July 16, 2007 - Volume 2, #104
Good Morning:
I remember when I was a kid, growing up outside of New York City and
there was a pretty serious winter storm. I remember a couple of feet of
snow. Being maybe 10 or 11, I guess my Mom coaxed me to attempt to
clean the driveway. We had a snow blower, but I wasn't old enough to
use it. So I dutifully went outside with my shovel and in a massive
effort of futility tried to move the snow. The more I moved, the more
seemed to be there.
What does this have to do with anything? No, I didn't leave my brain on
vacation. A week in the tropics certainly didn't make me yearn for the
snow either. But as I started this morning digging through the stuff
that accumulated during my vacation, I had the same feeling. The more
times I hit "J" in Google Reader, the more stuff seemed to be there. The
more things I tagged in del.icio.us, the more I needed to tag. So it
will be a multi-day process to dig out.
I had to acknowledge that because it was already noon before I looked
up and figured I should start writing and leave some of the reading for
later. I guess I shouldn't be surprised, but I
am. It's been so long since I've really unplugged that I guess I forget
about the sheer volume of stuff I process on a daily basis.
The vacation was outstanding, thanks for asking. After 13 years, the
Boss and I still have
fun together. I'm a lucky guy. Not that I expected anything different,
but we spend so much of our daily existence keeping the ship afloat
that sometimes you forget the carefree days before big mortgages, kids,
and other grown-up responsibilities.
For those of you looking for a place to unplug from the world, I highly
recommend the Four Seasons in
Nevis, West Indies [1].
We did splurge, but wanted to celebrate 10 years of marriage in style.
It being the low season, there weren't many folks around -
which was great by me. The last thing I want on vacation is to be
surrounded by the chaos and activity that I get every day. It has
maybe the best golf course in the Caribbean, though I didn't play
during the week. I was too busy hanging out on the beach or by the
pool, doing some snorkeling, and not worrying about much.
In case you are wondering, I was able to unplug almost instantly once
we left the US. That was a new experience for me, but whatever stress I
have is now self-imposed, so I wasn't worried about anyone poking me in
the eye (besides the Boss). It was great not spending the first 3 days
of the vacation trying to relax. I got through 3 books (Barry
Eisler's The Last Assassin [2], Ludlum's
The Janson Directive [3], and
Cussler's
Trojan Odyssey [4]) and
outlined my summer project, but I never felt the proverbial anvil over
my head. Maybe that's because I left the anvil behind at my last "job",
and that's a really good thing.
And I can also say that VoIP is truly a disruptive technology. We
brought the Boss' laptop because I didn't want to be tempted having
mine around and used it to call the kids. Sure the high speed access
cost $15 per day, but other calls to the US cost a whopping
$.02/minute. We used Gizmo, though I'm sure Skype would have been fine
too. I loaded up $10 at the beginning of the week and we still had over
$7 left at the end. And we checked in every day. Better yet, I didn't
get raped after an hour on the phone with Delta to change our flight
home.
Compared to the $1.49/minute that cellular roaming would have cost or
the even more outrageous hotel international calling rates, it was a
real deal.
Of course, I missed the big Google/Postini deal, but I'll add my two
cents below. I'll also weigh in on the ROI discussion started up by the
Zen Master as well. Lots to do, but that's good. I am
refreshed, sort of tan, and ready to jump back into the fray. Though a
week on the beach doesn't suck, it would get old after 3 or 4
months. Sharing my Incite never seems to get old. That's my
story and I'm sticking to it.
Have a great day.
Top Security News
Google's
$625 million acquisition of Postini [9],
one of the most promising security IPO candidates. Most of the
conversation around the deal centered around Google's focus on
Microsoft, and that is clearly one of the key drivers for the deal. But
let's hope (for their sake) Google does a better job with Postini than
Microsoft did with FrontBridge. After thinking about it for a bit, I
think Chris
Hoff has it exactly right [10].
Google realizes bandwidth is plumbing (and not highly valued), and thus is
focusing on building out a new "application network" targeting small
business. Though I don't believe they are focused on compliance, as
this article
would lead you to believe [11]. Google
correctly views security as a feature of its other stuff, which it is.
So it'll be built into all of their business oriented applications.
Thus I suspect Google will continue to buy security stuff that works
with their
Web-centric model. And these guys are like Microsoft 15 years ago.
