The Daily Incite - July 16, 2007

Submitted by Mike Rothman on Mon, 2007-07-16 13:13.
Today's Daily Incite

July 16, 2007 - Volume 2, #104

Good Morning:
I remember when I was a kid, growing up outside of New York City and there was a pretty serious winter storm. I remember a couple of feet of snow. Being maybe 10 or 11, I guess my Mom coaxed me to attempt to clean the driveway. We had a snow blower, but I wasn't old enough to use it. So I dutifully went outside with my shovel and in a massive effort of futility tried to move the snow. The more I moved, the more seemed to be there. 

What does this have to do with anything? No, I didn't leave my brain on vacation. A week in the tropics certainly didn't make me yearn for the snow either. But as I started this morning digging through the stuff that accumulated during my vacation, I had the same feeling. The more times I hit "J" in Google Reader, the more stuff seemed to be there. The more things I tagged in del.icio.us, the more I needed to tag. So it will be a multi-day process to dig out.

I had to acknowledge that because it was already noon before I looked up and figured I should start writing and leave some of the reading for later. I guess I shouldn't be surprised, but I am. It's been so long since I've really unplugged that I guess I forget about the sheer volume of stuff I process on a daily basis.

The vacation was outstanding, thanks for asking. After 13 years, the Boss and I still have fun together. I'm a lucky guy. Not that I expected anything different, but we spend so much of our daily existence keeping the ship afloat that sometimes you forget the carefree days before big mortgages, kids, and other grown-up responsibilities.

For those of you looking for a place to unplug from the world, I highly recommend the Four Seasons in Nevis, West Indies. We did splurge, but wanted to celebrate 10 years of marriage in style. It being the low season, there weren't many folks around - which was great by me. The last thing I want on vacation is to be surrounded by the chaos and activity that I get every day. It has maybe the best golf course in the Caribbean, though I didn't play during the week. I was too busy hanging out on the beach or by the pool, doing some snorkeling, and not worrying about much.

In case you are wondering, I was able to unplug almost instantly once we left the US. That was a new experience for me, but whatever stress I have is now self-imposed, so I wasn't worried about anyone poking me in the eye (besides the Boss). It was great not spending the first 3 days of the vacation trying to relax. I got through 3 books (Barry Eisler's The Last Assassin, Ludlum's The Janson Directive, and Cussler's Trojan Odyssey) and outlined my summer project, but I never felt the proverbial anvil over my head. Maybe that's because I left the anvil behind at my last "job", and that's a really good thing.

And I can also say that VoIP is truly a disruptive technology. We brought the Boss' laptop because I didn't want to be tempted having mine around and used it to call the kids. Sure the high speed access cost $15 per day, but other calls to the US cost a whopping $.02/minute. We used Gizmo, though I'm sure Skype would have been fine too. I loaded up $10 at the beginning of the week and we still had over $7 left at the end. And we checked in every day. Better yet, I didn't get raped after an hour on the phone with Delta to change our flight home. Compared to the $1.49/minute that cellular roaming would have cost or the even more outrageous hotel international calling rates, it was a real deal.

Of course, I missed the big Google/Postini deal, but I'll add my two cents below. I'll also weigh in on the ROI discussion started up by the Zen Master as well. Lots to do, but that's good. I am refreshed, sort of tan, and ready to jump back into the fray. Though a week on the beach doesn't suck, it would get old after 3 or 4 months. Sharing my Incite never seems to get old. That's my story and I'm sticking to it.

Have a great day.


Top Security News

Introducing Google-ini
So what? - Of course, the big news of last week was Google's $625 million acquisition of Postini, one of the most promising security IPO candidates. Most of the conversation around the deal centered on Google's focus on Microsoft, and that is clearly one of the key drivers for the deal. But let's hope (for their sake) Google does a better job with Postini than Microsoft did with FrontBridge. After thinking about it for a bit, I think Chris Hoff has it exactly right. Google realizes bandwidth is plumbing (and not highly valued), and is thus focusing on building out a new "application network" targeting small business. Though I don't believe they are focused on compliance, as this article would lead you to believe. Google correctly views security as a feature of its other stuff, which it is. So it'll be built into all of their business-oriented applications. Thus I suspect Google will continue to buy security stuff that works with their Web-centric model. And these guys are like Microsoft 15 years ago: iterating like crazy and getting it done. Being a security guy, the idea of all my business data in Google-land is still disconcerting, and the lack of native, clean BlackBerry sync is another real obstacle for me - but they will fix those issues, and I suspect within 2 years they'll have a suite of services that will allow a guy like me to shut down Office, turn off Exchange, and embrace my Web-top. Let's also look at some derivative impacts. It seems that MessageLabs and Proofpoint are the last email security players of substance left. I'd be surprised if either was still independent at the end of the year, and I'm not alone. Sure, there are a bunch of other players, but Barracuda is the other large one and they would have some issues integrating their business model into an acquirer. And everyone else is really too small to make an impact. So good for Postini and good for Google, who is clearly a player to be reckoned with across the technology landscape.

Endpoint war drums are beating
So what? - Although it seems that Microsoft is focused on fighting the last war (as opposed to Google fighting the next one), they will be marching all the way to the bank. The AV bank, that is. Usually it takes serious technical innovation to disrupt a mature and generally uninteresting market, unless you have a couple billion sitting around that you can use to buy a spot in the market. And that is exactly what Microsoft is doing as they roll Forefront out to the masses. The SMB masses via the channel, anyway. $50 million is the tip of the iceberg, and SYMC and MFE are exposed. Big AV can protest all they want, but Microsoft will be a player in the endpoint security market, and they are going to take their pound of flesh from someone. To really kick the incumbents below the belt, if I were Microsoft's BD guys, I'd be looking at Bit9 or Sana for the behavioral stuff and maybe Exploit Prevention Labs to add LinkScanning to the mix. Bundle those in and watch Big AV squeal. Kind of like in Deliverance. Now that's a nice mental image, eh?

White list - duh!
So what? - And just when you thought false positives wouldn't kill you. This NetworkWorld coverage of a law firm missing a big hearing because the notification was caught in the spam filter is very funny. Unless you were involved in the case. It's amazing to me that some folks don't take very simple precautions to ensure this stuff doesn't happen. So I'm all for tightening up your defenses, especially relative to spam, but be smart about it. Figure out the 10 or 20 domains YOU CANNOT BLOCK and set up white list entries for them. You don't want to white list everything, but something from 'federalcourt.gov' probably should be let through, even at the risk of it being spam. And have your users monitor their quarantines. Nothing is 100%, so you need to keep the technology honest. Sure, it takes up some time, but not nearly as much as explaining to your client why you blew the case.
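As an added example (not from the original post or the tools it mentions), here is a small Python policy check that applies exactly the kind of short, explicit "cannot block" list the item recommends on top of a spam verdict. Because a From: domain is trivially forged, the exemption is honoured only when the filter reports that SPF/DKIM verified the sender domain; the domains, score threshold and sample messages are constructed.

```python
# Added example: a minimal "cannot-block" allowlist layered over a spam verdict.
# The list is short and explicit, matches exact domains and their subdomains,
# and only overrides the filter when the sender domain was authenticated, so a
# forged From: address does not inherit the exemption.
from email.utils import parseaddr

# Constructed allowlist: the handful of domains a firm can never afford to lose.
CANNOT_BLOCK = {"federalcourt.gov", "uscourts.gov", "example-client.com"}

def sender_domain(from_header: str) -> str:
    """Return the lowercase domain from an RFC 5322 From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")

def is_allowlisted(domain: str, allowlist=CANNOT_BLOCK) -> bool:
    """Exact match or subdomain match (ecf.federalcourt.gov -> federalcourt.gov).
    A lookalike such as federalcourt.gov.evil.example does NOT match."""
    return any(domain == d or domain.endswith("." + d) for d in allowlist)

def disposition(msg: dict) -> str:
    """Decide 'deliver' or 'quarantine' for one message summary.
    msg keys: 'from', 'spam_score' (float), 'auth_pass' (bool: SPF/DKIM verified
    the sender domain). The 5.0 threshold is a constructed value."""
    domain = sender_domain(msg["from"])
    spammy = msg["spam_score"] >= 5.0
    if not spammy:
        return "deliver"
    if is_allowlisted(domain) and msg["auth_pass"]:
        return "deliver"  # allowlist overrides the filter, but only when authenticated
    return "quarantine"

# Constructed sample messages, as if summarised from a filter's log.
SAMPLE = [
    {"from": "Clerk <notices@ecf.federalcourt.gov>", "spam_score": 7.2, "auth_pass": True},
    {"from": "Clerk <notices@federalcourt.gov.evil.example>", "spam_score": 7.2, "auth_pass": True},
    {"from": "notices@federalcourt.gov", "spam_score": 7.2, "auth_pass": False},
    {"from": "deals@bulkmail.example", "spam_score": 9.9, "auth_pass": True},
    {"from": "bob@partner.example", "spam_score": 1.0, "auth_pass": False},
]

def run_sample() -> list:
    """Disposition for each constructed message, in order."""
    return [disposition(m) for m in SAMPLE]
```

The second and third samples show the two ways an allowlist goes wrong: a lookalike domain and an unauthenticated message from the real domain both stay in quarantine, which is why the post's advice to have users monitor their quarantines still applies.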

The Laundry List

  1. Web 2.0 content filtering? Startup Techrigy announces a buzzword-compliant service that tracks what folks are saying on blogs, etc. This is not novel, sports fans; lots of folks already do this, but if it's priced to move it could be interesting. - InformationWeek coverage
  2. Web access to Outlook, NOT OWA? This is a train wreck waiting to happen. IIS on personal machines and little thought given to security. I have another idea, it's called remote control. Ever heard of GoToMyPC? - SearchExchange coverage
  3. Talk about padding the results. Looks like bots like Windows Live Search better. Has Nielsen figured out how the bots are watching Survivor yet? - InformationWeek coverage
  4. Free as in Beer. Here is PC World's list of 15 free security tools. It's a good list for your family because the price is right, but the free stuff won't do for corporate use since you need to manage it, eh? - PCWorld coverage

Top Blog Postings

ROI rears its ugly head
Just when you thought it was safe to go back into the water... It seems that the Taoist poked the bushes a bit and the dormant ROI fiends jumped out. Thankfully Richard did a good job of beating them back. First was his interesting case study on how to try to make the case for monitoring, especially when you are resource and money constrained. Then, after the discussion was expanded by the likes of Alex Hutton, Cutaway and Ken Belva, Richard unleashed both barrels in two posts (No ROI? No Problem and Security ROI Revisited) justifying a statement at the end of the case study post that should already be self-evident: "The bottom line is that security saves money; it does not create money." Now Belva and I got into it a bit last year, and we agreed to disagree. And I still pretty much disagree with these attempts to "quantify" the value of security. So how do Pragmatic CSOs justify monitoring, which is a key aspect of the operational process? It's all about reacting faster. Can you mitigate damage faster? You do a few scenarios to "show" how money can be saved by fixing stuff faster. Are the scenarios trumped up and theoretical? Let's hope so, because if you are using real data, odds are your predecessor has created quite a mess for you to clean up. But that's part of the game. In reality, P-CSOs sell their senior team on a PROCESS and get them to buy into the process by running their security operations as a business. Spending a lot of time to really quantify risk and build an air-tight business case is (in my experience, anyway) time you are not spending doing your job.
http://taosecurity.blogspot.com/2007/07/network-security-monitoring-case-study.html

What did that kid eat?
After going through the baby to potty trained process with 3 of them, I can say I've never seen a blue poop. Not even after a bunch of blueberry icy pops. Blue tongues and teeth, yes. Blue clothes, absolutely. It seems the alimentary canal absorbs the blue before you see it again, thankfully. My bud AndyITGuy talks about a slow, blue poop security model in this post and you have to give the guy some props for working all that up into something sort of tangible. I'm not sure I like the name, but the reality is a lot of organizations do enough to get by, but don't really protect much of anything. And that's OK because even that little bit could be enough to offer enough resistance to get a bad guy to move on. But as Andy says, it's certainly not the way to go about your daily activities. What you want to do is build a strong security program that espouses the benefits of taking security seriously. Yes, that's what the Pragmatic CSO is all about. 
http://andyitguy.blogspot.com/2007/07/slow-blue-poop-security-model.html

NAC and VoIP - not so much
Break out the Borat voice again and thank Shimel for calling out Tim Greene's lame column on VoIP and NAC. Here's how I think this went down. Tim has nothing to write about. Some vendor pitches him on how NAC can help protect VoIP by keeping bots off the network. The newsletter deadline looms, so he writes it up. As Alan says, you can sort of scan a VoIP phone a little, but is that really the danger? You can sort of find bots using a pre-connect check, but is that the best way to detect a compromised machine? No and no. This is another case of security marketing gone wild, where everyone tries to attach themselves to every possible bandwagon, no matter how tenuous the connection. And every so often they get lucky and a tired, over-stretched beat reporter buys into it. Sad, but true. Now if you are justifying your NAC project based on protecting VoIP devices and traffic, my hat's off to you. Clearly you have everything else locked down tight and the only FUD you have left to throw at your senior team is VoIP.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/07/nac-and-voip.html


Submitted by shrdlu (not verified) on Mon, 2007-07-16 19:13.

Oh, I've seen blue poop, all right. There was some fluorescent, electric blue ice cream at a TCBY that I made the mistake of letting my kid eat. It was exactly the same color coming out -- it's enough to scare you, well, poop-less, especially if nobody warns you.
