider” Hype to Rest?


The security press and blogs are abuzz with the groundbreaking Verizon breach study.  Thanks to Rational Survivability for giving us the link to the actual free report.  The report does a few body blows to the massive spin around insider threats coming from the category vendors.  I’m glad that we finally got that behind us.  I don’t know how many times I was asked by press and analysts about how we should all be more worried about angry employees.


I didn’t answer those questions directly because I frankly didn’t know what proportion of attacks were from one source or another.  Now it appears that the journalists and analysts may have been guessing as well; or at least overly swayed by the marketing hype.


I think there are four noteworthy Verizon Report findings when it comes to virtualization security, again thanks to Hoff:

  • 73% of data breaches were exploited by EXTERNAL sources;
  • 62% of breaches were the result of insider ERRORS;
  • 66% involved data that wasn’t known to be (on the system) accessible;
  • 75% were not discovered by the victim.


This takes me back to a panel I was on in Los Angeles months ago.  One of the participants asked the security pros in the audience who had been involved with virtualization how many servers they were protecting.  None of them knew the answer.  I’ll take a guess as to why: the flexibility accorded by virtualization meant that netsec departments would know how many hypervisors they were protecting but not how many servers.


The hypervisor is almost a kind of hybrid server and network appliance, because of the new virtual layer it is introducing into the data center.  That layer is typically beyond the reach/enforcement capabilities of most netsec products, especially deep packet intrusion prevention appliances.  They cannot see into the new layer and their processing demands mean that it is unlikely that they will ever be deployed inside to protect VMs sharing a hypervisor (from each other).  It is much more likely that deep packet network IPS will be used to protect hypervisors from each other, despite the virtualization business case erosion that results in creating elaborate V-LAN trench works.


When you think about the new movement dynamics (flexibility) enabled by virtualization, combined with the lack of traditional netsec visibility into the virtual layer, the Verizon findings should strike a nerve to say the least.  According to the study, external sources are already breaching internal assets perceived to be in safe places, unbeknownst to the network security teams. 


This is a key reason why I think VMware is so much further along when it comes to virtualization security.  They formed VMsafe, opened up APIs and invited leading security players to participate.  While Citrix (and maybe Microsoft) fiddle with discussions about who owns virtualization security, VMware sends their CEO out to talk about how strategic virtsec is to their business.


This should also raise some interesting new questions for the upcoming virtsec webcast with VMware, McAfee and Blue Lane.  It might also be a fair question to ask Citrix and Microsoft as they pitch production virtualization.


Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: .  These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s


%d bloggers like this: