The Daily Incite - June 1, 2006

Submitted by Mike Rothman on Thu, 2006-06-01 10:26.
Today's Daily Incite

June 1, 2006

Good Morning:
JUNE! Hard to believe, May is now in the rear view mirror. I can comfortably say yesterday was my last appearance at INBOX. The session I did was sparsely attended by users, and although there was good conversation about email encryption - I left the panel not sure what we accomplished. INBOX has always been a weak show and despite having Guy Kawasaki's keynote - I can't imagine any of the sponsors there found the experience worthwhile. But enough about that.

I've been talking for a little while about the need for financial institutions to provide two-way authentication. Check out a blog post from George Ou below, as it seems that over 300 bank websites were redirected to a fraud site. Solving the problem is going to take one part technology and two parts outbound customer education - but it's critical and it's going to happen this year - driven by the FFIEC guidance. Strong authentication is hot baby!

Have a great day.

Top Security News

Deal: AmbironTrustWave buys Lucid Security
So what? - Slow week for deals, evidently some of big security must have lost their checkbooks over the Memorial Day holiday. In a private-private transaction, AmbironTrustWave - a PCI and compliance specialist - has bought Lucid Security, an upstart IPS vendor. This is an interesting combination, but it's not clear whether it's interesting good or not so much... Lucid's positioning was based on a high end database back end that was able to add and correlate data at high rates. So what does TrustWave do with it? And competing in the overcrowded IPS space is not a good answer. Probably use the data engine to provide more applicable compliance oriented reports.
http://www.atwcorp.com/pressReleases.php?n=Lucid

Norton 360 delays?
So what? - What is going on at Symantec? Seems to be pretty significant execution problems over there now. The latest Big Yellow spin is their new service offering may not be available until mid-2007. I'm a bit perplexed by this. It's not like they are doing anything really novel, besides packaging as a service and re-branding the offering. Maybe integrating some backup stuff, but it really shouldn't take a year to come up with a new logo. That gives Microsoft a year to provide existing Symantec customers with an option and another year for McAfee to drive more business through the AV channel and it's not like there is big brand loyalty in the consumer AV space. It's hard to continue milking the cash cow, if it takes a year for the cow to show up in the barn.
http://www.securify.com/news/pr_sec52.html

Security management becoming more actionable
So what? - Whether it's by acquisition (ArcSight/ENIRA) or partnership, the security management vendors seem to have gotten the picture that providing information - typically from the rear view mirror - without having the ability to remediate what you've found is not interesting to customers. Skybox Security and AlterPoint announced an integration yesterday where you can take the information gleaned from Skybox's models to feed AlterPoint's configuration management engine directly. Of course, with a business development driven deal you never know how tight the integration will be until you see it - but this is the right direction for Skybox and gives AlterPoint better information to figure out what needs to be reconfigured.
http://www.alterpoint.com/news/releases/release.php?idnum=54

Virtualization train is leaving the station
So what? - When I was in the email security business, getting customers to check out your stuff was always a challenge. You had to bring the box and there are pretty stringent change control mechanisms that big companies use which make a trial a pretty major endeavor. But with virtualization technology, and software-only "trials" or free versions of products - it's now a lot easier for administrators to just play around with the technology. The news peg is StillSecure making their free IPS product available on VMware for Windows. Again, the announce is not groundbreaking, but the ability for customers to check out their stuff before buying it and eliminating a lot of the friction to getting a trial in place is the right model for increasingly mature IDS/IPS technology.
http://www.stillsecure.com/news_events/prdetails.php?id=301
 
Wireless security is a feature
So what? - Over time some markets develop and some get subsumed into other categories before the innovative start-ups can get established. Wireless IDS/IPS is one of those markets, where security is so intrinsic to the infrastructure - the vendors of wireless gear must have "good enough" security embedded into their platform. That doesn't leave a lot of room for folks like AirTight, AirMagnet or AirDefense. Sure big companies have enough people and enough specialized problems to buy some equipment, but it will never break out and become a larger market. So that means Plan B for these vendors. AirTight has announced a new "architecture" to integrate a bunch of capabilities to add value to an existing wireless infrastructure. It's too little, too late for these specialists. Which is how it works sometimes in the big city.
http://www.airtightnetworks.net/news/news_company48.html

Top Blog Postings

300+ banks "redirected"
As mentioned in the intro, 300 banks' homepages have been redirected to a fraud site. But it was only one service provider that was compromised. George Ou has the details here, but SSL is one part of the equation. I think something more visual is going to be required to get consumers really bought in. I know my Mom won't be able to check the validity of the SSL cert and it will be a while before Vista shows up with its green "high assurance" bar. The banks need to take this bull by the horns and make some more demonstrable progress.
http://blogs.zdnet.com/Ou/?p=238

Ditch Skype - not likely
So Skype had a security hole and it was patched within a day. Big deal. Now the G-men are saying for employers to ditch Skype altogether. Depending on the policy of the organization, this may be the right thing to do - but because of concerns relative to information leakage, not because Skype is insecure. And small businesses, especially those that do a lot of work globally - there would be a dramatic cost impact of getting rid of Skype. And could you stop it, even if you wanted to? Short of implementing application control in each desktop, I'm not so sure. So this just feels like Gartner is trying to drum up some interest for their security conference next week, as opposed to really adding to the discussion.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188700351

The true impact of the VA data theft
Pete Lindstrom is trying to use logic to clarify the real impact of the VA data theft. To be clear, the theft was terrible and I feel for all of the veterans out there that are now at an increased risk. But the interesting part of Pete's post is that the sheer magnitude of the theft (26 million records) means that each veteran is actually LESS likely to be compromised. Pete correctly indicates that an SSN requires a considerable amount of extra work to "monetize" it. And there is no way the bad guys can get to all 26 million records. I know it seems a bit strange (and certainly wouldn't make a veteran feel any better), but Pete's thinking is correct.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/05/100.html

More analyst idiocy
Most of the time I just let a lot of the pretty silly things that some analysts say pass by without a comment. But I found two that I just couldn't let lie because they don't really help customers think about the problems they face. The first is some Forrester speculation on whether Symantec is now an acquisition target. BY WHO? Come on. Microsoft? Cisco? Give me a break. Forrester thinks Symantec is not big enough to compete with the "big boys." Huh? The Big Yellow is challenged now, but they do as much in security as anyone else out there. Including Cisco and Microsoft. And who is going to pay in the neighborhood of $20 BILLION for Symantec? This line of reasoning is nonsensical. And the G-men weigh in on instant messaging security, which just goes to show they seem to always be 6 months behind the market. I mean check out this quote: "Dedicated IM hygiene products are the best way to protect and manage IM usage.." Perhaps they figured out how to make the time machine work, but you are supposed to go forward. Not backward. Yes, IM security is something customers need to deal with, but it's a feature of a broader content security offering.
Forrester on Symantec: http://www.forrester.com/Research/Document/Excerpt/0,7211,39471,00.html
Gartner on IM Security: http://security.tekrati.com/research/News.asp?id=7151
