Best Practices

Inciting: SearchSecurity podcast - The Evolving Security Organization

In another segment for SearchSecurity's Identity and Access Management School, I address how the security organization needs to evolve as we see more security capabilities migrate into the network and data centers. Suffice it to say, the security practitioner ends up needing to add value more by influencing than by doing. I'm sure many of you are excited by the prospect of that.

Here is the description:

PODCAST: The evolving Security Organization

As security is further embedded into your network, the roles and
responsibilities of the security practitioner inevitably must change.
This Podcast highlights successful techniques to add value to your
organization regardless of where security happens in the network,
ensuring that the security function thrives far into the future.

The podcast is less than 10 minutes, so I'm talking fast. Which is much different than every other conversation I've ever had.

Check it out: http://searchsecurity.bitpipe.com/detail/RES/1155309686_698.html

 

NetworkWorld Column: Black Hat - No Network is Safe

Submitted by Mike Rothman on Mon, 2006-08-14 08:01.

In this week's NetworkWorld Column, I relay some of my experiences at Black Hat, and most importantly focus on containment. Huh? If there was one thing I learned at the show, it's that every network is vulnerable in some way, shape or form. So you don't want to bet the ranch that you'll be able to keep the attackers out. You also need to ensure that if something does happen, you can contain the damage. You'll need to think about the containment concept at multiple levels as well.

Check it out and let me know what you think:
http://www.networkworld.com/columnists/2006/081406rothman.html

 

EAC Blog: Dealing with the death of the moat

Submitted by Mike Rothman on Fri, 2006-08-04 09:56.
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 15. Link here.
It tends to be hard to describe IT security to folks that only know about email and, maybe, their web browser. So you are always looking for a quick and universal analogy to make the concepts clear. The one I've been using for about 10 years is... the moat.

The moat is great. You put up a nice picture of a castle with a large moat protecting it and people get it. The bad guys are on the outside, so you build a deep, wide gulf between you and them and life is good, no?

Unfortunately, the moat is passé. Thinking about security as a moat no longer works, because you are intentionally dropping the drawbridge to let some of your "trusted" trading partners in to streamline operations. Or, at least, that was the story you were told. What about all of those insiders that have access because they work for you (or are consultants)?

Nowadays, we don't know who the bad guys are. So a deeper and wider moat is not really going to help. This phenomenon is called "de-perimeterization" in the trade. I'm not sure who came up with that term, and it kind of sucks, but it's what we've got. Suffice it to say, you need to spend some time focusing on how you are going to protect your environment when the bad guys can be anywhere. Literally.

So now you need to look at security from two perspectives. The first is "outside-in," which is still important. Bad guys are still out there, and, if you let your guard down, they'll compromise your defenses, turn your machines into zombies and steal your private data. Although the moat is no longer sufficient, it's still necessary.

The new wrinkle here is something that my pal Ted Julian (over at Application Security) calls "inside-out." Basically, you need to figure out how the data is used, who has rights to it, and a way to protect it. This is more art than science right now, and sometimes there aren't good answers. You should be thinking about how products in the database, content, and web application security spaces are potential solutions.

I've come up with a security architecture, called "Pragmatic Security," that aims to simplify how we talk about security, and make the point regarding the need to treat your infrastructure (outside-in) differently than your data/information/content (inside-out). Check out that post here. Of course, the lines blur at times, but this model has been well-received by folks trying to restore order to the chaos.

As disappointed as I am to not be able to explain security with the moat analogy anymore, I think it's good for the business. Maybe now we have to talk about two moats: one protecting the perimeter and one for the data center. Not sure it gets there, but it's a start.

EAC Blog: Thinking positively about security

Submitted by Mike Rothman on Tue, 2006-08-01 16:59.
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 13. Link here.
Over the past week or so, I hope you've gotten a feel that I'm not really a touchy-feely type of guy. And I need to work hard to be optimistic about things because I'm wired to find problems and try to figure out solutions. It makes my wife crazy ("Can't you ever just be happy?!?!"), but that trait also makes me well suited to being an analyst.

But this isn't about optimism or even pessimism; it's about securing your networks and critical information assets. If something goes down, the only touchy-feely you are going to get is a boot on your backside. Wishing your network is secure doesn't help either. As my father-in-law says, "If you hope, you are a dope." I tend to use the "hope is not a strategy" cliché more than I would prefer. The fact remains: you are either a hero or goat depending on whether the myriad of attacks you see every day are successful.

To be clear, I'm not talking about thinking positively here (though I heard it does help, maybe I should try it someday), I'm talking about acting positively. And in a security context, that means only allowing the stuff you specifically want to run on your network, and blocking everything else.

You can first start this on your perimeter. Basically, your access router shouldn't allow anything unless you specifically decide it should. This technique is called "default-deny." Depending on what you have running, that probably means SMTP and HTTP at a minimum. Maybe a few other protocols as well, but nothing else. Shut it down. If you block stuff before it even gets to your network, you are much better off.

Same deal goes for your firewall. Take a look at what is probably a panoply of firewall rules that may not even be relevant anymore. Have you compared what you are allowing and blocking to the router? Make sure every rule in there is for a VERY good reason and that the firewall and router configurations are in sync. Don't take chances by leaving your perimeter sloppy.
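One way to run the router-versus-firewall comparison described above, as an added example that is not from the original post. The rule format, both rule sets and the approved list (SMTP and HTTP, the minimum the post mentions) are constructed for illustration and match no vendor's syntax.

```python
from dataclasses import dataclass

# Assumption: the approved services are the two the post names as a minimum.
APPROVED = {("tcp", 25), ("tcp", 80)}

# Constructed sample rule sets in a made-up "action proto port" format,
# evaluated top-down with the first matching rule winning.
ROUTER_RULES = """
allow tcp 25
allow tcp 80
deny any any
"""

FIREWALL_RULES = """
allow tcp 25
allow tcp 80
allow tcp 23     # stale rule nobody remembers adding
allow udp 161
deny any any
allow tcp 8080   # sits below the catch-all, so it never matches
"""


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    port: object  # int, or "any" for the catch-all

    @property
    def is_catch_all(self):
        return self.proto == "any" and self.port == "any"


def parse_rules(text):
    """Parse the toy format; only exact services and 'any any' are accepted."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"unparseable rule: {line!r}")
        action, proto, port = fields
        if (proto == "any") != (port == "any"):
            raise ValueError(f"partial wildcard not supported: {line!r}")
        rules.append(Rule(action, proto, port if port == "any" else int(port)))
    return rules


def effective_policy(rules):
    """Return (services actually allowed, default action) under first match."""
    allowed, decided = set(), set()
    for rule in rules:
        if rule.is_catch_all:
            return allowed, rule.action
        key = (rule.proto, rule.port)
        if key not in decided:          # later duplicates are shadowed
            decided.add(key)
            if rule.action == "allow":
                allowed.add(key)
    return allowed, None                # no explicit catch-all present


def audit(rules, approved=APPROVED):
    """List every way a rule set departs from default-deny plus the approved list."""
    findings = []
    allowed, default = effective_policy(rules)
    if default != "deny":
        findings.append(
            f"default action is {default or 'unspecified'}, expected an explicit deny-all")
    for proto, port in sorted(allowed - approved):
        findings.append(f"allows {proto}/{port}, which is not on the approved list")
    catch_all = next((i for i, r in enumerate(rules) if r.is_catch_all), None)
    if catch_all is not None:
        for r in rules[catch_all + 1:]:
            findings.append(
                f"rule below the catch-all never matches: {r.action} {r.proto} {r.port}")
    return findings


def drift(router_rules, firewall_rules):
    """Services one device lets through that the other does not."""
    router, _ = effective_policy(router_rules)
    firewall, _ = effective_policy(firewall_rules)
    return {"router_only": sorted(router - firewall),
            "firewall_only": sorted(firewall - router)}


if __name__ == "__main__":
    router, firewall = parse_rules(ROUTER_RULES), parse_rules(FIREWALL_RULES)
    for name, rules in (("router", router), ("firewall", firewall)):
        for finding in audit(rules) or ["clean"]:
            print(f"{name}: {finding}")
    print("drift:", drift(router, firewall))
```

Every finding is a rule that needs either a documented reason or deletion; an empty drift result means the two devices enforce the same allow-list.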

Unfortunately, with more and more applications looking like HTTP and coming in over port 80, this technique is not as effective as it used to be. That's why we need stuff like intrusion prevention, deep packet inspection, and anomaly detection to ensure that port 80 traffic isn't malicious. But doing this little stuff on your existing firewall and router is still effective and will make a difference.

Next, let's look at the desktops (or laptops, as it may be) that access your network. Lots of folks get compromised because their employees surf to a bad site (either through phishing or pharming). They can also contract something in a coffee shop, which they so kindly proliferate through your network upon their return.

What you are looking for here is a strong, positive endpoint security posture. Basically, malware infects a machine by running executables that compromise the machine, turn off its defenses and then spread to other devices. If you use the trusty old "default-deny" approach, specifying which applications you allow to run on your devices, the malware has a hard time spreading.

Of course, this technique can be controversial, especially if you decide that iTunes is not an authorized application. And it's not foolproof -- nothing is. But I've seen this approach be very successful in stopping the contraction and spread of malware.

So the next time someone tells you to think positive, you can say with a straight face that you always do. Maybe smile for good nature and say "Kumbaya!" It'll make everyone feel better.

EAC Blog: Your vendor is bought, now what?

Submitted by Mike Rothman on Mon, 2006-07-31 11:02.
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 13. Link here and then you'll need to scroll down a bit because they didn't add an anchor for this specific post.


There has been a lot of M&A activity in the security space of late. With EMC buying RSA and Secure Computing acquiring CipherTrust, I'm sure there is a lot of angst in the end user community about the impact of these mergers on the only thing that's important -- you and the security of your environment.

M&A in the security space (actually all of technology for that matter) is a fact of life. So grinding your teeth about it will only make your dentist happy. But there is a set of activities that end users can undertake, once a key vendor is acquired, that will help.

The reason I even bring this up is an article I found in Information Security Mag from May of 2006 that seems like it must have been lost for four or five years (or possibly misdated). It's been a long time since I've seen Axent and Platinum Technology used as an example in anything. This article talks about the potential impact of mergers on customers and the conclusions are pretty close to reality.

From my perspective, very few deals actually are in the customer's best interest. Deals are driven by economics, and, inevitably, the integration causes the acquired company to lose momentum both on the distribution/sales side as well as in improving the product. When I was on the vendor side, we would joke that your second happiest day is when your biggest competitor gets acquired. That gives you at least six months of runway to do damage and take share as they look internally and focus on integration.

Of course, the happiest day is when you get acquired. But at that point, you are more likely thinking about your new big house or fancy sports car than about your customers.

So, a key vendor of yours gets acquired, what do you do? I mapped out my thoughts in this post from April, but let me summarize quickly.

  1. Do nothing at first -- Just because a deal is announced doesn't mean it's going to close (remember Check Point/Sourcefire?). So until the deal actually closes, it's business as usual.
  2. Call a meeting -- Within a week or two of the deal closing, call a meeting with the surviving entity. Hopefully you'll know who your account rep is at that point. You'll want to ask three questions.
    • How does my product (the one that was bought) fit into your strategy?
    • Is my account team changing?
    • What is the 18-month product roadmap?

Listen very carefully to the answers, because you should have a gut feel at the end of the meeting whether the integration is going to be a train wreck. Based on what you learn, you'll then have two more decisions to make.

  1. Look at how to do more business -- if you are happy with the products, account team and roadmap, you should be seeing if there are other opportunities to do business with the vendor. This would be a good thing.
  2. Look for Plan B -- if the answers are no good, then start talking to competitors immediately. Most will be very willing to defer costs until your existing contract/maintenance expires, in order to displace a competitor.

In either case, DO NOT be the victim here. You are driving your security strategy, and if you don't like what you hear from the vendor, throw them under the bus. It's not like you've got any vested interest or political capital tied up with the new guy. Blame the merger and move on. There are another 750 security companies ready, willing and able to sell you stuff.

Inciting: 10 Tips for Pragmatic Security in ComputerWorld

Submitted by Mike Rothman on Wed, 2006-06-14 13:15.

I'm happy to say some of my research has been featured on ComputerWorld. I did an interview for Bert Latamore's IT Management column and he did a pretty good job of summing up Pragmatic Security and constructing some other nuggets of Incite. According to me anyway.

Yes, over the next few months you'll see me fleshing out the Pragmatic Security architecture in a lot more detail, but until then you can read this column and get a feel for how things are evolving.

Read the article: link

 

Woefully Unprepared for a Hardware Failure

Submitted by Mike Rothman on Fri, 2006-04-14 15:58.
As I mentioned on Monday, I suffered a hard drive failure over the weekend as a result of a pretty severe storm here in Atlanta. There is a happy ending to the story, in that I was able to recover all of the data I cared about and I was operational immediately and back to full speed within 48 hours.

So why do I say I was woefully unprepared for a hardware failure? Basically, restoring my work environment took way too long and I made some amateurish mistakes that cost me time. Thankfully not any money, but losing time is the same thing and it really annoys me. I get that I only have to support one person, so that makes me different than most of my readership, BUT there are some things I picked up and some new processes that I'm implementing that will streamline the process the next time I have a failure.

First, let me describe my work environment a bit to give some background. I use a desktop PC when I'm in the office. I have a Mac iBook notebook computer for when I travel or need to get out of the house and work at Panera, etc. I also have a family PC that my oldest daughter uses to explore the web, play games, etc. My backup system is pretty simple, but designed to make sure I have no single point of failure and that I can get up and running very quickly. In concept anyway.

I have a folder on my desktop that is all of my Security Incite files. Since I use a Mac laptop, I needed some way to keep all of those files current and synchronized on both platforms. I use a great product called FolderShare (which was acquired by Microsoft last year). FolderShare allows me to replicate files between multiple devices and automatically syncs whenever there are any changes. And it transparently supports both PC and Mac. I have current versions of all my business files on both the desktop and Mac at all times. So if I decide to go work remotely, I just grab the Mac and I'm good to go.

I also keep my music and photos replicated between my desktop and the family PC, so I always have two copies. I can't replace the digital pictures, so I like the idea of having those instantly replicated to two places. This product kicks butt and if you are multi-platform it's a necessity. Best of all it's free. You can't beat that.

I use a hosted Exchange provider for email (I can connect to the same mailbox from Outlook on my PC and Entourage on my Mac), so all of my data was up on their site. I can get to it via OWA (Outlook Web Access) or can pull down the data very quickly once I reinstall Outlook.

But I'm not satisfied with that because if something happens at my house (God forbid) I am SOL. So I also back up most of the relevant files to an online backup service using Connected Corp, which was acquired by Iron Mountain. So I have access to that backup as well.

So on most days I feel pretty good that my data is protected. I'd actually say I got a bit complacent. Complacency is a BAD place to be. That's when people get hurt.

When I found my PC unable to boot last weekend, I just pulled out my Mac and I was instantly productive. No problem there. FolderShare worked like a charm. All my files were exactly where they were supposed to be. Then I ran into a number of problems. First, it took me some time to run the diagnostics on my machine. And when I did, I ran the wrong diagnostics (when it took about 30 hours I should have suspected something). When I finally got the diagnostics right, I learned that my drive seemed structurally intact, but I still couldn't boot - so I'd have to rebuild the machine.

The PC I bought came from Systemax, and they have a very cool capability to restore the machine to factory settings. I think the software to do this comes from PowerQuest (which was bought by Symantec). This process took about 20 minutes and was painless. I was back in Windows XP and set up my user account, printer shares, etc. I started the FolderShare restore and within an hour, I had all of my work files back on my PC. So far so good.

It took me a while, but I found all of my software (you know, Microsoft Office, Quicken) and downloaded whatever I didn't have (iTunes, Firefox, etc.). This took another couple of hours to replace all of that software - but that went pretty smoothly as well.

But then I realized some of my personal files were out of date on my family PC. I had a blown fan so the computer sounded like a 747, so most of the time I had that machine turned off. I actually had another machine that I was going to replace it with, but I was too lazy to move everything over. Thus, FolderShare wasn't syncing my personal files, including Quicken - which I use for both personal and business accounting. It wasn't FolderShare's fault, it was mine. But nonetheless I needed to get my Quicken file back ASAP. I had invoices to send out. In a start-up cash is king and no invoice means no cash.

No worries, right? I had the Quicken files on the online service, so I'll just reinstall that software and pull down the files and I'm good to go. Ah, not so much. It seems that Connected doesn't want folks to just download their software, so they require an active account number to download. Uh oh. My account number was on the old, re-imaged drive, so I didn't have it. No worries, I can have them send it to me via email. Uh oh. None of my email addresses seemed to work. Hmm. OK so I'll call. They don't have 24/7 support.

WHAT? A backup service that does not have 24/7 support! Now I was pretty pissed. I had burned most of my Sunday trying to get back and now I can't get over the finish line because my backup provider thinks failures only happen between 8 AM and 9 PM Mon-Fri. That's a problem. But, I had most of my files and could be productive on the Mac - so it wasn't a total waste.

On Monday AM, I called Connected again, but they require an account number to even talk to a rep. This is ridiculous. I don't have the account number. So I called the main number at Iron Mountain and it seemed like I was from Mars. They had no idea what the Connected offering was. I got sent to a customer service rep who also needed an account number to arrange for my backup tapes to be delivered. WHAT? I don't have backup tapes. Suffice it to say, I was pretty frustrated.

Finally, the rep understood what I needed and then told me to wait a minute. He then came back and said he needed an account number to forward my call to the Connected people. No kidding. He did say he found a prompt on another number that asked for a credit card. Well I had the credit card they were billing, so I gave that a try. The customer service rep was nice and he tried to be helpful, but he just didn't have the information about the Connected offering. So my customer experience was less than stellar.

So I finally got through to the right rep (using my credit card number) and he gave me my account number within 5 minutes. I was restoring my data and had everything I needed within an hour. Again, why they don't have 24/7 is beyond me. They also should offer the ability to talk to a rep with or without an account number. When you lose a machine, it's pretty traumatic. To have to navigate through a bunch of crap to talk to someone did not help the delicate state I was in. The poor guy who did finally answer the phone got an earful, which could have been easily avoided.

All's well that ends well, I guess. But it was painful at the time and I lost a lot of time. Time I should have been chasing my kids around. I did learn a lot from the experience, so here are a few tips:

  1. Practice - This was my biggest mistake. I had gone over the details in a theoretical fashion, but I hadn't actually called or tried to reinstall the Connected software in 2 years. I didn't know they required an account number, which is now stored in my Blackberry and on paper. I was also unfamiliar with my system diagnostics, so I wasted time figuring that out.

  2. Document - I found that through most of Monday I was downloading and installing software that I needed (like Acrobat), but forgot to do over the weekend. That costs time, so now I have a list of software that I need on the machine. So if this happens again, I can just work through the list and get things back up and running. I guess I could burn an image (using Ghost or something like that) of my machine, but the applications I use change pretty frequently. So I'm not sure that would save me a lot of time. But if you support hundreds (or thousands) of PCs, having standard images and separating out the data is key.

  3. Consider virtualization - Virtualization is all the rage now, in that it allows you to image a PC (or Linux box) and get it running very quickly. You keep your data on another partition on the drive (maybe even another drive altogether). If something blows up, you just install another image and you are good to go. I'm going to look at this, but it may be overkill for my single person shop.

  4. Have multiple backups - I'm just more comfortable with most of my data protected by Connected, but also replicated to another PC through FolderShare. That way I've got multiple contingency plans. And in this case, I seemed to have needed every single one.

  5. Practice - Did I mention that one already? Well I'll say it again. You don't know what doesn't work until you actually try it.

So, I know this was a bit of a long post, but hopefully you can learn something from my pain. Anyway, now I have it documented, so I can refer back to it the next time I screw something up.

The Role of Product Reviews in Procurement

Submitted by Mike Rothman on Fri, 2006-03-10 11:05.

To provide a bit more of a teaser for the upcoming "Buying Security Products" eBook, let me rant a bit about product reviews. First of all, I hate product reviews. OK, I said it. With few exceptions, they do not reflect real life situations, and can be easily manipulated. What do you mean manipulated? I'll plead the 5th on that one, but suffice it to say I've lost very few reviews in my time because I understood the process. Of course, there are exceptions to that (and I'm sure my friends in the trade press will be pretty annoyed with me), but I call it like I see it.

So, what got me going? First was just seeing a couple of reviews (not just the stand-alone review of NFR that I blasted in this post), and I was struggling to get a feel for how that information is going to help a customer make a buying decision. In one of the reviews, 4 out of the 8 products got some type of "recommended" status. What the hell is that about? They may as well have said, all these products are the same - so it doesn't matter. Or they should have admitted, my methodology had me comparing apples to oranges, so if you are looking for apples - do this and oranges - do that. But they didn't, so end users are left to their own devices to figure out what matters.

Now, I may as well remind everyone what I used to do for a living. As VP of Marketing for any emerging technology company, product reviews are either your best friend or a friggin' nightmare. I've had numerous examples of both during my marketing tenure. It was always amazing to me that two different reviews would come out within a few weeks of each other and get totally different results and draw totally different conclusions. Had the product changed? No, of course not. It's basically the methodology that varies and that can have a dramatic impact on the "winner" of a review.

Let's look at reviews within the context of the procurement process (which of course will be detailed ad nauseam in the eBook). Product reviews can be useful in determining the long list during the time you are learning how to solve your problem (Step 3 - EDUCATE), prior to actually starting to talk to folks that will try to sell you stuff (Step 4 - ENGAGE).

Now, I get that no one has infinite time. So you can't talk to everyone. When I was in the anti-spam business, there were legitimately 50 companies that could stop spam in some way, shape or form. You can't possibly talk to all of them, so how do you pare it down?

Basically, a review can help do that. Most reviews will have a grouping of folks near the top. And if a space is hot, there will be a number of reviews that have been published. The reality is the cream does rise to the top. So if a set of vendors is always at the top of the list, then they are probably someone that should make the long list. Conversely, if a vendor is just not in the ballgame consistently, then just blow them out right there and then.

DO NOT MAKE A DECISION BASED ON ONE REVIEW. I'm not sure I can say it any clearer than that. 

But, does being a "Best Buy" or "Recommended" mean a damn thing? Not in my opinion. Determining the winner of these things is so subjective that sometimes it's impossible to understand why the winner actually won. This is pretty frustrating as you marketing folks out there know. "I don't know why the other guys won" does not make the CEO very happy.

And the vendors are masterful at using each "win" to make it seem that everyone else sucks. Don't believe them. Reviews are just another data point to help you focus your efforts on products that have the highest likelihood of solving your problem. But, they SHOULD NOT be used to determine a short list (2-3 vendors). You could be disqualifying the right product early on in the process because their marketing folks don't understand the process.

Like everything else having to do with procurement, the more data you gather - the higher the likelihood that you'll make the right decision.

 

Buying Security Products - Step 2: Assemble the Team

Submitted by Mike Rothman on Tue, 2006-02-28 12:11.
Now that you have your own house in order, it’s time to build the team that’s going to help you execute on this project. For the rest of the series, I’m going to assume you are the leader of the team. OK?

So, Mr. or Ms. Leader, what does that really mean? Ultimately, it means you have the accountability for the successful completion of the project. You’ve got to manage expectations up and down the line, and ultimately it will be your call as to what solution(s) are selected.

If you are not cool with having your head on the block, try to find someone else to be the leader. Not that this is necessarily a bad thing, every team needs leadership and it also needs people to get things done. But now is a good time to figure out which bucket you personally fall into.

If you are in a big company, you may have some analysts that will be able to do the leg work during the education and engagement steps. That is truly a luxury, since wading through the sheer amount of information that is available for pretty much any topic is daunting. And we all know how much fun those vendor pitches are. So, if you have some minions that just love Google or are “professional” tire kickers, let them rip. Just make sure they can succinctly tell you what you need to know.

You’ll also need some technical resources to test the product in your lab (you have a lab right? – heh), optimally focused on this specific project. I know that is probably a bit optimistic (maybe even delusional), but expecting to put any product through its paces with people that are stealing time away from daily operational tasks is hard, and you usually end up with sub-par results.

Finally, it is also helpful to have some type of financial analyst on the team as well. Clearly making sure you get some type of payback is very important for any project. Finance-types are invaluable in structuring the discussion around investment and payback. Especially with security projects, payback is a very squishy thing. BUT, some type of financial analysis will be required to spend a lot of money. It’s as much about CYA (cover your ass) as anything else.

Boy, it would be nice to have 4-6 people on the project team, eh? Let me paint two scenarios where it doesn’t always work out that way.

  1. You have more than 4-6 – This is usually indicative of a political hot potato. High profile projects usually get lots of “volunteers” to help out because the decision is important and the executives may be pushing their own agendas. So they want their minions involved in the process. If this is your case, try to run. I know that’s not always an option, but adding politics decreases your chance of success by 30-50%. Unfortunately, advanced political maneuvering is outside the scope of this series.

  2. You have none – This is a very likely scenario in mid-sized companies and you probably also have a day job that burns up 10-12 hours a day. Well, in this case you need help to do this right. We’ll talk about this situation a lot through the rest of the series, but suffice it to say there are places where you can get help for a small price and places where you’ll just have to do the work. Compromising on doing the work yourself is also another quick path to fail.

So, that is the project team (or not). Tomorrow we’ll focus on something near and dear to my heart, which is education. We’ll also discuss how and more importantly, when to engage outside parties to push the project along.

Buying Security Products - Step 1: Clean Your Own House

Submitted by Mike Rothman on Tue, 2006-02-28 08:32.
In this first step, you are preparing to be successful. How many times have you gone all the way through a project, only to discover it wasn’t clear what you were trying to accomplish? Don’t let that happen, it’s career limiting.

So, how do we avoid those issues, given that most of the world seems to be a moving target nowadays? First you need to DEFINE SUCCESS. Of course, your definition is totally irrelevant. The only definition that matters is the project’s executive sponsor’s. Be realistic: if you are going through a reasonably formal procurement process, someone on high is supporting this endeavor. So make sure both of you are on the same page as to what success means.

If you do not know what success looks like, you are doomed to fail.

Then you need to understand the time frame. Is the expectation for a 6 month project, or is this business critical and it needs to be done in 2 months? Note that I said EXPECTATION, not reality. The executive sponsor has an idea of when this needs to be done. Make sure you understand that.

Next you need to line up the budget. Isn’t this early in the process to be fixated on budget? Actually, you need to know at the onset of the project whether you are going to be able to buy a Porsche or a Yugo. Of course, you don’t necessarily need to share the budget numbers with anyone, but you need to know the money exists.

Don’t be concerned if the budget changes as you move through the process. In many cases, the process uncovers other key requirements that add scope to the project. Or you may determine you didn’t need all of that stuff to meet the business need and then you’ll contract scope. The key point here is to make sure you’ve got funds (so you aren’t wasting everyone’s time) and that you’ll be flexible through the process because things will change.

Then you need to sketch out a plan. This is really just a straw man that gives you an idea of what the major milestones of the project will be. Nothing too specific, but you want to get a feel for timeframe and key success points. In my experience, it always is useful to work backwards.

So, envision the successful end goal and the agreed upon time frame. Then figure out what the key milestone is right before you are done. Maybe it’s a successful deployment to a pilot group for 2 weeks. Then move backwards from there. The step before was likely the final selection, and negotiating the deal may have taken 3 weeks.

Hopefully you get my drift. By working backwards, you know where you’ll need to be at any given time in the project. But, remember, this is a straw man and things will change throughout the process, so being flexible is absolutely critical.

If you can do these couple of things before you formally start a project, you dramatically increase your chances of being successful. Later today, we’ll talk about building the project team.