The Daily Incite - October 11, 2007

Submitted by Mike Rothman on Thu, 2007-10-11 06:21.
Today's Daily Incite

October 11, 2007 - Volume 2, #141

Good Morning:
Gosh this week has just flown. When you are spending many hours a day knee deep in screen shots, portals, and other consumer-oriented security stuff, the time just flies by. It's funny, but I took for granted how hard it is to make complicated stuff seem simple. As I'm preparing the steps for Security Mike's Guide, I gain a true appreciation of the things that I previously took for granted.

Like what the Control Panel is. Or how to log into the wireless access point. As I was working with my test group, it became apparent what a huge undertaking it is to remove the complexity of dealing with today's computer systems. Basically I can't. All I can do is try to give as specific instructions as I can because Windows is FAR more complicated than it should be. I've said it before, but it doesn't just work.

I am really jealous of the folks that make it look easy. Like Dave Grohl of the Foo Fighters. I got to see them live last week and it was just a great show. In a small venue (the Tabernacle in ATL) with a few thousand of my closest (and seemingly sweatiest) friends, the Foos played for 2 hours and did a great job, especially since it was only the 2nd stop on their new tour. They made it seem easy and a good time was had by all.

Like when you see a talented hacker sit at the keyboard and break into stuff. It seems so easy until you take the controls and draw a blank. How do I do a SQL Injection again? I always had great respect for the Sales Engineers in the companies where I worked. Those were the guys that made the difference and in many cases closed the sales. Maybe not the contractual stuff, but if these guys couldn't make the box dance on its side, the deal was lost. And most of the products I've brought to market were REALLY complicated, which made a skillful SE that much more important. They had to make it look easy because no customer in their right mind (unless they are on the lunatic fringe) would take a product they know to have mind-numbing complexity.

I may be giving away a huge secret here, but that is one of my best landmarks to understand where a market is. Can an IT generalist that works in a mid-market company deal with the technology? In anti-spam, it happened pretty quickly. In DLP, not yet. Thus one becomes a mature market in record time, and the other grows at a good pace, but not an exponential pace. NAC is in the same boat. Most folks still need a PhD to get 802.1X to work and although not a firm requirement for NAC, the two tend to go hand in hand - for the early adopters anyway.

So every time a vendor tells me their market is exploding, I ask how many customers they have, what is the typical size of their customers, and what is the average deal size? From those three questions I can generally get a feel for whether a market is 12 or 18 months from mass deployment or if the entire market will never cross the chasm.

Since I've given you one of my closely guarded analyst techniques, I assume you folks will write the Incite on Monday, OK? I'll be spending the weekend coming up with some new analyst tricks since I've got to stay one step ahead.

Have a great weekend.


Top Security News

The (web app scanner) ball finally stops rolling
So what? - After only 4 months, the folks at Network Computing are finally done with the "rolling review" of web application scanners. I'm kind of happy that I didn't stay up late to get the results in from the West coast, like on election night. Not that the analysis isn't good and very helpful - it is. But it really can't take 4 months to state that the tools aren't really ready for prime time. They like Watchfire's ability to handle AJAX and the user experience of Acunetix's offering. In fact, all of the products had some strengths, but don't expect that scanning your web apps will be as hands off as doing a network scan. Qualys these tools ain't. But maybe in 5 years they will be mature enough, assuming that the new parents of the big guys (IBM and HP) continue to invest in the scanners, which is not a foregone conclusion. Now if I could only put these reviews on my Tivo or maybe wait for the entire season to show up on NetFlix. The one episode at a time thing just doesn't work for me. But it is all about selling advertising, so maybe the serialized review is here to stay.

Hey Aunt Bessie, you pwned!
So what? - In the words of Fake Steve Jobs, much love to Qwest for taking a stand and promising to inform customers of bad behavior on their consumer ISP (via Larry Seltzer). The analysis from Danny at Arbor that I recently highlighted showed that the numbers are starting to look ugly for ISPs intent on keeping their heads in the sand relative to zombie machines on their network. The good news is that someone is doing something. I wish they would actually commit to removing these folks from the network, as opposed to just "informing" them and helping them get clean - but it's a start. The bad news? Qwest is a marginal player and it may help them fight off Comcast in Denver, but it's not going to help enough folks, nor put much pressure on the bigger ISPs. It'll be interesting to see how this shakes out, as once someone proves that there is actually an economic benefit to having a cleaner network - the other ISPs may need to step up.

Core vs. context
So what? - Is it me or has Geoffrey Moore jumped the shark? Of course, Crossing the Chasm and Inside the Tornado were classics that still hold true for how technology markets develop. His later work, not so much. Although his ideas in Living on the Fault Line about core vs. context do make a lot of sense. The general idea of focusing on where you can add value and letting other folks do whatever you can't is really embodied in this NetworkWorld profile of a SaaS provider that has outsourced their data center. Most of these folks are in the software business, not the data center business - so I'm cool with it. That being said, a SaaS that holds my sensitive data is responsible for my sensitive data. These folks should have an in-house (not outhouse) CSO that is ultimately accountable to make sure my data is protected. They need to ride herd on the outsourcer. I'm all for outsourcing, as long as I have one throat to choke.

The Laundry List

  1. Maybe you can get back to selling? Websense announces a light revenue quarter, I guess they were a little distracted by acquiring the Red Coats. With $80 million in merger synergies to be found, I think there will be a lot of red on a lot of coats in web filtering land. Headhunters start your engines. - Websense release
  2. Enterasys becomes the latest IPS vendor to throw down a 10Gbps gauntlet. And all starting at a cool $175,000. If you have $175K lying around, there are probably more effective places to spend it than a big honkin' IPS. - NetworkWorld coverage
  3. Use it or lose it? How about return it? There are no awards for spending all the money, especially if you don't need it. And your CFO will love you. - SecureWorks blog
  4. Cost of data breaches to increase, according to the G. Way to go out on a limb there folks. And to think, people paid $2000 to go to Symposium to hear nuggets of wisdom like that. - Gartner release

Top Blog Postings

It gets back to monitoring
Dr. A has a good post here about how to detect an attack, even when the logs don't really show an issue. As Anton points out, it's all about anomalous behavior. In this case, the attacker was logging into the 0wned box legitimately. So that wouldn't raise the red flag anywhere. But you can detect strange behavior, like logging in from remote locations or at strange times. Massive data movement or other non-standard use cases are also clues. Reminds me of that Dupont situation, where they stumbled onto a huge intellectual property theft because someone was moving a lot of data at weird times. Still not sold on monitoring as a way to REACT FASTER? Not sure what else I can do to prove it out, except keep banging you on the head about it.
http://chuvakin.blogspot.com/2007/10/more-on-ftp-or-again-and-simple-user.html
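The three clues in the post (odd login hours, unfamiliar source locations, unusually large data movement) are easy to turn into a per-user baseline and a set of flags. The script below is an added example, not code from the post or from Anton's article; the log format, user names, IP addresses and byte counts are all constructed for the illustration, and the "source network" check is a coarse /24 prefix comparison standing in for whatever geolocation or ASN lookup a real deployment would use.

```python
"""Baseline-and-flag detection over constructed login records.

Added example: builds a per-user baseline (normal hours, known source
networks, typical bytes moved) from past successful logins, then flags
later logins that fall outside it. Every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical logins: user,ISO timestamp,source IP,bytes moved
BASELINE_LOG = """\
alice,2007-09-03T09:12:00,10.1.4.20,5200000
alice,2007-09-04T08:55:00,10.1.4.21,4800000
alice,2007-09-05T10:30:00,10.1.4.20,6100000
alice,2007-09-06T09:05:00,10.1.4.22,5500000
alice,2007-09-07T11:40:00,10.1.4.20,5000000
"""

# Constructed later logins to score against the baseline.
NEW_LOG = """\
alice,2007-10-08T09:20:00,10.1.4.20,5300000
alice,2007-10-09T02:45:00,10.1.4.20,5100000
alice,2007-10-09T10:10:00,203.0.113.77,4900000
alice,2007-10-10T10:00:00,10.1.4.21,950000000
"""


def parse(log):
    """Parse the constructed CSV-ish format into a list of event dicts."""
    events = []
    for line in log.splitlines():
        user, ts, ip, nbytes = line.split(",")
        events.append({"user": user, "ts": datetime.fromisoformat(ts),
                       "ip": ip, "bytes": int(nbytes)})
    return events


def network_of(ip):
    """Coarse /24 prefix; stands in for geolocation or ASN in this example."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Per-user hour range, known source networks, and byte-volume stats."""
    per_user = defaultdict(lambda: {"hours": [], "nets": set(), "bytes": []})
    for e in events:
        p = per_user[e["user"]]
        p["hours"].append(e["ts"].hour)
        p["nets"].add(network_of(e["ip"]))
        p["bytes"].append(e["bytes"])
    return {
        user: {
            "hour_min": min(p["hours"]),
            "hour_max": max(p["hours"]),
            "nets": p["nets"],
            "bytes_mean": mean(p["bytes"]),
            "bytes_sd": pstdev(p["bytes"]),
        }
        for user, p in per_user.items()
    }


def flag_event(e, baseline, hour_slack=1, z_threshold=3.0):
    """Return the list of reasons an event looks anomalous (empty = normal)."""
    b = baseline.get(e["user"])
    if b is None:
        return ["unknown-user"]
    reasons = []
    hour = e["ts"].hour
    # Strange time: outside the user's observed hour range plus some slack.
    if hour < b["hour_min"] - hour_slack or hour > b["hour_max"] + hour_slack:
        reasons.append("off-hours")
    # Remote location: a source network never seen for this user.
    if network_of(e["ip"]) not in b["nets"]:
        reasons.append("new-source-network")
    # Massive data movement: bytes far above the user's mean (z-score).
    sd = b["bytes_sd"] or 1.0
    if (e["bytes"] - b["bytes_mean"]) / sd > z_threshold:
        reasons.append("data-volume")
    return reasons


def detect(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    """Score every new event; returns [(timestamp, [reasons]), ...]."""
    baseline = build_baseline(parse(baseline_log))
    return [(e["ts"].isoformat(), flag_event(e, baseline))
            for e in parse(new_log)]


if __name__ == "__main__":
    for ts, reasons in detect():
        print(ts, "OK" if not reasons else ", ".join(reasons))
```

Run as-is, the first new login is clean, the 02:45 login is flagged as off-hours, the login from 203.0.113.77 as a new source network, and the 950 MB session as a data-volume outlier. Note that none of these records is an authentication failure; the whole point, as in the post, is that the attacker's logins succeed, so the signal has to come from deviation against the user's own history rather than from the log's error lines.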

I'll take IFOCE for $100
Quick, would you rather be CISO/CPO of a social networking site or the proctologist for the International Federation of Competitive Eating (IFOCE)? Me too. Trying to figure out what the eaters do with all those hot dogs isn't very interesting, but it definitely beats being the lone wolf within a hot Web 2.0 start-up saying "hey guys, shouldn't we be protecting against 45 year old perverts soliciting our 13 year old neighbors?" As Rebecca Herold points out, security in a Web 2.0 world is a misnomer. Since everything is user generated, and there is no real identity system - you basically have no idea what is going on. I don't see how the problem is going to get better either. That fine line between forcing verification (and detracting from the conversation) and the wild west of anonymity that exists today is more like an ocean. Alas, we can't have it both ways either. We can vilify folks like Facebook for having no controls, but at the end of the day they are just laying train tracks. It's not practical to think they'll be able to check the background of everyone that gets on the train.
http://www.realtime-itcompliance.com/privacy_and_compliance/2007/10/who_would_want_to_be_a_ciso_or.htm

Why worry about the 4 P's, when you have the big L?
Francois at the Emerging Marketing blog wonders whether the 4 P's are still relevant. Come on folks, you don't remember your high school business course? Or were you too busy hacking away during computer club to learn about product, place, promotion, and price? The reality is that traditional marketing hasn't really found its way into the security industry. How else can you explain a hack like me pretending to do marketing for many years? Truth be told, I was at computer club in high school too, not studying the 4 P's. Unfortunately, the 4 P's have come to mean product (it's shiny and big and fast), place (everywhere since we are everything to everyone, you want to buy one?), promotion (how much VC money do we have left?) and price (before we pull their pants down, or after?). And he forgot the one big L of security marketing. Right, LIE. That's the old standby that seems to make the 4 P's = 0.
http://www.emergencemarketing.com/archives/2007/10/are_the_4_ps_still_releva.php
