Incite Redux - July 13, 2007
Good Morning:
Knock knock. Who's there? Real life. Real life who? Real life dumb ass. You better enjoy your last day of vacation because in a scant 36 hours you'll be back home to the sweet sound of screaming kids, the reality of bills to pay, and the general mayhem that is your daily existence.
Of course it's not that bad. Since I'm a big fan of change, if I wasn't happy - I would change it. But I'll be glad to get home and sleep in my bed, hug my kids, and get back to what I do best - pissing people off with my magic fingers and an Internet connection.
Since I'm writing this over a week ago, I have no idea if the weather has been good or bad this week. If the facilities were top notch or just overpriced. Or if I've gotten through the 2 or 3 books I brought along for the trip. But no matter, I'm sure the vacation was wonderful. Even a crappy vacation is usually better than the same old same old.
I'm hopeful that I'm tanned (as much as a pale face like me is going to tan anyway), relaxed and rested. That being away has made me appreciate how lucky I am and got me to focus on appreciating the good, not just fixing the bad. Overall I'm doing pretty OK and a week away from home is usually a good reminder of that.
But it's time to get back to business. It's not just what I do, it's what I love. I'm lucky to be able to make a living from doing something that I really enjoy. So enough of this vacation stuff. Let's get ready to rumble. The TDI is back - on MONDAY.
Have a great weekend.
Incite #9: Help Wanted: Fortune Teller
CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.
Read the original Days of Incite post on this topic.
6-month grade: C-
Security researchers are the new rock stars. They sneeze and 500 bloggers write about it and soon after the technology trade press starts buzzing. Put Thomas Ptacek and Joanna Rutkowska in a mud ring and let it start to fly. And anyone with a fuzzer can now claim security researcher status.
The reality is, I run the risk of whiffing on this Incite because I overestimated the ability of the researchers to do relevant work. Fighting over whether hypervisors are exposed? Makes great news fodder, but close to 100% of the devices out there DON’T have hypervisors running. So how does this research really help customers do their jobs better?
I know, I know. If we don't do the basic research, then we won't be ready when a new, innovative attack happens. I guess I'm just a little bit bored with all this theoretical attack mumbo-jumbo. I think a lot more folks should be focused on helping to understand today's attacks, as opposed to thinking about tomorrow's. After all, unless we get through today - there is no tomorrow.
Most of "today's" research analyzes the latest patches from Microsoft, Apple and Oracle – big whoop. Sure, helping a user to understand which patches to apply and which not to is valuable. But it seems the answer is just do them all because lots of folks have tools to make that a one button endeavor.
The Month of X bugs projects have been pretty useless too. Why? It seems the hackers have gotten lazy. They are content waiting for the patch cycle, reverse engineering the exploit, and 0wning the dummies that can’t figure out how to apply the patch in a timely fashion.
The most exciting exploit announced was Dino Dai Zovi’s Safari bug, which turned out to be a Java problem in QuickTime. The only reason that even exists is because of the $10,000 bounty. It’s just not interesting otherwise.
And then you get the potential liability around disclosure. Presentations at security conferences are routinely canceled now under the threat of litigation. Most of the researchers work for small shops and it’s not in their best interest to play chicken with a multi-billion dollar vendor with scads of lawyers. It’s easier to cancel, take the PR benefit (since everyone talks about the fact that the session was canceled), and move on to the consulting work that pays the bills.
I guess we just haven’t found the business model that makes security research pay quite yet. It’ll happen because it needs to. Mr. Market will ensure that – but unfortunately it probably won’t be in 2007.
Incite #10: Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Read the original Days of Incite post on this topic.
6-month grade: D
Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation on stone tablets emerges from Mount Sinai to save everyone.
Even though there has been precious little enforcement, hardly any recent perp walks, and increased scrutiny on security expenditures (yes, that is happening), nothing is derailing the compliance juggernaut.
So it’s time for me to move to Plan B. Let’s figure out how to use compliance in the most effective way. How to play on the continued fear and get what you need, while sending the bill to the compliance guy. Basically much of that is outlined in the Pragmatic CSO. The process is pretty simple. Find out what is important to the business, protect it, communicate your successes and make deposits in the credibility bank. You can trade your credibility currency for compliance money when you need something.
Sounds too simple? I thought so too. But it's not. For about 5 years running the death of compliance funding has been greatly exaggerated. I’m no bandwagon jumper, but it’s time for me to accept reality and pull the splinters out of my backside.
Compliance will remain a factor for a 2-3 year planning horizon. Now I need to go get some Tums, since eating crow wreaks havoc on your digestive tract.