The Daily Incite - February 27, 2007
February 27, 2007 - Volume 2, #35
Good Morning:
Not sure what is in the water, but I want to discuss another deep topic this AM. Yesterday it was about equality, and today it's about community and mortality. It's pretty strange when you chat with people you hardly know, but they know a lot about you. That's the blogging effect, and at first it's a bit unsettling, but I've come to really enjoy it. I choose to share some details of my life because I think it's entertaining and it helps me find common ground with all of you. And I really appreciate the related stories that you send (via email or phone). As I say in the preface to the Pragmatic CSO, I work alone but I never feel alone.
Another great example of a community is how one of my former colleagues and friends, Mary Catherine Bassett, has been using her blog (here) to document her father's journey as he fights a pretty rare and devastating cancer. As you read each of MC's posts, you feel like you are there fighting the battle with Bill and the rest of the Bassetts. You feel her pain and concern, but what comes across most clearly is the love this tightly-knit family has for one another, especially under the most strenuous of situations. It's truly an inspiration to those of us that don't fight this kind of life and death battle daily, and to those of us that do.
I guess it gets back to the reality that we need to enjoy every day because we don't know how many of them we have left. Maybe check out Mike Murray's book (here), which helps to focus you on your passion and find your calling in life. I do plan a full review on Mike's book because I think it's great, but life seems to keep getting in the way. The fact that I've found what I like to do on my own just reminds me how lucky I am. If you spend every day grumpy about what you AREN'T doing, then you need to re-evaluate what you ARE doing and why. Being grumpy is no way to go through life.
It's another milestone day, as today is the last Day of Incite for 2007. Yesterday's piece on security research and network analysis is here. Today's piece will be a bit of a rant on compliance, focusing on PCI. It's good to see that I'm not alone in my thinking that a good strong security program leads to compliance, not vice-versa. That Catalyst guy (Michael Santarcangelo for those that don't know him) puts up a post (here) that could have been written by me, except that it's nice. Which is not surprising because I've heard Michael is an exceedingly nice guy.
But it definitely reiterates one of the cornerstones of the Pragmatic CSO methodology and my research in general. There are no shortcuts, no panaceas and no way to get around the brutally hard work of securing your business systems. So roll up your sleeves and get to it. Things don't get done by wishing them to be done, now do they?
Have a great day.
Technorati: Information Security, CSO
Top Security News
Deal: PatchLink goes scanning
So what? - PatchLink acquired Harris STAT yesterday (here), and it seems to confuse Alan (here) and Mitchell (here). But my StillSecure friends are too close to the business (given they have a competing product) to see the forest for the trees. For those of you that don't know about Harris STAT, they have a vulnerability scanner that is used in a lot of government agencies. It's pretty clear PatchLink is starting to take pages out of the Patrick Clawson playbook (Clawson is PatchLink's CEO and formerly ran CyberGuard). Buy some second-tier stuff for cheap to aggregate a few existing security functions, but don't really worry about integration. Then sell it to someone else and make it their problem. Patching/remediation and scanning are first cousins (part of the process I call "security assurance"), so it does make sense for them to reside under one roof. Is there leverage in integration? Not so much. But there is leverage in growing the customer base and giving PatchLink an entry (even if it's tenuous) into the US Government space. After all, with Citadel going to McAfee and Altiris going to Symantec, there aren't a lot of chairs left and the music is going to stop soon. Clawson is betting a bit more heft will help them find a chair.
