The Daily Incite - 6/15/09 - RIP DDL

Submitted by Mike Rothman on Mon, 2009-06-15 09:08.
Today's Daily Incite

June 15, 2009 - Volume 4, #28

Good Morning:
I have to admit that when I read earlier this month that Dom DeLuise had passed away, I was a bit saddened. Of course, I didn't know him - but I certainly remember the laughter he brought to me during my childhood years. You had to love him in Cannonball Run and the Mel Brooks classics Blazing Saddles and History of the World: Part 1. He always seemed like he had a love of life. Maybe that was his persona, but I chose to believe it back then.
Wonder if he got that on
I also remember his role in the movie Fatso. That one was hard for me to watch back in 1980 because well, um, I was fat. When he went through the binge scene and his inability to get a handle on it, I understood. All too well.

Of course, the movie has a happy ending and Dom's character gets the girl and realizes that it's all about love and that his love for someone else can fill the place of his love of food. Most of the time characters in movies aren't like you. As much as I like to think I'm just like Indiana Jones or Captain Kirk or Tyler Durden, I'm not. 

But I was the Fatso character, and seeing that movie gave me hope. Until I cracked open that bag of semi-sweet chocolate morsels anyway. 

I've been working to address those lifelong demons for the past few years. I'm happy to say I'm making progress. It's a battle every single day, but as I realize what's important and what makes me happy and try my best to do that every day - I find the need to mow through a pizza or bag of chips minimizes.

It's also why I totally got into the Biggest Loser show on TV this past season. The Boss and I used to watch the last few episodes of each season, but this year we saw every single one (thanks to the wonders of DVR). It was amazing to see the transformation of the contestants. Not just on the outside (which was unbelievable), but also on the inside. These are different folks after 6 months. You can only hope they've addressed their demons and can sustain the change.

Maybe it's wrong, but we also let the kids watch the show. Genetically, it's pretty likely they'll all have to be careful with their nutrition. But we've decided the messages shown prominently on the show about eating (you have to eat enough, but the right stuff - starving doesn't get it done) and exercise (you have to do it, and a lot of it) are important for them to learn at as early an age as possible. Obviously you don't want to go overboard and make them crazy, but you also can't expect them to get good habits by hoping.

So with that, have a great day. And I can only hope Dom D is enjoying his 20 course meal in the great cafe in the sky...

Photo: "Dom DeLuise's Stationary" originally uploaded by activitystory

The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"


Incite 4 U

It's actually been kind of hard to choose what to highlight in the now "weekly" Incite. So I go to some old favorites and some of the guys that actually do some thinking in this business. Certainly not vendor hacks like me. Enjoy.
  1. Understanding the "Phases of Compromise" - Bejtlich is at it again. Pushing us all forward with a series on how to not just understand, but communicate the specifics around incidents. Since he works for BFC (big freakin' company) now, communicating severity of incidents up the food chain is critical. So Richard first discusses a rating system, then rethinks this as it's more of a "classification" concept, and finally distills this into a discussion of the phases of compromise. We can noodle over the specifics of one classification vs. another, but in reality whatever tags you use are fine. Just use them and communicate what they mean, and be consistent. And feel lucky that a guy like Richard continues to share his perspectives for a great price.
  2. Strategic customer is a two way street - I'm fascinated by the continued attempts of folks to want to feel special. This NetworkWorld article discusses whether it makes sense to look for a "strategic" security provider or focus on best-in-breed offerings? First of all, I don't know what best-in-breed means. But there's a bigger issue. Unless you work for BFC (big freakin' company) and you have a pipe to the vendor's CEO, you are not a STRATEGIC customer for the vendor. Thus, you shouldn't consider the vendor a strategic partner of yours. Sure, you can look to simplify your environment by using products from a select few vendors. But don't delude yourself about how "strategic" you are to the vendor. For the most part, they care about the next PO you generate, not much more. (Salesman nasty grams can be directed to
  3. Fight battles you can win - This post from Gunnar vents a bit about secure coding defeatism, and he's right but more than a little idealistic. We have to continue fighting to get developers to do the right stuff or life will NEVER get better. That being said, you are not going to get everyone on board in one fell swoop. Even if you have a senior mandate (unless you are MSFT). So look for "poster children," those developers that get it and want to do the right thing and are willing to stand up and say so. Make them successful, highlight their successes as an example (quick win) to the other developers. And be realistic about how long it will take to change. Inertia is a really hard thing to combat...
  4. Letting the "market" give PCI some teeth - Le Mogull vents a bit here about making PCI better. I agree that PCI has been a good thing all things considered, but as we've all discussed, there needs to be real teeth and real accountability for these jokers that do QSA assessments. Of Rich's ideas, the one requiring merchants to publicly disclose when they change assessors is the most interesting. Clearly doing QSA assessments is a competitive business and that means unsavory folks will say what the merchant wants them to say and say it for a low price. If you hold them accountable for such shenanigans, then we have a fighting chance of making PCI better. And that involves pulling back the cloak of secrecy on failed assessments and changing assessors.

