The Daily Incite - August 29, 2006
August 29, 2006 - #105
Good Morning:
So much for my slow week. Since I'm not in the marketing game day to day anymore I forgot how useful the last week of summer was. Most folks used to wait until after Labor Day to announce anything interesting, but it turns out the trade pubs still need to publish, so they are always starving for news during the last weeks of the summer. So you do your meaningless point product release on August 28 and the beat reporters swarm. They don't really need customers or anything interesting because they are looking for ANYTHING to write about. So there was lots of news yesterday, most of it meaningless.
Of the interesting stuff I saw, top of the list is Wells Fargo announcing their online security initiative (here). By packaging up a bunch of stuff together and calling it a "platform" it's a good strategy to catch up to folks like Bank of America, which has been talking about SiteKey for a while. Wells' initiative seems more comprehensive, but remember this is marketing - not reality. So it's about whether customers feel safer and I suspect they will. Look for every other super-regional bank to do similar stuff in the near term.
On the blogging front, the G-people have stepped in some of that brown stuff relative to actually publishing that customers are better off flipping a coin to pick their vendor (here). Talk about undermining your own value proposition! I doubt that was really their point (I didn't read the report because it's not worth $195 to me), since customers do spend too much time picking products that are technically undifferentiated. But it makes for a great sound bite, so we'll be seeing quite a bit about it for the rest of the week.
Have a great day.
Top Security News
Wells Fargo says "I'll take one (of everything)"
So what? - So this whole marketing of security didn't work out too well for E*Trade because they were pretty focused on pushing the two-factor authentication method, which most customers weren't interested in. But now it seems that Wells Fargo has gone back to the well and they aren't taking any chances. They announced a wide-ranging initiative with no less than 6 different vendors providing pretty much every technology to build their "online security platform." I had some of the participants contact me yesterday to talk about their big win. They were a bit surprised when I wasn't impressed since everyone was invited to the party. More meaningful are the vendors NOT included in the platform - they are the big losers. I think this is a great move for Wells. As FFIEC takes root and the more technically savvy customers start using security as a selection criterion, taking a "platform" approach will make for good marketing and advertising fodder. That'll last about 6 months until everyone else does it, but until then I figure this will be very powerful for Wells.
http://biz.yahoo.com/bw/060828/20060828005253.html?.v=1
Zombie master meets Bubba
So what? - Just when you thought that running a worldwide network of zombies/bots was a path to fortune and fame, you hear about the unfortunate Californian who will be spending the next 37 months behind bars. Good for him. "If you can't do the time, don't do the crime." If any of you know where that quote came from, I'll mention it in tomorrow's TDI. See, another way to get fortune and fame! I'm sure Bot-man will make lots of new friends and given his proficient hacking skills may actually give the cons a few "success" pointers that will give them some useful skills upon their parole. Maybe he should have gone on the lam, that seemed to work out pretty well for Mitnick, who I'm sure can relay some real world pointers for keeping guys like Bubba happy in the slammer. They say it doesn't count if it's in jail or on the ocean...
http://blog.washingtonpost.com/securityfix/2006/08/botnet_operator_sentenced_to_3.html
Vulnerability for hire
So what? - Where is Robert Urich when you need him? Unfortunately, he's dead. TippingPoint seems to be taking a page from the Urich playbook by assembling some 400 "Spenser's" to find vulnerabilities. On one hand, I'm glad that there is a monetary incentive for honest researchers to find stuff and TippingPoint will do the behind the scenes work with the vendor in question, so the researcher doesn't have to. But something about this feels dirty to me. Once again, security research is a big marketing lever (driven by eEye predominately - check out my thoughts on this from May here) and TippingPoint is trying to make itself seem smarter. But are they? They've got a big checkbook, whoop-de-do! So I'm torn about this, but I guess overall this is good for the industry because folks can make money by finding problems. But I hope customers don't mistake TippingPoint for a security research house.
http://www.3com.com/corpinfo/en_US/pressbox/press_release.jsp?INFO_ID=246648
Six security mistakes to avoid
So what? - NetworkWorld assembled a group of analysts (not including me, grrrrr) to detail six of the "worst" security mistakes. Most are fairly generic and I have a hard time thinking they are the worst (not implementing default-deny would be #1 on my list), but they are all things that should be part of a strong security posture. The one I have the biggest problem with is "buying products with the most bells and whistles," by Mandy Andress. That is way too generic a statement. The point is correct in that the customer should buy only what they need. But to be surprised that customers buy on interface and reporting indicates someone who has not spent any time selling products (or buying them for that matter). Within months security products are all the same, there is very little technical differentiation. So you buy the thing that has the best interface, user experience, and reporting. That's not brain surgery.
