1. Security really is everyone's responsibility. Phil Schacter over at Burton makes that point, and reinforces it with this pithy quote: "Security is also not something an organization can purchase from any vendor or combination of vendors." There have been a lot of us preaching this gospel for a long time. Yet, I'm happy to yield the floor to Phil so he can reiterate the point. But now that we've said it, what are we going to do to MAKE IT HAPPEN. Right, it gets back to training, process, and accountability. TPA. Hmmm. I kind of like that.
   
2. What happens when you chop the head off the hydra? I can't remember very well, but in the monster movies I used to watch as a kid, if you chopped off the head of the monster, two or three would grow back in its place. Now that the Internet community has shut down McColo, do you think the flood of crap into your inbox is going to stop? Fat chance. Fisher speaks to some folks that echo that sentiment. Clearly, there will be a bunch more to pop up to take its place. It's an economic thing. Until consumers stop clicking and buying, there will be another 50 McColo's before we are done.
   
3. Deal: Barracuda takes out another small company no one has ever heard of. Buying 3SP, now the low-cost box maker has a SSL VPN to drive through their channels. These folks have broadly expanded their product line over the past year, but the question remains whether a typical small company (that likes to pay $3K for a box) wants 5 boxes. Or 1. I suspect they want 1, and it's not like these environments have massive bandwidth requirements. So it's about time Barracuda started integrating these functions into an integrated device. Oh the horrors.
   
4. Everyone is gunning for you when you're #1. Cisco is put through the ringer by NSS Labs because the security modules that go in routers and/or switches don't perform as well as stand-alone gear. Duh. If performance were the only arbiter of security product success, a number of well-known companies would be gone. But little things like simplicity and inertia also weigh into the buying process. Also interesting in the article is a Nemertes survey that says lots of users view Cisco as their "strategic" security vendor, with Microsoft coming in at #2. Guess I need to revisit the dictionary and see what strategic means.
   
5. I'll take a menthol, please. Enrique Salem takes the reigns at Symantec as John Thompson rides off into the sunset as they close the MessageLabs deal. This has been in the works for years and Enrique has been taking on more responsibility since the Brightmail deal brought him back into the fold. If anything John Thompson did make bold moves to remake the Big Yellow after years in the desert. Now the question is what to do will all the high priced parts.
   
6. Free as in beer. Both NetWitness and Mandiant release free tools to help investigators figure out what's going on. NetWitness makes their Investigator product free (of course, the infrastructure to deploy it at scale - not so free), which is a great way to build an upsell path to their enterprise product. Likewise Mandiant's Memoryze does memory analysis, which aids in investigations. I think this is great for the industry, since being able to investigate an incident is one of the top skills needed for tomorrow's security professionals. Kudos to both NetWitness and Mandiant for contributing to the cause.
   
7. Sun's recent layoffs seems to have created a frenzy in the media. Uh, like this wasn't expected. They have been moving around the deck chairs on the Titanic over there for years. Kudos to the MySQL guys that got paid in cash. But the best analogy I saw was from Serdar on his InformationWeek blog wondering if Sun is the GM of IT? There answer is there are a lot of GMs of IT. DEC was maybe the original, but maybe GM is the DEC of automakers. Anyhow, big companies missing product transitions and going away is not a new phenomena. It's happened before, and it's going to happen again.
   
8. EMC launches a new "cloud" computing company, called Decho, which is really just two of their acquisitions bundled together. Perhaps they are looking to have VMware lightning strike twice. They've got about the same chances as the same tree getting hit by a lightning bolt. When you look under the covers, the Mozy online backup service is interesting (and everyone should be backing things up into the cloud - for $5/month, why not?). And it's not clear what Paul Maritz's PI thing was even doing before he got the call to rescue VMW. Regardless, this cloud bandwagon is going to be here for a while. Wait for everyone to jump on. 

1. Shrdlu goes to town here about the counter goals of security, privacy and compliance. The conclusion is that these groups really should be separate because they all have different objectives that will conflict with each other. In a perfect world, where we all have tons of resources, that's absolutely right. But in the real world, we are likely not staffed to do that. But we can factor in those objectives when setting our success criteria and allocating resources. You need to be a bit schizo to do security anyway, and this is one of the reasons. Another gem in the post is the conclusion that compliance is a LOWEST COMMON DENOMINATOR and if you aren't out ahead of compliance requirements then there is no way you're either secure or compliant.
   
