The Daily Incite - November 29, 2006
November 29, 2006 - #162
Good Morning:
Today let's talk about objectivity and therefore integrity. It seems that the news that Amrit and Stiennon are going back to vendor-land has kicked up a bit of dust about how objective we analystas really are. Yes, I have an opinion (here). No, I have no plans to go back to vendor-land. But read the comments in Thomas' original post that got this whole discussion going (here); it's pretty interesting reading and most of the opinions are consistent. Objectivity is about the PERSON, not the job. Integrity is all about the person.
I'm not sure how long I'm going to be doing this analyst thing (because I don't really have a "plan"), but I know it's for a while. Does that make me more objective than a G-analyst who is talking to a few vendors about leading up their strategy efforts? Maybe yes, maybe no. It depends on the person. Unfortunately for the folks that take their advice, you pretty much can't know. So what do you do? Exercise free will and make up your own mind. An opinion you get from me (or any other analyst) is another data point in your research. Ultimately you need to make the decision and you need to live with it. I don't.
OK, off soapbox. Kind of a slow news day. Looks like the US Feds are once again under the gun (here), this time for not testing their security controls enough. If that's the case, then they should be under the gun. Gartner analyst John Pescatore gives a retrospective interview on his 25 years in the business (here). But it reads more like he's getting ready for a farewell tour, like when Kareem retired and they gave him cars and other lavish gifts in each city. If he comes to Atlanta, maybe they'll give him a Lincoln Town Car, which is the official car of old people. I'm kidding, I doubt Pescatore is going anywhere.
In blog-land, Mitchell Ashley figures that appliances are going the way of the dinosaur (here). Not so much. And Dr. Anton wonders what security is really about (here). But best of all, George Ou really called a post "Worm spreads through Symantec AV hole" (here). I'm sure he's going to get a lot of page views on that. Doubt the web filter would flag that as porn.
Before I go, let me wish my Mom a Happy Birthday. Within the next month, she is retiring after 41 years as a Pharmacist. That's a long time and most pharmacy customers are pretty much assholes. They are sick and they want their drugs. It's no fun. But this starts a new chapter in her life. Enjoy the ride Ma and have fun every day. And don't deal with assholes anymore. You don't need to.
Have a great day.
Top Security News
Whole-disk encryption hits the big time
So what? - Every company (well, almost every company) has mobile employees. So that means pretty much every company has sensitive data that walks out of the building on a laptop every day. Every single day. Given many of the recent privacy breaches, a lot of folks have just opted to encrypt now, think later - and it turns out they will be right. Whether you want to encrypt all the data on the mobile device (whole-disk) using either hardware (which this article is about) or software, or use some kind of policy-driven tool that encrypts certain parts of the disk - it doesn't matter much. One caveat either way: disk encryption protects data at rest, so a laptop stolen while powered off is covered, but one lifted while it's logged in or merely asleep with the keys in memory is a different story. But at this point, those that handle private information (which is pretty much everyone) need to have some type of encryption deployed on their laptops. The good news is that this capability will quickly become part of the desktop/endpoint security suite. So don't be surprised when other Big Security players take Check Point's lead and go get themselves a whole-disk encryption capability.
http://www.esj.com/news/article.aspx?EditorialsID=2303
Feds not big on testing
So what? - It must be no fun doing information security for the US Government. Basically, the spending orgy after 9/11 is done, and there are all these wacky mandates (HSPD-12, FISMA, etc.) that you have to adhere to. Your workforce is perhaps a bit apathetic and you have folks like the US House of Representatives Committee on Government Reform trying to figure out how well you test your information security controls. I guess my first question is why is a House of Reps committee even asking that question? I guess it's my tax dollars hard at work. But the point they bring up is pretty significant. Having a security plan is a start, but it's only a start. Implementing controls makes that plan a reality. But the attack surface and vectors change. Not every day, but often enough that you need to be constantly figuring out where and how you are at risk. So unless you are testing those controls (and testing can happen in a lot of ways - vulnerability scans, configuration audits, penetration tests, tabletop exercises), how can you be sure there isn't a hole big enough to drive a truck through? Right, you can't. So plan, implement and practice/test. Then practice/test again. And maybe again.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061127/605814/
Clearswift's timing is impeccable
So what? - How do you miss anti-spam? Seriously. If you were the leader in the email content filtering space, how was it possible to just miss anti-spam and let that market go to upstarts like Brightmail and CipherTrust? You'd have to ask Clearswift. The MIMEsweeper guys were everywhere in the early 90's, when content filtering hit its mark. And surprisingly enough, they are still in a lot of places because many customers built very specific content filtering policies for their business and it would be brutal to replicate those on other devices. So now Clearswift is getting into the web filtering business, with an appliance no less. But it's not all bad. Assuming the product works (and web filtering is not brain surgery), they've still got a monster customer base to try to sell to. And folks are not happy with their incumbents, so web filtering is this year's anti-spam. We'll probably see some more consolidation. You've got services starting to make a dent, and the market is all about swap-outs. Boy, I don't miss that at all.
