Incite Redux - July 13, 2007

Submitted by Mike Rothman on Fri, 2007-07-06 09:57.
Security Incite


Good Morning:
Knock knock. Who's there? Real life. Real life who? Real life dumb ass. You better enjoy your last day of vacation because in a scant 36 hours you'll be back home to the sweet sound of screaming kids, the reality of bills to pay, and the general mayhem that is your daily existence.

Of course it's not that bad. Since I'm a big fan of change, if I wasn't happy - I would change it. But I'll be glad to get home and sleep in my bed, hug my kids, and get back to what I do best - pissing people off with my magic fingers and an Internet connection.

Since I'm writing this over a week ago, I have no idea if the weather has been good or bad this week. If the facilities were top notch or just overpriced. Or if I've gotten through the 2 or 3 books I brought along for the trip. But no matter, I'm sure the vacation was wonderful. Even a crappy vacation is usually better than the same old same old.

I'm hopeful that I'm tanned (as much as a pale face like me is going to tan anyway), relaxed and rested. That being away has made me appreciate how lucky I am and got me to focus on appreciating the good, not just fixing the bad. Overall I'm doing pretty OK and a week away from home is usually a good reminder of that.

But it's time to get back to business. It's not just what I do, it's what I love. I'm lucky to be able to make a living from doing something that I really enjoy. So enough of this vacation stuff. Let's get ready to rumble. The TDI is back - on MONDAY.

Have a great weekend.

Incite #9: Help Wanted: Fortune Teller

CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.

Read the original Days of Incite post on this topic.

6-month grade: C-

Security researchers are the new rock stars. They sneeze and 500 bloggers write about it and soon after the technology trade press starts buzzing. Put Thomas Ptacek and Joanna Rutkowska in a mud ring and let it start to fly. And anyone with a fuzzer can now claim security researcher status.

The reality is, I run the risk of whiffing on this Incite because I overestimated the ability of the researchers to do relevant work. Fighting over whether hypervisors are exposed? Makes great news fodder, but close to 100% of the devices out there DON’T have hypervisors running. So how does this research really help customers do their jobs better?

I know, I know. If we don't do the basic research, then we won't be ready when a new, innovative attack happens. I guess I'm just a little bit bored with all this theoretical attack mumbo-jumbo. I think a lot more folks should be focused on helping to understand today's attacks, as opposed to thinking about tomorrow's. After all, unless we get through today - there is no tomorrow.

Most of "today's" research analyzes the latest patches from Microsoft, Apple and Oracle – big whoop. Sure, helping a user to understand which patches to apply and which not to is valuable. But it seems the answer is just do them all because lots of folks have tools to make that a one button endeavor.

The Month of X bugs projects have been pretty useless too. Why? It seems the hackers have gotten lazy. They are content waiting for the patch cycle, reverse engineering the exploit, and 0wning the dummies that can’t figure out how to apply the patch in a timely fashion.

The most exciting exploit announced was Dino Dai Zovi’s Safari bug, which turned out to be a Java problem in QuickTime. The only reason that even exists is because of the $10,000 bounty. It’s just not interesting otherwise.

And then you get the potential liability around disclosure. Presentations at security conferences are routinely canceled now under the threat of litigation. Most of the researchers work for small shops and it’s not in their best interest to play chicken with a multi-billion dollar vendor with scads of lawyers. It’s easier to cancel, take the PR benefit (since everyone talks about the fact that the session was canceled), and move on to the consulting work that pays the bills.

I guess we just haven’t found the business model that makes security research pay quite yet. It’ll happen because it needs to. Mr. Market will ensure that – but unfortunately it probably won’t be in 2007.

Incite #10: Time to get PC(I)

PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.

Read the original Days of Incite post on this topic.

6-month grade: D

Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation on stone tablets emerges from Mount Sinai to save everyone.

Even though there has been precious little enforcement, hardly any recent perp walks, and increased scrutiny on security expenditures (yes, that is happening), nothing is derailing the compliance juggernaut.

So it’s time for me to move to Plan B. Let’s figure out how to use compliance in the most effective way. How to play on the continued fear and get what you need, while sending the bill to the compliance guy. Basically much of that is outlined in the Pragmatic CSO.

The process is pretty simple. Find out what is important to the business, protect it, communicate your successes and make deposits in the credibility bank. You can trade your credibility currency for compliance money when you need something.

Sounds too simple? I thought so too. But it's not. For about 5 years running the death of compliance funding has been greatly exaggerated. I’m no bandwagon jumper, but it’s time for me to accept reality and pull the splinters out of my backside.

Compliance will remain a factor for the 2-3 year planning horizon. Now I need to go get some Tums, since eating crow wreaks havoc on your digestive tract.