Messaging Security must be a trend
So what? - It's been interesting to see the resurgence in importance of messaging security. Of course my sense of timing is impeccably terrible, as I entered the space right when the large enterprise players were about to be Barracuda'd and I left 2 quarters before things started hopping again - driven by image spam and significant volume growth. Now everyone in the space wants to play in all sectors. Yesterday, I added Secure Computing's partnership with some no-name service provider (here) to the laundry list. After TDI went out, Trend Micro announced a whole mess of messaging security initiatives (here). Nothing novel here, but I still don't see the need to do much on the email server, with a strong gateway posture - unless it's free. But there is a bigger trend at work here. I said at RSA that anti-spam has started feeling like anti-virus to me, though maybe 25% of the total opportunity. Everyone needs it, and that leaves an opportunity for smaller and marginal vendors to make a pretty good living. Upon further reflection, it seems that content security (to paint it in a bigger box) is increasingly becoming what's next for the AV vendors as they grapple with commodity pricing and Microsoft on their home turf. Sure there are some gateway/networking vendors that will cater to the large enterprise (Cisco, Secure Computing), but the mass anti-spam market looks to be very AV-like with some competitors that we know pretty well.
Black Hat needs the cavalry
So what? - I'm starting to figure out Black Hat's marketing strategy, and it's pretty powerful. Have a company threaten all sorts of legal action (like Cisco two years ago), get lots of press and generate interest for the event. Work out the issue at the last minute and live off the buzz. The next year, speculate as to what's going to blow up to relive the buzz. Do it again. Brilliant marketing, but it does depend on a set of bozos (this year it's HID) that think highlighting the issue through threatened lawsuits will make it go away. How does threatening litigation help in burying a well-known attack vector? Now I'm a big fan of responsible disclosure (no, I'm not going there now), but HID doesn't seem to have an oar in the water on this one. At least based on Paul Roberts' account (here). This is not a new attack and HID presumably had time to understand it and fix it. No? Why they are making a big deal out of more of a "tutorial" is beyond me. But CMP will be riding this one all the way to the bank, and this isn't even their big show (that's Vegas over the summer).
The Laundry List
Symantec spins in circles, finally releasing their 360 offering - here
Apere's box focuses on network/identity integration. It appears to be yet another identity-aware device. - here
Truston jumps into the identity theft recovery business. - here
Top Blog Postings
More on virtualization security
I highlighted the Dark Reading article on virtualization security yesterday (here), and thankfully Thomas at Matasano has added some depth to what the issues really are. Or at least what they could potentially be. Thomas' opinion is for folks to get out ahead of it and build a policy about what applications can share hardware before it's too late. Kumbaya brother, but I don't get the feeling that folks understand virtualization well enough to define a policy that's worth the paper it's written on. That would also require the security folks to be involved before something goes to production, and that's a pretty big challenge. Pragmatic CSOs strive for that, but it's a long road and few are there yet. But I remain convinced that virtualization security is going to keep some smart guys pretty busy for the next few years.
http://www.matasano.com/log/708/dark-reading-on-virtualization-security/
Shades of gray
I've been a fan of application control solutions as another means to fight malware for quite a while (it even warranted its own 2006 Incite), and it seems that over time the market will actually get there. As KJH (Kelly Jackson Higgins for short) points out on her Network Computing Blog, there are a bunch of companies that take white-listing/application control approaches. To be clear - these are features, not companies. Kelly's post highlights Savant, but all of these folks are pretty much the same (Securewave, Bit9, etc.). And the clock is ticking, because the folks that tend to do signatures (black-lists) can pretty much add this at will. Some (like Sophos) are incrementally building it in; others will probably buy. But there is no shade of gray in my assessment - application control is a feature of the desktop suite.
http://www.darkreading.com/document.asp?doc_id=118192
Buy this guy the P-CSO
LonerVamp relays a tale of real woe from a mailing list about a guy whose organization is not really open to security. Ultimately this guy got frustrated and is leaving. That's too bad; it doesn't have to be that way. Suffice it to say, I know of a lot of folks that have given up and looked for a place that is more receptive to what they can offer (at least from a security perspective), and I'm cool with that. But taking a more proactive approach to dealing with management EARLY in your tenure is critical. You need to set the right tone and sell the powers that be on why security is important. You must set appropriate expectations. If anything, the Pragmatic CSO (here) process will help you figure out a lot sooner whether you have any chance of success. Isn't that worth $97?
http://www.terminal23.net/2007/02/a_tale_of_two_security_viewpoints.html