Report Card: 2007 Incite #4 - Trust No One
40% of the way there. Let's keep pressing forward.
Incite #4 - Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007
Final grade: B
Yes, customers continue to struggle with the idea of protecting against the insider threat. They all know it’s a problem, yet with the sheer number of things that need to be done – many organizations are stuck in analysis/paralysis mode. Do they do DLP first? What about NAC? What about just contracting the perimeter and installing a whole mess more firewalls closer to the data that needs to be protected?
We’ll talk about DLP later (Incite 6), so let’s focus on NAC now. Suffice it to say, everyone is acknowledging that the technology disappointed relative to expectations in 2007. How could it not? But what will 2008 have in store? Probably not a lot different. Can you hear the wails of the VCs with hundreds of millions invested in the space? The early adopters will continue looking at how to overhaul their campus networks and do it in a more secure fashion.
Everyone else will wait until they clean up the other projects, which are ahead of NAC on the priority list. Little things like IPS and the like. Yes, there are still folks in the mass market focused on IPS and not some of these other shiny functions that we spend most of our time dreaming about. NAC standards efforts will continue to lag, although the new, open source OpenSEA 802.1X supplicant effort will pick up steam – basically because there aren’t any other options.
But to me, the last clause is what is most important about this Incite and the reason this was only graded as a B. The security monitoring philosophy is not spreading as quickly as it should. So many security folks are still married to the idea of blocking everything and have not grasped the folly of trying to outsmart the bad guys. In one man’s opinion, focusing on REACTING FASTER and doing that through strong monitoring capabilities is a lot better (and more sustainable). Maybe some more folks will start to get that in 2008. One can hope, no?
Check out the other posts in the Report Card series.

