The Daily Incite - September 29, 2008
September 29, 2008 - Volume 3, #79
Good Morning:
It doesn't seem to be common knowledge, but we are in the midst of a
gas shortage in northern ATL. I suspect it's all over the metro Atlanta
area, but I can only speak for the 10 mile radius I scoured on Friday
trying to get gas for my car. I must have passed 15 different stations
that had no gas before I got lucky. A friend called with a tip on a
station that just got a delivery and had gas. So I dutifully waited in
line for about 40 minutes and filled up. Thanks to the iPhone, I could
still be reasonably productive - but still, that's 40 minutes I'll
never get back.

We also got lucky last week when the Boss went to go fill up the van.
She dropped the kids off at school and only had to wait 10 minutes at a
local shop. I just drove by that specific station and the line is
around the corner to get into both entrances. It's basically a mess.
Of course, it's great when the government is very supportive of the
plight of the citizens. Our own esteemed Gov. Perdue thinks the
shortage is "self-induced." Evidently he hasn't tried to fill up
recently. It doesn't seem easy to govern with your head up your ass,
but I guess he's trying.
I was talking to my Mom over the weekend and we talked about the 1973
gas crisis. Obviously I was very young, but I still remember Mom
loading my brother and me into the Volvo station wagon at 5 AM to go
wait in line to fill up. I guess those were scary times, but 5 year
olds don't really understand that. I guess what goes around, comes
around and here in the ATL it's coming around.
Tight supplies are being caused by the fallout from Hurricane Ike.
Evidently a significant portion of refining capacity is still offline
or ramping back up slowly. It reminds me that we are still very very
dependent on fossil fuels to drive the economy. And as those fuels wane
or become more expensive or are increasingly controlled by unfriendly
parties - our economy is at risk. Sure we've got to work through this
mortgage mess on Wall Street. But energy is clearly the biggest issue
we (as a global community) face over the next 10 years.
We are doing our part by not doing unnecessary driving this week until
supplies loosen up. Even though I don't need a new car, I'm seriously
thinking about putting my name on a waiting list for a hybrid. Maybe
this time I'll actually do it. And as soon as they come out with a
hybrid van, we are there. Sure it's a bit more money up front and the
direct payback in terms of dollars is a bit suspect. But it's hard to
put a price on the heartburn we suffer from driving around on E, hoping
the next service station has fuel (and you won't have to wait in line
for a couple of hours) before we run out of gas and have to walk home.
And before I forget, Happy Birthday to my kid brother. His birthday was
over the weekend. We had a lot of fun hanging out with the kids running
around and creating havoc. As tough as things are, you've got to take
the time to celebrate the good times. And to step back and enjoy the
ride a bit. Sometimes it's hard, but you need to make a specific focus
to make it happen.
Have a great day and I should be back on Wednesday, since tomorrow is a
holiday for me. L'Shana Tova to all observing tomorrow.
Photo: "No Gasoline" originally uploaded by eschipul
Top Security News
And in this corner the white list...
So what? -
Larry Seltzer takes in a video
interview of Mark Russinovich
(yes, the Sony rootkit guy and one of the big brains pushing
Microsoft's security strategy) and questions the viability of white
lists. To paraphrase Larry, white lists are cool if you can shove a
policy down a user's throat (like most corporates can), but they are
useless for consumers. To be fair, Larry does say he hopes he's wrong
because he buys into the concept of executing only authorized
applications. Amazingly enough (especially if you ask the Boss), this
situation isn't black and white. The reality is there is a continuum
and we need to understand that. Even in the corporate world, there need
to be gradations of lock-down, which treat different groups
differently. Since the finance team is dealing with very important
data, their devices should be locked down tighter than those of other
groups. Same goes for consumers. They should have options to
incrementally enforce greater levels of lockdown. You can sort of do
that through different browser configuration and parental controls, but
it's hard and requires a lot of pieces, and any savvy kid is going to
be able to get around it. There is definitely a place for white lists
in your security arsenal, but you need to make a choice as to how
strictly you enforce them (and subsequently how much clean up you are
willing to do).
