The Daily Incite - October 9, 2006
October 9, 2006 - #132
Good Morning:
Big Monday. Hope you enjoyed your weekend. Thanks to all that sent in their birthday well wishes. I had a great B-day and a nice weekend to boot. But now it's back to business. Don't have a lot of time this AM, so I'll be brief. The biggest news you are likely to hear this week is about the US Commerce Department hacks (here). It's another opportunity to vilify China and let the xenophobes strain their vocal cords. Oh joy. We also see an audacious goal for Symantec to get to $10 Billion in revenue (here). Fathers, chain your young ones to the fence post because the Big Yellow checkbook is coming to your town. That's the only way they get there.
In blog-land it was a pretty slow weekend, but Ed Moyle weighs in on the Symantec/McAfee vs. Microsoft battle (here) and George Ou highlights Google dipping their toes into the web filtering waters (here). I'm sure the SiteAdvisor folks are glad they took the money and ran. Probably to their own islands in the Caribbean.
Have a great day. And here's another reminder that there will be no TDI next Thursday or Friday. I'm going on vacation, so you'll have to make do without me for two days.
Top Security News
China 1, US 0
So what? - Looks like the xenophobia train is about to leave the hype station once again. After the Check Point/Sourcefire and Lenovo PC sale to the State Department debacles, it seems now China is sponsoring institutionalized hacking to compromise US machines. At a minimum, someone in China is performing denial of service attacks on the Commerce Department and compromising machines. Did anyone think that maybe you've got a high percentage of zombies coming out of China? That maybe (just maybe) other folks are masking their attacks on the US by routing them through China? Maybe I've been reading too many spy novels again, but I tend to think the Chinese are smarter than to do a full frontal assault from addresses very easily tracked back to them. Maybe I'm wrong, but maybe I'm not. What I'm not wrong about is the sorry state of US Government security, and this is after what's likely billions of dollars of investment. Now that is a big problem.
http://news.yahoo.com/s/cmp/20061007/tc_cmp/193105174
Selling security in the mid-market
So what? - It seems that it's hard to get mid-market folks to continue buying security. No kidding. These folks don't have the budget, time or expertise (for the most part) to have sophisticated security operations. So what's an IT manager, who knows they need to do something, supposed to do? This article on SearchSecurity does a pretty good job of at least highlighting some of the important stuff. Like talking the language of business, in terms of regulatory compliance and brand impact. Others use a message of insider threats. A few use penetration tests to make their point about how exposed the organization is. The problem is, there is no standard, repeatable methodology for CSOs to make their case, tell their story, and get the funding they need. Hmm. Seems like an interesting thing for someone to start working on. Ya think?
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1220179,00.html
Next stop for Big Yellow - $10 Billion
So what? - I love audacious goals. Ones that just make sane folks laugh and quota carrying reps shudder. I can imagine all of the Symantec reps breaking out their HP calculators and screaming "what do you mean my quota is now $100 million!" Obviously I jest and I do hand it to John Thompson for getting past the Veritas merger and at least paying lip service to the growth opportunities. Can they get there by 2010? Sure. Organically, probably not, given their cash cow (consumer AV) is under siege. So success will depend on what they buy and how well they integrate. You aren't going to get there by taking out WholeSecurity. They'll need to add revenue in $75-100 million increments and then drive double or triple that through their channels. Or they could get there in one fell swoop by buying something really big. But this is clearly a message to the market that SYMC is going to accelerate their use of the checkbook strategy.
http://news.yahoo.com/s/nm/20061008/bs_nm/symantec_targets_dc_1
Valuing security?
So what? - With the EMC/RSA deal behind him, looks like Art Coviello is hitting the road. This GCN article highlights some of Art's ideas relative to why security is reactionary and also some thoughts on how organizations can put a "value" on security. Given the Commerce Department news over the weekend (covered above), it's interesting stuff. Some good, some not so good. The good nuggets are to think about security in terms of risk and also that security is more about people and processes, not technology. But having security leadership being driven by the rank and file doesn't work. People on the front lines can certainly do the easy stuff and increase security awareness, but they can't invest in the defenses required without the support of the upper echelon. But it's good to see the process discussion being driven at all levels because it's important.