Last week's Tweets of Note

I'm still trying to figure out how to most effectively do this Twitter thang, but thus far it's been a mix of conversation, banter and some interesting links. I suspect most of you are not interested in the banter or conversation, so I'll just highlight the links I thought were interesting. Please note the links are shortened and if you click on them, it's on you. But that's the way Twitter rolls.

  • Today's Dilbert nails it (AGAIN). @arj this is the hamster wheel of CEO wealth.
  • Must check this out from Daily Show. Especially if you have g-parents in FLA. Watch the whole thing.
  • Palo Alto to offer traffic shaping. Awesome, that worked pretty well for Check Point 10 years ago.
  • For anyone in a VC funded co: (via @avc)
  • confidential snooping on the rise, says Cyber-Ark. The answer: more cyber-ark product - OF COURSE.
  • Awesome post by the Mogull. Very pragmatic. "All patients die...eventually." No one outruns the GriM reaper.
  • Freeware AV taking share, but not because of price? Yeah right.
  • While everyone focuses on iPhone 3GS, I'm most excited about Snow Leopard. Finally will kill Entourage. All for $29.
  • Great video for all those dim marketers you deal with daily, including me.  (via @crankypm)
  • This is why location scares the crap out of me. No out of office messages. And I don't tell you where I am.
  • This is one school superintendent you shouldn't mess with. Wonder if he used a @Beaker or @jeremiahg armbar?
  • MFE trying to get back in the net security game. Just say "next generation" and "lower ops costs." That's the ticket.
  • Interesting backstory on Symantec/Brightmail. Enrique talks about planning the IPO, while working a Big Yellow Check.
  • Steve Riley on proof of work systems to change spam economics. Until stupid people stop buying fr spam, nothing changes.
  • Sec Spnd survey (MetroSITE Group March 2009). most see sec budgets coming down. Compliance main driver. Shocker! (pdf)
  • Oh nos, now it's MSFT free AV going to take down SYMC and MFE. Again. Guess it must be a slow news week.
  • June issue of InfoSec Mag posted. Lead story on SIMs. - Anyone else miss the hardcopy version? PDF just not the same...
  • RSA's new term: hyperextended enterprise. Sounds really painful. Results from @beaker armbar -
  • Move to DC: cost $$. Leave fancy job: $$$ Take cyber-security czar job: Not enough $$$ in world. @DennisF speculates.
  • Pr0n sites targeted by malware. Crap. Guess it's time for Mac AV.
  • Long lost Rob Newby on crack. Encryption no closer now than before. #toodamnhardnotworthmoney

Into Twitter Hell

Submitted by Mike Rothman on Tue, 2009-06-09 10:02.

As I mentioned yesterday, I've taken the plunge and decided to start Tweeting (@securityincite). Whatever that means. Basically there were a number of things that contributed to me being "late to the party," as a number of security twits (yes, that's what they liked to be called) reminded me.

First, I'm always late. For those that associate with me personally, there is "Rothman time," which is usually 10-15 minutes behind everyone else. I've been working on that, but it's a struggle. And the Boss is worse. "Boss time" is usually 15 minutes behind me.

Second, I was scarred as a young boy when my Mom dropped me off at a birthday party 2 hours early. She had to work - the nerve of her. It was a surprise party, so not only wasn't the birthday boy there, no one was there. I had to hang out with the kid's Mom for 2 hours. It was gruesome and painful and to this day, I'll drive around the block 50 times rather than show up 5 minutes early.

Third, I was never an early adopter. My house was the last house to get cable TV in the early 80s. By the time I got Atari, my friends all had Intellivision. Right, I got the Commodore 64 after everyone had an Apple IIc. We didn't have a lot of money, so I didn't get all the cool toys, and I realized it's not so bad - given 95% of shiny objects end up in the trash bin within a week. And with today's multi-tasking, ADD-ridden, texting, Ritalin-taking kids, it's getting even worse.

So I don't have a Wii. And my oldest just got a DS. Bah humbug. I tell them to go read books or play in traffic. I didn't have no stinkin' DS. Or even the ticker on CNN to keep my attention for hours at a time.

Practically (dare I say Pragmatically), it's very hard for me to do full Daily Incite's more than once per week. So I'm figuring when I see interesting articles, then I can tweet about them and keep my analysis/commentary to 140 characters. I know many of you will appreciate that.

140 characters is good for me. That's kind of scary. Not much real estate. My first boss in research, a wild man named Joaquin Gonzalez , would thump me like a drum when I went into "flowery prose" mode. The worst insult he had for someone (OK, maybe not the worst, but close) was to say they wrote like a consultant. He told me good writing is dry, "dry like a martini." Why say it in 5000 words, when you can say it in 1000? Now I need to make the point in 140 characters. That is a good exercise for the verbose.

