Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - May 15, 2006

By Mike Rothman
Created 2006-05-15 07:58
Today's Daily Incite

May 15, 2006

Good Morning:
After a good weekend (I kicked my Sunday AM hangover by 2 PM), it's back to the business of security. My top "incite" today is how quickly things happen now in the security space. Mike Fratto publishes a pretty damning rant about NAC on Dark Reading and it just made me think that with blogs and other mechanisms for individuals to be heard, there is no "honeymoon" time for a new technology. So the G-folks may need to update their "hype cycle" because it seems that technologies are simultaneously at the peak of inflated expectations and the trough of disillusionment. That's why I love this business. It's always changing and you need to stay on your toes just to keep pace with the velocity of change.

Have a great day.

Top Security News

How quickly the tide turns on NAC
So what? - The velocity of the security hype engine continues to increase. A while ago, we'd at least have a year or so of unabashed hype before the naysayers started getting their megaphones ramped up. Not so much anymore. In this post, Mike Fratto of DarkReading questions the value proposition of NAC. Why do we need it? Where is the payback? Those are good questions to ask, but I disagree with his contention. Endpoint admission is the least interesting aspect of NAC to me. But things like insider threats, outsourcing and web services mean we can't always assume the good guys are on the network. NAC is a way to control the flow of traffic on the network and ensure only the right folks get access to the resources they are supposed to access. Is there ROI there? Is there for any security technology (besides maybe identity management)? We are entrusted to maintain availability and protect private information, and NAC will help do that more effectively. That's my bet anyway. So take that Fratto!
http://www.darkreading.com/blog.asp?blog_sectionid=326 [1]

Dynamic NAC

So what? - We are going to see all sorts of stuff portray itself to be NAC. In this story, CRN covers a new product from InfoExpress that can deploy NAC without any infrastructure upgrades. How? Basically it's an evolution of endpoint security, deploying agents to each desktop that can detect new devices that join the network (via watching the broadcast domain) and "apply policy." I was briefed on this probably 2 months ago, so some stuff may have changed, but I didn't really think there was much merit to the approach. But it goes to show that there are many potential ways to solve every problem. I personally think that the network needs to become more intelligent and it will - over time. But there will be a number of ways to "evolve" towards a NAC-based infrastructure and I guess endpoint enforcement is one of them.
http://www.crn.com/showArticle.jhtml?articleID=187201659 [2]

Eight security vendors worth knowing
So what? - I haven't really mentioned much about the new CMP Security site, Dark Reading - but I like it. These guys aren't analysts, but they aren't beat reporters either. They have an opinion and their style is irreverent enough to be interesting. In this article, they highlight 8 start-ups that are innovating in security. Some I haven't heard of (Ciphire Labs, Asempra, ForceField Wireless), some that feel like features - not companies (Sana Security, CoreStreet, SecureLogix, CounterStorm) and one whose story is great (Exploit Prevention Labs - which I've written on a few times before). The point is (regardless of what David Berlind says) - there are lots of security companies solving new problems. Some will make it (likely getting acquired by an aggregator), many will not. But security will remain a problem for the rest of my working career (15 years or so).
http://www.informationweek.com/story/showArticle.jhtml?articleID=187202804 [3]

More thoughts on enforcement
So what? - I mentioned last week my thoughts on throwing the book at hackers (whether they consider themselves white hat or black hat). There have been a lot of rumblings that folks like the dude that broke into the USC network are needed. I don't buy that for a second. Every company should be doing penetration testing (if you have something to protect anyway) regularly. But giving the green light for unauthorized folks to try to compromise your network is not OK by me. InformationWeek's Larry Greenemeier delves into the topic in more detail in this story and presents both sides of the story.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187202846 [4]

Is security slowing online banking growth?
So what? - I love these types of articles that do a survey that proves the law of large numbers really exists. It seems that people are worried about online security, which is no secret. About 58% of people will do online banking this year. But eMarketer only sees that growing to 62% over the next 4 years because of online security concerns. My first question is what is true saturation? Based on the number of folks that don't have computers (but have bank accounts), is it 75% or 70%? I don't think we'll ever get to 75% of online banking penetration because you still have folks out there that don't use ATM machines (my in-laws are two of them). You aren't going to change those folks, it's culture and until today's kids are tomorrow's adults, we'll never get full penetration of online services. Regardless of the security issues.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187202815 [5]

Top Blog Postings

Is social networking the key to finding hackers?
This is an interesting post from Dancho Danchev about the role of social networking and security. Can we visualize where the bad guys hang out and use that information to help catch them (or at least protect against them) more effectively? I say yes, but it's very very hard. When I was at TruSecure, part of our research group spent a lot of time penetrating the hacker networks. That gave them insight into what the hackers were working on and allowed them to pinpoint areas that should be protected. But this is largely a human activity and will be very hard to automate, especially given how zombies are being used to further obfuscate the bad guys.
http://ddanchev.blogspot.com/2006/05/terrorist-social-network-analysis.html [6]


What wireless security problem?
David Ramel on the ComputerWorld blog asks something that I wonder about as well. Do we really have a wireless security problem? So there are a lot of unprotected access points out there. What are you going to steal? Even most businesses that have rogue access points, what is the real exposure? That being said, if you connect through any of these open networks (like at a coffee shop or if you "borrow" bandwidth from a neighbor) you should have sufficiently protected your endpoint. Up to date AV, anti-spyware and permissions to ensure your own machine is not compromised.
http://www.computerworld.com/blogs/node/2519 [7]

Chandler is ranting
Today I'll highlight two posts on Chandler Howell's blog that I think are interesting and good. The first is about our continued reliance on the perimeter and the difficulty of making "internal security" work. That's another reason I think NAC is the long term answer. In the meantime, we'll need to focus on protecting the data center with application gateways, as Chandler says. The other post questions whether DRM (digital rights management) will ever really work. I join Chandler in being skeptical because of both technology (interoperability is nil) and user experience. If I'm on a plane, I need to get at my documents. Today's approaches to DRM are just too friggin complicated to make work. But with folks like EMC buying Authentica, we'll start to see this being baked into the storage infrastructure - which may give it a chance. But it will be a LONG time before discernible progress is made.
Perimeter post: http://thurston.halfcat.org/blog/2006/05/13/americans-still-love-their-perimeter/ [8]

DRM post: http://thurston.halfcat.org/blog/2006/05/13/how-corporate-drm-will-fail/ [9]

You need to love security
In this post, "Roger" reminds us security professionals about needing to love what we do. Security has been hot for a while, so I don't necessarily think we are still dealing with a lot of carpetbaggers, just looking for the next hot thing. But it is true that security is a thankless job that is hard - every day. If you are great, you are anonymous. If you screw up, you are vilified. That's not something that people looking for the highest buck are going to be comfortable with for any length of time. Most of the folks I meet on the end user side are very passionate about what they do, and it gets them through the fire drills. Take it from me (who spent a good portion of the last few years hating what I did), if you don't love it - find something else to do.
http://www.infosecblog.org/2006/05/how_to_be_an_infosec_guru.html [10]


Recently on the Security Incite Rants Blog

How many customers means success?
I usually try to keep my rants to end-user oriented topics, but sometimes I just can't help myself. In this post I riff a bit on how many customers means success and whether it even matters. I got a bit torqued during a briefing last week when a vendor tried to convince me they were the leader of their space with only a few customers.
http://securityincite.com/blog/mike-rothman/how-many-customers-means-success [11]

Read Friday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-12-2006 [11]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-15-2006