The Daily Incite - February 28, 2008
February 28, 2008 - Volume 3, #20
Good Morning:
I've gotten soft. I've lost the competitive edge. It's hard to admit,
but it's true. I just don't have the stomach anymore for a knock-down,
drag-out fight. I'm fed up with finding the negatives of an opponent
and fed up with the zero-sum game. For most of my life, it was all
about I win, you lose. Or vice versa. Now I'm tired of that.
The thing that set me off is the increasingly vitriolic run for the
Democratic Presidential nomination. It's crunch time and as I should
have expected, the campaign is getting pretty negative. When a
candidate is backed into a corner, they tend to act pretty desperately
and with a short term perspective. I find it disheartening and
annoying, but I get it. A run for the White House is a zero-sum game.
Either you win or you don't. So inevitably the discussion will turn
negative because it's too hard to focus on the good, when the bad is so
inflammatory and gives the 24/7 news circuit something to talk about.
But it's annoying nonetheless.
I think Lenny Kravitz is right: "It Is Time For A Love Revolution."
The same thing applies to a lot of the security markets. Selling products to customers
is a zero-sum game also. You make the sale and put food on your table
or your competitor does and puts food on their own table. Are
you drinking their milkshake? Or are they drinking yours?
When you view it as survival, then people will go to strange (and
disheartening) ends to win. I used to see it every day. I used to do
it. If you've ever bought something for more than $100K, you know what
I mean. At some point in the sales cycle, the gloves come off. It
became less about what my product can do, and all about what their
product couldn't. And what the customer needs was usually not part of
the discussion. I win, you lose. That was the mentality. I know it's a
fact of life and how things work, but it's annoying nonetheless.
That's why I'll never take a marketing job again. I would rather take a
job as an athletic cup tester. You know, the guy that puts on an
athletic cup and gets kicked in the nuts 1000 times a day to stress
test the product. I don't know if that's even a job, but if it was I
would take it.
I just can't envision myself doing what it takes to win in a highly
competitive market. I'm not sure I ever was able to do what it takes. I
fooled myself and played the game, but it was very unfulfilling.
Of course, it took almost 3 years of being out of it to have that
epiphany.
Thus, I've made the distinct and very personal choice to focus my
efforts on the positive. If what I do isn't a win-win for everyone,
then it's not too interesting for me. I don't want to achieve "success"
by bringing someone down. And I'm incredibly fortunate to have found a
way to do exactly that.
Have a great weekend.
PS: This week we'll finish up the Days of Incite. I posted #7 yesterday
and #8 is queued up for later this morning.
- Express Your Inner Bean Counter
- It's time for an audit revolution
- Best of Breed DOA
- Weaving security into the network fabric
- Night of the Internet Dead
- Laptop encryption hits the big leagues
- The SDLC is your friend
- Protect the Vault (that's where the money is)
- Get the Jumper Cables for DLP
Photo credit: marcn
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
VMsafe? Yeah, right...
So what? - One of the things I posited on Monday was what Microsoft would do if
they could reinvent Windows today. From scratch. No compatibility
problems. No need to be constrained by what it is or the billions of
licenses out there already. I guarantee there would be no 3rd party
security market around the OS. All that stuff would be built in. VMware
sort of has that opportunity. Of course, they do have a technology and
it's been around for a few years. But they are aggressively moving to
build security into the hypervisor. Interestingly enough, with their
new VMsafe technology, they are opening up the hypervisor to 3rd parties
to integrate value-added security functions - but with rules, of course.
And as Pete points out, no one is bitching about it.
Certainly not like Big AV running to the EU when Microsoft locked down
access to the Vista kernel. Anyhow, VMware is playing the game like a
maestro right now. Open up the interfaces, but on their terms. Throw
some scraps to the dogs to keep them fed, for a little while anyway.
And eventually control the entire secure virtualized platform
themselves. Oh yeah, that wasn't in the announcement - but make no
mistake, it's coming, and
the rest of the security business won't realize it until it's a done
deal.
The PCI Circle of Blame - awesome
So what? -
Great piece by Andrew Conry-Murray at InformationWeek about
the "circle of blame" that is PCI. In all the chaos in trying
to get "compliant" (whatever that means), we have lost the real reason
for PCI. That is all about risk mitigation for the banks and to
eliminate US Federal oversight of the retailers. If they could figure
out some way to blame the retailers for online theft, then they could
restrict their losses and increase profits, right? That was the plan
anyway. Of course, it's all under the mantra of doing the right thing
for customers, but let's be very clear that if there wasn't a huge
economic impact - there would be no PCI DSS. And the banks don't care
too much about who ends up paying for the fraud (whether it impacts
retailer profits or ultimate end pricing), as long as it's not them.
Got to love free enterprise, no? The article also goes into the
subjectivity of PCI compliance and how some of the retailers are able
to game the system. This shouldn't be surprising, given that people
have been gaming the "system" since the beginning of time. Ultimately
companies need to decide whether they are going to protect data or not.
If they are, then they need to think about security - not because a PCI
mandate has forced their hand. Security FIRST, it still stands.
What's up with the IPS market?
