The Daily Incite - October 24, 2006
October 24, 2006 - #141
Good Morning:
It must be Awards Tuesday, since I am giving out two awards on this fine sunny morning here at Incite Central. First, the "Rip Van Winkle" award goes to SendMail, who has decided now is the right time to get into the email security business (here). This isn't the first time they've indicated this direction (and it seems every new management team has a different name for the products) and maybe they'll even get it over the finish line this time. Ouch. And the "No Shit Sherlock" award goes to McAfee, who are kind enough to inform us that bots are a threat to national security (here). Even better, the answer to the problem is IPS. Maybe I can do a Rip Van Winkle and when I wake up we won't continue to be bombarded with this stupid marketing.
Before heading off to blog-land, let me also highlight an interesting case study about how the Celtics fight spyware (here). It seems they subscribed to the "throw everything including the kitchen sink" approach to security. The more boxes, the better. I'm not one to quibble with success (or perceived success anyway), but maybe they could get by with less than 5 separate products? And who said security folks don't spend money like drunken sailors?
In blog-land, Ross Brown decides AAC is not about how iTunes rips music anymore, but rather "application access control" here. Yes, I hate acronyms, but Ross does a good job of trying to categorize a number of distinct product functions. I also want to congratulate Martin McKeay, who is now officially an influence peddler after having been wined and dined by Symantec (here). Actually, it was probably more like a flight and a turkey sandwich while chatting with some of the Big Yellow's big-brained security researchers, but nonetheless there is plenty of time for Smith and Wollensky now that Martin has joined the club.
Have a great day.
Top Security News
Microsoft pokes the entire industry
So what? - Microsoft is on the offensive, and I think that's a good thing. In an RSA Europe keynote, Ben Fathi pretty much pokes at all the detractors and says the entire industry must start to think differently to make any progress on security. He also defends the PatchGuard approach and revisits the trust ecosystem concept that was originally presented at RSA back in February. Interestingly, Microsoft is extending an olive branch, maintaining they can't do it alone, while poking many of their detractors. That's good stuff. In product news, Windows Defender is generally available and they also formally announced a new PKI certificate manager. But more to the point, Microsoft is evolving their security capabilities. Of course, it'll never be enough, which is why there will continue to be a security market that is not Microsoft. BUT, it requires existing vendors to continue to innovate and fill the gaps, as opposed to crying anti-trust.
http://biz.yahoo.com/prnews/061024/sftu051.html?.v=75
Just what we need - MORE email security vendors
So what? - Honest to God, I'm at a loss when I see two new vendors get into the email security business now. That is just shocking to me. I can understand bigger vendors with established channels acquiring some technology, because email security is a universal problem and a substantial market for those with good channels. But seeing SendMail look to get into the email security business at this point in time earns them today's "Rip Van Winkle" award. Guys, how was that multi-year slumber? Fact is, SendMail could have been a player in the space if they had their act together 4 years ago. With their installed base of MTAs, it would have been a logical jump for companies to just add the email security capabilities. But the email security market is saturated. The big deals are all upgrades and replacements. Very little, if any, greenfield of size. And if I'm replacing something I hate, why would I pick SendMail, which is unproven in this space? Just because I use their MTA? Not likely. Sure, there are lots of little customers that need something, but many of them will go to a service (or buy it as part of their bandwidth or hosted email). Speaking of services, Declude is now offering a service based on their gateway as well (here). Doesn't seem to be anything groundbreaking there, either in terms of technology or channels/distribution. So ho hum. Maybe I'm missing something, but what is the likelihood of real success for someone entering a mature market at this point without some type of innovation that will stand out? I guess it gets back to your definition of success.
http://www.networkworld.com/news/2006/102306-sendmail-messaging-security.html
Botnets are a risk - Duh!
So what? - McAfee gets the "No Shit Sherlock" award today for a Chicken Little release on how botnets are a risk to national security. And?!?!? We all know that pretty much most of the bad stuff that happens out there is attacks launched via zombies. Spam, denial of service, malware propagation, etc. all lie at the feet of the great zombie master in the sky. So what? I'm looking for answers, not the obvious. And McAfee presents no answers in the release, so let me check out the linked white paper (here). OH, it's about an IPS. So the answer to solving botnets is for folks to deploy McAfee's IPS. Give me a friggin' break. Jeez, if it was that easy every company would just buy a big honkin' IPS and they'd be done with it, no? I hate this "turnip truck" marketing. If you are going to align with a big problem like zombies, at least bring forward a broad and realistic solution. Or address the cultural issues in blocking traffic from unknowing consumers. It's not like these guys don't have a number of things in their bag that can help, but to broadly say IPS is the answer is pretty insulting.
http://biz.yahoo.com/prnews/061024/sftu084.html?.v=77
How many vendors make the parquet floor?
