The Daily Incite - August 14, 2006
August 14, 2006
Good Morning:
Happy Monday. Today TDI takes a decidedly consumer focus, weighing in on the looming AV battles (here), how banks are getting involved in protecting their customers' computers (here) and then wondering who is ultimately responsible for fraud (here). These are pretty touchy topics and ones that warrant discussion, since there is no easy answer. But ultimately every business needs to be profitable (if it wants to stay around, that is) and that means it needs to have profitable customers. If you are having to make some customers whole because they've been compromised, I'd venture to say they are unprofitable. Non-trivial business decisions, that's for sure.
I also revisit UTM a bit (here and here). If there is one useful thing that the G-people have added to the discussion, it's their hype cycle. That is right on the money. It seems that UTM is hitting the trough of disillusionment, and that means the technology is going mainstream. Of course, these are just anecdotal rantings from a mad man, but the data is aligning and I think by mid-next year we'll see best-of-breed offerings increasingly relegated to the large enterprise niche.
On a personal note, today is a big milestone for my family as my oldest daughter Leah starts kindergarten. For those of you with kids, I know you can empathize with how proud you get by even the smallest accomplishment. But seeing her get on that bus this AM was something else. I can only hope she enjoys learning as much as I do, and never loses the excitement about education that she showed this morning.
Have a great day.
Top Security News
Expect casualties from Microsoft's march on AV
So what? - Usually market share numbers aren't worth the paper they are printed on. Basically, you have some analyst quants gather information from a bunch of sources, wave their hands a bit, sprinkle some magic powder, say hocus pocus and abracadabra and BOOM! - you get an idea (sort of) about what's happening in a market. This time is no different in looking at NPD's retail AV stats for June, which showed Microsoft's OneCare nabbed enough of a share (15.4%) to show this is going to be a pretty significant battle. Yes, we can debate the numbers all day, and that's not interesting to me. What is interesting is that none of Symantec's or McAfee's posturing is useful anymore. Microsoft will have an impact on the consumer security market, and it's going to be significant. The landscape will be very different two years from now.
http://news.com.com/Microsofts+antivirus+package+makes+a+splash/2100-7355_3-6104926.html
Technorati tags: AV, Microsoft, Symantec, McAfee
The 21st century toaster
So what? - Continuing on the consumer AV focus, this PC Magazine article highlights the desire and need for the consumer AV powers to diversify channels. McAfee has arguably done the best job of this, but now the word is everyone is chasing after the banks. So if I open up an online banking account, I get free AV (or at least a huge discount)? Looks like toasters and other kitchen products will be getting no more bank account-opening love. Inherently this makes sense, and at some point the banks will need to take it one step further and apply pre-admission NAC to ensure all clients that connect haven't been compromised. Someone get Stiennon a barf bag, since I know that concept makes him violently ill. And I'd certainly like to see the banks focus on better mutual and multi-factor authentication strategies first. But for those with big reach, this kind of approach does make sense, given all the potential brand damage from phishing, key loggers, etc.
http://news.yahoo.com/s/zd/20060811/tc_zd/185906
Technorati tags: AV, banks
If you can't beat them in the market, lock them out of the kernel
So what? - Seems our pals at Microsoft are taking no chances. If their attack on planet AV doesn't go so well, they have a clear Plan B: use the next-generation Vista OS and lock AV vendors out of working at the kernel level. Of course, that's a bit tongue-in-cheek, but not that much. The reality is that Microsoft needs to lock down the kernel more effectively, since it's that ease of integration that makes rootkits such an issue. But they also need to work with the leading AV vendors to ensure their products will integrate cleanly. Microsoft does claim to face the same limitations with its own AV products, but we'll see about that. Instead of bitching about it (listen up, Symantec), it's about time the AV vendors looked at rearchitecting their products to be effective given a more robust OS security model. But I guess bitching does generate some ink, so the bitching will continue.
http://www.eweek.com/article2/0,1759,2001914,00.asp
Technorati tags: AV, Microsoft, Symantec, kernel, OS security
UTM backlash means the market is happening
So what? - No existing market goes down without a fight, and perimeter gateway security is no exception. Since unified threat management products hit a couple of years ago, we've had to rehash the best-of-breed vs. integrated discussion another million times. This NetworkWorld article looks at it from the perspective of performance: when you do everything in one box and turn on complicated policies, throughput takes a hit. Thankfully no one has repealed the laws of physics, so this holds. I guess my question is how doing this on separate boxes changes anything. You are still serially examining the packets and still applying the same complicated policies, no? The decision still gets back to balancing complexity vs. having all your eggs in one basket. At the high end, you'll continue to see best of breed (though it may be running in big UTM chassis) for those that can't get comfortable with a single vendor's software. For those of us with better things to do, single-vendor UTM will be just fine.
http://www.networkworld.com/news/2006/080906-all-in-one.html
Technorati tags: UTM
Top Blog Postings
UTM still relevant for big companies
In this post, CJ Kelly rants a bit about how big companies shouldn't be putting all their eggs in one basket with a UTM solution. I guess I'd counter with a position about picking the wrong product. If what her agency needed was an IPS, then that's what they should have bought. But to categorize the entire Big UTM market as crap because they picked the wrong vendor strikes me as a bit unfair. Depending on your requirements, UTM may make sense even for big companies. I'm sure my pal Chris Hoff would have a thing or two to say about that. I'd also question the procurement process of the agency when the folks who have to support and manage a product don't get to play with it before it's bought. That's certainly not best practice as laid out in Buying Security Products.
http://www.computerworld.com/blogs/node/3212
Technorati tags: UTM, procurement
Who's responsible for fraud?
Since today seems to be the consumer edition of TDI, let me look at a post from Martin McKeay last week trying to get a bead on who is ultimately responsible for consumer fraud. He even beats me to the punch by a couple of days in envisioning a pre-admission NAC test by the banks. What's worse from a branding standpoint: locking out Aunt Bessie because she has a key logger, or having to reimburse her for the thousands of dollars pulled out of her account because of that key logger? It's a tough call, but ultimately strong businesses need to fire their customers from time to time, and if someone can't get security right (and isn't willing to accept the bank's help to clean it up), that may be a good acid test for a customer you just don't want.
http://www.computerworld.com/blogs/node/3207
Technorati tags: consumer security, banks, key loggers
Still not a fan of security metrics
Let's be clear: you have to measure stuff. That is how people want to define success, and that is quite a quandary for security practitioners, who at best are making up numbers to justify their existence. I beat down a new security metrics initiative (even though it involves a bunch of my friends) here because I don't believe in the methodology. Ogren responded in his comment here. But I think Ravi Char has got it right in this post. Metrics are deceiving, and I've always said that I can make a number say anything I want it to say. It's all about the positioning. But ultimately, how do these metrics make my environment more secure? How does this type of initiative help me substantiate my existence better to the people who write the checks? Those are my acid tests for security metrics, and until we get a crisp affirmative answer to those questions, my opinion will remain the same. You can "count" on it.
http://ravichar.blogharbor.com/blog/_archives/2006/8/12/2225384.html
Technorati tags: OS security, Microsoft Vista, Apple
IT staffers can be insiders too
This is a pretty insightful post from Tim Wilson over at Dark Reading about the fact that companies (especially big ones) need to protect themselves from their IT staff as well, or at least have checks and balances that ensure there are unalterable audit and logging trails for what data IT folks access and what changes they make. Of course, we all want to trust the folks running the IT shop, but they do have access to all sorts of data they shouldn't. Until we get to a data/information security model where all sensitive data is persistently protected (years away at best), this will remain a problem. But letting the IT folks know that someone is watching is a critical first step to deterring this kind of behavior.
http://www.darkreading.com/blog.asp?blog_sectionid=327
Technorati tags: information security, insider threat
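As an added example (not from the post or from Dark Reading), here is one way to make the "unalterable audit trail" concrete: each log entry's hash covers the previous entry's hash, so an administrator who edits or deletes an older record breaks every later link. The events are constructed sample data; the anchor check assumes the chain's head hash is copied somewhere IT cannot write.

```python
import copy
import hashlib
import json

# Constructed sample audit events (hypothetical, for illustration only).
SAMPLE_EVENTS = [
    {"actor": "dba01", "action": "SELECT", "object": "customers.ssn", "rows": 1200},
    {"actor": "sysadmin7", "action": "CHMOD", "object": "/var/log/auth.log", "mode": "0666"},
    {"actor": "dba01", "action": "UPDATE", "object": "accounts.balance", "rows": 1},
]

GENESIS = "0" * 64  # stand-in for the hash of an empty chain

def _entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so an identical event always produces the identical hash.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain: list, event: dict) -> list:
    """Append an event; its hash binds it to every entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "hash": _entry_hash(prev, event)})
    return chain

def verify(chain: list) -> int:
    """Return -1 if every link checks out, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["hash"] != _entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1

def head(chain: list) -> str:
    """The value to escrow out of IT's reach (write-once media, a separate log host)."""
    return chain[-1]["hash"] if chain else GENESIS

def verify_against_anchor(chain: list, anchor: str) -> bool:
    """Catches an insider who rewrites an entry AND recomputes the whole chain."""
    return verify(chain) == -1 and head(chain) == anchor

def build_chain(events=SAMPLE_EVENTS) -> list:
    chain = []
    for ev in events:
        append(chain, ev)
    return chain

def tampered_copy(chain: list) -> list:
    """Simulate an admin quietly changing an older record without rehashing."""
    bad = copy.deepcopy(chain)
    bad[1]["event"]["mode"] = "0640"
    return bad
```

Chaining alone only detects edits made without rehashing; the escrowed head hash is what defeats an insider who has write access to the whole log.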
Recently on the Security Incite Rants Blog
More scratching and sniffing
It seems that Mark Bouchard's post on Security Incite added fuel to the fire, and as opposed to Chris Hoff's usual piling on everyone else, Chris got to face off against both Boo and Stiennon. So check out this post, which links back to the comments on the original Scratch AND Sniff piece and a few of my thoughts, both clarifying what everyone is trying to say and adding some virtualization complications that may make the entire discussion irrelevant within a few years.
http://securityincite.com/blog/mike-rothman/more-scratching-and-sniffing
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-08-11
Technorati: Information Security
What I found interesting in the follow-up/forum discussions are the security people who say that they spend a lot of their time investigating suspicious behavior of IT staff.
Mike, just as a follow-up to previous discussions, Trustifier allows IT staff to work on systems and networks without accessing sensitive/confidential data on any device, and the audit trails that trace all of their actions are forensically defensible, that is, the IT staff cannot alter them.
I think it was Larry Ponemon who said in one piece, when staff know they are being monitored it's amazing how their behavior changes.