The Daily Incite - August 25, 2006
August 25, 2006 - #103
Good Morning:
Hi, I'm Mike. And I'm a blogaholic. That's right, I'm looking for a 12-step program that would allow me to cure my need to share my opinions for free and not complete documents that pay money. I had all good intentions of being pretty quiet on the blog this week and complete some customer deliverables during a restricted work schedule due to some travel and family commitments. But the best laid plans...
So first of all ISS gets bought, which totally screws up my Wednesday. Then on Thursday I decide to pick a fight about UTM because it would give me the opportunity to quote Pink Floyd. I wonder what my therapist will say about that. But the UTM discussion is interesting. To gain the context, read my posts (here) and then you can go see Hoff defend his territory (here) and Alan Shimel throwing his 2 cents in as well (here). And just for the record, Alan, though you are a few years older, Pink Floyd's Animals is my favorite Floyd album as well. I fancy myself to be a Dog, but I eat like a Pig. Go figure...
Based on my commentary below, today is Cynical Friday. I'm pretty much poking holes in everything, from NAC interoperability (here) to market share numbers (here) to virus response times (here) to SIM event formats (here). And with good reason, I believe. Lots of this stuff seems pretty wacky to me. Let me know what you think.
Have a great weekend.
Top Security News
C-NAC to take an interoperability NAP
So what? - Talk about getting the cart ahead of the horse. It seems that next month Cisco and Microsoft will demo how their respective network access control (NAC) offerings interoperate. Hmm. My first thought is this kind of stuff puts the vapor in "vapor-ware." First, NAP won't be commercially available for 6-12 months, best case. And hardly anyone has bought into the Cisco NAC Framework. So are customers really worried about interoperability? Or is this just a way to keep Cisco and Microsoft top of mind as customers struggle to get any value out of these big vendor NAC architectures? Yes, that was a rhetorical question.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1212324,00.html
Who's Next
So what? - Kudos to Chris Walsh over at Emergent Chaos for this great visual (here), relative to who will be the next Big Security vendor to get gobbled up by a huge systems management/systems (HP and Sun have little security presence) or networking (Nokia, Ericsson, Lucent/Alcatel) vendor. I've been saying for a while that security is ultimately a feature and that's why "Big is the new small." I guess sometime next year, I'll need to change that to "Huge is the new big." But the IBM/ISS deal has Wall Street aflutter, and speculation is running rampant about McAfee and Symantec. I think they are looking in the wrong places. Check Point is the biggest of the independents left and McAfee is also a doable deal. Symantec (at what would be more than $18 billion) is not, even for HP. The next layer down is Secure Computing, SafeNet, SonicWall and Websense with around $50 million a quarter, which may not be enough to interest the HUGE. But if anything, the i-bankers will stay busy because the feeding frenzy is underway.
http://www.forbes.com/2006/08/24/hewlett-packard-0824markets07.html
Do market share numbers matter 8 months later?
So what? - I've riffed before on why calling yourself a market leader DOES NOT help you sell more products (here), but I continue to be amazed at how the quant analysts (predominantly IDC and Gartner Dataquest) publish market share numbers that are 8-10 months old and vendors flog these reports like they are news. In this clip, Websense feels the need to pat themselves on the back and claim victory for battles they may have won 8 months ago. Whoop-de-do. And that's if you believe the market share numbers, which I know from experience are not totally correlated to reality. Websense has missed two quarters in a row and it seems that their market is saturating TODAY. What do Dataquest's 2005 numbers say about that? So let's congratulate Websense for being the big dog of web filtering and jump into the time machine to go back to 2005 where maybe it mattered.
http://biz.yahoo.com/prnews/060824/lath022.html?.v=67
Wanted: WiFi VPN for SMB
So what? - One of the advantages of what I do is that I can be a nomad. Armed with my trusty MacBook and Foldershare, I can work anywhere. But at times it's a challenge to find free WiFi (I refuse to pay unless I'm in an airport) and there are those niggling security concerns I have. Being a small business, I don't have a VPN and proxy set up that would allow me to connect securely to my network and then get out to the Internet that way. But it seems that Microsoft is working on that with an add-on to Office 2007. The "Live Connection Center Wi-Fi" will supplant Microsoft's existing Wi-Fi management software, link with Windows Live Local, and most interestingly provide a VPN connection - encrypted presumably to their servers and then sent out to the Internet from there. This is a cool idea. Not cool enough to make me think about EVER going back to a PC-based laptop, but there will be some type of 3rd party that figures out how to do it for more than just Windows.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192205127
Disposable email addresses come into vogue
So what? - It seems Earthlink remains 6-12 months behind Yahoo in most things. I use Yahoo Mail for my personal stuff and I've had (and used) disposable email addresses for quite a while. Good for Earthlink for giving their customers the same capability. I find the disposable email addresses useful because I can register using a generic name (nothing that says Mike Rothman) and a code word (like orders or sales) that allows me to track that specific mail list. And if they exhibit bad behavior (if I get on a spam list, for example), I report that list to the powers that be. This IS NOT really something that is applicable to corporates at this point, but for very small companies and/or individuals I've found the capability useful.
http://www.darkreading.com/document.asp?doc_id=102192
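The tracking described in the item above, written out as an added example (this is not code from the original post, nor anything Yahoo or Earthlink ship). It assumes disposable addresses of the form `basename-codeword@domain`, a constructed table of which code word was handed to which party, and a handful of constructed messages; it attributes each inbound message to its code word and reports the code words that are receiving mail from parties they were never given to, which is exactly the signal that a list has been shared, sold or harvested.

```python
import email
from collections import defaultdict
from email.utils import parseaddr

BASE = "genericname"    # assumed: the generic local-part chosen at registration time
DOMAIN = "example.net"  # assumed: the mail domain that hosts the disposable addresses

# Constructed registrations: code word -> domain of the party it was given to.
REGISTRATIONS = {
    "orders": "shop.example",
    "sales": "vendor.example",
}

# Constructed raw messages; only the headers matter for attribution.
MESSAGES = [
    "From: Shop Receipts <receipts@shop.example>\nTo: genericname-orders@example.net\nSubject: Your order\n\nThanks\n",
    "From: news@mail.shop.example\nTo: genericname-orders@example.net\nSubject: Weekly deals\n\nDeals\n",
    "From: Great Offer <promo@unrelated.example>\nTo: genericname-sales@example.net\nSubject: Cheap stuff\n\nBuy\n",
    "From: other@elsewhere.example\nTo: <genericname-sales@example.net>\nSubject: Hi\n\nHi\n",
    "From: someone@unknown.example\nTo: genericname-oldlist@example.net\nSubject: ??\n\n??\n",
]


def code_word(address):
    """Return the code word from base-codeword@DOMAIN, or None if this is not one of our addresses."""
    local, _, domain = address.lower().partition("@")
    prefix = BASE + "-"
    if domain != DOMAIN or not local.startswith(prefix) or len(local) == len(prefix):
        return None
    return local[len(prefix):]


def sender_domain(address):
    return address.lower().rpartition("@")[2]


def same_org(sender, registered):
    """True when the sender is the registered domain or a subdomain of it."""
    return sender == registered or sender.endswith("." + registered)


def classify(raw):
    """Attribute one message to a code word and say whether the sender was expected."""
    msg = email.message_from_string(raw)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    word = code_word(to_addr)
    if word is None:
        return None  # not addressed to a disposable address of ours
    registered = REGISTRATIONS.get(word)
    if registered is None:
        status = "unregistered"  # a code word we no longer (or never) track
    elif same_org(sender_domain(from_addr), registered):
        status = "expected"
    else:
        status = "unexpected"
    return {"code_word": word, "sender": from_addr, "status": status}


def leak_report(raws):
    """Per code word: who it was given to and every sender that should not have it."""
    report = defaultdict(lambda: {"given_to": None, "unexpected_senders": []})
    for raw in raws:
        r = classify(raw)
        if r is None:
            continue
        entry = report[r["code_word"]]
        entry["given_to"] = REGISTRATIONS.get(r["code_word"])
        if r["status"] != "expected":
            entry["unexpected_senders"].append(r["sender"])
    return dict(report)


def leaked_code_words(raws):
    """Code words that have received mail from anyone other than the party they were given to."""
    return sorted(w for w, e in leak_report(raws).items() if e["unexpected_senders"])


if __name__ == "__main__":
    for word, entry in leak_report(MESSAGES).items():
        print(word, "->", entry["given_to"], "unexpected:", entry["unexpected_senders"])
```

Mail from a subdomain of the registered party (a receipts or newsletter host) is treated as expected, so only mail that reaches a code word from an unrelated domain is reported; the `unregistered` case catches an old code word that is still receiving mail after you stopped caring about that list.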
Top Blog Postings
The Tao of Security Switches
Richard Bejtlich is doing a lot of blogging of late, and it's good stuff. He takes Stiennon to task a bit about what consolidation means in this post. Stiennon's response to IBM/ISS was that it wasn't consolidation because there are still over 860 vendors in his database and no one really has a dominant market share. AND? Bejtlich's points on that are well founded. But then he moves into why security will inevitably be baked into the switching fabric, and he is exactly right. Welcome to the club. Stiennon will get over the poke (as I have from your MSS beating here) because we are all in agreement that over time, infrastructure security does happen within the network. Of course, information/data security is a different animal, but I digress. The real question is when, not if.
http://taosecurity.blogspot.com/2006/08/all-network-security-functions-in.html
eEye/Microsoft flare-up in the rear view
The battle between Microsoft and eEye over the recent IE patch (here) is now in the rear view since Microsoft re-issued the patch today. It turns out it was a problem with a piece of SMS that prevented the original patch from working. Check out Ross Brown's post-mortem here. He can't help but get a few more pokes in. But, that being said there is still a huge difference of opinion relative to what responsible disclosure means. Captain Privacy, Martin McKeay, weighs in on the side of more disclosure, and pushes back against the somewhat arbitrary descriptions of "responsible." I'm not sure I buy this. To me, it's all about consistency. Security researchers are within their rights to set reasonable deadlines. If the vendor in question does not have the issue addressed, then disclose. But to not give the heads-up and a reasonable timeframe puts end-users at undue risk, and that's not acceptable.
http://www.computerworld.com/blogs/node/3299
Do virus response times matter?
Today must be curmudgeon day here at Security Incite, because I'm coming to the conclusion that nothing really matters. In this fairly indecipherable post from Dancho (he must have been tired because the English is almost unreadable), he brings up a decent point. The AV vendors want to convince you that their response time is the best. The security vendors that don't do AV are trying to convince you that their "zero-day" approach obviates the need for AV. And the reality is that neither really matters. You need both signatures and heuristics/behavioral protections. This is not an either/or situation. Since most folks are not being attacked (in corporations anyway) exactly in the window between the exploit and the update, that really doesn't matter. And most of all, Dancho's point is that many folks get nailed by stuff vendors already have fixed because of either faulty patching or the lack of updates. This outbreak response time battle keeps security marketers busy, but doesn't really make something "more" secure.
http://ddanchev.blogspot.com/2006/08/virus-outbreak-response-time.html
Common Event Format - who cares?
Since ArcSight's Common Event Format is SIM-related, I must hate it. And that's pretty much right. But I'll use a misconception from Michael Farnum to illuminate my point. Firstly, Farnum posits that the problem with SIM is "So many devices spit out syslog messages in different formats." Hmm. Is that the problem? I don't think so. This initiative will require the equipment vendors to jump on the common event format bandwagon and the reality is it will take a long time before customers receive any value. The issue is not event formats or even integration (folks like ArcSight have connectors to almost anything you'd need to manage). It's time to value and the ability to gain information that helps you do your job. SIM is failing because it doesn't help anyone do much of anything. It's all about being able to 1) prioritize efforts and remediate faster, and 2) crank out a report to keep the auditor happy. I know a lot of folks have spent a lot of money on SIM, but I'm still of the opinion that it's not meeting expectations.
http://infosecplace.com/blog/2006/08/23/reporting-standard-for-sim-needs-to-be-adopted
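To make concrete what a common event format actually buys a SIM, here is an added example (not code from the original post and not ArcSight's own connector code) of a small parser for syslog lines carrying a CEF header. It honours the CEF escaping rules (`\|` and `\\` in header fields; `\=`, `\\`, `\n` and `\r` in extension values), keeps any syslog prefix, rejects lines that are not CEF, and then does the one thing the paragraph says customers want from a SIM: pull out the events above a severity threshold. The sample lines are constructed; the first follows the shape of the widely cited CEF example in ArcSight's public documentation.

```python
import re
from typing import Dict, List, Tuple

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is an alphanumeric token at the start of the extension or after a space.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# Constructed sample events. Vendors, products and addresses are made up.
SAMPLE_LINES = [
    r"CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"Aug 25 09:13:02 host1 CEF:0|Example Corp|Fake Gateway|2.1|200|pipe \| in name|5|msg=key\=value pair\nsecond line act=blocked",
    r"<134>Aug 25 09:14:11 host2 CEF:0|Example Corp|Fake AV|3.0|300|malware quarantined|8|filePath=C:\\temp\\evil.exe cs1Label=Reason cs1=signature match",
    "Aug 25 09:15:00 host3 sshd[123]: Failed password for root from 203.0.113.5 port 22 ssh2",  # plain syslog, not CEF
]


def _split_header(raw: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; the remainder is the extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(raw) and len(fields) < len(HEADER_FIELDS):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw) and raw[i + 1] in "|\\":
            buf.append(raw[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, raw[i:]  # extension is left untouched so its own escapes survive


def _unescape(value: str) -> str:
    """Undo the extension-value escapes: backslash followed by =, backslash, n or r."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "=\\nr":
            out.append({"=": "=", "\\": "\\", "n": "\n", "r": "\r"}[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Values may contain spaces, so each value runs up to the next key token."""
    keys = list(KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].strip())
    return result


def parse_cef(line: str) -> dict:
    """Normalize one syslog line carrying CEF into a flat event dict."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[idx + 4:])
    event = dict(zip(HEADER_FIELDS, fields))
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev  # CEF also allows Low/Medium/High
    event["syslog_prefix"] = line[:idx].strip()
    event["extension"] = _parse_extension(ext)
    return event


def parse_many(lines):
    """Parse what we can; hand back the non-CEF lines rather than silently dropping them."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            rejected.append(line)
    return events, rejected


def at_or_above(events, threshold: int):
    """Triage helper: events whose numeric severity is at or above the threshold."""
    return [e for e in events if isinstance(e["severity"], int) and e["severity"] >= threshold]


if __name__ == "__main__":
    evs, rej = parse_many(SAMPLE_LINES)
    for e in at_or_above(evs, 8):
        print(e["device_product"], e["signature_id"], e["name"], e["extension"])
    print("non-CEF lines:", len(rej))
```

The plain sshd line in the sample set is the paragraph's point in miniature: a parser for the common format gives you nothing for the devices that do not speak it, so the rejected list is where the connector work (and the time to value) still lives.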
Recently on the Security Incite Rants Blog
My plan is...
Every so often I feel the need to bare part of my soul on the blog. I'm not sure why, but yesterday was one of those days. I read a piece by Tom Peters and it got me thinking about what my plan is. How am I going to make an impact? How am I going to make tons of money? Basically, for the first time in my life, I intentionally don't really have a plan. And I have to admit it's great. I go into some of the details and why I'm OK with living one day at a time.
http://securityincite.com/blog/mike-rothman/my-plan-is
Security is just another brick in the wall
I saw an interesting post by Seth Godin that I thought was very relevant to the security business. There are only a few ways to increase market share and two ways to innovate to solidify that market share (according to Godin), and we are seeing one of them in action in the security business daily. It's the "another brick in the wall" strategy, where vendors keep adding functionality until it passes the tipping point and customers migrate to the integrated solution. And it gave me an opportunity to quote lyrics from Pink Floyd, so this was a double whammy post.
http://securityincite.com/blog/mike-rothman/security-is-just-another-brick-in-the-wall
RIP Perimeter BOB
Sometimes I forget that I need to be very very careful with words when I mention UTM, lest I raise the ire of the verbose Chris Hoff. Well, I did and he responded and then I had to respond. So this post publishes Chris' comment and then my clarifications and response. Of course, I need to get the last word because this is my blog after all. But as you saw from the intro rant, both Chris and Alan Shimel posted their own ideas where they are the home team.
http://securityincite.com/blog/mike-rothman/security-is-just-another-brick-in-the-wall
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-24