http://www.clearswift.com/news/item.aspx?ID=1059
The world according to Pescatore
So what? - Man, Pescatore is "experienced," which I think is a code word for old. I guess if he wasn't someone I've known for 10 years and who I think likes me, that would be kind of harsh. But it's not, because even though he's at least 10 years older than me, he's got no gray hair. So that must count for something, no? Basically, he does this interview with NetworkWorld which is kind of a career retrospective. Are they putting him out to pasture? Seems kind of strange. Kind of like writing your autobiography when you are 30. But I digress. John has been in the business for a long time and he's seen a lot of stuff - probably twice. So his perspectives on being an analyst and how security has evolved over the years are interesting and along the lines of how I think. The best quote is about how security compares now to when he started: "As the money started exploding, a lot of snake oil started to creep in. It's sort of just like any other market these days. That's been a big change. It's no longer the religion or cause that it once was. It's just another market." It's just another market.
http://www.networkworld.com/news/2006/112806-consultants-pescatore.html
Top Blog Postings
Appliances are not T-Rex
With all due respect to Mitchell Ashley, appliances are not headed for the boneyard anytime soon. Why? It's a convenient form factor for the mass market to deploy. Mitchell is talking more about networking appliances and makes the point that hardware is evolving fast enough that there is a liability to locking into a fixed-feature appliance platform. And if you need to scale to 10-20 Gbps of throughput, he may be right. You'll need to be on the front end of the processing curve (or use equipment with specialized ASICs) for mass-scaling use cases. But most of the world is not like that. So, let's talk about virtualization. Yes, large enterprises (and even some small ones) are increasingly virtualizing their data centers with products like VMware. But do I want VMware running in my perimeter? Not so sure about that. I do believe that appliances targeted at data center security applications will need to evolve to work in a virtualized environment. BUT, not necessarily on the perimeter. I may have a box that virtualizes security applications (which is what Crossbeam does), but it's still a box. And let's be clear: most "appliances" are software running on an industry-standard (read Intel) appliance platform anyway.
http://www.theconvergingnetwork.com/2006/11/why_appliances_are_dinosaurs.html
What do you think security is?
Dr. Anton asks a pretty insightful question in this post. Is security about fighting hackers or protecting information? Obviously each of you has your own opinion, and I've got one of my own. Since this is my party, I'm going to tell you mine. Security is NOT about fighting hackers. Not by a long shot. That's like saying being an FBI agent is about wire-tapping phones. Fighting hackers is a means to an end. It's one of the things we do in order to meet our core imperative - the 5 reasons to secure (you can read a teaser here). I'll be doing a much more detailed treatment of the 5 reasons in the Pragmatic CSO. Suffice it to say, protecting information is a lot closer to what security is (to me anyway), but the term "information" is a bit restrictive. Corporate assets? That's probably a bit better. But we also need to limit corporate liability (which is an intangible asset, I guess) and ensure compliance. So I think security is about the 5 reasons to secure. But that's just one man's opinion.
http://chuvakin.blogspot.com/2006/11/so-you-think-that-security-is.html
What category are you?
Ravi Char does a very interesting post that is built around a chart with the number of security breaches on one axis and security preparedness on the other. Those with a high number of breaches and low preparedness are now "aware" of the issue. Ravi's point is that it's easy to get these folks to take action because they've been nailed. Those with a high number of breaches but high preparedness are "unlucky." I have another word for them. FIRED! Sure, everyone can have bad luck, but if you have a large number of breaches then you are doing something wrong. Those with few breaches and low preparedness are "lucky." True dat. Finally, those with few breaches and high preparedness are "desirable." Let's all work hard to be desirable (and not just to our significant others). Ravi is right on the money here.
http://ravichar.blogharbor.com/blog/_archives/2006/11/27/2531513.html
Worm spreads through Symantec's hole
Like most adolescent males, my mind spends a lot of time in the gutter. Never mind the fact that I'm 25 years removed from being an adolescent. But I read this headline of a George Ou post and yep, I'll admit it - it made me laugh really hard. Basically Symantec AV listens on a network port on the PC, and the worm probes that port looking for a Symantec vulnerability that was patched back in May. So the worm only gets anywhere on machines that are six months behind on their AV product updates. Update your AV. Duh! George then gets back to his general disdain of PC AV products, but whatever. I just thought the title of the post was funny.
http://blogs.zdnet.com/Ou/?p=380
Recently on the Security Incite Rants Blog
The Righteous Path of the Analyst
As Amrit and Stiennon head back to vendor land, it got Thomas Ptacek to wonder whether being an analyst is just a training ground for a high-level marketing position at a vendor. Given that I was an analyst, then became a marketing guy, and am now back to being an analyst, you'd figure I'd have an opinion on the topic. Well, you'd figure right. Check it out.
http://securityincite.com/blog/mike-rothman/the-righteous-path-of-the-analyst
Inciting: Threat Management Panel
I'll be doing a live panel on Threat Management on Thursday. Check it out and hear me rant in real-time.
http://securityincite.com/blog/mike-rothman/inciting-threat-management-panel
Passwords are dead? Long live passwords!!!
http://securityincite.com/blog/mike-rothman/passwords-are-dead-long-live-passwords
Vendor Pet Peeves
http://securityincite.com/blog/mike-rothman/vendor-pet-peeves