The Daily Incite - May 31, 2006
May 31, 2006
Good Morning:
Greetings from the west coast, where it's still pretty early. Not a lot of news yesterday, but I'll highlight the emerging media frenzy about these new consumer security suite services from the likes of Microsoft, Symantec and now McAfee. I tend to think it's much ado about nothing, since it's really more of a new pricing model (and one that McAfee has been using for years) than anything else. But it gives the media something to write about.
I'll be at the Inbox show for most of the day (my panel is at 11 AM PST), so I'll try to do a quick post about the show during the day.
Have a great day.
Top Security News
Let's get it on - Consumer AV services battle commences
So what? - On the day Microsoft releases OneCare (http://biz.yahoo.com/ap/060530/microsoft_security.html?.v=3), McAfee announces their intention to bring to market a service offering (Falcon) that pretty much looks and smells like OneCare and Symantec's Genesis. Candidly, I'm not sure what all the friggin' hype is about. McAfee has been packaging their stuff as a service offering for years (I should know; I've been a customer), and consumers/SMB folks don't know the difference between a "service" and packaged software. There doesn't seem to be anything new in Falcon besides a cool code name. But Microsoft is treading on their turf, so Symantec and McAfee need to respond and protect their territory. Microsoft is a legitimate competitor and will eventually drive costs down, which is good for all of us.
http://www.mcafee.com/us/about/press/corporate/2006/20060530_183520_u.html
Another "identity-based" network security offering
So what? - Anyone remember Securify? These folks were a security management player a few years ago and evidently they didn't go away. Now they are playing into this emerging space of "identity-enabled" network security devices. Fact is, it's basically an IPS that is doing some cross-referencing with identity information. So now you can tell who is doing something as opposed to just an IP address. I don't think this is too novel, but I'll be speaking to these folks over the next week or so and if there is anything interesting - I'll let you know.
http://www.securify.com/news/pr_sec52.html
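The "cross-referencing with identity information" above is just a time-windowed join between an IP-keyed alert and whatever logon/logoff feed you have. The example below is added here to show that join and its two failure modes (no session covering the alert, or more than one); it is not Securify's code or anything from the announcement, and the log formats, field names and all sample records are constructed for the illustration. The one design choice worth noting: a new LOGON on an IP does not silently close an earlier session on the same IP, so an alert that lands in the overlap comes back as ambiguous rather than being pinned on the wrong user.

```python
import shlex
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample data (hypothetical formats, not from any real product):
# a logon/logoff feed from a directory or DHCP source, and IDS alerts that
# carry only a source IP.
AUTH_LOG = """\
2006-05-30T08:55:00 LOGON  user=alice ip=10.0.0.5
2006-05-30T09:10:00 LOGON  user=bob   ip=10.0.0.7
2006-05-30T09:30:00 LOGOFF user=alice ip=10.0.0.5
2006-05-30T09:31:00 LOGON  user=carol ip=10.0.0.5
2006-05-30T10:00:00 LOGON  user=dave  ip=10.0.0.7
"""

IDS_ALERTS = """\
2006-05-30T09:20:00 src=10.0.0.5 msg="SMB brute force"
2006-05-30T09:45:00 src=10.0.0.5 msg="outbound IRC"
2006-05-30T10:05:00 src=10.0.0.7 msg="port scan"
2006-05-30T10:05:00 src=10.0.0.9 msg="port scan"
"""


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None  # None: no LOGOFF seen yet, treated as still open


def _parse_kv(fields: List[str]) -> dict:
    """Turn ['user=alice', 'ip=10.0.0.5'] into a dict; shlex already removed quotes."""
    out = {}
    for f in fields:
        if "=" in f:
            k, v = f.split("=", 1)
            out[k] = v
    return out


def build_sessions(auth_log: str) -> List[Session]:
    """Pair LOGON/LOGOFF records into per-user, per-IP sessions."""
    sessions: List[Session] = []
    for line in auth_log.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)
        ts, event, kv = datetime.fromisoformat(parts[0]), parts[1], _parse_kv(parts[2:])
        if event == "LOGON":
            sessions.append(Session(kv["user"], kv["ip"], ts))
        elif event == "LOGOFF":
            for s in sessions:
                if s.user == kv["user"] and s.ip == kv["ip"] and s.end is None:
                    s.end = ts
    return sessions


def who_was_on(sessions: List[Session], ip: str, at: datetime) -> Set[str]:
    """All users whose session on `ip` covers the instant `at`."""
    return {
        s.user
        for s in sessions
        if s.ip == ip and s.start <= at and (s.end is None or at < s.end)
    }


def attribute_alerts(sessions: List[Session], alerts: str) -> List[Tuple[str, str, str]]:
    """Return (src_ip, message, attribution) per alert.

    attribution is a user name, 'unknown' (no session covered the alert) or
    'ambiguous:<users>' (overlapping sessions: shared host, NAT, or a missing LOGOFF).
    """
    results = []
    for line in alerts.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)
        ts, kv = datetime.fromisoformat(parts[0]), _parse_kv(parts[1:])
        users = who_was_on(sessions, kv["src"], ts)
        if len(users) == 1:
            who = next(iter(users))
        elif not users:
            who = "unknown"
        else:
            who = "ambiguous:" + ",".join(sorted(users))
        results.append((kv["src"], kv["msg"], who))
    return results


if __name__ == "__main__":
    for src, msg, who in attribute_alerts(build_sessions(AUTH_LOG), IDS_ALERTS):
        print(f"{src:10} {who:20} {msg}")
```

Run as-is it attributes the first alert to alice, the second to carol (her session is still open), flags the 10.0.0.7 alert as ambiguous because bob never logged off before dave logged on, and marks 10.0.0.9 unknown. The "unknown" and "ambiguous" outcomes are the whole point: an identity-aware IPS that only ever returns a single name is hiding exactly the cases where the mapping is wrong.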
Big UTM is on the way
So what? - Big UTM is happening, and it's the service providers that are driving the market this time. The economics of the situation just make sense. For ISPs and other big carriers, space is at a premium and complex management costs them money. So they are looking for integrated solutions bringing together predominantly yesterday's security technology (firewall, IDS/IPS, etc.). The service provider side of the house doesn't really need to deploy complicated application-oriented security solutions at this point (except maybe email hygiene). Fortinet is throwing their hat into the Big UTM space (along with Crossbeam) with some new blades for their chassis-based offering. Folks like Nokia are at risk unless they bring forward a compelling larger form factor UTM offering.
http://www.fortinet.com/news/pr/2006/pr053006.html
Melding search and security
So what? - Red Herring has a good overview article on the emerging offerings that pinpoint sites in your search results that spread malware, adware and other nasty stuff. Of course, SiteAdvisor selling to McAfee is the cornerstone of legitimizing this "market." And the SiteAdvisor folks did a great job of creating a lot of economic value in a short amount of time. That being said, these "secure" search results are not a stand-alone market. The offering needs to be built into other already resident security products, because where this technology is most needed is the consumer space, and those folks don't have any idea technology like this is out there. So look for McAfee (and possibly ScanSafe with their Scandoo offering) to bundle this type of offering into ISPs' consumer portals and also build it into the desktop security suite. Yes, the technology is needed, but consumers are not going to pay extra for it.
http://www.redherring.com/Article.aspx?a=17031&hed=Melding%20Search%20and%20Security
Automated pen testing hitting its stride
So what? - Just like folks realized a few years ago that doing a monthly vulnerability scan of their network wasn't often enough, those same folks are realizing that the annual penetration test is no longer enough either. Core Security has built the market for automated pen testing software, which uses real exploits to figure out whether you are really AT RISK, as opposed to just vulnerable. I did a webcast (link here) at the beginning of the month that details how and when you should think about adding automated pen testing to your security arsenal. The news is a few enhancements to the CORE IMPACT product to more effectively mask efforts and evade detection, so you can test your network security defenses more realistically.
http://www.coresecurity.com/common/showdoc.php?idx=541&idxseccion=50&idxmenu=32
Top Blog Postings
Defense in depth in the age of UTM
This is an interesting post from Dave Piscatello about what impact UTM has on a defense in depth strategy. Do you sacrifice security because everything runs on one box? He comes to the conclusion (which I agree with) that you can still implement defense in depth leveraging UTM by having additional devices protecting other parts of the network. And the consistency in policy and logging formats outweighs any perceived hit to security.
http://hhi.corecom.com/arc20060501.htm#BlogID530
Revisiting the rootkit discussion
Ellen Messmer refers to an article (link here) in this week's NetworkWorld about rootkits. Evidently John Pescatore, one of the G-men has come out saying that rootkits are not always bad and that there are some use cases for using "stealth technology." I said back in March that rootkits are not always evil (link here), so evidently I was ahead of the curve. The real challenge is that religion has gotten involved in the discussion. There are vociferous folks (like Mark Russinovich and Bruce Schneier) who believe the technology is always bad. I'm much more pragmatic and if it's going to make life easier or prohibit savvy internal folks from turning off the security protections, then it's something to consider.
http://www.networkworld.com/weblogs/security/012260.html
For IDS, the answer is both
One of my 2006 Incites was called "Losing the Religion" because I thought the religious discussion about signatures versus behavioral techniques for IDS/IPS was just stupid. Just like in the AV market, the answer is both. Alan Shimel revisits the topic in this post making the point that consolidation will happen with the two flavors of IPS coming together. This has already happened, as evidenced by Arbor's OEM deal with ISS. It was probably a pricing issue that prevented an outright acquisition. Alan also makes the point that behavioral based approaches are more effective for post-admission NAC. That may be true, but you have to get the traffic to the IPS box to make that model work. That's why I've been talking about security being more tightly integrated into the switch, so you don't have to totally overhaul the flow of traffic through your network to be able to enforce these NAC policies.
http://ashimmy.typepad.com/ashimmy/2006/05/are_signature_a.html
Consumer and business markets are different
This post on the Ferris blog just underscores the point. The story is basically about consumer ISPs suffering some backlash from over-aggressive spam filtering policies, even going so far as to block all traffic from some Asian networks. That seems a bit over the top to me, but businesses can and should be more aggressive. I also think that quarantining potentially undesired messages is a better way to go. Yahoo does that for me, so I don't see why the consumer ISPs can't just do a subject re-write adding a [Potential SPAM] tag to the message and then forwarding it on its way. But that would be too simple, eh?
http://blog.ferris.com/2006/05/isps_with_overa.html
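The "tag and forward" approach above is cheap to implement, and the part people get wrong is not the tag itself but the band structure around it: only reject at a score where false positives are genuinely rare, tag everything in the gray zone so the user can filter on it, and never stack a second tag on mail that passes through two filters. The example below is added here to show that policy with Python's standard email library; it is not code from the Ferris post, Yahoo or any ISP, and the thresholds, header names and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Tuple

TAG = "[Potential SPAM]"
REJECT_AT = 10.0  # assumed score at/above which the MTA refuses the message outright
TAG_AT = 5.0      # assumed score at/above which we tag the subject but still deliver


def apply_spam_policy(raw: bytes, score: float) -> Tuple[str, EmailMessage]:
    """Decide what to do with a scored message.

    Returns (action, message) where action is 'reject', 'tag' or 'deliver'.
    'reject' should be acted on at SMTP time (a 5xx) so the sender learns about it;
    'tag' annotates the copy that is delivered so the recipient can filter on it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if score >= REJECT_AT:
        return "reject", msg

    # Always record the verdict in headers; clients and user rules key off these.
    msg["X-Spam-Score"] = f"{score:.1f}"
    if score < TAG_AT:
        msg["X-Spam-Status"] = "No"
        return "deliver", msg

    msg["X-Spam-Status"] = "Yes"
    subject = str(msg.get("Subject", "") or "")
    # Idempotent: a message that already carries the tag (re-scanned after a
    # forward, or tagged upstream) must not end up as "[Potential SPAM] [Potential SPAM] ...".
    if not subject.startswith(TAG):
        del msg["Subject"]  # Subject is a single-instance header; replace, don't append
        msg["Subject"] = f"{TAG} {subject}".strip()
    return "tag", msg


# Constructed sample message for illustration only.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: you@example.net\r\n"
    b"Subject: Hi\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    for score in (1.0, 7.2, 12.0):
        action, m = apply_spam_policy(SAMPLE, score)
        print(f"score={score:4}: {action:8} subject={m['Subject']!r}")
```

A message with no Subject header at all ends up with just the tag as its subject, which is still filterable; and feeding a tagged message back through the function with the same score leaves the subject unchanged while adding a second X-Spam-Score header, which is the trail you want when two filters disagree.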
Recently on the Security Incite Rants Blog
Read Tuesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-30-2006