The Daily Incite - September 12, 2007
September 12, 2007 - Volume 2, #131
Good Morning:
Happy Birthday to Lindsay and Sam. That's right, my twins turn 4 today.
It's a bit anticlimactic because we had the big birthday
blow-out last Saturday, but we'll still have a fun day. I'll make an
appearance at the twins' school and we'll do a cake and the like.
That's one of the best things about working for myself - I can blow out
for an hour or two during the day and hang with the family.
The Boss and I actually picked September 12 as the twins' birthday.
Since there were two of them and it was a high risk endeavor, the Boss
had a scheduled C-section. We were pretty set against having them born
on September 11. It didn't make sense to be trying to celebrate birth
and mourn death on the same day - not if we didn't have to anyway. Even
six years later, Sept 11, 2001 is still firmly etched in my mind.
I remember flying into Boston (I was working at SHYM at the time) that
morning. I remember heading into the office and hearing some buzzing
about planes and the World Trade Center. I remember watching the towers
fall on my CEO's handheld TV that he takes to Pats games. I remember
trying to get in touch with my folks to let them know I was OK. I
remember being stuck in Boston for 4 days and having to take the train
back to DC. I remember everything and odds are I won't forget. I hope I
don't forget.
My condolences to anyone that lost a loved one 6 years ago. That pain
never goes away.
Little did I know that 2 years and 1 day later we'd welcome the twins
into the family. Twins don't run on either side, so that was truly one
of the big surprises I expect to have in this lifetime. But it's all
good - it's just hard to believe it's been 4 years. They are little
people now. Most interesting to me are the dynamics between all the
siblings. To see how they interact and are actually becoming friends is
cool to see.
Tonight also starts the Rosh Hashanah holiday. So we close
the book on Year 5767 and look to open the book on 5768. I usually take
some time over the next 10 days or so to reflect on the last 12 months,
and get my arms around what may happen in the next 12. I used to be
much more of a planner, but now I kind of let things flow. I still set
goals, but I'm not as focused on them. They are more like mile markers
to me. Things I want to do, as opposed to things that I have to do. I
guess that's good, in that I don't need to continue achieving things on
a list in order to feel fulfilled.
So L'Shana Tova to any of you celebrating tonight. I wish you
happiness, good health, prosperity, and fulfillment in this New Year.
Follow your dreams, listen to your gut, and try to laugh a bit every
day. That's about the best we can do.
Have a great day. I'll be back on Monday with a big announcement that I expect
will keep me pretty busy over the next year.
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Top Security News
ArcSight hopes to reach the starting line
So what? -
I remember the day META Group went public. Our CEO, Dale Kutnick, said
something that stays with me to this day. He basically told us that the
IPO is a great accomplishment, but it's only the beginning of the road
to building a long-term, sustainable business. Now ArcSight has filed its S-1 with the SEC
to do an IPO. I love S-1s because there is nothing to hide. No more
hiding behind "we are a private company and don't divulge X, Y or Z."
So what do we find in ArcSight's S-1? They did about
$70 million on the top line. Almost 40% of it was services, which
indicates the category is still very integration centric. Product
license growth was significant between 2006 and 2007. ArcSight's 10 top
customers were about 31% of revenues. That's an average of $2.3 MILLION
for the top 10 customers! Those are big deals. Deals that size are hard
to sustain over time. It's also good to be ArcSight CEO Robert Shaw,
who owns 10% of the company. But to his credit - he's making
concessions now that the company is going public. Now he has to pay
his own yacht and country club fees. My heart goes out to you man.
Which one is Dopey? Sleepy? Grumpy?
