July 3, 2008 - Volume 3, #62
Good Morning:
It's really cool when your kids hit milestones. For instance, yesterday
the tooth fairy came to visit our house for the first time. And quite a
visit it was, since my oldest has been a bit "slow" on the tooth front.
So our dentist removed 4 in one fell swoop to make room for the two
that already emerged behind the baby teeth. So at least now we can ditch
the shark costume we had picked out for October.

So the fairy comes (with handwriting amazingly similar to the Boss) and
leaves an envelope filled with a $20 spot. Four teeth * $5/tooth
(evidently inflation strikes everywhere) and the kid is cleaning up.
She was happy and that is all that matters.
Of course, when thinking about the costs of dental care, I'm not happy.
And it's not the $20 tooth fairy tax. Of course, you can't have a kid
with teeth like a shark - so we had to do something. But dental
insurance is a total joke. Except it's not funny. I carried a policy
last year and paid out a ton in premiums. Given the deductibles and the
"usual and customary fees," which evidently aren't really customary
where I live - I got maybe 10% of the dental costs covered by the
policy. Yes, that's crap.
As I've described before, once I got out of engineering school - my
math skills went down the tube, but even I can see this is no deal. So
I dropped the dental and bought a discount card - which gives me better
pricing at a couple of local dentists. After our costs this week,
we are already in the positive return column for the discount card.
But it's a real shame that health care costs and insurance are so
screwed up here in the US. I mean really really really really screwed
up. Thankfully, I've been very fortunate and I can pay for decent
insurance (if you call a multi-thousand dollar deductible "decent") and
cover whatever out of pocket expenses crop up. Not many are fortunate,
so they suffer with crappy care or can't get the drugs or access to
specialists that can help them.
Something's got to give because soon enough if my insurance premiums
keep rising at 15% per year (like they did last year), I'll be paying
more for insurance than I bring in. I can only hope that the next
administration takes a look at
the fundamental drivers of out-of-control health costs and tries to
address them. Normally I'm a fan of free markets, but that's clearly
not working in healthcare. Not by a long shot.
So do me a favor and stay healthy.
Have a great holiday weekend for those of you in the US. I'm laying low
a bit during July, so I posted a publishing schedule for the rest of
July [1] yesterday, just so you aren't surprised as I hibernate.
Photo: "Tooth Fairy" originally uploaded by mouse [2]
[7]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [9] [10] |
Top Security News
Greg Shipley to put some SIEM solutions through their paces [11]. And
the results are pretty mediocre. To
be clear, the biggest dog in the space, ArcSight decided not to show -
but the remaining ones were pretty underwhelming. Sure, each had some
strengths, and Q1 (the winner) got some decent props, but overall the
category is still too hard to use, takes too long to set up, and
doesn't deliver enough value without a lot of tuning and integration.
After 7-10 years, that's ridiculous. To me, this is a critical issue
because the security management platform is one of the key aspects to
being able to both REACT FASTER, do investigations, and generate reports
for that pesky auditor. I can only hope (I've been doing a lot of
hoping lately) that the vendors take Greg's issues to heart and
continue rapidly iterating on their offerings. It would also be
interesting to see a Barracuda-like shop enter the market, with a $5K
toaster that is good enough for what most customers want. You know,
gather some data, set some realistic thresholds, and generate some
useful reports. If you need a PhD to set these things up, then someone
is missing the point of the mass market.
Link to this [12]
NetworkWorld has an overview of one person's experience using the
pseudonym Penelope Retch [13]. Great name BTW. What did they learn? That the
unsolicited email is the first step in a very sophisticated and
aggressive set of marketing campaigns. It's sad, but if all of our
respective companies were as responsive in following up as these
fraudsters and snake oil sales folks, we'd all probably double
revenues. Now good luck to Ms. Retch in cleaning up her snail mail,
since evidently she had stuff mailed to her house. I hear they are just
as aggressive at removing the names from the lists as well. But for the
money shot, McAfee aims to prove that all this spyware slows down the
PC. Which means you need something to clean it, eh?
Link to this [14]
Dennis Fisher's latest [15] is probably the best argument that I've
seen showing that Shostack and Stewart's New School [16]
is highlighting a huge issue. I've seen this myself as well. No one in
this business can agree on what to count and even if we could, no one
is willing to share the data. There isn't enough benefit to warrant
real clinical trial type environments to anonymously gather data and
protect the subjects, so we don't. And this means the statisticians
don't have enough relevant data to figure out which way the bubbles are
going. Thus we just muddle through our days, not really sure if we are
good or if we suck at security. Then we jump from job to job because
our bosses and senior management can't figure out if we're good or if
we suck either. I know there are a bunch of folks that are trying to
address the issue, and I was too. But it's pretty frustrating when
people don't want to help themselves. Oh well.
Link to this [17]
The Laundry List
- Aladdin misses big and gets hammered by the Street (down 35% to a 4-year low). Maybe it's time to use one of those three wishes to make the pain stop. - Aladdin release [18]
- Clearswift names a new CEO. Maybe he thought he was going to work for Swift Boat in this election year. But he's not. Good luck with that. - Clearswift release [19]
- Cisco and the other multi-billion club forms a new forum called ICASI to tackle multi-vendor security issues. I guess the TCG didn't have any more room around their table. Not to push Cisco's proprietary standards anyway. - Cisco release [20]
- How long before SYMC and MFE run to Brussels over Microsoft's Equipt bundle of Office + OneCare for $70/year? I'm betting their lawyers are working on their complaint as you read this. But you have to hand it to MSFT for figuring out new and innovative ways to leverage their monopoly. - AP Coverage [21]
Top Blog Postings
http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html [22]
Link to this [23]
http://www.bloginfosec.com/2008/06/27/pci-dss-position-on-patching-may-be-unjustified/ [24]
Link to this [25]
Eric Maiwald reminds us about the need to relate things to business
value [26]. Who knew? That's a big duh, now isn't it. But it's still
important to see it every so often. Then the
irrepressible Grumpy Pete presents 10 metrics he thinks are important.
A lot are focused on transactions and then some hocus pocus stuff like
total number of inline control events and costs of controls. He also
mentions things like total losses. Without reading the entirety of the
research and getting a feel for what these numbers really represent and
how to gather the data - it's hard for me to really assess the
likelihood that many/any end user organizations would have this kind of
data. It doesn't mean we shouldn't be focusing on gathering this stuff.
Maybe we should. I guess I'm still looking for some kind of poor man's
set of metrics. Numbers that are readily available to mid-sized
end-user companies. Data that can be spit out of a SIEM type apparatus (ah back
to my frustration about how hard it is to make SIEM work) or some other
set of tools. But those types of metrics are usually deemed too
unsophisticated to mean anything. So I guess I'll just keep whingeing
and whining. I don't want to be critical of His Grumpiness, since we've
got to keep throwing stuff against the wall to make progress. But we
need to think about the problem from the simpleton's perspective as
well.
http://srmsblog.burtongroup.com/2008/06/your-top-ten-st.html [27]
Link to this [28]