Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - January 24, 2008

By Mike Rothman
Created 2008-01-24 07:15
Today's Daily Incite

January 24, 2008 - Volume 3, #8

Good Morning:
I got a number of notes over the past few days wondering why I didn't mention the G-men victory and trip to the Super Bowl. It turns out I'm still in a state of shock. A number of folks told me they didn't have a chance in the frozen tundra of Lambeau, and candidly sending Dallas to the off-season was enough for me. Of course, I was rooting hard for my boys, but I was OK with whatever the final score was.

And then the G-men won. I didn't intentionally forget to mention it on Tuesday. With the holiday and all the other stuff floating around in my restricted gray matter, it just didn't happen. Now the anticipation builds. Scarily enough, a lot of the pundits are saying the G-men have a chance. A better chance than they did against the Pack. That'll teach you to listen to pundits. Guess they seem to forget that the Pats are 18-0. I just want the game to be competitive.

[Image: NYG - NE Super Bowl shirt] [1]

But it brings up a bigger thought. What is good enough? The Giants are in the Super Bowl. Is that a good enough outcome for the season? Should I just be happy that the team got to the Big Show?

What about with your own life and job? Many of us are "high achievers." That means for some unknown reason we push and push and push and push and then probably push some more. We fight against internal expectations that don't always seem reasonable, or even useful. 

Yet we do it anyway. I know I do. I've worked for some brutal bosses in my time. Relentless. I mean really relentless. No matter what you accomplished, the expectation was for more. Hardly even a thank-you or an atta-boy for super human feats.

Now I work for myself and I find my boss (that's me, not THE BOSS) to be pretty relentless as well. I find that I can't help it. I want to grow more. I want to do more. I want to do it faster. I'm not sure why, but I do.

At some point, I'm hoping to control those inner demons and learn to be content. Not necessarily satisfied, but content with what I achieve. Every so often I'm able to do that, certainly more now than when I had a "job." I'm making progress, but I'm not there yet. I need to keep working towards a balanced existence. So if the G-men win, I'll be ecstatic. As long as the game is competitive, it'll be a good day. Even if they get blown out, I'm going to try to be happy also. There are 30 other teams that will be sitting on their cans on Feb 3. My favorite team is not one of them. There is something to be said about that.

Don't worry, be happy - and have a great weekend.



Top Security News

this project to scan a bunch of open source software, which is described in this SC Mag article [10]. Of course the service provider, Coverity, found a bunch of stuff. That's not a surprise. At least it shouldn't be. If you scan software, you'll find holes. The even better news is that the open source projects are taking that feedback seriously and working hard to fix things. This is how the system gets better folks. Thanks DHS. That was money well spent.

Joel Snyder does a pretty flattering review of SourceFire's latest in NetworkWorld this week [12] and it's pretty instructive. I also recently got a pretty detailed demo of SourceFire's latest and integrating behavioral data, signatures, and user information does help to narrow the scope of what security admins need to worry about. The technology is finally maturing enough to be useful and helpful in building a perimeter defense. Note that I said "perimeter defense" because I don't think it's cost-effective at this point to deploy IPS everywhere. Not with the current sensor-based model. As IPS and NAC and LAN switches continue to merge, some of this capability will be baked into the fabric of the network, and then it'll make sense to deploy enterprise-wide. When is that? Given the economic backdrop, I suspect many companies will be pushing those LAN upgrades out a bit.

Bill Brenner comes to the conclusion that NAC is just immature [14], assembling a bunch of data points to show that folks have decided to wait before jumping headlong into a NAC implementation. But let's get back to the fundamentals. Is host integrity checking important? Do you want to know who and what is connecting to your network? Yes. Is access control important? Do you want to make sure that whoever is allowed to connect is allowed to get to only stuff they are authorized to see? Yes again. Those are the two fundamental value propositions of NAC. Here's the rub. NAC is not a stand-alone function. What those users were really saying in the article is that they don't want to build yet another security layer. That's pretty consistent with the conversations I have. What NAC does is important, but it needs to be built into the network infrastructure for the capabilities to really take off.

The Laundry List

  1. A Lotus branded email security box? No kidding. Lotus now rebrands some of the ISS technology to get into the spam appliance game. Seriously. They should bring that time machine to market, since they are about 5 years too late. - CRN coverage [16]
  2. The Big Yellow announces strong Q4 earnings and decent guidance for 2008. International growth is the engine, and it seems they'll be spinning off some more stuff. - Reuters coverage [17]
  3. CheckPoint also weighs in with a good Q4 and decent guidance. They also indicate that they'll be doing some more deals. Hmmm. Big is the new small, eh? - Check Point release [18]
  4. McAfee integrates DLP and encryption into their endpoint offering. Yep, integration is happening at multiple layers of the stack. - McAfee release [19]

Top Blog Postings

http://jeremiahgrossman.blogspot.com/2008/01/lets-talk-web-application-firewalls.html [20]

here [22] and below) about client virtualization and server virtualization and NAC and the like, I just get the sinking suspicion that we are moving back to the terminal to host mentality. Let's step back into the time machine and think about security back then. It was all about O/S level security and fine-grained authorization (remember RACF and Top-Secret?). We didn't worry much about the network because our hosts had a distinct connection. LANs screwed that up quite a bit and the Internet blew up the model. But if we play out this terminal/host thought, the network is no longer relevant - as long as I know who is connecting and making sure they only get access to the right stuff. Is that NAC? Functionality-wise, the answer is yes. But not as the current NAC industry delivers the product. It's more like AC. Just drop the N, since in this world, all networks are created equal. It is about access control, just not network access control. Yes, that's an oversimplification, and it will take years to get there. But those that forget history are doomed to repeat it.
http://rationalsecurity.typepad.com/blog/2008/01/client-virtuali.html [23]

http://www.oreillynet.com/onlamp/blog/2008/01/what_have_you_changed_your_min.html [25]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-january-24-2008