Symantec and Veritas – after the merger

Symantec/Veritas merger completion

Last December, I blogged about the merger between Symantec and Veritas. Then, a couple of weeks ago, I got the chance to see Mark Seager, Symantec’s VP Technology (EMEA), present about the new organisation. Apologies if what follows appears to be a marketing plug for Symantec, but bear in mind where the information came from – I still think it makes some valid points.

Symantec’s view is that information is the “fuel” driving the global economy. Often, this information is irreplaceable and the IT department is its custodian. According to the UK Department of Trade and Industry, 70 percent of organisations that experience serious data loss go out of business within 18 months.

Symantec quotes the following fast facts:

  • A University of California at Berkeley study suggests that we will create more data in the next 3 years than we did in the last 40,000.
  • The number of Internet users is expected to triple between 2001 and 2007 to 1.5 billion.
  • It is estimated that corporate data storage requirements are doubling every six to nine months and the resulting cost of managing new storage is five to seven times the price of the storage.
  • In the second half of 2005, the average time between the disclosure of a vulnerability and the release of an associated exploit was 6.0 days.

On the surface, some of these statistics may seem a little unbelievable (after all they do originate from a vendor of security and storage management products) but taking the data growth statistic, consider the growth in broadband Internet services and the mobile phone operators who have reached complete market saturation but still have huge costs to cover for third generation (3G) mobile phone licenses. The networks need to get users to transfer to their 3G networks and to do that they need a killer application, for example live TV. Even on the reduced-size screen of a mobile handset, that represents a lot of data.

Furthermore, network managers used to look at securing the perimeter network but nowadays that perimeter doesn’t exist. Remote users with VPN connections and mobile users with data on portable devices mean that security has to be all-pervasive. Combined with the rising incidence of social engineering (including phishing attacks), this means that the security landscape is shifting.

Symantec have traditionally looked at risk management from a security management perspective (i.e. when information is unsecured, business is at risk). The Veritas approach was around failure management – whether it was environmental, component, or human error (i.e. when information is unavailable, business is at risk). Bringing together the two organisations makes a lot of sense, with significant synergies but very little product overlap. The new strategy is that when failure occurs, security management processes take over.

Worldwide, there are three areas in particular where pressures are having an increasing (and significant) effect on businesses: regulatory compliance; operational requirements and security threats. Compliance has to be demonstrable. IT operations are under pressure to drive out extra costs (like security tools for threat management) and IT is often inefficient, built on 3 or 5 year growth plans and siloed for a particular application, leading to typical storage utilisation of just 50% and only 20% CPU utilisation. By comparison, imagine what would happen if an organisation’s office space was purchased using a similar model of keeping it half empty to allow for growth!

The result is ever-greater demands on the IT infrastructure at the same time as a need to drive out cost. What is needed is a dynamic IT infrastructure.

Seager discussed the concept of an “electronic chain” of information from the user/client, through the gateway, network and servers, to the application, with its database and associated storage. This may be replicated many times over within an organisation or with different customers, suppliers and partners. This “information stack” needs to be secure, available and performant. Furthermore, it needs to support operational requirements (consider a bank ATM – a typical customer doesn’t care that the back-end system is 99.999% available – they just need enough ATMs to be available at a particular time so that they can withdraw money without queuing).

What if…

  • …an external threat alert could trigger an internal assessment?
  • …internal audit correlated with intelligence for patch management?
  • …external intelligence could prompt more frequent backups, end-to-end from remote user to data centre?
  • …performance issues could be proactively addressed (e.g. network storms, system issues, human errors, system vulnerabilities), in-plan (not on-overtime)?
  • …early warning could trigger failover to a secure network?
  • …a compromised system could automatically be recovered?
  • …all of these actions were audited to show compliance with company standards?

Symantec claim to be able to meet this through products in four segments that cross the information stack:

  • Security infrastructure and management tools.
  • Storage management capabilities to ensure that information is continuously available.
  • Data management solutions to reduce the risk of downtime.
  • Application service management to allow dynamic service provision.

All of this is wrapped up by intelligence – what Symantec refer to as insight – from the combined experience of Symantec and Veritas with a worldwide capability of:

  • 5 security operations centres.
  • 81 monitored countries.
  • 28 support centres.
  • 20000 sensors in 180 countries.
  • 8 security response labs.

