The Daily Incite - November 7, 2006

Submitted by Mike Rothman on Tue, 2006-11-07 04:47.
Today's Daily Incite

November 7, 2006 - #151

Good Morning:
So it's out there. I've been a bit quiet on the blogging front and will be for most of November because I'm writing a book. The Pragmatic CSO will arrive on January 2, and I've got a lot of work to do to realize my vision of a thriving community based on a rational methodology that allows CSOs to think strategically while proving value to the powers that be. So I'll be cranking out TDI every day, but the rest of my time will be spent hammering out the book (and doing a bit of client work).

Happy Election Day. For us Americans, this is a wonderful day and a way to exercise the democratic rights that we fight so hard to protect. Farnum says it much better here. I'm traveling today, but in Georgia you can vote up to a week in advance, so I've already exercised my duty as a US citizen. How about you? On that theme, quite a few politicians will be looking for new jobs, so they should check out Mike Murray's advice here; it's good stuff for those forced into a career change.

In security-land, our pals at McAfee show that they plan to make up the $60 big (that's million for you non-playahs) they paid for SiteAdvisor $24.99 at a time (here). This feels stinky to me. Accept that your market is commoditized and use SiteAdvisor Plus as a value-add or as leverage to get someone to switch. I hate being nickel-and-dimed. There is also more angst about a new training firm called the Hacker Academy (here). Get over it: higher-brow training shops have been teaching hacking forever, regardless of what they call it, and there is a lot of precedent for using the term "hacker" as good marketing leverage. But I guess some folks just need to feel angst.

In blog-land, it seems Symantec wants to pat its own back about how proficient they are at fighting rootkits (here). Normally, I'd pooh-pooh it and move on, but there may be something there. By leveraging some Veritas technology, they may actually have a defensible differentiation in detecting rootkits. Wow, now that would be novel. I also want to point out that Pete Lindstrom is on a philosophy kick (here). His one-sentence post hurts my head like Nietzsche, but it's a good thought.

Have a great day. I'll be at CSI today and tomorrow, so if you happen to see me, say hi!

Top Security News

Vendors on the upgrade hamster wheel
So what? - It seems that the jig is up for vendors. If you pay attention to this survey done by Network Computing, users know vendors lie about what their products do. I know, it's a shocker. But then Art Wittmann points out some of the challenges of growing the business, especially in mature market spaces. Think about it this way: in order to maintain any kind of growth rate, Microsoft needs to grow by a Juniper EVERY QUARTER. Do you understand that? Cisco is almost in the same predicament. So vendors will always be trying to figure out how to get existing customers to upgrade, because it's much easier to sell to someone who already knows you (presumably), especially if almost every company on earth already uses your stuff (like Microsoft and Cisco). So you try to add some goodies in a new rev and throw a couple of Hail Marys, hoping it's enough to get them to upgrade. So guys like Hoff can have angst about Cisco's evil plan, but it's all part of the game.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193501013


So that's what $60 million gets you
So what? - McAfee finally announced how SiteAdvisor plans to monetize. I'm a bit underwhelmed, because blocking bad stuff should be a feature. Why do I want to pay extra? I doubt companies will get socked paying extra (you just threaten to go to Symantec or Microsoft and they'll throw it in), but still. Am I going to buy SiteAdvisor Plus solo? For an extra $24.99 a year ($49.99 for a 3-pack)? Probably not, since my web gateway should take care of that, no? Maybe not as well, or with as many cool green check marks, but it works. So I was sold on putting SiteAdvisor everywhere to differentiate, but expecting customers to invest more to get it is a stretch.
http://www.mcafee.com/us/about/press/corporate/2006/20061106_195700_q.html

Hacker Academy - Prep school for ne'er-do-wells?
So what? - That's certainly what the big security vendors would have you believe. A new training shop announced last week, calling themselves the "Hacker Academy" and teaching hacking from hackers. Big deal. Ron O'Brien from Sophos is pretty bent about it, and he's pretty much dead wrong. Do I think my engineering degree isn't helpful to what I'm doing now because I don't practice manufacturing? Of course not. It taught me how to think, and that's exactly what the Hacker Academy wants to do as well. In order to stop hackers, you need to understand how they think (at least partially), and unless you know what you are up against, how are you supposed to stop it? Seems Ron also has a problem with the name, but again, it's good marketing. Brand is so hard to build nowadays, and they will carve out a place in your mind. You may not like it, but you'll probably remember it. @stake took a similar approach way back when, by using Mudge as the poster child, and it worked pretty well to put them on the map.
http://www.redherring.com/Article.aspx?a=19515&hed=Hacker+Academy+Launched

Pushing on the mobile security string
So what? - It's tough to create markets. You need to manufacture buying catalysts, present them to customers with a straight face, and pray they don't call your bluff about how serious the threat is today. So when I see a list of "best practices in smartphone security," I'm wondering what stuff will be manufactured to create interest now. It's the standard stuff. Know the security risks. Duh! Consider centralized purchasing of the phones, so you are standardizing on hardware and the protections needed to make it work. Duh squared, but not bad advice. Use the smartphone browser so data isn't stored locally. OK, that's decent too, if your mobile folks are OK with applications that are dog slow (unless you can jump on EV-DO or EDGE). But then they have to throw the obligatory mobile malware protection in there. I shouldn't have been surprised, but give me a break. I'm not even going to go there. But if I have 10 bucks to spend, it ain't going to be on mobile AV, that's for sure.
http://www.informationweek.com/blog/main/archives/2006/11/best_practices.html


Avnet brings good things to life?
So what? - Why a company like GE owned a low-margin distributor like Access Distribution always seemed a bit strange. Well, no longer: as the distribution channel consolidates (like everything else), Access was taken out by Avnet. It seems Avnet was most interested in the Sun channel, though Access did a lot of security business with the likes of Check Point and Nokia. It'll be interesting to see how much attention they continue to pay to that business, or whether they'll spin off those product portfolios to more specialized security folks (like Westcon). This doesn't really have much bearing on end users (since you deal with the resellers anyway), but your reseller will have fewer folks to work with, and that may have an impact on price and flexibility somewhere down the road.
http://biz.yahoo.com/bw/061106/20061106005530.html?.v=1

Top Blog Postings

Losing your job isn't the end of the world
For a guy who has a job, Mike Murray certainly talks about finding another one an awful lot. Obviously I jest, because I think the personal management stuff that he discusses is good stuff, and this post is no exception. Basically, when you get canned, you can view it as the closing of one chapter and the beginning of another, or it can be the end of the world. Take it from me, since I've been in both places. But Mike's point (taken from the JibberJobber folks) is right on. You need to take some time to figure out what you like to do, and then build a plan for how to get there. This isn't brain surgery, but it's a lot of hard work, and sometimes it takes eating some pride and approaching folks you may have lost touch with. I can tell you, every time I've been shown the door, it's been a very positive experience. But that's because I've worked my ass off to make it a positive experience.
http://episteme.ca/cblog/index.php?/archives/96-Networking-Blog-Carnival.html

We do rootkits too!
Just ask the guy we paid some money to check it out. I say that a bit tongue in cheek, but Symantec patting themselves on the back about how well they do rootkits is a bit much for me. Now, I know Roger Thompson of Thompson Cyber Security Labs, and he's a good guy. So is Kevin Tolly, but it always seems that the folks who sponsor the studies do pretty OK in the final results. Maybe a lot of vendors put unfavorable results on the shelf, but I don't think so. Anyhoo, predictably Symantec came in #1 and Microsoft came in dead last. Coincidence? OK, I'll give the conspiracy theories a rest, but at least Symantec has an answer as to why they are better. It's some stuff they got from Veritas that allows them to bypass the Windows file system and directly access the raw NTFS. That actually makes sense. And given that McAfee and Webroot ain't buying a storage player anytime soon, it could be a point of longer-lasting differentiation. Now that would really be interesting.
http://www.symantec.com/enterprise/security_response/weblog/2006/11/handling_todays_tough_security.html
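The reason raw NTFS access helps against rootkits is the cross-view idea: a rootkit hides by lying to the Windows file-system API, so if you build a second listing from the raw volume and diff it against what the API reports, anything the API omits or misreports stands out. The Python below is an added example of that comparison, not Symantec's, Veritas's or the study's code. The two listings are constructed sample data; the "raw" view stands in for whatever a raw-NTFS parser would return, and real volume parsing is out of scope here.

```python
"""Cross-view file-system comparison (added example, constructed data).

API_VIEW  - what the OS file-system API reports (the view a rootkit can filter)
RAW_VIEW  - what an independent, lower-level parse of the volume reports

Differences are leads for an analyst, not verdicts: a file written between
the two snapshots will also show up, so confirm before acting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


def normalize(path: str) -> str:
    """Canonical key for an NTFS path.

    NTFS is case-preserving but case-insensitive, so the raw view may return
    a different case than the API view for the same file; either slash style
    and a trailing separator are also tolerated.
    """
    return path.replace("/", "\\").rstrip("\\").casefold()


def cross_view(api_view, raw_view):
    """Diff two views of the same directory tree.

    Returns a dict with three sorted lists of paths:
      hidden        - present on disk (raw view) but not reported by the API
      phantom       - reported by the API but absent from the raw view
      size_mismatch - present in both, but the API reports a different size
    """
    api = {normalize(e.path): e for e in api_view}
    raw = {normalize(e.path): e for e in raw_view}

    hidden = sorted(raw[k].path for k in raw.keys() - api.keys())
    phantom = sorted(api[k].path for k in api.keys() - raw.keys())
    size_mismatch = sorted(
        raw[k].path for k in raw.keys() & api.keys() if raw[k].size != api[k].size
    )
    return {"hidden": hidden, "phantom": phantom, "size_mismatch": size_mismatch}


# Constructed sample listings (sizes and the hidden/mismatched names are made up).
API_VIEW = [
    Entry(r"C:\Windows\System32\ntoskrnl.exe", 4_000_000),
    Entry(r"C:\Windows\System32\drivers\disk.sys", 60_000),
    Entry(r"C:\Windows\System32\svchost.exe", 30_000),
    Entry(r"C:\Users\alice\report.docx", 120_000),
]

RAW_VIEW = [
    # Same kernel file, different case: must NOT be flagged.
    Entry(r"c:\windows\system32\NTOSKRNL.EXE", 4_000_000),
    Entry(r"C:\Windows\System32\drivers\disk.sys", 60_000),
    # The API under-reports this file's size (constructed discrepancy).
    Entry(r"C:\Windows\System32\svchost.exe", 31_000),
    Entry(r"C:\Users\alice\report.docx", 120_000),
    # On disk, but filtered out of the API listing (constructed hidden entry).
    Entry(r"C:\Windows\System32\drivers\hidden.sys", 48_000),
]


def report(api_view=API_VIEW, raw_view=RAW_VIEW):
    """Run the comparison on the sample data and return the findings."""
    return cross_view(api_view, raw_view)


if __name__ == "__main__":
    for category, paths in report().items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

The case-insensitive key in `normalize` matters in practice: without it, every file would be flagged as both hidden and phantom whenever the two views disagree only on letter case, and the real finding would drown in noise.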

Try "yes, but"
The fact is, it's always easier to blame someone else. That's the subject of Alex Hutton's post here, pointing to some sage words on Dark Reading and Security Ripcord. I hear a lot of aggravation and annoyance about how stupid users are, and that usually results in security folks saying no, as opposed to "yes, but." That's a pretty important nuance, so let me say it again. Try not to say no, but reorient your response to "yes, but." That makes the other party more aware of the compromises necessary to do what they want. And there are always compromises. Part of the Pragmatic CSO methodology is designed to help communicate decisions based on risk and economics, not on annoyance or stupidity. Sure, if a user suggests something stupid, you want to be able to tell them no. But as my wife always reminds me, there is a right way and a wrong way to say no. I also love Alex's perspective on "Security 2.0." Amen to that, brother: our messages MUST be consistent and defensible.
http://riskmanagementinsight.com/riskanalysis/?p=49

Spire's Fundamental Law
Pete Lindstrom is on some heavy stuff. I suspect it requires a prescription, or perhaps a trip to see some guy on a corner in downtown Philly. Today's wisdom is "badness scales better than goodness." Wow, that's deep. It's true, too, but deep. Since Pete has left us to our own devices to figure out what he means, let me give you my take. The bad guys only have to be right once, and they are in. The good guys have to be right EVERY TIME. And that is hard. Very hard.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/11/spires_fundamen.html

Recently on the Security Incite Rants Blog

Coming Soon: The Pragmatic CSO
I'm really excited to announce my upcoming book, The Pragmatic CSO: 12 Steps to Becoming a Security Master. Security hasn't really gotten better, and most security professionals are totally overwhelmed and having a hard time putting in place a program to be strategic, as opposed to firefighting. So the Pragmatic CSO is the Security Incite methodology for "doing" security, allowing you to focus on what's important and show value to the folks who write the checks. There will also be a web community and training programs to support the book. You can check out the Pragmatic CSO teaser site here.
http://securityincite.com/blog/mike-rothman/coming-soon-the-pragmatic-cso

Year-end webcast and seminar promotion
In order to support (and properly evangelize) the Pragmatic CSO, I want to be speaking anywhere and everywhere about pretty much anything related to information security. To do that, I'm making it very attractive for vendors and associations to book my talking head for the first 6 months of 2007. Check out the promotion and sign up quick, since the promotion only lasts until the end of the year, and I expect slots will go fast.
http://securityincite.com/blog/mike-rothman/year-end-webcast-and-seminar-promotion

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-11-06