http://www.networkworld.com/techinsider/2006/082806-guide-security-index.html
The Consumer AV price wars begin
So what? - I had an interesting email exchange with a friend yesterday about how Symantec was also a loser as a result of the IBM/ISS deal. My point was that SYMC is under siege for lots of reasons, not really services (it's such a small part of the business). You have folks like Sunbelt's Alex who want to blame Microsoft for driving down the prices of AV (predatory pricing my ass), but the reality is you have a bunch of upstarts like BitDefender, Panda, and Kaspersky that are going after SYMC's fortress of solitude - the consumer/SMB AV market. They are doing it by adding more functionality and dropping the price. This data point is BitDefender's new version, which adds rootkit detection and web filtering as part of the suite. And they license it for 2 years on 2 PCs for the list price of $69.95. That's less than $18/yr per PC. Looks like market economics are finally applying to consumer AV - which is good since Adam Smith was turning over in his grave.
http://news.bitdefender.com/NW280-en--BitDefender-Unveils-Next-Generation-Security-Products.html
Top Blog Postings
Gartner says "flip a coin" for product selection
Context is a wonderful thing. This meme is making the rounds and I'm sure it takes the words of the G-people out of context. I don't have access to the full report, but it seems strange to me. Basically it seems they believe most of the work should be done to define the short list and then you can flip a coin to pick the winner. There is probably some truth to that, and my Buying Security Products (here) methodology does front-end load a lot of the work. But I think it's a bad, very bad idea to not do a technical lab evaluation for critical infrastructure components (if you are big enough to have a lab). I think more of their point is that technical differentiation is a myth and the opportunity cost of figuring that out yourself is pretty significant. If you do a good job defining the short list, all of the products will work for you.
http://armadgeddon.blogspot.com/2006/08/to-save-time-on-product-selection-dont.html
Centrino nightmares
George Ou points out some of the issues surrounding the Intel PROSet hole discovered at Black Hat (I think this is the same vulnerability). But more painfully, he describes the mostly manual process that must be done to fix it. Intel really boned this one and they better start working on their auto-update capability (or get to work with the patching/configuration management vendors pronto). This is a nightmare for pretty much any security administrator with more than 10 Centrino laptops. The update is 51 MB and depending on your configuration you may only want to do a driver install. Suffice it to say, there will be a lot of grumpiness in security-land about this one.
http://blogs.zdnet.com/Ou/?p=306
OS X security: Hype vs. reality
You cannot argue with Apple's marketing prowess. Now they continue to drive home the message about the Mac's security model and it's working. You also have a rabid, foaming at the mouth user community that will attack anyone questioning the propriety of Apple's claims. But Dave Goldsmith of Matasano is a brave soul and picks apart the hype and reality of Apple's claims. There are good (minimal attack surface and small user community) and not so good (administrator privileges and default personal firewall), but overall I'm still comfortable that the Mac is a more secure platform. But I am not delusional that it's bulletproof. Clearly it's not.
http://www.matasano.com/log/436/my-dad-can-beat-up-your-dad-part-1/
More IBM/ISS fodder
Here are two pieces that I didn't get to cover yesterday (here), but I think add value to the conversation. The first is from Dwaine Van Vuuren of DiData. Dwaine's points pretty much echo mine, which is that the deal is better for ISS - but IBM will benefit from the services play as smaller MSSPs inevitably get squeezed. He also points out the problematic product business, which is under siege from all sorts of competition, including Cisco and Microsoft adding more capabilities to their base platforms. The second piece is from Mitchell Ashley, and he looks at it from the perspective of the X-Force, which has really been marginalized over the past few years. When was the last time the X-Force made waves with any of the research they've done? Mitchell believes IBM will re-energize that group, but I don't think so. IBM has one of the biggest and most effective research engines in the world, and perhaps the worst research marketing operation. It's very rare that you hear about anything IBM does. And the security research business isn't about being in the background, it's about having a big megaphone (despite Mitchell's protestations). There will likely be a lot of ex-X-Force (is that X-squared-Force?) folks looking for new gigs.
Dwaine: http://secure-o-gram.blogspot.com/2006/08/ibms-acquisition-of-iss-for-16bn.html
Mitchell: http://www.theconvergingnetwork.com/2006/08/and_the_winner_is_xforce.html
Recently on the Security Incite Rants Blog
More thoughts on IBM/ISS
In yesterday's Daily Incite, I did a special section on the IBM/ISS deal - taking some news stories and blog posts and providing some perspective in the areas of user impact, winners/losers, channel impact and what seems to be the biggest dissension in the deal coverage - market leadership and the continued opportunity for security start-ups. Anyhow, for search engine and tagging purposes, I provided a direct link to the section.
http://securityincite.com/blog/mike-rothman/more-thoughts-on-ibm-iss
NetworkWorld Column: We need more security intelligence
In this edition of my Security Insider column, I deal with the difference between security research and security intelligence. Both are important, don't get me wrong. But I think intelligence is an underused weapon in the battle against the bad guys.
http://securityincite.com/blog/mike-rothman/networkworld-column-we-need-more-security-intelligence
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-28

