The Daily Incite - July 24, 2006

Submitted by Mike Rothman on Mon, 2006-07-24 06:56.
Today's Daily Incite

July 24, 2006

Good Morning:
Hope everyone enjoyed their weekend. I for one, had a good one but it was far from restful. We took the whole kit and caboodle to Chattanooga, TN to meet some friends passing through. It's a fun city with a lot to do for the kids, but let's just say one of my twins is in the throes of the "terrible 3's," so it makes life exciting to say the least.

On the security front, today I'm focusing a bit on management. Not that I really planned it this way, but when I took a look at the interesting articles I flagged over the weekend, most seemed to touch on management in one way or another. To be clear, my position on this hasn't changed much. I don't think security management is a standalone activity. It needs to be subsumed into a bigger log management category or be aligned with operational management capabilities that the NOC and data center folks have been building for years.

Another of my eclectic blog links is this one (here) from Seth Godin. Right, the "small is the new big" dude. I think I'll forgive him for that little transgression (how dare he go against my mantra) because so much of his writing is so insightful. Here he deals with how to give good feedback, and it starts with "it's not all about you." A good part of what I do for a living is to provide feedback and I like to think that I'm pretty faithful to these rules (even though I didn't know about them until yesterday). Whether we do things or manage things or pontificate on things, we all probably provide feedback in one form or another. "Be a mensch" is what my Grandma would say, and that's what Seth outlines here.

Have a great day.

Top Security News

Security sales down, but it's still a priority
So what? - The summer months tend to be slow in tech-land and this year is no exception. More troubling is what seems to be a fundamental and significant tightening of the belts of corporate spenders, at least relative to IT stuff. We've seen most public security companies announce weak quarters, at least from a revenue standpoint. Sure, they make their earnings numbers, but that is by dialing back spending more than anything. This survey from CRN indicates that security is still a priority, but just as the rising tide lifts all boats, the falling tide does the same thing. So it may be a bumpy 2H of the year as we figure out whether the economy is really slowing or whether we're just taking a well-deserved break.
http://www.darkreading.com/document.asp?doc_id=99567


Can you stop "insider" software developers?
So what? - I hate articles that basically just point out yet another hole, but don't give a relative likelihood that it's an issue. Just annoys the crap out of me. This article makes the point that software developers can plant logic bombs, etc. in their code and it's hard for the good guys to catch it. No sh*t, Sherlock. But given the relative likelihood that something like this will happen, don't you think time is better spent closing that gaping hole in your perimeter that the bad guys can drive a truck through? Or close up your conference rooms and WiFi, so you don't get uninvited strangers who just discovered NetStumbler. To be clear, there are too many things to fix. We can't fix them all, so we need to prioritize effectively, and maybe your developer is stupid enough to leave something in there during a code review, but probably not. So if they want to blow you up, they probably can. We need to trust the people in these positions, and I know that's a bad answer, but the fact is we've got so much other stuff to do that I don't see how the rank and file ever gets there. (No Hoff, that's not another cop out, just being realistic.)
http://www.informationweek.com/story/showArticle.jhtml?articleID=190900488


eWeek likes LogLogic
So what? - This is a pretty good overview of the log management space, in the form of a review of LogLogic's Release 3. Doesn't that sound like software? Well, it does, but LogLogic sells an appliance that gathers and reports on log events. You can use it to generate compliance reports and also pinpoint security issues. Yup. But as with every emerging market, now you've got a lot of competition (highlighted in my next two snippets), which brings lots of customer confusion. In a nutshell, you (as the buyer) need to understand your scalability and reporting requirements. Depending on those, the right solution will come into view.
http://www.eweek.com/article2/0,1895,1988869,00.asp


SANS Log Management Summit coverage
So what? - Richard Bejtlich just saved you a lot of money. His observations and notes from the SANS Log Management Summit were truly outstanding. It's like you were there. A couple of things struck me, most of all how he has grouped log management and security information management together. He's bought into the "repositioning" of all the SIM vendors because they realized their businesses add little to no value. But as he also points out, large companies need to be able to deal with 150,000 events PER SECOND. So unless your box was built for that kind of volume, you ain't going to get there. So we'll see soon enough who can scale, and that most can't. I also agree that sooner (rather than later) customers will get frustrated with existing LMI solutions, but that's when the true leaders will be established.
http://taosecurity.blogspot.com/2006/07/sans-log-management-summit.html


