The Daily Incite - June 2, 2006
Good Morning:
First I'll apologize for my lack of blogging this week. Being on the west coast did not give me a lot of time to do much besides meet with folks and do The Daily Incite. But I'll be back in the office next week, so look for a flurry of activity to catch up.
Leadership is a fleeting thing and the perception of power seems to change overnight. It's very interesting to see Symantec acting like a loser. In looking at this story (link here) about how Enrique Salem (the head of Symantec's consumer business) answered questions at an analyst meeting, they are legitimizing Microsoft with a lame story about how they are going to "stay ahead." Sure, that is harsh. Last time I checked, Symantec had like 100 million desktops deployed and Microsoft does not. Not for AV anyway. So how did Microsoft get anointed the market leader, after literally releasing the product this week? Right, because Symantec is giving it to them. They are playing defense and not acting like a market leader. Symantec better find their cojones and do it quick - before this becomes a self-fulfilling prophecy.
Have a great weekend.
Top Security News
So you catch an insider, now what?
So what? - This is an interesting article about the prosecution of an insider at Paine Webber who allegedly (yes I still believe in innocent until proven guilty) planted a ton of malware and took down the trading network for weeks. The article makes it sound like they have this guy dead to rights, but we'll see if they can take it over the finish line and get a conviction. This (and cases like it) should establish what is needed from an evidence standpoint to make these convictions stick. This is another buying catalyst for Log Management, in that if you do it right (and keep forensically valid logs for a long time), you should have the data needed to determine and prove when someone does something bad. This kind of stuff should make the LogLogic guys pretty happy.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188700855
Email security partnerships are fleeting
So what? - The news peg here is PostX and SendMail buddying up, but it gives me the ability to discuss how retarded the partnerships in the email security space are. After meeting with a few of the gateway vendors and the encryption vendors, I see that nothing has really changed since I left the space. Everybody "partners" with everybody else, they all consistently screw each other over in deals (especially at the end of the quarter), and if the gateway is leading the outbound filtering and encryption project, the customer perceives very little difference between folks like PostX, Voltage and PGP. The only thing that alleviates this constant partner swapping is on-the-box integration. It's unlikely the gateway vendors will integrate multiple products on their boxes, so if you see real integration (using the encryption vendor's API) then the deal is more strategic to both parties.
http://www.sendmail.com/company/news/20060601/
Mossberg has big security on its heels
So what? - It must be good to be Walt Mossberg. The very influential technology columnist for the Wall Street Journal literally makes or breaks companies. And he gives vendors the business, which is entertaining. Check out Dan Farber's coverage of Walt's interview with Symantec's John Thompson and RSA's Art Coviello at the D4 conference. I don't know what D4 is, but they are certainly getting heavyweights. The net of the discussion is that neither John nor Art had any decent answers as to what can be done to ensure Walt does not feel like a "part-time system administrator." It's sad that in a public forum like that neither executive could make a compelling case for why security should be separate from the OS and how it's going to get better. I guess we all just need to draw the conclusion that it's not going to get better.
http://blogs.zdnet.com/BTL/?p=3130
Anemic network security growth
So what? - Infonetics came out with their quarterly numbers this week on Q1 2006. 2% growth in the network security market. Yep, it's mature and it's a market share, zero sum game. If someone buys CheckPoint on Crossbeam or adds a Netscreen device - someone has lost a unit. Clearly this pie is not growing, so folks like CheckPoint and ISS better communicate a more strategic vision for how they are going to address other issues - like content and application areas. By the way, I think future market projections are crap, but these folks (more Infonetics than IDC) are pretty effective at looking backwards, especially for mature markets.
http://www.marketwire.com/mw/release_html_b1?release_id=0132685
Top Blog Postings
Does education work?
Christian Koch asks the question that I'm sure most of you are thinking. Are you wasting your time by trying to educate the end users as to what they should and should not be doing from a security standpoint? The reality is it's frustrating but a necessary evil. Period. Sure, you are going to have stupid people that will never get it and we can only hope that Darwin does his magic and these folks work themselves out of a job (and are no longer our problem), but for all the others that want to do the right thing - we need to keep on keeping on.
http://www.limited-exposure.org/2006/06/01/will-employee-education-ever-work/
You need to track access requests
This tip on SearchSMB makes a point that is commonly overlooked, especially in small companies. You need to formally track (and log) requests for password changes and new access to systems. Even if it's from someone you've known for many years. If something were to happen, you (as the administrator) do not want to be on the hook because someone was taken in a social engineering attack. Joel Dubin's answer is very comprehensive and right on the money.
http://snipurl.com/r8m6
Defense in depth is still cool
Michael Farnum (yes you should read his blog) agrees with my continued belief in defense in depth. Clearly we cannot depend on just one layer, no matter how potentially effective. That's also why I believe inherently in the Pragmatic Security model, which includes both infrastructure and information security - WHICH ARE DIFFERENT. That is inherently a layer. I am also reminded that the half-life of pictures on the Internet seems to be a million years, since Michael digs up a pretty old photo of me. That was during my marketing days and it must have been a good day because my eyes weren't bleeding.
http://securityplace.blogspot.com/2006/05/does-believing-in-defense-in-depth.html
What Spafford is thinking
Eugene Spafford from Purdue (one of the legends in the security business) gives an interview to NetworkWorld where he waxes poetic on what's going on in security. For the most part, I buy into his thinking. New applications (like VoIP) create new exposures that we need to adapt to and the perimeter is disintegrating. I'm not sure I buy into his thinking on homogeneity. Maybe from a purist's security risk perspective this is an issue, but from a customer standpoint - it makes life much easier. I know, I know. Easy doesn't mean secure and not secure is a bad thing. But ultimately security is a risk/reward decision and every administrator must determine how much they are willing to spend, willing to inconvenience their users, and willing to integrate disparate technologies for what is an unknown incremental increase in "security." The reality is that no one vendor is in a position to control both infrastructure and information security, so looking pragmatically at the issue provides some remedy from the so-called monoculture.
http://www.networkworld.com/news/2006/052206-purdue-spafford.html?page=1
Recently on the Security Incite Rants Blog
Read Thursday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-1-2006