Who are you? What are you doing in my house?
So what? -
I love those movies where the main character wakes up and is in a
totally strange place, surrounded by "family" that he doesn't even
know. Lots of silliness tends to ensue and then the person wakes up and
realizes it's been a dream. They learn some heavy lesson and become a
better person. You wonder if the folks at IBM look around what's left
of ISS and wonder what the hell happened? Most of my contacts at ISS
are gone. That's actually to be expected, since it takes a different
kind of person to survive and thrive in a Big Blue culture. But what's
more interesting is how two years after the deal, the ISS group is
trying to become relevant again. Now
they are making product announcements
and talking about how security fits into IBM's overall strategy.
Time flies when you are having fun, no? But two years of fun?!? That's
what makes me chuckle about these big deals. How can any semblance of
integration, which takes two years, be something to cheer about? IBM
dropped $1.3 billion on the deal and as a result ISS has all but
dropped off the radar. Of course, I'm sure they show up in a lot of
deals that just go to IBM (and wouldn't be seen by a guy like me), but
still. $1.3 Big is a lot to spend to wait around for a couple of years
to figure out which end is up.
Microsoft rides a paper surfboard to the top of the Wave
So what? -
The Forresters checked out a bunch of data sheets and decided Microsoft
was "top of the NAC heap." Not sure if they used those words, but
that's what Tim Greene says were the results of Forrester's NAC wave.
That kind of finding is pretty
laughable. There is no question that Microsoft will be a player and
they will absolutely own the agent that checks desktop device
integrity. But to think they've got something that is enterprise-ready
is a bit strange to hear. Even better, they put in a disclaimer saying
the study isn't based on "units sold or performance tests," but how
well the products will "meet the challenges of a set of real-world
deployment situations." At least Gartner's ability to execute rating is
based largely on company revenues and product sales. So basically this
was an RFP process. And Microsoft prepared the best response. Great.
People that really buy products understand that a good RFP response
gets you into the bake-off. That's when things like "performance tests"
start to matter. That's why I find it ridiculous that vendors get
judged on this qualitative crap. Ultimately customers only care about
whether a product can solve their problem, not whether the vendor gives
GOOD RFP. Smart customers understand these types of reports can maybe
provide a little perspective on identifying the long list of vendors to
chat with. But to base a buying decision on it is irresponsible.
The Laundry List
- Security budgets are still all over the map. Jim Reavis does a seriously unscientific poll and finds predicting budget impact to be a shot in the dark. I'm still standing by my thinking that the next 18 months will be bumpy - even for security folks. - Risk Bloggers
- I'd say Fortinet breaks out the wallet again, but it's likely a change purse. They acquire Secure Elements and become firmly established as the first guys to call in a fire sale. - Secure Elements release
- Astaro tries to out-barracuda Barracuda with a $499 email security appliance, which includes encryption. Keep a lookout for their new billboard and radio campaigns. Maybe they can get Astro from the Jetsons to be their corporate spokes-dog. - Astaro release
- John Sawyer reminds us that Fort Knox isn't secure, if you leave the door open through a faulty configuration. Same goes for firewalls. - Dark Reading blog
Top Blog Postings
Vulnerability <> Risk
Let's focus on PCI a bit, since within a week DSS 1.2 will be "live"
and of course, anyone that wants to do credit card business must comply.
Rich talks a bit here about what's required to perform a real "scan"
that the auditors will accept. Many IPS devices will actually block a
number of the scan techniques, which may force the customer to open
ports and/or turn off their IPS to let the scan run. Let's get back to
the idiocy of counting vulnerabilities. A vulnerability is only
important IF it can be EXPLOITED. If the IPS is going to block it, then
who cares? What am I missing here? Let's say the vuln could be
exploited by launching the attack from inside the network (and then
presumably avoiding the IPS). Great, then the scanner should be able to
run from the inside of the network to mimic real-life attack vectors.
