The Daily Incite - October 18, 2006

Submitted by Mike Rothman on Wed, 2006-10-18 08:31.
Today's Daily Incite

October 18, 2006 - #137

Good Morning:
Interesting day today. There seemed to be a lot of news, but it was kind of an effort to get a list assembled that made sense. I think I did OK, but tell me if I didn't. That's the kind of feedback I need, though I do appreciate all of the positive feedback I get as well. In the news clips, I'm kind of confused (which happens more than I like to admit) as to why some of the alleged white hats would release technology to cloak exploits (here). I know that they do this to cajole vendors into making better products, but this would seem to be giving stealth technology to terrorists. But maybe I'm wrong. I'll also point to some strategic confusion on the part of Cisco. They announced their re-branded Meetinghouse client yesterday (here) and now it's not clear when I'd use this thing vs. a CSA or a CTA.

In blog-land, Ross Brown figures pretty much every security company will be oil for the next generation of technology (here). Ross is right on relative to the disappointing level of integration in most security "suites," but given the inertia in the mature security markets - it's hard to see this happening anytime soon. But I guess the dinosaurs never saw it coming either. And finally, I was pointed to a good post on competition and differentiation (here) and it got me thinking about how hard it is to have any type of "durable" advantage in technology anymore.

Have a great day.


Top Security News

Cloaking exploits
So what? - I'm at a bit of a loss about this article. I understand the need to put tools out there that find vulnerabilities and exploits. I understand the research benefit of proving things like the "Blue Pill." But help me understand the benefit of technology that cloaks the exploits, so they can bypass the defenses on a machine? This I don't get. But it's out there, so what do we do? Basically, application control (or some wacky derivation of HIPS) is no longer an option. Your AV will get a lot of stuff that you already know about, but not everything. So you need additional layers running on those endpoint devices.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193303384


Eat Microsoft's privacy dog food
So what? - My last NetworkWorld column was about how Cisco has consistently used their own experiences and processes for tremendous marketing effect. Looks like someone at Microsoft was listening. My head's not too big now is it? Here Microsoft is starting to talk about what they do internally for privacy. They are a very big company, so I imagine a lot of other big companies can learn from this. The document will hit on Thursday, and we'll see how much there is there. But I suspect we'll start hearing from people like EMC relative to how they run their own storage environment before long. Maybe this is Poster Child Marketing 2.0 - where you are your own poster child.
http://biz.yahoo.com/ap/061016/microsoft_privacy.html?.v=8

Cisco goes to a client meetinghouse
So what? - In what seemed like a pretty short time, Cisco has re-badged their acquired Meetinghouse 802.1X supplicant client code as the Cisco Security Services Client 4.0. Yes, I'm a fan of descriptive naming - but Cisco takes descriptive naming to new heights. Guess it doesn't take too long to replace the logo on the splash screen. But this leaves a bit of uncertainty about what Cisco's real client strategy is. First they went to push the CSA (with the Okena HIPS technology in there) out widely. I suspect you have a lot of CSA keeping shelves all over the world very warm and dust-free. Then they partnered up with McAfee and Symantec (and Trend, I think) to distribute the CTA (which is CSA without Okena), so they could push the C-NAC Framework internally. And now they have an 802.1X supplicant - which does most of the stuff of the CTA, no? So I'm pretty confused; maybe Cisco will be kind enough to clarify their client strategy at some point for all of us.
http://newsroom.cisco.com/dlls/2006/prod_101706.html

Cloudmark jumps into the anti-zombie game
So what? - The next forefront in the emerging security category game is technology aimed to help service providers stop zombie attacks. We've seen Trend announce some technology and a few start-ups (Simplicita and StreamShield) get into this game. Now Cloudmark has repackaged their sender reputation intelligence technology as a salve to the service providers that are constantly subjected to zombies. This market already feels crowded to me, given there are about 150 service providers of size, that doesn't leave a huge market and many of the big folks (except Trend) haven't jumped on. And it may turn out that the anomaly detection capabilities that many SPs have deployed (from folks like Arbor) may actually solve the problem. But I don't get the feel that figuring out which machines are zombies is the problem. It's figuring out what to do with them. Much bigger problem. 
http://www.cloudmark.com/press/releases/?release=2006-10-17-01


