The Daily Incite - October 10, 2006

Submitted by Mike Rothman on Tue, 2006-10-10 08:56.
Today's Daily Incite

October 10, 2006 - #133

Good Morning:
Enough about Google and YouTube. I'm GooTube'd out. Congrats are in order, creating $1.65 Billion in value over 18 months is impressive. Personally I think Google got a bargain, like Cramer (here). Video is the next wave on the Internet and advertising will monetize it. The combination is impressive, as no one has done a better job at monetizing content than Google. But do I think this is vindication of the VC funding model, which I question in one of yesterday's rants (here)? No. For every YouTube success, there are thousands of bad ideas, fire sales, and flame-outs. 

In security-land, there was a bunch of news, but not much that was interesting. Maybe it's one of those days for me. If you are interested in NAC, check out what Network Computing has to say (here). Now that I no longer have to worry about annoying NetworkWorld, I can say this is a good treatment of the topic. And if you are interested in database encryption, there is a good tip (here) in SearchSecurity. By the way, nothing really good in NetworkWorld on security this week. HA!

There was more interesting stuff in blog-land. Check out Gunnar as he starts to grapple with the impact of decentralized data (here). This is really going to screw up what we thought we knew about security architectures and I don't get the feeling that most people appreciate it yet. They will and it will hurt. I'll also mention some career advice to Andy ITGuy (here). Don't get pissed that there are a bunch of morons configuring pretty important equipment out there. Be happy. It'll make you look good.

Have a great day. Busy busy today trying to clear the decks for my upcoming vacation, so don't expect too much blogging today. You'll get TDI early tomorrow (my chariot picks me up at 8 AM ET tomorrow) and there will be no TDI Thursday or Friday.


Top Security News

NWC on NAC
So what? - Guys like me have new competition. It's the more technically oriented trade pubs like Network Computing, who are now getting into the for-pay research report business. I'll do a post on that later today, but you can benefit from these guys' marketing approach, which is to give away a bit of the content to generate demand for the report. This focus on NAC in Network Computing is pretty good. It's still interesting to see Fratto spend the first half of the article on the NAC frameworks. They justify this because their user survey said that standards are important. Of course users are going to say standards are important. But I maintain they don't care enough not to buy. Fratto does do a good job of laying out how NAC will work in your environment and also profiling some of the vendors. Most interesting is his dumping on DHCP and ARP poisoning as legitimate NAC enforcement mechanisms. And he's right, these are tools in the bag - but not sufficient to solve the entire problem.
http://www.networkcomputing.com/showArticle.jhtml?queryText=&articleID=193101592


Good primer on database security
So what? - Kudos to James Foster for a well done primer on database encryption in this SearchSecurity tip. He goes through understanding the difference between communication encryption and field level encryption. He also briefly discusses some of the algorithms available and some tips to make sure you don't crush the performance of your database. Most of all, his point is to really think about how much database security you need: "There are no shortcuts. Hastily implementing database encryption simply to comply or assuming it alone will make your data secure will cost extra time, money, manpower and brain power better spent elsewhere."
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1219561,00.html

Outsourcing outbound mail filtering
So what? - The email security business has been about more than stopping spam for a while. With the advent of the recognition that insiders are in fact a threat, many companies have been looking to scrutinize their outbound email traffic to stop private data and intellectual property from leaving the enterprise. Proofpoint and CipherTrust (now Secure Computing) were most aggressive in driving this outbound capability and other vendors lagged a bit (in functionality, but not marketing slides). Reconnex is positioning themselves as the answer to these inbound-focused mail security players to help them gain parity without having to build their own filtering engines (which is hard). It's no surprise that the first 3 vendors integrating with Reconnex - Barracuda, IronPort, and SendMail - are known to have the weakest outbound story. I think this is a good move for Reconnex because people are paying money right now to filter outbound mail (while it's debatable as to how much is being spent on leak prevention) and they are diversifying their channels.
http://www.reconnex.net/news/articles/pr_10.09.06.asp

Real World UTM
So what? - I always find it interesting when vendors are asked to write selection criteria for tech magazines. Do you think there is a correlation between the vendor's positioning and the resultant selection criteria? Hmm. Usually there is, but in this week's Enterprise Systems Journal, a chap from Check Point goes through his three requirements for UTM. I'm not sure they align. He thinks best of breed components, integration between components, and integration into the customer's technology environment are critical. Maybe I'm missing something, but with the exception of firewall/VPN, Check Point doesn't have best of breed. And besides using a common interface, what does component integration really mean? Obviously if you already use Check Point, then their flavor of UTM will be easy to integrate into your environment - so that one I get. This seems more like a pitch for Crossbeam than it does for them. I guess wonders will never cease.
http://www.esj.com/news/article.aspx?EditorialsID=2203


