The Daily Incite - October 3, 2006

Submitted by Mike Rothman on Tue, 2006-10-03 08:23.
Today's Daily Incite

October 3, 2006 - #128

Good Morning:
I'm back. I'd say rested and repentant - but not so much on either count. I am glad to be getting back to the daily routine. Unlike Shimel (here), repenting to me doesn't mean apologizing for being me. It means looking backwards and seeing what I did wrong and resolving to be better in the coming year. I've got a lot to work on. But I'm not going to apologize for calling folks out (sharp tongue or not) because I actually think my style is unique and appreciated. But maybe I'm just drinking my own bath water.

In security-land, the build-up to Vista's release is gaining speed. McAfee jumps on the anti-MSFT bandwagon (here) and it's clear that end users think security is THE main advantage of Vista (here), which doesn't surprise me. But it means the migration to Vista will be longer. In blog-land, similar momentum is building behind leak prevention (here), but it's about more than just email. I also feel like a deal is going to happen soon in the space. There have been lots of rumors about Vontu getting taken out, which may or may not happen. But someone will be taken out and it will happen soon. I guess I'll take my Stiennon suit off now and point to the gutsy call by the Mogull to dare folks to invade his privacy (here). Good luck with that.

And thanks to Christian Koch, who pointed out Cisco's new logo (here). Looks like an EKG drawn by my 6 year old in crayon. They redesigned it to be more "mobile device friendly." Huh? Aren't we getting more bandwidth on our mobile devices? It's definitely less filling for me - and does not taste great. But logos are very subjective, so just because I hate it doesn't mean it sucks.

Have a great day.

Top Security News

It may be time for a HIPS replacement
So what? - By now you should know I'm a fan of layers, and I think it's critical to protect endpoints because of mobility and the like. So what about HIPS (host intrusion prevention)? For a long time, it didn't work too well. Too many false positives, and it impacted performance - not in a good way. But has the technology evolved to the point where it's both usable and helpful at this point? It seems the answer is yes, according to a review of a few options this week in Network Computing. Now there are lots of different ways to skin the cat and the 3 vendors reviewed (Determina, ISS, McAfee) all come at it from different perspectives. But I'm not one to give a rat's ass about this technique vs. that one. I'm interested in whether the endpoint is more secure, and it is. That being said, IPS is part of most of the security suites today. So to me, this review seems to be a bit out of step with industry dynamics. The real question is whether you should be paying extra for endpoint HIPS, and there my answer is probably not. NWC also does an analysis of the HIPS market (here), which I find a bit light.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193100579

Blue Coat emerges from summer slumber
So what? - Blue Coat has been very quiet lately. I guess you keep a low profile when you miss expectations a couple of quarters running and you are dealing with an options backdating issue (ouch). But it seems there has been some activity going on, like seeing what they are finally doing with the Permeo technology. Shocker, they are now in the SSL VPN appliance game. And none too soon, since there aren't any other players in that space. The "so what?" is an executable downloaded to any machine that connects to the VPN to provide tighter control over what applications are used and to prevent malware on the endpoint. Hmm. We are starting to see NAC vendors doing the same thing (having an agent to do more sophisticated endpoint control), so once again we are seeing the functionality in these two spaces overlap. Blue Coat does have a good channel and a pretty sizable customer base, but I just don't see them making even a ripple in the SSL VPN space. In other Blue Coat news, they also announced that MXLogic would be using their stuff as the basis for a managed service (here). Let's just say I've seen this movie before and building a service requires a different architecture - not just stacking a number of boxes on each other.
http://www.networkworld.com/news/2006/100206-blue-coat-ssl-vpn.html

McAfee jumps on the anti-MSFT bandwagon
So what? - Just when I thought it was only Symantec that was wringing their hands and wasting time complaining to the EU authorities about big, bad Microsoft, McAfee takes out a full page ad in the Financial Times to voice the same concerns. McAfee also publishes a propaganda piece here about how Vista "increases" security risk. This is a bandwagon, folks, and for 100% of end users this is just ridiculous vendor sniping. So let's play this out. The EU gets involved and slaps MSFT's wrists (again). Maybe they even make them write a big check. Big deal. And this is maybe in 2008. Maybe. So when it's time to renew your desktop AV suite, stay focused on what is important to you. It's probably price and maybe manageability. Maybe inertia is high in your shop, so you just renew whatever you are using (like a majority of the folks already out there). But don't let any of this stuff weigh on your product decision. It's a non-factor. Let these vendors spend time in Brussels getting their ya-yas.
http://news.yahoo.com/s/zd/20061002/tc_zd/190131

Vista is the security release
So what? - Speaking of Vista, it seems that end users are really building up the security capabilities of the new OS. InformationWeek surveyed a bunch of end users and far and away security was the most interesting aspect. That's both good and bad. Good because customers understand the status quo is no good, they are vulnerable and they want answers. They think Vista is an answer. Bad because it's not a silver bullet and Microsoft may be setting expectations to a place where they can't be successful. Additionally, when customers get the price tag of the upgrade (including new hardware, etc.) it's going to be easy to defer. Yup, you heard it here first. The upgrade to Vista will take longer than most anticipate, we're talking 2-4 years now. When security is the driving force, it drops to the bottom of the list when money gets tight. You don't want to spend a lot on insurance, especially when it's an unknown quantity. The only way this is a positive for MSFT is if it turns out Vista security actually helps, DEMONSTRABLY. Short of that (and it's hard to envision), it'll be a long slog towards Vista-land.
http://www.informationweek.com/blog/main/archives/2006/09/security_to_dri.html

The use case for disappearing email is?
So what? - I did a bit of a DEMO round-up last week and was unimpressed with the security stuff I saw introduced at the conference. But one offering made me want to puke. It's from a company called VaporStream and without being Chicken Little here, this type of disappearing email could become a bad guy's best friend. If you are corporate security folks, logs are your friends. Archives are good. Sure there is a bit of Big Brother going on, but it's your data and your systems and ultimately your business, so you can pretty much do what you want. And if something goes down, you want to be able to figure out what it was (forensically) and make sure it doesn't happen again. So how these folks are positioning this disappearing stuff as for "informal communications" is the wrong answer. The example use case is setting up a lunch meeting on personal time. I'm not sure I care if Big Brother figures out I want to grab a burrito with a buddy on Tuesday. This is another reason you need application control on the desktop and web filtering on the gateway to make sure your employees can't make your intellectual property disappear.
http://money.cnn.com/2006/09/26/technology/pluggedin_boyle.fortune/index.htm

Top Blog Postings

Leaks are broader than email
At the risk of sounding like Stiennon, let me point out that leak prevention is important. This post on the ITportal highlights the point by referring to an Aberdeen study. Is Aberdeen still doing security research? Evidently the "researchers" (yes, I'm being kind) were paid by a messaging security vendor to figure out how many folks are checking their outbound mail. Predictably, it's not enough. But there is a bigger point here. Email is only one of MANY ways that folks can get information out of your organization. And having to manage multiple points of egress with different products and policies doesn't make sense. So if you've got an email gateway that can do outbound checking and you don't have anything else, by all means turn it on. It'll suck for a few weeks while you figure out how to tune it (it's like the early days of spam), but it's a start. To be clear, it's not the long term answer. You need a broader leak prevention offering that will encompass all of the protocols. Until that category gets subsumed into the other gateway/UTM offerings anyway.
http://securityblog.itproportal.com/?p=500

Poke the Mogull - he dares you
I've got to hand it to Rich Mogull. He's got some cojones. There is no way I'd be inviting anyone to intentionally compromise my data. Not that they couldn't do it and not that they wouldn't try - but to challenge folks to "invade my privacy"? No thanks. Of course, Rich puts some rules in place, like no pretexting, and would like the challengers to not post anything that could be used for identity theft. Unfortunately, in the real world - there are no rules. I learned that in my younger, pugilistic days - the hard way. It's about getting your objective. Whether it's getting out of the bar scrape in one piece or compromising someone's data - the unfortunate truth is it's the end result that counts. So I'm cool teaching kids the rule about "it's not whether you win or lose, it's how you play the game," just make sure you tell them the truth when they are old enough to understand how the world really works. And to relate it back to information protection - do not make the mistake of assuming the bad guys won't do bad things.
http://securosis.com/2006/09/28/the-official-securosis-invade-my-privacy-challenge/

Hardening your OS - Monkey-style
In this post, the Security Monkey provides some pragmatic, tactical advice for someone looking to lock down their OS. Running tools like Nessus and patching stuff up are a good first start. Eliminating unneeded services is also a good bet. Anti-malware and AV, yep. There are a bunch of vulnerability management tools that can check against a "policy" like the SANS Top 20 or a NIST list of bad things. If you have the money, that's cool. Or you can hire a pro to do it (maybe like Security Monkey) ONCE, and then just save the image. When you bring a new machine online, you use the secure image and then go about your business. But keep in mind that this only gives you a base to work from. If you add insecure stuff on top, you got it - you're exposed. So an ongoing process to ensure your protection is adequate (involving both tools and people) is something you cannot overlook.
http://blogs.ittoolbox.com/security/investigator/archives/guides-securing-hosts-11976
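To make the "save the image, then keep checking" advice concrete, here is an added example of my own (not code from the Security Monkey post or from this page): a small Python drift check that compares the listening services recorded when the hardened image was saved against a later snapshot of the same host, and checks that snapshot against a build policy. The two `ss -ltnp`-style snapshots and the `BUILD_POLICY` allowlist are constructed for the example; on a real host you would feed it the saved baseline and fresh `ss` output from a scheduled job.

```python
"""Drift check for a hardened host image.

Added example (not code from the Security Monkey post or from this page):
compares the listening services recorded when the "secure image" was built
against a later snapshot, and checks the snapshot against a small build
policy. Both snapshots below are constructed `ss -ltnp`-style output, not
captures from a real host.
"""
from __future__ import annotations

import re
from typing import Dict, List, Set, Tuple, NamedTuple


class Listener(NamedTuple):
    """One listening TCP socket: bind address, port and owning process."""
    addr: str
    port: int
    process: str


# Pulls the process name out of the Process column of `ss -ltnp` output,
# e.g. users:(("sshd",pid=812,fd=3)) -> sshd
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss_listeners(text: str) -> Set[Listener]:
    """Parse `ss -ltnp`-style output into a set of Listener records."""
    listeners: Set[Listener] = set()
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # "[::]:22" -> "[::]", "22"
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"   # "?" when the owner is unknown
        listeners.add(Listener(addr.strip("[]"), int(port), process))
    return listeners


def port_process_view(listeners: Set[Listener]) -> Set[Tuple[int, str]]:
    """Collapse IPv4/IPv6 duplicates: for drift, (port, process) is what matters."""
    return {(l.port, l.process) for l in listeners}


def drift(baseline: Set[Listener], current: Set[Listener]) -> Dict[str, list]:
    """Services that appeared since the image was built, and ones that vanished."""
    before, now = port_process_view(baseline), port_process_view(current)
    return {"new": sorted(now - before), "missing": sorted(before - now)}


def policy_violations(current: Set[Listener], allowed: Dict[int, str]) -> List[Tuple[int, str]]:
    """Listeners the build policy does not permit: an unknown port, or the
    wrong process sitting on a permitted port."""
    bad = {(l.port, l.process) for l in current if allowed.get(l.port) != l.process}
    return sorted(bad)


# Constructed sample: the state captured when the hardened image was saved.
BASELINE_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed sample: the same host later, after "insecure stuff" was added
# on top of the image (a database exposed on all interfaces, and a print daemon).
CURRENT_SNAPSHOT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      4096   0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1510,fd=21))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=703,fd=7))
"""

# Hypothetical build policy: the only listener the image is allowed to expose.
BUILD_POLICY: Dict[int, str] = {22: "sshd"}


def audit(baseline_text: str = BASELINE_SNAPSHOT,
          current_text: str = CURRENT_SNAPSHOT,
          allowed: Dict[int, str] = BUILD_POLICY) -> Dict[str, list]:
    """Run both checks and return a report a scheduled job could act on."""
    baseline = parse_ss_listeners(baseline_text)
    current = parse_ss_listeners(current_text)
    report = drift(baseline, current)
    report["violations"] = policy_violations(current, allowed)
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The drift report tells you what changed since the image was cut; the policy check tells you what should not be there regardless of history, which is the part that catches a machine that was never imaged from the baseline in the first place. Both are cheap enough to run from cron, and the point of the page's advice is that you keep running them.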

Guarantees are not worth the paper they are written on
A while back I took Entrust to task for what I deemed a ridiculous guarantee on FFIEC compliance (here). Now CA is at the same game relative to their desktop AV suite. Clearly this is marketing and clearly it's going to be very hard for users to collect, but I actually think this is a decent move for CA. Why? Because of shelf space and consumer distribution. If you put a big gold sticker on your box saying it's GUARANTEED up to $1,500, it will stand out on the shelf. If your catalog vendors highlight this prominently, it increases your visibility. They'll likely never have to pay out on the guarantee and it will make their bland packaging stand out next to the Big Yellow on the CompUSA shelf. That is until the rest of the lemmings follow suit. Will it increase market share for CA? Of course not. But it may keep them level as Microsoft takes their piece of the market. And I think this will be more effective than crying to the EU about Microsoft.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/ca_warranty_on_.html

Recently on the Security Incite Rants Blog

Who cares about NAC standards?
I'm not a big fan of standards, never have been. But this whole discussion and resulting angst about NAC standards is annoying me. So I rant a bit about why NAC standards don't matter, why Cisco has no incentive to play along and ultimately why no one (not even customers) is going to be able to force their hand to move towards any kind of standard until the NAC market has already shaken out. It's just the way of the world. You can accept it and plan accordingly, or you can fight it and make yourself nuts.
http://securityincite.com/blog/mike-rothman/who-cares-about-nac-standards

Access is Access is Access
During one of my public speaking engagements on NAC, one of the attendees asked me a very interesting question about how NAC and SSL VPNs come together over time. The answer I think is pretty important because over time, there is no reason why a security administrator should draw a distinction between access on the internal network and access to get onto the internal network. A consistent set of policies should be in place and enforced. Easy, no? Well, not if you are an SSL VPN gateway that wasn't designed to handle multi-gigabit speeds. Those boxes need a brain transplant to get there, but we'll continue to see a lot of overlap between these two markets.
http://securityincite.com/blog/mike-rothman/access-is-access-is-access

Read Friday's Daily Incite
http://securityincite.com/TDI-2006-09-29

Submitted by Amrit (not verified) on Tue, 2006-10-03 08:41.

Looks like you have Mogull's privacy challenge linking to my blog. I have met Rich Mogull and I, Sir, am no Rich Mogull. I also wouldn't be sending out random challenges to the community lest folks do things like deface websites on my behalf...

"Most cyberattacks could be avoided if companies paid closer attention to IT security and learned from past mistakes. That's the message conveyed by Gartner research director Richard Mogull in a security report published last week that quickly got the attention of two hackers who call themselves the Deceptive Duo. The pair, who've spent the past two weeks breaking into government and other critical infrastructure networks and defacing Web sites in the name of "national security," promptly set about defacing a Gartner Web site maintained by an Australian hosting company."

Submitted by Mike Rothman on Tue, 2006-10-03 08:54.

Thanks for pointing out the faulty link. I guess one of my first actions in this New Year is to fire my QA team. They aren't getting it done.

Submitted by Kermit (not verified) on Tue, 2006-10-03 11:01.

I don't much like it, but 'mobile device friendly' could be about the ability to show up clearly on tiny screens without taking up a quarter of the available real estate. The new one could be shown with fewer pixels.
