The Daily Incite - April 28, 2008
April 28, 2008 - Volume 3, #41
Good Morning:
Friday night I went to go see the Boss. No, not the Boss that I live with, but THE BOSS. That's right, Bruce Springsteen and the E Street Band. I do have to admit that I'm not the biggest Bruce fan. I do love his classic stuff. But he jumped the shark with Born in the U.S.A. and was in a slump for a couple of decades. A few years ago, things started moving in the right direction (IMO anyway). The Rising was OK and showed some life, and the new album (Magic) is fantastic.
But that's the recorded music. If Springsteen comes to your town, you go. Those folks put on a great show. They played for about 2:45 and took like no breaks. The band was tight, really tight. You can check out the set list, but what was most impressive was the number of audibles they called during the show. Bruce would pull a poster naming a song out of the crowd, motion to the band, and they'd launch into it.
You can tell, even after doing this for 35+ years, they all still love it. It's their passion. There isn't anything they'd rather be doing. It was inspiring and got me to thinking about how many of us can say the same thing. Is there anything else you'd rather be doing right now? Do you feel that way more often than not?
That's a pretty instructive question. Be honest with yourself. If the answer isn't what you think it should be, then start thinking about what changes you can make. Life is too short to be doing stuff you hate. It's not always possible, but you can strive for it, no?
Which brings me to my next topic, a guy that has maybe too much passion. The NFL draft was this weekend, which means that loudmouth Mel Kiper, Jr. was everywhere at all times. What a gig that guy has. I'm not sure what he does for the other 11 months of the year, but starting at the NFL combine, all you hear is Kiper. He's less grating than he used to be, but still. Thankfully we won't have to hear from him again until next March.
The G-men had a pretty good draft and, being a Falcons season ticket holder, I'm hoping Matt Ryan lives up to the hype. The few days after the draft are always about what could be. Living in the future is OK, but sooner or later you need to get on the field and play. When does training camp start again?
It doesn't feel like Monday, does it? I think the weeks just keep running and running and running. I'm taking some time off towards the end of the week. So I'll be doing a P-CSO newsletter tomorrow and then the final TDI for the week on Wednesday. Many miles to traverse between now and then.
Have a great day.
Photo: "Bruce Springsteen & The E-Street Band en Madrid", originally uploaded by Bisharron
Top Security News
Great, 2.7 million people that have no idea what's going on
So what? - It must be good to be the ISC2 nowadays. If you believe the survey they commissioned Frost and Sullivan to do, there will be 2.7 million security professionals by 2012. The survey also goes into a bunch of skills these security professionals need. Amazingly enough, getting a CISSP is top of the list. I'm kidding. The survey is interesting, but (and I know you are shocked) I have a different opinion. I think there will be 0 security professionals in 2012. That's right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it's an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they'll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I'm with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long-term planning horizon (7-10 years). So start practicing, "I do secure networks." Not "I do network security." There is a big difference.
Will the ASA be pretty too?
So what? - You have to hand it to Scott Weiss. After he made mincemeat of all the anti-spam players (his IronPort does more in a quarter than the other anti-spam appliance vendors combined, or pretty close to it), now Chambers has given him the keys to the entire security car. I suspect he has his branding folks working on new bezels for all of the security appliances. A pretty box is a box that sells, don't you know. OK, sour grapes and kidding aside, Weiss is out flogging the idea of reputation on all of the security devices. This isn't a unique story (Secure and BorderWare have also been espousing reputation everywhere), but there is something there. If I can get a clue about the intent of someone trying to connect to my networks, then I have a better chance of reacting a bit faster to what they are doing, as opposed to waiting for my IPS to figure out it's really an attack. Reputation has worked very well in the anti-spam business. Its utility isn't as clear in the web filtering space and even less on the firewalls, but the concept makes sense.
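To make the "clue about intent" idea concrete, here is an added illustration (not code from this newsletter or from any of the vendors it mentions) of how a network device might consult a reputation table before a new inbound connection reaches the IPS. The reputation entries, the score thresholds, the feed format and the fixed clock are all constructed for the example; the point it adds to the text is that a stale or missing reputation entry should fall back to inspection, never to a block, so the feed supplements the IPS rather than replacing it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed reputation table standing in for a vendor feed export (hypothetical
# format). Scores run 0-100, higher is worse; "updated" is when the entry was
# last refreshed, so a stale entry can be recognised rather than trusted blindly.
REPUTATION = {
    "198.51.100.0/24": {"score": 95, "category": "spam-source",
                        "updated": "2008-04-27T12:00:00+00:00"},
    "203.0.113.0/24":  {"score": 92, "category": "botnet-c2",
                        "updated": "2008-04-28T06:00:00+00:00"},
    "203.0.113.7/32":  {"score": 60, "category": "scanner",
                        "updated": "2008-04-28T06:00:00+00:00"},
    "192.0.2.0/24":    {"score": 5,  "category": "clean",
                        "updated": "2008-04-28T06:00:00+00:00"},
}

BLOCK_AT = 90                   # score at or above which the connection is dropped
THROTTLE_AT = 50                # score at or above which it is rate-limited and logged
MAX_AGE = timedelta(hours=24)   # older entries are ignored (fail to inspection)

# Fixed "current time" so the example is reproducible offline (constructed).
EXAMPLE_NOW = datetime(2008, 4, 28, 14, 0, tzinfo=timezone.utc)


@dataclass
class Verdict:
    action: str   # "block", "throttle", "allow" or "inspect" (hand to the IPS)
    reason: str


def lookup(src_ip, table=REPUTATION):
    """Return (network, entry) for the longest prefix covering src_ip, or None."""
    ip = ip_address(src_ip)
    best = None
    for prefix, entry in table.items():
        net = ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def triage(src_ip, now=None, table=REPUTATION):
    """Decide what to do with a new inbound connection before deep inspection."""
    now = now or datetime.now(timezone.utc)
    match = lookup(src_ip, table)
    if match is None:
        return Verdict("inspect", "no reputation data; hand to the IPS")
    net, entry = match
    age = now - datetime.fromisoformat(entry["updated"])
    if age > MAX_AGE:
        # A stale verdict is no verdict: fall back to inspection, never to a block.
        return Verdict("inspect", f"reputation for {net} is {age} old; hand to the IPS")
    label = f"{net} scored {entry['score']} ({entry['category']})"
    if entry["score"] >= BLOCK_AT:
        return Verdict("block", label)
    if entry["score"] >= THROTTLE_AT:
        return Verdict("throttle", label)
    return Verdict("allow", label)


if __name__ == "__main__":
    # Constructed sample of inbound connection sources.
    for src in ["198.51.100.23", "203.0.113.200", "203.0.113.7", "192.0.2.10", "10.0.0.5"]:
        v = triage(src, EXAMPLE_NOW)
        print(f"{src:>15}  {v.action:<8}  {v.reason}")
```

Run as a script it prints one line per sample source. The longest-prefix match is what lets a single scanner host inside a badly scored /24 get a different verdict from its neighbours, and the age check is the piece most reputation pitches skip: a feed that stopped updating yesterday should lose its right to block traffic.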
NAC differentiation is hard to come by
So what? - Sometimes I just have to laugh. Or I'd probably string myself up from a tall tree in the neighborhood. Dana Hendrickson lampoons a recent Impulse Point release talking about "Green NAC." No, that's not a NAC appliance you leave outside too long so it gets all mossy. These folks figure they can save you 92% in energy costs. Is that a key NAC differentiator? That would be the first I heard of that. And the basis of the argument isn't that their industry standard appliance is any more power efficient than the other guys'. It's that they require fewer appliances. Boy, that's a stretch. Let's suspend disbelief and think for a minute: if this were true, why not just get one of the UTM devices that claims to do NAC as well? Wouldn't that save even more power because everything is on one box? While we are at it, why don't we just run VMware on the mainframe and have everything virtualized on the Big Iron. Power to the People. Bring back the mainframe. Bring it back right now! Who knows how to tie a noose?
The Laundry List
- The answer to PCI is SSO? According to an SSO vendor it is. But the byline reads like news and some unsuspecting sap is going to actually believe it. - TechNewsWorld coverage
- Virtual UTM is coming. You heard it here first. Blue Lane adds a firewall to their VirtualShield. Soon it'll have VPN and anti-spam. We don't need no stinkin' 1U's. - Blue Lane release
- Outsource incident response? Why not, if you can't do it internally? SecureWorks announces a set of services around planning incident response and then doing forensics. - SecureWorks release
- IBM ISS targets the mid-market with security "as a service." I guess if you can't sell them products anymore, you may as well try to sell a service or 10. - IBM release
Top Blog Postings
Maybe a grapefruit will work better?
Chandler rues a bit on the challenges of building a set of security and/or risk metrics that are relevant to mahogany row. It's hard and it usually means that we security folks have to keep a few different "sets" of books: the reports that are focused on business relevance and the reports that are operationally centric and help to figure out what is going on. There are probably more. Chandler's main point is that the risk folks and the security folks (in financial services firms you usually get a lot of organizational separation and disparity) aren't on the same page relative to accepting risk by enforcing policy compliance. Yeah, that's a mouthful, but the reality is that the risk folks don't want to accept anything besides everyone else working to eliminate all risks. Then they can point the finger when something goes down. Not that I'm pointing fingers, because it's a natural reaction. But the reality is many of these metrics are actually apples and oranges, and Chandler's first (and most important) point is that many of the metrics we track do not compare well "across industries or even within industries." That's a big problem because without a relative point of comparison, you have no idea how you are performing.
http://thurston.halfcat.org/blog/2008/04/14/metrics-and-oranges/
Another 5 from Amrit
This time the BigFixer is focused on 5 security metrics that matter. Amazingly enough, they all can be pumped out of his configuration management system. OK, low blow, but I know AW can take it. The reality is that we've already proven that having managed devices that adhere to a strong security configuration can help eliminate issues. But how many of us keep metrics along those lines? Do you just assume that all of the devices use these standard configurations? Amrit's 5 metrics aren't brain surgery, but I tend to think most practitioners can't answer these questions with data. Which is, of course, a huge problem. But as Chandler's post also intimates, we've made very little progress relative to security metrics, and that's because it's hard. I'm talking to a lot of the smartest folks out there on this topic and there are still a lot of disagreements about what should be counted, why and how. Until we get on our own page, how can we expect the rest of the organization(s) to get on board as well?
http://techbuddha.wordpress.com/2008/04/24/5-security-metrics-that-matter/
Has marketing figured out metrics any better?
Since I'm not that smart, I try to find other analogies or comparisons that can serve to show how a security problem can be solved by what someone else has done in some other business. Being somewhat of a marketing hack (or former marketing hack anyway) myself, I thought I'd see if the marketing folks have figured out a way to hold themselves accountable and prove value, because marketing is an "overhead" function as well. At least if you ask most CEOs and sales folks. Sports fans, the news is not good. According to Francois, "Not only are some companies measuring the wrong things, a majority of them have no ability to measure anything at this stage." Sound familiar? It gets better. Most marketing organizations that can't prove marketing ROI have no one assigned to drive a metrics process. And a lot of marketing ROI is negative, so there is an inherent disincentive to really count and become accountable. The similarities are frankly a bit unsettling. Marketing has been around a lot longer than security as a discipline, and they've made very little progress. Are we wasting our breath even talking about this metrics stuff? Should we just stick our heads in the sand and hope we can still get our projects funded by the grace of a higher being? Or maybe we just learn how to tie that noose.
http://www.emergencemarketing.com/2008/04/16/measuring-marketing-effectiveness-is-hard…/
Proudly CISSP and CISM - but more proudly pragmatic.
Actually, when I read the press announcement for this piece I was intrigued. Then I read through the whole report... ISC2 clearly had its agenda for F&S. 58% of the respondents were from companies of less than 500 people; relevance to me dropped off dramatically.
SA