The Daily Incite - June 24, 2008
June 24, 2008 - Volume 3, #59
Good Morning:
As I've mentioned, this is the summer of concerts for me. Though it
should be really called the "Champions Tour," because it seems every
act I'm going to see is over 50. Right, just like the golf tour - but
it seems the purses keep going up in the music business. No wonder I
heard on the radio yesterday that the Stones are thinking about another
world tour. And if the rumors of a Zeppelin world tour come to fruition
- I'll be there.

Welcome to the new music business, which is fine. Even if the record
labels aren't adapting fast enough, it's good to see the artists
evolving and making sure they can still live the life depicted in
Nickelback's "Rock Star" song. It must be nice.
I mean even the New Kids on the Block are back together and touring.
Sorry, but I'll be passing on that show, but they are able to fill
10,000 seats. Which is horrifying, but whatever? The NKOTB fans
probably think I'm crazy for going to see bands like Steely Dan and
Boston.
Or R.E.M. The Boss and I went to see Atlanta's own hometown rock band
on Saturday night. And that's what I want to rant about today. I'm sure
out of the 12,000 or so folks at the show, the 10 most rude happened to
be seated right next to us. Arghhh.
First up is the talking. I just love those people that go to a show and
proceed to talk about their nails or their goiters or whatever. But
since they are at a ROCK CONCERT, they have to scream at the top of
their lungs to be heard. Well guess what? That means everyone around
them also gets to hear about their goiters. Thankfully the Boss is a
tough broad, and she just gets right up into the grills of these folks
and tells them to talk after the show.
Then there is the smoking. Evidently empirical evidence that smoking
KILLS you means nothing to these folks. Maybe it's the rebellious
stage, but when you see a 50-something smoking away, you hope they
carry decent life insurance. Actually, I don't hope because I don't
care what they do. But they are kind enough to share their second hand
smoke with me for the entire show. Arghhh.
Of course, we can't forget about the drunk ass that leaves his seat
every 15 minutes to get another big draft beer. Listen, I'm the last
guy to come down on someone for being a drunk ass, but I try my best
not to spill 75% of my draft before I get back to my seat. Yes,
watching a show isn't as comfortable when you are drenched with someone
else's nasty beer.
I'm sure I could go on all day, but what's the point of that? I guess
my only choice is to laugh. It's not like I'm going to stop going to
shows. So that means I'll need to deal with the talkers and smokers and
drunk asses. And I'll like it.
Have a great day.
Photo: "Shut Up!" originally uploaded by Camps
Top Security News
How good do we think we are?
So what? -
I know a lot of security folks, and I don't know too many that think
they are actually "secure." Most know exactly where they could be
killed and how, but they either don't have the budget, resources or
executive mandate to fix the issues. So when I see a survey
(commissioned by CDW) that shows IT has an inflated view of their
security posture - I wonder who they are talking to. I really hope they
are not confusing ignorance for arrogance. I do know a lot of IT folks
(who tend to wear security as one of their many hats) who don't know
any better, so they say they are pretty secure. They haven't had a
system cratering event lately, so they must be doing OK. Well we know
the truth and it's probably not OK.
Though there were a couple of other interesting tidbits in here. The
first is 77% of IT people figure their users think security systems are
"easy to use." I guarantee you they've never asked that specific
question. Doing a security perception audit is one of the things I
recommend in the P-CSO, and a great majority of the folks working
through the program hadn't ever done that. Second was that the
incessant security marketing mantra of the insider threat is working.
Most IT people are most concerned about insider risks. But overall, I
suspect this survey is worth little more than the paper it's written
on. If you ask dummies about how dumb they are, they very rarely admit
they don't know much of anything.
Two years and counting for NAC vendors
So what? -
It seems the Big G now figures that NAC startups have two years before they are
"flattened" by Cisco and Microsoft. Hmmm. Basically, their
thinking is that a large portion of their client base (large
enterprises) are predominately Cisco and Microsoft, so if you wait long
enough the big vendors will stop screwing it up and close off the market
for everyone else. I'm not one to look for shades of gray, but in this
case the world really isn't so black and white. First of all, we need
to separate out the NAC client vs. the NAC infrastructure, which is
really the network infrastructure. Microsoft will dominate the NAC
client. In fact, I don't know of anyone that is actually still trying
to win that battle. Maybe the start-ups still have their own agents,
but that's a matter of history and convenience. No one is blowing smoke
in my rear about having huge client market share. Now as I've said a
LOT, NAC functionality becomes woven into the fabric of the network.
Thus internal network security (note, Mr. Hoff, that I said NETWORK
security) will largely be a feature of the switches you have running
your campus. In two years? Unlikely. I'm talking about a generational
shift, and those take 5-7 years - best case. Now I will concede that
NAC start-ups that want to sell for a premium have a fixed window, and
candidly I think 2 years is too long. The bigger players that have
crappy NAC and no strategy or ability to build it will figure that out
over the next year. Then they'll start buying stuff. So the risk for
the NAC start-ups isn't being flattened, it's the irrelevance of
being the last one standing.
The call of security management - more data!
So what? -
Saw an announcement from ArcSight cross the wires this morning, about a
new set of integrations between SIEM and
Identity Management. Normally I don't like to cover product
announcements and certainly not Barney partnerships, but this one is
interesting. Why? Remember that the REACT FASTER doctrine (and Mogull's
React BETTER corollary) are all based upon the data that you collect
and your ability to mine it for gold. Being able to correlate actions
within the IT infrastructure and trace those back to a specific user is
cool. These IP to ID bridges have been in place for about 18 months. It
seems this pushes things a bit further in actually working with the
policy engines in the IdM platforms to figure out whether an action is
actually acceptable. Personally, that seems a bit like a holy grail and
I'm not sold on it actually working (Barney releases are easy, true
technical integration at enterprise scale is hard), but the concept is
pretty interesting. In order to contain damage, you need to know where
to look and being able to leverage policies out of the IdM environment
can provide some really cool information to help a skilled analyst
narrow down the issues a lot faster, and that is what reacting faster
is all about. On another note, ArcSight announced their earnings
last week (conference call transcript) and they should be applauded for
their second quarter of anti-FIRE behavior (right, they actually made
their numbers).
