The Daily Incite - January 18, 2007

Submitted by Mike Rothman on Thu, 2007-01-18 10:01.
Today's Daily Incite

January 18, 2007 - Volume 2, #10

Good Morning:
Ah, the dashed hopes of a 6 year old started my morning. Here in Atlanta, we were supposed to get the first winter storm of the year. The first of maybe one or two that we get every year. But alas, upon waking up - it wasn't that cold and just kind of rainy and crappy. My 6 year old was very excited to have some snow (or maybe ice) to play in. She was little when we lived in Virginia and couldn't really appreciate what a pain in the ass snow is. So it was another day and off to the bus at 7 AM per usual. Thankfully, the boss and I spent time managing expectations last night, so she didn't have a meltdown this AM when the ground remained cruddy brown, not pearly white. Managing expectations applies to everything you do.

In security-land, there is a deal to discuss. Fortify "acquired" Secure Software (here) - but it seems to be more akin to opening up a sales office in DC to attack the Federal market than "extending a lead." So now Fortify is the self-proclaimed leader in a market of two. I also rant a bit about the SIEM market (here), using a new release by the Big Yellow to once again reinforce my thoughts on the topic. 

In blog land, it seems that printer attacks are now all the rage (here). Personally, I think this is a bunch of security research guys without enough to do. I guess if you have a PC-based printer controller, then there is a potential problem. But of all the bots out there, I don't think a lot of them are spewing out postscript as their day job. I also found a good post on improving vendor pitches to analysts (here). Read this if you are a vendor, it will save both of us some heartburn.

Have a great day.

PS: My second shipment of Pragmatic CSO - The Book arrives tomorrow, so if you are waiting to get your hands on one - the books will go out tomorrow and I'll finally have some inventory. If you aren't waiting for your copy - why not? Go buy it today.



Top Security News

Deal: Fortify takes Secure Software out of its misery
So what? - Creating new markets and changing user paradigms is hard. And it takes an exceptionally long time. The folks that make source code analysis tools are finding this out. So I can't say I'm surprised that a few have fallen by the wayside. What's interesting to me about the Fortify/Secure Software deal is that the Secure Software investors would settle for a private company transaction. That means one thing - no bigger security player wanted to buy it. This is another data point as to how early this market is, and Fortify can talk about "extending its lead" all it wants - but the reality is until somebody big shows interest in this market - there is no market.
http://biz.yahoo.com/prnews/070117/sfw052.html?.v=90


Security companies line up behind Vista
So what? - I'm glad I have two ears because some of the security vendors are talking out of both sides of their mouths. On one hand, you have McAfee and Symantec taking every opportunity to take potshots at Microsoft. The latest is alleged problems with User Account Control from Symantec. But when Microsoft asks them to get on stage (or in the press release anyway) and get some free publicity as Microsoft spends probably a hundred million to launch Vista - they are right there. I just think it's funny more than anything else, and 2007 will be very interesting to see how the AV vendors evolve their offerings to survive in the age of Vista. I can safely say, continuing to bitch about it isn't the answer. I'll also tip my hat to Microsoft, who is taking the high road, finally realizing that Symantec's bitching won't stop them from selling hundreds of millions of copies of Vista. It's nice to see them ignoring Symantec, knowing that it makes the Big Yellow seem all the more petty.
http://biz.yahoo.com/prnews/070117/sfw041.html?.v=83

Revisiting the SIM
So what? - Since when does Symantec have a SIM? Of course I jest, but that is one of the issues of being in Big Security and having one of everything. Half the time no one even knows you've got an offering in a specific space. But this isn't about Symantec's SIM; read the release if you want more details on the new version. I've done two press calls this week on SIM because it seems that everybody thinks I hate the category. Well, I do, but not because customers don't need to correlate issues and figure out what's going on with their network and systems. They do. My issue is that today's SIM solutions don't do that. They are still too expensive, too hard to use, and look in the rear view mirror. There are better ways to do this than SIM.
http://biz.yahoo.com/iw/070117/0203955.html


