The Daily Incite - March 11, 2008
March 11, 2008 - Volume 3, #25
Good Morning:
By the time you read this, I'll be in the air probably mid-way over the
Atlantic on my way back to the States. As I mentioned yesterday, it was
great to get "across the pond," but I'll also be glad to be in my bed
and hanging with mi famiglia tonight. Of course, I have some other
observations about Europe.
For those of us in the States, we take room for granted. I guess in some cities, they build up - but for the most part folks in the US build out. That's what urban sprawl is about. In Europe, that's not really an option. Space is a premium, so they do everything they can to conserve it and use it effectively. The most obvious indication of that is the cars.
The cars are small. Like ALL of them. Many of you have seen Mini Coopers. The Mini is a giant over in Europe. The Smart fortwo is a real small deal and kind of cute in a weird Luigi kind of way. But I will admit that every time I saw one pass by, I checked for clowns. Seriously, anything that small has to be a clown car in the circus. The Europeans thought I was crazy, but now they can join the Americans in that realization.
The fortwo is so small I wanted to put it in my carry-on bag and take
it home. I'm pretty sure it would fit in the overhead bin. But knowing
Delta, they'd charge me for an overweight bag. They have to get paid
somehow. And the Europeans drive these things fast. As you are walking
on the sidewalk, they'd buzz by - but you'd pay no heed. How much
damage could a toy car do?
Of course, the car isn't a toy. And allegedly it's coming to the US
very soon. I'm not sure how it will go over with the US mentality -
bigger is better and more power is best crowd. They say it's safe, but
I learned a bit about Physics in college and I have to imagine the
Smart fortwo versus the Expedition doesn't really end well, for the
passengers in the Smart anyway.
Though interestingly enough, I saw no mini-vans. I wonder what the
soccer moms drive over here, although I guess they should be called
futbol moms to be geographically correct. I did see one Hummer
on the streets. I guess that guy got lost and took a wrong turn
somewhere along the line. That car was sorely out of place. Can you
imagine the conversation? "Damn Alice, we should have made a LEFT at
Ocean City - what kind of crappy navigator are you?" Again, it is good
to get out of my little comfort zone and see other cultures.
Hopefully you've gotten a little flavor for my quick roadtrip, if you consider 9 hours in a plane quick. We'll tackle important stuff on Thursday. Like the idiocy of Daylight Savings Time. Or maybe Eliot Spitzer's most excellent adventure and my new favorite acronym - KYDIYP. Bonus points for anyone that can tell me what it means. And no, don't put a blog comment in, this is a family blog. Send me an email.
Have a great day.
Photo credit: Blue Smart fortwo uploaded by Fleur-Design
Top Security News
Who pitches and who catches?
So what? -
This SearchSecurity tip from Sasan Hamidi brings
up an interesting point. If you are going to marry the
networking folks and the security folks, well... I'm not going to go
there. The reality is that integration is happening pretty much everywhere. Yes at the endpoint. And yes, in the perimeter. Yes, we are trying to get as much security "into the cloud" as we possibly can. So the idea of integrating the operational centers for security and networking does have some merit. How many screens with green and red network maps do you need? Of course, Level 1 integration is pretty straightforward.
But I'd caution against trying to truly integrate some of the more
technical nuances. At least now. As the tools get better and we see the
networking vendors continue to increase their security quotient - this
will become more feasible. But now, we are still talking about
integration on the glass.
Don't pipeline that wave, or you'll run aground
So what? -
I'm still a fan of the very public execution. If someone violates the
security policies, with extreme prejudice, they should be taken out to
the square and made an example of. That's the best way to send a
message to the troops that the rules are to be followed. But this article in SecurityProNews
indicates that it's not just inappropriate behavior that is getting
people thrown out of the car. It's excessive surfing. How can that be?
If folks are surfing too much, then they aren't getting their work done
and they are fired for being crappy at their job. How is that
"excessive surfing?" Maybe I'm splitting hairs here, but to me the
distinction is important. If your policy is to basically trust your
employees (though you should also be verifying their behavior), then
excessive surfing is not a crime. As long as they get their work done -
that is. Although you read about shops like Patagonia, where
excessive surfing could really be an issue. Though it's the REAL McCoy.
Chevron is Pragmatic, who knew?
So what? -
Based on this coverage about a conference pitch made by Chevron's CSO - they are certainly acting pragmatic. Of course, the fact that CSO Richard Jackson was probably doing this stuff when I was still hawking PKI software notwithstanding, there are a lot of good
nuggets in here. Don't be afraid to take a stand about where things are
going. Be creative about how the security program is positioned within
the context of the business. The reality is, there isn't much novel
about this kind of approach. I certainly don't claim to have found the
secret to cold fusion. But most security folks don't get it yet. Don't
bury your senior team with security metrics they just don't care about.
