Security Incite

Once again, it's that time of the year. I'm pleased to present the 2008 Security Incites which are my "trends" for where I think the security industry is going this year. I don't know much, but I do know that the Incites are wrong. They always are, and actually they are supposed to be.

You see, I'm no fortune-teller. Though I have been able to pinpoint some of the key industry activites through the year, my hit rate has been mediocre at best. But I do keep trying because it's interesting and fun. Yes, that's right - I said fun. I like trying to figure out what the next 12 months has in store.

So take a look and let me know how washed up and silly I am.

Once again, I will also be commencing the 10 Days of Incite tomorrow as I delve into each of the Incites and give you a better understanding of how I've come to the positions. And I will continue to revist the Incites in mid-July (coinciding with my summer vacation) and at the end of the year - if only to keep myself honest.

So without further ado, check out the 2008 Security Incites. Get the PDF here.

2008 Security Incites

What are the Security Incites?

Annually, Security Incite publishes a list of the key “trends” in the security business for the next year. Called “Security Incites” and written from the perspective of the end user (or security consumer), Incites provide direction on what to expect, assisting the decision making process. Each Incite provides a clear position and distills the impact on buying dynamics and architectural constructs. Incites also set the stage for Security Incite’s upcoming research agenda.

1. Express Your Inner Bean Counter

Substantiating the value of security continues to plague practitioners, who still can’t specifically answer the question: “Are we secure?” Structured security programs (ISO 27001/2, COBIT, Pragmatic CSO) help align programmatic activities, and look for significant advances in the area of security metrics – where the industry begins to gain consensus about what can and should be tracked.

2. It’s time for an audit revolution

Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.

3. Best of Breed DOA

As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

4. Weaving security into the network fabric

Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.

5. Night of the Internet Dead

With a majority of attacks (like drive-by downloads) no longer requiring user interaction; the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

6. Laptop encryption hits the big leagues

Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.

7. The SDLC is your friend

As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find its sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).

8. Protect the Vault (that’s where the money is)

The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendor’s disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.

9. Get the jumper cables for DLP

Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send a SSN# (or other regular expression) outside of the organization.

10. Hack thyself

Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.

 

In the better late than never camp, here are my Security Incites for 2007. I've taken a little different approach this year and have tried to focus exclusively on customer problems. Since everyone has an opinion, I look forward to lots of discussion and dialog relative to why I'm wrong.

And I will also be commencing the 10 Days of Incite tomorrow as I delve into each of the Incites and give you a better understanding of how I've come to the positions.

Just like last year, I will revist the Incites in early July (coinciding with my summer vacation) and at the end of the year - if only to keep myself honest.

So without further ado, I'm pleased to present the 2007 Security Incites. Get the PDF here.

 

What are the Security Incites?

Annually, Security Incite publishes a list of the key “trends” in the security business for the next year. Called “Security Incites” and written from the perspective of the end user (or security consumer), Incites provide direction on what to expect, assisting the decision making process as budgets and technology adoption plans are finalized for the upcoming year. Each Incite provides a clear position and distills the impact on buying dynamics and architectural constructs. Incites also set the stage for Security Incite’s upcoming research agenda.

2007 Security Incites

1. Get with the Program
   
   As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominately SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.

2. CSO Next
   
   A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically-oriented CSO.

3. Perimeter (R)Evolution
   
   The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.

4. Trust No One
   
   The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.
   
   
5. You (Mal)ware It Well
   
   The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

6. Patching the Leaks
   
   More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

7. The Information Strikes Back
   
   2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

8. Identity Everywhere
   
   Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.

9. Help Wanted: Fortune Teller
   
   CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lag, forcing customers to continue to do the heavy lifting themselves.

10. Time to get PC(I)
    
    PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.

So that friggin' Farnum tags me (here). Part of me wants to just ignore it, but that would be lame. So I'll take a break from book layout and web site building (yes, the Pragmatic CSO is on target to launch on Tuesday), but only by the graces of the boss, who is giving most of the long weekend to get everything done.

So here are 5 things you definitely don't know about me. Don't tell anyone, this will be our little secret, OK?

1. I'm introverted - Most of the time it's hard to tell because I've learned how to work a room out of necessity. But nothing gives me the heebies like a room full of strangers. Part of me is envious of those folks that seem to make friends everywhere they go. That ain't me.
   
   
2. I love art - Most contemporary stuff, but with a whimsical edge. I have pieces by Toutain, Vasarely, Chamaikan, and Schluss. Mostly lithographs, but the Toutain is an original and one of my most treasured possessions. Art is my one big weakness. At this point, I don't have the bankroll (or the wall space) to truly engage in collecting, but if the gods smile upon me - maybe at some point I'll be able to truly indulge.
   
