Holy Crap! I took a job...

Submitted by Mike Rothman on Mon, 2008-10-06 07:19.
I'm constantly amazed by life's little surprises. If you would have told me I'd take a job before the end of 2008, I'd have laughed. But only after calling you a number of things I wouldn't say to my kids.

It's true. I've been named Senior Vice President of Strategy and Chief Marketing Officer of eIQnetworks. I've rejoined forces with Jim Geary, one of the co-founders of SHYM to work with the existing team and take eIQ to the next level.

No, I wasn't expecting this. No, I wasn't looking for a job. No, I didn't "need" to. Yes, I'm probably nuts for taking another vendor job. But a number of pretty cool things came together and compelled me to make this move.

I should always remember that "never" is a very long time. Given my short attention span, the idea of "never" doing anything again is pretty silly.

First things first, you may not have heard of eIQ. We (wow, it's weird to refer to a vendor as "we") provide a security management platform that transforms the way security, audit and compliance professionals do their jobs. Our product set fits very cleanly into my world view of how security management needs to evolve and what the products in the space need to do.

Yep, I've pretty easily slipped my slick marketing hat back on, eh?

Security Incite will live on!

Obviously, I can't continue to parade around as an "independent" analyst. So as of today I'm no longer President and Principal Analyst of Security Incite. I think I'll just call myself Chief Blogger. That's right, I'll still blog right here and do my usual "no bull" analysis of what's happening in the security space.

I'm also going to evolve the Daily Incite to a more reasonable format for a part time "hobby." No it won't be daily (but I'm too lazy to change the logo), but that shouldn't be a surprise because it hasn't happened daily in about two years. I'll probably do 2-4 snippets twice a week or so. I'll also continue to do at least one detailed post a week based upon what I'm seeing in my travels and working with customers.

I'm not going to talk (much) about eIQ on the Security Incite blog, though tomorrow I will dig a bit deeper into my rationale for making this move. Obviously I'll disclose when any of my posts would/could be influenced by my employer or slam my competition. Surprisingly enough, we're launching a blog at eIQ, so add that to your feed reader. A few of my colleagues and I will be blogging about security and compliance management over there.

Part of my job as SVP, Strategy is to be very visible in the community. So I'll be doing a lot of speaking engagements, trade show appearances, and meeting with enterprise customers. If you are interested in having me come speak to your group, I'm game - just drop me a note. I'll even bring a few Pragmatic CSO books to raffle off.

I'm humbled and grateful that all of you have joined me on this journey for the past few years. You've challenged my positions, told me about what is really happening out there, and become good friends. As I move into this new role, I hope you'll stick with me as I continue to poke fun at idiocy, fight mediocrity, and try to make a difference in how security professionals do their jobs.

At some point, I expect to open shop again as an analyst because I really do love the role. But until then, I hope you are still able to enjoy the Incite of yet another vendor puke.

Photo credit: "old time clock" originally uploaded by mbtrama

Pragmatic CSO Podcast #23 - Picking the Right Product

Submitted by Mike Rothman on Thu, 2008-09-25 09:06.

I guess picking noses is like picking products.

This week we'll focus on the 2nd half of Step 6: Buying Security Products, which gets down and dirty in picking the product. We've already engaged with a long list of potential vendors (we discussed that last week) and now it's time to figure out what will work for you.

Next we do a bake-off and actually test the products under real world conditions. Then we develop our short list (based on products that can meet the need), then we get to negotiate. Get out your bat because that's what you'll be using. Finally the selection should be obvious if you've done the other steps correctly.

If you didn't get the Buying Security Products ebook, you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you.

Running time: 6:56

Intro music is Jungle and to close the show I bust out a classic from the Pure Funk age called "Pick Up The Pieces" from the Average White Band. Yes, you remember it. Yes, you love it. Get funky! 

Direct Download: 23_Pragmatic_CSO_Podcast_23.mp3

Photo Credit: haledavid1@msn.com

Pragmatic CSO review on Slashdot

Submitted by Mike Rothman on Mon, 2008-07-28 13:35.

Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:

http://slashdot.org/article.pl?sid=08/07/28/1330215

Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.

Pragmatic CSO Podcast now on iTunes

Submitted by Mike Rothman on Tue, 2008-01-29 07:21.

Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.

To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.