Of course, there is also a healthy dose of reality required here – if an expenses policy didn’t restrict me to certain expectations when travelling on business I would always stay in the penthouse suite at a luxury hotel and have a fantastic meal at the best restaurant in town but the reality is probably more like a standard room at a normal business-class hotel, with a curry from the local Indian restaurant. Likewise, the level of information protection for an organisation’s IT infrastructure has to be selected based on realistic requirements and in line with budget constraints.

The integration of Symantec and Veritas has now started, with a three-stage plan:

  • Stage 1 is to ensure interoperability between Symantec and Veritas products, ensuring that all of the technologies offered work together and developing solutions which combine services and technologies from across the portfolio. No products are classified as “end of life” (even though some have alternative views on the same issues).
  • Stage 2 will ensure that common components are used and that there is consistency across the product set, focusing on key areas of integration and identifying the product areas that will deliver the most immediate synergies (common user interface, common licensing terms, common installation, LiveUpdate integration, integrated support infrastructure, product-to-product integration).
  • Stage 3 is about new value – through deeper technology integration but also integration in other aspects of customer relationships such as support offerings, and license management.

Symantec now claims to be able to deliver an end-to-end solution to “keep your business up, running and growing, no matter what happens”. They use an e-mail scenario as an example, controlling unsolicited commercial e-mail (UCE), managing data volumes and ensuring system availability (as shown in the diagram below) but a similar model could be applied to many enterprise applications.

E-mail security

The Symantec Internet security threat report

Earlier today, I downloaded the Eighth Edition of the Symantec Internet Security Threat Report. Published twice a year, this report highlights trends in the Internet security space and the following list highlights some of the key findings (according to Symantec).

Vulnerability trend highlights:

  • Symantec documented 1,862 new vulnerabilities, the highest number since Symantec started tracking vulnerabilities in six-month increments.
  • The time between the disclosure of a vulnerability and the release of an associated exploit was 6.0 days.
  • The average patch-release time for the past 6 months was 54 days. This means that, on average, 48 days elapsed between the release of an exploit and the release of an associated patch.
  • 97% of vulnerabilities were either moderately or highly severe.
  • 73% of reported vulnerabilities this period were classified as easily exploitable.
  • 59% of vulnerabilities were associated with web application technologies.
  • 25 vulnerabilities were disclosed for Mozilla browsers and 13 for Microsoft Internet Explorer.

Attack trend highlights:

  • For the fourth consecutive reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack was the most common attack, accounting for 33% of all attacks.
  • Symantec sensors detected an average of 57 attacks per day.
  • TCP port 445, commonly implemented for Microsoft file and printer sharing, was the most frequently targeted port.
  • Symantec identified an average of 10,352 bots per day, up from 4,348 in December 2004.
  • On average, the number of denial of service (DoS) attacks grew from 119 to 927 per day, an increase of 679% over the previous reporting period.
  • 33% of Internet attacks originated in the United States, up from 30% last period.
  • Between January 1 and June 30, 2005, education was the most frequently targeted industry followed by small business.

Malicious code trend highlights:

  • Symantec documented more than 10,866 new Win32 virus and worm variants, a 48% increase over the second half of 2004 and a 142% increase over the first half of 2004.
  • For the second straight period, Netsky.P was the most reported malicious code sample. Gaobot and Spybot were the second and third most reported, respectively.
  • Malicious code that exposes confidential information represented 74% of the top 50 malicious code samples received by Symantec.
  • Bot-related malicious code reported to Symantec made up 14% of the top 50 reports.
  • 6,361 new variants of Spybot were reported to Symantec, a 48% increase over the 4,288 new variants documented in the second half of 2004.

Additional security risks:

  • Adware made up 8% of the top 50 reported programs, up from 5% in the previous reporting period.
  • Eight of the top ten adware programs were installed through web browsers.
  • Six of the top ten spyware programs were bundled with other programs and six were installed through web browsers.
  • Of the top ten adware programs reported in the first six months of 2005, five hijacked browsers.
  • Messages that constitute phishing attempts increased from an average of 2.99 million per day to approximately 5.70 million messages.
  • Spam made up 61% of all email traffic.
  • 51% of all spam received worldwide originated in the United States.

Some interesting (and some frankly frightening) statistics there. Definitely worth a read for any network administrator or IT manager.