For those of you still resistant to Twitter, congrats. You are a later adopter than me, and that is pretty impressive. I'll highlight my Tweets in at least one post per week, so you'll know what I'm thinking - though not in real time.

So I'll see many of you in the Twittersphere, which is as stupid a word as blogosphere. You can find me at or @securityincite for you twits out there.

Calling myself a twit. I'm sure my Mom is tickled. Probably as tickled as me telling the surprise birthday party story (for the zillionth time).

Photo credit: "Twitter is down (the street.)" Originally uploaded by monstro.

The Daily Incite - 6/8/09 - Truth or Dare

Submitted by Mike Rothman on Mon, 2009-06-08 16:08.
Today's Daily Incite

June 8, 2009 - Volume 4, #27

Good Day, y'all:
The Boss was having a GNO (girl's night out) yesterday, so being the lazy slug that I am - I decided to take the kids out for dinner. That went fine, especially since I didn't force the boy to eat anything besides french fries. Some (I mean most) days it's just easier to give in than to dig in and cause many tears and heartbreak for those unlucky enough to sit by us. I'm waiting for social services to drop by any day now, especially when I force the kid to eat chicken nuggets or a different brand of cheese stick (he's partial to the Shrek cheese sticks).
Nothing good can come from this game....
Seriously. But this kid has the constitution of Gandhi, so I have no doubt he'd go on a hunger strike if we don't make the 20 minute drive to the one Super Wal-Mart in the metro Atlanta area that actually carries those damn cheese sticks. I'm all for the hunger strike because we could certainly do with the extra $5 or $6 of groceries the kid actually consumes each week. Yet the Boss isn't there yet, so we continue to negotiate.

But that's not even what I wanted to talk about. On the ride home the girls are bantering about some nonsense or other, and all of a sudden my oldest blurts out "Truth or Dare." I almost drove the van off the road I was laughing so hard.

Clearly the kids are growing up way too fast. I remember back to my high school days and "Truth or Dare" certainly had a less than innocent connotation. Of course, I had to live vicariously through my friends because I had no rap and I wasn't invited to play in those cool games. 

But the last thing I expected to hear was my 8 year old wanting to play this game. Where did she learn about the game? And obviously she didn't know about the "less than innocent part," at least I hope so. Yes, I'm coming to grips with the reality that I will be the Dad that is cleaning the shotgun when the first few suitors come to visit my girls. Hopefully word will spread and I can return the shotgun to Wal-Mart.

And while I'm there, I may as well pick up some of those Shrek cheese sticks. A boy can't exist on chicken nuggets and Oreo cookie yogurt alone, now can he?

Have a great day.

Photo: "Let's Play Truth or Dare" originally uploaded by loser

Incite 4 U

It's a cold day in hell. That's right, I just opened up a Twitter account. I suspect this isn't the first time someone will call me a twit, but at least now it's legit. I'll explain why (after 18 months of being VERY resistant to the idea) in more detail tomorrow, but in the meantime you can follow me @securityincite. I'm still trying to figure out how the damn thing works, but I'll likely be doing daily updates there, so check it out. I'll start in earnest tomorrow. And without further ado, here is some Incite.
  1. That's right, one hell of a job - One of the great things about being at META back in the day was the battles we'd have about our research positions. Though it's not the same, seeing the debate on BlogInfoSec about whether security is the worst it's ever been (and whether we practitioners categorically are delusional about the job we are doing) kind of reminds me of those research meeting battles. I have to side with Sam DeKay here since the times are different now and comparing what we accomplish now (for a given investment) with what we accomplished back in the days before firewalls is a bit of an apples to rutabaga type of comparison. That being said, we have a lot of work to do, but it's not necessarily work on protecting things - it's work on the perception of security's value to the muckety-mucks.
  2. Fighting off the Botnets - Interesting article on NetworkWorld about defending against botnet-based denial of service attacks. There are a few options, including some services that you can buy and some other techniques that you can do on your own network. The most interesting (to me anyway) is the idea of using Cisco's reputation filters. Back from my anti-spam days I saw the value of reputation and as it gets embedded in the network it will be a good thing. But the reputation is only as good as the data used to determine someone's reputation. The fact that you saw an IP address scrawled on the stall at a concert probably should automatically disqualify someone from sending you an email. Though it's probably not an insignificant data point. It would be interesting for Cisco (and the other reputation providers) to be transparent about how these reputations are determined. But there is a fat chance of that happening.
  3. Defining your priorities - Gunnar is right on the money in discussing (and expanding on James McGovern's expansion of Gunnar's information security focus post) enterprise security priorities. He takes James' principles and does a good job of explaining and clarifying. Though I do want to make the point that ARCHITECTURAL priorities are much different than OPERATIONAL priorities. There is no doubt that auditors drive a lot of architecture and some tactical projects. But we as practitioners also have to pay attention to how we prioritize our operational responsibilities. You have a list and what needs to get done each day? That is one of the most important decisions you will make. I'm good and appreciate high level thinking, but we can't forget the tactical ways we decide what to focus on. In many cases, a broken operational prioritization is much more damaging than a broken architectural prioritization.
  4. Why the SDL is like Seinfeld - I'm a big fan of quick wins. In fact, with today's CNN-based ticker at the bottom, multi-tasking, ADD ridden society, if you can't get a quick win, you usually don't get to keep playing. The guy who runs NBC said that Seinfeld wouldn't have been given the time to develop if it had been introduced in 2007, as opposed to 1989. Sad, but true. So Jeremiah talks a bit about how to get a quick win, and amazingly enough it has to do with vulnerability assessment + WAF (which is one of Big J's specialties, or that of his company anyway). Interestingly enough, there is a disincentive to do the right thing, which is to build software correctly in the first place. The SDL doesn't show value quickly enough, and therefore is a risk for CISO's to push for it. As they are casting for the SDL-Seinfeld web show, you've got to love Shostack to play Kramer. A little hair gel and the likeness is uncanny.

