October 11, 2007 - Volume 2, #141
Good Morning:
Gosh this week has just flown. When you are spending many hours a day
knee deep in screen shots, portals, and other consumer-oriented
security stuff, the time just flies by. It's funny, but I took for
granted how hard it is to make complicated stuff seem simple. As I'm
preparing the steps for Security Mike's Guide [0], I gain a
true appreciation of the things that I previously took for granted.
Like what the Control Panel is. Or how to log into the wireless access
point. As I was working with my test group, it became apparent
what a huge undertaking it is to remove the complexity of dealing with
today's computer systems. Basically I can't. All I can do is try to
give as specific instructions as I can because Windows is FAR more
complicated than it should be. I've said it before, but it doesn't just
work.
I am really jealous of the folks that make it look easy. Like Dave
Grohl of the Foo Fighters. I got to see them live last week and it was
just a great show. In a small venue (the Tabernacle in ATL) with a few
thousand of my closest (and seemingly sweatiest) friends, the Foos
played for 2 hours and did a great job, especially since it was only
the 2nd stop on their new tour. They made it seem easy and a good time
was had by all.
Like when you see a talented hacker sit at the keyboard and break into
stuff. It seems so easy until you take the controls and draw a blank.
How do I do a SQL Injection again? I always had great respect for the
Sales Engineers in the companies where I worked. Those were the guys
that made the difference and in many cases closed the sales. Maybe not
the contractual stuff, but if these guys couldn't make the box dance on
its side, the deal was lost. And most of the products I've brought to
market were REALLY complicated, which made a skillful SE that much more
important. They had to make it look easy because no customer in their
right mind (unless they are on the lunatic fringe) would take a product
they know to have mind-numbing complexity.
I may be giving away a huge secret here, but that is one of my best
landmarks to understand where a market is. Can an IT generalist that
works in a mid-market company deal with the technology? In anti-spam,
it happened pretty quickly. In DLP, not yet. Thus one becomes a mature
market in record time, and the other grows at a good pace, but not an
exponential pace. NAC is in the same boat. Most folks still need a PhD
to get 802.1X to work and although not a firm requirement for NAC, the
two tend to go hand in hand - for the early adopters anyway.
So every time a vendor tells me their market is exploding, I ask how
many customers they have, what is the typical size of their customers,
and what is the average deal size? From those three questions I can
generally get a feel for whether a market is 12 or 18 months from mass
deployment or if the entire market will never cross the chasm.
Since I've given you one of my closely guarded analyst techniques, I
assume you folks will write the Incite on Monday, OK? I'll be spending
the weekend coming up with some new analyst tricks since I've got to
stay one step ahead.
Have a great weekend.
Technorati: Information Security [1], CSO [2], Security Mike [3], Internet Security [4]
[5] The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [6]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com [7] [8]
Top Security News
finally done with the "rolling review" of
web application scanners [9]. I'm kind of happy that I didn't
stay up late to get the results in from the West coast, like on
election night. Not that the analysis isn't good and very helpful - it
is. But it really can't take 4 months to state that the tools aren't
really ready for prime time. They like Watchfire's ability to handle AJAX [10]
and the user experience of Acunetix's offering [11].
In fact, all of the products had some strengths, but don't expect that
scanning your web apps will be as hands off as doing a network scan.
Qualys these tools ain't. But maybe in 5 years they will be mature
enough, assuming that the new parents of the big guys (IBM and HP)
continue to invest in the scanners, which is not a foregone conclusion.
Now if I could only put these reviews on my Tivo or maybe wait for the
entire season to show up on NetFlix. The one episode at a time thing
just doesn't work for me. But it is all about selling advertising, so
maybe the serialized review is here to stay.
Link to this [11]
promising to inform customers of bad
behavior on their consumer ISP [12] (via Larry Seltzer [13]). The analysis from
Danny at Arbor that I recently highlighted showed that the numbers are
starting to look ugly for ISPs intent on keeping their heads in the
sand relative to zombie machines on their network. The good news is
that someone is doing something. I wish they would actually commit to
removing these folks from the network, as opposed to just "informing"
them and helping them get clean - but it's a start. The bad news? Qwest
is a marginal player and it may help them fight off Comcast in Denver,
but it's not going to help enough folks, nor put much pressure on the
bigger ISPs. It'll be interesting to see how this shakes out, as once
someone proves that there is actually an economic benefit to having a
cleaner network - the other ISPs may need to step up.
Link to this [13]
this NetworkWorld profile of a SaaS provider
that has outsourced their data center [14]. Most of these folks
are in the software business, not the data center business - so I'm
cool with it. That being said, a SaaS that holds my sensitive data is
responsible for my sensitive data. These folks should have an in-house
(not outhouse) CSO that is ultimately accountable to make sure my data
is protected. They need to ride herd on the outsourcer. I'm all for
outsourcing, as long as I have one throat to choke.
Link to this [14]
The Laundry List
- Maybe you can get back to selling? Websense announces a light revenue quarter, I guess they were a little distracted by acquiring the Red Coats. With $80 million in merger synergies to be found, I think there will be a lot of red on a lot of coats in web filtering land. Headhunters start your engines. - Websense release [15]
- Enterasys becomes the latest IPS vendor to throw down a 10Gbps gauntlet. And all starting at a cool $175,000. If you have $175K lying around, there are probably more effective places to spend it than a big honkin' IPS. - NetworkWorld coverage [16]
- Use it or lose it? How about return it? There are no awards for spending all the money, especially if you don't need it. And your CFO will love you. - SecureWorks blog [17]
- Cost of data breaches to increase, according to the G. Way to go out on a limb there folks. And to think, people paid $2000 to go to Symposium to hear nuggets of wisdom like that. - Gartner release [18]
Top Blog Postings
http://chuvakin.blogspot.com/2007/10/more-on-ftp-or-again-and-simple-user.html [19]
Link to this [19]
IFOCE [20])?
Me too. Trying to figure out what the eaters do with all those hot dogs
isn't very interesting, but it definitely beats being the lone wolf
within a hot Web 2.0 start-up saying "hey guys, shouldn't we be
protecting against 45 year old perverts soliciting our 13 year old
neighbors?" As Rebecca Herold points out, security in a Web 2.0 world
is a misnomer. Since everything is user generated, and there is no real
identity system - you basically have no idea what is going on. I don't
see how the problem is going to get better either. That fine line
between forcing verification (and detracting from the conversation) and
the wild west of anonymity that exists today is more like an ocean.
Alas, we can't have it both ways either. We can vilify folks like
Facebook for having no controls, but at the end of the day they are
just laying train tracks. It's not practical to think they'll be able
to check the background of everyone that gets on the train.
http://www.realtime-itcompliance.com/privacy_and_compliance/2007/10/who_would_want_to_be_a_ciso_or.htm [21]
Link to this [21]
http://www.emergencemarketing.com/archives/2007/10/are_the_4_ps_still_releva.php [22]
Link to this [22]
http://securitymike.blogspot.com [23]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [24]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [24]