Deal: ExaProtect buys Solsoft
So what? - So Solsoft finally finds a partner. I've been hearing about these guys being on the block for what seems like close to a year. Management as a stand-alone entity is hard. Building a product to automate the management of a heterogeneous networking and security environment is really really hard. So it wasn't surprising that Solsoft never got much traction by themselves. But this does reinforce the trend of SEM vendors (of which ExaProtect is a European one - that I'd never heard of) getting into the remediation business. Solsoft does integrate with networking and security equipment and presumably merging the technologies allows the new ExaProtect to both track events and then remediate based on what they found. And I'm sure they didn't pay a lot.
http://www.exaprotect.com/press-en/ExaProtect-and-Solsoft-merger.jsp

Top Blog Postings

Trust no one
Tim Wilson is right. In this Dark Reading post, he makes the case for why security folks cannot afford to trust anyone. For a long time, we didn't have a choice because we didn't have the tools to make sure that the inside folks were doing the right thing. We were so busy fortifying the perimeter that we didn't have any choice but to ignore everything else. Now we've got technology to make sure that the right folks are getting to the right resources. We've got the ability to filter outbound content to make sure our intellectual property and private data are not going anywhere. And we've got compliance requirements that include disclosure provisions that make it very painful to screw up. So Tim's post talks about the ethics of many security folks, and those numbers are disturbing but not surprising. Let's just say that trust is a luxury we can't afford to do our jobs well, even if it means you eat lunch alone.
http://www.darkreading.com/blog.asp?blog_sectionid=327

Disappearing perimeter and new applications - we're screwed
This post and resulting discussion from Gunnar Peterson provide a lot of food for thought. He uses a decentralization vs. centralization metaphor to make the point that we are inextricably moving toward distributed data. SOA and web services guarantee that. That means the traditional centralize-and-apply-draconian-policies approach of many security practitioners is no longer valid. Oh boy. If you aren't following me, maybe this quote from the post will help: "The perimeter in an SOA is the document, not the network. The security model is defined by the security constructs in the document, not the network firewall." That kind of screws everything up, no? Gunnar goes into a bit more detail in a follow-up post (here) - but understanding the concept is critical. This is the case for why we need to separate out infrastructure security and data/information security. Right here. Read it and understand it.
http://1raindrop.typepad.com/1_raindrop/2006/10/decentralizatio.html

Andy - remember Darwin

Andy ITGuy is pretty bent out of shape about the sad state of DNS Server configuration amongst a raft of other mis-configured devices. Andy is right. The tightest and most secure products can be rendered useless with a pretty simple configuration error. But I view this as Darwin at work, as opposed to anything else. There are lazy folks and there are stupid folks. You should like these folks, as long as you don't have to manage them. These people will always take the path of least resistance and they will do the bare minimum to get through the day. They will screw things up. They will make the folks like us, that work hard and are diligent, look good. We need C-players because not everyone can be an A-player. And when the ax falls, you want to make sure it's the C-player that is under it, no? Darwin says these folks become extinct over time, and they do. You can run and get lucky, but not forever. I'm not making the case for mediocrity. I hate mediocrity. But mediocrity is a fact of life, so I may as well figure out how to prosper in this kind of environment. And so should you.
http://andyitguy.blogspot.com/2006/10/problem-with-it-and-security.html

Why Cramer is my hero
Everyone has a model. Someone who has traversed the path you are on. Someone who lives the values that you hold important. There aren't clones in this world (yet), so no one is going to match up 100% with what you aim to be. But this post by Fred Wilson reminded me why I need to study Jim Cramer more. Of course, he is bold, irreverent, outspoken and says what he believes when he believes it. Like this position yesterday on Google/YouTube, which is right on the money. He's OK being WRONG! But he's not OK letting other folks take weak positions. And he has FU money, so he's not worried about ruffling feathers because his mortgage is paid. I try to be like that. My loudmouth personality and love of intellectual debate make a lot of this pretty natural for me, but still. I'd be a lot less comfortable going down my path if someone like Cramer hadn't blazed the trail before me. He has proven that someone with an opinion can actually be successful in a media-oriented business. Yes, I'm working hard to make that FU money. And no, I'm not angling for a TV gig.
http://avc.blogs.com/a_vc/2006/10/jim_cramer_on_g.html

Recently on the Security Incite Rants Blog

Is the VC funding model broken?
Despite Sequoia's mammoth home run with YouTube, there is reason to wonder whether the traditional VC funding model still has legs. Sevin Rosen's decision to not raise another fund was the meme that got the discussion going - but it's a legitimate question and one that mega-funds need to grapple with. I'm of the opinion that small is good. Small capital requirements, small funds, modest exits. You grind it out and make a good living. Peter Lynch said "Get rich slowly" and I really believe that (especially since I failed at getting rich quickly).
http://securityincite.com/blog/mike-rothman/is-the-vc-funding-model-broken

Ray Noorda (1924 - 2006)
Ray Noorda was a pioneer and had a big hand in creating the networked economy that pays all of our bills. He died yesterday, so I wanted to say my piece about the impact Novell has had on my career and to remind everyone to remember the man that created the company that brought Local Area Networking to the masses. Not the guy that became one of the original pelts on Bill Gates' bedpost.
http://securityincite.com/blog/mike-rothman/ray-noorda-1924-2006

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-10-09