The Daily Incite - April 11, 2007

Submitted by Mike Rothman on Wed, 2007-04-11 07:23.
Today's Daily Incite

April 11, 2007 - Volume 2, #60

Good Morning:
Thanks to the kind folks in Milwaukee for hearing me rant for a couple of hours about the Pragmatic CSO and other assorted topics. There is nothing like talking to a couple of dozen of Milwaukee's Best and I didn't even have to make a run to the recycling bin. Nor did I have any kind of hangover this morning. Sorry, I couldn't resist. Just being in Milwaukee, seeing the big Miller HQ downtown, the Leinenkugel factory, and my foggy but fond memories of the Beast - I was getting thirsty.

But the trip was very instructive and not just from the perspective of continuing to refine how I talk about the P-CSO. Clearly one of the things I need to work on is patience. I guess I've known that for a while, but the fine folks from Milwaukee made that abundantly clear. They are nice and mid-Western. No rush to do much of anything. As I'm sitting in the rental car line, the desk agent is chatting it away with all of these folks from around the States. She was very pleasant, but my blood was boiling. I wanted to say, "Quiet down, process the paperwork and let me get out of this damn airport." 10 years ago I probably would have. But yesterday I didn't. I chewed on my tongue and made my bit of pleasant conversation when I got to the front of the line. Lo and behold, I was rewarded with not only some karmic points, but also a car upgrade. To a Grand Marquis! Woo-hoo. That's an upgrade? Give me the friggin' PT Cruiser.

The thing was I wasn't even in a rush. I had a call to do, but I had already notified my client that I was running late and we moved the call back a bit. I had plenty of time to find a coffee shop to locate for the day. But I felt rushed. That's where patience comes in and that's why I need to work on it. Everyone has their shtick and I'm just wired to be impatient. But it's kind of a hassle and it increases my stress level for no apparent reason. And there are plenty of reasons for me to be stressed out, I don't need to add to them by worrying about 10 minutes in a rental car line.

But that's just me and if it's not patience, it'll be something else that I have to work on. Have a great day.



Top Security News

The death of AV is greatly exaggerated
So what? -  Today must be Groundhog Day. I'm on the road in a familiar city in a familiar hotel, running late (for a change), pounding out the TDI and having to once again debunk some "research" about the value of signature-based AV. Is AV dead? According to Jaquith and Robin Bloor (at least if their thoughts weren't taken out of context) in this NetworkWorld article (here), they are calling for the end of AV. At least that's the headline. Huh? Let's try this again. Signatures are one component of an anti-malware defense. Not the only, not even within a traditional anti-virus program. Do these products work great? Of course not, that's why you need layers. And sophisticated users that tend not to do stupid things online can get away without having an AV engine. But that's probably not even you and it's certainly not your users. I'm not a fan of repeating history, and if anything signatures help me stop the attacks I've seen before. Sure there are variants, but these things get updated every hour or so. I will concur with Andy's point that AV is a hard business, and staying on top of it is very resource intensive for the vendor - but a crappy AV vendor is a $100 million+ business - so I won't cry too hard for them.

Eye candy IS smart presentation
So what? - Fratto wonders a bit (here) whether network visualization technologies are just fancy pictures or whether they are useful. My opinion on this is very straightforward. You need it, even modestly sized networks need to be able to visualize what's going on. Why? Because you need to be able to figure out when something is not right. What's that they say about a picture is worth 1000 words? It's true. Security (at least pragmatic security) involves being able to react faster. Since you can't know what's coming at you (with any level of certainty), you need to be able to detect issues faster and network monitoring using a visualization/analysis tool can help with that. Now what I'd really like to see is something lower end to hit the mid-market. The existing solutions tend to be enterprise-class, and there is a big opportunity in the mid-market, but over time it will be subsumed into the network (and network security) management suite, which is probably provided by the network gear provider. But make no mistake, there is nothing wrong with eye candy if it helps you react faster.