   
3. I never miss a well check-up - Or birthday or anything else that is important to my kids. They don't realize it and hopefully some day they'll take it for granted, but I made a decision before my oldest daughter was born to be present and involved in their lives. I missed one of my wife's weekly pregnancy check-ups (because I was in the UK) and that still annoys me. So hopefully you'll understand if I decline a trip because one of my kids has something going on.
   
   
4. My favorite movie is Pulp Fiction - But Wall Street is a close second. I also liked the Usual Suspects. But at the end of the day, Tarantino's masterpiece of time shifting and other hijinx is the one I like best.
   
   
5. I don't drink Scotch - Stems from my first run in with J&B Scotch when I was probably 15 or so. Face down in a pile of puke freezing my ass off because my friends left the door open in the middle of winter. No, I couldn't get up to close it. At that moment, I promised myself I wouldn't drink anymore. I've broken that promise probably ten thousand times since then.

So hopefully you know a bit more about me. I'm not tagging anyone else because I think I may have been the last person on earth to be tagged.

Enjoy New Years and see you in 2007!

 

It's late on a Friday, so I figured I'd play around a bit with some of the advanced capabilities of my content management system (Drupal). The wonders of open source continue to amaze me in that people build these great capabilities and contribute them, gratis. It's cool.

After having the Internet connection at Incite Central down a few weeks ago, I figured it was time to start looking into Plan B, just in case. I've actually got a number of Plan B's in mind. I'll get an EV-DO card, once Sprint starts selling their USB modem, so it'll work with my Macbook. I'm hopeful that this will reduce my caffeine intake as well. Every time I go to a different coffee shop to work, I get one of those big coffee drinks. Let's just say I'm an excitable guy to begin with, but after a big coffee or two - WATCH OUT!

I also wanted to be sure I could post to my blog via email, as my Blackberry is pretty reliable. Thus, my Friday afternoon experimentation. A little hocus-pocus, couple of hand waves, a contributed module (called mailhandler), a new email box and BAM! I'm posting via email.

Now this is cool. Not rain, nor sleet, nor crappy Internet service, nor computer failures will keep me away. Have Blackberry will blog is my new motto. Enjoy your weekend and I'll see you on Monday.

A while back I published my OPML reading list (here), so you could get a slight glimpse of what I'm reading. Unfortuately that service is static and I'm too lazy to keep it up to date. But my friend Pito Salas, who does BlogBridge (my RSS reader) has graciously published my dynamic reading list as a BlogBridge expert guide. I'm not sure I'm the expert of anything, but nonetheless...

Basically this is a list of the top security blogs that I read. BlogBridge has this cool rating system where I use 1-5 stars to rate each blog. Then it is organized accordingly when new material comes in, which makes getting through my news much easier. I track close to 100 security blogs now, but only about 30 rate 3 or more stars.

So check it out those 30 here. The OMPL link is here.

If you happen to use BlogBridge, this is really cool. You can add my reading list as new guide. Go to Guides-Add Guide. Then click the "reading list" tab and hit the plus button (on the bottom left) and add the OPML link: http://www.blogbridge.com/directory/folder/1592.opml. Then any time I update my reading list, yours will be updated automagically.

Thanks Pito. BlogBridge is great.

Technorati Tag: information security

This month's SearchSMB column talks about UTM, within the context of the SMB market. So, that means "small UTM" just to be clear. If the column seems a bit short, well it is. That's because it was, let's say, heavily edited. Is it better? I don't think so because a lot of my informal vernacular has been gutted out. This is clearly not my style, but whatever. The points are the points, and at least they didn't mess with them.

I've got a unique style of writing, and if you couldn't tell I get a bit burned when it's messed with. But that's part of writing for some of the media outlets. So at the risk of getting into trouble, I'm going to post my original version here.

Of course, you can read the edited version here: http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1205017,00.html

 

The Original:
SearchSMB column/tip – July 7, 2006

UTM is in your future
By Mike Rothman

The network security business has evolved rather incrementally over the years, largely driven by threats – as opposed to thoughtful architecture. First there was the token authenticator, designed to protect all of those crazy employees dialing up into a remote access environment.

Then as direct connections to the Internet hit widespread deployment in the mid-90’s, there was a need to protect those connections with firewalls. But firewalls were rather unsophisticated devices, so products that could detect an attack pattern (intrusion detection) came into vogue. Subsequently we’ve seen gateway anti-virus, anti-spam, web content filtering, anomaly detection, web application firewalls, and a host of other new products emerge to stop very specific threats.