[Screenshot: P-CSO Podcast on iTunes]

The Daily Incite - 11/20/08 - Sleep is good food

Submitted by Mike Rothman on Thu, 2008-11-20 10:29.
Today's Daily Incite

November 20, 2008 - Volume 3, #91

Good Morning:
I don’t get a lot of sleep. I burn the candle at both ends and that usually means the amount of time I’m checking out the back of my eyelids suffers. Like everything else, you adapt to the current situation. So I started to believe that getting 5 or 6 hours of sleep a night was enough. I figured I was one of those guys that could not only survive, but thrive on a limited amount of sleep.  I wouldn't want to be this guy's alarm...

I was wrong. You don’t realize how sleep-deprived you are until you get a decent night of sleep.

On Tuesday night, I slept in the tin can hotel. That’s my nickname for the red-eye back from the West Coast. I slept OK and got about 3 ½ hours of sleep on the four-hour flight home. Can’t really ask for more than that.

I just powered through the day, recording a webcast, doing some writing and the like. Then at 6 PM, it was on to kid duty. So I picked up the twins at school and took the three of them out to dinner. That was fine, though I did start to drag a bit towards the end.

Back home, get everyone ready for bed and by 8:15 I was about to collapse. Normally, I’d just power through it, pop open the laptop and get back to work. But last night, I figured I would jump into bed. So that’s what I did.

After 8 ½ hours of sleep, I feel like a new man. Seriously. I didn’t exactly jump out of bed, but I was not my usual grumpy self. No barking at the kids to get them ready for school. No angst when they start acting silly (they are kids after all). It really made a huge difference.

I also discovered that the kids tend to be less grumpy this morning. Maybe it’s because I was in a better mood. I’ll admit I’m not that smart, but I do recognize patterns. And this is one I can’t ignore. I’ve got to figure out a way to get a decent night’s sleep at least a couple of times a week.

It’s a bit early for New Year’s Resolutions, but that’s definitely going to be on the list. I think it’ll be good for everyone.

So shut down the laptop. Turn off the game and stop whatever you are doing at a reasonable time tomorrow. Get some sleep. It’ll help you enjoy the weekend and everything else. Have a good one.


Photo: "Sleeping cougar" originally uploaded by tambako
The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Incite 4U

Back to the grind of working through the list of stored links and finding stuff that's interesting. No real theme today besides some folks poking holes in the common myths that govern much of our life. Like you can build a consumer AV company or that NAC is a stand-alone business. How about whether a SaaS provider is better or worse at security than you. This and much more is revealed in today's Incite. Read on and enjoy!

