Thursday, December 29, 2011

Anonymous Analysis

Josh Corman (cognitivedissidents.com) and Brian Martin (attrition.org) are putting together some very pointed and well-researched analysis of Anonymous, including history and a fact/fiction dissection, here. Some high-level takeaways include: their call for transparency while remaining a closed anonymous movement (or idea); the high amount of collateral damage to persons whose PII is released in attempts to teach corporations security lessons, while the movement is supposedly for the "people" to begin with; and that calls to label Anonymous a terrorist organization would likely lead to a cyber version of the Patriot Act. All good stuff, and perhaps the most poignant quote nestled in the analysis:

"When threatened ... powerful, uninformed people make powerfully uninformed decisions"

Saturday, December 24, 2011

A day of rest

SOPA. NDAA (Don't worry, we won't actually USE the power given to us to indefinitely detain US citizens on US soil outside of our judiciary system, but we want the option <- hello Patriot Act being primarily used in drug busts). China. Iran. France is the most active espionage nation state. National economies being decimated by theft of innovations. OWS not targeting the right players and utilizing their now diminished strength poorly. Anonymous/LulzSec executing against equally wrong targets and fueling much of the current pending Internet restriction and privacy violations (hint - target the people who actually care about their public images e.g. politicians/lobbyists and THEIR money trails, not the ones who know they most likely profit even more during times of active dissent against them). CxOs still viewing security in terms of economic loss, thereby taking greater business risks even in the face of what surely is the highest-impact year to date for business loss due to CHEW (Criminal, Hacktivism, Espionage and War <- thank you Richard A. Clarke). And so forth.

This past year was an exciting ride, and it is going to get crazier in 2012. Having said all that, I need a break, even if it is just a day. It is the day before Christmas. I have tremendous respect for faith. Mine may not take the form of the traditional usual suspects, but provided your faith isn't being forced upon others, I have the utmost respect and will abide by that rule myself. So I will relax in front of a roaring fire in the fireplace with my family and appreciate not only them but my personal and workplace friends, industry associates from whom I learn on a daily basis, the hacking community who, as ironic as it sounds, makes great, if sometimes unintentional, steps in securing our assets further, and all of the actors in the previous paragraph for making life as exciting as they humanly can.

Just don't forget about that human part. Cheers to all.

Friday, November 4, 2011

Infosec Summit Talk

Well, I successfully scared the daylights out of another roomful of summit attendees. Which is good. See my previous post on Replacing FUD. Fear is good. It is the uncertainty and doubt that need to go. I suggest, through process, replacing them with Understanding and Confidence. So with my talk on Security Economics and the Battle against Patience, I feel I succeeded on several levels. The most important statements would be the following:

  • Espionage is rampant, both nation state and industrial
  • China has been given the source code to virtually all of the Windows Operating Systems and associated applications, is actively looking for new, previously unknown vulnerabilities and has not yet contributed one CVE
  • Advanced Persistent Threat (APT) is poorly named - the only difference between these newer attacks and any prior is patience, and I wouldn't call that advanced, even though we as a culture have forgotten what patience is (instant gratification through SMS, twitter, facebook, blah)
  • Our adversaries are looking to steal our economic competitive advantages above and beyond intellectual property and trade secrets - business models, sales playbooks, project management methodologies and research papers - in an effort to close the gap
  • The gap is actually our innovation, and our innovation is being silently and patiently stolen
  • That innovation theft directly impacts our national economy(ies)
  • Low probability/high impact, which is cost prohibitive to protect against, has become fairly common/high impact
  • Focus your security dollars on controls closest to your user, closest to the human
My recommendations:
  • The Human - Security Awareness (REAL security awareness programs, not your SOX compliance checkbox program)
  • Next closest to the human - Identity Control Systems
    • Systems that can, based on your authentication credentials, dynamically create access control lists throughout the network and enforce policy based on what you should be allowed to access
  • And next closest - Host Based Application Whitelisting
    • Only allowing the execution of known good applications, thereby mitigating most malware techniques
Last word:

Your success and/or failure at reducing business impact within your own organization directly affects our nation's economy (no pressure).

Good Night, and Good Luck.

Tuesday, October 25, 2011

Updating Security Strategies

There were many talks at DerbyCon a few weeks ago on PenTesting and Social Engineering and how humans are still the best way to gain access to systems. Mobility devices are commonplace in most organizations. The Chinese have thousands of "consultants" poring over the source code for all of the Windows Operating Systems and applications looking for new vulnerabilities because Microsoft wanted into the Chinese market and caved and, well, gave it to them. To those who have not already altered your course: you are overdue to overhaul your business security strategies.

Today, IMHO, it is imperative to secure your business assets as close to the human as possible. And that starts with REAL security awareness programs, not your SOX checkbox "program". I was walking around the campus of my University alma mater this past weekend and was delighted to see and recognize posters from Lance Spitzner's Securing the Human awareness training hanging everywhere. If a private University can proactively invest in a training program to enhance the security awareness of its students, you without blinking should be doing the same for your employees who have business use case access to your intellectual property, methodologies and innovations.

The next closest area away from your employees' brains is identity systems. Systems can now go well beyond the standard authentication/authorization controls: active, real-time inventories of every device connected to your network and profiles of what those devices actually are; device-based authorization (you are allowed access to sensitive areas on your corporate laptop but not on your personal smartphone/pad, etc.); authenticated user policy enforcement through posture assessments; and identity tagging at the IP packet layer. How sexy is that?

And finally comes the host-based controls. My preference is application whitelisting, which can be a challenge depending on the sophistication of your data classification and approved applications programs (if they even exist). But assuming that people are going to click links and trust bad people, preventing malicious code from executing on your systems is a no-brainer. If you're not on the list, you can't come in.

Awareness, Identity and Whitelisting are the three most critical controls to invest your security dollars in today. Mitigate the urge to click things, understand and control what is connected to your network and who is on those devices, enforce conformity to your standards, prevent unauthorized access to sensitive data and only allow business-approved applications to run on your endpoints. Simple.

Friday, October 14, 2011

Post DerbyCon

I meant to put up a DerbyCon wrapup but didn't get around to it until now. For an inaugural Con it was pretty impressive. I think I read there were 1,000 attendees over the three days. Great sessions. My short list includes:
  • HD Moore
  • Johnny Long (Hackers for Charity)
  • Mitnick/Kennedy
  • Nickerson
  • Joe Schorr
  • Carlos Perez
  • Boris Sverdlik (Your Perimeter Sucks)
  • Chris Roberts (terrifying)
  • Jayson Street
Adrian/Dave/Martin's training sessions were excellent. A great event that I will definitely plan on attending again.

    Replacing FUD

    I've been thinking about this for a bit. Vendors and InfoSec pros alike use Fear, Uncertainty and Doubt to sell their gear and services. I like Fear. It is a great motivator and, as long as you resist the temptation to panic, you (well, at least I) tend to rationalize options, engage in constructive decision-making discussions and formulate solutions that reflect both business goals and protection of assets. So I say keep the Fear! It's the Uncertainty and Doubt that we should clearly have issues with. IMHO Security Awareness should be an essential element of your enterprise security architecture. REAL awareness, again, not your SOX checkbox. With awareness comes Understanding. And the direct result of Understanding your InfoSec Fears is the Confidence to meet them head on and be able to effectively manage your business risk decisions. Sound advice, I say, and a nice little elevator pitch at that.

    And you can't beat the acronym.

    Wednesday, September 28, 2011

    DHS says that's not a bug, that's a feature re: ICS

    Threatpost has an interesting article on how the Department of Homeland Security is going to begin reclassifying vulnerabilities in Industrial Control Systems (ICS) and not create ICS-CERT alerts for vulnerabilities that are deemed "design flaws". Like ICS communications transmitted in clear text. The explanation is that clear text transmission, or better stated as the lack of secure communications, is a design issue across the board that is too big to be considered a "bug" the way a buffer overflow in an application would be. So they are not going to issue an ICS-CERT security advisory about it.

    Given that other vulnerability management systems such as the CVE DB, Secunia and the like all create vulnerability announcements on design flaws such as clear text transmission, why should the DHS act any differently? Perhaps there are so many inherent design flaws in business critical ICSs that they are worried the resulting alerts would scare the kittens out of people in the light of the enhanced press coverage of so many high profile intrusions within the last 8 months.

    Or ICS vendor lobbyists. Could go either way.

    Wednesday, September 21, 2011

    Richard Clarke joins Bit9 board

    I've been a long-time fan and supporter of Richard Clarke. This is the man who served under four presidents, most famously on the National Security Council as the Counter-Terrorism Czar. And the man who, along with his team, read the intelligence correctly prior to 9/11 but was conveniently ignored. The man who was (if memory serves) the only person on active duty in the administration in the wake of 9/11 who, during the 9/11 commission hearings, ever actually apologized to the American people.

    "To the loved ones of the victims of 9/11, to them who are here in this room, to those who are watching on television, your government failed you. Those entrusted with protecting you failed you. And I failed you. We tried hard, but that doesn't matter because we failed. And for that failure, I would ask, once all the facts are out, for your understanding and for your forgiveness."

    Post Iraq II invasion, Richard Clarke became (probably in frustration combined with intel and foresight) the "Cyber-Security Czar", focused on the cyber threat to the American government, military and industry/commerce sectors. His book "Against All Enemies" (2004) is his memoir/account of the events leading up to 9/11. His book "CyberWar" (2010) is a fairly accurate look at many of the internet-based threats to the U.S. as well as the world as a whole, although some statements contained in the book are disputed within the security industry.

    It was announced today that Richard Clarke has joined the board of Bit9. Those who know me know that I have, since the demise of the Cisco Security Agent (CSA), been singing the praises of Bit9's application whitelisting solution Parity, after months of solution research for a true endpoint security solution. I will be very interested to see what impact Mr. Clarke has, if any, on the company and its business goals and direction. Regardless, I am of the opinion that his backing of this organization isn't just fluff and showbiz. The technology is sound and his experience in thirty years of intel, counter-terrorism and cyber-security gets that.

    Personally, I hope my optimism isn't disappointed.

    Wednesday, September 7, 2011

    DNS and SSL attacks - further evidence that the internet should not be used for critical applications

    The DigiNotar certificate forgeries and the NetNames and Asico DNS hosting break-ins, which resulted in DNS entries for several prominent websites being redirected to malicious and unauthorized sites, just reinforce the fact that we are pushing the limits of "security" on the internet. Technical limitations of SSL and DNS (even DNSSEC) aside, this is all about good housekeeping and avoiding the false sense of security that tends to fog the issues when nothing bad has recently occurred. Let's go over the list:

    • The lack of network segmentation
    • Unpatched applications
    • SQL Injection
    • Poor password management
    • Out of date Anti-Virus

    Oh, and a bunch of monkeys in charge of internet critical systems asleep at the wheel (well, tire ring, anyways).

    Security is most effective when the data owners understand the concept of accountability, so when there are no regulations/standards to hold accountable the organizations that provide security-critical systems such as Certificate Authorities and DNS services, what do we expect? These are systems we inherently trust (another issue of the "human element"), yet they are dropping like flies due to the same issues we "experts" have been screaming about for at least the past decade.

    Either regulate with accountability the security critical services on the internet or stop using the internet for critical applications. It's that simple. You know, aside from the whole unregulatable aspect of the internet we all know and love. Which ergo means stop using the internet for critical applications.

    <kudos to Brian Honan for succinctly summarizing some of this in a recent SANS post>

    Friday, August 26, 2011

    Krypt3ia - From China, With Love ... Thank you

    Thank you Krypt3ia for this post and the relevant links to Chinese cyber-operations from 2008 on. Please refer to my previous post and the call to make more data loss breaches public in an effort to illustrate scale. None of this is new, so why are you all so shocked and wide-eyed?

    Go F-Secure - Researcher finds the RSA email in VirusTotal haystack

    F-Secure researcher Timo Hirvonen (who sounds like he should be playing in the NHL) recently wrote a tool to look for Flash objects in the gigantic DB that is VirusTotal and came up with what appears to be the exact email that was sent to EMC/RSA employees, with the attached Excel file that included the malicious Flash code that was eventually opened. The rest is now history and the security giant is still keeping relatively quiet while looking at the world now through a bruised and blackened eye. The Network World article spells it out very well so I won't get into the details, but what it clearly illustrates to me is the expanding need for things I've touched upon before (here, here and here, and in this interview):

    1. Data loss needs to be publicized much further so the general public (and press) has a better understanding of the scale of what is going on in the cybercriminal and nation-state espionage worlds
    2. REAL Security Awareness programs. Lance Spitzner's work on Securing the Human is excellent and take his SANS course, it's great.
    3. Application Whitelisting. If you are only allowing business approved applications to run on your hosts, you have thwarted the ability to run malicious code.
    4. Identity based profiling, authorization and access controls. Identity at the packet layer and the ability to tie that back to an authorization directory and create dynamic rules on the fly for what that packet (person) can access. You now have an inventory of everything that is authorized to connect to your network, where they are and what they can do. That almost sounds too good to be true, and, yes, I'm specifically referring to Cisco's ISE. Just wait until they add NAC posturing to it.
    5. Information classification programs and policies. KNOW what you are protecting and its business criticality.
    6. Peer groups. Executive periodic peer group discussions to review trends, methods, controls and metrics.

    Wednesday, August 24, 2011

    China's PLA video - accidental or a strategic showing of their hand?

    It's being called the "smoking mouse" already. This state-sponsored propaganda video, archived on F-Secure's blog site, has already been removed from the PLA's site (or at least been edited to remove the images of the PLA hacking tool). It clearly shows that the tool is from the People's Liberation Army Information Engineering University, so the obvious conclusion is that China has been outright lying (*gasp*) to the rest of the world when denying any involvement and/or sponsorship of the gaggle of recent cyber-crime incidents. But was it truly accidental? China has a history of flaunting their espionage feats in the face of the U.S. (David Wise's book on U.S./China espionage, Tiger Trap, is excellent), so one has to wonder if it may have been another event in a long line of examples of China showing their adversaries one of the cards in their hand to remind everyone that they still have assets the rest of the world should worry about. That it would be unwise to ignore their capabilities. Which is absolutely true. It just seems a little childish if this were the case.

    Thursday, August 11, 2011

    EMV coming to America

    I was very pleased to read this article, which reports that Visa will be pushing for and eventually requiring any company that processes Visa transactions to support EMV cards by 2013. This is great news, as EMV cards (short for Europay, Mastercard and Visa) are in wide use in Europe and greatly increase transaction security through a cryptographic chip on the card itself that replaces the magnetic stripe, making it much more difficult not only to grab transactions off of the wire but also to use stolen credit card info.

    The U.S. has largely ignored implementing these better controls because of the cost to every company that swipes cards of replacing their existing Point of Sale equipment with new gear that supports EMV cards. So as an incentive to retailers, Visa will waive much of the cost of PCI-DSS compliance validation if companies have at least 3/4 of their POS systems EMV capable. It seems entirely feasible that if EMV cards provide end-to-end encryption from card to processor, PCI-DSS scope may drastically change, with most businesses like gas stations, convenience stores and restaurants that never store card data no longer having to even think about whether or not their systems and networks are secure enough to meet today's PCI-DSS requirements, and therefore no longer needing expensive remediation controls. Keep an eye on this one.

    Wednesday, August 3, 2011

    Shady RAT and national economies

    McAfee yesterday (8/2/11) released a pretty amazing study on 72 major global cyber-compromises over the last 5 years that were all exceptionally related and were most likely initiated by the same nation state. The Register has a good summary here.

    Here is my 2 cents. The game has changed. There is something about your organization that sets you apart from your own competition, makes you stand out among the crowd. Whether it is your sales processes, your business model, your innovative ideas or your project management frameworks. Let alone your legal documents and email archives. All of these are being targeted in an effort to gain international competitive advantage, and this results in further lack of economic growth in the countries they have been exfiltrated from. In the U.S., as well as most other nations, national economic security is reliant on the security of every organization and company that contributes to it. And every organization and company that contributes to it is responsible for securing its own business-critical assets. I've posted my own views on this before. Security is subjective and there are no effective standards that everyone must conform to regarding the protection of their own methodologies, secrets and intellectual property. There may never be such standards, which means a heightened awareness must be developed and cultured. Peer groups encouraged to discuss methods, controls and metrics. Data loss needs to be publicized so the general public begins to realize the scope of what is happening. And for the love of whatever you may find holy, people, stop allowing weak passwords. I've been in this industry almost 20 years now and weak passwords and policies are STILL one of the top mechanisms of compromising systems. If we can't improve on that one in 20 years, how can we have faith that all the companies that today support our nation's economy are able to defend themselves against the latest zero-day vulnerability that was spear-phished to a member of their executive council?

    Monday, July 25, 2011

    Wednesday, July 20, 2011

    Shackleford and InfoSec IDGAF

    Speak softly and carry a big stick rarely applies to Shackleford, as his opinions are almost always as blunt and in your face as the American Gladiator style weapon he uses as his stick is big. And in his latest blog post he does not disappoint, introducing the concept of IDGAF security and designing for this lowest common denominator. Great stuff. Application whitelisting and NAC are two of my own favorite big sticks (check out Cisco ISE, identity at the packet layer, mmmmmmm) but my only bone to pick is the lack of definition of the term "traditional" in his statement "Traditional security awareness programs are useless. Give them up. Do it now." My assumption is that "traditional" means the existence of a weak security awareness program simply to satisfy the compliance checkbox and that has no teeth. To which I would absolutely agree. But when you have the technologies with teeth meant to enforce policies, those policies must first off exist and secondly they must be communicated throughout the business. And this should be done through "non-traditional" security awareness programs.

    Oh, who am I kidding? IDGAF.

    Tuesday, May 31, 2011

    InsecurID? RSA/Lockheed - Another example of media jumping on blog speculation

    A client and associate of mine were talking further about the risks to our organization in the wake of the latest RSA associated news wave with Lockheed Martin. I'm not saying that the accounts blogged by Cringely on his recent post aren't the events that actually occurred. They might be. But it does appear to be one of the first posts about the Lockheed Martin incident. And it does contain a number of words/phrases such as "probably", "seems likely". And it is being referenced as a source in other media reports on the events. Now this is absolutely not a knock at Cringely's cyber-sleuthing skills. It absolutely is a blast on verifying data, using blog speculation as news sources and creating news "facts" that may or may not be accurate.

    Note my use of the phrase "may or may not be". That might be reported tomorrow by Reuters as true.

    Monday, May 23, 2011

    Facebook introduces 1-1/2 factor authentication

    And collects more of your PII in the meantime by requiring your phone number. I hope Google authenticator gets an API and becomes widely adopted. Facebook post here

    Tuesday, April 12, 2011

    Real world costs of APT to American Taxpayers

    Bejtlich's analysis of a new report on the costs of the new USAF bomber and how much of those costs have increased due to China's APT program ($8B). That's just for this one project that falls under the Special Access Program. Tip of the iceberg, anyone?

    Friday, April 1, 2011

    DLP vendors and the top three threat vectors (OUTSOURCE!)

    I've spent quite a bit of time over the last 6-8 months evaluating Data Loss Prevention solutions for several clients. Apart from the obvious (DLP pre-requisite of having an established data classification policy/program in place), the common thread across several verticals is the top three threat vectors being (gasp) Web, Email and Removable Media. What has surprised me the most during this process is how few of the leading DLP vendors actually can truly address all three. The buzz phrases du jour are data in motion, data at rest and data on the endpoint (which in most cases means managed assets like mobile laptops and not unmanaged devices like smartphones and tablets like the iPad). But how important is the fact that few vendors can adequately address all three vectors? Yes, a single vendor (best of breed or not) having a single interface to manage all three primary threat vectors (regardless of where the data actually sits) would be a best case scenario (budget not included). But I have also repeatedly made the argument that Web and Email threat vector mitigation are two of the easiest business responsibilities to outsource, and there are enough enterprise level SLAs out there to make that decision a no-brainer. So that technically (at this blog post date) leaves the removable media threat vector the last of the three top threat vectors left in the hands of any organization that chooses to outsource the other two. When batting .250 keeps you in the majors, two out of three is a compelling business discussion.

    Thursday, March 31, 2011

    The best APT definition yet

    Interesting article on some of the dynamic domains used in the RSA heist, but Krebs, in his usual fine form, nailed it with this statement:

    "Much of the speculation about the attacks on RSA so far has invoked the term "advanced persistent threat", or APT, which is security industry shorthand for "We're pretty sure it came from China.""

    You can read the whole article here.

    Wednesday, March 23, 2011

    Stolen RSA SecurID data. That's data, as in Data Loss Prevention

    I certainly can't be the only one wondering how a 2010 Gartner magic quadrant DLP vendor managed to get its own data "lossed". That's almost too stupid to be ironic.

    Friday, February 4, 2011

    The death of HIDS and HIPS vs. the smartest men in the network syndrome: Part Two

    The previous post took the death of Cisco Security Agent as an example that the infosec industry is poised for some serious change. This post will attempt to shed some light on those changes, how they came about and what that means to the future of endpoint security.

    I ended part one with a number of questions around Cisco, the death of CSA and the general direction of security. It would be fair to next focus on the many possible reasons CSA was canned. For starters, it was a bitch. It took me many years knee deep in CSA to eventually develop a solid, repeatable and efficient deployment methodology. Virtually every installation had massive administrative overhead on the front end, primarily due to the very high level of application behavior tuning, and typically a constant low to mid level administrative overhead to monitor, maintain and improve. It was an amazingly complex application itself, which, when implemented properly, worked like a champ. Implementing it properly, however, ended up being a huge challenge for both Cisco VARs and clients alike. And this challenge left many a Cisco customer with a fierce dislike of the product.

    Some of the reasons there was such a large knowledge gap with both vendors and clients are pretty obvious in hindsight, and not at all limited to Cisco as an organization. The product was from an acquisition and most Cisco Account Managers I encountered really did not know the extent of its capabilities and therefore how to sell it effectively. Cisco is a hardware company and the software sale wasn't at the time the norm, especially security software. The result was a number of companies hearing lofty sales pitches about the product, purchasing it and trying to implement it themselves with no real concept of how complex the application actually was and never getting past any initial test or audit-mode pilots. On the VAR side, a similar lack of experience with the product was the typical cause of project failure. Like any policy based application, you need to have the policies and standards in place before you can effectively and tactically enforce said policies. At least in a perfect world. In the real world, what percentage of all companies actually have well defined policies for such areas as data classification, role/responsibility/access or even application white and blacklists?

    The resulting mayhem no doubt produced negative reviews, comments and opinions around the product, which most likely directly led to poor numbers - one of the reasons Cisco supposedly killed the product. But there was also a smaller population of clients and VARs who completely understood and loved the product and its capabilities in all of its complexity. It died nonetheless, and there was nothing on the market to replace all of the functionality CSA provided on an apples-to-apples basis, leaving many dedicated CSA customers with the daunting task of finding a number of individual tools to replace all that CSA provided them.

    Another probable reason Cisco dumped CSA was the increasing cost of developing a host client on an ever increasing number of platforms, especially now that tablets, pads and phones have become the next generation of corporate data access. Cisco was having trouble keeping up with and supporting Windows releases, let alone getting to the "supported" Linux and Solaris versions. Mac? Not a chance. Then the onslaught of mobile devices ensued with iPhones, BlackBerrys, iPads, Androids, etc., and the future indeed was dim for CSA support on all of these disparate systems. But the collective brain trust at Cisco felt they were prepared for this with a very strong, industry-supported strategy - the cloud.

    Why concentrate on protecting all of the various endpoint operating systems when you can, as the 800-pound network gorilla, move everyone into the cloud? It is the industry direction at this point in time. And once everyone is in the cloud, a large percentage of the malicious activities that HIPS is supposed to prevent can be addressed in transit before they get to the endpoint. Cisco's IronPort reputation technology and SensorBase are perfect for that scenario and in fact do a spectacular job. And it should come as no surprise that after Cisco's acquisition of IronPort, IronPort founder and CEO Scott Weiss became VP of Cisco's Security Technology business unit, and the writing was on the wall for CSA.

    So the theory was that CSA was being replaced with the Ironport technology for both cloud and in transit intrusion prevention. And that indeed was the message occasionally coming out of Cisco when pressed. Which is an absolutely sound solution if everything is already in the cloud. Which clearly isn't the case. In fact, for all intents and purposes we are several years away from that suspected reality, which again means CSA die hards have a tough road ahead of them. And when pressed further about this now major hole in host based protection, clients were told that they could migrate to Trend AV. Really? Static AV signature protection and the inherent flaws of those systems were some of the primary reasons people wanted CSA in the first place.

    Here is where I feel Cisco really sucker punched a dedicated clientbase with the following executive decisions, hence earning the title "Smartest Men in the Network":

    • Zero client communication on why CSA had been killed
    • Very little client communication on preparing for the death of CSA
    • No viable replacement path (Trend AV - whatever)
    • Not selling the technology to someone else (yeah, right)
    • Trying to convince people that the Ironport technology could replace CSA's functionality in transit
    I will reiterate that I am a big fan of the Ironport tech and preach its effectiveness to my own clients. However, here is a short list of what it can't do, which CSA could, all in one application:
    • User/group access controls for file, registry and network resources
    • System state controls to determine and enforce policy (e.g. I am not connected to my corporate wireless SSID, I better enforce VPN connectivity back to my firewall)
    • Removable media controls to prevent data leakage and theft
    • "Long Tail" threat protection (I've posted on this before; read ReL1K's article here.)
    To that last point, persistent attackers will find ways to subvert controls. A new and niche piece of malware launched from an IP address with a good reputation will likely subvert reputation controls. And to be fair, it is not feasible to truly be able to protect against that type of targeted and persistent threat. 

    So what does it all mean? My take is this. Cisco has the right idea for long term protections when everyone is using virtual desktops in the cloud. It makes a lot of sense given the growing number of mobile operating systems that need to be protected, but that's a long way off. Static signature based anti-X protections haven't been a relevant security solution since the 90s, yet they keep making money. And until the day comes where we are all logging into our cloud desktop, the host still needs to be protected from things we don't yet know about and preventing data loss from removable media and other sources. Which presents a big hill to climb for those who believe in the cause, and that hill is development of host-based intrusion prevention solutions on many of these new mobile platforms. Despite those hurdles, HIPS is continuing to morph and improve. Bit9's Parity is a good example, performing whitelisting of applications. Instead of looking for bad behavior Parity only allows known good things to occur and has rapidly become my choice for CSA replacement. Regardless, HIDS/HIPS, at least in the traditional sense, aren't dead yet, but they look to be running a race that ends with a proverbial IT cliff.
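As an added illustration of the default-deny argument made here and in the "Updating Security Strategies" post above (example code written for this page, not Bit9's, Cisco's or any vendor's), the following Python compares a known-bad signature list with a known-good hash allowlist on constructed sample binaries, including the "new and niche" sample that has never been seen before and an audit-mode run of the kind deployments stall in:

```python
"""Default-deny application allowlisting versus known-bad signatures.

Added example, not code from the blog or from any product it names.
All "binaries", hashes and names below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample images: two business-approved builds, a malware
# family we already have a signature for, a brand-new family, and an
# approved build that has been tampered with after approval.
APPROVED_EDITOR = b"MZ approved-editor build 1.0"
APPROVED_VPN = b"MZ corp-vpn-client build 3.2"
KNOWN_MALWARE = b"MZ dropper family-A"
NEW_MALWARE = b"MZ dropper family-Z first seen today"
TAMPERED_EDITOR = APPROVED_EDITOR + b" patched-by-attacker"

# Blacklist model: signatures for malware that has already been analysed.
BLACKLIST = {sha256(KNOWN_MALWARE): "dropper family-A"}

# Allowlist model: hashes of business-approved builds only (constructed).
ALLOWLIST = {sha256(APPROVED_EDITOR): "editor 1.0",
             sha256(APPROVED_VPN): "vpn-client 3.2"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


@dataclass
class AllowlistPolicy:
    """Run only known-good images. In audit mode nothing is blocked, but
    every would-be denial is recorded so the list can be tuned first."""
    approved: dict
    enforce: bool = True
    audit_log: list = field(default_factory=list)

    def decide(self, image: bytes) -> Verdict:
        name = self.approved.get(sha256(image))
        if name is not None:
            return Verdict(True, f"approved build: {name}")
        if self.enforce:
            return Verdict(False, "not on the approved list")
        self.audit_log.append(sha256(image))
        return Verdict(True, "AUDIT: would have been denied")


def blacklist_decide(image: bytes) -> Verdict:
    """Signature model: block only what is already known to be bad."""
    name = BLACKLIST.get(sha256(image))
    if name is not None:
        return Verdict(False, f"matched known-bad signature: {name}")
    return Verdict(True, "no signature match")


def compare(image: bytes) -> dict:
    """Outcome of both models, enforcing, for one image."""
    policy = AllowlistPolicy(ALLOWLIST, enforce=True)
    return {"blacklist": blacklist_decide(image).allowed,
            "allowlist": policy.decide(image).allowed}


def audit_run(images: list) -> int:
    """Number of images an audit-mode pilot would have denied."""
    policy = AllowlistPolicy(ALLOWLIST, enforce=False)
    for image in images:
        policy.decide(image)
    return len(policy.audit_log)


if __name__ == "__main__":
    for label, image in [("approved vpn", APPROVED_VPN),
                         ("known malware", KNOWN_MALWARE),
                         ("new malware", NEW_MALWARE),
                         ("tampered editor", TAMPERED_EDITOR)]:
        print(f"{label:16} {compare(image)}")
```

The new sample and the tampered build pass the signature check and are stopped only by the allowlist, which is the "long tail" point above in code.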