The Daily Incite - November 15, 2006
November 15, 2006 - #157
Good Morning:
Howdy hump day. A rainy Wednesday here in ATL and I can feel the calluses starting to thicken on my fingers as I continue to crank away at writing the book. News has definitely slowed down a bit heading into next week's Thanksgiving festivities here in the US, so I'm stretching a bit for news. I may contract TDI over the next couple of days to reflect the holiday season.
Speaking of news, it seems everyone wants a piece of Symantec. First, Microsoft finally gets a beta out of their Forefront products (here). Early returns are favorable on the products, but clearly they aren't full suites yet. IronPort has also decided they are no longer friendly with the Big Yellow (here). They didn't outright say Brightmail sucks, but even Mr. Magoo could see that if you read the release. So much for their great "partnership." If you didn't see this coming, you should go see Mr. Magoo's ophthalmologist too.
In blog land, Andy IT Guy vents about his anti-spam gateway going down (here). Remember my friend, you get what you pay for. The Mogull deflates the hype around the IE vs. Firefox anti-phishing performance (here). Yep, they both suck. And I actually have something decent to say about Webroot (here). My contrarian roots are showing big time now.
Have a great day.
Top Security News
Microsoft continues to target the Big Yellow
So what? - I've arrived. I'm not sure where, but I've found my way onto the Microsoft analysts list for security stuff. Me and probably 1500 of my closest analyst friends, but I'll take a heads up any way I can get it. So one of the things I forgot to cover yesterday is Microsoft's announcement of the public beta of their previously announced Forefront client security, which is analogous to Symantec and McAfee's business AV products. But more interestingly, MSFT announced a rebranding and renewed focus on the Sybari stuff, which runs directly on the Exchange Server and also on a SharePoint server. Yep, they are going after Symantec's bread basket. Being a fan of layers, I advise most organizations to run AV at the gateway and also on the server. I do recommend that folks use different scanning engines on the various layers, so Microsoft should do pretty well now that they are focused on protecting the Exchange server. Finally, Microsoft also added some application optimization features to the Intelligent Application Gateway (which is the Whale product). Secure accelerated access - that's what the perimeter is all about.
http://www.microsoft.com/presspass/features/2006/nov06/11-14forefront.mspx
Damned if you do, damned if you're not Cisco
So what? - On Monday, Juniper announced a new version of their Unified Access Control solution (read NAC), which finally integrates the Funk Odyssey client and the Steel-Belted Radius server. Whoopee. It supports 802.1x, as well as the TCG's TNC. More whoopee. Gosh, I feel like Bob Eubanks on the Newlywed Game. Lots of whoopee going on. But Shimel is a little chagrined (here) that the announcement was a big ho-hum and some analysts even panned them for supporting the standard and making that the central point of the new release. I guess I'm in the ho-hum camp because I'm still of the opinion that NAC standards are meaningless. You get guys like Joel Snyder doing interoperability tests and crowing for TNC support (or at least interoperability between the 3 factions - C-NAC, MSFT NAP and TNC), but customers don't care. Well, let me clarify a bit. If you ask customers about interoperability, they say - sure, do that. But no one is not buying the Cisco NAC appliance (or any of the other 3rd party solutions) because they are not interoperable. They just aren't. If Juniper is going to hang their hats on standards, they'll be sorely disappointed as the market gets away from them FAST.
http://www.juniper.net/company/presscenter/pr/2006/pr-061113.html
Risk Management has been hijacked
So what? - Someone call the TSA. I thought we were going to reinforce the cockpit doors that protect the sanctity of our product categories. Well, someone screwed up because risk management has been co-opted by all sorts of security product and services vendors from McAfee to KSR, a new managed security player that is allegedly taking an application-centric view on security services. They actually call themselves a Managed Risk Services Provider. I'm going to puke. Not sure exactly what that means, but it's pretty clear that it has something to do with Risk Management. Looks like Alex Hutton at RiskAnalysis.is is going to have lots to talk about for quite a while - debunking all this crap. As opposed to doing firewalls and IPS, KSR is going to focus on authentication, identity management and endpoint security. That's kind of interesting, but ultimately I think they'll learn about the economics of MSS pretty quickly and the lesson will not be pleasant. It's all about leverage and managing independent authentication and IDM environments for customers does not lend itself to leverage. Those are very customized implementations. They also acquired Neohapsis, so this is looking more like a services roll-up with a new paint job rather than something truly novel. But we'll see.
http://www.ksr.com/pressrelease.pdf
Picking apart Vista didn't work, so let's try the Mac
So what? - SecurityFocus pointed me to some research that Symantec has published about Mac OS X. A while back, I remember ranting incessantly, questioning why Symantec was picking apart a pre-release copy of Vista and pummeling the security model. It reeked of desperation. At least this work analyzing the Mac OS X security model is a little more grounded. Most interesting is the report's contention that the most important thing for Mac administrators to do is make sure their users are educated. Wow. Sure, they should buy an AV package (for what I'm not sure) and make sure not to run as an administrator (in Mac OS X it doesn't matter, they still require you to authenticate before installing anything). I'm happy to see Symantec lead with education. That's an important message. And even though Apple still has a pretty hostile stance towards security folks, there have still been no major issues identified that would result in more than a minor annoyance.
