The Daily Incite - September 28, 2006

Submitted by Mike Rothman on Thu, 2006-09-28 08:46.
Today's Daily Incite

September 28, 2006 - #126

Good Morning:
The best laid plans... How does that story go? I had every intention of doing all sorts of blogging and catching up yesterday, but alas the main water line into my house had a different plan. My exciting activity yesterday was a good portion of the day with the plumber, dusting off the shop-vac, and a trip to get a dehumidifier. Ah, the wonders of home ownership, but as with everything else - it could have been much worse. 

Today is officially "Thomas Thursday," since Thomas Ptacek of Matasano was busy yesterday poking and prodding inline patching (here) and listing what products he thinks are hot (here). Most of what I think is hot is NOT related to security. But that's me. We are also seeing the leak prevention space evolve in front of our eyes. The velocity at which new markets move these days is astounding. We are seeing the business development (bus dev) phase now (here), and that will eventually lead to the integration/consolidation into other categories (according to Stiennon - here - and I concur).

And speaking of consolidation, Sophos has sent notice to the rest of the AV crowd about application control (here). It'll be a feature of a desktop/endpoint security product in the near term. So if you are working fervently on cool, new application control technology and want to tell me all about it, don't waste your breath. I'm interested in who you know at Symantec, McAfee, and Microsoft and why they are going to buy you and not one of the other 5-6 that do the same thing.

And to be clear, I don't hate any specific vendors. I can tell you there are individuals within some companies that I'm not a huge fan of. And I know there are many folks that just wish I would go away. But I'm not going to. I'm having too much fun. Let's keep in mind what my job is, to provide focus and perspective about all the news and activity in the information security space. Sometimes I'm a bit colorful and controversial in how I call things out (especially stupid things), and if you are still reading, then you appreciate it. Those on the receiving end of a tirade... not so much. But always remember that I'm an equal opportunity offender. I don't play favorites and I call it like I see it. If you can't deal with that, then change the channel.
 
Have a great day.

Top Security News

Application Control coming to a suite near you
So what? - Sophos broke the seal on application control. By integrating application control into their desktop AV suite, they have just made clear what many of us have known for quite a while. Application control is NOT a stand-alone market. It's a feature of a desktop/endpoint security suite. And I keep hearing about new app control vendors launching weekly. Too little, too late for the new guys. Here's what will happen. The only way one of the existing, more established ones (SecureWave, AppSense, Bit9) stands alone is to OEM their technology to more than one of the big guys pronto. Failing that, they better get that deal book done, get on the road and sell. The AV vendors need to have this and they'll most likely buy it (as opposed to build it), but at least one will buy one of these new things because it'll be cheap. They'll be sorry. Application control breaks things on your desktop (whitelisting blocks legitimate software you forgot to approve), and you want a technology that has gone through at least one break/fix cycle with real customers.
http://www.sophos.com/pressoffice/news/articles/2006/09/application-control.html

Get a WAFfle for Burton
So what? - The Burton folks recently published a report on web application firewalls (WAF), which is covered here by SearchSecurity. A lot of the points are legit, like a WAF will add some measure of latency and requires tuning so it doesn't hose your application with false positives. Unless I'm mistaken, there is no requirement for a WAF under PCI. PCI now requires applications to be scanned, not necessarily to be protected at all times by an application firewall. But my position is consistent with theirs: application-specific protection is something you need. I also agree that it needs to be bigger than just HTTP. These boxes will need to handle XML traffic and probably something at the database level as well, enforcing a single policy for application use. So, we'll see more consolidation - which I know is surprising.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1218406,00.html

Hot and Dark (Reading)
So what? - In what is a major PR coup for a couple of vendors, Dark Reading has published their Six Hot Security Products list. What annoys me is that they mention specific vendors, even though there are alternatives for all. That's why this reads more like a PR bonanza than a useful article for end users. Metasploit is a poor man's Core. PGP and PostX certainly make a case about doing encryption, maybe not with IBE (identity-based encryption) - but how important are encryption algorithms? ISS and other IPS vendors say they do "virtual patching" as well. And there are only about a zillion NAC vendors out there, so what makes Lockdown that much better? Nada. There are tons of vendors that make the same claims about having product today that is not vendor proprietary and supports existing infrastructure. That's not unique. Interestingly enough, they don't pick a favorite for secure-code scanning tools. I guess Coverity and Fortify need new PR people. I am not so presumptuous as to think I know what products are the correct fit for a specific customer. By anointing one vendor as "hot" and therefore the others as not, Dark Reading has done exactly that.
http://www.darkreading.com/document.asp?doc_id=104437

Compete in the market, not in the courts
So what? - The folks at Symantec think I hate them. Really. I get calls from their AR people wondering whether they should expect continued bludgeoning or whether they can "explain" their strategy to me - perhaps to garner more favorable coverage. I have only one thing to say. Stop doing stupid things and I'll stop calling you on it. This running off to Europe to make an anti-trust case about opening up APIs and dashboards in Vista is turning my stomach. Keep in mind that Microsoft claims to have to adhere to the same restrictions in how their AV product can interact with Vista. Maybe a 3rd party can weigh in and figure out what the truth is. But it's Microsoft's OS; they can determine how to protect it as they see fit. They are not bundling in AV and not restricting others' ability to provide AV or other security capabilities. I'm no Microsoft-lover either; they screw up plenty. But in my opinion they've brought OneCare to market by the book. Where's McAfee in this discussion? If it were that big of a problem, it would be more than Symantec making waves here. There are lots of small European AV vendors (F-Secure, Panda, Kaspersky) that would provide a more compelling case to the EMEA regulators. Until they get all of them banding together to do something, this is just Symantec wailing about how unfair life is.
http://biz.yahoo.com/ap/060927/eu_symantec_microsoft.html?.v=7