Centralizing access control? On a mainframe???
So what? - This ESJ article (really an article this time, not a thinly veiled byline sales pitch) wonders about the role of the mainframe in security nowadays (here). Personally, I think this is a ridiculous concept and bears little resemblance to how computing is done. In this coming age of virtualization, the mainframe is pretty much another server. Sure there are more controls and reliability, etc. and it sure is expensive, but do applications know they are pumping data to a mainframe? Not really. So does a product that routes all access requests to a mainframe (even for Windows resources) make sense? Not really. Not so much on doing single sign-on centrally from the mainframe either. There are cheaper and more focused appliances that do the same damn thing. It's not like scale is an issue anymore, maybe reliability - but that's still a software thing. Crappy software is still crappy, even if it runs on the mainframe. If some folks are figuring out what to do with their big iron, I have to believe there is something more interesting than trying to use it as a high-speed access controller. How about using it as a jungle gym for geeky kids? That's an idea.


The Laundry List

  1. Eric Cole digs into laptop encryption, but from an innards perspective. Interesting reading. - here
  2. Guardium gets into the leak prevention business, as long as all your sensitive data is in a DBMS. To be fair, they are positioning as complementary to broader leak prevention products. - here
  3. GRISOFT introduces an anti-rootkit tool for the right price. Free. - here
  4. Reconnex goes to Provilla to get endpoint leak prevention. - here

 

Top Blog Postings

Communicating security to business people
As I was going through the P-CSO introduction yesterday in Milwaukee, I saw a lot of heads nodding. It's my hope (maybe a bit of my arrogance too) that constructs and thinking like the P-CSO will help train the next generation of security leaders. But if you think a 12-step program is a bit hokey for you, check out this James McGovern post because it makes many of the same points. He also does it in about 1000 words, and I took about 240 pages. But his point of "Security is a business issue, and many decisions should be made by business people," could not be more pragmatic. It is our job to give the power brokers enough information to make decisions. They need to decide how much they want to spend to protect certain business systems. They need to ultimately figure out what isn't going to get done. You (as a security professional) need to help them understand both sides of the decision.
http://duckdown.blogspot.com/2007/04/explaining-security-to-business.html

How about the security of security products?
Rebecca Herold is doing some good work, I've been linking to her a lot lately. Either that or the rest of the blogging community has been mediocre, including some ranting loudmouth in Atlanta who is not AndyITGuy. But this post also makes a good point about not trusting anyone or anything. Symantec had to patch an ESM hole this week, and we all remember the Storm-worm that targeted the Big Yellow AV. McAfee and Trend have also had some issues lately. Candidly, I'm surprised it doesn't happen more often. Microsoft software is used on hundreds of millions of computers, so clearly they are the primo target for the bad guys. But between Symantec and McAfee, you also have hundreds of millions of targets. Remember, the bad guys don't care how they own your machine, just that they own it. I suspect we'll be seeing a lot more of these AV suite attacks. Month of Symantec bugs anyone?
http://www.realtime-itcompliance.com/digital_library/2007/04/security_products_must_be_secu.asp

The balancing act of security
Layer 8 does a good job here of describing the push and pull of being a security professional nowadays. "It’s a balancing act of risk, reward, enforcement, and manipulation.  My job is to get my organization to follow its own rules.  Secondarily, it’s to help my organization make good decisions in how to follow its own rules, when the way isn’t clear." I couldn't say it better if I tried. He (I presume he's a he) lays out a lot of what it takes to do security right. I also get that the P-CSO 12 step isn't for everyone, though I appreciate the mention. But the real analogy that I like is at the end, being a security professional is more like Jiminy Cricket than Jack Bauer. You must be the conscience of the organization, not the superhero slaying the dragons out there. This is an outstanding post.
http://layer8.itsecuritygeek.com/index/layer8/the-great-balancing-act/
