The Daily Incite - October 25, 2006

Submitted by Mike Rothman on Wed, 2006-10-25 09:02.
Today's Daily Incite

October 25, 2006 - #142

Good Morning:
One of my favorite TV lines came from A-Team. You remember the A-Team, right? Basically, all hell was breaking loose and then miraculously everything works out in the end, at which point Hannibal Smith - the leader of the A-Team - would always say, "I love it when a plan comes together." I'm not going to get overly specific at this point, but I'm launching some new stuff in January and I'm spending a large portion of my time working on that now. All hell is definitely breaking loose, but it's all good because I know this plan is going to come together.

In security-land, it seems that PatchGuard has already been broken (here). Which is a shocker, NOT! Basically, backwards compatibility sentences us to remaining vulnerable to lowest-common-denominator attacks. The deal of the day is BT buying Counterpane (here); it increasingly seems there is less and less room for independent MSS players. And finally it looks like Websense has stopped the bleeding (here) relative to making their numbers in Q3. BUT, the question remains (not just for Websense, but for every other security company too): who is going to win as these functions come together?

In blog-land, there was lots of activity, so let me hit the highlights. Amrit brings up a good point about defending against the "less than zero" attacks (here) and eLamb does a bit of personality typing and psychoanalysis on security folk (here). Let me also highlight a good series of posts (here) on compensating controls which gets at the question of how many layers do you need.

Have a great day.


Top Security News

PatchGuard is 0wn3d
So what? - Thanks to Mitchell (here) and Shimel (here) for pointing me towards the big security news this AM, which is that Authentium claims to have figured out how to bypass Vista's PatchGuard by utilizing a loophole (I mean feature) meant to help Vista support older hardware. This is the fundamental truth of Microsoft's problem. As long as they are constrained by requiring backwards compatibility, the problem is NOT going to get better and we are not going to make much progress. Period. End of story. So it looks like we are in for another 7-10 years of grinning and bearing it, that is until we finally disrupt the status quo desktop-driven computing paradigm and move everything to ultra-thin clients built on a secure OS, utilizing ubiquitous bandwidth, that only access locked-down web-based applications. Someone get me that Blue Pill, I must be having those delusions about a world where we are not controlled by hackers again.
http://www.eweek.com/article2/0,1895,2036585,00.asp


Deal: BT buys Counterpane
So what? - Well, that didn't take long. After the SecureWorks/LURHQ deal and IBM/ISS, it was just a matter of time before someone took out Counterpane. Interestingly enough it was BT, since they fancy themselves to be a global telecom power like AT&T and Verizon here in the US and Deutsche Telekom in Germany. Verizon (actually MCI before the Verizon deal) had bought NetSec and AT&T rolled their own MSS offering, but it's clear that big carriers are now seeing MSS as another value-added service. I'd say that was good news for the remaining standalone players, but with the exception of DT (who also has rolled their own) - there aren't many big carriers left to take these folks out. Certainly none with a big enough US presence to make a difference or to write a big check. That leaves the systems vendors/outsourcers like HP and EDS, who will probably make a move at some point. All of these companies dabble in MSS, but in order to be serious they should be buying something. But it needs to happen soon because you don't want to be the last guy without a seat when the music stops. Also interesting was no mention of price (which means it was small) or revenues (also meaning it was small and not material). They do list Counterpane's assets as $6.8 million, but who knows what that means.
http://www.btplc.com/News/Articles/Showarticle.cfm?ArticleID=386c1b2f-0860-4afc-8f4a-26a066c12d10

Entrust and VeriSign bury the hatchet
So what? - It must be a cold day in hell if Entrust and VeriSign are collaborating on anything. I guess it goes to show what measures companies will go to when they are losing traction in an emerging market. It seems that both have realized that they are not RSA in the next generation consumer authentication space and they better act soon or most of the Financials will jump on RSA's eFraudNetwork, leaving ENTU and VRSN holding the bag. So what do they do? Propose a standard for building a collaborative fraud intelligence network that is both vendor-neutral and allows companies to download or submit new fraud patterns. The answer is a STANDARD? Is this a joke? It's not April Fool's day, is it? What they should have done is say outright that whatever fraud networks ENTU and VRSN have will interoperate TODAY, instead of submitting a standard to the IETF. In 5 years, they may get the standard - but by then RSA will have 80%+ market share. I'm all for an "open" fraud network, but it's about taking action and getting everyone that is not RSA to play ball (ENTU and VRSN are a good start, but there are lots of others trying to compete as well) and then providing an alternative, not a standards document to gather dust at the IETF.
http://biz.yahoo.com/prnews/061025/daw028.html?.v=76

Websense stops the bleeding
So what? - After missing two quarters in a row, Websense has made its Q3 numbers. Good for them. Actually pretty much everyone has made their numbers, which means either we are seeing more strength in the sector or the expectations were tamped down by the challenging Q1 and Q2 results. Either way, it's good to see security vendors selling stuff. That's good for everyone. But this brings up a more fundamental question that is bigger than Websense. Will formerly best-of-breed vendors be able to add stuff to their product line and win? If you look at Websense, they are adding leak prevention and web proxy/caching to their product line. They also have a "security suite" that adds more functionality as well. So ultimately all of these vendors are moving to the same place (broad, "integrated" security products) and we will have winners and there will also be big-time losers. But I think it's fair to say that our definition of security "best of breed" applications will change because no one is standing still and staying in their category.
http://biz.yahoo.com/prnews/061024/latu113.html?.v=60


The auditor is your friend
So what? - Well, not exactly - but certainly someone you have to learn to deal with. In this "Reality IT" column in Network Computing, a real user talks about how he deals with auditors. He's right in that the auditors want to see your policies, documentation and log files. I agree wholeheartedly in being "friendly" with the auditors. It's nothing personal folks (I guess sometimes it is), they are there to do a job and you should be as helpful as possible. There is nothing to be gained by pissing them off. In my research, I've also learned it's very helpful to walk the auditors through your security architecture (to show them that all the bases are covered or that you know certain bases aren't) and also to walk them through a real example of incident handling - to show that when something does go down, you are in control. Auditors will not scrutinize every log file if they are confident that you have a layered and tight security architecture and that you know how to react when something does happen. But that's been my experience, let me know if yours is different.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193104452

Top Blog Postings

Knowing you've been zero-day'd
Yesterday I talked mostly about "less than zero" day attacks requiring intelligence into the hacker networks to figure out what should be protected first. Amrit adds another key piece of the defense puzzle, and that's knowing when you've been had. The sooner you can catch a problem, the easier it will be to fix. He talks about the role of network behavior analysis (or anomaly detection) as one technology that can help, and he's right. By tracking your network traffic and watching for things that are out of the ordinary, you can catch when a machine has been compromised. But to be clear, NBA is another tool in the tool-set, and integrating it with remediation capabilities is absolutely critical. Knowing you have a problem is one thing, being able to fix it quickly is quite another. Over time, NBA becomes part of the intelligence in a "smart, secure" network. We are seeing this already with Cisco basically bundling their MARS event management product everywhere they can and companies like Q1 trying to do the same with Juniper and Enterasys. Stand-alone NBA players need to get remediation fast, or risk missing the boat.
http://techbuddha.wordpress.com/2006/10/25/nba-for-network-wide-visibility/

There is no "security"
The guys over at eLamb have an interesting post here that talks about the different personality types that we find in security-land. To illustrate the point, they break out the old Myers-Briggs personality test. There are 16 different personality types and it's a bit narrow to try to bucket security people into just two, but the points are valid. You have some aggressive, outgoing types (ESTJ) that are trying to catch bad guys and do so by building rules to abide by. That's what turns their crank. Then you have more reserved folks (INFP) that are focused on results and know that sometimes you need to think differently and cut corners to get the job done. I am a combination of these types - as an INTJ (which is 1% of the population) I'm always trying to find a better way to do things and give people plenty of latitude to figure it out themselves. They just better be right. My point is that you have folks from all different walks of life and perspectives that end up having to do the job. Security is not a job that is ever "done," nor can you put every permutation into a policy or manual, so regardless of your personality type, if you don't want to slit your wrists every day, you need to get comfortable with the idea of failing and understand that you never know what's going to get thrown at your head each day.
http://elamb.org/there-is-no-such-thing-as-security/

How many friggin' layers?
I talk about layered security a lot. I'm sure many readers are a bit confused as to what I mean and why it's important. Check out this series of posts from Jim C (who specializes in SCADA security) about layering controls and why it's important, because nothing is 100% effective. Part 1 is here, Part 2 is here. Part 3 goes through the math, which is something we made a big deal of at TruSecure. If you use 5 layers of compensating controls that each eliminate 80% of the risk, then your applicable risk is less than .03% (.2*.2*.2*.2*.2 = .0003). Of course, the challenge is not in the math, it's in figuring out which controls are truly compensating (or synergistic in TruSecure lingo). But you don't need to take my word for it, just do the math and think logically. Layers work.
http://dcssec.blogspot.com/2006/10/layering-controls-100-compliance-3.html
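To make the layering math concrete, here is an added example (my own code, not from Jim C's posts or TruSecure): it multiplies out the residual risk of independent layers, shows how a shared blind spot that every layer misses (an assumed model, e.g. all layers depending on the same signature feed) caps how much layering can help, and answers "how many layers?" for a target residual risk.

```python
def residual_independent(effectivenesses):
    """Residual risk when every layer misses attacks independently.

    effectivenesses: fraction of attacks each layer stops (0.8 means 80%).
    Returns the fraction of attacks that slip through all layers.
    """
    residual = 1.0
    for e in effectivenesses:
        if not 0.0 <= e <= 1.0:
            raise ValueError("effectiveness must be in [0, 1]")
        residual *= 1.0 - e
    return residual


def residual_with_shared_gap(effectivenesses, shared_gap):
    """Residual risk when the layers share a common blind spot.

    shared_gap (assumed model) is the fraction of attacks that *every*
    layer misses. Each layer's overall miss rate (1 - e) is split into
    that shared part plus an independent part over the remaining attacks,
    so the layers only multiply outside the blind spot. With a gap of 0
    this reduces to residual_independent; with a gap equal to the miss
    rate the layers are fully redundant and add nothing.
    """
    if not 0.0 <= shared_gap < 1.0:
        raise ValueError("shared_gap must be in [0, 1)")
    residual = 1.0
    for e in effectivenesses:
        miss = 1.0 - e
        if miss < shared_gap - 1e-12:
            raise ValueError("a layer cannot miss less than the shared gap")
        residual *= max(0.0, miss - shared_gap) / (1.0 - shared_gap)
    return shared_gap + (1.0 - shared_gap) * residual


def layers_needed(effectiveness, target_residual):
    """Smallest number of independent layers, each stopping `effectiveness`
    of attacks, that brings residual risk to or below target_residual."""
    if not 0.0 < effectiveness <= 1.0 or not 0.0 < target_residual < 1.0:
        raise ValueError("arguments out of range")
    layers, residual = 0, 1.0
    while residual > target_residual:
        residual *= 1.0 - effectiveness
        layers += 1
    return layers


if __name__ == "__main__":
    five = [0.8] * 5  # the post's example: five layers at 80% each
    print(f"5 independent 80% layers: {residual_independent(five):.5f}")
    for gap in (0.0, 0.05, 0.2):
        print(f"  shared gap {gap:.2f}: {residual_with_shared_gap(five, gap):.5f}")
    print("layers for <= 0.1% residual:", layers_needed(0.8, 0.001))
```

The shared-gap figures show why "which controls are truly compensating" matters more than the count: a 5% blind spot common to all five layers leaves roughly 5% residual risk no matter how many such layers you stack.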

Who needs a time stamp?
I respect entrepreneurs that can go after an idea for many years with little discernible success and keep at it. But at some point you need to call it a day or try to find a partner that can use your technology to add value to their own platform. Stiennon highlights Surety in his latest podcast, which is a company that provides a validated time stamp for documents, etc. You can clearly see the need for a legitimate time stamp on evidence, logs, etc. to ensure they both haven't been tampered with and are from when they say they are from. I guess I wonder why this market has gone nowhere for years. I first met Tom Klaff back when I lived in VA in 2003 and he'd been at it for a couple of years at that point. I also briefly worked with their engineering guy at TruSecure, so I'm pretty familiar with what they are trying to do. I'm not saying that there is no market for what Surety is doing, it just seems like a feature of a content management system.
http://blogs.zdnet.com/threatchaos/?p=427

Recently on the Security Incite Rants Blog

Less than zero requires intelligence
Shimel coined a very catchy term, "less than zero," that encompasses an exploit unknown to the good guys and ultimately requires different tactics to defend against it. These are not attacks that can be stopped by a technical widget or some other doodad. It's about security intelligence: because of the infinite attack surface, we need to figure out where the bad guys are spending their time. The only way to do that is by penetrating their hacker networks and figuring it out. You know, good old-fashioned detective work. I also work a Running Man analogy in here, so don't miss it - just click it!
http://securityincite.com/blog/mike-rothman/less-than-zero-requires-intelligence

What you can learn from Patton
My friend Scott Santucci has an interesting post about General Patton and some of his accomplishments. He works that around to making a point about why sales and marketing in tech-land is so difficult today: we are focusing on differentiation where there really is none and training sales folks about arcane technology when things are moving way too fast. So what's the answer? Scott lays it out here (and practices it for big technology companies every day), but in a nutshell it's about initiating a conversation based on the customer's business problem, not the cool features of your technology.
http://securityincite.com/blog/mike-rothman/what-you-can-learn-from-patton
