Eugene Schultz, CTO at security event management company High Tower Software for the past year, loves to look for trouble. His background includes starting up and managing the U.S. Department of Energy’s Computer Incident Advisory Capability and co-founding the Forum of Incident Response and Security Teams (more recently, he was principal engineer at Lawrence Berkeley National Laboratory and a computer science professor at the University of California at Berkeley). Network World Senior Editor Ellen Messmer recently met with Schultz to discuss security information management as well as other topics, such as computer-based voting machines used in elections.
What’s the experience been like at High Tower after your career in academia?
I had been consulting for them, and after I retired from Berkeley, they hired me as chief technical officer last July. I’m their technical visionary; I keep up with what’s going on in technology to determine how we can have an advantage. I also help manage the product to make sure the company’s going in the right direction.
What’s that meant so far?
When I came to High Tower, I didn’t like the product in terms of the rules they had for event correlation. They didn’t make sense to me. I helped them rewrite those and aim for deep-pattern analysis based on my intrusion-detection experience. I did like their user interface and thought the report capabilities were good.
The field of security event management (SEM) — sometimes called security information management (SIM), though definitions differ on these terms — is still fairly new. Why do their corporate customers use SIM/SEM products when ramp-up costs can easily reach US$100,000?
[High Tower] is much less expensive, less than a third of that. There is a huge impetus for organizations to use SEM because the task of going through their logs is overwhelming. Our customers are looking to determine breaches in the network. It could be an insider or outsider.
Is this event correlation done in real-time?
There is no real-time in my humble opinion. But there’s near real-time.
Intrusion-detection systems (IDS) have evolved over the years where the underlying analysis is now deemed accurate enough to be used not just to monitor but to block attack traffic, giving rise to network intrusion-prevention systems (IPS). But SIM/SEM products don’t seem to be used to block traffic in general. Why would that be if a product’s analysis is accurate?
The blocking capabilities of products have been disappointing and very business-disruptive. [Blocking] is on our road map but we won’t do it in a disruptive manner. In a nutshell, [the problem] is IP spoofing. If you try and block that today, you’ll likely block a legitimate address. For instance, Verizon got hit by a lawsuit three months ago because they were blocking IP addresses ostensibly used for legitimate business. With SEM, we’re trying to give you a fast decision-making tool rather than this all-in-one automation. I’m a strong believer in defense-in-depth and I believe human judgment will continue to be an important element in security decisions.
What’s next for SIM/SEM products, what do they have to address?
Performance — they simply can’t work fast enough. They lose events.
Beyond the topic of SIM/SEM, what security issues in general do you find important today?
Electronic voting machines with lack of quality assurance. We should be shifting to federal oversight. It has to go this way, just like voting rights had to be federalized. Quality assurance should be something similar to the Common Criteria [product evaluation program] used by the military. This is more important than the military.
Should commercial operating systems, particularly Windows-based ones, not be considered for use in computer-based voting machines?
Earlier versions of Windows were dreadful candidates for voting machines.
But whatever operating system it is, I would entertain the notion of a massively stripped-down operating system. Linux would be ideal, but it’s a statement of religious belief to say Linux has fewer vulnerabilities than Windows.
What other security topics are important?
Systems control and data acquisition (SCADA) systems. With a research team from Information Systems Audit and Control Association, I wrote a report with the conclusion that not only are SCADA systems wide open but they also provide attack gateways to other business and operational systems. People suppress the news of it, but there have been serious events in SCADA systems.
Any final thoughts?
Security is not a technology issue, it’s a people and management issue. That’s the main thing.