The Daily Incite - May 21, 2007

Submitted by Mike Rothman on Mon, 2007-05-21 06:35.
Today's Daily Incite

May 21, 2007 - Volume 2, #82

Good Morning:
On Thursday I ranted a bit about being more mellow and maybe doing less work and more play. Ah, the best laid plans as it is now Sunday afternoon and I'm cranking out the newsletter. Yes, I'm cheating - but there is a good reason. The rest of my Sunday and Monday morning are chock full of family stuff - so there!

After the morning with the kids (as the Boss and her Mom went to a show), this is the only time until tomorrow night that I'll have to do much of anything. Once I'm done with this, we'll be heading off to the park to enjoy this glorious day. Then the Boss and I are going to see Ty Barnett. It's been way too long since we've seen live comedy, so it'll be nice to get a few laughs in before the mayhem of the week kicks in.

Tomorrow is no better, since bright and early my oldest's school is kicking off Field Day with some type of opening ceremony, where Leah is singing. She was practicing all through lunch, so I'm sure she'll be great. Then it's off to a meeting, then to the airport, and back on the road for a couple of days. That's why an hour or so of Sunday is all you get.

Enough about me (even if it is my favorite topic), let's talk a bit about metrics. I moderated a very cool panel at the All-Ohio InfraGard/ISSA/ISACA conference in Columbus on Friday. Along for the ride were Steve Weber of Cardinal Health, Jack Jones of CBC Companies (who also moonlights in working with Alex Hutton at Risk Management Insights), and Jerry Bowman, a physical security consultant who has also done some IT security in the past. These guys were great, but their focus wasn't on traditional metrics - it was on "risk management." Yep, I tried to nail each of the guys down on what that really meant, but defining it is hard. Jerry had a great response because in his world, risk management means a body count of zero.

Steve Weber talked about the importance of getting an early win. After spending a few years tackling infrastructure security issues, he'd have taken a different path if he had to do it all over again. He's very focused on the application layer now and figuring out how to show security improvement along those lines. He would have focused on the application layer much sooner because with the scale of his organization, it took him years to lock down the infrastructure and there is still work to be done. He needed an early win and told everyone in the crowd to find something that can be fixed quickly. Take a baseline and show improvement FAST. This was great advice.

Jack Jones focused a lot on the need to quantify to the level of your audience. He works in insurance and obviously those folks don't see even a $10 million loss as very significant. They have claims for that pretty much every day based on fender-benders. So he needed to make sure he quantified everything and could substantiate his numbers. More great advice.

But the biggest message I took from the panel was the criticality of presenting information about risk to business people in business terms. Then THEY can make business decisions about what is an acceptable risk to take. As I've long said, the answer is out there, not in your head. Our job as security professionals is to make sure the business people have enough information to make a reasoned decision.

Have a great day.

The Pragmatic CSO: Available Now!

Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com

Pragmatic CSO Bootcamp - Maiden Voyage

June 6 in Atlanta

Sign up Now! Only 10 slots (and they are filling fast).

Sign up for the P-CSO bootcamp

Top Security News

At least 1/3 of NAC is heating up
So what? - It was actually funny to see a blog battle between Michelle McLean and Shimmy about the importance of pre-admission control and some stuff around inline vs. out-of-band (Michelle, then Alan, then Michelle, then Alan). We have become entirely too civilized in security blog land of late. But they were really playing off of a recent Network Computing survey about the state of NAC. Unfortunately they are still only asking questions about pre-admission control. The article isn't half bad and the graphs at the end show some interesting data (like Cisco is far and away the mindshare leader in NAC), if your viewpoint is restricted to that focus. Unfortunately (for Alan anyway), I happen to be largely in Michelle's camp, which is that NAC becomes interesting after you've connected to the network. But by most accounts, it seems the pre-admission side is heating up as the vendors (besides Caymas, I guess) are all telling me about record quarters, huge pipelines, blah blah blah blah. But since I believe pretty much nothing that most vendors tell me, I did triangulate the data a bit. The users and resellers are also telling me of increased interest, but it's still about kicking tires and figuring out the best way to solve the variety of problems that NAC purports to solve. I still think we will look back in 12 months and talk about how NAC hasn't lived up to the hype; my position on that hasn't changed.

