The Daily Incite - September 6, 2007
September 6, 2007 - Volume 2, #129
Good Morning:
What is the key to happiness? Yeah, I know - it's a deep question and
probably a little heavy since we are all shaking out those summer
cobwebs now that September has arrived and we need to get back to work.
I ask because like most of you, I'm still looking. I haven't found the
answer, even though I think I'm closer than I was two years ago.
Actually, I'm not sure there is an answer. Maybe it is that "one thing"
that we learn about in City Slickers.
I went to a party last night with a bunch of old friends and
colleagues. Some were happy, quite a few were sad. The folks that were
happy spend a lot of their time doing stuff they like in an environment
they enjoy. The ones that are sad aren't, but it seems they are too
comfortable to make a change, even though they hate what they are doing.
What's that about? If anything, seeing old friends reiterated how much
I enjoy what I'm doing now. Sure there are days where I miss the battle
and the camaraderie of being in the foxhole of security as customers and
competitors are firing live ammo at you. Sometimes I wonder if I'm
getting soft and losing my aggressive streak because I don't need to
"go for the throat" on a daily basis anymore.
I've come to realize that those days are in my rear view mirror. I
don't need to bite the heads off of bats anymore to get a rush. The
stuff I learned in the field was invaluable to make me a better analyst
and teacher and mentor and friend. But being able to get past it and
embrace what I really enjoy is a good thing. I've stopped questioning
my path and started enjoying the trek.
So I'm assigning you some homework this weekend. Are you doing what you
love to do? Do you even know what you love to do? If you can't
definitively say yes to both of those questions, then you have some
thinking and contemplation ahead of you. Spend some time figuring it
out. You'll be glad you did.
Ultimately you decide how you spend your day and it's in your power
to change things. Not mine. As much as I wish I could shake some of my
complacent friends, smack them upside the head, and get them to take
some action because they are stale and they are wasting time - I can't.
I hope they remember that time is the only thing we don't get back.
Have a great weekend.
Technorati: Information Security, CSO
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Hiring good engineers is everyone's problem
So what? -
For such a thriving market, it is a little mind boggling that we can't
seem to find the technical folks we need to do security right. David
Strom has a tip on SearchSecurityChannel about how
VARs looking to get into managed security need to find security
engineers. The advice is pretty light, but it makes a very
important point. It's not just VARs that need these folks. End users
and vendors also need to hire great security engineers. This has
become a systemic issue, by the way. We are definitely not training
enough folks to keep pace with the growth of the attack surface and the
need for businesses of all sizes to do security more seriously. So what
to do? We're going to need to grow some. That means big companies need
to start a "farm system," where capable and young technologists learn
the security trade. This will involve some formal curriculum and
training, but also a lot of learning in the school of hard knocks. In a
perfect world, we could hire great folks that already know exactly what
we need them to know. Of course, this world is far from perfect, so
count on growing your own.
Understand the secrets of vendor pricing
So what? -
When I had marketing jobs, a lot of folks were a bit surprised that I
had no formal marketing training. Actually, most said that explained
things, but that's a different story for a different day. But it worked
out because the reality is, you can't learn to market security products
from a text book. Or any technology products for that matter.
Especially when you think about pricing. NetworkWorld
has an interesting article that tries to explain how software pricing
works, but doesn't do a great job because there really isn't
a good explanation. Pricing is based upon perceived value and real
ability to pay. It costs less than a dollar to generate a DVD with code
on it. But large enterprises will pay HUNDREDS of thousands for that
software. Right, it's about value and competition and ultimately what a
vendor thinks their customers will pay. It's not really more scientific
than that. It was very interesting to live through Barracuda's entry
into the anti-spam market, where they very quickly reset smaller
companies' perceived value for the technology. And once that perceived
value goes down, it doesn't go back up. I learned that the hard way.
Revisionist history 101
So what? -
I know I've been hammering the NAC space lately, but I can't help it.
There is so much silliness going on, I just can't hold my tongue. And
since I don't have to - HA! I just let it fly. By introducing oneNAC,
Cisco is hoping that we all forget how they got to their current place.
Tim Greene does his beat reporter best to
regurgitate Cisco's propaganda in his NAC newsletter. Cisco
is clearly trying to spin a story that the NAC appliance is about a
non-disruptive means to add NAC and their NAC framework is a more
"strategic" direction. Now the time has come to merge the two into
"one-derNAC." Of course, a few of the NAC dwarfs (Shimel and McLean) need to have their say
about Cisco's plans, but that shouldn't be a surprise. When Cisco
passes gas, these guys suffocate, so they are going to have an opinion.
But back to the topic at hand. Let's
be clear, the NAC framework was the direction until two things
happened. First, no customers were interested in the NAC framework. It
was too early, it was too heavy, and it didn't solve any customer
problems. Details, eh? Second, they bought Perfigo and then had
something less disruptive that customers were kind of interested in.
Ergo, this wasn't a "planned" set of options to provide customers -
this was real-time improvisation based upon market realities. Which, by
the way, is fine and the right way to do things. I just object to
trying to recast the past to make it seem like this was the plan all
along. That's a load of crap.
The Laundry List
- Did we learn anything from the sub-prime mortgage woes? "Creative financing" are words that probably shouldn't be used together, especially not when talking about big channel deals. - SearchITChannel coverage
- Deal: Citrix gets into the perimeter SOA and XML security and acceleration market by taking out QuickTree. Yet another feature added to perimeter boxes. - Citrix release
- Great, now every Web 2.0 wanna-be is going to be writing viruses. CrunchGear highlights the emergence of malware toolkits. This may be the hot present this holiday season. - CrunchGear
- Less value for higher prices and grumpy customers who continue to write the checks. Who said technology research was a crappy business? - ARcade blog
Top Blog Postings
Integration at multiple layers of the security stack
Would someone please give Hoff something to do? A real workload, some
kind of big innovation to work on in his new shop. Something! Anything!
My friggin' head is going to explode. All he does is write
thought-provoking blog posts that poke at a lot of the idiocy in the
market. In this post, the inimitable Hoff talks about how we've added
agent after agent after agent on the desktop and now it kind of looks
like the network perimeter. He's right, and most of Big Security has
responded by increasingly bundling much of their worst-of-breed
technology under one interface, but that's veneer at best. When your
defensive products are burning up 30% of your desktop CPU, then you're
doing something wrong. And as much as Intel and AMD want you to buy a
bigger, faster chip to keep up - it's the wrong answer. But this
creates quite a quandary because laptops need in depth protection when
they venture away from the mother ship and end up in malware cesspools
like coffee shops and airline clubs. So what's the answer, O Great
Hoffian one? Actually killing the endpoint cash cow and doing the right
thing by sharing data between the networks and devices? Yeah right.
Nice idea. Maybe that will work in Naive-land. Hoff is right in that
the existing security business is largely built on greed and milking
cash cows. We are ripe for disruption, but I don't see any on the
near-term horizon. So the cows will keep pumping milk and the parasites
(like me) will keep talking about it.
http://rationalsecurity.typepad.com/blog/2007/09/we-used-to-worr.html
What spurs competitive advantage?
Not security, that's for sure.
I guess Ken Belva must be on vacation. How could he let Mark Curphey's
shot across the bow about security and competitive differentiation go
by with nary a whimper? Maybe I missed it, that's possible. At
the risk of having Ken jump on me again (I'm OK with that risk), I'm
with Curphey. Security doesn't help you sell more products. It should,
but it doesn't. Bad security seems to not hinder your ability to sell
things either. Ask TJX about that. Mogull speculates that if this was happening
every day, then folks would stop shopping at TJX, but I'm not
so sure. Most folks just don't care. And the folks that do care, know
they are only liable for $50 and the banks usually don't enforce that.
Of course, it's good for the security business if these institutions
never catch on and keep pumping money into the security industry. So I
won't tell if you don't. OK? Mum's the word.
http://securitybuddha.com/2007/09/04/security-and-privacy-are-not-competitive-advantages/
MSFT on password policies
Steve Riley does a good job clarifying why Microsoft handles password
policies the way they do. They don't set mandatory account lockouts
and rely on third parties to disable dead users. Whatever. Personally,
I think account lockouts are critical. Yes, they are a pain in the ass
and yes they are expensive, since a human has to unlock the account
(usually). And no, you don't need to lock out the user after 5 failed
attempts; it can be 20 or 30 and still be effective. You aren't
penalizing the user, but rather trying to block a dictionary attack.
Disabling unused accounts needs to be part of the de-provisioning
process and although there is technology that can make it happen - I
don't think that's Microsoft's problem. I am coming around to the idea
of using long passwords, but not complex passwords. The reality is I
need something that I can remember. Having to add special characters
and capitals and not being able to repeat numbers seems kind of silly
to me. Ultimately you have to balance password complexity with
potential loss and help desk costs to figure out what makes sense in
your organization.
http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx
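To put numbers behind the two claims above (a 20- or 30-attempt lockout still starves an online dictionary attack, and a long password beats a short "complex" one), here is an added example that is not from the Daily Incite post, from Steve Riley, or from any Microsoft product: a minimal sliding-window lockout policy with an attacker guess budget and a password entropy comparison. The threshold, window and lockout durations are assumed values, not anything the post or Microsoft specifies.

```python
"""Added example (not from the post or from Microsoft): a sliding-window
account-lockout policy plus the arithmetic behind the 20-30 attempt claim."""
import math
import time
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after `threshold` failures inside `window_s` seconds.
    Failures older than the window age out, so a user's occasional typos
    never accumulate into a lockout, while a scripted guesser trips it fast."""

    def __init__(self, threshold=20, window_s=600, lockout_s=900):
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self._fails = defaultdict(list)   # account -> recent failure timestamps
        self._locked_until = {}           # account -> time the lock expires

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(account, 0) > now

    def record_failure(self, account, now=None):
        """Register one failed login; returns True if the account is now locked."""
        now = time.time() if now is None else now
        recent = [t for t in self._fails[account] if now - t < self.window_s]
        recent.append(now)
        self._fails[account] = recent
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_s
            self._fails[account] = []     # counter restarts once the lock expires
        return self.is_locked(account, now)

    def record_success(self, account):
        self._fails.pop(account, None)    # a good login clears the counter


def online_guesses_per_day(threshold, lockout_s):
    """Upper bound on guesses an attacker gets at ONE account per day:
    `threshold` guesses, then a forced wait of `lockout_s` seconds, repeated."""
    return int((86400 / lockout_s) * threshold)


def days_to_exhaust(dictionary_size, threshold, lockout_s):
    """Days needed to try every word of a dictionary against one account."""
    return dictionary_size / online_guesses_per_day(threshold, lockout_s)


def password_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols drawn from
    `alphabet_size` choices; a 20-char lowercase passphrase (26 symbols)
    out-scores an 8-char password using all 94 printable ASCII symbols."""
    return length * math.log2(alphabet_size)
```

With a 20-attempt threshold and a 15-minute lockout an attacker gets at most 1,920 guesses per account per day, so a one-million-word dictionary takes over 500 days; raising the threshold from 5 to 20 changes that by a factor of four, not by orders of magnitude, which is the point being made.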