The Daily Incite - August 20, 2007

Submitted by Mike Rothman on Mon, 2007-08-20 09:23.
Today's Daily Incite

August 20, 2007 - Volume 2, #122

Good Morning:
Gluttony. That's definitely my favorite of the seven deadly sins. Though Sloth is up there, but my kids have a different idea most days that make being a sloth pretty hard. I kind of dig greed at times as well, but I'm working on that. But back to gluttony because I just got back from a boys' weekend in NYC and it was definitely gluttonous.

Though not as gluttonous as we expected, due to an unexpected curve ball thrown by Mother Nature that beaned the air traffic control system right in the head. We suffered from Luger Interruptus on Friday night because we couldn't get to the city for our 8:45 pm reservation at Peter Luger's. To provide some context, our flight was scheduled for 1:45 PM. After two boardings and unboardings, a trip to the tarmac (to wait for almost 90 minutes) and then a line of about 30 planes backed up heading to the northeast - we finally got to NYC at 10:15 PM. Only 6 hours late. Big bummer. I guess we'll hit Luger's next time and make the reservations for Saturday night.

We didn't let that get us down, although we could have. Thankfully my ATL posse (and the assorted family and friends we had meet us at our varied events) is pretty even keeled, so we kind of dealt with it. The rest of the weekend was great. As you tend to do in NYC, you eat too much, drink too much, and stay out too late. 36 hours of gluttony. That's what boys' weekends are for, no?

On Saturday the weather was glorious. Mid-70's, sunny and just awesome. We started at Carnegie Deli for a late AM breakfast. Of course there are less "touristy" delis, but one of the group hasn't really toured NY, so we wanted to show him the sights. Then we headed up to the Upper East side for some cocktails on our way to the Yankees-Tigers game. One of my boyz is a huge Detroit fan and another a big Yankee fan. The Detroit fan was a bit sad after the game, but it was nothing that 20 beers didn't solve. We then grabbed some pizza (yes, the pizza everywhere else just sucks) and then partied in the Village until... well I'm not sure when we got back. Yep, it was that kind of night.

Then a NYC bagel on Sunday AM and back to the airport to resume real life. NY and I have a love-hate relationship. I hate the lifestyle, but love the food, culture and activity. So it's a great place to visit, but I can't imagine living there again. There are people that can't imagine not living in NYC, but I'm not one of them. I'll just visit a few times a year and enjoy the balmy (I mean hot as balls) weather and more laid back lifestyle in the South - thank you very much.  

It'll be a full week of activity as I finish up my summer project. Busy busy. Have a great day.

Top Security News

Deal: Sourcefire gets crabs, I mean Clams
So what? - They say not to go out without your raincoat on, and it seems Sourcefire has caught a case of clams with their ClamAV purchase taking out the open source AV project. Of course the open source yenta has a lot to say on the deal, and he's largely right. Sourcefire knows how to monetize open source and they are going to do that with ClamAV. Does this get them into the UTM space as many are speculating? No. If they were to buy the IPTables project and OpenVPN, perhaps then. But having an AV engine run on an IPS box is not UTM. The good news is that Sourcefire is doing something. The bad news is that this deal isn't going to move the needle on making them a long term power in the network security space. Good try, but no cigar.

What's hot in security?
So what? - We are definitely coming to the end of the summer. Kids are back in school and never mind the 90 degree weather, the leaves will soon change and it'll be time for another fall (football, YEAH!) and then winter. How do I know? At the end of the summer, I usually have a lot of folks give me a ring and ask me what's hot because they took the summer off (after their deals closed or they decided to make a change) and they want to know what to focus on for their next gig. Many of my contacts are start-up types, so these folks are looking for a good combination of hype and market potential. They want to be early enough into a space that competition is still emerging, but not so early that early adopter customers don't know what the technology does. My two candidates are database security and DLP. Yep, I think database security is poised to break out over the next 12-18 months, for large enterprises anyway. As this SearchSecurity post indicates, there are some real customer drivers behind securing the database. It's not the first thing a customer should do, but as they look to lock down for PCI and the like, it's definitely something to consider. Likewise DLP is over-hyped, but also solves a problem. That market is a bit further off from where I'm sitting and competition is increasing. Chris Harrington rants a bit about the space on his blog. Of course there is NAC, but I don't tell my friends to enter that space now. Too much hype, too much competition. Those markets are about as fun as a root canal, although I do know some folks that dig gut-wrenching pain.

