Compliance
Incite Redux: Day 2 - It's time for an Audit Revolution
Good Morning:
Some days I get to reflect on how lucky I am. I guess when you are sitting on the beach, watching your kids enjoying life, it's as good a time as any to appreciate all that I have. Of course, a unique "feature" of my personality is to never be satisfied - to always be striving for more. Yet, some days it just makes more sense to forget about all that crap. My goals and aspirations of world domination will be there when I return to the office and my daily rituals. Until then, I think I'll just enjoy the fact that things could be a lot worse.
Have a great day.
Incite #2: It's time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.
Read the original Days of Incite post on this topic.
6-month grade: B-
I need to come clean. Sometimes I get what's right and what's realistic confused. Now there is no doubt that my ideas about how auditors and auditees can work together are right on the money. I've heard enough feedback from enough people I trust that not treating an audit or an assessment like a 15-round fight is a much more productive way to go about things. This approach is laid out in the Pragmatic CSO.
But then again, what's realistic tends to be constrained by people, and people don't really change readily - if ever. It reminds me of one of the great lines in You Don't Mess With the Zohan: "They've been fighting for 2000 years, it will be over soon." Unfortunately, that seems like the story we tell in the security business. We've always fought with auditors, and not fighting with them is kind of like asking for peace in the Middle East. Except I do think it's possible.
Just keep in mind that we are all fighting for the same thing - and that's to protect the information and assets of the organization. The auditors want to be able to prove that things are happening. Is that all bad? Of course not, it's quite good - but it takes a different kind of security practitioner to realize that.
What about the whole compliance golden goose? It's still alive and well. As we look forward to the end of 2008 and into 2009, it seems the global economy isn't going to be improving much at all. So we will face even more budget tightening and scrutiny of our investments. Since security is still largely an overhead function, it's going to be even more heavily scrutinized.
So using the compliance card is not a bad thing at all. But do you buy something that is purported to help with compliance? Of course not. After all, a smart guy figures that GRC is dead. Buy what you need to protect your stuff. That hasn't changed at all. You still need to focus on Security FIRST! If you do that well, you'll be in decent shape for your audits and assessments.
In terms of a grade, the long term trend is intact and the approach is solid. But it'll happen more slowly than I anticipated - so I get a B-. Or go hug your auditor and prove me wrong.
Photo credit: "Monster Hug" originally uploaded by Alberto+Cerriteno
Steaming Brown Bag Awards
My friends over at SearchSecurity asked me to come up with some compliance "worst practices" for their April Fool's theme set of tips. Thus I started what I hope to become an annual tradition, which is to give out a series of awards for these nincompoops.
I'm calling the awards the "Steaming Brown Bag Awards." That's right, the award is a bag of steaming brown love, hot off the presses. A Great Dane did the honors after being fed a family of goats and a tub of Ex-Lax.
It was a tough job, but someone had to assemble the bags. Thankfully I read the 4 hour workweek and decided to outsource the awards packaging to my virtual assistant in Asia. They assure me it was an authentic Great Dane and real goats, but alas it was generic Ex-Lax. I guess it's very expensive to import Ex-Lax.
I've also picked a certain express delivery company to make sure that the brown bags get there absolutely, positively overnight. This is important because the shelf life of a steaming brown bag isn't very long. Signature is not required and I'm slipping the delivery guys a few simoleons on the side for them to light the bag on fire before they ring the bell. Hopefully before the cat gets in there.
This will be an award they don't soon forget. So without further ado: check out the list of award recipients:
WORST PRACTICES: RECOGNIZING THE BIGGEST COMPLIANCE MISTAKES
Mike Rothman, Contributor
As the season of entertainment awards comes to a close, I want to weigh in and do my first annual "Steaming Brown Bag Awards" or STiBBAs for short, which recognize the biggest compliance blunders of the past year (or so), and the award is - of course - a steaming brown bag.
And without further ado: The Rip Van Winkle STiBBA goes to...
http://go.techtarget.com/r/3408753/832109
Report Card: 2007 Incite #10 - Time to get PC(I)
So this is it. The final Incite for 2007. Overall, I think I did pretty OK, given how dicey it is to predict anything. I'm a bit ahead of the curve on some things - but I'm good with that. If I'm not a bit ahead, then I'm not thinking hard enough.
Look for the 2008 Incites to appear in February, and then I can spend the rest of 2008 poking myself in the eye. Which I hope is good fun for you.
Incite #10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-10-time-to-get-pc-i
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: D
I started the Incite Redux post with the following quote: “Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation emerges from Mount Sinai to save everyone.”
PCI was that magic tablet in the hands of many auditors, who continued to demand certain new capabilities (mostly database security gateways, application scanning and penetration tests) that saw growth in 2007. So I’m giving up the ghost on projecting the death of compliance. It’s just not going to happen, at least for a while.
So organizations need to be strategic in how they play the compliance card. Buy the things that are important for SECURITY, and will also make the auditor somewhat happy. Focus on reporting, since you will need to substantiate what you are doing. Yes, Pragmatic CSOs do see the value in a structured security program – that part is resonating. The idea of treating the auditor like a peer and communicating in business speak is spot on.
But compliance is the cat with at least 9 lives, and continues coming back for more. So I can’t feel good about giving myself anything higher than a D for this Incite because compliance continues to be alive and well. Very alive and very well, thank you very much.
I guess I shouldn’t complain too much because I personally continue to benefit from the fact that security is riding the compliance wave. Yet, I still feel bad because it’s not the right thing to do. Whatever, what’s right doesn’t usually correlate to what happens, now does it?
Once the PCI furor dies down, what will be next? I honestly have no idea, but I know it will be something. It always is, and just when you thought compliance was down for the count – it keeps storming back with a vengeance.
Maybe we can get Bruce Willis or Harrison Ford to star in the next compliance sequel. It seems those guys keep on ticking as well, so they are good role models.
Check out the other posts in the Report Card series.
2007 DOI: Day 10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Read the rest of the 2007 Incites here.
I’ve been calling for compliance’s head on a platter for quite a while. Thus far, I’ve been wrong. Just when I think the gravy train is done – someone does something stupid, resulting in a new wave of legislation that then the security vendors can jump on and string out their compliance pipeline a bit longer.
But then a strange thing happened on the way to the treasure trough – basically none of these regulations have been enforced. The number of HIPAA enforcement actions is minimal, with penalties not even registering. In fact, it’s usually cheaper for a healthcare organization to just budget in compliance penalties rather than actually secure their infrastructure.
Now that’s scary, but true.
Sarbanes-Oxley runs the risk of fitting into the same category. Sure, we are still pretty early in the game, and the auditors make loud noises and grunt a lot about failing the examination – BUT WHERE’S THE BEEF? Where is a CEO’s head on a stick for bungling an ERP implementation? Until the SEC sends a high profile CEO on a perp walk, SarbOx will remain an empty suit.
Much to the chagrin of all the vendors out there trying to remain in the bandwagon.
But that brings up the regulation du jour – PCI DSS (Payment Card Industry Data Security Standard). Basically PCI is Visa and MasterCard’s power play to divert some of the risk of identity theft and fraud onto the banks. The banks then get to beat down the retailers in turn. Shit flows downhill and retailers tend to live in a pile of the slop.
Thus far, PCI has been an empty suit as well. We’ve “heard” of the beginning of costly enforcement actions, but all of this stuff has been handled in the back room. More like a bad guy disappearing in the middle of the night, as opposed to being executed in the public square. Unfortunately, in order to make a statement a retailer needs to be drawn and quartered in a very public fashion. Maybe it’ll be TJX, but thus far it’s been no one.
So now comes the rub. Even if a retailer (or anyone else) wants to comply with PCI, what the hell does that mean? Relative to HIPAA and GLBA, PCI is crystal clear. But that still makes it about as clear as mud. As with every other type of regulation, a vendor feeding frenzy ensued to position every security widget as the panacea for achieving “compliance” with the regulation.
For a little while, the way PCI was structured was actually pretty good and made it relatively clear where the line would be drawn relative to network and data protection. But then they introduced this concept of “compensating controls” back in November. That really screwed things up. Why? Because basically it gives every vendor a way to spin how their stuff offers an alternative to the right answer of actually protecting the data.
No less than 5 vendors talked about how they achieved PCI’s compensating controls language in my 10 meetings at RSA. That’s 50% for your math majors out there. And the other 50% were asleep at the wheel. These folks came from lots of different places, including NAC, UTM, leak prevention and database monitoring. Starting to get the picture yet? With the compensating controls clause, PCI is no clearer than any of the other regulations out there.
What to do if you are a customer? Nothing new here, just focus on executing your security program – which will provide you with the documentation to prove that you are compliant with whatever regulation you are worried about. Sounds too easy, no? It’s not easy at all, but it’s the proper path. Continuing to focus exclusively on compliance is a fool’s errand.
Not to continually flog my own stuff, but the Pragmatic CSO process (www.pragmaticcso.com) is all about building a security program and ends with a chapter on compliance, which recommends a different approach than you are used to in dealing with your auditors. Check it out. You’ll thank me later.
Report Card: Incite #4 - Stay out of Jail
In the last Report Card for today, let's look at what happened in the wild and wooly world of compliance.
Incite #4 - Stay out of Jail
Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Those not so smart users figure encryption is a panacea and buy some; ultimately realizing making encryption work on a large-scale basis hasn’t gotten any easier.
Grade: A
Original Days of Incite post: here
Incite Redux post: here
Finally, a decent Incite that actually turned out to be right on. Clearly the wind is out of the sails of “compliance” as a term, and if anything CEOs and CFOs are now asking the tough questions about what all this compliance stuff they’ve bought does.
So we will look back at 2004-2006 as the halcyon days for compliance. Now it is truly an operational aspect of every security program. Those that don’t ask about the compliance impact of any new infrastructure or applications are clearly asking for trouble. And don’t expect to get more funding or resources to do “compliance.”
As security professionals, everything we do should generate an artifact (report, graph, other document), and that artifact can be used to substantiate the controls in use by the security program. The presence of those controls, and the comfort that issues will be remediated quickly and completely, is what the auditors are most interested in.
What we didn’t see as much of was widespread adoption of encryption. Instead we saw pockets of strength and great strength at that. The number of lost/stolen laptops and the associated PR and notification fiascoes made it very clear that mobile devices need to use encryption to protect the private and sensitive data on those devices.
The good news is that whole disk or desktop oriented encryption is quite leverageable and not just from a compliance standpoint, so this is one of those technologies that are bought to solve a compliance problem, but end up being pretty strategic over time.
How does it become strategic? Basically as part of a broader data security environment that controls and protects data at its fundamental element. We are still a ways away from even having technology to do that, but having that data on the mobile devices protected is a start.
It’s not clear yet that “compliance” will get another Incite in 2007 since it is rapidly being subsumed into all security operational activities, but don’t be lulled into complacency. There are compliance considerations in everything that you do as a security professional.
Can Oracle succeed in security?
Dealing with Oracle when you are an analyst is loads of fun. There is no more arrogant company out there. I asked for a briefing on their identity management stuff early this year, and I got the "read our white papers, they'll tell you everything you need to know." It was clear, they didn't have time for analysts that don't have a G or F in their company name.
But that's OK. Oracle has never really been taken seriously in the security space, so it's not like I have a lot of folks asking me about what they are up to. But given the amount of money they've spent buying their way into the Identity Management space and the fact that data security is becoming more real (EMC/RSA being a pretty significant data point), I'll need to suspend disbelief and take another look at what Oracle is up to.
So I was pleased when a little birdie gave me a sneak peek at Oracle's "security strategy" briefing for hundreds of analysts and customers around the world. Shockingly enough, they claim to be the "leader" in security. That's a laugh. But I'll get to that.
First, what does Oracle consider security? Basically it's the stuff they sort of have. Access Control (but they mean Identity), data privacy (database encryption), and compliance (whatever that means). So they are hovering around in what I call information or data security and Identity in Pragmatic Security lingo.
They make a number of bold claims, including integration amongst the products and that their security works consistently across all of their applications. Huh? So they've gutted PeopleSoft and JD Edwards and Siebel and now have a common security model. Maybe on the PPT, but not in reality. Oracle does have a bunch of crap in a bag. But to say it's integrated is insulting the intelligence of the folks that buy stuff from them. Though I know that Oracle holds their customers in high regard. Kind of like CA in the days of yore.
Basically, all of this cool integration and the like is on a Fusion roadmap. Due to the wonders of federation and standards, many of the products (at least on the IAM side) can work together. But that ain't integration, to be clear.
What about data privacy? Well anyone that's even tried to do sophisticated logging on a high transaction production database knows it kills performance. And to try to do field level encryption? No way. Unless you are running at 10% utilization that is. Then you've got plenty of headroom to drive your DB to 90% utilization. Performance has never been their strong suit. But that's what bigger servers are for, no?
And compliance? As I've said a million times, compliance is a process not a product. It's very easy for Oracle to make it a pillar of their security strategy because it doesn't mean anything. So if you can get logging to work, then you can pull a report on it and BAM! You are compliant. Did I mention that I hate compliance lately?
Now that I've rained all over their parade, I'll begrudgingly admit that Oracle will be a factor in data security. If only due to their market presence. Whether we like it or not, Oracle controls much of the data in the largest enterprises in the world. That's a pretty powerful position to be in, but it's far from a mandate to control information security.
To date, no one has a compelling "big story" as to how data security evolves over time. And that creates opportunity for other big players (like EMC, IBM, Symantec and Microsoft) to codify that story and take the thought leadership high ground. It also creates a window for smaller data security players to gain a foothold and thus become acquisition bait.
But Oracle always has Plan B, just in case they can't tell the big story and their roadmap falters - it's the checkbook. There is the old saying that "the enemy of your enemy is your friend." Well, over the past few years, Oracle has bought both their friends and enemies until there isn't much left standing.
But these were mature markets. Very much like the CA of old. They are milking the acquired revenue streams. But data security ain't mature. There are no revenue streams to milk.
So Oracle can crow all they want about being the leader of this or the leader of that. Soon enough they'll figure out that security is different. They'll need a more compelling vision for the customer. They'll need to get some application security technology (like a web app firewall). And they'll need to be more respectful of a heterogeneous world.
Oracle is not Cisco or Microsoft. Applications have inertia, but it's nothing like the inertia of the network or the desktop. With the advent of SOA, applications and data can be and will be anywhere and everywhere. A strong disruptive application is much more likely to be adopted than something new in network plumbing or on the desktop.
Maybe they can learn a lesson from CA, which proved that what goes around, comes around. Even if it takes years. But probably not.
Policy <> Compliance
Compliance is just one of those topics that I hate. It's a catch-all word for vendors that can't figure out what they do and what value they provide. We continue to see tons of folks, consultants and vendors alike, that try fervently to latch onto the compliance bandwagon. After 10 years of this, it's pretty nauseating, but it goes with the territory. Most of the people I deal with have become numb.
The best thing I can say about compliance is that it has provided a funding source for many a security project. Projects that would have been hard to fund otherwise, so there is some goodness. But the gloss is coming off that rose and senior execs are asking what they are getting from all that money spent on "compliance."
I figured most people that have been in this business for more than a week or so had an idea about what compliance is and what it's not. But I guess I was wrong. This morning I read this article in Network Computing (here) and almost fell out of my chair. I wasn't laughing, I was shocked. The sub-head of the article is:
The best way to stay out of the regulatory hot seat and keep the compliance police at bay is to develop a comprehensive set of well-written policies.
WHAT? Since when does a policy do anything to get you out of the regulatory hot seat? A policy is a piece of paper. It's not worth the ink it's printed with. Why? Because most policies are documents written by lawyers to cover the collective ass of the organization.
Compliance indicates that you've done something. And that you can prove it to an auditor when they come to make sure. I can assure you that if an auditor shows up and all you show them is a policy document, it will be a LOOOOOOOOOOOOOONG day for you.
So let me quickly make a distinction between a policy, a strategy, and an implementation plan. I've already discussed a policy above. A strategy is how you propose to execute on the policies. And an implementation plan is the tactics, projects and products that will be used to make the strategy a reality.
You are not in compliance with anything until you have successfully implemented your strategy and can document the controls in place to meet the spirit of the regulation, whatever that may be.
The only thing a well-written policy gets you is a clear view of the target. That and $4 will get you a coffee at Starbucks.
So the reality is that you DO need to start with a policy, and this article gives you some ideas about where you can find a policy template for what you are trying to do. It even points you towards a set of document management products that can help you assemble the documentation that the auditor may want to check out.
But there is nothing in this article that is going to help you "stay out of the regulatory hot seat or keep the compliance police at bay." Shame on Network Computing for printing such an incomplete discussion of this topic. The editor must have had a lobotomy or something to let this one slip through.
Heaven help the poor administrator that takes this advice to heart. Maybe they'll know better for their next job.
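To make the policy-versus-implementation distinction above (and the earlier point that every control should generate an artifact you can hand an auditor) concrete, here is an added example that is not from the original post or the Pragmatic CSO material. It takes a constructed policy statement ("remote administrative access must not use passwords"), maps it to one concrete control (an sshd_config with PasswordAuthentication disabled), checks two constructed config excerpts, and emits an evidence record for each. The policy and control identifiers, the config samples and the record layout are all assumptions made for illustration; the only real-world behaviour relied on is that OpenSSH honours the first occurrence of a directive and defaults PasswordAuthentication to yes when it is absent.

```python
"""Turn a written policy requirement into a verifiable control check that
emits an audit artifact.  Added example; the policy text, control IDs and
sshd_config samples are constructed for illustration, not taken from any
real audit program."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a policy statement and the concrete control it implies.
POLICY = {
    "id": "POL-ACCESS-07",  # hypothetical policy identifier
    "statement": "Remote administrative access must not use passwords.",
}
CONTROL = {
    "id": "CTL-SSH-01",  # hypothetical control identifier
    "policy_id": POLICY["id"],
    "description": "sshd is configured with PasswordAuthentication no",
    "setting": "passwordauthentication",
    "expected": "no",
}

# Constructed sshd_config excerpts: one meets the control, one does not.
COMPLIANT_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

NONCOMPLIANT_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the effective directives.
    Comments and blank lines are skipped.  OpenSSH uses the first value it
    sees for a keyword, so earlier lines win over later duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def evaluate_control(config_text, control, now=None):
    """Check one control against a config and return an evidence record.
    The record carries the observed value, the verdict, a timestamp and a
    hash of the exact input examined, so the auditor can tie the verdict
    back to the artifact rather than to a policy document."""
    settings = parse_sshd_config(config_text)
    observed = settings.get(control["setting"])
    # OpenSSH defaults PasswordAuthentication to "yes" when the directive is absent
    effective = observed if observed is not None else "yes"
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "control_id": control["id"],
        "policy_id": control["policy_id"],
        "description": control["description"],
        "expected": control["expected"],
        "observed": effective,
        "directive_present": observed is not None,
        "result": "PASS" if effective.lower() == control["expected"] else "FAIL",
        "evidence_sha256": hashlib.sha256(config_text.encode()).hexdigest(),
        "checked_at": stamp,
    }


def run_audit(configs, control):
    """Evaluate the control against every named config; return the records."""
    return {name: evaluate_control(text, control) for name, text in configs.items()}


if __name__ == "__main__":
    records = run_audit(
        {"host-a": COMPLIANT_CONFIG, "host-b": NONCOMPLIANT_CONFIG}, CONTROL
    )
    print(json.dumps(records, indent=2))
```

The point of the hash and timestamp is the one the post makes: the policy document says what should be true, the record says what was observed on a given input at a given time, and only the second is something an auditor can test. Note that the non-compliant sample fails not because the directive says "yes" but because it is commented out, which is exactly the kind of gap a policy-only review never catches.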
Dark Reading's Top 10 IT Security Myths Demystified - Part 5
Myth #9 - Clean Bill of Health Attainable? (link here)
The fact is that auditors are paid to look for problems, and they usually find them, experts say.
Ah, the age-old battle between security people and auditors. I do find that most organizations fail audits frequently, and then they go into a few-weeks-long death march to get things right. Of course, as the DR folks point out - it's usually a failure of documentation rather than a failure of controls.
To be clear, this is our problem - not the auditors. Relaxing the documentation requirements won't fix things. I guess some reporting requirements are onerous, but deal with it. You need to have the data, if only to verify what you do on a daily basis and the value that you bring to the organization. As we learned in the UBS insider case, it's critical to document the stuff you do - or else the forensics folks will need to do it for you. So documentation is not a bad thing. Protection and documentation can be done synergistically. I promise.
All security folks need to get a little auditor empathy. Maybe we can make up some bracelets that say "WWAD." What would the auditor do? So when we are implementing new products or controls, we know we can get the right information out at the right time. It's usually a bad day when you figure out you don't have information as the auditor is breathing down your neck.
WWAD. Make it a mantra, and your life will be much easier. This was pretty good. B+ I say!
Myth #10 - More Spending = Better Security (link here)
There's no real way to measure your return on investment from hiring white-hats to run penetration tests and stage social engineering exploits. It's much more cost-efficient to train your own instead.
Man, DR really whiffed on this one. For one, the title is misleading. They are really talking about outside pen testing, not a broader security spending bucket. I do believe that more security spending does NOT lead to better security, but what does that have to do with pen testing?
What the so-called "experts" here missed was why companies engage outside resources for pen tests. It's pretty simple really. Management doesn't believe their own people. So getting someone in (even if it costs more money) to basically validate what the security folks have said is money worth spending to these folks. Sure you could do it cheaper, but that won't give answers to the muckety-mucks. Sometimes we need to do things to give answers to the muckety-mucks.
That being said, training your folks to do poor-man's pen testing and social engineering attacks is a good thing too. I don't think it's an either-or proposition here. And looking at automated pen testing products to provide more sophisticated tools for your own internal use is a good thing as well.
Then when the outside folks show up, they either won't find much or you'll already know the answers. And that's a good day, when you know (and hopefully have already asked for money to fix) all the holes.
Well, that's it. I need to get working on some of my own myths.
RSA Wrap-up: What's Not
Just as there are winners @ RSA, there are inevitably losers. Big conferences are zero sum games, and something's got to be cold. The common thread of what seemed cold is a lack of innovation over the past year, and a maturity of the solution. Duh! Here's my list:
- Secure Content Management - Regardless of whether it was anti-spam, IM security or web filtering, it felt a bit slow around those stands. The technology has clearly matured and it's just not that interesting for attendees.
- SIM - There seemed to be a big lack of interest in Security Information Management, especially with the transparent and undifferentiated compliance messaging all of the vendors have adopted. Even the leaders in this space seemed kind of slow.
- Wireless Security - Another market that has been subsumed into the infrastructure is wireless protection. All of the big vendors have a portion of their stand focused on their wireless offerings and there didn't seem to be a lot of interest. Clearly this market does not stand alone.
- "Compliance" - The industry is numb to the regulatory message. Since it's everywhere, it feels like it's nowhere. Sure, many of my conversations at the show focused on the use of compliance money to buy things, but there was little focus on how to "achieve" compliance, which was the clear focus of the past few years.
- Perimeter stuff - The perimeter defense market is mature and thus not interesting at a show like this. As focus shifts internally (through the NAC hype), it seems the perimeter is being taken for granted. That will last until the next major outbreak.
I'm sure I'll get an earful from my friends in these sectors about how I'm wrong. I can hear the voice mails now: "You dolt. My booth was packed." But spin all you want. Folks go to a show like RSA to check out the new, not focus on the old. If these folks don't have anything new to say, then they may as well stay home. It's a huge waste of money to show up at RSA without a new innovative widget to draw interest.
That's one man's opinion anyway.
RSA Wrap-up: What's Hot
- Identity Management - There was lots of activity at the show, validating the choice of IdM as the subject of the first battle plan (available at the end of the month). All of the big guys (Microsoft, IBM, Sun, HP, et al) were there in force and lots of other network-security oriented vendors were talking about the linkages between IdM and network access control (NAC) in an effort to differentiate. My checks with resellers and users indicated the IdM strength is not vendor push. It's happening. Another data point was the overflowing sessions on IdM during the conference - I'm talking standing room only. IdM is hot.
- Network Access Control - A bit further off is NAC, but there was tons of activity in this space as well. The big (Cisco, Microsoft, Symantec, McAfee) and the little (ConSentry, ForeScout, Lockdown, Mirage, StillSecure, Vernier) were well represented and NAC will be the next big thing. The clear challenge for the start-ups will be to focus on clear differentiation to remain relevant. I can't recall a hot market space where the big players are delivering products, mostly home-grown, in the same timeframe as the start-ups. Big is clearly the new small.
- Encryption - Scarily enough, this may actually be the year that encryption happens. Sure, there is still confusion as to what you really can do, and it's not nearly transparent enough. But the rising tide is lifting all the boats (PGP, PostX and Voltage notably) and it seems that a decent portion of that compliance budget is being allocated to rolling out crypto.
- OATH - The stand set up to demonstrate the Open Standard for Authentication seemed to be packed the entire show. There were something like 10 vendors in there demonstrating their OATH compatible solutions, and this standard is taking root. Given the momentum for IdM and NAC, the need for continued focus on the authentication part of the equation is clear.
- "Leak Prevention" - It's not clear what this category is called quite yet, but it's basically about making sure that private data and intellectual property stays where it belongs. There was a lot of activity in this space.
- Web/Application/Database Security - There is a lot of interest in boxes (and software too, I guess) that protect applications and databases from targeted attacks. This market is poised to be big in 2007, so figure next year's RSA show will have this as a prominent theme.