2. Seltzer wonders if Government networks can be secured. His answer? Theoretically they can. The reality, no they can't. But it's not anything they are doing right or wrong. No large network with the scale of the US Federal Goverment can be secured. There are just too many ingress and egress points and too many different folks configuring, changing and reconfiguring things. But that's the same for any large enterprise as well. The goal shouldn't be to "secure" the networks. If that's the success criteria, then we can't be successful - so why bother? Defining success is the most important task for a senior security professional, and being perfect (which is what "security" requires) isn't practical. So manage those expectations with care.
   
3. Microsoft talks about how they've evolved their SDL (security development lifecycle) to support web applications and the Agile development process. Once again kudos to Microsoft for using their own sausage machine as a way to both illustrate what to do (and sometimes what not to do), and use that experience to educate the rest of us. The reality is that things need to happen faster on web time, but the SDL necessarily make you take more time to ensure the right controls and tests have happened. It's definitely a bit of an impedence mismatch, so there is no wonder that most web applications are crap from a security perspective. It'll be an ongoing battle, but at least you can point to Microsoft and maybe jump over the inevitable potholes.
   
4. Do not fight fire with fire. This quick little answer on NetworkWorld's community answers the question of whether it makes sense to auto-respond to sp*m. The answer? Not so much. Those messages are sent using spoofed addresses, so the only thing responding will do is clutter the network with more crap. So hope that your filter catches things, and if not send it to the circular file. Richi Jennings has a similar answer on the Ferris blog, but focusing on out of office messages.
   
5. Deal: CA acquires Eurekify to add to their role management capabilities within the identity suite. This deal was actually pretty predictable since CA has been selling the solution for a while based on an OEM. And the consolidation train continues down the tracks.
   
6. There is no free lunch. Techdulla talks a bit about Microsoft's new BizSpark program, which helps startups by giving them an MSDN license for 3 years. This is all about priming the pump and remember there are very few incremental costs to stamping out a few more DVDs. Sure a little support, but Microsoft is so massive, it's a rounding error. And given that a lot of start-ups use open source tools (because the price is right), presenting a threat to Microsoft over time - this approach makes sense. Just be clear, they do intend on making it up on the back end.
   
7. Is DLP a nice-to-have or a must-have? That's the hundred million dollar question. Code Green moves to attack the enterprise DLP opportunity, but I'm still not a fan of this market. Not that the technology isn't required, but it isn't a stand-alone. I've been hearing that the Symantec folks (former Vontu) are doing well in DLP, but the remaining stand-alone companies are struggling. McAfee taking out Reconnex won't be the last fire sale we see. And as the economy tightens, I don't think it's going to get better for the vendors. Someone get some fire wood. We're going to throw a bunch more DLP companies on the pyre in the near term.
   
8. Check Tim Green's latest NAC column out to see an example of good marketing. A bunch of NAC vendors are now starting to look at additional use cases for the technology and to expand it's relevance. They chirp in Tim's ear and he goes and validates it. It's exactly the right thing to do, since unless there is a clear COST CONTAINMENT aspect to any new project, it's going nowhere fast in a down economy. 

1. Yes, it can happen to you. Looks like neither the Obama or McCain campaigns were reacting faster, since the FBI had to tell them they'd been owned by some foreign government (allegedly, of course). But it highlights the fact that if someone wants to get into your stuff, they are going to. Period. So you need to be able to detect funky activity (like important policy documents been moved to outside services) and investigate quickly. I can tell you that it's unlikely the FBI will proactively alert you, like they did the campaigns.
   
2. Looks like a new new thing is strong authentication for SaaS offerings. I've seen a few start-ups targeting that space (TriCipher and Symplified), but the big dogs are coming home. VASCO announces an initiative to extend their authentication infrastructure to the cloud. It seems more like fluff and strategic intent, but it's clear none of these folks that make a lot of money milking tokens are going to give up their cash cow easily.
   
3. I'm with Imperva's Sharon on his point that you should test your applications after every change. Besides the fact that the PCI powers believe it's the right thing to do, it actually is. Software is pretty complicated and changing it usually results in a bunch of regression problems that can create vulnerabilities. Actually, you don't have to test after you make an application change. You can wait for the bad guys to let you know you've made a mistake. And they will.
   
4. Regardless of what Stiennon thinks, "consolidation" continues unabated in the security space. Now it's Marshal and 8e6 joining together as a "merger of equals." Equals of what is the question, but strategically it does make sense since email and web filtering are coming together as this "content" security layer leveraging common service such as reputation.
   