Marty on the perfect storm and open source
So what? - Enjoy it while it lasts. Now that Marty Roesch works for a public company, he can only talk maybe one out of every three months. Officers of public companies have very limited windows where they can talk about anything, so this interview in Network Computing was a treat. If only Marty said anything. First he starts off by talking about the "perfect storm" that resulted in FIRE's Q1 miss. I guess if you blow a hole in your own hull with a Howitzer, then that qualifies as a perfect storm. But I've beaten that one to death already. Then Marty goes on to debunk myths that FIRE is only about IDS. Right, they do RNA and other monitoring, SIM and other types of stuff. Blah blah blah. I think the only nugget that was sort of interesting is how Marty describes the power of the open source community. He's right, IF (and that is a huge friggin' IF) a company can get other folks to contribute. Most open source initiatives are pretty much a Go2Market strategy for a vendor looking to be "different". Sourcefire is one of the unique companies that have actually built a business and managed to keep the community alive and engaged. But new companies are trying every day, and pretty much all of them will fail.

More survey mayhem
So what? - Looks like one of the most plum jobs adjacent to the information security industry is to be Larry Ponemon's accountant. Yet another Ponemon survey was commissioned by a Dallas law firm that drew the conclusion that - are you sitting down? - encryption would have saved most of the respective asses of the respondents when a data breach hits. Yeah, that's news. But there were actually some interesting data points in here. Only 43% had an incident response plan. And 82% failed to consult with legal counsel before responding to an incident. I guess this survey was sponsored by a law firm. Can you imagine the nerve of those security folks? To actually move decisively to contain an incident, as opposed to waiting for your $400/hr lawyer to show up. Off with their heads, I say. But actually that 43% number bothers me. A key tenet of the P-CSO is to make sure you live to fight another day. How can you do that if 57% of those folks out there don't have any plan to respond to an incident? Whether it's 43% or 80% of folks with a documented plan doesn't matter. You better be in the right bucket. You'll thank me later.

The Laundry List

No laundry today

Top Blog Postings

Another incident response nightmare
While I'm ranting about the need for a defined incident response plan, let me point to a post from the Security Monkey, who tells the tale of a forensics pro called in to clean up a real mess. Turns out this guy was called in by a network manager whose applications were reacting strangely. Yup, the network was owned and his incident response team was nowhere to be found. There were no plans to pull the suspect machines off the network or have a hot standby or anything to keep things available. These kinds of stories really underscore the need to have everyone on the same page when the brown stuff hits the fan. If one group is acting out of step (or not acting at all), the whole process goes nowhere fast. Right, at that point it's dust off your resume time.
http://blogs.ittoolbox.com/security/investigator/archives/my-csirt-plan-has-fallen-and-it-cant-get-up-16310

Can we move fast enough?
Chandler Howell brings up some interesting points in this post, especially since I've been talking about metrics quite a bit lately. There is definitely a velocity issue that we have to deal with. The bad guys are moving and innovating much faster than the good guys. This disconnect means that even some of the general metrics we'd want to gather wouldn't be very useful in actually making decisions. And that's the entire point of metrics, right? But the real nugget is in the last paragraph where Chandler makes the point that many of us are too caught up in "winning" or "losing" and the real point is to ensure the attacker goes after someone else. "The key is to ensure that the impact of incidents and cost of countermeasures does not exceed a tolerable level over time..." Of course, we (security folks) don't determine what is tolerable, the business folks do that. We just provide them with the data.
http://thurston.halfcat.org/blog/2007/05/18/risk-of-what-more-reasons-not-to-manage-risk/

The shoemaker's children
Tim Wilson takes a few "security" companies to task for stupidity in this post. Too bad Tim is a bit misdirected here. This story is about stupid mistakes, not security companies. Since when is IBM a "security company?" They do some security stuff, but if you asked any of their HUNDREDS of THOUSANDS of employees what IBM does, I'd say a big goose egg would say security. And the TSA? Give me a break, they are more of a theatrical troupe than a security organization. Tim's point is to show that security companies are far from perfect and he's right. Symantec, McAfee, et al. seem to be constantly patching some buggy software that created exposures. And I don't want to minimize the sins of these companies that didn't protect data appropriately. The reality is I'm not sure any big company is really a "security" company anymore. And that is based on the behavior of their employees, not their branding. Yes, better security awareness training can help with that.
http://www.darkreading.com/document.asp?doc_id=124401