The Daily Incite - August 8, 2006

Submitted by Mike Rothman on Tue, 2006-08-08 07:38.

Good Morning:
Happy friggin' Tuesday. Actually it is, I just love a good dust-up to get the blood flowing and brain stimulated. Since I don't really work in an office and the nuances of NAC and endpoint security are lost on my kids (Dad - SHHH! We're trying to watch Mickey Mouse Clubhouse), a good bit of passionate discourse makes the day fun. Yesterday was fun as Hoff, Shimel, Stiennon and yours truly debated a bit on the role of NAC and endpoint security and a few other topics. Normally I don't send you to my site, but check out the comments on these posts (here and here). Stiennon and Hoff respond here in their inimitable way - which is worth the read.

In security-land, let me highlight the increasing maturity of security outsourcing. Network Computing did a pretty detailed RFI analysis of a couple of MSS providers (here) and came back with the conclusion that they are largely all the same and they can get the job done. That means we'll start to see a lot more outsourcing, since operational processes are baked and now it's about economies of scale. I also want to highlight a post from Mitchell Ashley (here), a new blogger on the block, about standards and Cisco's gradual assimilation of all things network-related. I can only say that for most companies - resistance is futile.

Have a great day.

Top Security News

Yes, MSS is a Commodity
So what? - Network Computing does a really good analysis of the managed security services space in this article. Using the RFI technique they get a bunch of vendors to do detailed responses for a fictional company. The folks that showed up were ISS, LURHQ, SecureWorks, CyberTrust, and BT. About 19 others were either "too busy" or basically seemed to have something to hide. The conclusion I draw? Even though they name ISS the arbitrary winner, each vendor has pretty much nailed down the process and capabilities to outsource perimeter security. There seems to be very little outward differentiation and the biggest decision point is probably how long it takes you to wade through all of the pricing and packaging options. But this is good news, in that the business is mature enough to have tight operational processes - which is pretty much what you want to see in an outsourcing situation.
http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=191203015


AOL = Privacy Dummy
So what? - AOL has once again stepped in the poop. It seems in their haste to provide data to researchers, they ended up publishing user search data for all to see. Even worse, the data was cached and indexed, so now it's just out there. There is no mulligan. This is basically a manifestation of the Web 2.0 mindset of "do it now, fix it later." In general that mindset helps to drive innovation and basically get things done, but there is clearly a down side. And we are seeing it now. So AOL was trying to help and they discovered a bunch about the law of unintended consequences. I guess we can only be reminded that Web 2.0 has not suspended the time-tested tradition of thinking before you act.
http://www.securitypronews.com/insiderreports/insider/spn-49-20060808PlentyOfFalloutFromAOLScrewUp.html


Deal: Citrix Acquires Orbital Data
So what? - Orbital is in the WAN acceleration/optimization business, but this $50M deal underscores a bigger trend in remote/branch office networking. Basically, Big is the new small in this business as well. Folks like Citrix are consolidating access, optimization, and security in one offering to make it easier to deploy for folks that have a lot of sites (retailers, banks, restaurants) and need a tremendous amount of operational leverage. We've seen folks like Blue Coat go in this direction as well. But the real killer here is the channel, as Citrix has done a great job of pumping acquired technology through their existing channel and quickly establishing a market leading position (SSL VPN is a case in point). I said a while ago that network/infrastructure security is not really a stand-alone business in the long term; rather, it needs to be subsumed into the equipment, etc. It's deals like these that are slowly but surely validating the point.
http://www.citrix.com/English/NE/news/news.asp?newsID=31991


FFIEC and Authentication
So what? - This is a good overview at Enterprise Systems Journal on FFIEC and its impact on authentication. It is a bit light on technology, but does profile a couple of customer case studies to highlight how the technology is being used. For so long passwords were good enough, and I'm not disputing that for a large majority of applications passwords still are sufficient. But anything having to do with protected data needs more, if only because the ramifications of notification make it worth the investment to increase the security. Now two-factor authentication is no panacea and we'll still see phishing be successful even with these techniques - but less of it. And that's the point, right?
http://www.esj.com/news/article.aspx?EditorialsID=2056


Endpoint Security is still relevant
So what? - You should read the Symantec Security Response blog. Not because I love the Big Yellow (that's a joke, eh?) but because they do mention stuff from time to time that is relevant. Of course you need to apply the vendor filter on what they say, but for the most part it's balanced and informative. Given the dust-up with Stiennon over endpoint security, I thought I'd dig this link out of the archives and provide yet another perspective on why mobility changes the dynamics of protecting the endpoints. This piece applies mostly to phones and PDAs, but I'd throw laptops into the same mix. When you don't control the network, bad things can happen. It's true that managing agents on endpoints is a pain in the ass, but what choice do we have? Ultimately those endpoints come home and we need to make sure they don't endanger the rest of the network. I guess you could let the endpoints sow their royal oats out there in the wild, and clean up the mess when they get back - but is that the most efficient way to go about things?
http://www.symantec.com/enterprise/security_response/weblog/2006/07/why_the_network_cant_protect_m.html