The Daily Incite - 6/1/09 - The GriM Reaper

Submitted by Mike Rothman on Mon, 2009-06-01 11:25.
Today's Daily Incite

June 1, 2009 - Volume 4, #26

Good Morning:
They say the Grim Reaper gets us all. Today . OK, not really Dr. Death, but his main henchman for business - Captain Bankruptcy. It's not like this wasn't expected, and (in my opinion) it will be healthy for the longer term viability of GM. It's hard to be competitive when a multi thousand dollar entitlement albatross was weighing down every car GM sold.
Not the kind of demo you want to see...
The idea is that bankruptcy will allow GM to sell assets, rewrite contracts (especially with the unions) and restructure to be competitive. As a guy who drives GM cars when I rent, but wouldn't buy one myself - I think the economic situation was one piece of it. They also need to be more nimble and build products that folks want to buy.

But the bigger issue here is the concept of periodic renewal. If you remember back to the mid-80's, the concept that GM would go bankrupt was absurd. But then foreign automakers came in and built a better product more efficiently. And 20 years later, GM is on the verge of going away, if they can't change things very quickly. Basically every company must fight to not get stale and doing the same things year after year breeds mildew.

It reminds me of when I was doing an internship at Mobil Oil (when Mobil still existed) back in college. I was living at home and taking a bus to a train into New York City. The commute took me about 90 minutes a day and amazingly enough some of the folks doing that same commute did so for 30+ years. 

These folks were tired and most seemed pretty beaten down to me. It's not hard to imagine that after 30 years of commuting 90 minutes each way, you'd be a bit stale. Now there are a lot of reasons that folks do the same stuff every day, but no one has a reason to let themselves get stale. In our business, where I can tell you the bad guys are anything but stale, complacency and losing vigilance will kill you.

So we can take a message from our friends in Detroit. If we aren't undertaking a process of constant renewal, things will get ugly and most of us don't have the option of a Government bail-out.

Have a great day.