What is so hard about this? Turning off your defenses to complete a
test and check a box for an audit is just plain dumb. And an assessor
that pushes a customer to do this is bordering on negligent. Hopefully
the PCI group's emerging quality assurance efforts will make sure this
kind of stuff doesn't happen.
http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/
Do as I say or do as I want?
Remaining on the PCI topic, Anton brings up a great point about how
prescriptive something like PCI (and every other regulation) can/should
be. Ultimately the choice is between telling someone exactly what to
do, even though that may not be relevant for their environment (like AV
on Linux), or saying you need to "protect private data" without offering
specifics as to what that means, leaving it up to the customer to
screw it up. It's a tough call, but over the past 10 years we've shown
that just focusing on the outcome desired (as HIPAA, GLBA, and SoX do)
is not a recipe for success. Not by a long shot. Of course, PCI is a
bit overbearing and it's getting more so every time they have a meeting,
but I'd have to say on balance - having more detailed guidance has been
much more useful than not. At least folks know which boxes they should
be checking.
http://chuvakin.blogspot.com/2008/09/is-pci-dss-prescriptive.html
That's right, no one wants to buy encryption
I'm not sure what they are saying most of the time, but the Voltage
blog certainly does post a lot of stuff. Yet this post resonated with
me because it's reflecting a lot of the anecdotal evidence I've been
tracking for a while. No one cares about encryption. It's not that they
don't want to protect their data - they do. But they don't really want
to delve into the details of how it happens. They want it "built-in."
If they look at a SaaS offering, they want it to be secure, their data
encrypted and they don't want to worry about it. When they buy
applications or have an integrator build them, security should be a
feature. Maybe it's encryption, maybe it's not. The customer shouldn't
really care. If full disk encryption is important for mobile employees
(and it is), they want it built into the endpoint suite. Again, they
don't want to worry about it or manage it. Looks like Jim Bidzos had it
right all those years ago. Encryption is a tool kit, design-win type of
business. The success is based upon having more folks build the
encryption into their solutions, rather than getting customers to bolt it on
after the fact. Transparency is still in vogue, especially when
thinking about encryption.
http://superconductor.voltage.com/2008/09/whats-going-on.html
RE: Vulnerability <> Risk
Mike, I think ultimately you are correct that a vuln is only interesting if it can be exploited. However, just two points.
First, it is still difficult to know when a vuln will actually be exploited. Sure, it might be an internal machine with only ports 80/443 open and needs port 445/139 open to pop. But what if the server next to it gets popped? This then opens up the original server in question unless host-based firewalls are properly maintained (I'd argue they rarely are). Even so, ports 445/139 need to be open to at least a domain controller...
Second, an IPS is only useful if it can sit between the traffic. This is great when it sits where a firewall typically sits, at a chokepoint between two networks of differing trust. However, with systems on the same network, an IPS is pretty ineffective. Fine, I'll grant that you could span all the traffic to it so you can generate alerts, but it then won't be able to stop anything because it's only getting a copy, and likely later than what the servers get when talking to each other.
So, I think your point ultimately has merit, but that's assuming a lot of effective security, which might not be the point to our roles in the network. :) I think a scan both with protections on and without protections has value, especially when commenting in the "countermeasures implemented" box for those items. But I still wouldn't want to be unaware of those vulns hiding beneath the surface.
Mike, you are very correct that there needs to be a gradation of lockdowns. However, there is a continuum of relative trust within, as well as between groups. Those at the top of the chart within a user group are usually trusted with more sensitive docs than a clerk 1. What is more, how can one manage secure data hand-offs between groups, which also may be asymmetrical?
That is something we do by the way. Trustifier offers 127 levels of gradation within and between groups. That allows a lot of flexibility for sub-groups in and between management and functional staffing groups, and allows for the ranking of devices as well as users/roles.
Mike,
Did you read the actual Forrester report or just the article in Network World? I don't know where those disclaimers came from.
