The Daily Incite - August 31, 2006
August 31, 2006 - #107
Good Morning:
Big Thursday. Almost ready for the long weekend, which will be nice. Hopefully my friend Ernesto doesn't have other plans to wash away ATL this weekend. In security-land, once again data protection is front and center. People are starting to realize the potential security issues with SaaS (here), and it's about time. We'll see if the application vendors can get beyond "Your data is secure. Trust me."
I also want to call out a big faux pas on the security marketing front. I take Alert Logic (here) to task for recycling almost the exact same announcement that competitor SecureWorks made about 6 weeks ago regarding SQL injection. Yes, the summer is slow, and yes, my head has been elsewhere lately. But come on, you are going to have to work harder than that to pull one over on old Mikey!
Finally, let me point to a column by fellow NetworkWorld columnist Mark Gibbs about Vista's true impact on security (here), and I have to say that Microsoft is in a no-win situation. As Mark points out, some customers are going to turn off the additional security in Vista (like user access control) and they will remain no more protected than with XP. That is the user's problem, not Microsoft's. I remember an old saying about a horse and water. How does that go again?
Have a great day.
Top Security News
SaaS security blind spot
So what? - SaaS (software as a service) continues to be all the rage. This week Google decided to package some of their stuff together in what promises to be a full frontal assault on Microsoft. As I mentioned on Monday (here), this is going to present some pretty significant data security issues. It seems the rest of the world is starting to agree, as this InformationWeek article points out. Of course, it's not just that Web apps are "less secure" that is the issue. It's the fact that corporate data, both private data and intellectual property, is somewhere else, beyond your control. Besides saying they have solid and secure data centers, none of the SaaS players have really talked much about DATA SECURITY. Feels like a bit of obscurity in play, and as I mention below (here), that will work for a short time. But now it feels like customers need to start challenging the SaaSy folks to clarify exactly HOW they are protecting their data.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192500179
Was IBM/ISS about protecting data?
So what? - This VARBusiness story seems to draw some funny conclusions about security. I guess they did a survey (oh, how I love surveys) that ranked customer service high on the list of priorities. OK, that sounds reasonable. But they also say it's security and privacy policies that drove the customer service spending. Huh? Non sequitur alert. And then they go on to mention a term my pals over at Nemertes use, "information stewardship," which is basically data protection. Kind of sounds like a butler is involved, no? Where is that damn steward? Maybe this is the Ask Jeeves butler's new gig (since he got canned by Barry Diller). If that wasn't enough, they then go and justify IBM dropping $1.3 big on ISS because customers are interested in security. This plot has jumped around more than a David Mamet screenplay. Ultimately, as I've said, IBM/ISS was about IBM taking a market share lead in MSS, which they think is about to explode. Pure and simple. It wasn't about products. It wasn't about data security. It was about market share. That's how big companies do things.
http://www.varbusiness.com/showArticle.jhtml?articleId=192300805
So HP, do you want Door #1, #2, or #3?
So what? - Part of the fun of being an analyst is being able to speculate for hours on end with smart people about what may happen. The IBM/ISS deal made it very clear that HP is woefully behind in everything having to do with security. So the Wall Street rumor mill starts to turn with tales of how HP needs to buy McAfee or even Symantec to gain parity. Actually, this article on MarketWatch throws another name into the mix - Check Point. On the surface, there are some synergies; adding Check Point to the ProCurve arsenal could increase HP's presence in the channel, and being able to bundle Zone (for free) on every computer HP sells would create an upsell opportunity for the enterprise endpoint offering. But then you get back to economics. McAfee would cost less and bring in more than twice as much revenue. Yes, Check Point is obscenely profitable, but HP is so big that even Check Point's over-50% NET margins won't move the profit needle much. But let's just say it's a buyer's market for security companies, and HP will have the pick of the litter because they've got the biggest checkbook.
http://tinyurl.com/h7s8f
SQL Injection deja vu
So what? - Alert Logic has stepped in the recycled-news poop. I saw their announcement about how mid-size financial firms are increasingly targeted by SQL injection, and it was interesting. Web application security and even IPS are underutilized in that segment, so it made sense. But then I got this distinct feeling of deja vu and did a bit of digging. It turns out that SecureWorks said EXACTLY the same thing back in mid-July (here). I mean EXACTLY. I hope Alert Logic thought they were breaking new ground and perhaps they weren't aware of the SecureWorks research, but get with the program, folks. It's not too hard to track the 3-4 MSS competitors to see what they are announcing. It doesn't paint you as a market leader if you are regurgitating 6-week-old news from one of your competitors.
http://www.alertlogic.com/news/press_releases/Alertlogic_Press_Release_08-29-06.php
Nokia and Sourcefire - So what?
So what? - I actually had a number of folks send me notes commenting on the recent Nokia and Sourcefire announcement. Candidly, I think this is a non-event. Why? Nokia is a dead man walking in the security space. Not that I agree with all of the slanted vendor-isms of Chris Hoff (here), but the Rip Van Winkle suit definitely fits Nokia like a glove. They've been milking their installed base for years without adding anything to the boxes, and now that requirements are changing (either folks need more capabilities - UTM - or they need bigger boxes), Nokia is exposed. The ISS deal from years ago didn't work out too well, and I think this will add some short-term wind to Sourcefire's sails, since there are a lot of folks with Nokia boxes that need more than just Check Point, and the channel loves to upsell. Since Check Point couldn't buy Sourcefire, which would have had the same net result (Sourcefire on Nokia hardware), Sourcefire is taking things into their own hands. Good for them.
http://www.darkreading.com/document.asp?doc_id=102587
Top Blog Postings
Will there be a security industry in 10 years?
