The Daily Incite - December 5, 2006

Submitted by Mike Rothman on Tue, 2006-12-05 10:18.
Today's Daily Incite

December 5, 2006 - #166

Good Morning:
Ah, Tuesday, and it's back to normal. Lots of security stuff to talk about, a little bit of chill in the ATL air, and an overwhelming workload for the rest of the week. It sounds kind of weird, but I thrive on the activity. I guess I should bring that up to my shrink, eh? No deep thoughts today; let's just enjoy the crisp air (in the US anyway) and the fact that we have lots to talk about.

So in security-land, we have a deal. I guess the i-bankers haven't taken off for holiday quite yet. With IBM buying Consul (here), it's clear that SIM is a feature, maybe. The music is about to stop, and lots of folks won't have a seat. Even the big SIM dog is diversifying as ArcSight introduced remediation and logging appliances yesterday (here). This is indicative that log management is a real market now, and we'll start to see more vendor sniping. Oh joy! And it looks like customers still like what network security vendors are selling (here), given the market grew 11% last quarter (according to Infonetics anyway). But the reality is that security continues to evolve and mature and that means we as security professionals need to do likewise.

In blog-land, Farnum lets us in on the secret of what a security job is really like (here), and I'm cool with that. You don't want folks (maybe SCO driver developers) to come into security because they think it's cool and glamorous. If you want cool and glamorous, become a Britney Spears underwear salesperson - though there doesn't seem to be much longevity in that business either. Commando!!! Seriously, we need to be honest with ourselves and with other folks that are thinking about becoming security professionals, because no job is all good. I'll also point to a post (here) from the legendary Geoffrey Moore about building a "platform," and challenge you to think about how that applies to the security business. My ideas are there to get you started, but clearly this is where Big Security is trying to be.

Have a great day.


Top Security News

Deal: IBM buys Consul
So what? - The SIM and SIM-like market keeps consolidating, and none too soon. You have a relatively big player (ArcSight) and lots of folks that have either sold out or are running for cover. Suffice it to say it's a tough market, and one more potential acquirer is now spoken for as IBM has acquired Consul. Interestingly enough, Consul will be folded into the Tivoli software group and not the ISS group. Hmmm. But wacky organizational structures aside, of all the SIM and/or compliance dashboard players IBM could have taken out, Consul is a pretty good fit. First, if they paid more than a song and dance, then they paid too much. Second, Consul's heritage is big iron, so they've got all sorts of connectors to mainframe and mini-systems, which is very leverageable for a company like IBM. The clock is clearly ticking for all the other players in the SIM space to find a partner or to go away.
http://www-03.ibm.com/press/us/en/pressrelease/20716.wss
Log Management hits the big time
So what? - Speaking of ArcSight, it looks like they've gotten appliance religion. First, they finally got a new ENIRA-based product into the market (what, 6 months after the deal happened?) to start providing remediation options for information gathered in the SIM (release here). Next, they are now entering the log management market with a box that is bigger and faster than current leader LogLogic. Just ask them. With lots of folks converging on the log management opportunity (EMC/RSA bought Network Intelligence for largely the same reason), it's now a real market. And what does that mean? It means vendors will bend and stretch numbers and other positioning points, because it's all about whose piece is bigger. LogLogic had to respond to ArcSight's announcement (here) to set the record straight, according to them anyway. Let the vendor sniping begin! But if you are a user, don't pay attention to the marketing games. Determine your requirements, bring in some folks for a bake-off, and see which solutions will work for your environment. Then beat them with a stick to get the best price. Just like I laid out in the Buying Security Products guide.
http://www.arcsight.com/pr_12_04_06b.htm

Oh crap, we have a problem. Now what?
So what? - Incident response is a science, and there are lots of folks that are very good at piecing together what happened and helping you pick up the pieces. This Network Computing article hits many of the highlights of what you need to do when something goes down. There are lots of tools emerging to gather appropriate data, assist in the analysis, and help with post-mortem activities. Whether it's gathering data from volatile memory or analyzing hard disks, there will be plenty of data to pore over. The question is what conclusions to draw from that data. In general, I recommend bringing an expert in to help (at least the first time), because they will save you a lot of time in figuring out what is going on. But all security professionals need to have a tight incident response process, because sooner or later your number will be up.
http://www.networkcomputing.com/showArticle.jhtml?articleID=196510315

