February 27, 2007 - Volume 2, #35
Good Morning:
Not sure what is in the water, but I want to discuss another deep topic this AM. Yesterday it was about equality, and today it's about community and mortality. It's pretty strange when you chat with people you hardly know, but they know a lot about you. That's the blogging effect, and at first it's a bit unsettling, but I've come to really enjoy it. I choose to share some details of my life because I think it's entertaining and it helps me find common ground with all of you. And I really appreciate the stories you send (via email or phone) that relate. As I say in the preface to the Pragmatic CSO, I work alone but I never feel alone.
Another great example of a community is how one of my former colleagues and friends, Mary Catherine Bassett, has been using her blog (here [1]) to document her father's journey as he fights a pretty rare and devastating cancer. As you read each of MC's posts, you feel like you are there fighting the battle with Bill and the rest of the Bassetts. You feel her pain and concern, but what comes across most clearly is the love this tightly-knit family has for one another, especially under the most strenuous of situations. It's truly an inspiration to all of us that don't fight this kind of life-and-death battle daily, and to those of us that do.
I guess it gets back to the reality that we need to enjoy every day because we don't know how many of them we have left. Maybe check out Mike Murray's book (here [2]), which helps to focus you on your passion and find your calling in life. I do plan a full review of Mike's book because I think it's great, but life seems to keep getting in the way. The fact that I've found what I like to do on my own just reminds me how lucky I am. If you spend every day grumpy about what you AREN'T doing, then you need to re-evaluate what you ARE doing and why. Being grumpy is no way to go through life.
It's another milestone day, as today is the last Day of Incite for 2007. Yesterday's piece on security research and network analysis is here [2]. Today's piece will be a bit of a rant on compliance, focusing on PCI. It's good to see that I'm not alone in my thinking that a good strong security program leads to compliance, not vice-versa. That Catalyst guy (Michael Santarcangelo for those that don't know him) puts up a post (here [3]) that could have been written by me, except that it's nice. Which is not surprising because I've heard Michael is an exceedingly nice guy.
But it definitely reiterates one of the cornerstones of the Pragmatic CSO methodology and my research in general. There are no shortcuts, no panaceas and no way to get around the brutally hard work of securing your business systems. So roll up your sleeves and get to it. Things don't get done by wishing them to be done, now do they?
Have a great day.
Technorati: Information Security [4], CSO [5]
[6] | The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7] |
Top Security News
here [8]), and it seems to confuse Alan (here [9]) and Mitchell (here [10]). But my StillSecure friends are too close to the business (given they have a competing product) to see the forest for the trees. For those of you that don't know about Harris STAT, they have a vulnerability scanner that is used in a lot of government agencies. It's pretty clear PatchLink is starting to take pages out of the playbook of Patrick Clawson, their CEO (he formerly ran CyberGuard). Buy some second-tier stuff for cheap to aggregate a few existing security functions, but don't really worry about integration. Then sell it to someone else and make it their problem. Patching/remediation and scanning are first cousins (part of the process I call "security assurance"), so it does make sense for them to reside under one roof. Is there leverage in integration? Not so much. But there is leverage in growing the customer base and giving PatchLink an entry (even if it's tenuous) into the US Government space. After all, with Citadel going to McAfee and Altiris going to Symantec, there aren't a lot of chairs left and the music is going to stop soon. Clawson is betting a bit more heft will help them find a chair.
Link to this [10]
here [11]) to the laundry list. After TDI went out, Trend Micro announced a whole mess of messaging security initiatives (here [12]). Nothing novel here, but I still don't see the need to do much on the email server if you have a strong gateway posture - unless it's free. But there is a bigger trend at work here. I said at RSA that anti-spam has started feeling like anti-virus to me, though maybe 25% of the total opportunity. Everyone needs it, and that leaves an opportunity for smaller and marginal vendors to make a pretty good living. Upon further reflection, it seems that content security (to paint it in a bigger box) is increasingly becoming what's next for the AV vendors as they grapple with commodity pricing and Microsoft on their home turf. Sure, there are some gateway/networking vendors that will cater to the large enterprise (Cisco, Secure Computing), but the mass anti-spam market looks to be very AV-like, with some competitors that we know pretty well.
Link to this [12]
here [13]). This is not a new attack and HID presumably had time to understand it and fix it. No? Why they are making a big deal out of more of a "tutorial" is beyond me. But CMP will be riding this one all the way to the bank and this isn't even their big show (that's Vegas over the summer).
Link to this [13]
The Laundry List
Symantec spins in circles, finally releasing their 360 offering - here [14]
Apere's box focuses on network/identity integration. It appears to be yet another identity-aware device. - here [15]
Truston jumps into the identity theft recovery business. - here [16]
Top Blog Postings
http://www.matasano.com/log/708/dark-reading-on-virtualization-security/
Link to this [17]
http://www.darkreading.com/document.asp?doc_id=118192
Link to this [18]
here [19]) process will help you figure out if you have any chance of success a lot sooner. Isn't that worth $97?
http://www.terminal23.net/2007/02/a_tale_of_two_security_viewpoints.html
Link to this [20]