http://www.securityfocus.com/brief/358?ref=rss
My spam thing is bigger than your spam thing
So what? - Image spam is all the rage. A few weeks ago, I ranted a bit about how reputation is a good thing to stop bad mail, but it has nothing directly to do with image spam. Then subsequently, Tumbleweed and now IronPort have made image spam-specific announcements to get into the fray. First, we all just want it to stop. Don't tell me how you do it because as a customer, I don't care. But IronPort's announcement is interesting because it's the first demonstrable proof that they are now at war with their former buddy Symantec. All over this release is how spam signatures (which is Symantec's main spam technique) suck and it's IronPort's own engine (combined with their reputation service) that is great. Of course, you can't substantiate their claims of 98% catch rate either way. That's why it was so infuriating to compete in that market (and try to maintain some semblance of ethics). You can't prove or disprove anything, so you need to constantly do a "my thing is bigger than your thing" competitive positioning. That got old real fast. But if anything, it's nice to see that nothing has changed in the spam business - and I'm glad to be out of it.
http://biz.yahoo.com/iw/061115/0184588.html
Top Blog Postings
Pissed off customers are bad for business - maybe
While I'm on the topic of anti-spam, let me point to an Andy, ITGuy rant about his Barracuda mail gateway dying and his inability to get any kind of technical support. Andy is very grumpy and justifiably so, when mail stops - that's a bad day. Suffice it to say, it's not the first time I've heard this issue, but I also wonder why he's surprised. He probably paid $3k for the box plus a bit more for the "maintenance." One of Geoffrey Moore's tenets in Crossing the Chasm is that when a product hits the tornado and then mainstreet, your main job is to fulfill. Not to worry about keeping all your customers happy. You are selling too many boxes to do that, but if you don't focus on fulfillment, someone else will sell the customer a box. Clearly Barracuda focuses on fulfillment and unfortunately, Andy learned this the hard way. Will this hurt Barracuda? Probably not because it's not like their customers do an extensive review or evaluation before selecting their box. Thankfully, Andy got his mail back up, but now he's pissed off enough to look at something else. The good news is that there are a ton of options and he should probably consider a service. Sure it's an ongoing cost, but he wouldn't have to worry about the box anymore and from what I hear, the leading email security services players actually answer the customer support line.
http://andyitguy.blogspot.com/2006/11/poor-tech-support.html
Deflating the anti-phishing hype
Thanks to the Mogull for shooting a few BBs at the IE7 vs. Firefox 2.0 anti-phishing hype balloon. Nice to hear the loud pop and the hot air being released back into the atmosphere. Rich is absolutely right in that both pretty much suck and the reality is anti-phishing is still more about consumer education than anything else. Unfortunately there is no panacea for that problem. Since I'm heads down writing for a bulk of each day, I don't have time to follow phishing sites and see what happens, but I'm glad to see someone is doing it. And given that I tend to spend some days wearing all black and sitting in a dark coffee house debating security issues, I'll give Rich a little space. Move on, use multiple toolbars if it makes you happy, but more importantly don't be a brainless automaton that just clicks links and shares personal information. That's probably the best anti-phishing defense I know of.
http://securosis.com/2006/11/14/firefox-2-vs-ie-7-anti-phishing-who-cares-use-multiple-layers/
Webroot continues to get pummeled
Webroot just can't catch a break. The vendor that everyone loves to call dead continues to get it from all sides. This time it's Ed Moyle that pig piles (using his own term), by questioning whether Webroot is an "emerging vendor" according to CRN anyway. Ed, I wouldn't put too much stock in anything that CRN writes. They cover every market space that sells through the channel (which is everything), so they are two miles wide and maybe an inch deep. Maybe. But back to the point, Webroot convinced the pretty experienced Peter Watkins to ditch Elemental (not sure what that says about Elemental, BTW) and take the reins of the company. Their biggest problem remains that they raised a lot of money (a significant portion went directly to the founders) at a high valuation. They evidently keep selling stuff and after meeting with CTO Gerhard Eschelbeck at CSI, I can say the story actually holds together. They just have done a poor job of communicating a strategy and demonstrating success. Kind of reminds me of Check Point a bit. Big customer base, well worn technology - but underlying market shifts and an industry that is looking for thought leadership from the leader - but there is none to be found.
http://www.securitycurve.com/blog/archives/000482.html
It's the physical layer stupid
First, I'm flattered that McAfee has chosen to call their corporate blog, Security Insights. Like with their Security Risk Management strategy, it seems that McAfee's product namers are on vacation. So they just copy any old thing. Secondly, what is with having each post done by "editor?" That's not the way to spur conversation. At least Symantec lets their research guys post their opinions using their own names. But this post hearkens me back to my early days as a network guy. At least 6 out of 10 times the problem was with the physical layer. Unplugged cables, shorted patch cables, faulty patch panels. I saw it all and got pretty good navigating my way around a punch down block. In the security space, we also need to pay attention to the physical layer. If only to restrict access to critical servers and devices. Having a strong perimeter is all good and well, but if someone can gain access to your server room, that's a bit of a problem, no? I'm not necessarily talking about facilities security (though that is increasingly being bunched together with infosec), but making sure that information security professionals make sure that the facilities cannot be compromised too easily.
http://siblog.mcafee.com/?p=29
Recently on the Security Incite Rants Blog
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-11-14



