The Daily Incite - March 14, 2007
March 14, 2007 - Volume 2, #44
Good Morning:
I write one thing about SIM and every friggin' vendor that I've never heard of has to reach out to me and tell me how great they are. Confused? OK, let me reset a bit. Yesterday, a new column hit in SearchSecurity called "Reviving SIM," which you can check out here. Basically, I reiterated what I've been saying all year. 1st generation SIM is pretty much dead, and those that want to survive need to either focus on log management or more real-time network detection (which means they need to bring in NBA data).
But of course, lots of folks were lining up to get briefing slots to tell me how great they are. Without even hearing their pitch, it's a load of crap. Maybe I'm being unfair, but I've seen this movie before - too many times to recollect. Some I'll even give some time to, and then I'll slice them into little pieces. Because what they are doing is the same old, same old. Take some log files, correlate them a bit, put them in a crappy-looking "dashboard" and say they are next generation.
Gosh, I love this business.
On a happier note, a piece I did in SearchSecurityChannel is also out there (read it here). It's about getting and maintaining customer loyalty. It's targeted towards VARs, but the lessons are universal. Take care of your customers, do the right thing, sell them what they need. Really simple stuff, so why don't more folks do it? Guess that is one of the mysteries of life.
Have a great day.
Top Security News
Complacency killed the cat
So what? - This story by Tim Wilson (here) is pretty distressing, but it's also true. Basically, if SMB folks think they've got security under control, they are wrong. I'm not just saying that because I try to help out security folks and target my offerings at mid-sized businesses. It's because there is too much to cover. So where is the confusion? It's largely around what security is. Most folks think they have AV at the desktop and a firewall and life is good. Until it's not. They don't get application security, they probably don't get endpoint security, and they most assuredly don't get data security. But they think they do, so hackers can rejoice - there remains a lot of low hanging SMB fruit to chase.
Monitoring for the internal threat
So what? - OK, so this is a veiled marketing piece masquerading as a byline in ESJ (here), but it makes a couple of key points. First, network security monitoring (to use Bejtlich's term) is perhaps the only chance we have to figure out what is happening on the network and pinpoint whether it's good or bad. And the current generation of tools isn't getting it done. Of course the author, Bob Pratt (who I've known since his VeriSign days) makes the play for what his product does (or will do, when it ships...) and we'll see. Folks like the late Intrusic and GraniteEdge made similar claims, but ran aground. So we'll see if this next batch (who will use the Identity-aware term) fare any better.
Symantec barks at the moon
So what? - This CRN article is pretty entertaining (here). Basically they spoke to a few Big Yellow resellers who are pissed. The latest version of Symantec AV is a dog (which we already knew) and these folks are looking at alternatives. Big whoop. 99% of them will do nothing, so the Big Yellow machine will keep on chugging along. Inertia is a tremendously powerful force. Until it isn't. Symantec's partners will give them one bungled upgrade, but not two. So if they don't clean up their act for the next rev - they will suffer because there are about 900 alternatives that the partners can sell at any given time.
The Laundry List
Juniper exodus continues, CFO and head of enterprise gone. Is there anyone left that can spell E-N-T-E-R-P-R-I-S-E? - here
Top Blog Postings
7 Habits of Pragmatic CSO
Tom Olzak gets it mostly right in this column on TechRepublic. The good thing is that it's mostly common sense, but not enough of us do it on a daily basis. Focus on business models before technology? Check - that's Step 1. Identify and prioritize business pain? Check - that's Step 7. The point is that none of this is brain surgery. We just need to do it, consistently - every day.
http://blogs.techrepublic.com.com/security/?p=177
Profiling the insider
Scott Wright does a good post here about trying to detect insiders, but most importantly how to deter their bad behavior. First, there are lots of different insider-types. As a recent discussion on the Trusted Catalyst list detailed, experienced security folks tend to develop a spidey-sense and can "feel" where trouble is going to happen. But it's really deterrence that will make the biggest difference in the end. How do you deter this behavior? Scott says "The combination of policy, awareness and other safeguards provide layers that make it more difficult for an insider threat to succeed without being caught." I say a public execution or two relays the message LOUD and CLEAR. You take our stuff, we are coming after you. Some say the death penalty doesn't work, but I say if it makes one bad guy think about pulling the trigger - then it's worth the collateral damage.
http://securityviews.com/blog/2007/03/13/its-not-that-you-cant-trust-them-but/
Advice from the FTC
Rebecca Herold points us to a paper from the FTC (that's Federal Trade Commission for non-US types) that does a good job of really simplifying what is needed to protect private information. The problem isn't that hard to comprehend. Find out what you have, protect it, and toss the rest. I also like the idea of how they suggest folks get ready for security incidents. That is great advice. Check it out, especially if you know folks that do small business stuff.
http://www.realtime-itcompliance.com/information_security/2007/03/protecting_personal_informatio.htm
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite

