The Daily Incite - September 20, 2007
September 20, 2007 - Volume 2, #134
Good Morning:
What's the difference between Bill Belichick (the coach of the NE
Patriots) and pretty much every other coach in the NFL? Besides 3 Super
Bowl rings, that is? He got caught. That's right, he got caught. You
don't think every other team has spies in the stands trying to decipher
signals to gain an advantage? Of course they do. I'm sure many also use
video, as Belichick did. But Bill got caught and now he's a villain.
I did a little rant a few days ago about "hating your competitors,"
especially relative to competitive intelligence. Given the fact that
the Belichick story won't seem to die, and the fact that in the
security business it's VERY competitive and everyone is looking for an
advantage, what is cool and what isn't? And if you are an end user, how
can you know what is real and what isn't and most importantly - whether
it matters?
I could write a book on this topic. Maybe I will, but I've got my hands
full with Security Mike for a while, so I'll
try to summarize fairly
quickly. As I mentioned on Monday, no one can assume the competition
doesn't know all about your stuff. I don't care what business you are
in. You have competition and you need to assume they know all about
your stuff. That means you need to know about their stuff.
So how do you do it? Let me use security as an example. You need a box.
It's most helpful if the competition will just sell you the box.
Barracuda did. It was nice. Drop shipped it right to our offices. The
other folks, not so much. So we had to be creative. I can't say much
about this kind of creativity until the statute of limitations runs
out, but suffice it to say the resellers can be your friends. I also
know of an instance where a so-called
"independent reviewer" procured a box to review and sent it to a
competitor. I guess that's kind of being creative too. In a "2-5 year
with an option for parole after 18 months" way.
Once you get the box, you need a lab. You need to bang on your
competitor's box and find out where it's strong and where it's weak.
Then
you need to help your field teams understand that information and use
it to your advantage. And at times, some of the competition will lie
about what they've found about your box. Sometimes they'll just make
things up. If you are a vendor, that's why your SE's are probably the
most valuable employees that you have. They need to know how to
overcome those objections and make sure you get a chance to be
evaluated.
In enterprise sales cycles, it's all about the eval. Especially in
security. So do whatever you have to do to get the eval. Make sure your
SE's can make the box dance. And also understand that all the
competitive posturing in the world isn't going to help if you've lied
to the customer about what your box does and what the competition's
doesn't. The eval doesn't lie.
If you are a customer, do you care about this stuff? The answer is a
resounding no. You are worried about solving your technology problem
and if the vendors are more focused on their competition than solving
your problem, then you probably aren't talking to the right vendor. And
define your long list quickly and get to the eval. The longer you wait
and let the vendors snipe at each other, the more confused you are
going to be.
The moral of the story is this: Everyone is doing it, so you need to as
well. Belichick got caught, but let's be clear, everyone is trying to
steal the other team's signals and get access to their game plan. Same
goes in our security industry. Some are more ethical than others, but
at the end of the day - you can't be competitive unless you have that
information. If that makes you queasy, then you probably should find
something else to do.
And with that, it's time to get back to work. Have a
great weekend.
Top Security News
Ameritrade - Please report to the Principal's Office
So what? -
If some of the contentions made in this blog post from Paul McNamara
are true, then Ameritrade has got a lot of downside liability to deal
with relative to the data breach announced this week. At first it was
like, "big whoop, another data breach." But if Ameritrade basically
ignored warnings that their data had been compromised, they are going
down the river and they don't have a paddle. Do you see the class
action vultures flying over the mountains? This could keep them busy
(and fed) for quite a while. The problem is that Ameritrade is playing
dumb. They better have a lot of documentation that they took the issue
seriously, did an investigation, and found nothing to worry about. If
not, then they've got a lot of explaining to do. I guess their
forensics guys could find that the bad guys took another route to pwn
the machines, but even so - it wouldn't mean the first notification
wasn't real as well. Ultimately we are all waiting for the forensics
report and then the vultures will know where the feeding frenzy will be.
You build your own ASICs, why?
So what? -
There was a time and a place where building cool chips and having them
do cool things really made a difference. We may be past that time.
For example, IronPort recently announced they have done
some work to increase throughput by more effectively using Intel
multi-core chips. An 800% increase? Who knows and who cares?
I really hate that "mine is bigger than yours" positioning and
marketing. The point is that it's not clear that vendors are going to
get appropriate return for taking on the risk of building their own
chips. That doesn't mean you'll be able to get a 10GB IPS by loading
some open source software on the old Pentium 3 you have in your closet.
There will need to be other packet acceleration technologies utilized
and the like (especially if decoding SSL traffic is a requirement), but
for a lot of the compute activities - your standard PC chips are going
to do great and continue following Moore's Law (or some less aggressive
corollary). Lest you think I'm all about software on standard hardware,
I'm not. Ultimately customers want SOLUTIONS to their problems, so they
expect the vendor to integrate everything and tie it up with a nice,
little bow on top. It's just not clear that there is a lot of value in
spinning ASICs anymore.
Deal: Raytheon buys Oakley Networks
So what? -
I guess Raytheon needed some new shades to deal with the nuclear glare
of their defense work, eh? Oh, this isn't the guys that make
sunglasses? Right, Raytheon bought the Oakley Networks that
does DLP stuff. Oakley has always been strong in the Fed
space, so
there is synergy with Raytheon, but this is a pretty strange
combination. Clearly monitoring your data usage, making sure it doesn't
leak and then being able to investigate an issue is pretty important
for some of the Federal agencies, but it's not clear that Raytheon is
the kind of organization that is going to be able to move fast enough
to keep pace in an emerging, dynamic high-tech market. So we'll see,
but there is very little history of emerging technology actually
prospering in a beltway-bandit type of environment.
The Laundry List
- Great, now it's time for next generation DLP. We've hardly deployed first generation, but Orchestria thinks they can "dramatically reduce enterprise risk." How so? Delete all the data? I hate these kinds of releases that promise the world and deliver nothing but unsubstantiated claims and two analyst quotes because they couldn't get a customer to say anything. - Orchestria release
- A smart VPN, that's novel. Verizon can recognize your mobile device and place it on a VPN within their carrier network. - InformationWeek mobile blog
- Guess Maynor's gag order from SecureWorks expired because he's published the details of the Apple wireless exploit. It's been patched, this isn't news - but it remains an instructive lesson on how security researchers can be used as punching bags. - PCWorld release
- PCI day of reckoning is upon us. The deadline creates lots of scrambling, but will it be enforced, especially beyond Tier 1 merchants? That's the real question. - Mark Tordoff's blog
Top Blog Postings
I place you in the motor-mouth camp
It's funny when the metrics guys start going after each other. In this
post, Lindstrom doesn't like to be put into a "camp," and he takes Andy
Jaquith to task for doing so. This reflects Rule #1 of being an
analyst. Do not allow someone else to put you into a box because then
it's much harder to change your mind and someone may actually remember
a position you took in the past. The reality is that we all continue to
struggle in coming up with a good way to measure what security people
do. Model or measure? Does it matter? If you check out the comments,
Andy does his best to apologize for using Pete's name in vain. I'm not
so nice. Pete has a 150 page deck of drivel about all the stuff you can
measure and model, but very few examples of people that are actually
doing so and in a relevant way. I guess that's why I continue to be so
negative on many of these measuring (or modeling) efforts. Not that we
don't need to measure - of course we do. But so far we've done a crappy
job of it. Unless someone decides to become the poster child for
measuring security and shows everyone else that this stuff works, I
just think most of it is a big waste of time.
http://spiresecurity.typepad.com/spire_security_viewpoint/2007/09/am-i-a-modeler-.html
Who watches the watchers?
Bejtlich brings up a great point about monitoring activities and
whether ultimately we can trust the data. He took offense to a piece in
Dark Reading that describes a forensic tool as "immune" or even "resistant"
to tampering. Per usual, Richard is right, but there are always a
million reasons why we shouldn't do something. The reality is that any
technology is open to tampering, so the bad guys can try to cover their
tracks. As long as you know that is a possibility, then you can get
back to work. Sure you should trust the data coming from your set of
monitoring/forensics tools, but you also need to verify it. I like the
idea of putting these log records somewhere else (yes, probably in a
log management platform) and signing and sequencing them. So even if
your tool is compromised, you've got the data elsewhere and you can
look for deltas in the information set. I know it's easy to say, "why
build it once, when we can build it twice for twice the price." In this
case - if what you are protecting is valuable enough, then it's worth
looking at ways to make sure you can detect a bad guy/gal trying to
cover his/her tracks.
http://taosecurity.blogspot.com/2007/09/comment-on-netwitness-article.html
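The "sign and sequence them somewhere else" idea above, as an added example that is not from the original post or from either blog it discusses: each record carries a sequence number and an HMAC that chains it to the previous record, so the copy held in the log-management store can be checked for edits, reordering and gaps, and compared against the on-host copy for deltas. The key, the record layout and the sample log lines are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): in practice the collector holds it, never
# the host whose monitoring tools might be compromised.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # previous-tag value for the first record

def _payload(seq, prev_tag, msg):
    return json.dumps([seq, prev_tag, msg], separators=(",", ":")).encode()

def sign_records(messages, key=KEY):
    """Chain records: each tag covers its sequence number, the previous tag and the message."""
    records, prev_tag = [], GENESIS
    for seq, msg in enumerate(messages):
        tag = hmac.new(key, _payload(seq, prev_tag, msg), hashlib.sha256).hexdigest()
        records.append({"seq": seq, "prev": prev_tag, "msg": msg, "tag": tag})
        prev_tag = tag
    return records

def verify_chain(records, key=KEY):
    """Recompute every tag and check the links; returns (ok, list_of_problems)."""
    problems, prev_tag = [], GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:
            problems.append(f"seq {rec['seq']}: expected {expected_seq} (gap or reorder)")
        if rec["prev"] != prev_tag:
            problems.append(f"seq {rec['seq']}: prev tag does not match previous record")
        expected = hmac.new(key, _payload(rec["seq"], rec["prev"], rec["msg"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(rec["tag"], expected):
            problems.append(f"seq {rec['seq']}: tag mismatch (record edited)")
        prev_tag = rec["tag"]
    return (not problems, problems)

def find_deltas(local, remote):
    """Compare the on-host copy with the copy kept elsewhere. The chain alone cannot
    see records trimmed off the end; the second copy can."""
    local_by_seq = {r["seq"]: r for r in local}
    remote_by_seq = {r["seq"]: r for r in remote}
    missing_locally = sorted(set(remote_by_seq) - set(local_by_seq))
    changed = sorted(s for s in local_by_seq if s in remote_by_seq and local_by_seq[s] != remote_by_seq[s])
    return {"missing_locally": missing_locally, "changed": changed}

if __name__ == "__main__":
    # Constructed sample log lines; the collector's copy is complete, the host's copy is trimmed.
    remote = sign_records(["sshd: accepted login for ops", "sudo: ops edited /etc/hosts", "sshd: session closed"])
    local = remote[:2]
    print(verify_chain(local))         # (True, []) -- the chain cannot see the trim
    print(find_deltas(local, remote))  # {'missing_locally': [2], 'changed': []}
```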
You should read the Orchestria release in more detail. These guys are HUGE in Wall Street and work with all the top firms. They really do reduce false positives to tiny levels - it ain't BS. Like lots of DLP vendors, they find it hard to get customer quotes because these firms don't want to admit they have any kind of leaks.