Top Blog Postings

Baaaaa - How funny is the Wall of Sheep?
There is a reason you leave your wireless card at home when you go to hacker conferences. Just read this post about DEFCON's Wall of Sheep and you'll understand. Of course, there is value in the fun they poke at folks, and that is the issue with cleartext authentication protocols. Sure, it's easier to code, but also easier to break. And there needs to be a minimum level of security inherent to the web-based applications that we use. Note to self, check on what Drupal does for this...
http://blogs.zdnet.com/Ou/?p=285


Understanding the cost of privacy breaches

Intuitively we all know there is a "brand" cost to a privacy breach - but how much? That's always been a bit squishy to figure out. But as the fall-out from the Ohio University fiasco hits the ground, I think we are going to find out. Rebecca Herold lists a number of items that both directly and indirectly will impact the university because of the breach. I don't think it's too much to ask whether over time the institution is viable. And that's not even factoring in the inevitable class action vultures that will be trying to get their pound of flesh. Sort of like Arthur Andersen, in that if the customers cannot trust the institution - it goes away. Let's hope that isn't the case, but you can definitely see a sharp downward spiral ensuing, given the fact that many alumni will no longer support or even deal with them.
http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/08/ohio_university.html


We don't need no stinkin' policies

This rant by Tim Wilson over at Dark Reading is pretty funny. He uses a Wild West analogy to make a point about the need for policies. Fact is, many organizations (especially the smaller ones) don't have policies to govern the use of technologies. 99% of the time that's not a problem. But when someone does something unbelievably stupid (and you know it happens), you want to be able to take action. No policy, no action! That's Tim's point and it's absolutely true. Another of Tim's points here is that most employees will follow the policy even if there is no way to enforce it. That may be true, but it's wrong. If you don't enforce the policy, then you may as well not have it. You look like an idiot and you also expose yourself to litigation if you selectively enforce policies. Policies - $250. Enforcing the policies - $2000. Dealing with the wrongful termination lawsuit - priceless. You get the picture.
http://www.darkreading.com/blog.asp?blog_sectionid=327


If you want a friend, get a dog
I get very amused by seeing educated folks wringing their hands about standards. In this post, Mitchell Ashley vents a bit about how Cisco doesn't play nicely in the sandbox with everyone else, and it's bad for customers. Actually, it's only bad if the customer doesn't use Cisco end-to-end, and that's the point. Cisco is big enough that they only need to pay lip service to standards and if anything, they push stuff towards REAL standards bodies (like the IETF) that basically have no power. Why would they play along with all of their competitors when they can muscle around the "standards-bodies" and get the same goal? So Mitchell's points are exactly right: Cisco's goal is to provide all of the equipment for all of the networks in all of the world. It is about assimilation. But most customers are too busy to care, so they don't. History has shown this to make for problematic migration when the BIG vendor stumbles (remember, IBM in the early 90's), but customers have short memories. That's a fact.
http://www.theconvergingnetwork.com/2006/08/evolution_or_assimilation.html


Recently on the Security Incite Rants Blog

Comment Watch: Stiennon SNACs on the Cocktail
Richard decided to end his two or three hour silence (damn him, doing something else) and weigh in on the firestorm he created. Not to be outdone, and always to have the last word (ask my wife, I kind of need to have the last word) - I provide my perspectives on Richard's comment. Suffice it to say, it's a good discussion and we both have points of merit. But we do disagree on a fairly fundamental point relative to the role of pre-admission control using endpoint data.
http://securityincite.com/blog/mike-rothman/comment-watch-stiennon-snacs-on-the-cocktail

Why SNAC, when you can Cocktail?
Based on my comments in yesterday's TDI about Shimel, Stiennon and NAC - Chris Hoff did a pretty extensive analysis of all the positions and seems to end up right on the fence. Besides being uncomfortable on your bum, the fence is no place to spend your day. Being an impatient guy, I couldn't wait until this morning to respond to some of Chris' perspectives - so I further clarified my position in this post. It pretty much continued the firestorm momentum that Chris started and the discussion has now taken on a life of its own.
http://securityincite.com/blog/mike-rothman/why-snac-when-you-can-cocktail

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-07


Submitted by Mitchell Ashley (not verified) on Tue, 2006-08-08 09:59.

Hey, thanks for the mention this morning about the Cisco post. Sure, Cisco wants a Cisco-only world - so does every other vendor (but few get to realize it like Cisco has in so many shops). But we're supposed to let comments such as those made go unchallenged? We wouldn't give Microsoft the same break! Worse is to let go something that basically says we are cretins and will "evolve" to a mind-numbing state of compliance. (Yes, I did just get finished watching the Wachowski brothers' V for Vengeance.) Okay now, back to my quest to invent fire. [hums 2001 theme] Later. lol.

Submitted by Mike Rothman on Tue, 2006-08-08 10:10.

Hey Mitchell,
The wonderful thing about a keyboard is that you can type pretty much anything you like. And I think there always need to be dissenting voices to keep us honest. But I was pointing out the reason why Cisco doesn't need to play nice in the sandbox. And that won't change because of the very issue you raise: they control enough companies' networks end to end to not have to worry about being nice to anyone else.
