May 10, 2006
Good Morning:
And a good morning it is. Do you feel like a failure? Does the constant arms race of attack/defense make you nuts? A recent article from a fellow named Noam Eppel (link here [1]) basically says we are losing the battle big time and we don't realize how serious the problem is. I rant about it a bit below, but I just don't buy this. The real answer is that the security business is changing. We cannot close all the exposures, so we have to prioritize carefully and make sure we have proper contingency plans in place. There is a great post about this on the TaoSecurity blog (link here [2]).
Most importantly, don't let wet blankets like this Eppel character get you down or cause you to lose focus. If that happens, the bad guys win. No one said this was easy - but it's important. Your company counts on you to protect their critical information assets, so keep your eye on the ball.
Have a great day.
Top Security News
Symantec looking at IdM
So what? - Shocker. There is a market Symantec is not in and they should be. If one of their "themes" is going to be IT compliance, they need to be in Identity Management. So the question becomes what to buy? They could go BIG and buy RSA, but that would be expensive. Or they could buy technology and take out folks like PassLogix or Imprivata for SSO or Courion on the provisioning front. Given where the IdM market is (maturing quickly with big stacks - IBM, Sun, Oracle, CA leading) Symantec doesn't have time to buy technology. They need to buy market share and then start to drive it hard. Seems like a Bindview-like opportunity to buy something a bit bigger to gain an accelerated foothold.
http://news.zdnet.com/2100-1009_22-6069734.html [3]
Hamlet dies at the end, right?
So what? - John Thompson lays out an integration plan for the desktop security suite with the Sygate endpoint stuff and WholeSecurity behavioral defense products they've acquired in this CRN article. The point is to move their products from "end point protection to full end point compliance." Whatever that means. They have code named the product Hamlet, which I think is entertaining, since Hamlet and basically his entire family are dead by the end of the play. What is not entertaining is that Symantec wants credit for an obvious integration play that should have happened months ago. It's not like they just acquired Sygate and Whole, but are finally getting around to integrating stuff. Target availability is end of Q1 2007, so about 18 months after the acquisitions. Clearly the Big Yellow is big and lumbering. They need to take a lesson from some of the bigger aggregators (Cisco, EMC, and CA come to mind) about how to communicate and drive a road map after a number of acquisitions.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=187201691 [4]
Partners jump on Check Point UTM strategy
So what? - Predictably, Check Point's appliance partners have lent their support to the new UTM offerings, or really single console offering of all the stuff they've had for a while. Crossbeam and Nokia are happy to have something new to sell to customers. Of course, this is great for Nokia, but I'm not so sure for Crossbeam. They've already got separate components to provide UTM on their chassis, so this may confuse the issue a bit. But as I mentioned yesterday, it's not too late for Check Point to start pushing into this market, but betting on Nokia to keep competitive relative to other UTM appliances (Fortinet, ISS, etc.) is a bad bet.
Check Point's UTM: http://www.checkpoint.com/press/2006/utmannounce050906.html [5]
Crossbeam's support: http://www.crossbeamsys.com/press_050906.asp [6]
Earnings Watch: Symantec, Cisco, Zix, ActivIdentity
So what? - Lots of earnings announcements yesterday, highlighted by the Big Yellow. Symantec had revenues of $1.24 billion and earnings that were a bit higher than Street expectations. Stock up a bit, despite a soft outlook. Go figure. Cisco got significant contribution from Scientific Atlanta and thinks the US will remain strong, so they feel pretty good about their future outlook. Zix continues to hemorrhage money. Revenues are up ($3.9 million), but that seems very small for as long as they've been at it. They burned about $5.5 million in cash over the quarter, but they keep raising money. That boggles my mind. Finally, ActivIdentity announced a flat quarter year over year during their latest turnaround. Their outlook was for about 20% growth next quarter, which, given they've never really grown much of anything, is interesting.