I say it in pretty much every pitch I give nowadays. Security is not a
technical function. Unless you want to do a crappy job at it.
The Laundry List
- Free as in steal your identity. Be wary of those free widgets that require you to enter personal data, especially with your email account. This story should send chills down your back. Or through your Gmail anyway. - ReadWriteWeb Blog
- Since TippingPoint's 10G box is the first "true" solution, who has a "false" solution? Got to love those vendor my box is bigger than your box games. - TippingPoint release
- Interesting packaging from the Big Yellow on AV "Dual Protection" for Mac. They include the Windows version for your Parallels or Fusion VM. Bravo. Good marketing for a product that probably doesn't sell too much. - Symantec release
- F5 and White Hat announce a deal pumping new web app firewall rules down to an F5 box based on a White Hat scan. Mostly taking humans out of the equation. Next stop - Skynet - F5 release
Top Blog Postings
What is the world coming to? VCs think mid-market is where it's at...
Boy, the enterprise security business is really crappy and hard right
now. Not that I didn't know that, but to see an early stage VC like
Bessemer's Dave Cowan actually acknowledge that is pretty shocking. VCs
hate the mid-market. It's hard to get to. The customers are
unsophisticated, so they don't appreciate technical differentiation.
You have to pay a king's ransom to the channel to get the time of day.
They figure you have to work just as hard to sell a $10,000 deal as a
$500,000 deal. Not sure if that's Cowan's perspective, but that's what
I heard very consistently through the years from the VCs. But I guess that's got to be easier than trying to compete with 800 companies chasing after the same 500 enterprise customers. I remember the VCs told me I was an
idiot for wanting to launch a backup appliance into the mid-market back
in 2002. They were right about me being an idiot, but dead wrong about
targeting the mid-market. Of course, that is little consolation 6 years
after I failed to get funding for that idea - but it's consolation
nonetheless.
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/dave-cowan-of-b.html
Some mod WAF use cases
Sir Ivan of the ModSecurity does a short post here discussing some of
the obvious use cases for web application firewalls. The technology
certainly could be used in this context, but the WAF market is still
suffering from a serious misperception issue. It's not clear what a WAF does that a general "deep packet inspection" firewall doesn't. You can talk about protocol decodes and other capabilities until you are blue in the face, but
customers still don't get it. I think Ivan's got the right idea about
doing a series based on use cases to make the technology seem
more real. That's what I'd do if I was a WAF marketing guy. But I'm
not, so I can just point to it. Listen, I'm a fan of more layers, where possible, and if you can do a WAF, then do it. But it gets back to figuring out if that's
going to give you the best bang for the buck relative to other things
you can do. Maybe like DB monitoring gateway. Yes, I know that's an
apples to oranges comparison. I know that in general it's better to get
your protection closer to the attacker. But a WAF doesn't help to
detect insider malfeasance on your database. BTW, this isn't about a DB
security gateway versus a WAF. It's about understanding that limited
resources make you decide between what is usually two good, legitimate
product categories. It all gets back to your tolerance for risk and
your budget.
http://www.modsecurity.org/blog/archives/2008/03/web_application_4.html
Suites vs. best of breed: Schneier's answer is none
Interesting intellectual exercise from Schneier here about how security
ends up shaking out in the long term. Big is the New Small indicates
that it will be the suites that win over time, and I still think they
will. But the idea that the answer is neither and that outsourcing will
be the death knell in the security business is interesting, but
ultimately wrong. It's true that customers don't really care about
security, but I can tell you they absolutely HATE their carrier or
cable company. The idea that they would trust them to provide security
in the cloud is a joke. Even now, most of the ISPs offer some variant
of a free AV offering and most customers don't use it. They've been
conditioned to buy a product and not from their carrier. Sure it's
nonsensical, but inertia is a hard thing to fight. And how long would it be before the AV vendors were whining to Brussels about the telcos? They don't even do business there, but do you think that's going to stop anti-trust sniping? And the other thought I have is that even if these
markets were to go away over the long haul, the companies will be
around for years and years and years. Just consider that Novell is
still around and they still have like a cool billion on the balance
sheet. Trying to wait for Big Security to die would give new meaning to
the long and slow goodbye.
http://www.schneier.com/blog/archives/2008/03/security_produc_1.html