The Daily Incite - June 14, 2006
Good Morning:
First thing, I'd like to welcome all the new readers that have joined over the past week or so. Let me know what you think, and if you have suggestions for improvement, I'm all ears. Next I'll point you to the "why I blog?" post (link here) from Monday. I've gotten some great comments on that one, so thanks to all who contributed to the conversation. One comment from Michael Farnum was particularly interesting in that he was somewhat surprised I was actually honest about the economic driver for me to blog. To Michael and everyone else, I am brutally honest and I say what I think - to a fault. It's gotten me into a lot of trouble over the years, but I don't know any other way to do things. The Spin-Meister in me says that my style is "bold, refreshing and irreverent" and that's a good thing. Other folks just think I'm an ass, which is OK. Both camps are right.
On to security news, with Webroot introducing a new version of their anti-spyware stuff which includes rootkit protection. Good for them, they got there first before the big security players. It's a hard problem, so it will take the other guys some time. Looks like they bought themselves a bit more rope, but this doesn't get them off the hook of offering a complete anti-malware solution. They've got a ton of money, so they should just buy a smaller AV shop (like Kaspersky or Authentium) and start acting like a big boy. As I frequently say, if you don't act big, you'll never get big!
Have a great day.
Top Security News
Webroot does rootkits
So what? - I've said for a while that big security needs to figure out how to stop rootkits. All McAfee has done is say it's hard. Symantec clearly knows how to use rootkits (they got pummeled a few months ago about using one), but can they stop them? Mum's the word on that one. It's opened up an opportunity for folks like Xploit Prevention Labs and now Webroot. We've all been saying Webroot needs to stay ahead of the curve and become a more sophisticated anti-malware (as opposed to just anti-spyware) play to survive. Their new enterprise version adds kernel-driver protection to address rootkit-type stuff and gives them a bit more runway. Of course, a press release doesn't mean something actually works - BUT at least they are trying to fix the problem rather than just complain about it.
http://www.webroot.com/resources/archive/pr/0606-SSE3.html
Is Microsoft at the ForeFront of anything?
So what? - This InformationWeek article is interesting and also wrong. The angle Larry Greenemeier is playing is whether Microsoft will have an impact in the enterprise and when. Of course, they get some other analysts to weigh in, questioning Microsoft's credibility and pointing out that folks don't buy a version 1 from Microsoft. All of those points are right, BUT they are forgetting that Microsoft is not targeting the large enterprise with ForeFront. Mid-sized businesses have much less of a perception issue, and ultimately it usually gets back to what their VAR tells them anyway. ISA Server has had limited impact because of its form factor (software) when customers wanted to buy appliances. But it's not because it doesn't work. It's also interesting to have folks say that tools like Sybari are version 1; that stuff has been around forever. GeCAD and Giant are also fairly mature technologies, so I don't get that argument. And this idea that Microsoft updates software infrequently is also crap. I get an update to my MSFT anti-spyware more often than ZoneAlarm, and they do patch the OS every month. That argument just doesn't hold water. I've got lots of issues with Microsoft and how they do security, but it ain't around whether they update the software frequently enough.
http://www.informationweek.com/story/showArticle.jhtml?articleID=189400785
Just what we need - more email encryption
So what? - It never ceases to amaze me that companies can enter a small market with undifferentiated technology and expect to be successful. Yes, encryption is becoming more important (I've written about that a lot), but I'm not a fan of desktop-based email encryption. EaSecure is a new company that uses "envelopes," but it's really PKI-based email. Sure, you can try to mask the complexity of issuing credentials, etc. - but it's still there. Customers hate complexity. And they don't have any central policy (so the user needs to determine what should be secured). After we sold SHYM, some partners and I were working on a similar concept. It didn't work out, and I'm glad, because we would have gone down in flames. But I guess you need to marvel at the entrepreneurial spirit. Slightly more interesting is Intrusion, Inc. bundling an email encryption system with their leak prevention device. This is a much better deployment model, since the users don't have to worry about it. Policy says encrypt and it encrypts. And who knew that Intrusion was even still around?
EaSecure: http://biz.yahoo.com/prnews/060613/nytu065.html?.v=54
Intrusion: http://biz.yahoo.com/prnews/060613/datu034.html?.v=56
CounterStorm releases 2.0
So what? - So I spoke to the CounterStorm folks earlier this week and they have an interesting approach to threat management. As opposed to just using one tactic, they use a bunch, like pattern matching, "honeypots" to watch dark IP addresses, and anomaly detection. By itself, none of these techniques is interesting, but by CORRELATING the information from each technique about a specific IP address, they can pinpoint bad behavior more accurately. This approach works great in the spam detection space and it will become important in threat management. Their technology approach is clearly ahead of their marketing (it took them way too long to explain what they do), but that's a better place to be than the alternative. Keep an eye on these folks; large enterprises may find this an interesting alternative to IDS/IPS sensors everywhere.
http://www.counterstorm.com/news/releases/pr060612.htm
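To make the correlation idea above concrete, here is an added illustration (my own sketch, not CounterStorm's code) that keys alerts from three separate techniques on source IP and only flags an address corroborated by more than one technique. The alert line format, technique weights and the anomaly threshold are assumptions made for the example.

```python
# Added example: per-IP correlation of verdicts from independent detection
# techniques (signature match, dark-address probe, anomaly score).
# Alert format, weights and thresholds are assumptions for illustration.
from collections import defaultdict

# Constructed sample alerts: "<technique> key=value ..."
SAMPLE_ALERTS = [
    "sig   src=203.0.113.7  rule=ssh-bruteforce",
    "dark  src=203.0.113.7  dst=10.9.0.250",        # probe of an unused (dark) address
    "anom  src=203.0.113.7  score=0.92",
    "sig   src=198.51.100.4 rule=ssh-bruteforce",   # seen by one technique only
    "anom  src=198.51.100.9 score=0.35",            # weak anomaly signal
    "dark  src=192.0.2.77   dst=10.9.0.251",
    "dark  src=192.0.2.77   dst=10.9.0.252",        # same technique twice, not independent
]

TECHNIQUE_WEIGHT = {"sig": 1.0, "dark": 1.5, "anom": 1.0}
ANOMALY_THRESHOLD = 0.8   # assumed: anomaly scores below this are ignored


def parse_alert(line):
    """Split 'technique key=value ...' into (technique, {key: value})."""
    technique, *fields = line.split()
    return technique, dict(f.split("=", 1) for f in fields)


def correlate(lines, min_techniques=2):
    """Group alerts by src IP and flag IPs reported by >= min_techniques
    distinct techniques. Returns {ip: {"techniques": set, "score": float}}."""
    per_ip = defaultdict(set)
    for line in lines:
        technique, fields = parse_alert(line)
        if technique == "anom" and float(fields.get("score", 0)) < ANOMALY_THRESHOLD:
            continue   # a weak anomaly score on its own is noise
        per_ip[fields["src"]].add(technique)
    flagged = {}
    for ip, techniques in per_ip.items():
        if len(techniques) >= min_techniques:   # independent corroboration required
            flagged[ip] = {"techniques": techniques,
                           "score": sum(TECHNIQUE_WEIGHT[t] for t in techniques)}
    return flagged


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_ALERTS).items():
        print(ip, sorted(info["techniques"]), info["score"])
```

With the sample input only 203.0.113.7 is flagged: the single-technique and repeated-same-technique addresses drop out, which is the noise reduction the correlation buys you.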
PostX and Goodmail: Give me a "B," Give me an "A," Give me a "R"
So what? - What does that spell? BARNEY. Sometimes I see a business development deal and just laugh. Hard. This is one of them. Now the reality is that for statement delivery of which PostX is a dominant player, their customers are probably interested in figuring out how to get those statements through the spam filter. So there is some logic here, but "integration." Give me a break. I also love the last sentence: "Available immediately, the combined solution will be available through all the normal sales and distribution channels used by the respective companies." Oh yeah, this is a tight collaboration for sure.
http://www.postx.com/about_postx/news_events/press/20060613
Top Blog Postings
A new wave of hackers?
Evidently the folks at Kaspersky think $100 laptops for the developing world are a bad thing. Thankfully Techdirt calls them out on their ridiculous contention. It is true that as more devices connect to the Internet, there will statistically be more hackers and fraudsters. But today's hackers are very sophisticated and typically need to be able to use techniques that I'm not sure would even run on a $100 laptop. And even if they would, so what? If anyone is thinking that either by wishful thinking or by restricting folks' access to the Internet we are going to make the hackers disappear - I need to smack you upside the head. The threats are out there and they aren't going away, so we need to focus on protecting our own.
http://techdirt.com/articles/20060613/130246.shtml
The skinny on VoIP security
The Matasano folks have been busy and we are all the worse for it. Thomas is MIA (though he did explain that he's busy) and Dave Goldsmith is picking up some of the slack, but hopefully they'll get their product done soon and get back to what's important (for me anyway) and that's having them blog early and often. Dave picks up on the hype machine spinning about VoIP security and provides some clarification as to what's really at risk. Nothing he says is wrong, but I'm still not sure how/why it's different than what we already get with traditional phone lines. Folks have been using the phone for fraud for a LONG LONG LONG time. Did we really think they wouldn't find a way to do that over VoIP? If anything, the lack of a "central" VoIP directory (I mean phone book) makes it harder to get all of these new numbers. And to think that spam doesn't happen on your regular line is ridiculous. Working out of my house, I know my phone rings at least 20 times a day with telemarketing calls and I'm on the friggin' do not call list. I continue to think this is all much ado about nothing.
http://www.matasano.com/log/330/oyp-vey/
More open source security
Darknet points us to Oedipus in this post, which is a web application security tool targeted at penetration testers. Though we haven't seen new large-scale open source projects take on things like SIM or anomaly detection, there has been some activity around vulnerability testing. To me, it's just a matter of time before the open source business model dominates the start-up end of security. Why? Because it works, and security early adopters will take niche technology (without a lot of the enterprise bells and whistles) to solve very constrained problems. Once a solution is out there and it works, it's just a matter of time before big security acquires it to build into their "suites." We only need to see a few more successes like Sourcefire and Tenable to get the picture.
http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
Check out Hoff's bolo tie
Not to be outdone, Chris Hoff needs to make an even funnier poultry reference following up on Alan Shimel's and my IDS/IPS evolution posts. Besides Chris' clear comic genius, he makes a number of good points about the divergence of what I'll call "little UTM" vs. "big UTM" and the need for larger enterprises to abstract security into a "services" layer. Another great insight is the need to use all of the techniques (firewall, IDS, IPS, anomaly detection, and more) to adequately protect the infrastructure. Sure, I've been saying that for a while - and it's great to have folks agree with me, but more importantly it's right.
http://rationalsecurity.typepad.com/blog/2006/06/idsips_finger_l.html
Recently on the Security Incite Rants Blog
Perimeter defense - Tastes like chicken!
In this post I rant a bit about Alan Shimel's positions regarding the evolution of IDS/IPS. I posit that the move of IDS/IPS vendors to look more like UTM or even post-admission NAC solutions is both a logical and inevitable conclusion. I also take the position that customers will need both pre-admission and post-admission control over time. All the while making a reference to Godzilla's friend Rodan. You can't get this kind of stuff from big research, now can you?
http://securityincite.com/blog/mike-rothman/perimeter-defense-tastes-like-chicken
Security marketers - Fight complexity now!
It's been a while since I riffed on security marketing, so I revisit the topic by discussing complexity in product positioning and how to eliminate it. With 5 tips to start the process of simplifying your value proposition, this post is important for any of you working in a marketing capacity.
http://securityincite.com/blog/mike-rothman/security-marketers-fight-complexity-now
Read Tuesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-13-2006