Incites Redux - June 22, 2006

Submitted by Mike Rothman on Thu, 2006-06-22 08:32.
Security Incite

Good Morning:
Wrapping up the Incites Redux today, let's look at application security, end user education and the looming battle between Microsoft and Cisco. My hit rate for these three is less than stellar, but the race is not over. These are multi-year trends that will play out over a long period of time. But it gives me the opportunity to poke myself in the eye, so there is some value in that.

Relative to Cisco and Microsoft, it became clear that I never published a Day of Incite post back in January on this topic. Sorry about that. But security is only one of the key battlefields for these two. As Howard Anderson points out in a recent NetworkWorld, they are also battling over collaboration infrastructure and there will be more. Guess the old adage about picking on someone your own size has resonated with these two.

In the classics section today, I point to some of my personal favorites because they are the unbridled, brutal opinion pieces that I'd like to be known for. Life is too short to pull punches and worry about being politically correct. So I don't.
 
Have a great day, and I'm not going to publish tomorrow - taking a true day off. The Daily Incite will resume on Monday and I'm sure I'll have a lot to say.

Incite #10: Built to Last (Securely)

As application security functions are further integrated into UTM platforms in 2006, focus shifts to actually building software securely. The high tech vertical will lead the way in embracing behavioral changes for developers, source code analysis tools, and techniques to protect data at rest. New Web 2.0, SOA and on-demand application architectures with better security models increase in importance.

6-month grade: C-

Gosh, where do I even start with this Incite (link here). I still inherently believe that this Incite is correct, though I have little proof of it 6 months in. Basically, having a background in application security, I know this stuff is hard. Hard takes time. So unless you consider anti-spam to be an “application security function,” not a hell of a lot has happened relative to UTM integration of higher-level security functions.

Well, that’s not exactly true. Crossbeam does offer application security products from Imperva and Forum on their UTM platform, but of course, that’s not their own software. Customers do want this stuff, by the way. But it’s going to take a while for the folks that build UTM using their own software (or open source) to get to the application layer. It’s hard.

The challenge in making any kind of secure software process work is software. When under the gun (and what software company is not under the gun ALWAYS?), it’s the behavioral changes and the activities that don’t directly contribute to perceived revenue that get tossed. Application security falls squarely into that category. Of course, no one factors in what happens when your application gets hacked and you need to patch it and the cost to ice the black eye you get in the market. But that’s a story for another day.

The only reason this wasn’t an outright F is because these new application architectures are becoming more important. Yet, it takes years for new ways of building applications to become prevalent and we are early in that process. So this will help, but not anytime soon.

The other aspect that I’ll mention is the need to separate APPLICATION security from DATA security. These are different disciplines and I believe that most security folks are concentrating on DATA security. It’s under their control and these laptop thefts are becoming a big problem. I’ll be treating these disciplines differently moving forward.

Incite #11: It's Time for "Stupidity School"

Though distasteful, security professionals will be forced to undertake a structured and comprehensive education program to stop employees from doing stupid things. Given the sophistication of attacks and the difficulty in stopping them at the perimeter, educated personnel may be the only defense.

6-month grade: C

Just because it’s right doesn’t mean it’s going to happen. This Incite on end user education (link here) is a great case in point. No one I talk to says it’s not important, but they also don’t have good answers to get it done. And it’s hurting us because as attacks continue to get more targeted, the only defense is going to be making sure our PEOPLE do the right thing.

But when the list of tangible things to do is very long, and I don’t know any security folks that don’t have long lists – something drops. There are very few legitimate options to solve this problem, so most folks default to doing nothing, except continuing to clean up the mess. Certainly makes an entrepreneurial minded type of guy like me think that there’s got to be a better way to solve this problem.

In the short term, our only chance may be to back into a solution by relying on some of the work done by consumer-minded organizations to train folks out there. Organizations like Internet Keep Safe (iKeepSafe.com) and Blue Coat’s K9 Web Protection offer some educational materials that are home-focused but can apply to a work environment.

So, it’s unfortunate – but it looks like we’ll continue treating the symptoms and not the illness for the foreseeable future.

Incite #12: Battle of the Titans

The big will continue to get bigger in 2006, as frenetic consolidation continues and product line breadth outweighs actual functionality. By the end of 2006, it becomes apparent that the real battle is between Cisco and Microsoft to control the architecture of networks and applications moving forward. As with other huge “marketectures,” users are caught in the crossfire, but 2007 will see enough additional functionality for those embracing homogeneity to see a wave of infrastructure upgrades. Vendors not strongly aligned with one of the two titans face irrelevance by 2009.

6-month grade: B+

The big are getting bigger. Cisco is buying stuff, Microsoft is buying stuff, so are Symantec and McAfee. Despite Cisco and Microsoft continuing to play nice in the sandbox, I think folks are realizing that there is a battle looming and it’s between these two.

Do Symantec and McAfee get marginalized over time? Absolutely, unless they once again remake themselves and add value to the architecture stacks that Microsoft and Cisco offer. This will take years, but that’s the natural order of things. Those that fight evolution typically perish.

I’ve started to hear about a bit more pushback on homogeneity, which really means folks don’t want to write Cisco a huge check to upgrade the infrastructure just yet. Of course, even if someone had a huge check for Microsoft – they don’t have the new stuff to sell. So the 2007 – early 2008 timeframe for these waves of infrastructure upgrades feels about right, when the products are available and the value propositions a bit more clear.

But that does create an opportunity this year for upstarts that are trying to break in. So the secure LAN switch/NAC vendors have a window of opportunity for the next 12-18 months to get traction and get bought by Big Security. Those providing ways to protect a mixed XP/Vista environment consistently also have a chance in the near term. Lord knows customers aren’t going to get there overnight, so co-existence is important and it’s not something Microsoft wants to do.

So, the battle is looming. And those of you that are neither Microsoft nor Cisco need to figure out how to work within their architectures and add value, or else you go away. Pretty much business as usual.

Classic Security Incite Rants

Snyder's Hack Job
This is possibly my favorite post since I started Incite (it's neck and neck with the Farce of Market Sizing) because it's me at my most venomous, yet inciteful. Counter-intuitive, but logical and eviscerating a nemesis at the same time. It doesn't get much better than this folks. I guess I need to deal with it being all downhill from here.
http://securityincite.com/snyder-hack-job

Novell enters the "Hall of the Walking Dead"

In this post I take Novell to task for years of poor execution and bad decision making. Sure maybe I'm kicking the guy when they are down, but customers have to choose every year whether to further commit to a vendor, so it's never too late to poke someone in the eye that deserves it. Given that today Novell's CEO and CFO got fired, it seems their Board agrees as well.
http://securityincite.com/blog/mike-rothman/novell-enters-the-hall-of-the-walking-dead

More musings on the anti-spyware market
In this missive, I take on some of the folks that believe that anti-spyware can stand alone. It doesn't. Period. But this kind of perspective is critical to end users that again, need to vote with their dollars every day. Depending on the nature of your problem, you may want something stand-alone for now. But not forever - that's my point.
http://securityincite.com/blog/mike-rothman/more-musings-on-spyware-as-a-stand-alone-market