Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Special Incite: 2008 Incite Report Card

By Mike Rothman
Created 2009-01-02 12:16
Today's Daily Incite

January 2, 2009 - Volume 4, #1

Good Morning:
Happy frackin' New Year. That's right. After being largely invisible in December, I'm going to try to be better about consistently posting the Incite a few times per week and some other random thoughts as they appear in my pea brain.  Are you ready??? [1] 

You see, I've come to realize that I can't get everything done. I've been weighed down for the past month with guilt that I would spend a few hours doing my "personal" stuff when I had so much to do for my day job. What I've discovered is that regardless of whether I work 10 or 18 hours a day, there is always more to do.

So screw it. I'm going to write my newsletter because I've missed doing it. The Boss reminded me of a few good ones that I wrote over the year (she doesn't exactly read them the day they are written) and I realized how much logging my daily rantings has become part of what I like to do.

So I'm going to keep doing it. And with that, take a look back at 2008 and see what you did right and wrong. What are you going to change? How are you going to change it? Are you sure? I've got no patience for the "resolutions" that everyone makes when the ball drops in NYC.

You either change or you don't. I mean MASSIVE CHANGE. Some folks look to make incremental changes. In my experience (especially with personal development), it doesn't work. It's too easy to backslide into the old, bad habits. I do that all the time.

Don't fool yourself thinking that 2009 will be different unless you are going to be doing something different, actively and consistently. I've heard the definition of insanity is expecting a different outcome from the same activity. I believe that.

So here's to you making the changes you need to make in 2009, and to having a great year!


Photo: "massive change" uploaded by 416style [2]


2008 Incite Report Card

We could sit and agonize about how crappy 2008 was. But actually it was a pretty decent year for me. I'm very fortunate and I know it. But as Anton points out, there is no way I was going to miss getting back to my Incites for 2008 and seeing how I fared. Of course, my schedule doesn't allow me to do a detailed analysis of each Incite, but I'll provide a sentence or two on each one - just to keep myself honest.

As I look at the Incites, I only have one comment. Pretty crappy... But like everyone else, I didn't foresee the depth of the economic malaise and that had a direct impact on a lot of these projections. At least, that's how I rationalize my continued inability to project much of anything.


Incite #1:  Express Your Inner Bean Counter

Substantiating the value of security continues to plague practitioners, who still can’t specifically answer the question: “Are we secure?” Structured security programs (ISO 27001/2, COBIT, Pragmatic CSO) help align programmatic activities, and look for significant advances in the area of security metrics – where the industry begins to gain consensus about what can and should be tracked.

Grade: D+

This one didn't exactly go as planned. OK, it really should be an F. There was no consensus and there doesn't seem to be any consensus on the horizon. It's too bad because it's something that is sorely needed by the industry. But we are (justifiably) more worried about keeping the lights on and fighting to keep our already limited resources and funding. Metrics will help in the long term, but we don't have the luxury of thinking long term right now.


Incite #2: It’s time for an audit revolution

Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.

Grade: B

In every survey heading into 2009, compliance is still a critical issue and one that "will not" be deferred, regardless of the economic situation. I'm not quite sure I believe that, but I do think that compliance continues to be a major corporate imperative. Even in a global recession, the auditors still show up and we'll probably still treat them like crap. Which is another story for another day.


Incite #3: Best of Breed DOA

As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

Grade: B+

Can you even get a stand-alone firewall anymore? I guess if you consider Palo Alto's box a "firewall," then maybe - but that's about it. This has happened and no one even talks about it anymore, and with Check Point's acquisition of Nokia's appliance business - it'll accelerate. Consolidation will continue in 2009, valuations will come down (reflecting the lack of options for most small security companies). I'm also right on target with the consolidation of security management offerings. At least I've made a huge career bet on it [9], so I'm not just blowing smoke on this one.


Incite #4: Weaving security into the network fabric

Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.

Grade: B-

Network security is largely just "accepted." Everyone has some equipment to protect their perimeter. The rush to bake security into the fabric will take longer than anticipated, mostly because, with the economic carnage, there are no real catalysts to invest in the infrastructure right now. We saw a few NAC vendors go out and some trying to keep their heads above water. But this is a market for the big boys, and the sooner any independents find a partner, the better it will be for them (and their investors).


Incite #5: Night of the Internet Dead

With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

Grade: A

There was seemingly no stopping the zombie machine as it continued to proliferate around the world. We did see an ISP of ill repute get thrown off the island (when other ISPs stopped peering with them), but an amazing thing happened. Attacks continued, machines kept getting compromised, and with the exception of a week's respite, the head grew back. In 2009, trying to stop all of these attacks is a bit too much to ask. So focus on making sure you contain damage and (right) REACT FASTER.


Incite #6: Laptop encryption hits the big leagues

Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.

Grade: B+

Are there any stand-alone laptop encryption things left? I know, I know - a few - but not many. All of the big AV vendors have their own solution and in 2009, we'll likely see the bundling happen in earnest. Why wouldn't McAfee, Sophos and Symantec (once they buy GuardianEdge) just give it away? In this kind of environment, these guys will be pushing for renewals, and adding a lot of sweetener to get it to happen. What has lagged are the management tools from the O/S vendors (MSFT and Apple) to really make this happen as part of the operating system. The fact that no one is deploying Vista doesn't help either.


Incite #7: The SDLC is your friend

As innovation in web application scanners is crushed by consolidation and web application firewalls still can't find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye, and embrace the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).

Grade: C

Another casualty of the economic downturn will be strategic things like the SDLC. Which is too bad, since it's critical that we address the root cause of these application attacks. Web application firewalls did find their sea legs, and they can send the check to the "PCI Security Standards Council." When the PCI folks made a web application firewall (or, under Requirement 6.6, an application code review as the alternative) a must-have, they carried the entire business with it. That will likely lead to Imperva and Breach getting a long look from the network security vendors in 2009. And the SDLC work that really needs to happen gets pushed back to 2010/11, best case.


Incite #8: Protect the Vault (that’s where the money is)

The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors' disdain for security doesn't help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.

Grade: B

Database security limped along in 2008, as big companies started dipping their toes into the water. But this wasn't a very exciting business in 2008, and it's hard to see what's going to make it exciting in 2009. And every year this space doesn't break out is another year the big DB folks get closer to doing it themselves - or acquiring technology at fire sale prices. And when was the last time you heard anything about encryption infrastructure? I suspect a bunch of the small vendors hanging on in that space will go away in 2009, and the rest will be subsumed - because there just isn't a market for it. 


Incite #9: Get the jumper cables for DLP

Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn't send an SSN (or anything else a regular expression can match) outside of the organization.

Grade: B+

The fact is that DLP is a small market, and will remain that way. I've heard (anecdotally) that Symantec's group (the former Vontu) is doing well, but that's about it. The standalone vendors are struggling, and the big vendors are trying to figure out what to do with it. Licensing the engine to Microsoft seemed to be RSA's answer. I still hold to the reality that large enterprises can look at a stand-alone solution because their liability is a lot greater - everyone else should be playing around with their mail and web gateways and tuning those regular expressions. Yes, it's a lame answer - but can you go spend 6 figures on a DLP thing now? Right.
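As an added illustration of the "tune your gateway regular expressions" approach the Incite recommends (example code written for this page, not from the original post or any gateway product): the naive three-two-four digit pattern most admins start with, next to a matcher that applies the structural rules the SSA publishes for issued numbers and normalises the separators. The message IDs and bodies are constructed, as is the whole sample set.

```python
"""Gateway-style SSN filter: naive regex versus a validating matcher.

Added example for this page, not from the original post. The sample
messages below are constructed; no real personal data is embedded.
"""
import re
from typing import Callable, Dict, List

# The pattern most gateway admins start with: three-two-four digits with dashes.
NAIVE_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Candidate pattern: allow a dash, a space or no separator, but require the SAME
# separator in both positions (the \2 backreference), and refuse to match when
# the nine digits are glued to other digits or a dash (tracking numbers, phone
# numbers written as 404-555-0123, order IDs like ORD-123456789).
SSN_CANDIDATE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks from the SSA numbering rules.

    Area 000, 666 and 900-999 are never issued (900-999 also covers the
    987-65-43xx block the SSA reserves for advertising), nor is group 00
    or serial 0000. Passing these checks does not prove the number is real,
    it only removes matches that cannot be an issued SSN.
    """
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return structurally valid SSN candidates in text, normalised to dashes."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def naive_hits(text: str) -> List[str]:
    """What the untuned dash-only pattern would flag, for comparison."""
    return NAIVE_SSN.findall(text)


# Constructed sample messages (hypothetical IDs and bodies).
SAMPLE_MESSAGES: Dict[str, str] = {
    "msg-1": "Please update my record, SSN 219-09-9999. Thanks!",
    "msg-2": "Ticket 987-65-4321 escalated to tier 2.",
    "msg-3": "Applicant gave her number as 219 09 9999 over the phone.",
    "msg-4": "Shipment 1234567890 left the warehouse; call 404-555-0123.",
    "msg-5": "Test fixture uses 000-12-3456 as a dummy value.",
}


def scan_messages(
    messages: Dict[str, str],
    matcher: Callable[[str], List[str]] = find_ssns,
) -> Dict[str, List[str]]:
    """Run a matcher over each message; return only those a gateway would hold."""
    held: Dict[str, List[str]] = {}
    for msg_id, body in messages.items():
        hits = matcher(body)
        if hits:
            held[msg_id] = hits
    return held


if __name__ == "__main__":
    print("validating matcher:", scan_messages(SAMPLE_MESSAGES))
    print("naive pattern:     ", scan_messages(SAMPLE_MESSAGES, naive_hits))
```

On the constructed set the naive pattern holds msg-1, msg-2 and msg-5 (two of them false positives on a ticket number and a dummy value) and misses the space-separated number in msg-3; the validating matcher holds exactly msg-1 and msg-3. The unseparated nine-digit form is the noisy part of any such rule; if it generates too many holds in practice, change the separator group to `([- ])` so a dash or space is required.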


Incite #10: Hack thyself

Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.

Grade: C

Driven perhaps by the loud mouths that continue to talk down pen testing, this was still an uphill battle for those enlightened security professionals who actually wanted to see what was really at risk. I'll admit to being a little early on this one, but over the next 2 years it will play out. Why? Because most of the new attacks target applications, and a lot of the application scanners actually have exploit-like code built in. So application testers (right, Q/A folks) will become "pen testers" as we expand the definition of pen testing. The economic environment has probably put the kibosh on any kind of formal "security assurance" group for the time being - but that is another one I believe will play out, though it may be part of the audit team over time.


Source URL:
http://securityincite.com/blog/mike-rothman/special-incite-2008-incite-report-card