The Laundry List
- NAC market up 16% year over year? According to Infonetics anyway. Fratto has it right, why would we get excited about a net $10 million increase in a market that's supposed to be "exploding." - InformationWeek's Analytics Blog
- Both of Big Research release their DLP market reports (MQ and Wave) within a week and the results are largely consistent. Seems like collusion to me (either that or they just believe what the vendors tell them). - Symantec in DLP MQ, SearchSecurity on Forrester
- Drinks are on Jeremiah! White Hat raises another $7 big ones. - White Hat release
- Is there a Trend in IBE encryption? Maybe, since Trend rebrands the Identum technology and stays true to IBE. - Trend release
Top Blog Postings
A 12-step program for meetings
It seems I'm not the only one who is pushing for all of us to come to
grips with our addictions. My group is called Security Products
Anonymous (it's the centerpiece of the Pragmatic CSO) and it seems
AndyITGuy wants to start a group called Meeting Attenders Anonymous.
But how are they going to meet? It would be counter-productive to
attend a meeting about not wanting to attend any more meetings, right?
Check out the post, since it's very funny. But Andy's cry for help at
the end of the post rings true. Well, not for me anymore - but for a
lot of the people I work with. I remember how crazy we thought the guys
from Cabletron were back in the early 90's because they had no chairs
in their meeting rooms. Right, it's hard to have an all-day meeting
when you are standing up. After years of wasted time trying to
"group-think" or "work through the issues," I can now appreciate how
quickly decisions would have been made if I was standing up and
couldn't access my email. I feel for the CSOs out there that spend more
time in meetings than doing things. But let's be clear, the job of the
CSO is PERSUASION, and that means meetings and a lot of one on one face
time with the senior executives. If you don't like that, then maybe you
aren't cut out for the C-title. Which is fine, but come clean about
it.
http://andyitguy.blogspot.com/2008/06/hello-my-name-is-andy-and-i-attend.html
These are true public servants
I'll admit that I have no tolerance for bureaucracy or politics or
kissing the rings of the power brokers within an organization. That's
why I don't work in one anymore. This post on BlogInfoSec delves into
the challenges of being a public sector CISO. Imagine not only having
to deal with the bad guys (and gals), but also the organizational
headwind of things like FISMA reporting, lost laptops, career paper
pushers and funding based on... well, I'm not really sure what it's
based on. Right, that is a challenging gig. When the main objective is
more about covering your ass than it is about actually doing anything -
that's got to be hard, especially as Todd says - there is no place to
hide. And in no way am I taking a shot at all the security
professionals that have chosen a path of public service. If anything, I
take off my hat (if I ever wore a hat) and tip it to all of you. You've
got the patience of saints, and a true desire to make a difference.
It's great, but banging my head against a brick wall every day just
isn't for me.
http://www.bloginfosec.com/2008/06/18/being-a-government-security-ciso-life-in-the-fishbowl/
Wait! Stop the Presses! Security isn't a product!!!
I think I just set the record for the number of exclamation points in a
snippet title. Bully for me. First off, I do want to recognize that in
yesterday's Special Incite, I inadvertently painted Hoff into a
virtualization security technical box. That was not my intention and
Chris has been doing a lot of work to talk about many of the issues I
described yesterday. To follow up on those thoughts, let's bring Amrit
into the discussion and his post on security as an "operational"
problem. This really gets to the heart of what I'm talking about when I
say security is a feature and that it must be built into the
infrastructure. Yes, we need our CSO to do the high level persuasion
and to figure out what is most important to protect. Then our security
architects figure out how that stuff needs to be protected.
But then who actually protects it? Right, it should be the ops groups -
but as Amrit points out this is a slow evolution. Both because
many organizations are holding onto their security empires, but also
because the vendors haven't necessarily integrated the tools that are
required to make this kind of model work. I'm not in the excuses
business, but the laggards aren't going to be creative to find a way to
make it work. They'll wait until they have no other choice. So, as with
everything else - it always takes longer than you expect and a lot
longer than it should.
http://techbuddha.wordpress.com/2008/06/19/security-as-an-operational-problem/



Speaking as one of your rare readers who actually grew up in Georgia, I have to point out that REM is NOT from Atlanta. They are a product of Athens, Georgia, and us Athenians aren't ceding them to the big city types from Atlanta.
Also, glad you liked our press release. Now we'll impress you with the actual functionality!
Bob
Hi Mike,
Thanks for the mention about our new SIEM+IDM product, ArcSight IdentityView. I agree about avoiding barney releases...We have been working on this product since last year, and have put serious engineering work into it, including a new type of adapter that pulls user models out of IdM systems, new reports for user activity monitoring, a new single-ID mapping capability, and a new application of the profile creation technology we had used in other areas. The whole thing builds on the session correlation we added in ESM 4.0 - the architecture allows us to do some unique things.
The goal was to combine the user and role model info managed by IdM with the activity collection and correlation in our SIEM product, with the goal of understanding who is on the network, what info they are seeing, and which actions they are taking with that info. As you point out, if you have this, you can react faster, and also more effectively.
We introduced the partner program for this at RSA (recall that I briefed you on this), and IdentityView is our first product within that program. We don't see anything else quite like it, in terms of actual product, in the market. If you happen to be at Catalyst this week, we are demoing it and I can show it to you.
-Rick