  1. Let's all have a moment of silence for Microsoft's OneCare. Basically Redmond has decided to play the "if you can't beat them, give it away" game with consumer AV. I saw this first on the ZD Zero Day blog, though it's been big news the past few days. I guess it's a shelf space thing. They'd probably rather use their precious retail shelf space on higher margin stuff, especially given much of the retail electronics channel is either consolidating or going away. I'm sure it was a hard decision and a bit counter-intuitive for MSFT, given they usually throw money after losing markets for years. How will this impact the existing AV players? Not much. Inertia is so powerful in the consumer market and unless the incumbent screws it up, consumers tend to renew. Not even Microsoft's brand could help that.
  2. Kudos to the PCI standards council for actually listening and rolling out their quality process for assessors (pdf). That's right, this is QA for QSAs. But it's sorely needed. The variability is shocking. Some assessors are so inflexible, it's like they have a broom in their backside. Others are like jello, molding to whatever the customer wants. By implementing standards (or at least trying), this allows the clearing banks and card brands to point the finger at rogue QSAs. Sort of like risk mitigation for a standard that's supposed to provide risk mitigation. The credit card business is figuring it out. Why take any risk, if you can blame someone else.
  3. What's in conventional wisdom? Not a hell of a lot. NetworkWorld looks to get a bunch of opinions about topics like security by obscurity, open source security and the like. Some of the opinions are interesting, but I'll get back to something I harp on frequently. If you adopt "standards" and do what everyone else is doing, you are working at the lowest common denominator and the bad guys have your playbook. In today's world, that's not good enough. Conventional wisdom will get you killed.
  4. Earlier this month, Adrian at Securosis did a detailed analysis of database monitoring data collection options. I'm a big fan of all things monitoring and at some point folks will realize the database is pretty important, and therefore it's pretty important to monitor the database. Adrian and Rich have published a lot of stuff about it and even if you aren't ready to attack this issue yet (you have other blocking and tackling to take care of), read the posts and start to familiarize yourself with the vernacular. If you aren't doing it now, you'll be playing catch up later.
  5. Yes, I like monitoring on the network as well. That tends to look like network behavioral analysis (the products formerly known as NBAD). NetworkWorld does a fairly detailed primer on the technology and helps customers to understand how it works and where it fits. It's NetworkWorld, so it's not perfect, but it's a start. Remember, monitoring helps you REACT FASTER and the network never lies. You may not need (or afford) a dedicated NBA offering, but figuring out how to monitor your network is critical to being a successful security professional. And yes, my overlords offer NBA as a part of the product.
  6. Will biometrics ever get there? I've been in this business for a long time and every couple of years the idea that biometrics is the solution to something peeks its head out of the muck. Is now the time? Given we have constant cost containment objectives in a tight economy, using stronger authentication and attaching that to an SSO could make some sense. But I'm still skeptical. Yes, SSO makes sense since it does streamline the user experience. But strong authentication on top of that? Not so much. So I'm still in the camp that biometrics are still a technology looking for a problem to solve.
  7. Standalone NAC or DLP? Not so much. NetworkWorld covers a Nick Selby presentation that lays out the reality that these functions are features - not companies. We've already seen a number of deals (and companies going out) and we'll likely see more. But not that much more. Most of the big folks that need technology in this space have it. That means there are a lot of independents, whose options are to continue to slug it out, perhaps execute magnificently and eventually go public like Sourcefire. Not sure I'd wish that on anyone I know, since running a public company is at least Ring 4 in hell. Or maybe they accept the reality of the market and find a partner (like Reconnex), regardless of price. Fact is, Selby's right about one thing. It's a buyer's market out there and most of the buyers are looking for big time bargains.
  8. How secure are PaaS (platform as a service) options? Stuart King challenges the smart folks that say they aren't ready for prime time with a pretty simple question. Do you think a service provider has better security than you do? Hmmm. That's interesting and also true. Most enterprises are woefully unable to secure their own stuff. I can tell you platform providers spend a lot of time and money on security. Not enough, but there isn't enough time or money to do enough. I do think that on balance, most service providers will be more secure than the average enterprise. But they better be because it's the difference between trying to rob a bank and mugging people on the street. The bank's security is going to be better because they've got more to protect (and more to lose). To net it out, PaaS is an interesting option and will become more interesting as time goes on, but we do have to start asking the right questions relative to security.
  9. When did NetworkWorld become TeenBeat magazine? As a little end of week humor, check out this slide show about IT's "Hottest Rock Stars." You know, the folks that can fill a room and make young girls and maladjusted programmers swoon. Times have to be tough in the media business if they are resorting to this kind of crap to generate page views.

The Daily Incite - 11/18/08 - Peanuts 4 U

Submitted by Mike Rothman on Tue, 2008-11-18 08:41.
Today's Daily Incite

November 18, 2008 - Volume 3, #90

Good Morning:
It's the little things that make a big impression. Given my new gig, I've been on the road quite a bit. Probably even more than I expected and definitely more than I managed the Boss's expectations. I've been doing this for a long time, so the travel itself isn't the issue. But it's the state of the economy that is making travel less enjoyable.  This is priceless...

The fact is, we've all adjusted to the TSA and additional security requirements of flying today. I got that Clear card, and at least one time it saved me a bunch of time. But the incessant cost cutting on the part of the airlines is starting to take its toll.

For instance, the flight attendant on yesterday's flight was walking around with the little basket of snacks. Then she mentioned that they aren't carrying peanut butter crackers anymore. Hmm. Is it because of an allergy thing? Of course not, the bags of peanuts are still right there. It's a cost thing.

That's right. The peanut butter crackers are too expensive to give out anymore. I guess the $15 a bag they are charging for checked luggage isn't enough to offset the snacks. And now with oil prices back to a reasonable level, you'd think I could get a peanut butter cracker - but probably not.

The same cost cutting is happening in decent hotels. I'm writing this from a Westin, which is a much higher end stay than I usually pick. But I go to get a glass of water this morning and realize I'll only be having a (plastic) cup of water. That's right, no friggin' glasses in the Westin anymore. I associate plastic cups with a lower end hotel. Like a Hampton Inn or a Comfort Inn. Not the Westin.

But I guess now it's plastic for all. Maybe this is the "sacrifice" we've been told about having to make to get the economy going again. The germophobic boss is probably fine with plastic, but me - not so much. Though I better get used to it, it seems most businesses will be cutting corners for a while.

Have a great day.