The Spread Firefox community site got hacked – but how many others don’t we know about?

The Spread Firefox community marketing site has been compromised twice in the last few months. Lots of the comments on the web criticise the site administrators for a) letting this happen, and b) their choice of technology to run the website but I think it’s interesting (and commendable, if a touch worrying) that they came clean and told registered users that their details may have been compromised.

I wonder how many sites have been compromised and users haven’t been notified that their details are now in someone else’s possession…

Microsoft’s view on managing heterogeneous environments

It was interesting to hear Kirill Tatarinov (Microsoft Corporate VP for Enterprise Management) comment (at last Friday’s UK re-run of the key Microsoft Management Summit 2005 presentations) on Microsoft’s support for heterogeneous environments through its management products (especially as they are finally waking up to the idea that organisations want to run – and do run – non-Microsoft guest operating systems under Virtual Server).

At both the partner breakfast briefing and the main event, the message was that basically, Microsoft will embrace other environments but will not (for example) write Linux agents for Microsoft Systems Management Server (SMS), Microsoft Operations Manager (MOM), or any other Microsoft management product. To quote Tatarinov:

“[it’s] not part of our DNA and I don’t think this is something that we should be doing.”

Microsoft’s view is that products should be scalable and interoperable, providing open interfaces (e.g. WS-Management) alongside technologies such as the MOM connector framework and the SMS software development kit (SDK) to work with other products in the management space.

That may be a smart move – if only to avoid another lawsuit for supposed anti-competitive behaviour – but it also helps Microsoft to present itself as a team player, at a time when people are starting to take SMS seriously, when MOM is really gaining traction, and when the whole area of systems management for infrastructure built on Microsoft technologies is finally being addressed through the dynamic systems initiative (DSI).

Microsoft management technologies – product roadmap

My recent post on Microsoft’s dynamic systems initiative (DSI) outlined the various waves of new products which Microsoft is releasing in the management space over the next few years. What follows is a summary of some of the other product roadmap information that I picked up from last Friday’s Best of the Microsoft Management Summit 2005 event:

System Center is Microsoft’s overarching brand for integration of its management products, in the same way that Computer Associates (CA) has Unicenter, Hewlett-Packard (HP) has OpenView and IBM has Tivoli.

Microsoft System Center Data Protection Manager 2006 is the first “System Center” branded product – launched last week in New York with an EMEA launch slated for 12 October 2005. The first release provides server backup and recovery for Windows – v2 (as part of the second wave of System Center products) will add support for Exchange Server, SQL Server and SharePoint.

Established products like Microsoft Systems Management Server 2003 (SMS) and Microsoft Operations Manager 2005 (MOM) are also part of the System Center suite and the launch of the SMS 2003 inventory tool for Microsoft updates integrates the Windows Software Update Services (WSUS) scanner into SMS – effectively a locally hosted version of Microsoft Update.

Windows Server 2003 Release 2 (R2) is due for release later this year and will bring a number of new features to Windows Server 2003:

  • New storage and management capabilities (Simple SAN, virtual disk service v1.1, common log file system, WS-Management, Microsoft Management Console v3.0).
  • Enhancements to Active Directory (AD) (federated services, ADAM in-the-box, AD as a NIS master).
  • .NET Framework enhancements (simplified data access and remoting, advanced transactions, ASP.NET v2.0).
  • Services for Unix (Unix application subsystem and utilities – no longer a separate download, database connectivity).

Microsoft are positioning R2 as a minor release – i.e. it has no kernel changes and will actually ship on two CDs: the first is effectively Windows Server 2003 with SP1 and the second has the extra functionality.

Microsoft Virtual Server 2005 R2 (formerly planned as Virtual Server 2005 service pack 1) is Microsoft’s answer for production virtual environments and will include:

  • Non-Windows guest support.
  • Network installation of guest operating systems.
  • Clustering support.
  • Greater scalability.
  • 64-bit host support.
  • Performance enhancements.
  • MOM management pack.
  • PXE booting.
  • A licensing program for the virtual hard disk (.VHD) file format.

Microsoft System Center Reporting Manager 2005 is due early in 2006 (so I guess the name will change) but is currently expected to include:

  • Integration of data from MOM, SMS and AD.
  • An extensible schema.
  • Facilitation of better business decision making.
  • Offline data warehouse.
  • Consolidated view of a multi-site hierarchy.
  • Streamlined querying.
  • Consolidated management.