You as a SMB technologist are sick of it. At least the folks I talk to are. All of these products have different management consoles, none work together, and most are marginally effective. We all know that you don’t have extra people or dollars lying around to maintain the status quo. You need to do more with less and you need to do it now.

One of my favorite sayings is “No mas box.” My clients don’t want to see any more appliances; they want integrated solutions or at least the visage of integration anyway. Thus a new product category called unified threat management (UTM) has emerged. Pioneered by folks like Fortinet, SonicWall and Astaro, but more recently being joined by pretty much every security vendor – these devices promise integration, convenience and protection from pretty much every threat out there.

Should you turn off your existing equipment and move to these new platforms? In a nutshell, the answer is most likely yes. Your choices are pretty straightforward, continue to renew the maintenance on your existing device(s) or buy something new. In many cases, given the competitive nature of the UTM market, out of pocket costs may be comparable to upgrade to a new device.

Even if you are talking about a 15-25% increase in year 1 cost for a new box, it’s worth it. You’ll save at least that much time in not having to troubleshoot different equipment when you have a problem and your protection will be broader.

That begs the next question, who do you buy it from? The answer largely lies in your comfort level. Each vendor has strengths and weaknesses. Some are built using mostly open source software; others have proprietary chips to get the job done. Given where the market is now, you should strongly consider your incumbent network security provider. In all likelihood they also offer a UTM device, and you already are familiar with the vendor and the management interface.

At a minimum, you should kick the tires of at least one or two other devices. Only by getting hands-on a few boxes will you figure out what is the best fit for your environment. But for SMB customers, UTM is the shape of things to come.

OK. I'm tired of getting poked in the eye by my podcasting friends telling me that I'm a dinosaur. So I'm going to ask you all about whether you'd like to see an "InciteCast" or something like that. I've been waiting until I have time, but that's probably never - so I need to get a feel for whether anyone would listen if I did one.

So, visit Security Incite, log a vote and let the community will decide. Within a week or so, I should have enough data to know which direction makes sense. And if no one votes, I count that as a good indication of public disinterest.

http://securityincite.com/podcast-poll

I've noticed that Feedblitz delivery of the Security Incite blog is rather lumpy. Some days you get the previous days postings at 3 AM and other days it shows up at 5 PM (like today) or even later. Given that part of the value of Security Incite is timeliness, this may not be working for you. 

An alternative is to subscribe to the email version of The Daily Incite. Each days news hits your inbox by 10 AM THAT DAY. Not the next day, like with Feedblitz. I put a summary of each post in the newsletter, so if something picques your interest you can hit the link and read away.

You can subscribe on every page of securityincite.com or by sending an email to dailyincite (at) securityincite (dot) net. 

Or if next day delivery is cool, forgive the intrusion and thanks again for reading.

 

My apologies for the fairly frequent downtime on the website. For the most part my hosting company - Site5, does a pretty good job. But of late, they can't seem to keep MySQL up. So when you get those nasty looking MySQL errors, it's nothing but the shared database engine crashing and burning.

At this point, I can't really justify moving to a dedicated facility for what would be roughly 10x the price. As much as I think my rantings are "important," 70% or so of you read this through asynchronous methods like RSS or email - so the website being down isn't the end of the world.

Some day when I have a big commerce engine running 24/7, then my decision will be different. But for now I'll just deal with the fact that I pay $8/month for hosting and that means there will be some hair on the site.

Gets back to that risk/reward decision that we all have to make on a daily basis.

That is a legitimate question, and one I've given a lot of thought to before I started Security Incite.

Since I left META Group in 1998, the entire technology research business has been beset by mediocrity, especially the security sector. Since the Gartner "IDS is dead" position almost 4 years ago, analysts have shied away from taking strong, controversial opinions in this market. Who is providing perspective that security is too complex or that customers don’t need another security appliance? Who is questioning the significant economics being spent on compliance-oriented technology or stating that some of the new "architectures" are over-reaching and borderline delusional? These are messages the user community needs to hear and the analyst community has not stepped up to provide that guidance.

The catalyst for the formation of Security Incite was the Gartner/META acquisition. By removing the only other truly user-centric technology research company, Gartner now has monopoly pricing power and little, if any, competition to challenge their positions or their market position. That being said, our goal is not to create another Gartner. It’s to get technology research back to its roots – objective and user-centric.

Another goal is to provide world class analysis to the mid-market companies that cannot afford to spend $50,000 with the research monoliths every year. These companies have different, but just as significant, problems as the largest enterprises. At this point, they have no one but their VARs to rely on. By providing reasonably priced and actionable research – we believe the mid-market is a large growth opportunity for technology research.