Photo: "Demolition means progress" originally uploaded by churl

Incite 4 U

Better and better every day, every week. Imagine that, an Incite for two weeks in a row, and I'll be starting to embrace "social media" more effectively this week, which I think will be a good thing. Stay tuned for that.
  1. Obama says cyber-security is important - The big news on Friday was the publishing of the 60 day cyber-security review that took 120 days to complete. I know that counting is hard in Washington DC. But the message was a good one. Byron Acohido did a nice job of summarizing the key points, though every tech book and most of the blogging community wrote something about it. But there is a big difference between words and action. Over the next 120 days, in order to maintain any kind of momentum, there needs to be a clear and defined action plan for how we get to achieve the President's 5-point plan. It's not going to happen by itself, or just because Obama says so. We should all be cautiously optimistic and also prepare a set of talking points for senior management to understand if/how the new initiatives will impact your organization.
  2. Metrics on the brain - When times get tough, the tough get counting. Isn't that how the saying goes? In security, counting has always been hard (as I've written about a million times), but we are making steady progress towards understanding what to count and then counting it. Dark Reading covers both how the fine folks at the Center for Internet Security have published their initial consensus-based security metrics work, as well as Project Quant - which is being driven by the Mogull. CIS puts forth 20 interesting metrics (well mostly metrics, some are a bit hard to really quantify) and it's a good start. Remember, some metrics will be operational in nature and some more focused on quantifying our value up the stack. The more substantiation we can have for the security team, the more likely we'll be able to stay around, especially if things remain economically tough.
  3. Should we call them VeriSell now? - VeriSign continues to dismantle the house that Stratton built, now selling the MSS business to SecureWorks. Given VeriSign's focus on seemingly selling renewable low-value thingys to mostly smaller companies (like domain names and SSL certs), selling the MSS business makes sense - even if they had to take a $100+MM bath on the transaction. This also gives SecureWorks the leg up as the biggest of the independent MSS providers and they did it for a reasonable price. Of course, now the fun work begins of moving the existing VeriSign business to its MSS platform to gain the economies of scale, but if you aren't getting bigger in this business - you are getting smaller.
  4. Predict this Dave... - It's never too late to poke fun at vendor mumbo-jumbo. Back at RSA, McAfee's Dave DeWalt unveiled a vision called "predictive security," which probably resides in the same bunker as the Holy Grail. I know, I know - I'm objecting to the words again as opposed to the concept of evaluating a crap load of data to figure out what is actually happening out there. But as my Dad the lawyer always tells me, the words are important. Mining data you are gathering from the field is NOT predictive. It's reactive. The concept is that by having this data, you can see patterns emerging and draw conclusions FASTER. But that is not PREDICTING anything, is it? And the astronomy and meteorology analogies are interesting because I wouldn't say weathermen have a great track record of really getting it right. Though I guess "faster reactive security" isn't really a catchy marketing term.
  5. Picking that QSA - Chris Hayes provides a good structure to evaluate a QSA in this post. Too many folks don't realize that picking a QSA is just like picking any other kind of service provider, and given the number of these folks that are popping up, it's a very competitive market on the verge of commoditizing. Of course, that means buyer beware must prevail to make sure you are getting adequate value, while minimizing cost. Also make sure anyone you talk to is well aware of the PCI Council's quality initiative (pdf) and challenge them on it. Some folks want a PCI assessor to just give them the rubber stamp, but that is being pretty short sighted. They can and should point out issues that need to be addressed, before the bad guys force the issue.

The Daily Incite - 5/28/09 - Swine Paranoia

Submitted by Mike Rothman on Thu, 2009-05-28 11:32.
Today's Daily Incite

May 28, 2009 - Volume 4, #25

Good Morning:
So I'm on a flight a couple of weeks ago, and the guy next to me starts coughing. No, not a "cough cough." It was like he was hacking up a friggin' lung. Thankfully there was the air sickness bag to catch the nastiness. Normally, I don't think twice about that, besides to check my sleeves and make sure nothing escaped the dude's tissues. But with the Swine Flu going around, of course, that's the first thought I have.
Masks iz ded sexy...
So I start calculating the numbers. There have been a couple of hundred cases of the flu in the States. That makes the chance that I'd be sitting next to a carrier roughly... .0000001%. Some days I'm thankful for the mathematician in me that runs numbers and probabilities and uses those rationalizations to continue to function.

Now that threat is averted, I bury myself in another 50 games of Flood-It, perhaps one of the most addictive iPhone games. I really need to stop downloading these games. I probably should be writing TDI posts instead, but what fun is that?

Right when I'm lulled into a sense of Coke Zero complacency, the guy in front of me starts coughing that same cough from the guy next to me. Could it be? Could it be spreading that quickly? Then I feel that little tickle in my throat. Oh crap, I have it too?

Not even the mathematician can help now. I break out Word and start working on my will. I figure I'll stop by the hospital on the way home and see how bad the damage is. I play this game for another 15 minutes. Then I realize, all of this stuff is in my head. So I think about being in the wilderness and taking deep breaths. The air is clean and crisp. There are no bubonic plague carriers in breathing distance. It's all good.

Until the guy behind me goes into a coughing rage... Basically, I'm screwed. Have a great day.

