Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - 11/06/08 - No sharing (and it's a problem)

By Mike Rothman
Created 2008-11-06 14:54
Today's Daily Incite

November 6, 2008 - Volume 3, #87

Good Morning:
One of the things I've always enjoyed most is getting to work with customers that are trying to solve some pretty tough problems. It was less fun when I needed to solve those problems myself, but being able to offer some advice, and try to position any number of different alternatives, remains a fun challenge for me. And this is pretty consistent whether I've worn a research hat or am representing a vendor. Only one fried chicken leg per customer.... [1]

Being at the Information Security Decisions show has given me the ability to have a number of great conversations with folks and figure out what's on their mind. I got into a pretty detailed conversation last night with someone who was asking why security folks don't talk about breaches and other issues more openly.

That's actually a great question and is (I think) the underlying concept for "The New School of Information Security." The book is still on my nightstand, and I guess it's probably time I crack it open and see what those guys have to say about the topic.

I explained to the person about the general paranoia of a security person, which is a cultural impediment to sharing a lot of information. But if that was the only reason, it could be overcome by a grass roots effort. The real problem is liability. If companies talk about their data breaches, then the tort lawyers have a ton of ammo to sue the pants off these companies.

At the show Mandiant's Kevin Mandia did the keynote on the state of incident response. One of the points he made was that in a breach scenario, it's critical to restrict information as closely as possible. Leaks happen and the information is usually neither complete nor accurate (remember the telephone game?). If you can restrict info as long as practical, it's best for most.

But that is obviously counter to using the massive number of industry breaches as instructive for all. So each company only gets to learn from their own mistakes, and that obviously makes it a much longer road to get better at protecting data. Yet, as long as there are significant financial penalties for sharing information, it won't happen. And that's a shame, but it is what it is.

Have a great weekend.


Photo: "Image_901" originally uploaded by sittered [2]


Incite 4U

I'm continuing to adjust to the new demands of having a job and all that entails, while keeping up with my industry reading and the Incite. I'm still way behind in my reading, so many of these news items are still a week or so old. I plan to catch up over the weekend, and then get back into a better rhythm. That's the plan anyway.

  1. PwC does their annual information security survey and finds security is still driven by compliance [9], as well as mergers and Web 2.0. Hmmm. First of all, I wonder if/how that has changed over the last 6 weeks. Back over the summer, I still saw compliance as the primary driver, though Web 2.0 was driving a lot of hype and getting folks to kick tires a bit. Virtualization security fit into that latter bucket as well. I do expect security spending to hold up better than other software markets, but that doesn't mean it's going to hold up well.
  2. Cisco announces a good quarter [10], but a crappy outlook moving forward. Their security business grew 19% year over year, which is again further evidence that 1) it doesn't matter if your product is best of breed, and 2) big is still the new small. But check out their earnings call transcript [11] because there is some great stuff there about how to deal with a downturn. Great stuff.
  3. An agile Big Yellow? Hold the presses. Symantec has started their own internal incubator [12] to give folks the ability to develop ideas outside of the "machine," or the big process that drives product development in a multi-billion dollar company. Actually this is a great idea, since the risk profile of leaving the mother ship and starting a new company is pretty ugly right now. I suspect a lot of engineers would jump at the chance to start new things, but within the warm embrace of a reasonably safe paycheck. And who knows, maybe some of them will actually come up with something.
  4. Understanding the "brave new world." Chris Wysopal of Veracode eloquently discusses something that we probably already knew, but didn't want to say. Everything is a target, which means everyone has to worry about little things like application security. [13] Of course, this is great news for Chris at his day job, though just because everything is at risk doesn't mean everyone will decide they want to address that risk. Yet, I don't want to minimize the point, which is that you can't assume they don't want to target you anymore.
  5. Little companies need IPS too. SourceFire goes down market with a few appliances targeting smaller organizations. [14] I know, I know - it's not an IPS. It's their 3D system, which does more than just IPS things. Blah blah blah. The important part of this is that at some point every company needs to figure out how to get smaller companies to pay them money. And they also have to figure out the channel, since that is how you get to smaller companies. This is actually pretty predictable given the background of Burris (the new CEO), and is the right direction to go in.
  6. 20% of 0 is still 0. Speaking of budgeting and security spending drivers, SearchSecurity highlights a recent survey saying community banks are going to increase security spending [15]. I wonder if they took the results of the banks that aren't going to survive out of the analysis. OK, that was probably a low blow, and I suspect the survivors will have to spend more on security, but it's not clear how many survivors there will be.
  7. OMG Gartner is blogging. Not Gideon Gartner, but some Gartner analysts. And it doesn't seem to be overly filtered. That's kind of cool. Pescatore is one of the security bloggers and makes the point that the Morris worm is no longer a teenager [16]. Funny thing is that I was actually at Cornell when the worm hit. I vaguely remember some discussion about it, but it didn't seem like such a big deal. But then again, if it wasn't made with hops or agave, it wasn't much of a big deal to me back then. He shows all the major outbreaks since then, which is always good to see graphically.
  8. While FIRE is going down market, Code Green is going up market with a new enterprise-focused DLP platform [17]. I'll make the same point I made before, but in a converse way. It's very hard to build a self-sustaining business only on the back of SMB as well. There are very few examples of that. So you do need to play in both. Now the real question is whether DLP is enough of a stand-alone market to support either the SMB or enterprise segment.


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-11-06-08-no-sharing-and-its-a-problem