Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - September 20, 2007

By Mike Rothman
Created 2007-09-20 09:57
Today's Daily Incite

September 20, 2007 - Volume 2, #134

Good Morning:
What's the difference between Bill Belichick (the coach of the NE Patriots) and pretty much every other coach in the NFL? Besides 3 Super Bowl rings, that is? He got caught. That's right, he got caught. You don't think every other team has spies in the stands trying to decipher signals to gain an advantage? Of course they do. I'm sure many also use video, as Belichick did. But Bill got caught and now he's a villain.

I did a little rant a few days ago about "hating your competitors," [0] especially relative to competitive intelligence. Given that the Belichick story won't seem to die, and that the security business is VERY competitive with everyone looking for an advantage, what is fair game and what isn't? And if you are an end user, how can you know what is real and what isn't and, most importantly, whether it matters?

I could write a book on this topic. Maybe I will, but I've got my hands full with Security Mike [1] for a while, so I'll try to summarize fairly quickly. As I mentioned on Monday, no one can assume the competition doesn't know all about your stuff. I don't care what business you are in. You have competition and you need to assume they know all about your stuff. That means you need to know about their stuff.

So how do you do it? Let me use security as an example. You need a box. It's most helpful if the competition will just sell you the box. Barracuda did. It was nice. Drop shipped it right to our offices. The other folks, not so much. So we had to be creative. I can't say much about this kind of creativity until the statute of limitations runs out, but suffice it to say the resellers can be your friends. I also know of an instance where a so-called "independent reviewer" procured a box to review and sent it to a competitor. I guess that's kind of being creative too. In a "2-5 year with an option for parole after 18 months" way.

Once you get the box, you need a lab. You need to bang on your competitor's box and find out where it's strong and where it's weak. Then you need to help your field teams understand that information and use it to your advantage. And at times, some of the competition will lie about what they've found about your box. Sometimes they'll just make things up. If you are a vendor, that's why your SE's are probably the most valuable employees that you have. They need to know how to overcome those objections and make sure you get a chance to be evaluated.

In enterprise sales cycles, it's all about the eval. Especially in security. So do whatever you have to do to get the eval. Make sure your SE's can make the box dance. And also understand that all the competitive posturing in the world isn't going to help if you've lied to the customer about what your box does and what the competition's doesn't. The eval doesn't lie.

If you are a customer, do you care about this stuff? The answer is a resounding no. You are worried about solving your technology problem and if the vendors are more focused on their competition than solving your problem, then you probably aren't talking to the right vendor. And define your long list quickly and get to the eval. The longer you wait and let the vendors snipe at each other, the more confused you are going to be.

The moral of the story is this: Everyone is doing it, so you need to as well. Belichick got caught, but let's be clear, everyone is trying to steal the other team's signals and get access to their game plan. Same goes in our security industry. Some are more ethical than others, but at the end of the day - you can't be competitive unless you have that information. If that makes you queasy, then you probably should find something else to do.

And with that, it's time to get back to work. Have a great weekend.

Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]


Top Security News

If the details in this blog post from Paul McNamara [10] are true, then Ameritrade has got a lot of downside liability to deal with relative to the data breach announced this week. At first it was like, "big whoop, another data breach." But if Ameritrade basically ignored warnings that their data had been compromised, they are going down the river and they don't have a paddle. Do you see the class action vultures flying over the mountains? This could keep them busy (and fed) for quite a while. The problem is that Ameritrade is playing dumb. They better have a lot of documentation that they took the issue seriously, did an investigation, and found nothing to worry about. If not, then they've got a lot of explaining to do. I guess their forensics guys could find that the bad guys took another route to pwn the machines, but even so, it wouldn't mean the first notification wasn't real as well. Ultimately we are all waiting for the forensics report, and then the vultures will know where the feeding frenzy will be.
Link to this [10]

IronPort recently announced they have done some work to increase throughput by more effectively using Intel multi-core chips [11]. An 800% increase? Who knows and who cares? I really hate that "mine is bigger than yours" positioning and marketing. The point is that it's not clear that vendors are going to get an appropriate return for taking on the risk of building their own chips. That doesn't mean you'll be able to get a 10 Gbps IPS by loading some open source software on the old Pentium 3 you have in your closet. There will still need to be other packet acceleration technologies involved (especially if decoding SSL traffic is a requirement), but for a lot of the compute activities, your standard PC chips are going to do great and continue following Moore's Law (or some less aggressive corollary). Lest you think I'm all about software on standard hardware, I'm not. Ultimately customers want SOLUTIONS to their problems, so they expect the vendor to integrate everything and tie it up with a nice little bow on top. It's just not clear that there is a lot of value in spinning ASICs anymore.
Link to this [11]

Raytheon bought Oakley Networks, which does DLP [12]. Oakley has always been strong in the Fed space, so there is synergy with Raytheon, but this is a pretty strange combination. Clearly monitoring your data usage, making sure it doesn't leak, and then being able to investigate an issue is pretty important for some of the Federal agencies, but it's not clear that Raytheon is the kind of organization that is going to be able to move fast enough to keep pace in an emerging, dynamic high-tech market. So we'll see, but there is very little history of emerging technology actually prospering in a beltway-bandit type of environment.
Link to this [12]

The Laundry List

  1. Great, now it's time for next generation DLP. We've hardly deployed first generation, but Orchestria thinks they can "dramatically reduce enterprise risk." How so? Delete all the data? I hate these kinds of releases that promise the world and deliver nothing but unsubstantiated claims and two analyst quotes because they couldn't get a customer to say anything. - Orchestria release [13]
  2. A smart VPN, that's novel. Verizon can recognize your mobile device and place it on a VPN within their carrier network. - InformationWeek mobile blog [14]
  3. Guess Maynor's gag order from SecureWorks expired because he's published the details of the Apple wireless exploit. It's been patched, this isn't news - but it remains an instructive lesson on how security researchers can be used as punching bags.  - PCWorld release [15]
  4. PCI day of reckoning is upon us. The deadline creates lots of scrambling, but will it be enforced, especially beyond Tier 1 merchants? That's the real question. - Mark Tordoff's blog [16]

Top Blog Postings

http://spiresecurity.typepad.com/spire_security_viewpoint/2007/09/am-i-a-modeler-.html [17]
Link to this [17]

http://taosecurity.blogspot.com/2007/09/comment-on-netwitness-article.html [18]
Link to this [18]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-20-2007