Blogs

Pragmatic CSO Podcast #19 - Resetting Expectations

Submitted by Mike Rothman on Wed, 2008-07-02 08:57.

Reset Button

This week we continue with Step 5: Selling the Story by reiterating the need to manage expectations appropriately. As you know, this is a common theme throughout the Pragmatic CSO, but when we are selling senior management on the security program, strategy, outputs, milestones, and funding requirements - now is really the last time we'll have to truly set expectations.

If you screw this up now, you will not be successful. Now is the time to stand firm with your milestones and what you can (and can't) get done given the funding scenarios (that we described last week). I use the old parable about the 3 envelopes to illustrate how you need to constantly go back and reset expectations based upon what is happening out there.

Running time: 6:02

Intro music is Jungle and I'll wrap with the classic Steely Dan tune "Do it Again" because as many times as we think we are managing expectations, go back and do it again. It's very hard to manage expectations too much. 

Direct Download: 19_Pragmatic_CSO_Podcast_19.mp3


Photo Credit: C_Double_W

 

Pragmatic CSO Podcast now on iTunes

Submitted by Mike Rothman on Tue, 2008-01-29 07:21.

Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.

To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.

 

P-CSO Podcast on iTunes

 

Extended Laundry List - July 24, 2008

Submitted by Mike Rothman on Thu, 2008-07-24 07:36.

Good Morning:
The travel gods conspired against me last night, so I decided to do another extended laundry list, as opposed to a full TDI this morning. I'll wrap up with a TDI tomorrow morning.

Addam's Family Laundry

The Extended Laundry List
  1. PCI is a priest? Why not a Rabbi? OK, Newby isn't talking about real religion, but many practice security as more mysticism than science. Personally, I think doing it right involves a lot of art, but Rob brings up some decent points. - Rob Newby's blog
  2. I guess we really can't get away. The Mogull rants in his Dark Reading column about how consumerization is attacking the business world and how that will impact security - Mogull Dark Reading column
  3. A rehash of the old immune system metaphor for security. It's still as effective as ever. But at the end of the day, most folks don't take care of themselves, what makes us think they'll take care of their security? - NetworkWorld coverage

  4. Curphey figures GRC isn't interesting, but the framework to integrate people, process and technology is. The wonderful thing about an acronym is that GRC can mean anything to anyone at any time, and it usually does. Do you need ERP for compliance? That's the crux of the GRC debate. - Curphey blog

  5. Is it better to build or buy security monitoring? No religion or dogma here. I don't care. Just make sure you monitor. - SearchCIO-midmarket coverage

  6. Why use the old thing, when you can have a shiny new object? Lonervamp asks the question, but I suspect he already knows the answer. Security sales reps need new BMWs - that's why! - Lonervamp blog

  7. MXLogic introduces a paid research service to help stay "ahead" of the bad guys. If I've said it once, I've said it a million times. It's much more lucrative to apply a crystal ball to the financial markets. So if you have one, why waste time in security? - Enterprise Systems Journal coverage

  8. Clearswift bolsters DLP capabilities on their email gateway. Is it "good enough?" Depends on who you ask. I suspect the DLP vendors have a million reasons why you need a costly, hard to integrate dedicated infrastructure. - Clearswift release

  9. New computer: $600. Cost to clean it up after it's been on the network, unpatched for 5 minutes: $2000. The fact that some people still connect unpatched machines to the network: priceless. That's right - 5 minutes to pwnage. I wonder if the XP service pack downloads that quickly? - NetworkWorld coverage

  10. Mitnick gets a tell-all book deal. He'll detail how many ways you can use KY in the slammer. And maybe a bit about social engineering. I can't wait to hear what tale of woe has resulted in his "issues." Maybe he wasn't hugged enough as a kid. - Silicon Alley Insider

  11. Even the "red team" can get better. Of course they can. We all can improve in what we do. I like the fact that the Government has people responsible to test defenses. If you aren't testing, you'll be surprised and security folk hate surprises. - Veracode blog

  12. The chum is in the water. After Enrique basically tells the channel he's going to screw them, it seems there are a few options for VARs to consider besides the Big Yellow. You think? - CRN slideshow

Photo credit: "The Addam's Family Laundry" originally uploaded by DanielaNob

Pragmatic CSO Newsletter #62

Submitted by Mike Rothman on Wed, 2008-07-23 09:09.
Pragmatic CSO Weekly

July 23, 2008 - #62

Mike's Pep Talk:

"I found there was only one way to look thin, hang out with fat people." - Rodney Dangerfield

No, I'm not coming clean about being a little too festive on my vacation. Although I was. Today's pep talk is about the inevitability of your boss (or maybe even your boss's boss) coming to you and asking about cutting your budget. That's right, you'll probably be faced with tightening your belt over the next few quarters.

Which is OK because that chocolate cake (and 3/4 of a pizza) are overrated anyway...

After the first few announcements from public security companies, and some of the other information sources I track, it seems that the security budget is still reasonably safe. At least relative to other things (perhaps like virtualization?). But assuming that because our budget seems safe today it will be safe tomorrow is pretty much dumb.

You didn't become a Pragmatic CSO by being dumb. You have spent a lot of time building relationships and that means the senior folks may come and ask for a favor. Cut out some of the "nice to have" expenses built into the budget, and take a few for the team.

Can you do it? Where would you cut? What doesn't absolutely, positively need to get done yesterday? Of course, you already know the answer. Just go back to Step 1 and remind yourself what is important. Make sure those resources are protected, and let everything else slip a bit.

Of course it's sub-optimal, but it's reality. I personally (and no I'm not an economist and I've proven to be pretty crappy at predicting much of anything) believe that the second half of the year is going to be pretty bumpy and that security budgets will be cut as well. So get out ahead of it and start revisiting your 2H spending plans and see what can be moved to 2009.

A bunch of folks are increasingly talking about this reality. eWeek has some suggestions to defend your budget. Things like metrics (no, I'm not going to get started on that) and comparing your baseline to others (via things like CIS benchmarks), but in reality the answer isn't to fight for every last penny. It's to be a member of the team and cut like everyone else.

Some of the best advice I've seen on the topic comes from Stuart King, who reminds us that we can "negotiate" better with vendors (they need to hit their numbers too) and also that we need to really assess what is GOOD ENOUGH security.

We have the opportunity to win big points with the senior team by helping out when budgets get tight. You can squander it and alienate yourself from the rest of your management team. Or you can do the right thing for your business. The choice is yours.

CAVEAT: OK, to talk out of the other side of my mouth for a second, make sure that you really can cut before you willingly cut. If your security program is in shambles and it's just a matter of time before you have a huge breach, then obviously make it very clear that cuts in security spending put the organization at risk and in jeopardy. But make sure that is the case, not you just trying to save your cushy little security empire.

Photo credit: toffer

The Daily Incite - July 22, 2008

Submitted by Mike Rothman on Tue, 2008-07-22 09:24.
Today's Daily Incite

July 22, 2008 - Volume 3, #63

Good Morning:
The first day back from vacation is always fun. Even though I did a decent job of keeping up with the news (so my RSS reader wasn't overflowing), there were a lot of details, follow-ups, deliverables, and the like that needed to be addressed once back in the saddle. There always are, and that makes the first couple of days back pretty intense.
Smack all you want, another mole will appear
Yes, it's just like whack-a-mole. No matter how many of those little critters you whack, there is always another one ready to poke his ugly little head up at you, demanding more attention. Of course, one way to handle the situation is to think about all the things on your list, and all the things that aren't getting done. 

I track my daily commitments on a 2x2 piece of scrap paper. I figure if I can't fit it on that little paper, then it probably won't get done anyway. Though on days like yesterday, I forget how small I can write. 

So I ended the day with about 75% of the list not finished. It's a pretty crappy feeling, but it's not worth getting crazy about. More will get done today and everything will be done by tomorrow. I ended vacation relaxed, but ready to get back to business. Why let some internally generated angst take me right back into the muck?

When I had a real job, I used to see that all the time. Folks would go on holiday. It would take them 3 days to unwind from all their angst. Three days before they come back they'd start worrying about what's not getting done and have more angst. If their vacation was only a week, they'd have a sum total of one day of relaxation. They'd return from vacation totally stressed out because they were away for a week and all this crap piled up.

That used to be me. But not anymore.

You wonder why folks are dropping dead from stress in their 40's and 50's? I don't. It's this 24/7 totally connected "lifestyle." Just as trees don't grow to the sky, you cannot continue to improve productivity 10% every year, year after year after year. Yet, that's what seems to be expected in today's business environment. It's not rational, it's not sustainable, and it's making most of us miserable.

Chew on that. Have a great, stress-free, satisfying day. I dare you!

Photo: "whack" originally uploaded by simplerich



Top Security News

You dirty rat(proxy)
So what? - This is kind of old, but still important. The folks at Google have made their internal web application assessment tool - called ratproxy - freely available. It's not the tool that is interesting, but it gives me yet another opportunity to reinforce the need to be constantly testing your stuff (networks, systems, web apps, etc.) from the bad guy's view. No one tool is totally comprehensive, so you need to use many tools. No one person is totally comprehensive either, so you need to use many people - some internal, some external. Of course, this is gated by the value of the information accessible via the web app. Obviously you don't pay a bunch of money to test applications that don't house private data - UNLESS that application would provide a path to the vault. That's why segmentation (physical, logical, otherwise) is so important. Even the least important app can kill you if it provides a path to some important data. So application architecture and operational provisioning continue to be important, and not only when you first roll out the application. It makes sense to revisit the entire application ecosystem every so often (maybe quarterly) just to make sure the architecture and segmentation plan make sense.

How clouds will rain on your parade
So what? - Before everyone unplugs their existing data centers and moves everything to the cloud, I guess we should think about the security implications of that. It would be a first (to actually think about security before doing something), but there is a first for everything. The good news is that the big G is thinking about such issues, which they can do with 25 analysts covering little, old security. This NetworkWorld summary points out some of the issues to be concerned with. Fact is, these are things we need to worry about in any kind of computing environment. You know, things like privileged user access and compliance. There are some unique aspects to worry about relative to cloud computing, but it's not anything we haven't seen before. And that's a key idea in this cloud-based, web 2.0 reality we all seem to be rushing headlong into. None of this stuff is turning security on its ear. 90% of it is doing the stuff we should already be doing right. Of course, if you aren't doing that stuff right - then it's another issue.

We've got to count something, no?
So what? - One of the things that hit right before I left for holiday was the Mogull's initiative with Mozilla to institute a model to track risk within Firefox over time. I get the need for this type of initiative, especially given the fact that bug counting in browser code is irrelevant to the true security of the application. The most important aspect of the initiative is that Mozilla is going to be tracking these numbers over time, and presumably (though I shouldn't assume anything) use that trend analysis to pinpoint issues in their development process. Of course, we really shouldn't confuse counting aspects of the dev process (like the time to route an issue to the appropriate developer) with the risk presented by that bug. Maybe this will positively impact Mozilla's dev process, maybe it won't. Ultimately I don't think it matters. This is about marketing against an entrenched competitor who has done a good job of equating security with bug counting (in the minds of most customers anyway). When it's hard to win, change the rules. And that's what Mozilla is attempting to do.


The Laundry List

  1. Switching is switching is switching. At least that's what Brocade hopes will happen when they drop $3 BILLION on Foundry. Big is the new small, even in the networking space (which would include storage networking). - Brocade release
  2. He's baaaack. Jim Bidzos takes over at VRSN, while they search for yet another CEO. Sure he knows the company, but Bidzos has never run a $50 million dollar company, certainly not a billion dollar one. - VeriSign release
  3. Heads I win, tails you lose. Check Point goes high end with their appliance and further competes with their appliance customers (who license CHKP software to run on their boxes). They should have done this years ago. - Check Point release
  4. Patent litigators start your engines. McAfee loses IPS case to DeepNines for $18 million. Sure they'll appeal, but Sourcefire and TippingPoint and probably all the UTM folks should be expecting their lawsuits. I guess when you can't compete in the market, it makes sense to compete in the courtroom. - Barron's blog

Top Blog Postings

DNS hole: $10,000. Seeing Thomas with his hat in his hand: Priceless
You know it right when it happens. You don't have a pit in your stomach, it feels like you ate a watermelon whole. And you know because you totally screwed up. I've been there, and I don't envy Matasano Thomas, who is there right now. Of course, I'm referring to the fiasco with Dan Kaminsky's DNS flaw. Dan truly did the unbelievable in getting a whole lot of vendors to coordinate patches and start to fix the issue. It was very impressive. But without details, the loudmouths in the security research community called the issue "marketing" and figured it was hype for Dan's Black Hat speech. So the hyper-connected Mogull gets the smart Matasano folks on the line to verify that it's a big issue. Of course, based on the law of unintended consequences, Halvar's generic speculation led to a domino effect of Matasano inadvertently spilling the beans. For which Thomas had to make a public and gut-wrenching apology. The moral of the story: you can't have your cake and eat it too. Dan played with fire in terms of pre-announcing the DNS flaw when the patches were released, and that created the environment where someone was going to figure it out. Security by obscurity works, but only if you are truly obscure and thus not a target. Dan put a big target on the DNS flaw by talking about it, and this is what happens.
http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/

Tiger team or pen test? Does it matter?
pdp goes through some gyrations in this post to draw differences between a "tiger team" and a pen test. I guess wikipedia (which is always right) has determined the terms to be synonymous; pdp disagrees. Personally, I'm not a big fan of getting caught up in vernacular. Both terms indicate you are going to Hack Yourself, which I think is a great thing. How much quality, pricing and time frame you can afford is up to you and your organization, culture, value of protected data, etc. Though it is much cooler to say "I'm part of a Tiger Team," rather than "I'm a penetration tester." Though in some sections of LA I figure anything having to do with penetration is highly sought after, especially if it comes with video skills. Kidding aside, I don't care what you call it, but you need to be familiar with tiger teams, pen tests, and anything else that will help you understand how you can be compromised. Remember that surprise is the enemy of the security professional.
http://www.gnucitizen.org/blog/tiger-team-operations-vs-penetration-tests/

Crystal ball, Mogull-style
Another series that bears mentioning is Rich's attempts to project where application and data security are going. The first post really sets the stage by going over a bunch of assumptions. Are the assumptions accurate? Who knows? That's the problem with assumptions. If they aren't right, then everything else you say is crap. Thankfully Rich waters things down to a few statements (like bad guys are focused on web apps, and code is generally insecure), which I'd say are fact. Yet it's the second post that really gets interesting. Basically it's Rich's short manifesto on why monitoring is the only way to address the issue. He adds a bit of protection to that (making the acronym ADMP - application and database monitoring and protection), but that's more because some folks will actually try to block stuff and they should (for the most obvious issues). Rich also goes through a potential use case that I think has some legs in building a somewhat isolated, application specific experience that will wall off the computing from everything else on the device. For banking applications (most likely high-value banking), this approach makes a lot of sense. Philosophically, there are abstractions we can take from these ideas. I'm all about the monitoring because (as I've probably said about a million times) we don't know what tomorrow will bring us. But we do know if it causes some unexpected behavior, traffic patterns, transactions, etc. If you aren't collecting data from all aspects of the system (from browser to database, as Rich says), then you can't really get the big picture. Of course, it's still very hard to collect and make sense of all this data, but it's our best near-term hope for addressing the gaping hole that is web applications. Longer term, we have to change the game and secure the data directly, but that is a LONG way off.
http://securosis.com/2008/06/27/the-future-of-application-and-database-security-part-2-browser-to-wafgateway/

Extended Laundry List - July 21, 2008

Submitted by Mike Rothman on Mon, 2008-07-21 11:36.

I'm back....

But I also have a lot of catching up to do, and I'm not going to be able to get through all the news and blog posts that accumulated without comment while I was away. So I figure I'll do a little extended laundry list action today and maybe Wednesday (perhaps even Friday if I'm so motivated) to at least point to the things I found interesting.

The Extended Laundry List

  1. Stiennon's sense of timing continues to amaze. Now he's talking about the most important networking trend of 2008 (it's July bro) to be new routers with (wait, wait, wait, wait)... multiple functions. When will IDC coin the URM term (unified routing management)? - Stiennon's blog

  2. Most consumer security stuff is downloaded, according to NPD. No surprise there, but the fact that 36% is free (as opposed to 42% being paid) is kind of interesting. Long live AVG and Avast!, slaying the AV cash cow one download at a time. - NPD release

  3. pdp talks a little about Mozilla's Weave and the ability to save passwords in the cloud. Oh crap. "Hack the cloud, get the goodies" is right. Keep your eyes peeled, it's just a matter of time before the trains wreck. - GNUCITIZEN

  4. NAC as a personal firewall? Or NAC capabilities within the agent that runs on my device? Just what we need, more confusion on what NAC does. Thanks Tim. - Tim Greene's NetworkWorld newsletter

  5. Matasano finally ships Playbook (it used to be Clockwork, I think). If you have a bunch of firewalls check it out. - Matasano blog

  6. NexTier introduces yet another DLP appliance, this one evidently tells you what files are important. I wonder how many patents they have on the ESP algorithm. - NetworkWorld coverage

  7. AT&T takes a page out of the Cisco poster boy marketing model and puts Amoroso on a press tour. It's about time, it's not like this is novel stuff. - GCN interview

  8. The king of marketing futures, Microsoft counters the FFX 3 launch by talking about how IE8 will improve security. Malware blocking, smarter filtering, and XSS support, amongst other stuff. Guess they've been perusing the FFX add-ons page. - NetworkWorld coverage

  9. Deal: Since the SafeNet deal was nixed, nCipher gets a big UK defense contractor called Thales to put them out of their misery. That key management stuff is pretty big outside of the military. Uh huh. - NetworkWorld coverage

  10. Deal: NitroSecurity figures they've had enough Mad Dog and they go for some RippleTech. They get log management and some database activity monitoring (and a kick ass hangover). - NitroSecurity release

Photo credit: "laundry" by fotomele

What goes up... (virtualization market)

Submitted by Mike Rothman on Mon, 2008-07-21 10:59.

...must come down. You know that old saying. I think it was a dude named Newton that first came up with that gravity thing, right? Well it seems that while I was blissfully away at the beach, the virtualization market came back to reality a bit.

Between Diane Greene being thrown out of the VMware car at a high rate of speed and their acknowledgement that VMware revenues will be a bit lighter than expectations over the rest of the year, you get the feeling that a bit of the helium in the virtualization balloon is escaping into the atmosphere.

By the way, that doesn't mean that I don't believe that virtualization is a critical technology and that it's going to be growing quickly for a long time to come. I do. With legitimate competition from Microsoft and Citrix, VMware now has a fight on its hands. Which is great for customers, as pricing will come down and innovation go up. That's the way competitive markets work.

Since I do focus on security, this is just more ammo for me relative to my positions that virtsec is largely a hype market for the next few years. I don't need to rehash that again.

So why bring back up the topic of virtualization? I just like to poke fun at all of the folks that believe the world changes overnight. Yeah, mostly vendors, but the media (and a lot of analysts by the way) are also willing accessories to the crime. Disruption does not happen in the blink of an eye. I believe that old adage that we overestimate change over a two year period, but underestimate change over a decade. I've seen it and lived it, and it will happen again.

In 2018 (as if I could predict further out than breakfast tomorrow), the fundamental computing infrastructure will be radically different. You could guess that a lot of processing will happen in the cloud and that we'll have open (maybe even secure) APIs to weave together our interfaces, logic, and data. Yet things in 2010 will look largely the same as they do today.

Maybe. Who the hell knows? If there is any rationalization I'm coming to grips with, it's that I'm pretty crappy at predicting.

In fact, we all are. This is going to be a major research focus of mine in the second half of the year. How do we make decisions when we are crappy at predicting the future? Stay tuned for that.

Photo credit: "img_0906" by mbeldyk

Incite Redux: Day 10 - Hack Yourself

Submitted by Mike Rothman on Wed, 2008-07-09 11:37.

Good Morning:
On the last day of vacation last year, I started the post with: 

"Knock knock. Who's there? Real life. Real life who? Real life dumb ass. You better enjoy your last day of vacation because in a scant 36 hours you'll be back home to the sweet sound of screaming kids, the reality of bills to pay, and the general mayhem that is your daily existence."

But this year, I'm sure things will be a bit different. First of all, we've been with the kids. So it's not like I've gotten away from screaming kids. And "working" a few hours each day has kept me reasonably current with what is going on.

As Dorothy says, there is no place like home. She was right. I'm looking forward to sleeping on my own bed, using my own stuff, being back in my own routine, and enjoying all of the angst I constantly create for myself. Being able to go away for a few weeks is such a luxury, and we are very fortunate to be able to do it. But at the end of the day, being away makes you appreciate being back.

And it's time to get back. You'll see a special Incite on Monday, and TDI returns on Tuesday.

Have a great weekend.

Incite #10: Hack Thyself

Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.

Read the original Days of Incite post on this topic.

6-month grade: B+

I love how you can be right and wrong at the same time. First things first, it's clear that the term "risk" is much more in vogue this year than "security." I guess most folks think that risk is a more business oriented term. But no matter, I do think that slowly, but surely many practitioners are understanding that not everything is going to get done and focusing on the activities that reduce the most risk is not a bad thing.

How do you know what that activity is? Well, you need to be able to isolate real risk vs. theoretical risk. The only way I know how to do that is to actually test your stuff. Yes, I'm a big fan of testing of pretty much everything. I've said that about a million times. Unfortunately the tools to test the really important stuff are still pretty immature.

Yes, I'm referring to applications. The tools to do automated pen testing for networks and systems are maturing quickly. There aren't a lot of them, but the ones out there work pretty OK. But in reality, networks and systems are not really the path of entry for most attackers nowadays. It's the applications.

And the tools to penetrate applications are still early. Sure they are maturing, but you still need a bunch of big brained dudes to figure out the logic errors that are more likely the cause of application compromises. Any scanner is going to do a decent job of finding XSS or SQL injection flaws. Though that is still low hanging fruit for attackers because not enough people are running scanners on their apps. 

Alas, Rome was not built in a day and neither are the application security testing tools. I can only hope (and I know hope is not a strategy) that the big companies that have acquired these tools continue investing in making them better. Or the start-ups (yes, there are still a few out there) will drum them.

Yet the real reason this is graded as a B+ is that I'm not seeing enough of the organizational change I predicted (and again, hoped for). I know a lot of folks for whom testing is PART of their job, but not the entire thing. And that means they don't get to it as religiously as they should. Not by a long shot.

I can't stress enough the need to test all aspects of the system, and to be serious about it. So the sooner someone is appointed the internal "white hat," the more likely you'll find problems before your customers do. Capiche?

Photo credit: "black & white hats" by w00kie

Incite Redux: Day 9 - Get the jumper cables for DLP

Submitted by Mike Rothman on Wed, 2008-07-09 11:18.

Good Morning:
At this point, I'm probably chewing my arm off - ready to head back home and get back to my daily routine. I've come to embrace the fact that even if I didn't have to work - I still would. The life of leisure just isn't for me. I'm not the type to want to play golf every day or sit at the pool or out by the beach.

It's not that I don't appreciate the ability to turn things off and just relax a bit. It's important. But it's not something I want to or could do for months at a time. I'm a builder. I like to create new things, and creating a lower golf handicap is not really what I'm talking about. As I mentioned on Monday of this week, it's not something I feel bad about either.

So over the next two days, I'll be ramping back up to jump into my routine. By Monday, we'll be back at the home base. The kids will be gearing up for another couple weeks at camp, and I'll be back to being pulled in 15 directions. And I can't wait.

Yes, vacation is great. But if you aren't looking forward to getting back to your life, then you need to change your life. Have a great day.

Incite #9: Get the Jumper Cables for DLP

Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send a SSN# (or other regular expression) outside of the organization.

Read the original Days of Incite post on this topic.

6-month grade: C+

I hate waffling, but ultimately I have no choice but to waffle a bit on this Incite. Clearly I don't think the DLP market is going great guns, and I constantly hear anecdotes about big DLP projects being pushed out or pilots kind of stuck in pilot mode. Yet, on the other hand, I also hear anecdotes about some of the acquired DLP vendors beating their internal projections, mostly driven by the reach of the acquiring company. I guess the truth is kind of in the middle and very hard to really calibrate.

That's why I hate making market size projections. I guess I'll take a mental note to remember that next year, when I'm preparing the 2009 Incites.

But let's get back to the fundamentals of the DLP space. The reality is, as this business and the product offerings mature, the problem is less about catching bad stuff at the gateway and more about protecting the data at rest. That's really where it's most vulnerable. I should probably say FINDING the sensitive data at rest, since you need to figure out where it is before you can worry about protecting it.

And that gets back to a key hallmark of DLP: it's more about process than it is about a product. Sure, you can buy a gateway to look for regular expressions (like SSNs and account IDs) or even use some sophisticated information fingerprinting algorithm, but unless you know what you are trying to protect and why, the inherent value of the DLP will be limited.

I think that's really the concept I was trying to isolate in the Incite, but of course it came out like a Kimbo uppercut delivered to the jaw of the entire category. My point is that for data leak prevention to actually prevent anything, you need to have an underlying process to figure out what's important, find it, and then ultimately protect it.

And without the process, the product is a pretty (I guess I should say a VERY) expensive way to find the low hanging fruit, and your existing mail and web gateways can probably find the low hanging fruit.
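To make the "look for regular expressions" point concrete, here is an added example (my own illustration, not code from the post or from any DLP product) that scans a handful of files for SSN-shaped values the way a gateway filter or a data-at-rest discovery pass would. It shows both halves of the argument above: a bare pattern catches the low-hanging fruit in one line, and a bare pattern also over-reports, so the scanner applies the SSA's published structural rules and a context-keyword check before calling anything high confidence. The file paths, contents and keyword list are constructed sample data, not real records.

```python
"""Regex-plus-validation discovery of SSN-like values in data at rest.

Added example, not code from the original post. It shows what a
'look for regular expressions' style of DLP actually catches and why
a bare pattern match over-reports. All file contents below are
constructed sample data, not real records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 3-2-4 digit groups with an optional '-' or ' ' separator that must be the
# same in both places (\2); lookarounds keep us out of longer digit runs.
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

# Context words that raise confidence when they appear just before a hit.
SSN_KEYWORDS = re.compile(r"\b(ssn|social security|soc sec)\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by the SSA: area is never 000, 666 or
    900-999; group is never 00; serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


@dataclass
class Finding:
    location: str
    value: str
    plausible: bool       # passes the structural rules above
    separated: bool       # written as 123-45-6789 / 123 45 6789, not 123456789
    keyword_nearby: bool  # 'SSN' etc. appears in the 40 chars before the hit

    def confidence(self) -> str:
        if not self.plausible:
            return "rejected"
        # An unseparated 9-digit run could be an order or account number;
        # only call it high confidence when a context keyword backs it up.
        return "high" if (self.separated or self.keyword_nearby) else "low"


def scan_text(location: str, text: str) -> list[Finding]:
    """Return every SSN-shaped candidate in `text`, scored but not filtered."""
    findings: list[Finding] = []
    for m in SSN_CANDIDATE.finditer(text):
        area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
        window = text[max(0, m.start() - 40):m.start()]
        findings.append(Finding(
            location=location,
            value=m.group(0),
            plausible=is_plausible_ssn(area, group, serial),
            separated=sep != "",
            keyword_nearby=SSN_KEYWORDS.search(window) is not None,
        ))
    return findings


def scan_corpus(files: dict[str, str]) -> dict:
    """Summarise a discovery run over {path: contents}."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    by_conf = {c: sum(1 for f in findings if f.confidence() == c)
               for c in ("high", "low", "rejected")}
    return {
        "candidates": len(findings),
        **by_conf,
        "files_to_review": sorted({f.location for f in findings if f.confidence() == "high"}),
    }


# Constructed sample corpus (hypothetical paths and values).
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,ssn\nJ. Doe,123-45-6789\nA. Roe,987-65-4321\n",
    "finance/orders.txt": "order 123456789 shipped; ref 000-12-3456\n",
    "support/ticket-4711.txt": "caller gave SSN 321456789 over the phone\n",
    "eng/build.log": "commit 1234567890 took 12345 ms\n",
}

if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        for f in scan_text(path, text):
            print(f"{f.confidence():8} {f.location}: {f.value}")
    print(scan_corpus(SAMPLE_FILES))
```

Run against the sample corpus, the regex alone turns up five candidates, but only two survive as high confidence (the separated value in the HR file and the unseparated one sitting next to the word "SSN"); two are rejected outright because their area numbers are reserved, and the order number lands in the low bucket for a human to look at. That triage step, not the regex, is the part that needs a process behind it: somebody has to decide which locations matter and what happens to a hit.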

Photo credit: "Old Jumper Cables" by Dann Solo


Incite Redux: Day 8 - Protect the vault (that's where the money is)

Submitted by Mike Rothman on Wed, 2008-07-09 11:01.

Good Morning:
Today I need to send a shout out to my father-in-law Sandy, who turns 75 today. SEVENTY FIVE! Wow, that's a long time. I'd say something about spring chickens and being old, but he's one of the youngest guys I know. Sure there is a lot of mileage on his motor, but it still runs pretty OK. There are 75 year olds that are more like 90, waiting for their call to the great beyond.

And there are the 75 year olds that are more like 50-somethings. The difference? Engagement. It's as simple as that. Those that aren't engaged with hobbies, activities, maybe even a job are just waiting to die. Maybe it's because they have health problems or whatever, but there is clearly a correlation between someone's activity level and how young they appear.

Sandy is a stock broker and he loves it. He "works" pretty much every day. Not because he has to, but because he wants to. He would chart stocks even if it wasn't his living. In fact, he did chart stocks on nights and weekends before he became a full-time broker in his late 40's. It's his passion and his passion keeps him young. I can't tell you how much I've learned from watching someone actively engaged day after day, year after year, doing something they love. These are lessons I weigh every career decision against.

Happy Birthday Sandy. I'm looking forward to many more.

Have a great day.

Incite #8: Protect the Vault (that's where the money is)

The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors' disdain for security doesn't help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures, largely due to complexity and the nebulous compensating controls clause.

Read the original Days of Incite post on this topic.

6-month grade: B+

In Incite #6, I talked about a hot market (full disk encryption), even in a crappy economy. Database monitoring is neither high profile nor particularly exciting - but it's happening slowly but surely. As opposed to the overheated NAC hype that set unmanageable expectations, database monitoring (for the most part) has flown under the radar. To be clear, this is still a very early market and the buying dynamics are still rather complicated (does the DBA or the security guy own/buy it?), but enough folks are looking at and interested in this space - that it'll end up being larger than another over-hyped market - DLP - this year.

But I don't want to get ahead of myself here; we talk about DLP tomorrow. Now the good news for the stand-alone database monitoring folks is that the big database folks have their respective heads in dark places. They are all focused on becoming something else, and a security vendor isn't high on the list. Oracle is an apps vendor, Microsoft is an everything vendor and it's not clear what Sybase is - but it's surely not a database vendor. So all these guys do offer their own flavors of database security, but it's clearly not a focus - which creates opportunities for the start-ups.

Is this a top priority issue? Does it need to be solved right now (like full disk encryption)? Nope. Unless your auditor has specifically required you to do so, as part of a compensating control for secure applications. So a lot of organizations will defer this purchase for a while. But I'll make the case for why it's important to do this sooner, rather than later.

Surprisingly enough, it gets back to REACT FASTER. Remember, we want to monitor as much as we can because we don't know where the next attack is going to come from. The network is really the first place we want to monitor (because the network doesn't lie), but after that I want to see what's happening in my database - that is where the money is, after all. Monitoring is good. So as you are looking at your priority list, keep that in mind.
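Here is what "see what's happening in my database" looks like at its simplest, as an added example that is my own illustration and not code from the post or from any monitoring product. It parses a small set of database audit lines and flags reads of sensitive tables that come from an account other than the application's, from outside the application tier, in bulk, or with no filter at all. The log format, the table and account names, the address prefix and the row threshold are all assumptions made up for this illustration, and the log lines are constructed samples.

```python
"""Rule-based database activity monitoring over audit log lines.

Added example, not code from the original post or any product. The log
format, table names, account names and address ranges are all assumptions
made up for this illustration; the log lines are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed environment facts a monitor needs to know (hypothetical values).
SENSITIVE_TABLES = {"customers", "card_data"}  # tables holding private data
APP_ACCOUNTS = {"app_svc"}                      # accounts expected to read them
APP_TIER_PREFIX = "10.0.5."                     # where the application servers live
BULK_ROW_THRESHOLD = 1000                       # rows returned that look like an export

# Assumed audit line layout:
#   <date> <time> user=<u> db=<d> client=<ip> rows=<n> stmt=<sql>
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) db=(?P<db>\S+) client=(?P<client>\S+) "
    r"rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
TABLE_REF = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*)", re.IGNORECASE)


@dataclass
class Event:
    ts: str
    user: str
    db: str
    client: str
    rows: int
    stmt: str


def parse_line(line: str) -> Event | None:
    m = LINE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, never guessed at
    return Event(m["ts"], m["user"], m["db"], m["client"], int(m["rows"]), m["stmt"])


def tables_in(stmt: str) -> set[str]:
    """Crude table extraction: good enough for logs of simple DML."""
    return {t.lower() for t in TABLE_REF.findall(stmt)}


def evaluate(ev: Event) -> list[str]:
    """Return the reasons this event deserves a look; empty means normal."""
    touched = tables_in(ev.stmt) & SENSITIVE_TABLES
    if not touched:
        return []
    reasons = []
    if ev.user not in APP_ACCOUNTS:
        reasons.append(f"non-application account {ev.user} touched {sorted(touched)}")
    if not ev.client.startswith(APP_TIER_PREFIX):
        reasons.append(f"access from outside the application tier ({ev.client})")
    if ev.rows >= BULK_ROW_THRESHOLD:
        reasons.append(f"bulk read of {ev.rows} rows")
    is_select = ev.stmt.lstrip().upper().startswith("SELECT")
    if is_select and re.search(r"\bWHERE\b", ev.stmt, re.IGNORECASE) is None:
        reasons.append("unfiltered SELECT against a sensitive table")
    return reasons


def scan_log(lines: list[str]) -> list[tuple[Event, list[str]]]:
    """Run every rule over every parsable line and keep the ones that fire."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = evaluate(ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample audit lines (hypothetical).
SAMPLE_LOG = [
    "2008-07-09 09:12:01 user=app_svc db=cards client=10.0.5.12 rows=1 stmt=SELECT card_no FROM card_data WHERE cust_id=4711",
    "2008-07-09 09:12:05 user=app_svc db=cards client=10.0.5.12 rows=3 stmt=SELECT id FROM orders WHERE status='open'",
    "2008-07-09 02:41:33 user=dba_jsmith db=cards client=192.168.7.30 rows=48210 stmt=SELECT * FROM card_data",
    "2008-07-09 11:05:17 user=report_ro db=cards client=10.0.5.40 rows=5 stmt=SELECT name FROM customers WHERE region='NE'",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ev, reasons in scan_log(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user}@{ev.client}")
        for r in reasons:
            print("   -", r)
```

On the sample lines the application's own filtered lookups pass silently, the reporting account's read of a sensitive table gets one note, and the early-morning full-table read by a DBA account from outside the app tier trips all four rules at once. None of this requires a product; it requires knowing which tables hold the money and which accounts and hosts are supposed to touch them, which is the same "know what you're protecting" homework that the DLP discussion comes back to.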

What about the second half of the Incite, which is about encryption infrastructure? You know, that centralized key management function that allows those pesky little keys to be managed across applications. Kind of like a utility. Well, that's still nowhere. Encryption can and should be relatively transparent to developers, users, and pretty much everyone. In big environments, I get the value of centralizing management and escrow of the keys - but those use cases are few and far between. Most folks don't need it, and should focus on something that will yield more value in the short term. Like monitoring. :-)

Photo credit: "Bank Security Guard" by madaboutshanghai