So what? - I enjoy reading case studies; I wish big media would do more of them. Far more valuable than the useless coverage of Refriger-oven 2.0 from some vendor I've never heard of. Like this case study about how the Boston Celtics organization battles spyware. First, it's clear that user education/training is a key part of the program. Bravo. But I'm a bit shocked at the sheer number of solutions these folks use. A spyware gateway from Mi5 (who?), but also SurfControl, Trend, SonicWALL and Aladdin for other pieces of the puzzle. Wow, that's 5 different products with 5 different consoles. I get layers, but that seems a bit excessive. But who knows? At the end of the day, this guy claims to have eliminated the problem and that's what's important. You can't have too much security (though you may struggle with diminishing returns), but you can certainly have too little.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1226004,00.html
Data breaches more expensive - just ask the guys that protect them
So what? - More survey mayhem today. Looks like Ponemon is back at it (he seems to have built a pretty good business manufacturing these wacky numbers), with an update to his 2005 numbers on what data breaches are costing enterprises. Evidently it now costs $182 to fix a compromised client, up from $132 last year. I'm sure there is some "methodology" behind how these numbers were derived, but ultimately it doesn't matter. If your senior executives will only do the right thing and put proper protections in place because they see a $182/client number, then either you are doing something wrong in selling security or they just don't get it. If it's the former, I can help you with that. If it's the latter, dust off your resume and find a place where you can be successful.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193401492
Top Blog Postings
Eek, here comes AAC
I hate acronyms. But it seems here in tech-land we are sentenced to call whatever we are talking about by a 3-letter acronym. Ross Brown provides some food for thought relative to desktop/endpoint security and how "application access control" (AAC) will play. Ross shouldn't be surprised to get a cease and desist letter from Apple, given their digitized music format is also called AAC. But he does a good job of categorizing 4 different types of AAC that are going to be a factor, maybe. I like the white/black list approach best because it's here today and it helps (at the risk of being politically correct). The idea of application virtualization and providing tighter security on a Citrix or VMware infrastructure accessed remotely is also interesting. Not sure about application delivery, though I guess having some way to ensure you are interacting with the application and you are authorized to get there is important. And finally, application functionality parsing is a pipe dream. I tried to build a company to abstract security within some of these packaged applications; there is no leverage there. None. I guess if you are just talking about simple stuff like printing, fine. But that's not interesting to most customers, who want to be able to govern modules and usage of the specific applications. And it needs to be multi-platform, since shutting down Windows printing doesn't help much if you use a Mac. But I'm nit-picking here. Thanks to Ross for at least trying to categorize a bunch of these seemingly disparate technologies.
http://technobabylon.typepad.com/tb/2006/10/application_acc.html
Turn off that wireless card
The Mogull provides yet another good reason to turn off your wireless card unless you are actually using it. His ideas come from where Metasploit is going and how they are going to institutionalize transitioning kernel mode exploits to control of your user session. This makes your wireless card close to easy vector #1 to own you. I've been shutting mine down since Black Hat because I had Matasano's Dino Dai Zovi walk me through how he can own pretty much any machine in about 2 minutes by putting up a compromised access point. The point remains the same: part of user training must be to turn off the wireless card when they are not actively connected to a wireless network.
http://securosis.com/2006/10/21/its-time-to-turn-off-wifi-and-bluetooth-when-not-in-use-mac-or-pc/
Congrats to Martin, welcome to influence land
It's so cute to see a newbie get his first all-expenses-paid vendor show and tell. Martin McKeay had Symantec fly him down to Norton Central to meet and hobnob with the security research team and some other folks. These days can be fun, and even if Martin didn't agree to post something, I think everyone knew that he would. But good for Symantec, for realizing the reach that a blogger like Martin has and the fact that he would be writing stuff. I liken this assessment to a tourist seeing a beautiful place for the first time. You are taken in by the sights and don't really look at anything with a critical eye. But it's all good; as Martin gets more comfortable sharing his opinions (both good and bad) and vendors increasingly figure out how to deal with blogger-types (are they analysts? sort of. how is it best to interact with them?), we'll all benefit from more perspective.
http://www.computerworld.com/blogs/node/3791
Club Fed roomies
How cool would a reality show be about Ebbers, Skilling, Fastow, Kozlowski and Rigas getting along in the pen? Who's taking Bernie in the best jailhouse tat contest? I'm with Amrit here, in that I'm not shedding any tears about Skilling getting 24 years in the big house. Maybe he'll die there. Serves him right, as now lots of folks will be serving McDonald's coffee so they can pay for their prescription medication when they should have been enjoying their pension. But being a bit more circumspect about the entire thing, what drives guys who are rich beyond anyone's wildest dreams to break the rules for a few more shekels? I've heard the words about "keeping score" and "competing," but they ring hollow. What fun is winning if you have to break the rules to do it? I guess that's why I'll never be ultra-wealthy; I just don't get it.
http://techbuddha.wordpress.com/2006/10/24/white-collar-smack-down/

Hey Mike,
Not to pick nits, but I never used the acronym "AAC" in my post - I hate TLAs with a passion and, given that bits are free and jargon is a wall to exclude folks from conversation, I don't use them. It's laziness taken to a near corporeal form to use acronyms, especially online and not in a conversation where you actually have time constraints.
On to substance - I agree, generally, with your thoughts on application parsing; I think it becomes a relevant tool when two things happen - you can do it to more than Windows system calls (otherwise, it's a neat trick and not a tool, as you can't parse locally cached Ajax or other application models) and when it can be dynamically changed based on location. But some folks are doing it, so for completeness, it's there.
The application delivery stuff is a growing category, especially for web applications. It's more an intersection of networking and security than pure play security, but it's there. I didn't include some things that could be argued to be part of an application, like database security, only because it's not part of the application interface, but the storage. My thesis was about "stuff that secures the thing that users interact with", not the whole stack (for brevity's sake, not that it isn't important).
RB
I could have sworn I saw AAC in the post, but I'll take the heat for adding yet another acronym. You're in the clear. I guess I should be expecting that cease and desist order, eh?
Relative to database security and lots of other application related things that need to happen, I just use the big bucket of information/data security. That encompasses much of what you wrote (though not really the core endpoint stuff) and also encryption, persistent control of data, and some other goodies that are emerging to help control data and protect private information.