The Daily Incite - November 3, 2006
November 3, 2006 - #149
Good Morning:
Today I'm inspired. People overcome great hardships every day, and a lot of other people decide they are going to throw in the towel and accept the path they are on. Ultimately, those kinds of decisions are very personal, but I greatly admire those that can face the reality of their situation, make a decision that they are going to overcome it, and fight like hell every day to make that a reality. Yes, Josh Blue was really funny last night. But seeing him in person gave me a much better appreciation of what he has done and the challenges he deals with every day. It also reminds me how lucky I am.
Let's talk about moving pieces. The wonderful thing about consolidation and partnerships is that it makes for a constantly evolving map. I loved playing Stratego when I was a kid and also Risk. Sure, part of it was world domination, but it also highlighted the importance of strategy and covering your flanks. So Red Hat is under siege. First Oracle introduces a competitive offering for 50% of the price, and now Microsoft/Novell buddy up (here) to offer patent protection for those using Novell's flavor of Linux. And Oracle buys Stellent, which is in the content management space, but now makes Oracle vs. EMC and IBM a much deeper battle. But this is a lot of the constant noise we hear in the industry every single day.
But, what's a customer to do? You need a strategy (here), you need to overcome your challenges, and you need to fight like hell every day to make that strategy into a reality. There will always be a lot of moving pieces, so stay focused on the prize. And the prize is defined in your security strategy document. In blog-land, I need to break up the little fight between Shimel and Ross Brown (here) and make the point that security research does not equal elitism. Finally, Ed Moyle points out the super-heated air coming out of the AV vendors (here) about a college professor's curriculum. Again, maybe they should focus more on figuring out how to work with PatchGuard and less on stupid stuff that has no bearing on their business.
Have a great day.
Top Security News
Microsoft does Novell (again!)
So what? - I got deja vu yesterday when I read about the Microsoft/Novell Linux deal. Not about the time that Microsoft buried Novell in the LAN game, but rather when Microsoft made the investment in Apple and committed to continue providing Office on the Mac for years. It was kind of a rescue pack that gave Apple enough breathing room to figure out the iPod and become cool again. Will Novell become cool again? Probably not, and the pundits are right - this is about Oracle and Red Hat. But I don't care about that. Let's talk security. Microsoft's security products ONLY support Windows platforms. They've just acknowledged a multi-platform world, but they sell single platform security solutions. I understand the consumer market is different, and they are fine there. And many would argue that Microsoft would never be credible in the enterprise security space anyway, but until they can support more than just Windows (maybe SuSE Linux is next for Forefront) - that is sure to be the case.
http://news.yahoo.com/s/nm/20061103/tc_nm/microsoft_novell_ballmer_dc_3
No Strategy, No Execution
So what? - I shouldn't be surprised, because I know that many IT professionals just meander from place to place during their day, not knowing whether they are coming or going. But sometimes you see a very effective piece that puts it all into context. Read this CSO article about strategic planning. Why? Although the 5 steps are a bit high level, enough meat is there to remind you why you need to take a step back every quarter or so and make sure you are accomplishing what's good for the business, for your team, and for you. Of course, much of our day is going to be consumed with tactical break/fix stuff; that goes with the territory. BUT, if you don't know where you are supposed to be going, you certainly never know when you get there. Risk centricity, measurable goals, appropriate time frames - this is good stuff.
http://www.csoonline.com/read/070105/fivesteps.html
Encryption is a multi-faceted thing
So what? - When people say encryption, 9 out of 10 times everyone's eyes glaze over. Of course it's important, but it's just not very exciting. And for mere mortals, it's confusing. And I'm not even talking about how the algorithms work, it's about how to deploy the technology. I keep hearing from everyone and even see bloggers talk about how you need to "just do encryption" (here), but encryption is everywhere, and nowhere. Maybe it's there. Do you know? Do you care? I think that's the point: beyond this article - which provides a decent overview of the different aspects of the "encryption" market - encryption still means too many things to too many people. So we need to start seeing some subsets of the "encryption" business, and it needs to continue to be more transparent. SSL is everywhere because the users don't know it's there. Users (and consumers) don't want smart cards, they don't care about certificates - they just want to be secure. Encryption is a key (no pun intended) part of that, but the users don't want to know about it.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193402715
Building a "security aware" culture
So what? - This tip on SearchSecurity is about how to tactically get a security awareness training done. There are lots of decisions to make (target, format, etc.) and this piece does a nice job of laying those out. So if someone drops an awareness training project in your lap, then this is probably 80% of what you need to get started. But this article really misses the point of security awareness, and that's to have it built into the culture. You can certainly outsource the training aspect, but you can't outsource the culture. To me, security awareness is not a one-time thing. It's not some box you check on your auditor's list. It's something that senior executives need to drive to the masses. From the first day a new employee steps in, to the day they leave - it needs to be clear that the organization takes security seriously. Am I dreaming? Probably. But I assure you that your organization goes to great lengths to keep your systems up and protect your intellectual property and brand, no? Security is intrinsic to those efforts. But I'm probably preaching to the choir on this one.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1220543,00.html
Seltzer gets PatchGuard right
So what? - I think we've all been dancing around the PatchGuard debate for a while, but Larry Seltzer finally nails it. Coming to the conversation two weeks later usually helps, but his assessment and conclusions are right on the money. PatchGuard breaks the existing security industry business model by impacting how 3rd parties provide value. I've said numerous times that's what this is all about, but Larry says it better. I also know of HIPS players that tell me they can work with PatchGuard. See? Innovation at work. Maybe they were lucky. Maybe they were good in that their architecture didn't rely on the type of kernel integration that PatchGuard stops. In any case, the health of the 3rd party vendors is now strictly dependent on innovation (not milking an old cash cow), and that's the way it should be.