Page 2: "Forrester conducted product evaluations in May 2008 and interviewed 30 vendor and user companies"
The Forrester evaluation clearly was not an RFP:
Page 4: "Current offering. We evaluated each vendor’s NAC solution across overall product architecture,
access control architecture, enforcement architecture, policy architecture, scalability,
manageability, managed and unmanaged systems, compliance, and the strength of the solution,
against 12 scenarios based on client conversations.
· Strategy. We evaluated each vendor’s NAC strategy across product strategy/vision, product
support, corporate strategy, and the financial resources to support the strategy.
· Market presence. We evaluated each vendor’s presence in the NAC market through its installed
base, revenue, revenue growth, services, number of employees, and number and quality of
channel partners.
How is that different from Gartner? Sure, I doubt they hauled products into a lab but few analysts do. It looks to me like they covered all the other bases for large enterprise NAC products shipping in Q2.
Amazingly enough, Forrester doesn't have me on their distribution list, so I didn't read the actual report. I find it hard to believe that Forrester set up these products and ran them in any kind of technical environment. I'm willing to bet they "evaluated" these products based upon a survey, which is just another form of RFP.
The point about Gartner is that they at least have some provisions for market share and revenue heft. Yet I've also come down on them before because of the same reasons. I don't do quadrants or any other type of vendor rankings because I don't believe there is much value there.
I understand it's the way the game is played, but that doesn't mean it's right.
Mike,
I've read the Forrester Wave NAC report, Gartner's "MarketScope" on NAC, and other analyst reports. I don't get the impression any of them are suggesting you go out and buy a vendor's product based on reading their analysis alone. I look at these as good sources of comparative information when researching a technology or market to help determine who the 'players' are who may deserve a closer look.
True, the Forresters and Gartners out there don't typically test products in labs, so I don't expect that type of insight or analysis from them.
You seem to have a bias toward lab tests versus the "qualitative crap" (your words, not mine) from the analysts. Tests are valuable too, but they're just another source of information to maybe help narrow the list of vendors a bit.
Consider this though - several now-defunct NAC vendors managed to score impressive-sounding reviews at one point from some of the folks that do actually test products. Where are those award-winning products now? In the scrap heap - and customers were left holding the bag.
Why? Possibly because some of the "qualitative crap" wasn't taken into consideration, like... Does this vendor have a sustainable business model? Do they have a sound strategy and a strong roadmap for moving forward? Have they been burning cash for years but making no forward progress? Do they have the financial resources to keep the doors open? You know, crap like that.
Au contraire, I'm a big fan of the qualitative analysis. And Forrester (and Gartner) for their part don't tell customers to buy off their "short lists." But many customers are lazy, so they take a lot of these reports at face value. I don't think analysts should be doing lab tests. BUT I DO THINK CUSTOMERS SHOULD.
That's my point. I fear a lot of customers will look at NAP and figure they've got a winner because the report says so. And from what I've seen, they'll be disappointed. Yes, that is based on anecdotes, but it's about as scientific as the Forrester report.
I've been an analyst for a long, long time. I know how to play the game. And there is value in a wave and a MQ, when used within the proper context. If your scenario and use cases match up to the analyst's, then it's fine.
But way too many customers use these reports in lieu of doing their homework. That's what I'm trying to get people to avoid.
I don't expect Forrester (or Gartner) to run products in a lab. Joel Snyder is plenty good at that. None of the analyst firms I'm familiar with test products. Like you said, that's probably just the way the game is played. I also imagine analyst reports would get a lot more expensive if they included extensive testing.
What analysts do have is the ability to reach lots of end users, consider the market from the 50,000 ft level and provide some perspective which isn't just vendor hype. In that respect, I think Forrester wrote a reasonable report and it's worth reading. As far as I can see they clearly identified the leading large enterprise NAC vendors.
Certainly if I was in IT at a large enterprise and considering NAC, this report might save me a lot of research, especially the vendor comparison spreadsheet provided which you can customize.
I'm interested to know what other approaches you would take, Mike?