The Daily Incite - October 4, 2006
October 4, 2006 - #129
Good Morning:
Let's be happy today. I was pretty ornery yesterday, getting into it with NetworkWorld and then raining venom on the Toorcon jokesters (here). But today is a new day and let me highlight some happiness. Yesterday was "Deal Wednesday," so the shareholders of Citadel must be happy (here). OK, maybe happy isn't the right word, but they got an exit thanks to McAfee. Of course, it was a fire sale. But in my experience it's better to have a fire sale than to pick through the ashes after the fire has run its course.
There were lots of other partnerships announced as well, including Cyber-Ark and Courion in the identity management space (here). Two encryption deals made the cut as well, with Reconnex and PostX getting together (here) and Tumbleweed and iPRESIDIUM doing a deal as well (here). Lots of deals, so it seems people are starting to get the picture about "Big is the new small." If you aren't big, you better act big, and having active business development to add both product and distribution value is a critical success factor in the security business nowadays.
In blog-land, let me point out a little lesson on search marketing (here). It's hard to delve into a topic in which billion dollar businesses are built in one hundred words, but if you aren't the big dog in a market - it's usually in your best interest to buy the keywords of those that are. What's the worst that can happen? You get invited to the dance. Stiennon's piece kind of questions the market presence and power of Google, but that's too heavy for me. Google is here and I try to figure out how to best leverage that for me. Why ask why? If you aren't thinking about #1, I assure you no one else is either.
Have a great day.
Top Security News
Deal: McAfee buys Citadel - embraces remediation
So what? - The days of only reporting on stuff are coming to an end. Well, for those products that only do reporting anyway. We've seen folks like ArcSight get into the remediation game (via acquiring ENIRA) and now McAfee figures having a top flight vuln scanner isn't enough - so they buy Citadel for a song and a dance to gain their remediation technology. I think this is a good move because it continues to round out McAfee's offering. It also finally puts targets on the heads of the other configuration management/patching vendors (ConfigureSoft, PatchLink, Shavlik, et al). Vulnerability management needs to include remediation. So IBM/ISS could use some of this stuff (and it plays well with Tivoli). Yes, Symantec will also need to have this to complement the BindView stuff picked up last year. Everyone needs remediation because we security folk get paid to fix things - not just report on them.
http://www.mcafee.com/us/about/press/corporate/2006/20061003_000000_e.html
Script kiddies strike again
So what? - It's all about productivity nowadays, no? You can read about how Mike Murray manages his day here. And script kiddies are no exception. They want to be more productive because they certainly don't want hacking to cut into their XBox or MySpace time. Of course, that type of generalization reinforces the old concept of a hacker. Now it's probably some set of dudes in Eastern Europe or China using hacking "toolkits" to set up phishing sites, compromise data, own machines to be used in botnets, etc. The increasing prevalence of these kits makes perfect sense, given the fact that it's usually the arms makers and dealers that make the money during a war. You have a set of easy to use tools for unsophisticated bad guys to use and the folks that make the tools clean up. I'd say that's the American way, but I'm not sure how much happens in America anymore. It won't be too long before you have hacker networks franchising. Now that would be interesting...
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193101628
Provisioning extends to the machines
So what? - In kind of a Terminator-ish turn of events, I guess machines are people too. Well, not really people but close enough since they have credentials and privileged accounts that need to be protected. This partnership between Cyber-Ark and Courion is pretty interesting in that it's clear that neither "privileged user management" nor provisioning stands alone over time, but there is clearly leverage in these folks working together in the short term. Courion needs to continue finding areas to differentiate from their mega-competitors. You know, small companies like IBM, CA, and Oracle. And Cyber-Ark needs to continue finding additional paths to market given their stuff is a logical extension to the user provisioning infrastructure.
http://biz.yahoo.com/bw/061003/20061003005688.html?.v=1
Plugging leaks (in email anyway)
So what? - When I was in the email security space, it was clear that checking outbound mail (for compliance and intellectual property leaks) was a similarly sized opportunity to blocking the bad stuff coming in. My former shop did deals with all of the encryption vendors and the positioning was pretty straight-forward. The email security gateway was the brains of the operation, deciding what needed to be encrypted when and how, and the encryption engines were just there to get it done. That inevitably is changing as many of the encryption vendors have invested in their own policy engines to control more of the problem space. But the encryption players are just fine being dragged along into deals as well. The deal between Reconnex and PostX is the first example of a leak prevention/encryption alliance and I think there will be others. The leak prevention guys get the ability to actually do something besides flag and/or block policy offenses and also get to go after the outbound email budget. The encryption vendors continue to diversify their channels. I do take a bit of an issue in calling this the first "content-aware" email encryption appliance, given that Proofpoint and Voltage have been shipping a one-box solution for a while. But that's just marketing folks...
http://www.reconnex.net/news/articles/pr_10.03.06.asp
Outbound content protection extends to the inside
So what? - In the second content filtering and remediation partnership announced yesterday, Tumbleweed and iPRESIDIUM are collaborating to start to apply some scrutiny to internal mail as well. One of the architectural challenges of trying to enforce email policies on the gateway is that you only see the outbound mail. That's fine when all you are worried about is compliance and IP leakage, but if you are regulated or need to maintain a better feel for what is going on internally, it was a challenge because routing all mail through the gateway is not the answer. Evidently iPRESIDIUM has a mail server plug-in that applies policy to all the mail going through the server (who can send what to whom based on content) and can redirect messages to Tumbleweed for remediation (either storing it on a staging server, restricting access or encrypting it). On a related note, Tumbleweed also has brought on encryption legend Taher Elgamal (yes, the guy that invented SSL at Netscape) as chief product guy (here).