http://www.eweek.com/article2/0,1895,2049960,00.asp
Top Blog Postings
Encryption...Just do what??
So Rebecca Herold is a big fan of encryption. So am I. This piece is really about encrypting data on a mobile device and her disappointment that more people don't take that threat seriously. Get over it. We'll get there, but it takes time since it requires a behavioral change. I'm still not sure why I need to encrypt my Blackberry if it's password protected (given my content will be destroyed if someone tries to brute force attack it), but I'm a bit slow on the uptake. But let me bring the conversation up a bit. Encryption is a lot of things, and just wholesale advocating encryption everywhere is ill advised. Rebecca is just trying to get some mileage out of her title, but still - it's misleading. Though her point is solid: we've got personal and private data on those PDAs, so they warrant being part of the data protection architecture. But I'm not sure encryption is the answer to solving that problem.
http://www.realtime-itcompliance.com/privacy_and_compliance/2006/11/encryptionjust_do_it.htm
Security will be embedded
Every time Chris Hoff writes something, I wonder if he's back. It's been months since he's consistently been involved in the conversation, and I've missed his participation. This piece though strikes me as a bit defensive and backwards looking. I guess Chris just had the epiphany that Cisco's "Self-Defending Network" is a marketecture. Of course it is. And yes, it's in Cisco's best interest to have security everywhere, OVER TIME. I understand that your business is to sell "virtualized best of breed security as a service layer" stuff, but to think that the trend is not towards having security capabilities embedded within the fabric of the network suffers from a bit of tunnel vision. Maybe you don't like Cisco's plan to get customers there, but they will get there. To be clear, I'm not talking about right now; this is a path that we'll follow for the next 5-7 years. But at that time, it'll be about how to most effectively MANAGE the embedded capabilities. So your "virtualized service layer" morphs into a management layer. I suspect you already know that, but it's more fun to bang up Cisco and talk about arm bars.
http://rationalsecurity.typepad.com/blog/2006/11/defending_the_s.html
Break it up, jokers
When a fight breaks out between two of my friends, I usually have to step in. Not right away, mind you - I like to see a few hay-makers thrown probably more than the rest, but at the point where there is no use in letting it continue. So Alan and Ross, go to your respective corners and let it go. Shimel likes to stir the pot, and Ross doesn't like to be stirred. Shimel fancies himself the NY street smart tough that works on behalf of the "everyman." Thus, it's convenient to paint a research-driven company like Ross's as "elitist." That's bullshit, plain and simple. Any company that just makes products for the "forefront of security research" won't be in business long. Neither of you takes that approach. And get past the network vs. host battle. The perimeter is contracting and multiplying, not going away. Security needs to be both in the network and on the host. But let's talk about research, because that's what this is really about. My position is clear: research makes security products better. It also happens to be good marketing, and it has nothing to do with talking down to the customers. Fact is, customers don't want to worry about what's bad and lurking out there, certainly not the everyman. Some customers are interested in attacks and alerts, others aren't. They all want someone smart to watch their back. That's why a research-driven marketing program is so powerful in today's security world. I'm not saying that you need to do research and issue press releases to be successful, but you do need to keep your products up to date with the latest threats - whether you sell to the common man or not.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/11/security_for_th.html
Boy it's hot in here
As Ed Moyle points out, it's from the hot air coming out of the AV vendors. They are all in a tizzy again about the Calgary professor that actually teaches his students how to hack, so they can know how to better protect themselves. Don't all those "extreme hacking" courses teach the same thing? How else are you going to learn how to defend stuff if you don't understand how it works? And the AV vendors won't hire folks that come out of that program? That's a shame, but a stupid position. The good news is that there are probably 800 other vendors that would like to have that expertise, and about 1,000,000 user organizations. So kids studying computer security now aren't going to have a hard time getting jobs. But the AV vendors certainly seem to be practicing a bit of obscurity themselves.
http://www.securitycurve.com/blog/archives/000475.html
Recently on the Security Incite Rants Blog
Obscurity, redux squared
I couldn't help it, I had to clarify some of my comments on obscurity when Chandler Howell called me out. Basically, I'm not a fan of absolutes. As much as I like to be black and white, that's not the way the world works. So I put together a few questions that I think indicate whether obscuring information about exploits and defenses could work. Note I said COULD, not would and not should. And no, today is not Dr. Seuss day. But hopefully this clarifies my position on obscurity a bit, at a minimum.
http://securityincite.com/blog/mike-rothman/obscurity-redux-squared