Symantec: http://snipurl.com/q9n6 [7]
Chambers on Cisco's Quarter: http://newsroom.cisco.com/dlls/2006/hd_050906b.html?CMP=ILC-001 [8]
Zix: http://phx.corporate-ir.net/phoenix.zhtml?c=108645&p=irol-newsArticle&ID=854450&highlight= [9]
ActivIdentity: http://www.actividentity.com/en/newsroom/7_1_105_actividentity_pr_050906.php [10]
The importance of the channel in early markets
So what? - Consistent readers of TDI know that I think mastering the security channel is a critical success factor in breaking out of emerging, crowded security markets. NAC is going to demonstrate this more than most. Getting the mind share of the big security channel players will make the difference between ramping quickly (and getting a good exit) or not. In this announcement, the folks at ForeScout announce that FishNet is now selling their box, which is pretty significant validation relative to the other NAC start-ups. FishNet is one of the big security resellers (along with Calence, Forsythe, True North, among others) and they tend to be reasonably selective in who they add to their line card. The enterprise security channel is not about two-tier distribution and thousands of resellers, it's about having 20-30 focused partners to drive the business.
http://www.forescout.com/index.php?url=news&section=press_releases&id=06-014 [11]
Top Blog Postings
End-to-End NAC is hard
In tandem with my post on NAC interoperability, the folks over at Matasano make a very insightful observation about not needing end-to-end NAC at this point. Just protect the most sensitive assets and let everything else evolve to NAC at its own pace. I looked at the problem from the perspective of where the market is (based on customer problems); they look at it from the perspective of what needs to be protected.
http://www.matasano.com/log/262/nac-is-hard-sigh/ [12]
Security vs. Risk Management
Chandler Howell has an interesting set of definitions for security vs. risk management. His conclusion is that security is a subset of risk management. I tend to agree, but with caveats. I'm not sure there should be a difference. I interpret his definitions to be security as a technical discipline, where risk management looks at it from the business point of view. Maybe that's not what he's saying, but that's what I read. I don't think security folks have the luxury of thinking about only technical stuff anymore. They absolutely need to look at risk, basically ensuring they spend the most time protecting the most valuable assets. Those that present the most RISK to the organization if they are compromised.
http://thurston.halfcat.org/blog/2006/05/08/security-versus-risk-management/ [13]
Is security a failure?
Martin McKeay refers to a post by Noam Eppel regarding a "complete, unquestionable and total failure of information security." Martin is pretty politically correct in saying that we are certainly not winning, but to think that security people don't know what's at stake is just wrong. I'll be a bit more candid. Noam's position is crap. There is a nugget of truth (the bad guys innovate fast) weaved around a whole mess of Chicken Little statements about all of the exposures. He only mentions about 10, but there are thousands of places you can get compromised. That isn't the point. Folks that are exposed to simple stuff aren't doing their job. With a little "pragmatic security," a dose of end user training, and the right defenses in place, a great majority of the risk can (and should) be eliminated. Noam is allegedly going to publish a Part 2 that talks about solutions. That will be interesting to read.
http://www.computerworld.com/blogs/node/2490 [14]
Numb to patch Tuesday
Mike Fratto expresses some frustration that he just can't get fired up about Microsoft's monthly ritual. Maybe some Viagra would help, I'm sure he gets lots of spam offering it. But seriously, we should be numb to having to patch the OS. At this point, it's an operational issue. We've got tools to automate the function and the only time we need to be alarmed is when something big happens and the patch isn't ready. The biggest news is that one of the patches breaks RIM Blackberry Enterprise Server, but there's an easy workaround. I'm with Fratto. Big deal. As long as there is software, there will be the need to patch it - so to continue to get fired up about this is a waste of time and energy.
http://www.darkreading.com/blog.asp?blog_sectionid=326 [15]
Convenience vs. security
Douglas Schweitzer brings up a good point to pretty much flay the issues everyone has been having with the new additional security controls in Vista. "Security is not always convenient." Amen to that. As security professionals we need to make decisions every day about whether an additional defense or control is worth the cost and user experience impact. Some folks may deem that Vista is too much and impacts the user experience too dramatically. That's fine, stick with XP. The point is that it's a CHOICE.
http://www.computerworld.com/blogs/node/2490 [16]
Recently on the Security Incite Rants Blog
NAC Attack Part 3: Interoperability, do you care?
Getting back to the NAC series, in this post I tackle why you shouldn't care about NAC interoperability. YET. There will come a time when it's important for agents, NAC appliances and switches to work together - but that's not now. Check it out.
http://securityincite.com/blog/mike-rothman/nac-attack-part-3-interoperability-do-you-care [16]
Read Tuesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-9-2006 [16]