Photo: "ZOMG!!! Swine Flu!!!!" originally uploaded by Amanda-Ruth

Incite 4 U

I know. I suck. The best laid plans seem to get derailed by, well... life. Between sales meetings, day job responsibilities, and all the other crap that piles up on my plate, TDI has taken it in the shorts. So next week I'm going to recalibrate a bit and try to take a different perspective on it. I appreciate your patience.
  1. You can't boil the ocean - Though the Incite lawyers are hard at work on the cease and desist order for Rich to stop using the term "Pragmatic" anything, he makes a really good point in discussing the Pragmatic Data Security Cycle. Most things security fail miserably when we try to cover everything. There is just too much, so part of success is knowing where and how to bound all of these key initiatives. Hopefully Rich (and Adrian) will be fleshing out how to actually do this in subsequent research because it's like learning Mandarin for lots of folks. We know we should do it, but it's really hard.
  2. SMARTS gets smart about ConfigureSoft - The deals keep coming fast and furious. Yesterday, EMC announced the acquisition of ConfigureSoft for an undisclosed sum, though I'd be surprised if it was more than 2.5-3x trailing revenues. Most interesting to me is that it was EMC's Resource Management Group (which is built around the SMARTS system management technology) that did the deal, not RSA. Configuration management is more about operations than security - always has been. So having the EMC mother ship drive this deal is an indication of that.
  3. Finding the next gig - Great post on the Security Catalyst site by Bill Pennington about how to stand out from the crowd during a job search. Getting an audience is the first step and Bill outlines the way he likes to be approached, which is great advice and probably very similar to many hiring managers out there. I very rarely use headhunters because I don't have to. I usually know the folks I like for a position, and if not, then the interesting ones tend to figure out how to find me. Though this is only the front end of the battle, and there are also some good pointers about how to research a company you are interviewing with. If you don't have a crisp idea on how you are going to help, forget it.
  4. The future's so bright, you don't need shades - Is there a longer term future for the CISO? Or does the position go the way of the dodo bird? Boaz wonders how many larger organizations really need one? I'd posit that big companies NEED a CISO, but the CISO doesn't need to have an organization. I still believe someone needs to be the "conscience" of the organization, to evangelize and persuade the operational teams and business units that security is important. This person needs to own the "program" and set the standards for what is acceptable and what isn't. What they don't need is an empire. There is no reason that firewall changes shouldn't be owned by the network team, and database security shouldn't be owned by the data center team (or DBA team if you have one of those).
  5. Security budgets take a hit? No kidding... - I think the security industry for the most part has a bad case of happy ears. For the past few months (even though I haven't been writing, I've been reading), a lot of folks continue to maintain that budgets will be stable, maybe even increasing a bit. Sorry, that's a load of crap and I've been saying that for a while. Everything is being scrutinized by big companies, and that includes security. The Deloitte folks did a survey finally proving that. It was restricted to media, telecom and tech companies, but I'd be willing to bet it's pretty consistent across the other verticals as well (besides maybe the Fed space). I do think security will recover first, when things start really getting better - but to think there would be no budget impact of the financial implosion and recession is just silly.
  6. Heartland regains PCI Compliance - Hurray for Heartland, who is once again PCI compliant. Until they aren't. To these guys' credit, they acted decisively and addressed the shorter term issues that allowed the data breach. But to be clear, this doesn't mean they are secure. It just means they have done the bare minimum, until the Standards Council decides to either re-write the rules or get into the time machine and change things. It's easy to always be right when you have a time machine at your disposal.

Later than Hay: Incite's RSA 2009 Wrap-Up

Submitted by Mike Rothman on Wed, 2009-05-06 11:08.

Andrew Hay thought he'd be the last to post a wrap-up of RSA. How wrong you are, my friend. There is no boundary to the lameness originating at Incite HQ nowadays. But enough of the self-inflicted beatdowns. Personally, RSA was great this year. It's always great to see so many old friends, make some new ones and basically plug back into the security collective after spending lots of time in the wilderness over the past 6 months.

But that isn't really the right point to make. What were my general impressions of the big show this year? It gets back to the point that perception is reality. Always has been, always will be.

It's been entertaining to see what the pundits have been saying about this year's RSA. Ahead of the show I made a statement about the show being indicative of the strength of the industry. Well, I don't have much more clarity 3 weeks later, which is pretty indicative of the state of the industry. A few guys like Oltsik were largely pretty negative. Ogren and Stiennon were positive. And Pescatore (Post 1, Post 2) was right in the middle.

Me? I'm not as dour as Oltsik, but less optimistic than Pescatore. And Stiennon enjoyed too much of that vendor happy juice. Way too much. He's as excited as a 15 year old girl at a Jonas Brothers concert, which is horrifying.

Here were a few things of note that I noticed:

  • Since when is authentication cool? There were a lot of new vendors showing multi-factor authentication. I kind of figured I stepped into a time machine.
  • Less attendance is not a good thing. I saw a bunch of folks rationalizing the crappy attendance by saying there were fewer t-shirt hunters and more "buyers". Meh. We had our share of decent conversations, and our booth was packed for most of the show. But it's not like in past years, no amount of happy juice can get you there.
  • Compliance is just there. In past years, we saw everyone talking up their compliance capabilities. I didn't get the impression that was a key theme this year. It probably has to do with the fact that EVERYONE says it, so it's as good as no one saying it.
  • The death of the TLA. That's right, the three-letter acronym seems to be dead. Very little about DLP and NAC. Not too much on GRC either (since no one knows what the hell it means, it's a good thing). PKI? Nowhere to be found. Thankfully SIEM is a four letter acronym, eh?
  • New UTM vendors. WHAT? I saw a few new companies hawking UTM like devices. Wow. Good luck with that.
  • Everything as a service. Yes, much of the conversation was around SaaS and the nebulous cloud. I have a lot to say about that, but it'll wait until later this week.