Photo: "Airline peanuts: Priceless" originally uploaded by mcritz
Incite 4U

There was enough news yesterday to fill up the Incite. It's been a while since I didn't have to go into my stored links to pull stuff. But I'll get back to some stuff from late last week on Thursday.

  1. Security really is everyone's responsibility. Phil Schacter over at Burton makes that point, and reinforces it with this pithy quote: "Security is also not something an organization can purchase from any vendor or combination of vendors." There have been a lot of us preaching this gospel for a long time. Yet, I'm happy to yield the floor to Phil so he can reiterate the point. But now that we've said it, what are we going to do to MAKE IT HAPPEN. Right, it gets back to training, process, and accountability. TPA. Hmmm. I kind of like that.
  2. What happens when you chop the head off the hydra? I can't remember very well, but in the monster movies I used to watch as a kid, if you chopped off the head of the monster, two or three would grow back in its place. Now that the Internet community has shut down McColo, do you think the flood of crap into your inbox is going to stop? Fat chance. Fisher speaks to some folks that echo that sentiment. Clearly, there will be a bunch more to pop up to take its place. It's an economic thing. Until consumers stop clicking and buying, there will be another 50 McColos before we are done.
  3. Deal: Barracuda takes out another small company no one has ever heard of. Buying 3SP, now the low-cost box maker has an SSL VPN to drive through their channels. These folks have broadly expanded their product line over the past year, but the question remains whether a typical small company (that likes to pay $3K for a box) wants 5 boxes. Or 1. I suspect they want 1, and it's not like these environments have massive bandwidth requirements. So it's about time Barracuda started integrating these functions into an integrated device. Oh the horrors.
  4. Everyone is gunning for you when you're #1. Cisco is put through the wringer by NSS Labs because the security modules that go in routers and/or switches don't perform as well as stand-alone gear. Duh. If performance were the only arbiter of security product success, a number of well-known companies would be gone. But little things like simplicity and inertia also weigh into the buying process. Also interesting in the article is a Nemertes survey that says lots of users view Cisco as their "strategic" security vendor, with Microsoft coming in at #2. Guess I need to revisit the dictionary and see what strategic means.
  5. I'll take a menthol, please. Enrique Salem takes the reins at Symantec as John Thompson rides off into the sunset as they close the MessageLabs deal. This has been in the works for years and Enrique has been taking on more responsibility since the Brightmail deal brought him back into the fold. If anything John Thompson did make bold moves to remake the Big Yellow after years in the desert. Now the question is what to do with all the high priced parts.
  6. Free as in beer. Both NetWitness and Mandiant release free tools to help investigators figure out what's going on. NetWitness makes their Investigator product free (of course, the infrastructure to deploy it at scale - not so free), which is a great way to build an upsell path to their enterprise product. Likewise Mandiant's Memoryze does memory analysis, which aids in investigations. I think this is great for the industry, since being able to investigate an incident is one of the top skills needed for tomorrow's security professionals. Kudos to both NetWitness and Mandiant for contributing to the cause.
  7. Sun's recent layoffs seem to have created a frenzy in the media. Uh, like this wasn't expected. They have been moving around the deck chairs on the Titanic over there for years. Kudos to the MySQL guys that got paid in cash. But the best analogy I saw was from Serdar on his InformationWeek blog wondering if Sun is the GM of IT? The answer is there are a lot of GMs of IT. DEC was maybe the original, but maybe GM is the DEC of automakers. Anyhow, big companies missing product transitions and going away is not a new phenomenon. It's happened before, and it's going to happen again.
  8. EMC launches a new "cloud" computing company, called Decho, which is really just two of their acquisitions bundled together. Perhaps they are looking to have VMware lightning strike twice. They've got about the same chances as the same tree getting hit by a lightning bolt. When you look under the covers, the Mozy online backup service is interesting (and everyone should be backing things up into the cloud - for $5/month, why not?). And it's not clear what Paul Maritz's PI thing was even doing before he got the call to rescue VMW. Regardless, this cloud bandwagon is going to be here for a while. Wait for everyone to jump on. 

The Daily Incite - 11/14/08 - Positivity

Submitted by Mike Rothman on Fri, 2008-11-14 14:42.
Today's Daily Incite

November 14, 2008 - Volume 3, #89

Good Afternoon:
I got a question a while back from a reader about staying positive. As I've mentioned about a hundred times, I tend to be cynical and pessimistic and I need to really work hard to keep a positive attitude. I've made a conscious effort to be more positive and that means I have very little tolerance for Chicken Little types that only want to focus on the bad.  I think positivity is a word. Right?