So what? -
CRN has an interesting bake-off between 3
security suites. So how did McAfee do against Symantec and
Trend? Well, they actually compared Kaspersky, Grisoft, and Panda. 3 of
the AV dwarfs. Of course, these dwarfs are bigger than 95% of the
vendors in other security categories, but I digress. The one thing I
come away with is that all the products
are decent, thus I'm going to state the obvious. AV (and other malware
defense) suites are true commodities. All stop viruses and other
malware attacks. The vendors
will try to differentiate based on this widget or that, but in reality
these suites are pretty much the same. So it gets down to price. Shop
hard and buy based on price. Yes, you want to use a different engine on
the desktop than on the perimeter gateway. But there isn't a lot of
value add and in a lot of cases, there is value-subtract. If the
desktop suite breaks stuff (like the firewall just turning off
applications and the like), then it is subtracting value. By the way,
CRN likes Panda the best - but all of the solutions from the Snow
White triad and the dwarfs are good enough. And yes, good enough is
good enough.
CIO Security Survey - same old, same old
So what? -
Yes, security is an industry. It's increasingly being baked into the
infrastructure. Not well enough or fast enough, to be clear, but it's
happening. The 5th CIO "Global State of Information
Security" confirms what most of us already know. Here is a
list of the "conventional wisdom." We don't
get enough money, our trading partners suck, we know we are exposed,
and that banks tend to be out ahead of the adoption curve. Yep, pretty
predictable. The thing that surprised me was that there is no
difference in security spending between small and large companies. They
spend the same percentage. Hmmm. That's counterintuitive, but shows
why mid-sized companies continue to be behind the 8-ball. A big company
spends more money, that's obvious. But given the attack surface does
not scale up linearly with the size of company (a large company with
100,000 employees probably doesn't have 100 times the number of web
sites with sensitive information as a company with 1000 employees),
you'd think mid-sized
companies would need to spend more on a relative basis to be secure.
Maybe that's why those folks are the path of least resistance.
The Laundry List
- Someone needs to make this into a mass email joke. Farnum should have put more spaces in to get the answer below the fold, but this is great. - Farnum's ComputerWorld blog
- RSA will build security stuff for VMWare? Really? Them and everyone else. - Reuters coverage
- Add McAfee to the list of those jumping on the virtualized bandwagon. This is great - their AV stuff actually works on a virtualized OS. Talk about a Barney release. - McAfee release
- 10 seconds. Someone else in the UK is a cybercrime victim every 10 seconds. The problem will get worse before it gets better. - AFP article
- This month's column on SearchSecurityChannel is about incident response and how VARs can and should make this a key part of their offering - Rothman SearchSC column
- SearchSMB piece on encryption. I rant a bit about where encryption can and should be used by mid-sized businesses - Rothman SearchSMB column
- Should PCI be overhauled? That's the topic of my tip on SearchSecurity this month. Check it out. - Rothman SearchSecurity tip
Top Blog Postings
Click or brick - it's all about tracking the supply chain
Remember a few years ago, when click and mortar was all the craze? Some
companies get it and some don't. Like when I can't return something I
bought at HomeDepot.com to the store. Very very annoying. And we all
pay higher prices because of "shrinkage" and other fraud that adds
friction to the commerce system. I'm pretty interested in how products
flow through the supply chain and sometimes "disappear" without a
trace. Some companies must figure it's a cost of doing business. But Ed
Dickson points to a seemingly interesting technology that addresses
whether returns are legitimate by tracking the product through its
route from manufacturer to customer. It's a pretty long and rambling
post, but there's some good stuff in there. Especially if a lot of the
big (and high demand electronics manufacturers) started actually
tracking their products. It would clearly cut down on fraudulent
returns, and maybe help to drive down costs a bit too. We could all use
that.
http://fraudwar.blogspot.com/2007/09/siras-pi-tracking-theft-to-source.html
Best of breed vs. suites (again)
Marcin brings up the age old discussion about best of breed vs.
integrated suites - yet again. He puts together a few scenarios and
wonders if someone would spend an extra $37,000 to be "more secure." He
does point out that an integrated suite may result in streamlined
management, which could make the $30,000 savings a lot more than that.
