The Daily Incite - November 9, 2006

Submitted by Mike Rothman on Thu, 2006-11-09 10:40.
Today's Daily Incite

November 9, 2006 - #153

Good Morning:
Quick rant today because I'm running late, I'm tired (travel usually does that to me) and the boss needs me to get something done and she's calling every 5 minutes to make sure it happens. That just makes me pretty cheerful, even though it's a sunny day here in the ATL. Not a hell of a lot of news in security-land. Microsoft issued their Vista Security Guide (here), which is a must read unless you use all Macs (more power to ya). Symantec is writing a book about online safety for teens (here) and Check Point is introducing a wireless security device for home users (here). I'm sure the Linksys folks at Cisco are quaking in their boots on that one.

Speaking of Cisco, they absolutely crushed their numbers last night (here). I read the earnings call transcript and it was very very impressive. Regardless of what you think of Cisco, their strategy is working. I'll do a more detailed post this afternoon because I think their approach is a model that other vendors need to emulate. But only if they want to stay around.

In blog-land, Amrit called Shimel (and others) a bully (here) and asks that we be respectful when calling each other's positions idiotic. Screw him. I'm just kidding. I hear what Amrit is saying, but I'm not going to change. If I think you are doing something dumb, I say it, and sometimes that whole tact thing is lost on me. But the wonderful thing about the blogosphere is that it's opt-out as well. You don't like how I say things? Change the channel. Jeff Hayes points to a new vendor doing a storage firewall here. I'm waiting for my brand spanking new earphone firewall to arrive any day now. Where is the line, folks?

Ah, there is my wife again. Better wrap it up. Have a great day.


Top Security News

Understanding Vista Security
So what? - There you have it, Microsoft made the date. Lots of folks were skeptical and lots of folks were wrong. Good for Microsoft. But now we security folks have to start figuring out how, when and where to introduce Vista into the environment and which of the new security capabilities will work. So, you smart ones out there have been playing with Vista for a while and know all about this, right? The lab is set up, you understand how it's going to impact your applications and you are also working on changing your policies to encompass the additional capabilities, right? Oh, you have a day job. You can hardly keep on top of the stuff you are supposed to do. I get that, but you can't really procrastinate learning about Vista security for much longer. Come Q1, a lot of your new PCs will already have it. So it'll be there; you may as well figure out how it works. Check out this guide by your friendly neighborhood Windows folks to learn pretty much what you need to know.
http://www.microsoft.com/technet/windowsvista/security/guide.mspx

Educating teens? Write a book.
So what? - Symantec is trying to do the right thing and educate parents and teens about cyber attacks and how to protect their private information. But publishing a book and selling it on Amazon is not the way to get at this audience. First of all, the new generation has systemic ADD, there is no way they are going to sit down and read a book, unless it's about Lindsay Lohan or Paris Hilton. So the packaging is all wrong. They should have extracted the salient points and put a brochure together and distributed it widely through high schools, and probably religious organizations. Sure, I get that it costs money to do that, but this is marketing folks and brand building. Maybe buy one less useless two-page spread in PC Magazine and do some more effective guerrilla work. Second problem is that it's written. Why wouldn't you put all this information on-line in an easy to navigate, kind of cartoonish format - again to appeal to your audience. I hope McGruff has a better plan than this, because if you don't get information to your desired audience in the way they will consume it - guess what happens?
http://biz.yahoo.com/iw/061109/0181425.html

Review: Arbor Peakflow
So what? - I've been doing some research into the Network Behavior Analysis space of late. Nothing planned, but it has come up in enough conversations to know that there is value in the technology. But as this review of Arbor's Enterprise offering shows, it's still not for the faint of heart and it's very expensive. The idea of tracking your network flows and using that data to figure out if something is amiss on your network is a good one. It always has been, but it's not a stand-alone one - one of two things has to happen. Existing NBA vendors need to add some better way to remediate (likely in an automated fashion), or existing defense solutions are going to start adding more sophisticated NBA to the detection techniques used on their boxes. Of course, the performance needed to analyze traffic on an SMB network vs. an enterprise network differs significantly, so this combined offering wouldn't make sense for a large network - but the point is the same. We are going to see more consolidation, and that's a good thing because many of these technologies shouldn't stand alone for mid-sized networks.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1228303,00.html
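To make the flow-tracking idea above concrete, here is an added example written for this page; it is not Arbor's code or anything from the original post. It learns a per-host baseline of outbound bytes per time window from constructed flow records, then flags a window whose volume blows past that baseline, a host fanning out to many ports in one window, and a host with no history at all. The field names, thresholds and sample values are all assumptions. Note that it stops at detection, which is exactly the remediation gap the item complains about.

```python
"""Toy network-behavior-analysis (NBA) pass over flow records.

Added example for this page, not code from Arbor or the original post.
Flow records below are constructed, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record: time bucket, source host, destination, port, bytes sent."""
    window: int
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed baseline: two hosts doing ordinary HTTPS/SMTP over six windows.
BASELINE_FLOWS = (
    [Flow(w, "10.0.0.5", "192.0.2.10", 443, 40_000 + 500 * (w % 3)) for w in range(6)]
    + [Flow(w, "10.0.0.7", "192.0.2.25", 25, 12_000 + 300 * (w % 2)) for w in range(6)]
)

# Constructed observation window 7: host .5 ships ~50x its usual volume to a new
# destination, host .7 touches 40 ports on one internal box, host .9 has no history.
OBSERVED_FLOWS = (
    [Flow(7, "10.0.0.5", "203.0.113.9", 443, 2_000_000)]
    + [Flow(7, "10.0.0.7", "10.0.0.50", port, 60) for port in range(20, 60)]
    + [Flow(7, "10.0.0.9", "192.0.2.10", 443, 30_000)]
)


def volume_per_host_window(flows):
    """Sum outbound bytes per (src, window)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.window)] += f.bytes_out
    return totals


def build_baseline(flows):
    """Per source host: (mean, population stdev) of per-window outbound bytes."""
    series = defaultdict(list)
    for (src, _window), total in volume_per_host_window(flows).items():
        series[src].append(total)
    return {src: (mean(v), pstdev(v)) for src, v in series.items()}


def detect(flows, baseline, z=3.0, min_rel_spread=0.05, fanout_limit=20):
    """Return (host, kind, value) findings for each (src, window) in `flows`.

    kind is one of:
      volume        outbound bytes exceed mean + z * spread; spread is floored at
                    min_rel_spread * mean so a near-constant history does not turn
                    every small wobble into an alert
      port_fanout   distinct (dst, dport) pairs reach fanout_limit in one window
      unknown_host  the source has no baseline at all
    """
    findings = []
    totals = volume_per_host_window(flows)
    pairs = defaultdict(set)
    for f in flows:
        pairs[(f.src, f.window)].add((f.dst, f.dport))

    for key in sorted(totals):
        src, _window = key
        total = totals[key]
        if src not in baseline:
            findings.append((src, "unknown_host", total))
        else:
            mu, sd = baseline[src]
            spread = max(sd, min_rel_spread * mu)
            if total > mu + z * spread:
                findings.append((src, "volume", total))
        if len(pairs[key]) >= fanout_limit:
            findings.append((src, "port_fanout", len(pairs[key])))
    return findings


if __name__ == "__main__":
    for host, kind, value in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{host:10} {kind:13} {value}")
```

Running the baseline windows back through `detect` produces no findings, which is the sanity check any baseline-driven detector needs before it is trusted on live traffic; a real deployment would also age the baseline and handle seasonality, which this toy deliberately ignores.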

More on Secure Accelerated Access
So what? - The more things change, well the more they change. But the pendulum always swings back. Branch offices are always a pain to manage because there are so many of them, so the multiplier effect kicks in. In the olden days, we just used mainframe or mini-computer solutions basically putting dumb terminals out there. But as technology changed, folks started rolling out branch office computing platforms with all the associated cost and hassle of managing them. With the advent of WAN optimization offerings and affordable broadband, it's probably about time for the pendulum to swing back and allow these organizations to once again centralize computing. There are some security benefits to this architecture as well, which are laid out in this article. Now to be clear, Craig Stouffer (the author) works for a vendor that sells WAN optimization gear, so he's got skin in the game - but the points he makes are good.
http://www.net-security.org/article.php?id=955

Check Point your home
So what? - It seems Check Point's new strategy is to go after the home market. On Tuesday they announced a new wireless router branded as a "ZoneAlarm" product, clearly to take advantage of the Zone brand strength in the consumer space. Basically this seems to be a rebranded SofaWare box, and since that was such a home run - I've got similar expectations for the new box. They are positioning the product as "more secure" by providing IPS and AV on the box as well. Because they are such generous folks, they'll throw in a CHKP VPN client. But here is the kicker: they want $199 for the box ($149 if you buy it this year). That's a laugh, when you can get a Linksys for $79. "More secure" is not a defensible brand position for the consumer and SOHO market, because the competition is usually NO security or something they can get easily at a big box retailer. And this doesn't even really protect the consumers, who are still at risk for ID theft and can still do stupid things, even if they pay extra for the desktop suite. Check Point also doesn't have volume channels (like Best Buy and CompUSA) to drive this product. So if you couldn't tell, I'm a bit underwhelmed.
http://www.checkpoint.com/press/2006/zawirelessrouter110706.html

Top Blog Postings

Shimel a bully? Nah, he's a pussy cat.
Some people just don't understand New Yorkers. Half the time we say hello by punching each other in the face. It seems Amrit is getting a little annoyed about the way some of us communicate here in the Blogosphere and seems to be worried that it turns some folks off. You know what? Howard Stern turns some folks off as well. But millions of folks love him. As with Alan, and I'm sure with me, some folks like our styles (since they are pretty similar) and other folks not so much. But don't expect Lockdown to respond to Alan; that would legitimize his issues. They kind of hope he just goes away, and since no one in tech media really picked up the story, the damage is pretty contained. But back to the point: everyone has their own style, and I personally don't write stuff in a way that I wouldn't communicate right to your face. I'm confrontational in my blog because that's the way I am. In person too. Now I do have a problem with folks that will write things they wouldn't say. These email (or blog) gladiators annoy me, so I either call them up or meet with them (when I worked in an office anyway) and see if they have the stones to say it to my face. Suffice it to say, most don't. But Alan does and so do I, so guys like us don't hide in a cocoon of semi-anonymity. As scary as it may be, I have no doubt that Alan would say everything he writes. I've actually seen him do it and it's pretty funny.
http://techbuddha.wordpress.com/2006/11/08/blog-bullying/

We still sell insurance
Ravi C provides a couple of options on how to sell security to upper management. First is ROI relative to savings. Huh? What are we saving? Maybe our asses from a compromise, but that is very hard to quantify. And I hear that CFOs are huge fans of squishy measurements like "we'll be safer." What about Ravi's third option, which is that security is a core competence? I'm also a bit skeptical about that because your customers probably don't care about that. They expect that you'll protect their data and will take it out of your hide if you don't. Does the fact that you are good at security help them in any way? Probably not. So we default back to the "insurance policy" model, and that insurance policy is weighed against the expected loss if systems go down, private data is leaked, intellectual property is stolen, or your brand is impacted. Some of those numbers are squishy as well, but part of what I'm doing with the Pragmatic CSO is to nail down a set of metrics that actually make sense. To me anyway.
http://ravichar.blogharbor.com/blog/_archives/2006/11/8/2485628.html

What's next? A headphones firewall?
Now I'm a big proponent of layered security, but even I have a line to draw in the sand. Jeff Hayes points to a new company called DriveSentry that has a "storage firewall," which basically must monitor the reads and writes to the drive and decide if something is kosher or not. Boy, this sounds like one step removed from application control and probably not even a niche's niche. I've been wrong before, but I suspect we need to draw the line somewhere, and having a storage firewall on every desktop is probably it. Jeff thinks it's interesting, so I hope he does check it out. I don't, so I won't.
http://mycsosolutions.net/2006/11/08/storage-firewall/

What is a security trade show?
Since I just got back from CSI as well, let me add a bit to Shimel's observation that we need fewer security trade shows. He's right and wrong. The problem is many of these educational forums (like CSI and MISTI) have been trying to paint themselves in a more trade show-ish light to get sponsors to add to the kitty. But Mr. Market has a way of working these things out, I assure you. None of the big security vendors were at CSI, and that's because there isn't a good ROI for a marketer. If there was, they would be there. If you are smaller (and the space is cheap enough), it can maybe pay. But the CSI folks didn't help themselves much either. The exhibit hall was on a different floor than the sessions. Unless you wanted a crappy box lunch, there was no reason to go to the floor at all. Contrast that to Black Hat, where much of the social interaction is on a main floor in the same space with small vendor booths and the sessions. So attendees can't help but interact with the vendors. Maybe the leads aren't any more qualified, but vendors leave that kind of show figuring they had a lot of good conversations and it was worth the money. So I agree there are too many "trade shows," but I'd posit there are probably not enough education forums, because most security folks still have no idea what's going on, and they aren't going to get that from a trade show.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/11/we_need_less_se.html

Recently on the Security Incite Rants Blog

Coming Soon: The Pragmatic CSO
I'm really excited to announce my upcoming book, the Pragmatic CSO: 12 Steps to Becoming a Security Master. Security hasn't really gotten better, and most security professionals are totally overwhelmed and having a hard time putting in place a program to be strategic, as opposed to firefighting. So the Pragmatic CSO is the Security Incite methodology for "doing" security, allowing you to focus on what's important and show value to the folks that write the checks. There will also be a web community and training programs to support the book. You can check out the Pragmatic CSO teaser site here.
http://securityincite.com/blog/mike-rothman/coming-soon-the-pragmatic-cso

Year-end webcast and seminar promotion
In order to support (and properly evangelize) the Pragmatic CSO, I want to be speaking anywhere and everywhere about pretty much anything related to information security. To do that, I'm making it very attractive for vendors and associations to book my talking head for the first 6 months of 2007. Check out the promotion and sign up quick, since the promotion only lasts until the end of the year, and I expect slots will be going fast.
http://securityincite.com/blog/mike-rothman/year-end-webcast-and-seminar-promotion

Submitted by Ross Brown (not verified) on Fri, 2006-11-10 10:20.

I have a couple of really close friends who live in Brooklyn and Manhattan who joke that people from Brooklyn are inflammatory and brash, but people who live in Brooklyn aren't. The key difference is that that behavior in Brooklyn usually results in a public beatdown, but outside the area, people react appropriately and walk away, shaking their head and wondering whether the speaker wasn't held enough as a child or raised by wolves.

The excuse of "Yeah, but I'm from Brooklyn (or Long Island or New Jersey, or anyplace)" doesn't hold any water; it's akin to saying, "Yeah, but I'm an asshole". Yes, we already figured that out, but do you have anything intelligent to add to the conversation? It's the same form of self-excusing behavior used by racists in the south when they talk about 'heritage' to justify their behavior, and it's just as ridiculous. It's also completely bizarre to see this kind of behavior from people who have kids they are trying to raise and have some semblance of an education; you'd think that they would realize that no one cares where you are from, they only care about how you act, and folks will make their judgements based on that alone.

The nice thing about this whole problem is that it is self-correcting. It makes good theatre, but it doesn't raise credibility of the speaker, which self-limits the impact of the statement. I grew up in rural North Carolina for part of my childhood and whenever I'd see a stereotypical redneck start spouting hate, it was pretty clear that no one was listening or the ones that were listening were softly laughing to themselves and saying, 'What an idiot'.

This doesn't mean you have to pussy-foot around on opinion; if you think a company has a crap product, or is pursuing a boneheaded strategy or is teetering on the brink of irrelevancy, that's all fair game and should be discussed and argued over. But if you move into the realm of personal attacks, you paste yourself with a label of irrelevancy.