So how do I do it? The truth is some days are better than others. But I surround myself with "can-do" folks, who look for ways to get things done. Not reasons why they can't. When you work in a group environment, it's absolutely critical for the leaders to build a positive culture. Folks that don't fit into that need to find somewhere else to work.

Recently I had to make a change on my team for that very reason. We all deal with challenges every day. Sometimes decisions don't go your way. Sometimes people screw up. But once something is done, it's done. Move on. Let it go. Tomorrow is a new day and a new opportunity for things to be better.

Besides the philosophy, I'm training my mind to let things go. I try to take at least 15 minutes each day to not think. That's been a huge tactic of mine to deal with the stress of existence and to not get all caught up on negativity. Some meditate, others pray, but I don't much care for definitions. Given the reality that my mind races at all times, I need to take a few minutes each day to not race. To slow down. To focus on not focusing. Yes, it sounds very Zen and part of it is.

Learning to quiet my mind is the hardest thing I've ever attempted. And I'm pretty crappy at it. But I'm getting better every day. I've found this quiet time allows me to leave things behind. Once I'm done, I don't have the baggage and I can be productive and jump into whatever challenges await me that day. I find that when I don't have time to not think, I am far less productive and far more irritable.

That works for me. Others like to think about how lucky they are. Some exercise to relieve the pressure. I know folks that make themselves laugh. Either at the futility of it all or about how others could be so dim-witted to make an ill-advised decision. But it's important to find a technique to get past "it." Whatever "it" is. Because if you can't, you'll be sentenced to a lifetime of angst and grumpiness. I'm fortunate that I've been paroled from that sentence. But my rehab continues every single day.

Have a great weekend.


Photo: "positivity" originally uploaded by lanqui
Incite 4U

TGIF. This week we had a sales meeting at my day job, and as fun as those are - it's exhausting. The rush to get ready, the rush of the training, and the rush of the parties all equal exhaustion. I know I'll sleep well tonight.

  1. Shrdlu goes to town here about the counter goals of security, privacy and compliance. The conclusion is that these groups really should be separate because they all have different objectives that will conflict with each other. In a perfect world, where we all have tons of resources, that's absolutely right. But in the real world, we are likely not staffed to do that. But we can factor in those objectives when setting our success criteria and allocating resources. You need to be a bit schizo to do security anyway, and this is one of the reasons. Another gem in the post is the conclusion that compliance is a LOWEST COMMON DENOMINATOR and if you aren't out ahead of compliance requirements then there is no way you're either secure or compliant.
  2. Seltzer wonders if Government networks can be secured. His answer? Theoretically they can. The reality, no they can't. But it's not anything they are doing right or wrong. No large network with the scale of the US Federal Government can be secured. There are just too many ingress and egress points and too many different folks configuring, changing and reconfiguring things. But that's the same for any large enterprise as well. The goal shouldn't be to "secure" the networks. If that's the success criteria, then we can't be successful - so why bother? Defining success is the most important task for a senior security professional, and being perfect (which is what "security" requires) isn't practical. So manage those expectations with care.
  3. Microsoft talks about how they've evolved their SDL (security development lifecycle) to support web applications and the Agile development process. Once again kudos to Microsoft for using their own sausage machine as a way to both illustrate what to do (and sometimes what not to do), and use that experience to educate the rest of us. The reality is that things need to happen faster on web time, but the SDL necessarily makes you take more time to ensure the right controls and tests have happened. It's definitely a bit of an impedance mismatch, so there is no wonder that most web applications are crap from a security perspective. It'll be an ongoing battle, but at least you can point to Microsoft and maybe jump over the inevitable potholes.
  4. Do not fight fire with fire. This quick little answer on NetworkWorld's community answers the question of whether it makes sense to auto-respond to sp*m. The answer? Not so much. Those messages are sent using spoofed addresses, so the only thing responding will do is clutter the network with more crap. So hope that your filter catches things, and if not send it to the circular file. Richi Jennings has a similar answer on the Ferris blog, but focusing on out of office messages.
  5. Deal: CA acquires Eurekify to add to their role management capabilities within the identity suite. This deal was actually pretty predictable since CA has been selling the solution for a while based on an OEM. And the consolidation train continues down the tracks.
  6. There is no free lunch. Techdulla talks a bit about Microsoft's new BizSpark program, which helps startups by giving them an MSDN license for 3 years. This is all about priming the pump and remember there are very few incremental costs to stamping out a few more DVDs. Sure a little support, but Microsoft is so massive, it's a rounding error. And given that a lot of start-ups use open source tools (because the price is right), presenting a threat to Microsoft over time - this approach makes sense. Just be clear, they do intend on making it up on the back end.
  7. Is DLP a nice-to-have or a must-have? That's the hundred million dollar question. Code Green moves to attack the enterprise DLP opportunity, but I'm still not a fan of this market. Not that the technology isn't required, but it isn't a stand-alone. I've been hearing that the Symantec folks (former Vontu) are doing well in DLP, but the remaining stand-alone companies are struggling. McAfee taking out Reconnex won't be the last fire sale we see. And as the economy tightens, I don't think it's going to get better for the vendors. Someone get some fire wood. We're going to throw a bunch more DLP companies on the pyre in the near term.
  8. Check Tim Green's latest NAC column out to see an example of good marketing. A bunch of NAC vendors are now starting to look at additional use cases for the technology and to expand its relevance. They chirp in Tim's ear and he goes and validates it. It's exactly the right thing to do, since unless there is a clear COST CONTAINMENT aspect to any new project, it's going nowhere fast in a down economy.

