The Daily Incite - May 9, 2007

Submitted by Mike Rothman on Wed, 2007-05-09 08:57.
Today's Daily Incite

May 9, 2007 - Volume 2, #76

Good Morning:
Being the parent of small kids, it's always interesting to get to the point that the kids start bending the truth a bit. When they are really little, they are like the soothsayer's stone. Ask a question and you get an answer. It may be as sophisticated as "I wanted to," but it's what they think. There is no spin, which is refreshing considering what I used to do for a living.

Then at some point, they evolve a bit and start trying to cover up what they do and why. Usually it's not a big deal, but you get a lot of finger pointing. This is particularly an issue with the twins. Something will end up on the floor, broken, and I'll ask who did it. Sam instinctively says Lindsay, and Lindsay says Sam. Every single time. When I push back, they both say "Leah" in unison. After I stop laughing, I put both of them in time-out. What else can I do? I'm not going to get a straight answer, so at least I'll get 2-3 minutes of peace.

Most of the time when I talk to vendors, it feels like I'm talking to the twins. They pitch me on some undecipherable technical gobbledy-goop and want to show me their friggin' interface. I keep telling them, I don't care about the interface - I want to know what problem you solve. And most security stuff happens behind the scenes. It's not like they can show me the decision tree an IPS takes to determine if a packet is bad or good in a demo. But showing the analyst a demo is in Marketing 101, so they feel compelled to do it.

I always ask why they win and what makes them different, and then I am really talking to 3-year-olds. We do this better than them. And the other guys inevitably say they do the same thing better. That's why I don't believe anything until I get it validated in the field.

It's even funnier when I talk to someone that hasn't done their homework and checked my bio before we talk. They try to snow me with some sophomoric trick and they are shocked when I call them on it. Oh, you are using the "you can't prove this either way" trick, the "we've suspended the laws of physics" trick, or some variation on the "name dropping Fortune 50 companies you had an intro meeting with" trick. Believe me, I know them all. I've used them all. My bullshit detector is finely tuned.

Of course, it's the end-users that end up caught in the cross-fire. Most users are used to vendors slinging mud at each other and having to put on hip boots to wade through the crap to get at some semblance of the truth. But it's these games that force me to continue pushing users to test everything significant they want to buy. The last thing you want is to be sold a bill of goods and then have to explain to the CIO why your first choice isn't working out.

Users need to do their diligence and believe nothing that you can't prove in your lab. This general skeptical stance will save you a lot of heartburn after you have the product installed. Trust me on this. I'm just glad I am in a spot now where I'm only expected to tell my version of the truth. Like my tagline says, No Bull. No Bias. Real Incite. After 8 years in the Gulag, telling the truth has been liberating. But that's just me.

Have a great day.

Top Security News

How big before ITIL matters?
So what? - I feel like railing a bit on folks that just don't like to think. These big frameworks, whether it be COBIT or ISO 27001/2 or even ITIL, are in vogue because, as opposed to thinking, folks just want the answer. Sorry, there is no standard answer. This SearchSMB article on what ITIL is good for within a mid-sized company is kind of interesting, but I just don't buy it. Let me be clear on this. A framework is a good starting point, but it's only a starting point. Folks that buy a guide or attend training looking for a roadmap to better operations and/or security are going to be disappointed. Why? Because security isn't really in our control. There are millions of external factors and we need everyone to buy into the program. No cookbook can help you with that. Big companies are so complicated that even a big, heavy framework would provide a simplified view of the world, so I'm cool with it in that context. But it just seems that a mid-sized company would be better off figuring out the 2 or 3 most critical business systems and protecting those.

And I thought I was grumpy
So what? - Ira Winkler makes me seem like I'm on some top flight happy pills. He spouts venom at pretty much everyone and I've yet to see him write or be interviewed on anything that he actually likes. Finally, I can point the Boss at an example of someone even grumpier than me. In this TechTarget Q&A, Ira rails against folks that do the "what's old is new" trick. You know, things like Microsoft Office macro attacks and evidently Google hacks. Clearly for those "in the know," this isn't new stuff. Unfortunately many, many folks out there are NOT in the know. And you know the old adage: "Those that forget history are bound to repeat it." So I'm actually cool with people talking about stuff that is both old and well-known. Of course, if a vendor is portraying old solutions to old problems as new, then you call them out. But reminding us about what we need to remember is all good. And how did Ira get them to print his college portrait? Maybe I should dig mine up from when I had dark hair.