This is an interesting topic of conversation, especially since it was brought up by Ross Brown, who runs a security company. But his point is well taken and is consistent with what I've been saying for a while. Optimally, security is a feature of other technology infrastructure. Whether it's your network, data center, applications or endpoints, security is something that should be built in. Of course, it's a long and hard road to get there, but we will get there. I also agree with Ross that there will be a cottage industry for security "utilities" like vuln and pen testing. And there will also be money in reporting (mostly for compliance's sake), but to think there will be a stand-alone security opportunity ad infinitum is a bit optimistic in my view. And CISOs aren't going away; they'll just be advisors to other IT and line-of-business domains within the organization. We're already heading that way, but many folks don't want to admit it.
http://technobabylon.typepad.com/tb/2006/08/the_security_in.html
The Mogull talks disclosure
Rich put up a pretty lengthy post yesterday about disclosure, and it's pretty interesting and pragmatic, which I like. The reality of the situation is that we need full disclosure in some cases to keep the vendors honest and doing the right thing, even though it does help the bad guys more. It's not up to the vendors to decide what is "responsible." We as an industry should be determining that. Since most of the bad guys would just as soon take the path of least resistance, obscuring information about vulnerabilities is a short-term strategy that works. I also think that we are getting reasonably close to an answer, since there are enough checks and balances to keep the big vendors honest and the researchers incented to keep doing what they do. A case in point is the recent eEye/Microsoft dust-up. Microsoft called foul, the industry told them to shut up, so they fixed the problem and that was the end of it. Of course, Martin McKeay has his own opinions (here) and supports most of what Rich says, with the exception of the obscurity issue. Clearly obscurity is not a long-term strategy, but it works great for a couple of weeks.
http://securosis.com/2006/08/29/the-3-dirty-little-secrets-of-disclosure-no-one-wants-to-talk-about/
It's about those soft skills again
Douglas Schweitzer points to an article that says security folks are frustrated. Thank you, Captain Obvious! Of course we are frustrated, since we know the right stuff to do, but in many cases it's either too expensive or makes too much of an impact on the user experience, so it becomes a non-starter. It's that old balance between security and usability. And when something goes down, you bet it's the security guy that gets blamed. So what do you do? Practice those soft skills (like selling and politicking to get adequate funding) which separate the successful CSOs from the ones that get popped when something bad happens. Oh yeah, and COVER YOUR ASS. Make sure all of your requests are documented and that you have a very clear statement of what COULD happen if a project doesn't get the green light. Then if it does happen, you've at least got documentation to say "Told you!" as they are doing your exit interview.
http://www.computerworld.com/blogs/node/3353
Will Vista help security?
Resident NetworkWorld curmudgeon Mark Gibbs asks that very question, but I'm not sure his answer holds water. Yes, additional security is a pain in the butt. Yes, user account control will break some applications and require many vendors to change their model. And finally, if users turn off the additional security capabilities, then you bet, Vista will not help security. But is that Microsoft's problem? I think not. Of course, they'll get blamed, but the reality is we need to compromise. End users need to change their behaviors to protect their desktops more effectively. They need to be trained on what to do. On the other hand, we need better tools (like Vista and application control) that prevent users from doing stupid things. But the old adage is true: you can lead a horse to water, but you can't make it drink. Let's just hope that a lot of new Vista customers are very thirsty.
http://www.networkworld.com/columnists/2006/082806backspin.html
Recently on the Security Incite Rants Blog
The 11th (and most important) reason security products don't work
Most of the time Dark Reading does a good job, but I pick apart their 10-reasons article in this post because I'm not sure it adds much to the discussion. Shimel disagrees (here), but that's OK. Suffice it to say that a majority of these "reasons" are directly related to mismatched expectations between the users buying the products and the vendors selling them. And I manage to throw in references to both Heidi Klum and Medusa, so it's all good.
http://securityincite.com/blog/mike-rothman/the-11th-and-most-important-reason-security-product-dont-work
Keywords tell the story
You can learn a lot from what people are searching for. Just ask AOL. In this post, I look at some of the recent keywords that led folks to securityincite.com, and it's pretty interesting. You can get a feel for M&A in the pipeline, some perspective into the rumor mill, which vendors are competing against each other, and lots of other stuff. And don't miss the funniest search of all; it had me rolling on the floor.
http://securityincite.com/blog/mike-rothman/keywords-tell-the-story
The downside of hosted environments
When you run a small business, there are always compromises to be made. There are lots of hosting options for almost everything: web applications, phone systems, conference calling, and most prevalent of all, email. But when you can't send out mail (because some other joker with your service provider ends up on SpamCop), it's a bit frustrating. But you do get what you pay for, and I'm not about to go build my own infrastructure.
http://securityincite.com/blog/mike-rothman/the-downside-of-hosted-environments