Websense comes into Port(Authority)
So what? - The days of the large stand-alone, single-function security company are over. I'm not sure it's UTM, but it is more than STM (single threat management). Folks like Websense cannot compete just on the basis of market share in one category. So this deal with PortAuthority makes a lot of sense. They already manage the outbound web connections for lots of larger enterprises, and one of the key vectors out for intellectual property and privacy leakage is that web connection. These products are adjacent enough to make sense. But why didn't they just outright buy the technology? Valuation, I'm sure. Since leak prevention is so early, we haven't had any kind of shake-out yet. So all of these vendors have delusions of grandeur about multi-hundred million dollar exits. Two or three will get there. The other 8-10 will not. Websense can be patient because for the time being they are just reselling the product. At some point, they'll need to integrate policy and management consoles. Then they'll need to make a deeper commitment.
http://biz.yahoo.com/prnews/060927/law028.html?.v=74

Top Blog Postings

Thomas vs. Hoff on inline patching
Thomas from Matasano had a lot to say yesterday, and it was provocative. I love that. In this piece, he goes to town on Chris Hoff relative to Chris' support of Blue Lane's inline patching process. Thomas' argument is that inline patching is nothing more than IPS with fancy marketing. At the risk of having Thomas come to my town as well, I will take the pragmatist's view. If I'm a customer, I don't stand on principle or get involved in much religion. I'm paid to get a job done. I don't care if you call it inline patching or IPS. Give me some protection, especially if I have a wacky change control process that prevents me from patching when I want to. As virtualization hits and you are dealing with not hundreds, but potentially hundreds of thousands of "machines" that need to be patched, this can make a difference. Do the IPS guys take a similar approach? They should; this adds value to the customer. Do some of them say they do it today? Again, yes. Do they? Who knows? But that's why larger companies must bring stuff into their labs and bang on it, especially for a new category. And I don't have any issue with innovative marketing.
http://www.matasano.com/log/521/network-patching-is-not-an-alternative-to-third-party-patching-chris/

Thomas' top 6
In what may be a TDI record, Thomas gets his 2nd mention today because he just could not be outdone by the folks at Dark Reading (here), who posted their list of 6 hot security products. So he had to weigh in with his own top 6 cool things. 3 of the 6 are consistent with Dark Reading (Voltage, secure coding tools - Coverity, and next-gen attack tools - CORE IMPACT). The rest are a mix of open source things (like PaiMei), non-intrusive vulnerability monitoring (Tenable), and network segmentation (not really a product, but a religion). Not being a developer, I was unfamiliar with PaiMei, a reverse engineering framework - which sounds cool. I guess the point is that there is no lack of cool things that we can (and should) be doing. But it gets back to prioritizing and figuring out what will have the most value to the business.
http://www.matasano.com/log/522/the-matasano-h0t-s1x-4-0h-s1x-security-technologies-to-pay-attention-to/

Stiennon loves the leaks
Maybe Richard is just a plumber wanna-be, because a lot of what he talks about is leaks. He's been all over this extrusion or leak prevention stuff and it's finally turning into a market, as opposed to 10 well-funded vendors telling everyone it's a market. But it's still early. When total VC funding in a market outstrips sales in the category, you are in an early market. Richard's point here is that some of the bus dev activities like Websense/PortAuthority (here) and Extreme/Reconnex are shepherding in a new phase for this category. But we will see consolidation, and I agree with Richard's assessment that this will cease to be a stand-alone market. I'm figuring by the end of 2007. He's also right on the money that other categories (email security, perimeter defense, content filtering) will be adding leak prevention to their stuff as well; it's happening already.
http://blogs.zdnet.com/threatchaos/?p=411

Price is one lever
Alan Shimel waxes poetic about open source and price competition in this post. He's referring to Vyatta, which is trying to break into the router market with a low-end, open-source based offering. He's right in that no one is going to break Cisco's hold on the router market. There is too much inertia for that to happen, even if someone does some interesting packaging. But what about the other 20%? That's what Firefox is going for in the browser space. And Apple and Linux in the desktop OS space. And AMD in the PC processor space. You see two tangents of competition. Price is definitely one of them (AMD and Linux). Adding functionality and offering a better user experience is the other (Firefox and Apple). So Alan is right and wrong here. There are lots of ways to go after a monopoly position. But keep in mind these folks are competing for the other 20%.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/is_price_ever_e.html

Recently on the Security Incite Rants Blog

It goes to 11 - Introducing BluePrint Marketing
My friend Scott Santucci knows what a big Spinal Tap fan I am. So when he posted to his blog regarding how most technology companies rely on a similar tactic to try to differentiate themselves in increasingly crowded markets, I just had to take it. With his permission, of course. Scott knows all about this, since his consultancy, BluePrint Marketing, works with large tech vendors to refine their value propositions and guide their customer conversations based on the customer's buying cycle, not on a vendor's sales cycle. So check out Scott's thinking on this, and how I added some relevant security perspectives.
http://securityincite.com/blog/mike-rothman/it-goes-to-11-introducing-blueprint-marketing

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-27

Submitted by kurt wismer (not verified) on Thu, 2006-09-28 11:40.

"Where's McAfee in this discussion?"

They're in the same position Symantec is... According to this article (http://www.zdnet.com.au/news/software/soa/Microsoft_accused_of_withholding_Vista_APIs/0,130061733,339271340,00.htm), all anti-virus vendors are currently in the same boat, and the McAfee folks in particular are none too pleased...