Another new System Center product is Microsoft System Center Capacity Manager, a sizing solution (initially for Exchange Server 2003 and MOM 2005) which will provide:

  • Assessment of architecture choices for future deployment.
  • “What-if?” analysis.
  • Performance modelling for current deployments.
  • Identification of future bottlenecks.
  • Prediction of the user experience.
  • Understanding of the impact of changes.
  • Optimised upgrade path.

Further out on the development path are new versions of MOM and SMS. MOM v3 is expected to go into limited beta testing at the end of this year with a public beta early in 2006. SMS v4 is further out in the plan, expected in the first half of 2007 (as part of the Longhorn Server wave) with a limited beta in early 2006 which will be expanded later in the year.

Microsoft’s view is that every vendor’s management product has its agent(s), communications protocol, database and user interface, but MOM’s strength is in its knowledge, with management packs built by the product groups. Their goal is to capitalise on that strength and it is expected that MOM v3 will offer:

  • Model-based operations (more than just today’s management packs).
  • Service-oriented monitoring (using SDM models defined in Visual Studio 2005).
  • Improved task and command support.
  • Extensive software development kit (SDK) and authoring tools (making it easier to produce management packs and import knowledge, e.g. from the Internet).
  • Deep platform integration.
  • Role-based user interface.
  • Probable-cause analysis (a vehicle for managing uptime).

SMS v4 is about building on SMS 2003 (which some might consider to be the first solid SMS release), providing:

  • Model-based operations.
  • Desired configuration management.
  • IT policies and industry compliance.
  • Security interface for both intranet and Internet deployment (i.e. RPC over HTTPS).
  • Integration with Windows network access protection (NAP) to implement quarantine for patching etc.
  • Simple, role-based user interface.
  • Unified operating system deployment, pulling together RIS, ADS and the SMS operating system deployment feature pack.

Of course, much of this is still some way off, and product feature sets are always subject to change, but Microsoft is certainly making moves towards becoming a significant player in the enterprise management space – or at least for the management of their own platform.

Microsoft’s Dynamic Systems Initiative

The Microsoft Management Summit is one of Microsoft’s annual conferences and last Friday, the most popular presentations were re-run in the UK. Microsoft clearly took the event seriously, bringing across from Redmond the Corporate VP for Enterprise Management (Kirill Tatarinov); the Systems Management Server and Operations Manager Program Managers (Bill Anderson and Vlad Joanavic); and a Director of Product Management for Enterprise Management (Michael Emanuel).

Largely due to the quality of the speakers, the event was well worth attending – particularly Michael Emanuel’s Dynamic Systems Initiative (DSI) presentation. I’ve seen DSI presentations before, but this was inspirational – largely due to the charismatic way in which he described the differences between desired and actual states as “ought-ness” and “is-ness” (with associated “was-ness”, “could-ness”, “good-ness” and “should-ness”).

I’ll try to explain it all below (with a few additions from previous DSI presentations)!

It is generally regarded that infrastructure costs fall rapidly whilst performance rises (a derivative of Moore’s Law). What is less well known is that as the infrastructure costs drop, the support costs associated with supporting systems rise. Typically, 70% of an organisation’s IT budget is spent on maintenance, with just 30% on new systems. The trouble is that our increasingly well connected, but highly distributed IT systems are becoming incredibly complex. Add to that, the organisational complexity with infrastructure architects, developers, systems administrators, service architects, business stakeholders, testers, IT management and even outsourced/offshore partners – wouldn’t it be great to do something to control the management costs and let them track the decreasing cost of the infrastructure?

IT complexity and cost

Businesses tend to be dynamic. All too often, IT is not. Microsoft’s answer is the DSI, which is about helping IT organisations to capture and use knowledge to design more manageable systems and automate ongoing operations, resulting in reduced costs and more time for IT to focus on what is most important to the business.

It sounds logical enough… so why don’t we do this already? Basically because IT infrastructure architects and IT operations managers don’t tend to talk the same language! In general, designers think about scalability, security and identity but gloss over the management element. With 80% of the cost of a project committed by design decisions at the end of the design phase (but only 8% of the cost incurred), it is all too often too late to change things when they reach production and don’t fit well within an operational model. DSI is about encouraging a full lifecycle view so that operational awareness can be built into applications and services right from the initial design, using models to capture knowledge (i.e. bottling what is known for re-use) throughout the lifecycle.