Is that a rootkit in your pocket?
So what? - Is a rootkit detector a separate offering? Today it is, but it probably shouldn't be. This review in InformationWeek takes 6 different products for a spin. Most of the AV products have some rudimentary capabilities along these lines, and for daily stuff that is good enough. Of course, there are some instances where you need more horsepower, especially when trying to figure out if a device has been compromised, and that's where these products come in handy. But these tools are not for the faint of heart quite yet (neither is dealing with rootkits in general). As I mentioned yesterday, once you figure out what happened (and take steps to ensure it doesn't happen again), you are better off re-imaging the machine, rather than trying to clean it up.
http://www.informationweek.com/showArticle.jhtml?articleID=196901062


Top Blog Postings

Oh crap, more convergence
At some point, the term convergence is going to grow tiresome. That point may be sooner, rather than later. Steve Hunt, a former Giga security analyst, is now blogging. Though I'm not really clear on what Steve does to pay the bills, it has something to do with the intersection of physical and computer security. In this post, Steve relates the tale of a CSO that actually collaborates with his counterparts in physical security and compliance and actually got some leverage. Security is not an island, and since it doesn't really add to revenue, it is all the more important that security folks work with other parts of the organization to figure out how/where to gain as much leverage as possible. Seems like a very Pragmatic thing to do.
http://www.securitydreamer.com/2007/01/doing_more_with.html

Path of least resistance - your printer!!!
Looks like the latest security meme is going to be around networked printers. Oh the horrors! A bad guy might start a batch print job and run through an entire ream of paper. Maybe in 2007 we'll have the first sacrificial lamb who will get canned because his HP printer got owned. OK, maybe I'm being a bit facetious here. Yes, networked printers are exposed, but do they really present a RISK? You've got 24 hours today and a list as long as your arm. Where does "patch the printers" end up on the list? Part of being Pragmatic is to be very focused on addressing the issues that present the most significant risk to your organization. Are the printers that risk? I don't think so, and if you have the time to address those issues - then congratulations, you are one of the few that actually has a manageable list.
http://www.computerworld.com/blogs/node/4376

Vulnerability disclosure in the SaaS world
Whoever pointed me towards the new Veracode blog, thanks. I can't remember because I'm senile. Chris Wysopal and friends will add a lot to the discussion. The question in this post is what is going to change as more and more of the software we use is delivered as a service. Chris is worried that there are no watchdogs in the SaaS world, and his fears are well founded. Traditional vulnerability research is moot for a SaaS system. For example, what good is disclosing a vulnerability on Salesforce.com? Basically to figure it out, you've got to hack into their systems, which is kind of against the "good guy's code of ethics." Remember that SaaS is a CLOSED SYSTEM. The provider owns the software and provisions stuff through a browser. There is no need for customers to patch anything. So the researcher then goes to the vendor, maybe to the press - then probably to the clink for breaking the law. Chris' conclusion is right, SaaS vendors need to do 3rd party certifications (or at least publicly available pen test results) to verify that they are cool. It'll just take one train wreck to adversely impact the entire delivery model.
http://www.veracode.com/blog/?p=13

Why your analyst pitch sucks
This snippet is targeted towards my vendor readers out there. Sorry to break it to you, but your slides suck. That's why I favor not using slides at all and just talking. Most folks just use their main corporate deck, and that's exactly the wrong thing to do. I don't care about your customer slide, I don't care about your investors (actually, I probably know all this stuff already) and I'm not buying anything from you. I'm not expecting you all to build your pitch around the Pragmatic CSO framework to appeal to my ego (though that would earn brownie points), but focus on the customer problem and how you solve it. Leave out the "best at this" and "leader of that," I don't believe you. And the best tip in this post: "don't follow a script." If you are reading slides to me, odds are I'm checking my email while you are blathering away. Read this post, and then toss the PPT.
http://armadgeddon.blogspot.com/2007/01/ar-101-series-dont-use-sales.html