The Daily Incite - 11/12/08 - Reality Check

Submitted by Mike Rothman on Wed, 2008-11-12 11:28.
Today's Daily Incite

November 12, 2008 - Volume 3, #88

Good Morning:
It's time for a reality check. The US (and seems like much of the global economy) is clearly in a recession and perhaps even worse. That means companies are going to be streamlining their functions, wringing costs out, and realigning how they do things. Smart companies invest in taking market share during downturns, but they also make sure that existing operations are running optimally. On the other hand, not so smart companies just cut (seemingly) indiscriminately.  Knock knock. This is reality calling...

So what does that have to do with you? Basically you are at risk. That's right, we all are. In this kind of environment, you CANNOT make assumptions about whether your organization shares your opinion about your value. So it's time to revisit how you quantify your value to the organization and what kind of accomplishments you've achieved this past year.

It's almost salary review and bonus time (if you work on a calendar year), so it's not a bad time to go through the process now anyway. Basically, this is Career Management 101. If you expect your boss (or boss's boss) to be watching your back, you may be sorely disappointed. You see, most people spend most of their time watching their own back.

It's just human nature.

Which brings up the complexity of actually showing value in a security role. It's really hard to quantify and most of the senior team doesn't care. Until an incident happens and then they care a lot. That's why I am always harping on a strong security program. With success criteria, milestones, and the requisite relationship building at the senior level. If you are invisible, you just become a name in a spreadsheet with a lot of names that are shown the door. If you are part of the team, it's not as easy to make that call.

So be a little proactive this week and start the process of tooting your own horn, working your contacts, and making sure the senior folks feel the love. Better that than trying to find another gig.

Have a great day.


Photo: "Reality Check" originally uploaded by aldrea
Incite 4U

Wow, a lot of stuff piles up when you don't hit your reader for 4-5 days. After wading through a pile of crap, I've got a lot to talk about. It'll take me a few Incites to get through everything.