Get your security boxes monthly
So what? - In what was a pretty innovative packaging move, Red Seal announced a monthly fee to use their configuration security appliance. No, I can't bear to call it security risk management. I just hate that term. But for many customers, this could be an interesting way to buy something. The accountants may balk because it kind of munges with capex vs. opex categorizations, but ultimately it's about cash flow for any company that wants to keep the lights on. This also is good for Red Seal because it levels out their revenue stream (presuming there is a revenue stream) and gets them out of the end of quarter blues. We'll see if the model takes off, or whether customers that have a monthly payment mindset would just buy everything as a managed service.
http://www.redseal.net/news/index.html#monthlypricing

Top Blog Postings

Dinosaur 2.0 is security?
Ross Brown has an interesting post here about what integration really means. To date, most of the integration as a result of security acquisitions has been at "veneer" level - meaning in the interface. If that much. But when you start hearing about how these AV suites just kill the performance on a typical PC, you wonder if this "integration" hasn't gotten out of control. So Ross says the answer is true integration (he posted on what that means within the context of zero days and his products here), and the folks that can't do that will be destined to mass extinction like the dinosaurs. I agree with him, customers are pissed. But they can't say no. Maybe the users out there are Addict 2.0 because you can't leave yourself exposed because you are pissed at your security vendor. In any case, the timeframe for extinction is long. Inertia is very strong, especially for desktop stuff - so the AV folks still have years to fix it - even if a disruptive technology appears.
http://technobabylon.typepad.com/tb/2006/10/mass_extinction.html

Cisco patents air
Well not really air, but in the networking space - it may as well be. Thanks to Shimel for pointing out Cisco's recently awarded patent for putting voice, video and data on a single network. I'm not a patent lawyer, but it would seem that every company would infringe on that. The real question isn't so much about how Cisco gets a patent like that. Clearly the patent system here in the US is broken. But whether Cisco would choose to enforce it. And if so, how and against whom. It would be the carriers (as Alan surmises a bit) because they pay Cisco billions each year. But it could be anyone else providing equipment for a triple play service. So Nortel and Alcatel/Lucent could be exposed. Or more likely Cisco will do nothing with it, but remind their competitors every now and again that they could use it.  
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/10/more_patent_cra.html

Trust no one
Amrit rants a bit about the fact that users don't trust vendors because vendors behave badly. I can already hear Shimel screaming in my ear about the fact that many users behave badly as well. The IT business has become such a "game" that no one trusts anyone anywhere anymore. It's sad, but it ain't changing. I guess all we can do is act ethically on our own accord and be suspect of everyone else. Over time, we could restore trust - but it's going to be hard when every market is overcrowded, chasing the same dollars from the same customers for products they may not even need. I'm sure the trust factors mentioned by Stephen Covey are wonderful and can be applied, but not when there is a fundamental breakdown at all parts of the system. Basically you probably need to just blow everything up and start over again. I'll trust you folks to take care of that.
http://techbuddha.wordpress.com/2006/10/17/the-economy-of-trust/

Differentiate or die
Thanks to both Anton and Mike Murray (here) for pointing me towards this post from Michael Shrivathsan regarding competitive differentiation. Like Amrit, I sit through many presentations each month, and most vendors I talk to have shockingly little differentiation. That's one of the key problems with the technology space (and why Warren Buffett wouldn't touch it with Bill Gates' money). Even if you have differentiation, it's gone in a product cycle. Maybe a year or 18 months tops. And there have never really been any long lasting brands built in technology to elicit loyalty like Coke. The lack of differentiation breeds a distinct lack of loyalty which makes competing in tech-land pretty brutal every day. I do agree with Michael's summary, success in technology is all about differentiation. I just am skeptical that any company can innovate consistently enough for long enough to really provide a "durable advantage."
http://michael.hightechproductmanagement.com/2006/03/got_competitive_differentiatio.html

Recently on the Security Incite Rants Blog

Another appearance on Shimel and Ashley's podcast
Alan and Mitchell were kind enough to invite me for another guest appearance on their podcast. We had a great time and discussed some topics like Symantec and McAfee's new strategies and the zero day attack space.
http://securityincite.com/blog/mike-rothman/appearance-on-shimel-and-ashleys-podcast

Read Tuesday's Daily Incite

http://securityincite.com/TDI-2006-10-17

Submitted by alan shimel (not verified) on Wed, 2006-10-18 15:51.
Mike - surprisingly I agree with the techbuddha piece. In fact I took those 13 principles that were from Covey's book and sent them to my sales team. I think trust can be won over time by following the kinds of things outlined in that article. Now of course it takes two to tango and if a customer is not truthful or upfront with you, you are going to have mismatched expectations. But if you try to follow the right path, it will put you ahead every time.