Iterating
like crazy and getting it done. Being a security guy, the idea of all
my business data in Google-land is still disconcerting, and their
ability to natively and cleanly sync with the Blackberry are real
obstacles for me - but they will fix those issues and I suspect within
2 years have a suite of services that will allow a guy like me to shut
down Office and turn off Exchange and embrace my Web-top. Let's
also look at some derivative impacts. It seems that MessageLabs and
Proofpoint
are the last email security players of substance left. I'd be surprised
if either was still independent at the end of the year, and I'm
not alone [12]. Sure there are a
bunch of other players, but Barracuda is the other large one and they
would have some issues integrating their business model into an
acquirer. And everyone else is really too small to make an impact. So
good for Postini and good for Google, who is clearly a player to be
reckoned with across the technology landscape.
via
the channel [13] anyway. $50
million is the tip of the iceberg [14]
and SYMC and MFE are exposed. Big AV can protest all they want, but
Microsoft will be a player in the endpoint security market and they are
going to take their pound of flesh from someone. To really kick the
incumbents below the belt, if I were Microsoft's BD guys, I'd be
looking at Bit9 or Sana for the behavioral stuff and maybe Exploit
Prevention Labs to add LinkScanning to the mix. Bundle those in and
watch Big AV squeal. Kind of like in Deliverance. Now that's a nice
mental image, eh?
NetworkWorld
coverage of a law firm missing
a big hearing because the notification was caught in the spam filter [15]
is very funny. Unless you were involved in the case. It's amazing to me
that some folks don't take very simple precautions to ensure this stuff
doesn't happen. So I'm all for tightening up your defenses, especially
relative to spam, but be smart about it. Figure out what 10 or 20
domains YOU CANNOT BLOCK and set up white list entries. You don't want
to white list everything, but something from "federalcourt.gov"
probably should be let through, even at the risk of it being spam. And
have your users monitor their quarantines. Nothing is 100%, so you need
to keep the technology honest. Sure it takes up some time, but not
nearly as much as explaining to your client why you blew the case.
The Laundry List
- Web 2.0 content filtering? Startup Techrigy announces a buzzword compliant service that tracks what folks are saying on blogs, etc. This is not novel sports fans, lots of folks already do this, but if it's priced to move it could be interesting. - InformationWeek coverage [16]
- Web access to Outlook, NOT OWA? This is a train wreck waiting to happen. IIS on personal machines and little word towards security. I have another idea, it's called remote control. Ever heard of GoToMyPC? - SearchExchange coverage [17]
- Talk about padding the results. Looks like bots like Windows Live Search better. Has Nielsen figured out how the bots are watching Survivor yet? - InformationWeek coverage [18]
- Free as in Beer. Here is PC World's list of 15 free security tools. It's a good list for your family because the price is right, but the free stuff won't do for corporate use since you need to manage it, eh? - PCWorld coverage [19]
Top Blog Postings
case
study on how to try to make the case
for monitoring [20], especially when you are resource and money
constrained. Then having the discussion expanded by the likes of Alex
Hutton [21], Cutaway [22]
and Ken
Belva [23], Richard unleashes both
barrels in two posts (No
ROI? No Problem [24] and Security
ROI Revisited [25]) in
justifying a statement at the end of the case study post that should
already be self-evident - "The
bottom line is that security saves money; it does not create money."
Now Belva and I got into it a bit last year, and we agreed to disagree.
And I still pretty much disagree with these attempts to "quantify" the
value of security. So how do Pragmatic CSO's justify monitoring, which
is a key aspect of the operational process? It's all about reacting
faster. Can you mitigate damage faster? You do a few scenarios to
"show" how money can be saved by fixing stuff faster. Are the scenarios
trumped up and theoretical? Let's hope so because if you are using real
data, odds are your predecessor has created quite a mess for you to
clean up. But that's part of the game. In reality, P-CSO's sell their senior
team on a PROCESS and get them to buy into the process by running their
security operations as a business. Spending a lot of time to really
quantify risk and build an air-tight business case is (in my experience
anyway), time you are not spending doing your job.
http://taosecurity.blogspot.com/2007/07/network-security-monitoring-case-study.html [26]
http://andyitguy.blogspot.com/2007/07/slow-blue-poop-security-model.html [27]
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/07/nac-and-voip.html [28]