  1. Yes, it can happen to you. Looks like neither the Obama nor the McCain campaign was reacting very fast, since the FBI had to tell them they'd been owned by some foreign government (allegedly, of course). But it highlights the fact that if someone wants to get into your stuff, they are going to. Period. So you need to be able to detect funky activity (like important policy documents being moved to outside services) and investigate quickly. I can tell you that it's unlikely the FBI will proactively alert you, like they did the campaigns.
  2. Looks like a new new thing is strong authentication for SaaS offerings. I've seen a few start-ups targeting that space (TriCipher and Symplified), but the big dogs are coming home. VASCO announces an initiative to extend their authentication infrastructure to the cloud. It seems more like fluff and strategic intent, but it's clear none of these folks that make a lot of money milking tokens are going to give up their cash cow easily.
  3. I'm with Imperva's Sharon on his point that you should test your applications after every change. Besides the fact that the PCI powers believe it's the right thing to do, it actually is. Software is pretty complicated and changing it usually results in a bunch of regression problems that can create vulnerabilities. Actually, you don't have to test after you make an application change. You can wait for the bad guys to let you know you've made a mistake. And they will.
  4. Regardless of what Stiennon thinks, "consolidation" continues unabated in the security space. Now it's Marshal and 8e6 joining together as a "merger of equals." Equals of what is the question, but strategically it does make sense since email and web filtering are coming together as this "content" security layer leveraging common services such as reputation.
  5. Hopefully you all have added the eIQviews blog feed to your reader, so you can get more Rothman all the time. Our compliance evangelist, John Linkous, has been doing a series on Security Information and Event Management (SIEM) over the past week and will finish it up with two more posts. The first two (Part 1 and Part 2) deal with defining SIEM and pinpointing some of the issues. That miraculously enough eIQ solves. :-) How bout that marketing puke!
  6. Is SRP good enough? eWeek takes a look at Microsoft's Software Restriction Policies, which is simplistic white listing. I've been pretty vocal as to the importance of white listing moving forward and it's good to see Microsoft pushing forward on this. As a feature, of course, which means the independent vendors doing this need to continue pushing on additional value, and then hope that Big AV realizes they need this to get a deal done.
  7. Is a content pirate getting you down? I tend to just disregard when some unscrupulous folks syndicate my feed and sell advertising around it. But if you are a bit more vindictive than I (though I have my moments), you can take an approach like Ian Lurie, who maps out a path (which anyone can do) to make it pretty unsavory for someone to steal your stuff.
  8. The more things change... Secure Computing recently did their Q3 threats report and, as much as many voted for change, it's still more of the same. Though political attacks predominated, we still have to pay attention to email security. Or run the risk of repeating history.

Worrying about the "right" stuff

Submitted by Mike Rothman on Tue, 2008-11-11 07:34.

I was filling the tank over the weekend and I was kind of shocked. I was able to get gas for $1.93 per gallon. I can remember waiting in line and paying over $4 only a few weeks ago. I filled the entire tank for about $35, which is kind of shocking.

It's amazing how far and how fast gas prices have come down. At the end of the day, I don't control gas prices. It seems the financial speculators do. They drove up crude oil and now they've brought it back to earth. All I can do is manage my own fuel consumption, and hopefully I'll keep the focus on driving less, now that gas seems to be at a reasonable price. For a little while anyway.

A lot of folks are worried today. Worried for their jobs. Worried for their health insurance. Basically just worried. And justifiably so, but that doesn't make worrying either productive or worth doing.

A lot of the stuff happening around us is out of our control. I can't control gas prices, any more than I can control whether a big prospect decides to push out a project. No matter how hard I work or how much I worry, the end result is going to be the same.

So don't worry, be happy! I think I've heard that somewhere before.

That doesn't mean that we don't work like hell to impact the stuff we do control. You can't dictate the resources and funding that you get to complete your security projects. But you certainly can make the case for why you need more (but don't expect to be successful). More importantly, you can make sure everyone understands what's NOT going to get done. But don't get wrapped up in the outcome. You don't control it and decisions are going to be made "above your pay grade." That's fine. Right now it's about staying focused on the things that we CAN control.

When times get difficult, a couple of sayings echo in my head. The first is "this too shall pass." I can tend to be a pretty excitable character, but I'm trying to keep everything in better context. It's not a sprint, it's a marathon, and you have to get comfortable with the dips.

The other is the serenity prayer. I'm not really a religious guy, but this one also makes a lot of sense to me. "$deity (thanks Hoff) grant me the serenity to accept the things I cannot change, courage to change the things I can, and the wisdom to know the difference."

Go get something done today, and stop worrying about the stuff that you can't control. You'll be happier for it. I promise.

Photo: "Don't worry" originally uploaded by partsnpieces
Photo1: "Cheap Gas! Midwest City, Oklahoma on 30 Oct 2008 - $1.97 per gallon" originally uploaded by wfryer


The Daily Incite - 11/06/08 - No sharing (and it's a problem)

Submitted by Mike Rothman on Thu, 2008-11-06 14:54.
Today's Daily Incite

November 6, 2008 - Volume 3, #87

Good Morning:
One of the things I've always enjoyed most is getting to work with customers that are trying to solve some pretty tough problems. It was less fun when I needed to solve those problems myself, but being able to offer some advice, and try to position any number of different alternatives, remains a fun challenge for me. And this is pretty consistent whether I've worn a research hat or am representing a vendor. Only one fried chicken leg per customer....

Being at the Information Security Decisions show has given me the ability to have a number of great conversations with folks and figure out what's on their mind. I got into a pretty detailed conversation last night with someone who was asking why security folks don't talk about breaches and other issues more openly.