But most of all, I heard data points on both sides of the industry health discussion. If you wanted to hear happy thoughts, someone would tell you a happy thought. If you wanted to hear about the end of civilization, more than a few Chicken Littles were in the house.

The thing that I was most aware of was the underlying fear. Most of the folks I talked to thought things were getting better. But they weren't really sure. It was kind of like they were trying to convince themselves things were getting better. And if they clicked their heels together 3 times, they'd be taken back home. I've long said that optimism is good, but that doesn't mean it's justified or real.

Folks on the user side weren't sure if their projects were going to be funded, or if they'd even have a job when they got back. Not all of them, but a lot of them still were operating under a cloud of uncertainty. The vendors put on their happy faces and talked about how the 2nd half of the year looked strong. Of course, looking strong and being strong are totally different things, now aren't they?

Personally, I think the strong will be stronger and the ones that suck will suck more. Darwin is at work here. Some companies are announcing strong results and clearly taking share (see McAfee). Others, not so much (see SonicWall). The business environment is clearly accelerating the strengthening and weakening of many companies.

Even if we've hit the bottom from a macro standpoint (which a lot of folks are saying now), it makes me think we've still got some bumpiness ahead. For whatever that's worth.

Most Entertaining Acceptance Speech

Submitted by Mike Rothman on Fri, 2009-04-24 14:31.

I'm honored, flattered and totally undeserving of winning the "Most Entertaining" blog award at the Social Security Awards at RSA this year. Given I was late to the event (and Rich had to spoil the surprise by sending me a 911 text to get my behind to the Blogger meet-up), and Alan got a bit long in the tooth in giving out the awards, and my total shock at winning much of anything - I was a little at a loss for words. Which is the first time I can remember that happened.

And even if I was my usual loudmouth self, the looks from the folks at the party made it clear I was the only thing standing between them and another cocktail. That's a bad place to be, so I kept my comments intentionally short.

I didn't get a chance to say thanks to a lot of folks that made this possible. However undeserving I am, the people around me enable this. So let me send thanks to:

  1. The Boss - Yes, without the Boss to keep me honest and focused, none of this happens. She takes care of many things, so I can do what I do. And she supports me and loves me, even when I make that hard to do. I also know that she'll kick my ass if I don't thank her first. Every time someone gets up at an awards show and forgets to thank their spouse, she goes on a tirade. I won't make that mistake.
  2. The munchkins - Though I don't view what I do as very entertaining, my kids sure are. So thanks to Leah, Lindsay and Sam - who give me an infinite amount of material to write about. They also teach me something new every day. It's great to see things from their perspective, which keeps me young (even though I look old).
  3. My blogging peeps - Yes, the blogging community is integral to the success of all of us. There are too many to thank individually, so I'll just say thanks to everyone. We challenge each other, give each other a hard time, and make the end product much better. Incite is written by me, but it's clearly a joint production.
  4. The bad guys - Everything is relative. Without dark, there is no light. Without bad guys, we don't understand what is good. So we can't do what we do unless they are doing what they do - as objectionable as that is. So we can get mad at "the bad" or we can be thankful that they keep us employed, keep raising the bar and ultimately give us a lot to talk about.
  5. You - I've always said that I write for myself and I'm just lucky that other people find (entertainment) value in it. That was true at one time, but not anymore. Many people came to my panels or the booth specifically to tell me they enjoy the Incite. Many also said they wish I had time to write more. Wow. It's a humbling experience and I couldn't thank those folks enough.

You can probably see why I kept my comments at the Blogger meet-up short. I suspect someone would have bounced a cue ball off my head if I rambled on like this at the event.

I wasn't quite sure what this blogging thing was about 3 years ago, but I ended up making a whole bunch of very good friends, building a business, and progressing along the road to happiness. After a brief detour, I recognize that continuing to write is very important to me.

So that's what I'll do.

RSA 2009: Art says Kumbaya

Submitted by Mike Rothman on Tue, 2009-04-21 12:12.

After getting out of the first two keynote speeches here at RSA, I have a few quick observations. First, I'm glad no one is allowed to smoke in the keynote hall. RSA's Art Coviello and Symantec's Enrique Salem were so wooden reading off the teleprompters during their keynotes, even the slightest spark would have set them and the entire building ablaze. And neither of them announced anything of substance. Nothing really on new products, just some horse crap about the need to operationalize things and build an eco-system.

It seems the theme of Big Security at this year's RSA show is Kumbaya.

That's the message from Art and Enrique today. To combat the threat of the bad guys and "win," the industry needs to collaborate and organize. Personally I think this is a veiled response to the success of McAfee's SIA program. Neither announced a formal partnering program, but it's just a matter of time. If you can't beat them, copy them. That's the way of Big Security.

