The Daily Incite - May 2, 2007

Submitted by Mike Rothman on Wed, 2007-05-02 07:12.
Today's Daily Incite

May 2, 2007 - Volume 2, #72

Good Morning:
I mentioned last week how the G people have come down on CIOs for not being innovative, and that the US could suffer because IT is not leading, it's following. I don't really buy that, because IT is about helping the business, making it more efficient and possibly opening up revenue streams. But it gets back to who drives the business: is it the line of business and operational folks, or is it IT? My opinion (and it's probably only mine) is that innovation comes from the business and it's enabled by technology. If a CEO expects his/her CIO to be coming up with new products (unless they are a tech company), I think that is very Dilbert-esque.

Yes, there is a point. I also recall mentioning back at the RSA conference in February there really wasn't much innovative stuff there. That security had become an industry and that the pace of innovation was clearly slowing. I didn't think much of it at the time, but as I combine a number of these data points - things are starting to become clear.

That status quo isn't going to work for consumer security. As I discuss below, VeriSign (and some other banks) are looking at providing consumers with one-time passwords on their credit cards. This feels like solving tomorrow's problem with yesterday's technology. And it's not good enough.

We need to fundamentally rethink how we protect data (see below) and it will have a ripple effect on pretty much everything - especially the application world. If I knew what the answer is, I'd be building it - but I don't - so I can only continue to call for a new line of thinking around data security. While I'm making my wish list, it needs to be transparent as well. Or as transparent as possible anyway.

Alas, I'm not holding my breath on this one because change is hard and this would require great change. Yet, we are going nowhere fast relative to solving the problems. There is your Catch-22 moment for this morning.

Go do something, that's usually the best way I know to feel empowered. We can't really control who and/or what is going to solve the problem (unless you are building a solution), so I default back to doing something I have control over.

Have a great day.


The Pragmatic CSO: Available Now!

Read the Intro and Get "5 Tips to be a Better CSO"
www.pragmaticcso.com

Pragmatic CSO Bootcamp - Maiden Voyage
June 6 in Atlanta

Sign up Now! Only 10 slots (and they are filling fast)

Top Security News

OTP is not the answer
So what? - "You down with OPP? Yeah you know me." But we cannot confuse the Naughty by Nature rap classic with OTP, or one-time password. OTP has been around for years, and it's been very useful for remote access authentication. You still see lots of folks with their SecurID key fobs dangling from their ID badge or on their key rings. But it's never really been deployed internally to do local LAN access. Why? Cost. Not only of the token, but of managing the token, and it was never deemed cost justifiable relative to the data that was being protected. So now OTP is going to be used on credit cards, for millions of consumers? Yeah, I don't think so. VeriSign's initiative to do this is covered in this InformationWeek article. We've seen a lot of folks default back to tokens, whether it's eBay/PayPal or Entrust's $5 token. But they are forgetting it's not the cost of acquisition, it's the cost to manage the systems, and relative to what is being protected, it's just not worth it. It'll be interesting to see the first few pilots with banks issuing these OTP credit cards. I suspect their "shrinkage" will be less than their cost to manage an OTP. Yeah, you know me.

It's time to think different
So what? - Apple's slogan for years was "Think Different." They really meant, it's OK to be one of the 3% who use our stuff. It makes you unique. Now there are 5% of "us." As Tim Wilson points out in his Dark Reading column, it's kind of folly to try to keep data in place. We've been thinking about protecting the devices and not the data. I know a lot of people are going to spend a lot of money on leak prevention stuff, and they should, but you won't be able to cover all the bases. Tim's more important insight is why we are still dealing with the devices, not the data itself. He's exactly right. I think you'll hear a lot of folks like Tim and me beating the drum for something different. But neither of us is in much of a place to figure out what that is. It's not DRM/ERM, at least as the technology is packaged today. It's got to be something like that: a meta-data system that allows entitlements to be associated with the DATA, not the application or even the user. And certainly it's got to be bigger than the devices. I also don't think we'll increment our way to the answer. This is going to require some big time disruption. Any takers?

Drumbeat for Black Hat starts already
So what? - I wonder if Black Hat has jumped the shark. First, a cretin like me goes to the show now, and that's never a good sign. Talk about a narc. But clearly it's more about marketing now than anything else. When you have folks talking about their research and what they've found 4 months ahead of time, this is all about promotion, not about security research. In this PCWorld article, Joanna Rutkowska previews that she's basically figured out how to rootkit Vista and break BitLocker. And she'll teach folks all about it at a Black Hat training session. The fact she's broken it isn't really surprising, since it was just a matter of time. I do wonder if she's working with Microsoft on addressing her findings. I can only hope. But this is about generating more interest in the conference, which will result in higher registrations for CMP and fill up her two- and three-day training classes. At the end of the day, it's all about putting asses in seats. At $3000 per seat. They should just rename the show RSA Vegas.

The Laundry List

  1. Fratto thinks Lockdown is a (sys)log. Basically their syslog analysis capabilities are not ready for prime time. You can also read Shimmy's view. - Network Computing Review
  2. Juniper's latest firewall/IPS products show novel new Layer 7 capabilities. Novel in 2005 anyway. - Juniper press release

Top Blog Postings

Gunnar's Blueprint
I'm really glad to see Gunnar Peterson publish his ideas on a security architecture blueprint. It starts with business goals and ends with assurance. That's all good and very Pragmatic. He links to a snazzy little PDF he wrote that describes the components of the blueprint. Well actually not so little, it's 12 pages - but it's pretty tightly written. Best of all, Gunnar puts a little example in there of how you'd apply the blueprint to a code analysis project. As you'd expect, it's pretty application centric, since that's what Gunnar does for a living, but it's great that he is at least putting something out there. Maybe it will provide some strategic context for your own security efforts.
http://1raindrop.typepad.com/1_raindrop/2007/05/security_archit.html

Better late than never
Farnum describes a vendor's best day on his ComputerWorld blog. Basically he (as the reseller) and the vendor work their asses off to get a customer to try a SIEM product. They install it and, lo and behold, it finds something. They do some analysis and determine a host is owned - EVEN THOUGH THE IPS SAYS THE ATTACK WAS BLOCKED. I'm sure the customer will find budget to buy the product, but it's not going to help much. This shows everything that is wrong with SIM. You are looking in the rear view mirror, and by then it's too late. The machine is already compromised, but not based on anything that the SIM told you. These guys had to follow up with some traffic analysis to determine that, in fact, the host was owned. That's why integrating traffic analysis (basically NBA) into the SIEM environment is critical. The network knows, and clearly the firewalls and IPS devices can be fooled. You need to look forward and backward to really do security monitoring.
http://www.computerworld.com/blogs/node/5450
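Farnum's scenario above (the IPS reports "blocked", the host is owned anyway) expressed as the kind of correlation a SIEM fed with flow data could run. This is an added example, not code from the post or from any SIEM product; the log format, host addresses, time window and flow-count threshold are all constructed assumptions.

```python
"""Correlate IPS 'blocked' verdicts with later outbound flows from the same host.

Constructed example: an IPS event that says an inbound attack was blocked is
not trusted on its own. If the targeted host then starts talking repeatedly to
the same external peer, the host is flagged for follow-up traffic analysis.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from one monitoring window: IPS alerts plus flow records.
EVENTS = [
    "2007-05-02T09:00:05 ips src=203.0.113.7 dst=10.1.1.23 sig=exploit-attempt action=blocked",
    "2007-05-02T09:00:06 ips src=203.0.113.7 dst=10.1.1.42 sig=exploit-attempt action=blocked",
    "2007-05-02T09:02:10 flow src=10.1.1.23 dst=198.51.100.9 dport=443 bytes=912",
    "2007-05-02T09:07:11 flow src=10.1.1.23 dst=198.51.100.9 dport=443 bytes=904",
    "2007-05-02T09:12:09 flow src=10.1.1.23 dst=198.51.100.9 dport=443 bytes=920",
    "2007-05-02T09:03:00 flow src=10.1.1.42 dst=10.1.1.5 dport=445 bytes=5000",
]

def parse(line):
    """Turn one 'timestamp kind k=v k=v ...' line into a dict (assumed log format)."""
    ts, kind, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["kind"] = kind
    return rec

def is_internal(ip):
    # Assumed address plan: 10/8 is the inside of the network.
    return ip.startswith("10.")

def suspicious_hosts(lines, window=timedelta(minutes=30), min_flows=3):
    """Hosts the IPS claims to have protected that then beacon out to one external peer."""
    recs = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    blocked_at = {}  # internal host -> time of the first 'blocked' verdict against it
    for r in recs:
        if r["kind"] == "ips" and r["action"] == "blocked":
            blocked_at.setdefault(r["dst"], r["ts"])
    outbound = defaultdict(list)  # (internal host, external peer) -> flow timestamps
    for r in recs:
        if r["kind"] == "flow" and r["src"] in blocked_at and not is_internal(r["dst"]):
            t0 = blocked_at[r["src"]]
            if t0 <= r["ts"] <= t0 + window:
                outbound[(r["src"], r["dst"])].append(r["ts"])
    return sorted({src for (src, _), ts in outbound.items() if len(ts) >= min_flows})

if __name__ == "__main__":
    print("review these hosts:", suspicious_hosts(EVENTS))
```

On the sample data only 10.1.1.23 is flagged: it was "protected" by the IPS and then opened three flows to the same outside address within the window, while 10.1.1.42 only spoke to another internal host.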

Respond quicker - where have I heard that before?
Jim Reavis echoes a common Pragmatic refrain in this post. We need to plan. The first 4 steps of the Pragmatic CSO are all about planning. Then you need to do, but ultimately you need to react, and you need to do it faster. Jim can call it "respond quicker," but it's all the same thing. Things are going to happen, and you can't plan for everything. But you need to have a well-worn containment strategy in place to deal with these incidents. And you also need to monitor more aggressively, so you get a further jump on something bad, which can make the difference between a manageable situation and a catastrophe. I'm sure you folks are getting sick of me constantly beating the drum for the P-CSO, but I've been writing about this stuff for a long time and it's nice to see other (sort of) respected commentators reiterating the same points.
http://www.riskbloggers.com/jimreavis/2007/05/plan-plan-plan-plan-react/


Submitted by Rob Lewis (not verified) on Wed, 2007-05-02 16:25.

@May 2nd post

About the bozos. Sorry, I couldn't resist. Some cretin said I have to get in people's faces more and I have recently been reading about Guy Kawasaki's SAS keynote:

The art of innovation
"Don't let the bozos grind you down"
http://www.itworldcanada.com/Pages/Docbase/ViewArticle.aspx?ID=idgml-15a33d04-c39f-4cad-939e-d3fdd2395b6a&Portal=&ParaStart=14&ParaEnd=28&direction=prev&Previous=Previous

Kudos to you and the Dark Reading guys for realizing that the status quo is not working and there is a need to fundamentally rethink data protection. You (and others) have been pointing out that there is not much happening in the way of innovation, at RSA or any other show apparently, and that data protection is not about endpoint devices.

However, according to Kawasaki, and I think he knows a few things, he says that "successful bozos, are the most dangerous of all since people tend to believe them", but "their very success on the previous curve makes them unable to comprehend, much less embrace, the next curve". Does this suggest that you and Tim and other security pundits will not be capable of recognizing the next curve, even when it is right in front of you? Will you and the whole industry always default back to that which gives you control, but deep down that you also know is failing?

You say it is time to think different and you asked if there are any takers.

We are willing to step up to the plate.

I have been chatting with you over some time about Trustifier technology.

Trustifier is a security sub-system that adds internal controls to existing commercial systems and networks in the form of a kernel level policy enforcer, to convert them into trusted ones with full multilevel security.

The technology converts the system into a user-centric, deny-by-default access and audit system for all authorized users, including the system administrators and security officers, at the data file level. Trustifier enforces a pre-emptive lockdown of the system by controlling access to system and network calls in a mathematically closed and complete system, which is provable. Systems and data are protected against users, application bugs and malware.

The technology starts at the core where the crown jewels are kept and then disperses rules via an agent to clients throughout the network, to the perimeter or in designated trust channels to regulate where and to whom data may be released, and how it may be used, without exception. It does not matter what device you use or where you plug in, if you are not on the white list you get nothing.

We are now willing to prove that this technology works, is manageable and cost effective to anyone who is interested. The good news is that it is only mildly disruptive. It is designed to integrate with existing IT environments.

We think we are on the next curve. Bring on the bozos.


Submitted by Mike Rothman on Thu, 2007-05-03 13:39.

Rob,

With all due respect, you've been hounding me for 18 months about your technology and can still not prove it (with reasonable customer references) nor explain it. And to me O/S level protection, which is effectively what you do, is still focused on the devices. You are not protecting the elements of data, but rather what the data can do on a specific machine - I think. There is a difference. Candidly, I am not willing to waste any more time until you can substantiate your outlandish claims.

Submitted by Rob Lewis (not verified) on Thu, 2007-05-03 16:43.

Mike,

Trustifier technology is not limited to the host it is installed on. It extends into the network. It also protects from the OS layer to the user layer. The multilevel security aspect is data assurance, allowing users of different security clearances to access documents according to appropriate sensitivity ranking. In this day and age of privacy concerns and protecting customer data, how does confidentiality not matter? If this is not information-centric security, what is?

I admitted up front to you, from the start, that my own personal lack of technical experience in the field limited my ability to explain Trustifier's workings to you, but I don't think I have ever wavered in the claims that I have made in that time. The point of this exercise is if it worked the same way as everything else, it wouldn't be innovative would it? You know that there is no way for these claims to be made with status quo technology. You say so yourself all the time. Your incite yesterday was about the need for real innovation. Who else is coming forward?

I have been suggesting that Ahmed take time to follow up with you for the last 6 months. I think I can get him to do so later this month. Let's talk then and see if we can come up with some way to prove our case to you in a meaningful way.

You may be a bozo (hey, you have called yourself worse) Mike, but I think you are a very smart one, raising necessary questions and showing much leadership in the security community. I WANT to prove our claims to you, because they say a skeptic convinced becomes a true believer. I am just not able to do so on my own.

Cheers,

Rob
