The Daily Incite - March 26, 2007

Submitted by Mike Rothman on Mon, 2007-03-26 07:34.
Today's Daily Incite

March 26, 2007 - Volume 2, #50

Good Morning:
So let me get this straight. March Madness is dominated by the favorites this year. What happened to Cinderella? Seeing two #1 seeds and two #2 seeds in Final Four hopefully will make for some great basketball, but not a lot of drama. At least most of the games were pretty entertaining. A few last second baskets to pull a rabbit out of a hat and a few 15+ point comebacks that show you a team is never out of the a college basketball game.

The Final Four is in Atlanta this year, and with Ohio State and Florida in the house - many of my friends will be hitting the ticket scalper sites this week to get their seats. Not me, I'm heading down south for a weekend with a few college buddies. We haven't gotten together in over two years and this was the only weekend that worked for all of us. Oh well. If the Cornell Big Red ever makes it to the Final Four, I promise to be there. Transportation provided by my flying pig, of course.

The weekend went way too fast. Spring is here and the kids wanted to be outside. But it's also pollen season, which is particularly bad in the ATL. Thankfully I don't have allergies, but half of my family does. So half the time they look stoned. Nothing a little Visine doesn't cure, but nonetheless once everything has bloomed - I'll sell my stock in Kleenex.

It's also the end of the first quarter. I want to thank all the folks that bought the P-CSO thus far and my strategy and speaking clients. I've had a great Q1 and there is some exciting stuff right around the corner. But you'll need to wait until Friday to hear about it.

I'm off to slay a few more dragons, have a great day.

Technorati: ,

The Pragmatic CSO
The Pragmatic CSO is Here!


Read the Intro and Get
"5 Tips to be a Better CSO"


www.pragmaticcso.com

Top Security News

It's all in the point of view
So what? -  Though it's short, this interview with 3 pretty high profile CSOs in NetworkWorld is interesting (here). Not in anything that they say, no surprises there, but in how their perspectives are totally different because of the businesses they are in. The fellow from PayPal is worried about fraud and phishing. Shocker. The guy from Prudential worries about NAC (since he's got lots of independent agents that access systems) and laptop theft. The CSO of Boston Scientific is worried about content monitoring since all of his intellectual property is digitized. Clearly there are horizontal problems that need to be solved by security technology, but the reality is each industry has their own drivers for why they are worried about a certain technology, especially in the large enterprise.
Link to this

Extrusion prevention means something different to everyone
So what? - Network Computing is taking an interesting approach to reviews nowadays (here). They are calling it the "rolling review" and they lay out a market sector and then over a certain amount of time review and publish their findings on each submitted solution. This is an interesting idea because it probably makes much better use of their lab resources. But this is a crappy answer for a customer who is in the midst of trying to buy something. They don't want to wait for another 2 weeks to get the next review. They want all the information when they need it, which is right now. OK, off soapbox. The first incarnation of the rolling review will be on what they call "database extrusion prevention," which seems to me to be a DB monitoring and blocking tool. There are only a few vendors in this space, though I guess all the database players could say they do this. I guess I have a little broader perception of extrusion prevention and know that it's about more than protecting the SQL back-end. It'll be interesting to see how the reviews shake out.
Link to this

The hypocrisy of Oracle
So what? - All the hub-bub about Oracle suing SAP hit on Thursday after I was done with TDI, but it had me rolling on the floor. I have better things to do than read through a 40 page lawsuit, but lots of other folks did and basically saw a company (Oracle) crying over spilt milk (here is PBJ's coverage). Having spent 15 months of hard labor in the anti-spam business, I know a thing or two about bare-knuckles competition. Everyone has everyone else's box. Half of the competitors have access to a company's Salesforce database. Everyone knows all the deals that are happening, at least the big ones. And in a business with two real competitors, I'm not sure what Oracle is crying about here. Like the folks in Redwood Shores didn't invent bare-knuckles competition. That is probably (or at least was) the most aggressive sales culture out there. You bet folks at Oracle had access to the products of the competition. Every company that is serious about surviving in a crowded market does this kind of competitive analysis. Maybe this is another example of the 2007 Technology Lawyers Employment Act. But big companies have big legal staffs and can afford big legal bills. Make no mistake, SAP didn't do anything that most of the other companies in technology do every single day. So as a security professional do you worry about this? Maybe, just understand that your product (whatever you make) is likely in the hands of the competition and act accordingly.
Link to this


The Laundry List

A few marketing tips for VARs. Like do something (and get the vendors to pay). I'm not sure what that's so hard. - here
The first words from McAfee's DeWalt (as of 4/2 anyway). He needs to figure out what's going on. No kidding - here

Top Blog Postings

It's about the data
Digging into the archives a bit, Amrit discusses the importance of securing data, and used the metaphor of lost/stolen assets to get at the point. I agree and want to reiterate the importance of both an outside-in (traditional) way of viewing the risks and also an inside-out perspective. Most folks don't do the latter. Maybe they are throwing some hard disk encryption around to make the problem go away, but it's going to take a more fundamental approach to make this happen. Through my leak prevention research, I'm honing in on a process for data security. As with everything I do, it's pragmatic, easy to understand, and not really technical. But it's packaged in a way that hopefully gets the points across. After Q1 is done, I'll get on to publishing a lot of the stuff that been in my head, but I haven't had the cycles to write down.
http://techbuddha.wordpress.com/2007/03/17/dealing-with-lost-or-stolen-assets/
Link to this

Do we need SSL?
Pete Lindstrom asks an interesting question here, do we really need SSL? Does it do anything? Do most of the consumers out there even notice the lock or the green bar or whatever, or are they just numb? Though provocative, I don't think the question is relevant. SSL is out there and it's nearly universal for any kind of commerce related transaction, at least at the communications layer. Lots of folks believe that SSL meets a compliance need. Now I'll be the first to say that compliance does NOT equal security, but nonetheless it's not like people are going to turn off their SSL as long as the auditor says it's good. Does it increase the security of the transaction? I think it does. There are always ways to beat the controls and defenses, but it eliminates a path of least resistance like simple packet sniffing that is used by the unsophisticated. Especially in public places (like coffee shops, etc.).
http://spiresecurity.typepad.com/spire_security_viewpoint/2007/03/has_ssl_outlive.html
Link to this

Mind map of the future
Santa has just concluded a pretty interesting experiment using a mind-mapping application to get some smart guys to philosophize on the future of security. First this shows that if you get a crowd together, they will come up with some interesting stuff. But of course, it needs to be fleshed out some more to become actionable. Right now, the map is kind of a laundry list. I know there are plans to take some of these ideas and go deeper, and that's a good thing. It's about time someone has taken a more community oriented approach to pushing a security agenda. Hmmm. That gives me a few ideas, but you'll have to wait until Friday to hear them.
http://www.securitycatalyst.com/2007/03/25/advancing-the-future-of-security-a-mind-map-experiment-conclusion-next-steps/
Link to this

Recently on the Security Incite Rants Blog

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite