The Daily Incite - September 11, 2008
September 11, 2008 - Volume 3, #76
Good Morning:
Today is a solemn day in the US. It's the day we remember the senseless
attack. The fallen innocents. The serious chaos that resulted. We also
need to celebrate the resilience of a democratic and free way of life.
The terrorists wanted to cower us, and not so much. Our financial
markets recovered in days, not weeks. Our country rallied to fight
against the common enemies. There is no purpose in whinging about still
being in the Middle East or any of the other debates smart passionate
people argue about today. That is not respectful of the memory of
those lost.

I was actually in Boston on Sept 11, 2001. I flew into Logan that
morning. By the time I got to the office, the first plane hit and they
were trying to find the second. CNN.com had crashed, so no one knew what
was going on. Then my CEO brought out his little TV and we watched until
the towers came down on a 4" screen. I finally had to take the train
home to DC 2 days later because all the flights were still grounded.
I don't think I was ever so happy to get home and hug my wife and baby
(Leah wasn't yet a year old).
As serious as 9/11 is, September 12 is truly a celebration in my house.
Tomorrow we'll wish the twins a Happy 5th Birthday. I remember both
9/11 and 9/12 of 2003 like it was yesterday. I was wrapping up a sales
rally at TruSecure and hoping to not get the "call" that the Boss was
going into labor before I finished up my last presentation for the
field. She was 37 weeks pregnant and carrying almost 14 pounds of baby.
She could have popped at any time.
But she held on until the scheduled birth on 9/12. The funny thing is
that we know another 3 or 4 kids that have 9/12 birthdays as well. We
picked that day and evidently we weren't the only ones with this idea.
We didn't want the twins to have any kind of stigma to the day they
entered the world.
My folks kept telling me that time just flies, and it really does. I
look at Lindsay and Sam and I'm just amazed. They were born one minute
apart, but they are so very different. They've got different
temperaments, personalities, opinions, and likes/dislikes. Yet, they are
best friends. We went to our niece's birthday party last weekend (Happy
Birthday Rachel!) and saw the two playing together, they were
inseparable. And it was really cute.
Happy Birthday Lindsay and Sam.
Have a great weekend.
Photo: "9/11 Reflections" originally uploaded by Sister72
Top Security News
Too busy? Nah, just addicted to the status quo
So what? -
Running my own business, I know a bit about investing time now to save
time later. Whether it's systematizing some business process,
outsourcing some busy work, or just trying to do things smarter -
sometimes you have to suck it up and invest the time now because you
won't be able to scale later. Looking at this Dark Reading article on SIEM
reminds me of those decisions. But I think many security managers are
missing the point of what a security management platform is supposed to
do. It's about control and automation. The reality is no human can wade
through the morass of data that comes out of our security devices. Add
in a bunch of other devices (like the network) and any shred of
monitoring (like NetFlow, for example) and there is just no way a human
scales. So you need tools. Saying you're too busy to do your job is a
cop-out, pure and simple. Now if it was just about time, then I can
accept that. But this is about not being able to do your job, so the
too busy excuse just doesn't hunt. But it's not just the customers that
are at fault, it's a continued indictment of the security management
market that the solutions still don't go in cleanly and with little
integration. When a customer doesn't have the time to implement a
solution that will change the way they do things (for the better), then
lots of things are screwed up.
You don't just get honey from that honeypot
So what? -
I talk pretty frequently about testing your defenses (Hack Thyself!)
and the importance of using the same tools and techniques the bad guys
are using to ensure you are protected. Interesting post here by Jimmy
Ray in the NetworkWorld Community about the importance of running your
own honeypot. Is this to
"trap" the bad guys? Nah, it's to learn. By checking out attack traffic
and spending some time analyzing how the honeypot was attacked (and
presumably compromised), you can learn what's happening out there. You
can see potential new attack vectors that will allow you to tune your
defenses. But ultimately you keep your knowledge fresh, and in a
business as dynamic as security, that's where the real honey is.
99% Guarantee - That's bold!