SIM: Enterprise management redux?
So what? - I found this post at Dark Reading pretty interesting, if only because Tim Wilson is right, but I'm not sure he understands why. He starts the article kind of surprised that SIM is shaping up to be like enterprise management of the mid-90's. The patterns ALWAYS repeat themselves. Pretty much every technology market develops in the same way, so it's kind of like Groundhog Day. You try different stuff, but you always end up at the same place the next day. Secondly, my recollection of the enterprise management wars seems to be different. I remember a ton of customers who were really pissed that they spent a bunch of money on things like SunNet Manager, OpenView and NetView. Sure, SNMP turned out to be the winning protocol, but that was like 1% of the promised value. The rest was bloated and non-useful. So yes, there are lots of similarities between SIM and enterprise management, and I suspect we'll see the same suspects (HP, IBM, CA) picking off SIM vendors for pennies on the dollar, integrating them into their now useful (10 years later) enterprise management suites and proving that there never was a standalone market for SIM.
http://www.darkreading.com/blog.asp?blog_sectionid=327


Top Blog Postings

Final note on responsible disclosure
The mysterious MCW Research (do you have a last name, dude?) follows up some of Shimel's postings last week with a bit more detail relative to who benefits from immediate disclosure and how irresponsible it is. I think we've all come to the same point, which is that immediate disclosure is just wrong. Give the vendor some time (3 months, 6 months, whatever) to fix the problem. If they don't, then definitely go public, but Michael's idea here of sending the POC code to IDS and IPS vendors is a good one. Let them get the signature out there and then release to the public. Moreover, perhaps work with a 3rd party patch vendor too. Oh, there aren't any real 3rd party patch vendors? There will be...
http://mcwresearch.com/archives/237


Global Security Week - what are you doing?

Thanks to Rebecca Herold for pointing out Global Security Week, where you can and should spend some time educating your users. This year's theme is Identity Theft. For a change, I am swimming upstream relative to my thinking that security education is important. Most security practitioners get continually frustrated with their attempts and the continual stupid things that end users manage to do, but that doesn't mean that the efforts are not important. They are just not sufficient. You still need the technical measures, but I will go down swinging on my belief that security education is a critical piece of the security puzzle.
http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/07/have_you_starte.html


Web site security is about more than the site

Spamroll points out that even if you spend some time making sure that your web site is secure, your database may not be. The fact is, most web applications are architected to both abstract the database and make it inaccessible, but not always. So once again, information/data security is something that needs to go hand in hand with infrastructure and application security. Topics like this also point to the importance of periodic penetration tests: application scanners may not always point out all the holes, but an experienced penetration tester will. Back when I was at TruSecure, we had guys that could break an application in about 10 minutes, and there are lots of other folks that can do similarly. And that's after it got a clean bill of health from a scanner...
http://www.spamroll.com/blogarch/2006/07/your_site_seems.php


Hackers pass the "AV test"
I'm kind of pissed I didn't think of this first. Of course hackers are using the widespread AV programs to test their creations before they let them out into the real world. Spamroll points out this is a good thing and I agree. I saw the same thing with SpamAssassin in the anti-spam business. In fact, the provider I use to send out the email version of TDI lets me run the message against SpamAssassin before I send it out. Of course, these are the lowest common denominator tools and AV is a different ballgame, but the techniques are the same. Goes back to the logic of running one AV engine on the gateway and another on the desktops. Cover your "bases," so to speak.
http://www.spamroll.com/blogarch/2006/07/popularity_of_a.php


Recently on the Security Incite Rants Blog

Dark Reading's Top 10 IT Security Myths Demystified - Part 1
Over the next week or so, I'll weigh in on Dark Reading's Top 10 IT Security myths and give you my perspective. In this first installment, I take them on relative to whether there is a data security epidemic and the idea of whether Microsoft alternatives are really that much more secure.
http://securityincite.com/blog/mike-rothman/dark-readings-top-10-it-security-myths-demystified-part-1

EAC Blog: The Age of Research Accountability
The folks at TechTarget were kind enough to allow me to repost the work I did on the Expert Answer Center to my own blog. This post sets the stage by going into a bit about me and why the status quo of IT research made me nuts. So nuts that I decided to do something about it.
http://securityincite.com/blog/mike-rothman/eac-blog-the-age-of-research-accountability
