May 10, 2007 - Volume 2, #77
Good Morning:
Yesterday I talked a bit about "collusion" relative to 3 database security vendors announcing largely the same thing on the exact same day. As expected, I heard back from these folks - and as I expected - they pointed the finger at each other and claimed the other was copying. Just like my twins. At least human nature isn't failing me here. But as I was at dinner last night with an old friend, we got to chatting about why there are multiple companies in each sector.
In case you aren't following, it always seems that there are 2-5 companies for every emerging security (actually, probably broader technology) problem. You never just get one start-up that solves a specific problem. That's very rare. So my friend and I started throwing some ideas around as to why this is ALWAYS the case.
Then I had an epiphany. It gets back to collusion. A key part of the launch process for any venture-funded company is validation. That's when they talk to a bunch of CIO/CSO/CFO or some other highfalutin' C-level blowhard and ask them what their problems are and if they built X, would they buy it. They tend to focus on large enterprises, so you end up with a bunch of entrepreneurs that talk to roughly the same 40-50 companies and get roughly the same feedback.
I've been there, I've done it. But I never put the pieces together. Of course, all of the entrepreneurs are going to come up with new products to solve the same problems. They are discovering the problem space by talking to the same people. Of course, the uniqueness comes in how the problem gets solved and whether they can build it, bring it to market, and compete effectively.
Next time you get pissed about getting calls from 4 vendors offering the same exact thing, just think back to the fact that if you talk to these entrepreneurs - then you are to blame. You or someone like you gave them the answer. It's your bed, now you get to sleep in it.
Have a great weekend.
Technorati: Information Security [1], CSO [2]
[3]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [4] | Pragmatic CSO Bootcamp Maiden Voyage June 6 in Atlanta Sign up Now! Only 10 slots (and they are filling fast) [5] |
Top Security News
Wall Street & Technology [6] says security is more of an information management function and that security professionals have to evolve their skill set. I am certainly on board with that, and for smaller financial institutions that becomes a huge issue. The Super-Regionals just throw money at the issue, but the thousands of other smaller FIs and credit unions are continually having to rob Peter to pay Paul. Getting back to the article, the point is that it's all about the data and that a hard perimeter isn't going to get it done moving forward. They are exactly right.
Dennis's SearchSecurity editorial [7] this week makes some interesting points about why customers should have to wait for the monthly patching extravaganza, especially when there is a serious issue. But I still think the monthly cycle is the right approach for the vast majority of patches and also the vast majority of customers. Any organization of size has huge issues with testing and ensuring the patches won't cause regressions in the rest of the systems. Doing any more than once a month means patching is pretty much all they'd do. There are approaches to get patch-like protection by using IPS signatures to block these attacks until the patches can be worked through the change control process, which does take time. So I hear where Dennis is coming from, but monthly is still the right frequency for patching.
PDFZone [8] covers an interesting issue that we have to deal with. I railed quite a bit about blocking encrypted zip files at the mail gateway, but that isn't the only way you can get nasty content through the gateway. PDF, as evidenced in this article, can be another way. Of course, I'm not familiar with ways to embed executables into PDFs, but you can certainly put links in there. So this could be a newfangled spam/phishing vector. The answer? Probably nothing right now, but a lot of the technologies designed to stop image spam should also be applicable to PDFs. And if the PDF is encrypted and password-protected? Right, block it at the gateway.
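As an added example of the gateway rule above (this is not code from the newsletter or from the PDFZone article), here is a first-pass inspector a mail gateway could run over a PDF attachment: an encrypted, password-protected PDF is blocked because the gateway cannot look inside it, and a PDF that carries clickable links is quarantined so the URLs can get the same reputation checks as links in the message body. The name objects it looks for (/Encrypt, /URI, /ObjStm) are defined by the PDF format; the verdict names, the policy, and the sample PDF skeletons are assumptions constructed for the example.

```python
import re

# Added example, not from the original page. Policy is the column's:
# encrypted PDFs are blocked outright, PDFs with links are quarantined
# for URL checks. Verdict strings and thresholds are assumptions.

PDF_MAGIC = b"%PDF-"
ENCRYPT_RE = re.compile(rb"/Encrypt\b")        # encryption dict referenced from the trailer
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")     # link action: /A << /S /URI /URI (url) >>
OBJSTM_RE = re.compile(rb"/Type\s*/ObjStm\b")   # compressed object streams (PDF 1.5+)


def inspect_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes for gateway-relevant features without rendering."""
    if not data.startswith(PDF_MAGIC):
        return {"is_pdf": False, "encrypted": False, "uris": [], "opaque": False}
    return {
        "is_pdf": True,
        "encrypted": ENCRYPT_RE.search(data) is not None,
        "uris": [u.decode("latin-1") for u in URI_RE.findall(data)],
        # Caveat: since PDF 1.5 the annotation dictionaries holding /URI
        # actions may sit inside compressed object streams, where a raw
        # byte scan cannot see them. Flag such files for a full parse.
        "opaque": OBJSTM_RE.search(data) is not None,
    }


def gateway_verdict(data: bytes) -> str:
    """Map inspection findings onto a gateway action (hypothetical policy)."""
    f = inspect_pdf(data)
    if not f["is_pdf"]:
        return "reject"        # declared a PDF but is not one; treat like any type mismatch
    if f["encrypted"]:
        return "block"         # cannot be inspected, so it does not get through
    if f["uris"] or f["opaque"]:
        return "quarantine"    # links need URL checks; object streams need a real parser
    return "allow"


def _pdf(body: bytes, trailer_extra: bytes = b"") -> bytes:
    """Assemble a minimal constructed PDF skeleton for testing (not a real document)."""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
            + body +
            b"trailer << /Root 1 0 R " + trailer_extra + b">>\n%%EOF\n")


# Constructed samples: a plain page, a page with a link annotation, and an
# encrypted file whose trailer references an /Encrypt dictionary.
PLAIN_PDF = _pdf(b"")
LINK_PDF = _pdf(b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 120 20] "
                b"/A << /S /URI /URI (http://example.com/verify-account) >> >> endobj\n")
ENCRYPTED_PDF = _pdf(b"5 0 obj << /Filter /Standard /V 1 /R 2 >> endobj\n",
                     b"/Encrypt 5 0 R ")

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_PDF), ("link", LINK_PDF), ("encrypted", ENCRYPTED_PDF)):
        print(f"{name:10s} -> {gateway_verdict(sample)} {inspect_pdf(sample)['uris']}")
```

The scan is deliberately a raw byte pass so it is cheap enough to run on every attachment, which is also why it must hand off anything containing object streams rather than declare it clean.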
The Laundry List
- Will browsing in a virtual machine protect you? Probably, but not always. This is a good tip from Ed Skoudis - SearchSecurity Tip [9] [10]
- Trend Micro wins an anti-spam bake-off? Huh? Guess they had the time machine set for 2004. - Trend Micro press release [11]
- Barney alert. PGP shacks up with Intel to do something at some point. We're all a big happy family, eh? - PGP press release [12]
- Clearswift is still around? I guess so, they updated their web filtering gateway. - Clearswift article [13]
Top Blog Postings
http://www.symantec.com/enterprise/security_response/weblog/2007/05/big_corporations_and_bots_a_ma.html [14]