So what? -
I do appreciate bold marketing campaigns, and when I saw this release
from Secure Computing guaranteeing 99% effectiveness, I thought it's a
pretty bold move. Though it would have been a lot more relevant 3 years
ago. I
can't recall the last time I saw catch rate being used as a
differentiator. Doesn't everyone know that all the devices are equally
mediocre? Today one is at 98%, tomorrow 93% and the next day 100%.
That's the way spam works. It's still a serious arms race. So let's say
a customer is swayed by the thought of a 99% guarantee. How do they
know? Oh, Secure's appliance tells them what the catch rate is. I
wonder if they've hard coded an automatic 99.1% catch rate in the
reporting engine. Yes, I'm joking. It's kind of like the fox reporting
that they haven't eaten any of the chickens, even though the hen house
is empty. So let's say the box does say you only get a 97% catch rate,
what then? You get a 3 month extension on your maintenance. Right, it's
not like they are going to give you the money back on the box. Or let
you pull it out and buy something else. So, don't look behind the
curtain and appreciate this for the sound bite that it is.
The Laundry List
- Symantec claims the "fastest" security products. Does it do 100 gig? Oh, we're talking about AV. And who cares about speed? It's all about reducing the amount of overhead and resource consumption, which they mention as the 2nd bullet. I guess speed is security's attempt at "change" in 2008. - Symantec release
- CIS looks to define security metrics for all of us. I look forward to the output, since metrics is still the gaping hole in our ability to manage our security. - NetworkWorld coverage
- Deal: Someone I never heard of acquires CounterStorm, who I thought had already gone out of business. Another insider threat thing goes away. - Trusted Computer Solutions release
- ArcSight beats the number, promotes COO to CEO, and gets a 10% haircut. Maybe something to do with that decelerating growth rate. - ArcSight earnings release
Top Blog Postings
The business should be managing business information
Interesting nuance here from Shrdlu about separating business
information from identity/security information. Anyone that deals with
SOX now understands about separation of duties. You don't want any
single individual to be able to commit significant transactions. This
idea of "information separation" is similar. The example used is the
difference between the IAM system (mostly for authentication and
authorization) and a CRM system. The IAM system doesn't need a lot of
detail besides who you are and what you are supposed to get to. I get
the leverage of integrating disparate silos of data to enable new
analysis or new processes, but when we are talking about defense - it's
strictly a need to know basis. So stay focused on security, not on data
management. You should have other folks to do that for you.
http://layer8.itsecuritygeek.com/layer8/wonky-thought-for-the-day
Are you a playa?
Arthur Treacher makes a great point on Emergent Chaos about whether you
are involved in the discussion or not. Basically, pulling an analogy
from the fine economic risk management field, if you aren't privy to
the wider set of data, you can't do your job. And that's exactly the
point for security folks. If you aren't consulted during the
architecture phase, if you don't know about mergers or divestitures, if
you have no idea about a totally new Internet-based business being
launched next week - THEN YOU CAN'T DO YOUR JOB. How to fix the
situation? Well, there is no easy answer to helping you build
credibility. It's all about evangelizing the program, setting
milestones and then hitting the milestones. Yes, it's about being
Pragmatic.
http://www.emergentchaos.com/archives/2008/09/risk_managers_are_just_li.html
Preventing FOI
No, this isn't a food blog. Following up on Schneier's indictment of
security ROI, AndyITGuy coins a new metric that we need to be concerned
about. FOI - Failure of Investment. This dovetails nicely with my
general perspective that security is pretty binary. As far as your
executives care (and they have the only opinions that matter), you have
been compromised or you haven't. Of course, the easiest way to ensure a
zero FOI is to unplug all your devices from the network. And it doesn't
really help you constantly improve your operations or figure out which
investments need to be made. So we don't get off the hook of having to
deal with some of these other numbers. But at the end of the day, FAIL
is the only thing most people are worried about, so we need to make
sure we are doing enough to avoid the FAIL, but not so much that no one
can get anything done. Oh yeah, one other thing. FAIL happens. So you
better be able to recover the FAIL as well, or else you'll be dusting
off your resume.
http://andyitguy.blogspot.com/2008/09/security-roi-debate-continues.html