Network security market continues to grow
So what? - Just to show that I'm not always beating up the Infonetics guys, I'll give them a pat on the back, because they do a good job of counting things that have already happened. Numerous people have told me that their market sales and share reports are very close to the real numbers. Looking forward and market sizing, not so much - but I don't think even Carnac could tell you how big the NAC market will be in 2009. Infonetics' latest report shows network security growing 11% to a cool $1.1 billion. It looks like Cisco showed the most significant market share gains. Shocker! More interesting is the projection that "within the next 2 years almost every VPN/firewall appliance will have some form of intrusion prevention and gateway anti-virus integrated...," so UTM is here to stay and you won't really be able to get a standalone firewall. The good news is that you can get a new device, but no one is forcing you to use all of the capabilities. So if you are happy with your existing IPS, then leave it be. But the day you get tired of paying yet another maintenance charge, you can turn on the capabilities on your UTM device.
http://biz.yahoo.com/iw/061204/0191159.html
YACL - Yet another certification lab
So what? - This one is new and in my town. Looks like David Maynor (formerly of SecureWorks) and Robert Graham (chief scientist of ISS) are starting a new shop to test and "certify" security software, called Errata Security. What a crappy name. Why don't they just call themselves "We Screwed Up Security Services" or maybe "Naming is Not our Forte LLC"? Having spent some time at TruSecure, I'm very familiar with ICSA Labs and their model. Personally I think Maynor and Graham can build a decent business doing a better job than ICSA, which hasn't seemed to really do anything interesting in a long time. But it gets back to playing on their names, which would make their certification worth something. They can drive the price down on these certifications and bring some competition to the lab game. Is it a $20 million opportunity? Nope. But you certainly could make a nice living.
http://www.darkreading.com/document.asp?doc_id=111357

Top Blog Postings

No bed of roses
I always use a pretty interesting interviewing technique that I learned from my first research boss, the legendary Joaquin Gonzalez. I would paint the absolute worst case scenario about what life was like at the company, what the challenges were, and how hard a job it is. If the candidate was still interested, then I would see if there was a fit. But I didn't see any point in deluding folks about what the situation was like. That only caused mismatched expectations and disappointment when the job didn't turn out to be a bed of roses. Thanks to Farnum for making the same point about security in his latest ComputerWorld blog post. Life isn't grand, and most days being a security professional is a thankless job. Part of the Pragmatic CSO approach is to interface with the right people so they gain a better appreciation for what you are doing - but the reality is, it's not about fighting the bad guys and ducking bullets each day. Like any job, there are parts that are great and others, not so much. Hopefully posts like this will make sure the folks that are coming into the business know what they are getting into.
http://www.computerworld.com/blogs/node/4115

Transport security is different than protecting messages
Gunnar excerpts an interesting passage from the 1600s to make a point about protecting devices versus protecting data. Whether you call infrastructure and networks "transport" and data "messages," the point is the same. Data is fungible. It changes form, and it becomes impossible to track (and protect) using traditional network and system security techniques. So a discipline is evolving in data security or "information" security, which looks at how to most effectively protect the fundamental elements of data. The answers aren't real good yet (today's DRM/ERM solutions are ineffective and cumbersome), but they'll get better. They always do. But we need to keep thinking about protecting information as being distinctly different from protecting the infrastructure.
http://1raindrop.typepad.com/1_raindrop/2006/12/neal_stephenson.html

Fighting for the security "platform"
I am a big fan of Geoffrey Moore. Fact is, he hasn't really done much interesting since he wrote "Inside the Tornado" back in 1995. But no matter, Crossing the Chasm and Inside the Tornado are timeless classics that we all need to keep in mind as we see markets ebb and flow along the technology adoption curve. Geoffrey Moore's blog does provide some perspectives from time to time that we can apply to our own experiences in the security market. Like that of the platform. Cisco, Microsoft, Symantec, McAfee and a host of others continue to try to assemble the pieces to bring a platform mentality to the security space. So clearly, they are trying hard to traverse the 3 stages of platform innovation that Moore describes here. On a good day, some of these vendors are at step 1, basically trying to improve productivity and make their own product lines more compelling. The idea of an ecosystem around a security platform (step 2) hasn't happened yet, though folks like Cisco and Microsoft are trying. Fact is, they've got the cart a bit ahead of the horse on that one. And eventually they will try to be a de facto standard (which is step 3). We are a ways off, but this provides a decent taxonomy of what Big Security is trying to do.
http://geoffmoore.blogs.com/my_weblog/2006/12/platform_innova.html

Sales and Marketing are different too
Stiennon, that vendor guy, is poking a bit at the trend for IT security and physical security to be consolidated. His point is that there is very little technical overlap between the functions, so there is little benefit to joining them. Having a marketing background, I can tell you that marketing and sales are very different as well. But organizations that have both under the same organizational umbrella tend to work better. Huh? It's true, because it gets back to eliminating the constant sniping between sales and marketing. If there is one executive (who is not the CEO) responsible for both marketing and selling, those excuses go out the window. To be clear, you will still have sniping, but it won't be as apparent. And ultimately sales and marketing will work together. Same goes for IT and physical security. Sure, they are different, but they need to work together. If the only way to do that politically is to join the two groups under one manager, I'm all for that. Don't expect to save a lot of money, because of that lack of leverage Richard refers to, but do expect better communication and more effective shared goals.
http://blogs.zdnet.com/threatchaos/?p=441

Recently on the Security Incite Rants Blog

The Righteous Path of the Analyst
As Amrit and Stiennon head back to vendor land, it got Thomas Ptacek to wonder whether being an analyst is just a training ground for a high-level marketing position at a vendor. Given that I was an analyst, then became a marketing guy, and am now back to being an analyst, you'd figure I'd have an opinion on the topic. Well, you'd figure right. Check it out.
http://securityincite.com/blog/mike-rothman/the-righteous-path-of-the-analyst