5. Hopefully you all have added the eIQviews blog feed to your reader, so you can get more Rothman all the time. Our compliance evangelist, John Linkous, is doing a series on Security Information and Event Management (SIEM) over the past week and will finish that up with two more posts. The first two (Part 1 and Part 2) deal with defining SIEM and pinpointing some of the issues. That miraculously enough eIQ solves. :-) How bout that marketing puke!
   
6. Is SRP good enough? eWeek takes a look at Microsoft's Software Restriction Policies, which is simplistic white listing. I've been pretty vocal as to the importance of white listing moving forward and it's good to see Microsoft pushing forward on this. As a feature, of course, which means the independent vendors doing this need to continue pushing on additional value, and then hope that Big AV realizes they need this to get a deal done.
   
7. Is a content pirate getting you down? I tend to just disregard when some unscrupulous folks syndicate my feed and sell advertising around it. But if you are a bit more vindictive than I (though I have my moments), you can take an approach like Ian Lurie, who maps out a path (which anyone can do) to make it pretty unsavory for someone to steal your stuff.
   
8. The more things change... Secure Computing recently did their Q3 threats report and as much as many voted for change - it's still more of the same. Though political attacks predominated, we still have to pay attention to email security. Or run the risk of repeating history. 

I was filling the tank over the weekend and I was kind of shocked. I was able to get gas for $1.93 per gallon. I can remember waiting in line and paying over $4 only a few weeks ago. I filled the entire tank for about $35, which is kind of shocking.

It's amazing how far and how fast gas prices have come down. At the end of the day, I don't control gas prices. It seems the financial speculators do. They drove up crude oil and now the brought it back to earth. All I can do is manage my own fuel consumption, and hopefully I'll keep the focus on driving less - now that gas seems to be at a reasonable price. For a little while anyway.

A lot of folks are worried today. Worried for their jobs. Worried for their health insurance. Basically just worried. And justifiably so, but that doesn't make worrying either productive or worth doing.

A lot of the stuff happening around us is out of our control. I can't control gas prices, no more than I can control if a big prospect decides to push out a project. No matter how hard I work or how much I worry - the end result is going to be the same.

So don't worry, be happy! I think I've heard that somewhere before.

The other is the serenity prayer. I'm not really a religious guy, but this one also makes a lot of sense to me. "$deity (thanks Hoff) grant me the serenity to accept the things I cannot change, courage to change the things I can, and the wisdom to know the difference."

Go get something done today, and stop worrying about the stuff that you can't control. You'll be happier for it. I promise.

Photo: "Don't worry" originally uploaded by partsnpieces
Photo1: "Cheap Gas! Midwest City, Oklahoma on 30 Oct 2008 - $1.97 per gallon" originally uploaded by wfryer

1. PwC does their annual information security survey and finds security is still driven by compliance, as well as mergers and Web 2.0. Hmmm. First of all, I wonder if/how that has changed over the last 6 weeks. Back over the summer, I still saw compliance as the primary driver, though Web 2.0 was driving a lot of hype and getting folks to kick tires a bit. Virtualization security fit into that latter bucket as well. I do expect security spending to hold up better than other software markets, but that doesn't mean it's going to hold up well.
   
2. Cisco announces a good quarter, but a crappy outlook moving forward. Their security business grew 19% year over year, which is again further evidence that 1) it doesn't matter if your product is best of breed, and 2) big is still the new small. But check out their earnings call transcript because there is some great stuff there about how to deal with a downturn. Great stuff.
   
3. An agile Big Yellow? Hold the presses. Symantec has started their own internal incubator to give folks the ability to develop ideas outside of the "machine" or the big process the drives product development in a multi-billion dollar company. Actually this is a great idea, since the risk profile of leaving the mother ship and starting a new company is pretty ugly right now. I suspect a lot of engineers would jump at the chance to start new things, but within the warm embrace of a reasonably safe paycheck. And who knows, maybe some of them will actually come up with something.
   
4. Understanding the "brave new world." Chris Wysopal of Veracode eloquently discusses something that we probably already knew, but didn't want to say. Everything is a target, which means everyone has to worry about little things like application security. Of course, this is great news for Chris at his day job, though because everything is at risk doesn't mean everyone will decide they want to address that risk. Yet, I don't want to minimize the point, which is that you can't assume they don't want to target you anymore.
   