Here's the thing about "collaboration." End users don't care about whether the vendors work together. They just want their problem to be solved. They are frustrated that they aren't any more secure today (and probably less secure) than they were 6 years ago. And with the economic collapse, customers don't have the ability anymore to throw money at the problem, deploy technologies that have limited success and go through the motions to put another widget in place. That game is over.

So all this stuff about collaboration is noise. It's to distract everyone that Big Security isn't getting it done. They aren't solving the problem. Basically the answer is what I've been saying for a long time (yes, before I went out and got a day job). You aren't going to get ahead of the threat. You need to react faster and contain the damage when you get hit (and you will).

I'm not saying we need to give up. Or stop trying to do the right thing. I'm saying we need to be realistic. Implementing a policy management environment to encompass the entire technology stack, as Art suggests, isn't realistic. Sorry to burst Art's bubble, but customers don't have enough breadth or visibility to even dream about protecting the entire ball of wax.

It's good keynote fodder, but for the most part it's just more hot air.

PS: I posted a piece on the eIQ blog this AM about whether we should even bother to try to "win" the battle against the bad guys:

RSA 2009: The Acid Test

Submitted by Mike Rothman on Mon, 2009-04-20 08:59.

For the first time in a long time, I'm not sure what to expect from this year's RSA conference. The early anecdotes indicated it may be a pretty weak showing this year. Then lately I'm hearing north of 15,000 people will attend. Perhaps they are including everyone in a 5 block radius of the Moscone Center in SFO, but that's neither here nor there.

To me, the health of the security industry will be gauged this week. Of course, everyone puts on their happy faces and basically lies their respective asses off. "Sure, business is great." "Scaling is our big problem." Blah blah blah. In this kind of economy, every company has issues. The question is how big the issues are.

So why did I think the conference was going to be weak? Basically because every other event I've been to since the economic meltdown has been mediocre at best, a total cluster-F at worst. End users have largely been keeping their heads down, not taking time to mingle at conferences. Basically, we've been trying to survive. RSA is the biggest dog in the security conference field, but will folks still get on a plane to see the sights?

Then I got the speaker notifications. I'm doing four panels and a peer to peer session. Now, I've certainly got an inflated opinion of my speaking abilities. And I've done sessions at the last 5 or so conferences that have gotten decent reviews. But to get 4 panels? Definitely means the gene pool of presenters is a bit thin this year.

On the other hand, lots of companies have been announcing decent earnings. Some have thrown in the towel (like Entrust), but quite a few are holding their own. It'll be interesting to see the tone at the AGC (America's Growth Capital) conference on Monday to get a feel for the market. 

I'll be at the conference all week, though as you can imagine, my schedule is pretty jam packed with day job responsibilities, speaking gigs, and the like. If you can attend the sessions, my speaking gigs are:

  • Tuesday @ 1:30 PM: STAR-105: Is SaaS the Future of Enterprise Security? 
  • Tuesday @ 4:10 PM: BUS-107: Security Groundhog Day (this was the best panel last year - don't miss it)
  • Wednesday @ 9:10 AM: NET-202: Using SaaS to Solve the Network Management and Security Challenge
  • Wednesday @ 10:40 AM: P2P-203A: More Security with Less Money and Fewer Resources (peer to peer session)
  • Thursday @ 9:10 AM: BUS-302: Which Security Tools take Priority in a Challenging Economic Environment

So as you can see, I've got a full speaking plate. And my sessions indicate what are clearly the two major themes of this year's show: SaaS and navigating the turbulent economy. Both are kind of related, but as in years past when you heard about NAC or GRC or DLP, you'll hear about the conference theme until your ears bleed. This year, SaaS will be the most hated term by Thursday.

Hope to see you at the show, if you are here. Check out one of my sessions or swing by eIQ's booth (#2058) and pick up a Log Data is Not Enough t-shirt or hat. You'll also be able to see the 2nd half of the "Don't be like Dick" video.

Log Data is Not Enough [Gratuitous Promotion]

Submitted by Mike Rothman on Wed, 2009-04-15 11:58.

<Gratuitous Promotion>
As much as evaluating my priorities has been taking up a lot of my time, I have been pretty busy doing my day job at eIQ. Today we relaunched our web site, with the objective to explain what we do and how we do it a lot more effectively. Candidly, I got tired of hearing the same feedback from friends and colleagues: eIQ looks cool, but what do you guys do again?

The hope is that our new site explains that more crisply.

Additionally, we launched a new project we've been working on called Log Data is Not Enough. We've got a website which shows a funny video about a data breach and its impact on the organization, as well as a number of other tips to make sure you are not like Dick. The first portion of the video is posted now, and next week at RSA we'll be previewing the second half, as well as an additional set of videos featuring someone you know pretty well, in character of course.

So check out and

</Gratuitous Promotion>