Yup, wireless security is a feature
So what? - Sometimes it feels like my life is Groundhog Day. I seem to have the same conversations with the same folks about why their market is a feature of the larger security stack. If you weren't convinced that wireless security was pretty much there, check out this interview in which a Cisco wireless exec talks about the stuff they've built in for security. Now I'm not saying that Cisco is the end all be all and everyone else should just give up. Folks like Aruba have built good companies filling in the gaps. But they are a broader wireless infrastructure player, not a security specialist and they are doing acquisitions to bolster their internal security prowess. The big objection I hear from wireless security players is focus. "Big companies like Cisco aren't focused on wireless security and our stuff is more secure and better" is a pretty common refrain. Then I go into my "good enough" spiel and remind these folks that the big guys will be good enough for the vast majority of the market. So if you are on the end-user side, find a solution that meets your needs. There is no award for getting the "most" secure stuff, if your requirements are more modest.

The Laundry List

  1. Skype still down, Patch Tuesday the cause? Who knows, who cares? It just underscores the need for Plan B for everything. You never know when your communications will be impacted and you need to be ready. - The Register coverage
  2. A secure VoIP network? This Enterasys bundle seems more like bandwagon-jumping, but it indicates the kind of solution packaging you'll see a lot more of in the coming year as big companies with lots of products try to figure out more efficient paths to market. - NetworkWorld coverage
  3. It's SMART not to take down your critical networks by scanning. Cisco releases a passive mapping tool via Open Source. Maybe IOS will be the next thing open sourced. HA! - LiquidMatrix blog
  4. Academia support groups start your engines. Vista will be appearing on a campus network near you, and it'll break things. Probably lots of things. - SearchSecurity coverage

Top Blog Postings

Another beautiful day in SecurityLand
This post from Layer 8 is dying to be made into the first comedy book about being a security officer. Not sure who peed in shurdlu's diet coke, but this post is a riot and there is a lot of truth to it. Here is a quote about why security is great: "You can issue a lot more ridiculous commands in the name of security, and what’s more, you get to see them enshrined in corporate policy." And on compliance: "C*mpliance.  Whoever invented that word was one sadistic mofo.  It’s got shades of National Socialism mixed with the dusty funk of 65-year-old auditors, with a couple of power ties from the ‘80s thrown in.  I can use it to justify any expenditure, kill millions of trees in a single reporting period, and give sweet desk jobs to all of my friends, no matter which consulting company they work for.  I can turn my 5-year-old’s artwork into a PowerPoint slide and make the management think it’s the newest ITIL model.  Then I can rotate it 90 degrees, flip it 180, and sell it to them the following month all over again." Seriously awesome stuff. Has the security version of Dilbert been born?
http://layer8.itsecuritygeek.com/index/layer8/introducing-the-bsofh/#When:14:23:00Z

Virtualization security is also a feature
The folks over at VMware have been busy. Sure, creating $18 billion of value last week evidently took up a lot of press cycles because they didn't even do a release announcing their acquisition of Determina. Doing a kind of Google-like, we'll buy something and build it in, the plan evidently is to use Determina's memory IPS capability to further protect the hypervisor from security attacks. Will it work? Who knows? But the fact that VMware is even doing this deal indicates that they understand that their business is all about trust. Do you trust that the hypervisor is secure? Do you trust that it's not compromised, thus pwning my infrastructure at the bare metal layer? If a big time security issue was found in the hypervisor, there would be a run on the bank and the market cap losses would be measured in 10 figures. Maybe 11 figures. So spending a little to try to get out ahead of the curve is a good idea. But as Hoff discusses in a broader post about virtualization security, it's not clear what scraps will be left on the table for anyone else.
http://rationalsecurity.typepad.com/blog/2007/08/oh-snap-vmware-.html

Keep your Wi-Fi secure-Fi
Just in case you are wondering what kind of security advice is available to the masses, check out this post on Web Worker Daily. Being a nomad myself, I do pay attention to this site because they tend to have some good tips for folks who spend more time in coffee shops than anywhere else. So when they started dispensing security advice, my BS detector went into high gear. The advice is decent, which basically equates to connect via a VPN on any kind of open Wi-Fi network. They also advocate using a firewall, but don't necessarily help to configure it or provide any advice along those lines. Though I don't dig when they say things like a personal VPN product is "just as secure as VPNs found on large networks" or that a $100 product offers "airtight security." The reality is that even with these tools a machine can be owned. Though it's good to see at least someone pay some attention to security and maybe help Web Workers become a bit less of the path of least resistance.
http://webworkerdaily.com/2007/08/15/keeping-your-public-wi-fi-sessions-secure/