5. Little companies need IPS too. SourceFire goes down market with a few appliances targeting smaller organizations. I know, I know - it's not an IPS. It's their 3D system, which does more than just IPS things. Blah blah blah. The important part of this is that at some point every company needs to figure out how to get smaller companies to pay them money. And they also have to figure out the channel, since that is how you get to smaller companies. This is actually pretty predictable given the background of Burris (the new CEO), and is the right direction to go in.
   
6. 20% of 0 is still 0. Speaking of budgeting and security spending drivers, SearchSecurity highlights a recent survey saying community banks are going to increase security spending. I wonder if they took the results of the banks that aren't going to survive out of the analysis. OK, that was probably a low blow, and I suspect the survivors will have to spend more on security, but it's not clear how many survivors there will be.
   
7. OMG Gartner is blogging. Not Gideon Gartner, but some Gartner analysts. And it doesn't seem to be overly filtered. That's kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some discussion about it, but it didn't seem like such a big deal. But then again, if it wasn't made with hops or agave, it wasn't much of a big deal to me back then. He shows all the major outbreaks since then, which is always good to see graphically.
   
8. While FIRE is going down market, Code Green is going up market with a new enterprise-focused DLP platform. I'll make the same point I made before, but in a converse way. It's very hard to build a self-sustaining business only on the back of SMB as well. There are very few examples of that. So you do need to play in both. Now the real question is whether DLP is enough of a stand-alone market to support either the SMB or enterprise segment. 

1. IT security spending not darkened by economic gloom? Really? I guess according to the folks that NetworkWorld talked to. I still don't believe it. I recently read a survey in ChangeWave investing that showed even the vaunted security software market is poised to contract a bit next year (though less than everything else). I think it's ridiculous to think that in what will likely be a fairly severe recession that anything is "not darkened by economic gloom." Rain is not selective folks. When it pours, everyone gets wet.
   
2. Hoff puts a lot of the coming economic turmoil into context, basically saying a lot of the doom scenario folks are fearing were already in motion. Playing off a piece by Amrit, the Hoff makes the point that "Times are tough. So are we." Yes, we are security folks. But that doesn't mean we don't need to continue focusing on how to do more with less and do that more better than before.
   
3. Are we entering the age of whitelisting? Seltzer thinks so, and I do think the whitelisting solutions are maturing enough to be useful. I've been a big fan of whitelisting for quite a while, but also understand that it's a feature. It's another defense mechanism to make things work better. It's not in lieu of other methods of detection, it's to supplement what we already do. If we keep that context in order, I think whitelisting has a bright future.
   
4. If you can't beat them, join them. Webroot finally rolls a full consumer security suite to take on the Big Yellow, Little Red and the other 7 dwarfs of AV. Of course, even the smallest of dwarfs is bigger than the ENTIRE DLP market. But that's another story, for another day.
   
5. This guy can break your stuff. Interesting interview from Dennis Fisher with the guy from that Tiger Team TV show. Remember, these guys can get into your network. The question is how easily and how can you pick off the lowest hanging fruit. And also to remember to test your stuff. Guys like Chris Nickerson can do it proactively, or bad guys in foreign lands can do it also. You tell me how you want your facial delivered.
   
6. Azure sounds like something I want to put in a shot glass, but it's really Microsoft's cloud computing umbrella. The point is not about whether cloud computing will happen. It's about how you think about protecting your information when that information is no longer within the walls of your enterprise. It's happened already (salesforce.com, anyone?), and once Word and Excel don't suck in a hosted version, it's going to happen a lot more. Most security folks have basically stuck their head in the sand. That's not going to be an option for too much longer.
   
7. I read yesterday that airline traffic is approaching post-9/11 levels. That's not good for the airline industry, though I seem to be keeping them afloat single-handedly. NetApp uses that excuse as a reason to cancel their user conference. Regardless of the reason, it's time to start thinking about how to collaborate more effectively in a remote context. "Virtual trade shows" have pretty much sucked to date, but I expect a lot of innovation in that space. Because it's becoming less cost effective every day to pack up the 20x20 and head off to a show to stand around with 100 vendors. Conference organizers take note. There is a new day dawning.
   
8. Great explanation here by Michael Howard on how the recent out-of-cycle patches happened for Windows. This is a great example of having (and executing on) a containment strategy. Stuff is going to happen, even with the vaunted SDL on watch. Michael pinpoints how the vulnerability slipped through and what they are going to do to make sure it doesn't happen again. This is the way it's supposed to work folks. Once again, we can all learn from how Microsoft handles the security of their O/S.