So what? - Sourcefire announced its Q4 and full-year
results yesterday and they were mixed. Revenue was at
expectations, but earnings were below estimates due to heavier
investments. The Street hated the numbers. Stock was trading 8-10%
lower in the after-hours market last night. More interestingly, CEO
Wayne Jackson is stepping aside and President Tom McDonough was not
mentioned as a candidate to succeed Jackson. That doesn't mean Tom
isn't a candidate, but they are going to look outside as well. I guess
after missing the first 2 quarters since going public and just eking out
greatly reduced expectations since then, you have to wonder whether
Wayne was tossed out of the car at a high rate of speed. Of course,
we'll never know the back channel discussions that go along with CEO
changes, but ultimately we need to reassess the entire IPS market and
figure out if there is any there there. Rumors abound of another
dedicated IPS company getting out of the hardware business and with
TippingPoint being spun out at some point from 3Com, you have to wonder
whether any of these dogs will hunt over the mid-term. The answer is a
resounding no. Mr. Market is speaking and stand-alone is not on the
menu. They all seem to want
combination platters, which is yet another sign of the maturity of the
network security business.
The Laundry List
- ProofPoint raises another $28 million. Total money in is $86 big. The inevitable acquisition will need to be at a big number to make the mezzanine guys happy. - ProofPoint release
- NetQoS dusts off the old "anomaly detection" term, but revisiting history doesn't help customers understand what to do with it. Although these folks are focused on application response time, which is an interesting take on react faster. - NetQoS release
- Whatever happened to IM security? Nothing, that's what happened. St. Bernard bundles it into its content security appliance. If a tree falls in the woods, does anyone hear it? - NetworkWorld coverage
Top Blog Postings
Amrit says, "Join the Collective"
Someone revoke Amrit's Netflix subscription, since evidently he's been
binging on Star Trek:TNG. The herd wasn't a good enough name for his
idea of sharing threat information to make everyone smarter. So he
traded in his spurs for a trip with the Borg, dubbing the idea
"collective intelligence" now. I guess resistance is futile. Amrit
makes the common points (especially for an endpoint and server
configuration management CTO) about the inherent issue of relying only
on the network and needing to also ensure the endpoints are protected
as well. He picks a fight with Bejtlich and Stiennon by generally
mischaracterizing their positions - but it's Amrit, so you can't get
that mad at him. The reality is it's always been about layers, and even
the Richards agree with that. You don't rely on a single layer of
security for ANYTHING. Then Amrit talks about some kind of self-healing
contraption and its need to stand alone from the back-end
infrastructure. It sounds like anarchy to me and makes me wonder
whether he's just gotten out of Marty McFly's DeLorean after
taking a meeting with Skynet. That's what I think of
when the term self-aware devices is mentioned. Maybe there will be a
punchline in the 3rd post that will bring all this stuff together in a
way that makes sense.
http://techbuddha.wordpress.com/2008/02/17/evolving-information-security-part-2-developing-collective-intelligence/
The ramifications of Internet anonymity
Much to the chagrin of all of the privacy denizens out there, I've
always had an issue with Internet anonymity. It just feels wrong,
although I couldn't really explain why. I understand the position of
the other side, that people wouldn't blow the whistle or spill the
beans if they had to own up to their actual identity. But the reality
is that anonymity enables trolls, but more fundamentally circumvents
accountability - and we run the risk of training an entire generation
that whatever they do doesn't count - as long as they are pretending
they are someone else. Andrew Keen's post on the topic is very thought
provoking and makes sense to me. A lot of sense. Aside from the very
clear cases of persecution from faceless and anonymous cowards, the idea
that my kids won't need to accept responsibility because they are in
one of their online "personas" is unacceptable to me. I may be the last
guy sitting in a row boat in the middle of the ocean, but I'll go down
swinging. Even if I'm swinging at invisible trolls who like being able
to snipe from behind their keyboards. That is before they need to put
that oxy-clear on and do their math homework.
http://www.internetevolution.com/author.asp?section_id=556&doc_id=146514
Customers don't care about security - Lesson 1,000,214
The failure of extended validation certificates must be the millionth
time we've had to come face to face with the
reality that consumers don't care about security. That doesn't mean
that we don't try to show them the light, though at times my
SecurityMike persona seems more to be a guy standing on the street
yelling religious dogma into a bullhorn, than someone actually trying
to change behaviors. Ivan Ristic (the guy behind ModSecurity) makes the
point that EV certificates have taken off like a lead balloon. That's a
pretty predictable outcome, because the millions of commerce sites need
a better reason than VeriSign's growth targets to pay triple (if not
more) for their SSL cert. Do customers buy more if the green bar is in
their IE7 browser? Do customers even know the bar is green? Right. The
beauty of HackerSafe as a marketing symbol is that it's right in your
face. When you are about to hit the buy button, you see the certificate
and are deluded for a minute that your private information is actually
safe. But the green bar? It's not in your face enough, and that's why
EV certs have gone nowhere.
http://blog.ivanristic.com/2008/02/extended-valida.html
Hello - my name's Brian Boyko. I'm the editor of NetQoS's company blog, Network Performance Daily. (www.networkperformancedaily.com)
Noticed your Laundry List item about our Anomaly Detection press release:
--> NetQoS dusts off the old "anomaly detection" term, but revisiting history doesn't help customers understand what to do with it. Although these folks are focused on application response time, which is an interesting take on react faster. - NetQoS release
You know, you're right. Before I start writing something up, I wanted to get your thoughts on how to help customers understand what to do with Anomaly Detection - ours or anyone else's.
Give me an e-mail at brian.boyko@netqos.com or a phone call at 512-674-9550. We could talk a bit about this, maybe even interview you for a story.
-- Brian Boyko
-- Editor, Network Performance Daily.
-- Failed Ballroom Dancing in College.