But ultimately I think the entire discussion is a red herring. There is
no right or wrong answer, it's all about what you are trying to
protect. On the desktop, I think an integrated agent makes sense, since
it (allegedly) reduces complexity and eases management. Nothing wrong
with that. On the perimeter? Again, integration can make sense - but if
you have the expertise and requirement for lots of knobs and
specialized protection - then that may work for you. There are no
absolutes, only the context of solving your business problem. The
esteemed folks at Goldman just published their security survey and it
seems that best of breed is alive and well in the large enterprise, but
integration is a trend in the mid-sized segment and below. According to
them anyway, but that finding is consistent with lots of the
conversations I'm having.
http://www.tssci-security.com/archives/2007/09/10/buying-best-of-breed-versus-bundled-services/
I don't even know how to spell Haiku
I'm going to end today with a little humor from your favorite (and
mine) security innovator - that's right the inimitable Chris Hoff. Last
week he published a little poem about our security history and
everything rhymed. Which is quite an accomplishment - I'm not kidding.
I remember back in the mid-90's doing a security thing for my
NetworkWorld column in the rhythm of "'Twas the night before Christmas"
and it was brutally hard. And my attempt really sucked. Although I
can't really do justice to the entire piece by excerpting it, just
check this out:
for the next frontier's here...YES! Virtualization!
Like perimeter Viagra, from our security Pfizer,
we're all solid now, all hail...Hypervisor!
Perimeter Viagra. That's awesome. I guess it would be good for
Stiennon if everyone bought six and could go all night. Thanks to Hoff
and his poison pen for allowing me to laugh a bit.
http://rationalsecurity.typepad.com/blog/2007/09/security-haikuo.html
Back in 2000 when I was at CertCo our HR Director was giving away some prize for the best Haiku. One of our QA guys wrote an X-rated PKI Haiku. Gotta love us crypto guys. With lines like "Nobody buys our sh*t", I could not stop laughing for a week.
--Chris
Mike, I appreciate your efforts with this blog and as a security professional. I do want you to review your facts and assumptions a bit. Look further into the S-1 for ArcSight. Here are the actual numbers provided further down in the S-1 Maintenance and Services Revenues. Maintenance and services revenues for fiscal 2006 and 2007 are detailed in the following table:
Fiscal Year Ended April 30 (in thousands, except for percentages)

                                      2006        2007   Change ($)  Change (%)
Maintenance revenues              $ 11,473    $ 18,762     $ 7,289      63.5 %
Services revenues                    5,103       7,082       1,979      38.8 %
Maintenance and services revenues $ 16,576    $ 25,844     $ 9,268      55.9 %
Maintenance revenues increased $7.3 million in fiscal 2007 as a result of providing support services to a larger installed base as well as the incremental maintenance revenues from increased product sales. Services revenues increased by $2.0 million in fiscal 2007 as a result of providing services to a larger installed base. As a result of the timing of revenue recognition for sales transactions that included an undelivered product element for which we did not have VSOE, there was a net deferral of $0.3 million of maintenance and services revenues in fiscal 2006 and a net recognition of $0.1 million of maintenance and services revenues in fiscal 2007. This accounted for $0.4 million of the increase in maintenance and services revenues in fiscal 2007 compared to fiscal 2006. As of April 30, 2007, deferred maintenance and services revenues included $0.5 million related to similar transactions. See the related discussion in “—Sources of Revenues, Cost of Revenues and Operating Expenses."
Sorry the table didn't post correctly - you can go directly to the S-1 here: http://www.sec.gov/Archives/edgar/data/1368582/000095013407019818/f28075orsv1.htm#121
In summary it looks to me like a good mix of product revenue, support revenue and just the right amount services - a healthy organization with a future. Now I'm not disagreeing that there are other concerns in the S-1. Revenue recognition causes huge gaps in quarterly and yearly returns deferring revenue until later quarters/years. 16+ Million is identified, which is not unusual in software companies but it should be managed more aggressively.
Overall ArcSight is the leader in their market and I can't think of a stronger security IPO play in the short term - whether they'll actually IPO and stay independent or get purchased in the short term is the real question.
Sorry for the ugly posting that's what you get with a text browser post.