The Daily Incite - March 29, 2006
Good Morning:
Every so often you need a good rant and to just become a bit unglued. For some reason, that InformationWeek blog post going after Morgan Stanley set me off. So I ranted and it felt good. I work hard to be optimistic every day, but not idealistic. Just like you, I have a business to run and ultimately I'm going to need to do what it takes to be successful.
I do not excuse going outside the boundaries of the law or reasonable ethical behavior (hello Enron), but business is a relationship sport and if it bothers you that someone is profiting from their relationships, then maybe it's time to head into academia. Fact is, it's not different over there. Who do you think gets the tenured slot? Right, it's the one that had the best relationships. OK, I'm off the soapbox now. I've got work to do.
Have a great day.
Top Security News
Crossbeam Expands Partnerships (http://www.crossbeamsystems.com/press_032806.asp)
So what? - This round-up announcement is the first step in validating a few of my 2006 Incites. UTM has always been perceived as an SMB solution, but clearly there is interest on the part of larger enterprises to get bigger UTM boxes. Crossbeam has an interesting architecture and a lot of partnerships to get something like this done. So we are moving towards "No Mas Box" and "Losing the Religion" since many capabilities can be added to a single box. To be clear, I am not anointing anyone the winner in enterprise class UTM at this point. I think it's important that companies own their intellectual property and that is Crossbeam's blind spot. BUT, they will push the likes of Cisco and Juniper to integrate on a common chassis sooner rather than later and that's a good thing.
Altiris Integrates Pedestal (Finally) (http://www.altiris.com/Company/PressReleases/2006/03282006.aspx)
So what? - It's always interesting to see how long it takes companies to integrate acquired technology. In this case it was about 9 months before Altiris built hooks from Pedestal's SecurityExpressions and AuditExpress into their configuration management offerings. This is a good development because finding a vulnerability (or policy violation) is not interesting until you can actually remediate it. It's not enough to just KNOW that something is broken, and the increasing number of scan, analyze and fix solutions is working to close the policy/vulnerability loop.
Alcatel Supports Microsoft NAP (http://biz.yahoo.com/prnews/060329/daw015.html?.v=50)
So what? - Remember Xylan? Alcatel bought them a couple hundred years ago and seemingly buried the layer 3 switch technology. Of course, they still sell the stuff, but they aren't very visible. So I chuckle when I see a press release about a company that has largely been invisible in the enterprise network space announcing support for a technology that isn't going to be available for another 12-18 months (given Microsoft's delivery prowess). OK, you got me. It's a slow news day when this is all I can come up with.
Beyond Security Launches Something (http://www.beyondsecurity.com/press/2006/press28030601.html)
So what? - Beyond Security says they do "security analysis that changes the face of vulnerability management." OK, whatever. This is a great "drive-by" candidate because it's not clear to me what they do. I have an extra 15-20 minutes later today I may try to figure it out. So, why mention it in the Daily Incite? Basically, I am a fan of eliminating the vulnerabilities as soon as possible. Optimally during coding, but certainly before deployment. These guys say they can do that. My big concern is that the product does not really target a PERSON in an organization. Is it the QA manager? Tools from folks like SPIDynamics and Cenzic have targeted that guy with little success. Is it the network security guy? The idea that the network security guy would test an application before deployment is minimal. I'll delve into this a bit more during the drive-by.
Webroot is the Best - Just Ask the Guy They Paid (http://www.webroot.com/resources/archive/pr/0603-veritest.html)
So what? - Normally I wouldn't waste the time to validate a claim from an "independent" testing lab that something is "3x more effective" than something else, as Webroot announced yesterday. What do you mean by "effective?" And that's just the tip of the iceberg. But I'm ranting today, so I may as well poke these testing labs. In general, I have a big problem with a so-called independent testing lab that gets paid to test products. When I was in the spam business, we had this happen TO us, so I'm still a bit sore. Basically, the vendor pays one of these jokers, gives them the competing products. The lab guys get NO assistance and NO training on the competing products, while, you guessed it, an SE from the sponsoring company makes sure their box is optimized. Sure, these folks have "fair testing policies," but Consumer Reports they are NOT. Take that to the bank.
Top Blog Postings
More Info on the Fidelity Laptop Theft
The story just keeps getting better. I love these news items where more information keeps dribbling out and I laugh harder with each one. That is not to say that having personal information for over 200k HP employees stolen is a laughing matter, it's not. But the sheer idiocy of how this happened does warrant a laugh (or ten). Tom Smith goes through the blow-by-blow on his InformationWeek blog.
http://www.informationweek.com/blog/main/archives/2006/03/data_security_o.html
Ed Moyle on Monocultures
Ed Moyle, who I find almost as vitriolic as me (and that's a good thing), rants a bit today about monocultures and basically challenges Dan Geer's classic Microsoft monoculture paper that got him fired from @stake. He does show Dan the proper respect in saying he wouldn't challenge Dan, and then he challenges him. Pretty funny. BUT, the point is a good one. In biology a monoculture is problematic because some type of viral outbreak could wipe out the species. But I wouldn't call desktop (or server) homogeneity a monoculture because we have other defenses. If you are only looking to Microsoft to provide a secure computing environment, then you are pretty dumb. You surround Microsoft with other defenses to make sure you've got a layered security offering. Duh!
http://www.securitycurve.com/blog/archives/000364.html
Classic Lindstrom from his Hurwitz Days
I guess when Hurwitz imploded Pete Lindstrom was able to take all his writings and content with him. I guess he's posting some classic, but relevant stuff. This post is a pretty entertaining goof on Dr. Laura and what it would be like if she was a security officer. The point Pete makes is that "security is not about no, it's about how." That is as relevant today as it was back in 2000.
http://spiresecurity.typepad.com/spire_security_viewpoint/2006/03/dr_laura_as_inf.html