The key is that systems should be designed for operations with manageability architected into the system from the outset. To do this, there are two fundamental building blocks required:

  • A generic way in which to model knowledge – the systems definition model (SDM).
  • A generic way in which to communicate with a system – WS-Management.

The SDM is basically a manifest which provides a single source of information on a system, describing:

  • What “it” is.
  • What “it” is capable of doing.
  • What “it” needs to achieve these capabilities.

WS-Management is a web services implementation of Web Based Enterprise Management (WBEM), developed as part of the Web Services Interoperability Organization’s WS-* architecture as a joint effort by AMD, BMC Software, Dell, Intel, Microsoft, Sun Microsystems and WBEM Solutions, and the first Windows implementation (WS-Management is heterogeneous) will be made available later this year as part of Windows Server 2003 Release 2 (R2).

Meanwhile, Microsoft is slowly moving the existing models within its management products over to SDM in support of the DSI and sees Visual Studio as a tool for defining the holistic structure of the application, services and system – considering management at design time to integrate service requirements during development.

By combining the application designer’s feature/functionality view of the world with the IT Operations Manager’s data centre policies and constraints, SDM models can be defined and fed through a validation process to identify errors; but a development environment in itself is not enough. Knowledge is the key to management and the diagram below shows a desired state (models, constraints, policy, prescriptive guidance, SLAs, patches) being replicated down (Emanuel refers to this as “ought-ness”) and an actual state (inventory, metrics, events, alerts, compliance, service level, results – the “is-ness”) being replicated up. The art of management is resolving conflicts between the “ought-ness” and the “is-ness” states. Furthermore, this management is not performed using an expensive tool but is actually the knowledge held by administrators and operators which needs to be re-used. The DSI vision is self-managing systems so that every application is delivered with a model which can be deployed across every Windows system.

Managing systems

SDM models are held in a models database and applied through each of the Microsoft operations framework (MOF)/IT infrastructure library (ITIL) workflows to synchronise with reality. Operational systems feed this information into a data warehouse which stores a point in time view of this reality (the “was-ness”). Taking this a step further, by applying “what-if scenarios” (“could-ness”) to this historic state, the potential (“good-ness”) of what should be (“should-ness”, or future “ought-ness”) can be modelled (i.e. capacity planning).

Of course, Microsoft is a product and technology company and so they have products which map on to this approach. Looking at the MOF model, each quadrant has associated products:

  • Changing: Microsoft Systems Management Server.
  • Operating: Microsoft Operations Manager; Microsoft System Center Data Protection Manager.
  • Supporting: Microsoft Visual Studio 2005 Team System; Microsoft Business Solutions CRM.
  • Optimising: Microsoft System Center Capacity Manager; Microsoft System Center Reporting Manager.

To summarise, DSI consists of a number of core technical principles:

  • Software platforms and tools that enable knowledge of an IT system (architectural intent; operational environment; IT policies; resource needs; across platforms)…
  • …to be captured in software models (MOM management packs; software update manifests; SDMs)…
  • …that can be created, modified and operated upon across the IT lifecycle (develop, operate, analyse/act).

In terms of product, Microsoft has currently defined three waves of products to support the move to dynamic systems:

  • System Center Wave 1 is happening now and consists of:
    • Microsoft System Center Capacity Manager 2006 (codenamed Indy).
    • Microsoft System Center Reporting Manager 2005.
    • Microsoft Systems Management Server 2003 (service pack 1).
    • Microsoft System Center Data Protection Manager 2006.
    • Microsoft Operations Manager 2005.
    • Microsoft Visual Studio 2005.
    • Microsoft Windows Server 2003 R2 WS-Management.
  • System Center Wave 2 should happen around 2006-2007 and includes:
    • Windows Server (codenamed Longhorn).
    • Microsoft System Center Capacity Manager v2.
    • Microsoft Operations Manager v3.
    • Microsoft Systems Management Server v4.
    • Microsoft System Center Reporting Manager v2.
  • System Center Wave 3 is due around 2008-2009, and is when the various strands of the DSI can finally be pulled together.