Strange database security coincidences
So what? - It's amazing to me how for the same flight routes, multiple airlines have exactly the same price. That's not collusion? Isn't that a no-no? But I digress. The database security market is starting to heat up and it seems like vendors are colluding about what to announce when. Not from the customer side; it's still very early, and though the need is there, companies are still trying to figure out what it looks like. I'm talking about the hype engine. Yesterday Guardium announced the ability to monitor database hosts to identify insider attacks. Amazingly enough, Imperva announced what seems to be the same thing, just with different words. Yes, my phone will be ringing off the hook this AM with both vendors telling me why they are better/different. I wonder if I can put each vendor in time-out and get some peace for 2-3 minutes? And if that wasn't enough, a new company called Sentrigo announced some funding to address what seems to be the same problem, though it's not exactly clear what they do quite yet. I've spent many years in the security business and I've never seen three vendors announce largely the same thing ON THE EXACT SAME DAY. Spooky. Like the database security gods are pulling some serious strings from above. Rod Serling is rolling in his grave right about now.

The Laundry List

  1. Cisco announces FQ3 earnings and guidance disappoints. Stock down 5% after-hours. No, Hoff, keep your wet-naps. I thought you knew trees don't grow to the sky. And Cisco spends more on toilet paper than Zix sold last quarter. - Cisco earnings; Zix earnings
  2. RSA uses EMC storage. Really? And that was worth $2.1 Big? - EMC press release
  3. Oracle logs database activity. Shocker. I'm sure log management vendors are quaking. - Oracle press release
  4. Another one for the shocker files, 78% of companies monitor web use. The other 22% have porn addicted CIOs. Maybe Ira is right, we already know everything. - NetworkWorld article

Top Blog Postings

More from Farnum on SIEM
I definitely like the direction that Farnum is taking with his blog. He's talking about what is going on out there and he's seeing a lot of stuff. It looks like SIEM is one of his favorite topics and it'll be interesting to see how long he remains on the bandwagon. I know he has a lot of folks looking at SIEM, and I suspect a lot of those will deploy it this year, and most of them will be disappointed. But probably not Farnum. I suspect there will be lots of service hours to bill to make the SIEM work. I speak to folks very frequently, and SIEM still requires a lot of tuning, which impacts time to value. And what do you do with the data once you have it? As Farnum himself says, you need a human to interpret the data. But that human is basically just telling you where you've already been. Tom Bowers has the right idea in this SearchSecurity column to integrate NetFlow data into the SIEM and get some useful data. Gosh, never heard of that idea before... The last bone I'll pick with my Farnumian friend is about the whole compliance thing. Be very, very careful on this. It all depends on how the vendor stores the data. If it's not cryptographically secure and forensically clean, the auditors won't trust it. So you may have figured out that compliance can pay for the project, but you'll be holding the bag with data you can't use.
http://infosecplace.com/blog/2007/05/08/another-educational-institution-another-siem-eval/

Malware numbers don't matter
Dan Sullivan is looking for better numbers on malware attacks and he uses the old "if you can't measure it, you can't manage it." That's bunk. Users shouldn't care about what's happening OUT THERE; they should be focused on IN HERE. How many malware outbreaks have you had? What percentage of your mail is spam? There is an infinite amount of badness out there, and I don't think it's productive to worry about it. Sure, the data makes for nice graphs, but how do you use this data? To try to scare your CIO/CFO into buying more security stuff? That doesn't work too well. I'd rather Pragmatic folks spend that time learning more about the business: talking to the folks that run operations, and understanding what is really important to the business. I don't know much, but I have a good idea there will be more malware tomorrow than there is today. That's about all you need to know.
http://www.realtime-websecurity.com/articles_and_analysis/2007/05/resources_and_tools_for_measur.html

Taking on the sacred cow
Thankfully I'm not the only one who thinks Schneier is a blow-hard. Sure, he's very visible and he does a bit to make security more of a topic for the general public, and I'd sure like to have his readership; just imagine what I could do with that. But Kurt Wismer asks if old Bruce has finally jumped the shark. The answer is yes and no. If anything, Schneier is a master marketer. By reviving his long-standing positions on things like software liability and the fate of the security industry (they alternate about every 6 months) he stays in the public consciousness. Again, masterful marketing, but little new value. By the way, Art Coviello said almost the same thing at RSA and everyone was aflutter about that too. Looks like us security folks are going through a low self-esteem period. We matter, folks, and our job function isn't going away. So let's get beyond this and actually spend more time proving our worth than worrying about whether there is any.
http://anti-virus-rants.blogspot.com/2007/05/do-we-really-need-bruce-schneier.html