http://www.tumbleweed.com/news/press_releases/2006/2006-10-03.html
Top Blog Postings
Encryption is not a panacea
Since we are on the topic of encryption, let me highlight a post from Jeff Hayes last week on how much encryption is really needed. I agree with him that a blanket, "encrypt everything" policy doesn't make sense. You need to look at your information assets, figure out what is most important to be kept private and act accordingly. This will also vary by size of company. Clearly a large enterprise can build an encryption "utility" that will allow them to more flexibly provision applications and data stores to be secure, but they can afford to do that. SMBs will act more tactically and encrypt only what needs to be secured. These are two different methods to end up in the same place - a portion of highly sensitive data will be encrypted.
http://mycsosolutions.net/2006/09/28/encryption-as-a-knee-jerk-reaction-2/
Hot or Not? - I'll believe it when I see it
Ed Moyle points out that SC Magazine is rolling out a new feature called "Hot or Not" in their book to maybe deflate some of the hype around the security business. Isn't SC Mag one of the perpetrators of the hype machine? Of course they are. So have they found religion? That remains to be seen, but I do believe there is an opportunity for someone to deflate the hype around our business and add some levity and value-add perspective. Oh yeah, THAT'S WHAT I DO. SC's first Hot is laptop theft, which of course is a problem. As Ed points out, we'll see when it comes time to examine some "not" categories and see what happens then. Even folks in the "not" bucket have ad dollars too.
http://www.securitycurve.com/blog/archives/000456.html
A scanner in every household
Back in the early days of the PC revolution, you may remember that Microsoft's motto was "a PC in every home and office," or something like that. I wonder if we aren't seeing a similar dream from Ron Gula in this post. Ron runs Tenable (which provides Nessus and other vulnerability management products) and usually focuses his blog on how to make Nessus run better. Of course, this post is still Nessus specific, but I'm mentioning it because it's more applicable from an architecture perspective on how to scale vulnerability scanning with multiple scanners to enterprise proportions. The post also does a good job of pointing out some caveats of using more scanners that can increase scan time (like running them on VMware images). Yes, it's in Ron's best interest to sell more scanners (or give them away and sell the management and reporting), but this provides some context for why that actually makes sense.
http://blog.tenablesecurity.com/2006/10/distributed_vul.html
Buying a competitor - one customer at a time
One of my favorite quotes comes from Michael Dell. He was consistently asked in the wake of the HP/Compaq merger why Dell hadn't done large acquisitions. His answer was something like "we acquire our competitors one customer at a time." It's a really great perspective. I'm reminded of that when Stiennon wonders why some companies buy AdWords about their competition. That's an easy one, but I've also spent enough time as a marketing guy to learn a thing or two. When someone searches Google for a certain company, they are looking for something. Odds are they aren't tire kickers or else they'd be looking for more generic keywords (like NAC or firewall, as opposed to Check Point or Juniper). If I don't have the brand presence (and marketing budget) of a big guy (so the prospect isn't going to look directly for me), I can piggy-back on their branding efforts by showing up on that search. The customer will look at more than one solution, so maybe then I get onto the list of vendors to be considered alongside the big dog. It's cheap, it's easy and as Richard points out, it's legal. Richard also wonders about Google's place as the middle man in all of this search advertising, but that's too heavy a topic to deal with this AM.
http://blogs.zdnet.com/threatchaos/?p=412
Recently on the Security Incite Rants Blog
A case of fictional disclosure
So the Firefox 0-day exploit was really a joke. Gosh, I'm rolling on the floor. Where can I get tickets to their next show? In this post, I lay out the case for why the two perpetrators need to be drawn and quartered. Disclosure is a very sensitive topic now, so if we are questioning even whether many of the exploits discussed at well-known hacker parties even exist, that is bad for everyone. But I do encourage critical thinking (unlike some other former media customers of mine), so check out Ivan Arce's comment in this post too. He thinks I'm being too harsh and that sending these guys out of an airlock as a deterrent won't accomplish anything. Maybe he's right, but hearing the woosh of the airlock always makes me feel better. Some other folks side with me on this one - like Jerri Ledford (here) and Ed Bott (here).
http://securityincite.com/blog/mike-rothman/a-case-of-fictional-disclosure
NetworkWorld bids me adieu
Yesterday was the last day of my illustrious 6 months as a NetworkWorld columnist. Evidently it's OK to have an opinion, as long as it's not critical of them. After getting all worked up about my slamming of their recent Enterprise All-Stars feature, they decided they no longer needed my services. Which, candidly, is fine by me. But this kind of activity really underscores how fundamentally the tech media business is changing. Web 2.0 is going to make some of the existing tech media into Dinosaur 2.0, and I think a lot of that will have to do with how well these folks embrace user-generated content - some of which is going to be highly critical of their work.
http://securityincite.com/blog/mike-rothman/networkworld-bids-me-adieu
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-10-03

