Morphisec Cyber Security Blog

Morphisec Moving Target Defense verified as Citrix Ready to enhance protection with Citrix XenApp and XenDesktop

CISOs face an escalating battle on two fronts: externally from ever-more sophisticated attackers and internally in managing all the threat protection and additional security layers they put in to stop them. And they are losing. Despite added technology complexity and operational overhead, cyber criminals still manage to get past defenses.

According to a a new whitepaper from analyst firm ESG, 72% of organizations believe that security operations are more difficult today than they were two years ago yet 54% still suffered at least one security incident.

The recent Meltdown and Spectre CPU vulnerabilities took almost everyone by surprise.  Widespread panic was staved off only by the promise of a nearly-ready OS patching fix, which it turned out, excluded a large swath of systems and created its own set of problems. 

Users are still scrambling to patch systems with an extremely complex mixture of OS, firmware and application updates. Organizations are encountering slowdowns, blue screens and reboot problems in their rush to avoid security problems. The entire stack of Spectre and Meltdown fixes has not yet been properly tested and will take time to reach anything resembling stability. 

Last month I discussed cybersecurity effectiveness, particularly in regards to the growing threat of fileless attacks. But effectiveness is only one piece of the equation.

First and foremost businesses still need to go about their business. Unfortunately, it has long been the case that the more effective a cybersecurity tool is, the slower and more intrusive it is and the more effort it takes to manage it. The complexity and pain of managing – not buying, managing! – security tools often forces companies to reconcile themselves to unacceptable exposure, for example to security-related business disruption, for want of resources to manage cumbersome defensive technology.

Last week I had the pleasure of speaking at the Israeli Dealmakers Summit in Silicon Valley. With over a thousand of the world’s top corporations, investors and entrepreneurs, it’s known as the largest and most prestigious Israel-focused business event. While it was exciting to participate, the real privilege was to be able to help showcase the innovative ideas and technology coming out of Israel.

Imagine this. You are in charge of public health and must deal with an unrelenting epidemic. You have two options for protecting the population.

The first option is to monitor each person for symptoms of infection. You buy analytical technology and infrastructure, hire staff and build hospitals. You send forth specialists to monitor everyone. When they notice symptoms, more tests are performed. The symptoms are
subtle (fatigue, headache, stiffness), and healthy and sick people look a lot alike, so to be on the safe side you test far more people than are truly ill. Once you suspect infection, you quarantine the person and start a course of treatment. Sometimes the people are cured. Sometimes they are not. You can’t guarantee that you will find everyone who is infected. Or that everyone you treat is ill. The monitoring and mandatory quarantine intrude on civil liberties, disrupt lives and interfere with the economy. To compound matters, the disease mutates, so you have to continually design new screening tests and retrain the specialists.

A Brief History

Virtual Desktop Infrastructure (VDI) is not a new concept – in fact virtualized desktops can be traced back to the 1960s, when IBM divided up mainframes into virtual machines to allow for multiple, simultaneous users. The modern take on VDI emerged around 2007 with the Virtual Desktop Manager by VMware. Citrix entered the game in late 2008. Over the next years, VDI and grew steadily but slowly. Until recently. The emergence of cloud-hosted virtual desktop solutions has accelerated VDI adoption by enterprises and smaller organizations alike.

This year’s Black Hat USA conference was bigger and badder than ever, with attendance up nearly 30% according to show organizers. Of all the security conferences, Black Hat has the most clear divide between the technical practitioner side and the security vendors, and the main themes varied depending on which side of the divide you were standing.  From the practitioner side, these ranged from enhancing technical skills (excellent training) to strategies and threats, to leadership and alignment with the business. The instructors and presenters were world class, the content was superb, and thoughtfulness and creativity were everywhere.

All good for the practitioners and kudos to the organizers. On the vendor side, things were a little more nuanced.

Imagine a conversation like this.

ASPIRING VIOLINIST:  Maestro, what should I do to be a violin virtuoso?

MAESTRO: You must practice 48 hours every day on the tuba. I will sell you a tuba.

ASPIRING VIOLINIST:  But there are only 24 hours in a day. Did you say tuba?

MAESTRO: If you won’t follow my advice, I can’t help you.

More Madness than Method

It sounds absurd, but conversations like this unfold daily when enterprise cyber practitioners meet with industry vendors and security consultants. The industry tells them that they are not doing enough. They must install more security technology, hire more analysts, and patch more frequently. This may seem simple; merely a matter of budget and execution. But the technology is not up to the task and the cost of following this advice to the letter would force enterprises to spend themselves out of existence. And it still wouldn’t work. Not enough hours, wrong instrument.