http://www.gcn.com/online/vol1_no1/42229-1.html
Deal: Arrow to Buy Alternative Technology
So what? - Not sure how many folks saw the Arrow acquisition of Alternative Technology, a specialty distributor of many security products. Or how many of you even care. You should. There is consolidation happening at all levels of the channel. From FishNet buying a national presence (here and here), now seeing fewer distribution options will impact choice. Is that bad? Not sure, but the really big security vendors like Cisco, Symantec, and McAfee will be able to start pushing more packaged offerings (including best of breed and not so best of breed stuff) down the throats of their distributors. Since crap rolls downhill, VARs will increasingly be pushed to take the packages to market as well, and as such customers will be buying them. Depending on your size and expertise, this is not a bad thing. But it's a thing and you should pay attention.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193104955
Top Blog Postings
More on Symantec and McAfee vs. Microsoft
I spent a decent amount of time last week spouting about how lame it was for Symantec and McAfee to be running off to Europe to complain about Microsoft's Vista. I got lots of support from folks with similar positions. Here is another one with a much more reasoned and technical bent from Ed Moyle. He does a great job of digging into what Symantec and McAfee are complaining about and comes to the same conclusion as most of us. Microsoft is acting not only fairly, but correctly in closing many of the undocumented kernel level hooks where today's generation of AV products do their magic. In a refreshing bout of truth, the folks over at Kaspersky validate this point (here). And they are both small and European - so they'd be able to make a good case if there was any truth to it.
http://www.securitycurve.com/blog/archives/000460.html
Google gets web filtering game
Well, not exactly, but it seems that based upon this George Ou post, Google is now informing users that they are navigating to known bad sites. I think this is great because most users (and consumers) are too dense and not equipped to protect themselves. Will this be annoying if you know what you are doing (like are a malware researcher)? You bet, but suck it up because this is good for everyone. Of course, you need to search via Google to access this stuff, but that's OK. Most folks do that. I also think this will impact the opportunity for products like SiteAdvisor (which is why it's not a stand-alone gig). How hard will it be for Google to add a color gradation on their widely used toolbar? Not too hard, I suspect. I don't see Google going after someone like ScanSafe, yet. But clearly Google wants to see all of your traffic, so they may be thinking about how they can do web filtering in their cloud and monetize that aggregated data.
http://blogs.zdnet.com/Ou/?p=340
Security is not today's "Quality is Job 1"
OK, the title is a bit deceiving here, but I wanted to revisit a post Mike Murray made last week relative to the death of the CISO and the rise of the Chief Risk Officer. Mike kindly refers to some of my ramblings in this follow-up post, but then tries to make an analogy between security today and the quality movement of the 80's and 90's. Hmm. Not sure it works because quality is definitely something that adds value to the product. It's certainly helpful that cars blow up far less frequently and my door closes on a high humidity day. That's a result of the auto makers' quality initiative. How does better security impact my experience with a product? Does it make it better? There are clearly two camps in the security ROI discussion. I'm much closer to the "there is none" camp that says security is a cost of doing business, not something that adds value to the experience or makes a product better.
http://episteme.ca/cblog/index.php?/archives/46-CISOs,-Quality-and-Enabling-Business.html
Anyone looking for an evangelist
It's nice to see some folks embrace what they really enjoy and what they are good at. It's also interesting to see folks somewhat prominent in the blogosphere basically asking for a new job via their bully pulpit. Martin McKeay is pretty thinly veiled in voicing his desire to eventually get a job as a security evangelist. I'm assuming this is for a vendor, since I'm not sure how many users need external security evangelists - though many could use internal evangelists. Personally, I think Martin would be a great addition to a vendor that is looking to leverage new media to accelerate their path to market. But most importantly, I hope Martin gets the opportunity sooner rather than later. Every day that you spend not doing what you know you love to do is a wasted day.
http://www.mckeay.net/secure/2006/10/being_an_evangelist.html
Recently on the Security Incite Rants Blog
Profiling analysts Forrester-style
I saw an interesting post about a new Forrester report that purported to categorize analysts into advocate, strategist and evangelist buckets. I was kind of stumped by that because I get that there is a cottage industry of helping AR folks understand analysts. But to have an analyst practicing this was strange to me. I also had a hard time getting their characterizations because I think good analysts need to be advocates, strategists and evangelists. But that's one analyst's opinion.
http://securityincite.com/blog/mike-rothman/profiling-analysts-forrester-style
A NAC for Open Source
There is a new alternative for NAC and it's open source. There was rejoicing in the streets. Actually, calling this NAC right now would be a little generous, it's more like device authentication and VLAN assignment - but you've got to start somewhere. And I also got an opportunity to poke Shimel a little bit, and he weighed in on the topic (here). I'm not surprised that he's not threatened and generally supportive of FreeNAC.
http://securityincite.com/blog/mike-rothman/a-nac-for-open-source
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-10-06


I ditched Symantec products long ago just because of how much they slowed down my system.
But check this out. Symantec gets caught with practicing its own anti-competitive policies. What hypocrisy.
(I posted more about this on my blog.)
http://www.theconvergingnetwork.com/2006/10/07_is_anticompetitive_for_nav.html
- Mitchell