That's actually a great question and is (I think) the underlying concept for "The New School of Information Security." The book is still on my nightstand, and I guess it's probably time I crack it open and see what those guys have to say about the topic.

I explained to the person about the general paranoia of a security person, which is a cultural impediment to sharing a lot of information. But if that was the only reason, it could be overcome by a grass roots effort. The real problem is liability. If companies talk about their data breaches, then the tort lawyers have a ton of ammo to sue the pants off these companies.

At the show Mandiant's Kevin Mandia did the keynote on the state of incident response. One of the points he made was that in a breach scenario, it's critical to restrict information as closely as possible. Leaks happen and the information is usually neither complete nor accurate (remember the telephone game?). If you can restrict info as long as practical, it's best for most.

But that is obviously counter to using the massive number of industry breaches as instructive for all. So each company only gets to learn from their own mistakes, and that obviously makes it a much longer road to get better at protecting data. Yet, as long as there are significant financial penalties for sharing information, it won't happen. And that's a shame, but it is what it is.

Have a great weekend.


Photo: "Image_901" originally uploaded by sittered


Incite 4U

I'm continuing to adjust to the new demands of having a job and all that entails, while keeping up with my industry reading and the Incite. I'm still way behind in my reading, so many of these news items are still a week or so old. I plan to catch up over the weekend, and then get back into a better rhythm. That's the plan anyway.

  1. PwC does their annual information security survey and finds security is still driven by compliance, as well as mergers and Web 2.0. Hmmm. First of all, I wonder if/how that has changed over the last 6 weeks. Back over the summer, I still saw compliance as the primary driver, though Web 2.0 was driving a lot of hype and getting folks to kick tires a bit. Virtualization security fit into that latter bucket as well. I do expect security spending to hold up better than other software markets, but that doesn't mean it's going to hold up well.
  2. Cisco announces a good quarter, but a crappy outlook moving forward. Their security business grew 19% year over year, which is again further evidence that 1) it doesn't matter if your product is best of breed, and 2) big is still the new small. But check out their earnings call transcript because there is some great stuff there about how to deal with a downturn. Great stuff.
  3. An agile Big Yellow? Hold the presses. Symantec has started their own internal incubator to give folks the ability to develop ideas outside of the "machine," or the big process that drives product development in a multi-billion dollar company. Actually this is a great idea, since the risk profile of leaving the mother ship and starting a new company is pretty ugly right now. I suspect a lot of engineers would jump at the chance to start new things, but within the warm embrace of a reasonably safe paycheck. And who knows, maybe some of them will actually come up with something.
  4. Understanding the "brave new world." Chris Wysopal of Veracode eloquently discusses something that we probably already knew, but didn't want to say. Everything is a target, which means everyone has to worry about little things like application security. Of course, this is great news for Chris at his day job, though just because everything is at risk doesn't mean everyone will decide they want to address that risk. Yet, I don't want to minimize the point, which is that you can't assume they don't want to target you anymore.
  5. Little companies need IPS too. SourceFire goes down market with a few appliances targeting smaller organizations. I know, I know - it's not an IPS. It's their 3D system, which does more than just IPS things. Blah blah blah. The important part of this is that at some point every company needs to figure out how to get smaller companies to pay them money. And they also have to figure out the channel, since that is how you get to smaller companies. This is actually pretty predictable given the background of Burris (the new CEO), and is the right direction to go in.
  6. 20% of 0 is still 0. Speaking of budgeting and security spending drivers, SearchSecurity highlights a recent survey saying community banks are going to increase security spending. I wonder if they took the results of the banks that aren't going to survive out of the analysis. OK, that was probably a low blow, and I suspect the survivors will have to spend more on security, but it's not clear how many survivors there will be.
  7. OMG Gartner is blogging. Not Gideon Gartner, but some Gartner analysts. And it doesn't seem to be overly filtered. That's kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some discussion about it, but it didn't seem like such a big deal. But then again, if it wasn't made with hops or agave, it wasn't much of a big deal to me back then. He shows all the major outbreaks since then, which is always good to see graphically.
  8. While FIRE is going down market, Code Green is going up market with a new enterprise-focused DLP platform. I'll make the same point I made before, but in a converse way. It's very hard to build a self-sustaining business only on the back of SMB as well. There are very few examples of that. So you do need to play in both. Now the real question is whether DLP is enough of a stand-alone market to support either the SMB or enterprise segment.