Daily Incite
The Daily Incite - 6/29/09 - Under Construction
June 29, 2009 - Volume 4, #29
Good Morning:
Being my first day back from a week of R&R, I thought I'd share
some random thoughts. The first has to do with a trip back to my old
stomping grounds in VA I took recently. It was like going to a high
school reunion and seeing that most of the folks there looked terrible.
The area was a mess with construction everywhere.

Given the congestion in the Northern Virginia area, any work they do is
both necessary and required, but the place was in tatters. You can
remember the good old days when the cheerleaders were cool and everyone
had their best days ahead. Or you can focus on the fact that as time
goes on, some areas (or people) wear better than others.
Or you could focus on the fact that in one way or another we are all under construction. So you can appreciate what was, think about what's to come and understand whatever it is is just fine for right now. See, I told you - random stuff.
The Boss was quite kind to me when we were away and let me plow through a number of books. And no, I didn't read the latest marketing manifestos. I wanted some diversionary drivel, and I got it. First I read two of Daniel Silva's books from the Gabriel Allon series (The English Assassin and The Confessor). Good stuff. Fast paced, good plot. Not enough graphic hand to hand combat, but the plot complexities made up for it.
Next up, I read Raymond Khoury's The Last Templar. This was basically a Dan Brown rip-off, which they made into a mini-series. The concept was intriguing, but the execution was a bit hollow and far-fetched. I know all thriller novels are far-fetched, but the last few action scenes in this one stretched my imagination. Finally I tackled Harlan Coben's Deal Breaker, which was a total change of pace and dealt with a sports-tinged plot of intrigue. It was decent, a bit predictable, but Coben is pretty funny - so it was a decent read.
Next we can also wish a freaky farewell to the King of Pop. Here is a great article about his early days at the world famous Apollo Theater. I read in a number of places, and my own family spent a bunch of time talking, about the clear similarities between Michael Jackson and Elvis. But being in that kind of burning spotlight for decades definitely warps things, so I can only hope he finds the Dancing Machine in the great beyond. Though many folks never can say goodbye... Have a great day.
Photo: "Under_Construction_Sign" originally uploaded by uberbeam
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Follow me on Twitter: @securityincite - I'm not sure where I'm going, but I'll get there in 140 characters - or less...
Incite 4 U
Only having time to cover maybe 4 or 5 interesting posts a week has forced me to be pretty selective. Overall I think this is a good thing. But I'm sure none of you are bashful and will let me know if it sucks.
- Cybercom is da shizzle - No, I have no idea what a shizzle is, but it was interesting last week to get the formalization of the US DoD's cyber-defense initiatives under a common banner. To be led by the head of the NSA, but not within the NSA. Uh-huh. Anyhow, I do think that leverage is good and setting a common policy is good. Can you truly centralize anything with 15,000 separate networks and 7 million-plus devices? No frackin' way. But at least setting a set of guidelines isn't a bad thing. Though it'll be interesting to see how Cybercom differs in reality from NIST.
- The real auditing Top 10 list - The man known only as Shack has a wonderfully snarky analysis of the Top 10 things auditors aren't telling you, and it's dead on. Basically audit (and PCI assessment for that matter) is a very competitive business, which means it's all about cutting costs. So you'll see the bait and switch (#3), and the auditor will likely back down if you yell loud enough. Unless you get the know-it-all (#9) or the one worried about being the next Arthur Andersen (#10), and then you figure out how to go over the auditor's head. Of course, snark aside - there are cases where the audit can be productive and where you can treat the auditor as a peer, which is the Pragmatic way. Though to get to a productive place, you need to understand where the auditor is coming from.
- Skeptics anonymous meeting at 10 - The Mogull has had too much time to think. And that's with a newborn. Maybe if there is a next go around, he (and the lovely Mrs. Mogull) can have twins so he doesn't have time to think all skeptical and stuff. But his series on Skepticism in security rang very true to me because part of every job is to make decisions with less than perfect data, and we have to be skeptical about stuff. But that results in the business thinking us security folks are just "Dr. No," and that isn't productive over time. So I'd love folks to be more skeptical and get all New School and share data and be more scientifically rigorous, but we need to tread carefully. Because any credibility we are building comes from taking a "Yes, but" position (as opposed to a NO! position).
- CISO = DoDo bird? - Funny, there are a lot of folks questioning the long term viability of the senior security staffer position. I've certainly been one of them for a long time. I'm at the Gartner Security show this week (follow my updates via Twitter @securityincite) and the first keynote is about how the CISO needs to evolve. And Shrdlu has a good post about how to evolve as a CISO, especially given there are very few formal education programs for senior security folks. Again, I have to default to being Pragmatic. We are BUSINESS PEOPLE and that means we need to learn more about the business. Maybe spend a week in a factory. Or in the field with sales folks. Or in the customer support group. We need to have a firm understanding of how the business works and then we'll better understand how to protect it. So don't expect anyone (not even the pirates from SANS) to provide a curriculum to gain skills. The answer is right in your own house, you just have to get out of your easy chair to get it.
Last week's Tweets of Note
Since I was off last week, I didn't do a whole lot of tweeting. But here is the stuff I pointed out. I'll be more active this week...
- Rothman (w/ @eiqnetworks hat on) does podcast with TechTarget's Andy Briney on SIM market. http://is.gd/12CbQ
- If you are a vendor, you must follow @crankypm. She speaks the truth about how the sausage is made. And it ain't pretty. http://is.gd/12CgF
- Don't be too happy. It's politically incorrect (even with $36MM burning a hole in your pocket). Tom Peters rant: http://is.gd/13qJ1
- CSO role changing? Techie to business exec. http://is.gd/13rk2 Remember Deming: It's not necessary to change. Survival is not mandatory.
- No, you look great in that MooMoo. But if not, link from a TDI reader on a good eating plan from Texas Tech. http://is.gd/13rwJ
- IM Logic deal was such a success, #SYMC needed to launch a new IM Security Service. Back to 2004! http://is.gd/13rLS #lovetimemachine
- Cisco launches Flip Video Sharing Service. http://is.gd/13suI #watchuglypeoplescrewing
- Not much rumble about start-up Dasient. Seems like a feature to me. Other opinions? http://bit.ly/acNnG
- Off to do @andrewsmhay favorite SIEM panel with 5 other vendors. Should have had hemlock with lunch. http://bit.ly/iyzEI
- Heartland picks Voltage to build end to end crypto thing. Hopes this will subdue class action vultures. Not so much. http://bit.ly/rPnJi
- Been banging my head against wall for 90 minutes. Made a mess in conference room. #SIEMcast
- Google "considers" tightening web app security. http://is.gd/15nci <- Quick response, but a grin fookng nonetheless.
- RT @shrdlu: Checkpoint is advertising something called "WHALE pricing." <- Maybe they can call it "SUCKER pricing"
- I look at this post from @paperghost and I don't feel bad that idiots that fall for this crap get the pwning they deserve. http://is.gd/15yhT
- June Fortune Cookie Advice from Matthew Rosenquist (http://is.gd/15zq2): Think strategic. Act competitive. Be secure. <- Kumbaya.
- Bad career advice from @mmurray @ljkush? Not Machiavellian enough. Feed boss hemlock and step over body on way to top! http://is.gd/15A52
- The real Grumpy Pete tries to take on Bejtlich relative to ROSI. This does not end well. http://is.gd/15FcX
- Mastercard initiates QSA stimulus package (on-site for L2 merchants). Methinks they'll all be qualified. (via @mckeay) http://is.gd/15Ftv
- My Father's Day present is the realization that my kids will be able to work it out in therapy.
- Schneier shows the pre-cursor of the great Internet commerce backlash. If fraud is this prevalent folks will just stop. http://is.gd/19Cc5
The Daily Incite - 6/15/09 - RIP DDL
June 15, 2009 - Volume 4, #28
Good Morning:
I have to admit that when I read earlier this month that Dom DeLuise had passed away, I was
a bit saddened. Of course, I didn't know him - but I certainly remember
the laughter he brought to me during my childhood years. You had to
love him in Cannonball Run and the Mel Brooks' classics Blazing Saddles
and History of the World: Part 1. He always seemed like he had a love
of life. Maybe that was his persona, but I chose to believe it back
then.

I also remember his role in the movie Fatso.
That one was hard for me to watch back in 1980 because well, um, I was
fat. When he went through the binge scene and his inability to get a
handle on it, I understood. All too well.
Of course, the movie has a happy ending and Dom's character gets the girl and realizes that it's all about love and that his love for someone else can fill the place of his love of food. Most of the time characters in movies aren't like you. As much as I like to think I'm just like Indiana Jones or Captain Kirk or Tyler Durden, I'm not.
But I was the Fatso character, and seeing that movie gave me hope. Until I cracked open that bag of semi-sweet chocolate morsels anyway.
I've been working to address those lifelong demons for the past few years. I'm happy to say I'm making progress. It's a battle every single day, but as I realize what's important and what makes me happy and try my best to do that every day - I find the need to mow through a pizza or bag of chips diminishes.
It's also why I totally got into the Biggest Loser show on TV this past season. The Boss and I used to watch the last few episodes of each season, but this year we saw every single one (thanks to the wonders of DVR). It was amazing to see the transformation of the contestants. Not just on the outside (which was unbelievable), but also on the inside. These are different folks after 6 months. You can only hope they've addressed their demons and can sustain the change.
Maybe it's wrong, but we also let the kids watch the show. Genetically, it's pretty likely they'll all have to be careful with their nutrition. But we've decided the messages shown prominently on the show about eating (you have to eat enough, but the right stuff - starving doesn't get it done) and exercise (you have to do it, and a lot of it) are important for them to learn at as early an age as possible. Obviously you don't want to go overboard and make them crazy, but you also can't expect them to get good habits by hoping.
So with that, have a great day. And I can only hope Dom D is enjoying his 20 course meal in the great cafe in the sky...
Photo: "Dom DeLuise's Stationary" originally uploaded by activitystory
Incite 4 U
It's actually been kind of hard to choose what to highlight in the now "weekly" Incite. So I go to some old favorites and some of the guys that actually do some thinking in this business. Certainly not vendor hacks like me. Enjoy.
- Understanding the "Phases of Compromise" - Bejtlich is at it again. Pushing us all forward with a series on how to not just understand, but communicate the specifics around incidents. Since he works for BFC (big freakin' company) now, communicating severity of incidents up the food chain is critical. So Richard first discusses a rating system, then rethinks this as it's more of a "classification" concept, and finally distills this into a discussion of the phases of compromise. We can noodle over the specifics of one classification vs. another, but in reality whatever tags you use are fine. Just use them and communicate what they mean, and be consistent. And feel lucky that a guy like Richard continues to share his perspectives for a great price.
- Strategic customer is a two way street - I'm fascinated by the continued attempts of folks to want to feel special. This NetworkWorld article discusses whether it makes sense to look for a "strategic" security provider or focus on best-in-breed offerings. First of all, I don't know what best-in-breed means. But there's a bigger issue. Unless you work for BFC (big freakin' company) and you have a pipe to the vendor's CEO, you are not a STRATEGIC customer for the vendor. Thus, you shouldn't consider the vendor a strategic partner of yours. Sure, you can look to simplify your environment by using products from a select few vendors. But don't delude yourself about how "strategic" you are to the vendor. For the most part, they care about the next PO you generate, not much more. (Salesman nasty grams can be directed to feedback@screwoff.com)
- Fight battles you can win - This post from Gunnar vents a bit about secure coding defeatism, and he's right, but more than a little idealistic. We have to continue fighting to get developers to do the right stuff or life will NEVER get better. That being said, you are not going to get everyone on board in one fell swoop. Even if you have a senior mandate (unless you are MSFT). So look for "poster children," those developers that get it and want to do the right thing and are willing to stand up and say so. Make them successful, and highlight their successes as an example (quick win) to the other developers. And be realistic about how long it will take to change. Inertia is a really hard thing to combat...
- Letting the "market" give PCI some teeth - Le Mogull vents a bit here about making PCI better. I agree that PCI has been a good thing all things considered, but as we've all discussed, there needs to be real teeth and real accountability for these jokers doing the assessments. Of Rich's ideas, the one requiring merchants to publicly disclose when they change assessors is the most interesting. Clearly being a QSA is a competitive business, and that means unsavory folks will say what the merchant wants them to say, and say it for a low price. If you hold them accountable for such shenanigans, then we have a fighting chance of making PCI better. And that involves pulling back the cloak of secrecy on failed assessments and changing assessors.
Last week's Tweets of Note
I'm still trying to figure out how to most effectively do this Twitter thang, but thus far it's been a mix of conversation, banter and some interesting links. I suspect most of you are not interested in the banter or conversation, so I'll just highlight the links I thought were interesting. Please note the links are shortened and if you click on them, it's on you. But that's the way Twitter rolls.
- Today's Dilbert nails it (AGAIN). @arj this is the hamster wheel of CEO wealth. http://dilbert.com/strips/
- Must check this out from Daily Show. Especially if you have g-parents in FLA. Watch the whole thing. http://is.gd/1023o
- Palo Alto to offer traffic shaping. Awesome, that worked pretty well for Check Point 10 years ago. http://is.gd/102P5
- For anyone in a VC funded co: http://is.gd/10356 (via @avc)
- Confidential snooping on the rise, says Cyber-Ark. The answer: more Cyber-Ark product - OF COURSE. http://is.gd/103hm
- Awesome post by the Mogull. Very pragmatic. "All patients die...eventually." No one outruns the GriM reaper. http://bit.ly/13mRFL
- Freeware AV taking share, but not because of price? Yeah right. http://bit.ly/qZtur
- While everyone focuses on iPhone 3GS, I'm most excited about Snow Leopard. Finally will kill Entourage. All for $29. http://bit.ly/64ko5
- Great video for all those dim marketers you deal with daily, including me. http://bit.ly/GCnRx (via @crankypm)
- This is why location scares the crap out of me. No out of office messages. And I don't tell you where I am. http://bit.ly/Y5Z6e
- This is one school superintendent you shouldn't mess with. Wonder if he used a @Beaker or @jeremiahg armbar? http://bit.ly/RWhLN
- MFE trying to get back in the net security game. Just say "next generation" and "lower ops costs." That's the ticket. http://bit.ly/BcDie
- Interesting backstory on Symantec/Brightmail. Enrique talks about planning the IPO, while working a Big Yellow Check. http://bit.ly/17jAbE
- Steve Riley on proof of work systems to change spam economics. Until stupid people stop buying from spam, nothing changes. http://bit.ly/dVbtx
- Sec Spnd survey (MetroSITE Group March 2009). most see sec budgets coming down. Compliance main driver. Shocker! http://is.gd/Ybd6 (pdf)
- Oh nos, now it's MSFT free AV going to take down SYMC and MFE. Again. Guess it must be a slow news week. http://is.gd/YQ9s
- June issue of InfoSec Mag posted. Lead story on SIMs. http://is.gd/YQXg - Anyone else miss the hardcopy version? PDF just not the same...
- RSA's new term: hyperextended enterprise. Sounds really painful. Results from @beaker armbar - http://is.gd/Z0YL
- Move to DC: cost $$. Leave fancy job: $$$ Take cyber-security czar job: Not enough $$$ in world. @DennisF speculates. http://bit.ly/o3Fmf
- Pr0n sites targeted by malware. Crap. Guess it's time for Mac AV. http://bit.ly/JQTgO
- Long lost Rob Newby on crack. Encryption no closer now than before. #toodamnhardnotworthmoney http://bit.ly/P2BQB
The Daily Incite - 6/8/09 - Truth or Dare
June 8, 2009 - Volume 4, #27
Good Day, y'all:
The Boss was having a GNO (girl's night out) yesterday, so being the
lazy slug that I am - I decided to take the kids out for dinner. That
went fine, especially since I didn't force the boy to eat anything
besides french fries. Some (I mean most) days it's just easier to give
in than to dig in and cause many tears and heartbreak for those unlucky
enough to sit by us. I'm waiting for social services to drop by any day
now, especially when I force the kid to eat chicken nuggets or a
different brand of cheese stick (he's partial to the Shrek cheese
sticks).

Seriously. But this kid has the constitution of Gandhi, so I have no
doubt he'd go on a hunger strike if we don't make the 20 minute drive
to the one Super Wal-Mart in the metro Atlanta area that actually
carries those damn cheese sticks. I'm all for the hunger strike because
we could certainly do with the extra $5 or $6 of groceries the kid
actually consumes each week. Yet the Boss isn't there yet, so we
continue to negotiate.
But that's not even what I wanted to talk about. On the ride
home the girls are bantering about some nonsense or other, and all of a
sudden my oldest blurts out "Truth or Dare." I almost drove the van off
the road I was laughing so hard.
Clearly the kids are growing up way too fast. I remember back to my
high school days and "Truth or Dare" certainly had a less than innocent
connotation. Of course, I had to live vicariously through my friends
because I had no rap and I wasn't invited to play in those cool
games.
And while I'm there, I may as well pick up some of those Shrek cheese sticks. A boy can't exist on chicken nuggets and Oreo cookie yogurt alone, now can he?
Have a great day.
Photo: "Let's Play Truth or Dare" originally uploaded by loser
Incite 4 U
It's a cold day in hell. That's right, I just opened up a Twitter account. I suspect this isn't the first time someone will call me a twit, but at least now it's legit. I'll explain why (after 18 months of being VERY resistant to the idea) in more detail tomorrow, but in the meantime you can follow me @securityincite. I'm still trying to figure out how the damn thing works, but I'll likely be doing daily updates there, so check it out. I'll start in earnest tomorrow. And without further ado, here is some Incite.
- That's right, one hell of a job - One of the great things about being at META back in the day was the battles we'd have about our research positions. Though it's not the same, seeing the debate on BlogInfoSec about whether security is the worst it's ever been (and whether we practitioners categorically are delusional about the job we are doing) kind of reminds me of those research meeting battles. I have to side with Sam DeKay here since the times are different now and comparing what we accomplish now (for a given investment) with what we accomplished back in the days before firewalls is a bit of an apples to rutabaga type of comparison. That being said, we have a lot of work to do, but it's not necessarily work on protecting things - it's work on the perception of security's value to the muckety-mucks.
- Fighting off the Botnets - Interesting article on NetworkWorld about defending against botnet-based denial of service attacks. There are a few options, including some services that you can buy and some other techniques that you can apply on your own network. The most interesting (to me anyway) is the idea of using Cisco's reputation filters. Back in my anti-spam days I saw the value of reputation, and as it gets embedded in the network it will be a good thing. But the reputation is only as good as the data used to determine someone's reputation. The fact that you saw an IP address scrawled on the stall at a concert probably shouldn't automatically disqualify someone from sending you an email. Though it's probably not an insignificant data point either. It would be interesting for Cisco (and the other reputation providers) to be transparent about how these reputations are determined. But there is a fat chance of that happening.
- Defining your priorities - Gunnar is right on the money in discussing (and expanding on James McGovern's expansion of Gunnar's information security focus post) enterprise security priorities. He takes James' principles and does a good job of explaining and clarifying. Though I do want to make the point that ARCHITECTURAL priorities are much different than OPERATIONAL priorities. There is no doubt that auditors drive a lot of architecture and some tactical projects. But we as practitioners also have to pay attention to how we prioritize our operational responsibilities. You have a list, so what needs to get done each day? That is one of the most important decisions you will make. I'm all for high level thinking and appreciate it, but we can't forget the tactical ways we decide what to focus on. In many cases, a broken operational prioritization is much more damaging than a broken architectural prioritization.
- Why the SDL is like Seinfeld - I'm a big fan of quick wins. In fact, with today's CNN-based ticker at the bottom, multi-tasking, ADD ridden society, if you can't get a quick win, you usually don't get to keep playing. The guy who runs NBC said that Seinfeld wouldn't have been given the time to develop if it had been introduced in 2007, as opposed to 1989. Sad, but true. So Jeremiah talks a bit about how to get a quick win, and amazingly enough it has to do with vulnerability assessment + WAF (which is one of Big J's specialties, or that of his company anyway). Interestingly enough, there is a disincentive to do the right thing, which is to build software correctly in the first place. The SDL doesn't show value quickly enough, and therefore is a risk for CISOs to push for. As they are casting for the SDL-Seinfeld web show, you've got to love Shostack to play Kramer. A little hair gel and the likeness is uncanny.
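To make the reputation point in the botnet item concrete: here is an added example, written for this page and not taken from the NetworkWorld article or from Cisco's reputation filters (whose actual scoring is not public). It scores an address from reports of differing trustworthiness, decays them with age, and can show exactly which evidence produced the verdict. The source names, weights, half-life and thresholds are assumptions for illustration, and the report feed is constructed from documentation address ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address

# Hypothetical evidence sources and per-report confidence weights (0..1).
# Names and numbers are assumptions for this example, not any vendor's model.
SOURCE_WEIGHT = {
    "own_honeypot":      0.9,   # we watched this host attack us directly
    "spam_trap":         0.7,   # hit a partner's spam trap
    "partner_blocklist": 0.5,   # listed on a shared blocklist, unverified
    "anonymous_tip":     0.1,   # the "scrawled on a stall" class of report
}
HALF_LIFE_DAYS = 7.0            # a report loses half its weight per week


@dataclass(frozen=True)
class Report:
    ip: str
    source: str
    seen: datetime


def report_weight(report, now):
    """Source confidence, decayed exponentially by the report's age."""
    age_days = max(0.0, (now - report.seen).total_seconds() / 86400)
    return SOURCE_WEIGHT[report.source] * 0.5 ** (age_days / HALF_LIFE_DAYS)


def evidence_for(ip, reports, now):
    """All (source, weight) pairs that apply to `ip`, strongest first.

    This is the "show your work" view a reputation provider could expose.
    ip_address() normalises both sides, so 2001:DB8::1 and 2001:db8:0:0::1
    are the same host, and garbage like "1.2.3" raises ValueError instead
    of silently matching nothing.
    """
    target = ip_address(ip)
    found = [(r.source, report_weight(r, now))
             for r in reports if ip_address(r.ip) == target]
    return sorted(found, key=lambda sw: sw[1], reverse=True)


def reputation(ip, reports, now):
    """Badness score in [0, 1] for `ip`.

    Reports combine as independent chances of being bad:
    score = 1 - prod(1 - w_i). Two medium reports add up to more than
    either alone, but one low-weight tip can never cross the block
    threshold by itself.
    """
    keep = 1.0
    for _, w in evidence_for(ip, reports, now):
        keep *= 1.0 - w
    return 1.0 - keep


def verdict(score, block_at=0.8, greylist_at=0.4):
    if score >= block_at:
        return "block"
    if score >= greylist_at:
        return "greylist"
    return "allow"


# Constructed sample feed (documentation ranges, not real hosts).
NOW = datetime(2009, 6, 8, 12, 0, 0)
REPORTS = [
    Report("192.0.2.10", "anonymous_tip", NOW),                           # tip only
    Report("192.0.2.20", "own_honeypot", NOW - timedelta(days=1)),        # seen attacking us
    Report("192.0.2.30", "partner_blocklist", NOW),                       # two medium
    Report("192.0.2.30", "spam_trap", NOW),                               #   sources agree
    Report("192.0.2.40", "partner_blocklist", NOW - timedelta(days=14)),  # stale listing
    Report("192.0.2.40", "anonymous_tip", NOW),                           #   plus a tip
    Report("2001:DB8::1", "partner_blocklist", NOW),                      # IPv6, mixed case
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8:0:0::1"):
        s = reputation(ip, REPORTS, NOW)
        print(f"{ip:18} score={s:.3f} {verdict(s):9} evidence={evidence_for(ip, REPORTS, NOW)}")
```

The address reported only by the anonymous tip stays at 0.1 and is allowed, while two medium-confidence sources agreeing pushes 192.0.2.30 to 0.85 and a block; a two-week-old blocklist entry plus a tip is not enough to greylist. evidence_for() is the transparency the item asks providers for: a verdict you can argue with, rather than a number you have to take on faith.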
The Daily Incite - 6/1/09 - The GriM Reaper
June 1, 2009 - Volume 4, #26
Good Morning:
They say the Grim Reaper gets us all. Today Dr.
Death visited our pals at GM in Detroit. OK, not really Dr.
Death, but his main henchman for business - Captain Bankruptcy. It's
not like this wasn't expected, and (in my opinion) it will be healthy
for the longer term viability for GM. It's hard to be competitive
when a multi thousand dollar entitlement albatross was weighing down
every car GM sold.

The idea is that bankruptcy will allow GM to sell assets, rewrite
contracts (especially with the unions) and restructure to be
competitive. As a guy who drives GM cars when I rent, but wouldn't buy
one myself - I think the economic situation was one piece of it. They
also need to be more nimble and build products that folks want to buy.
But the bigger issue here is the concept of periodic renewal.
If you remember back to the mid-80's, the concept that GM would go
bankrupt was absurd. But then foreign automakers came in and built a
better product more efficiently. And 20 years later, GM is on the verge
of going away, if they can't change things very quickly. Basically
every company must fight to not get stale and doing the same things
year after year breeds mildew.
It reminds me of when I was doing an internship at Mobil Oil (when
Mobil still existed) back in college. I was living at home and taking a
bus to a train into New York City. The commute took me about 90 minutes
a day and amazingly enough some of the folks doing that same commute
did so for 30+ years.
So we can take a message from our friends in Detroit. If we aren't undertaking a process of constant renewal, things will get ugly and most of us don't have the option of a Government bail-out.
Have a great day.
Photo: "Demolition means progress" originally uploaded by churl
Incite 4 U
Better and better every day, every week. Imagine that, an Incite two weeks in a row. And I'll be starting to embrace "social media" more effectively this week, which I think will be a good thing. Stay tuned for that.
- Obama says cyber-security is important - The big news on Friday was the publishing of the 60 day cyber-security review that took 120 days to complete. I know that counting is hard in Washington DC. But the message was a good one. Byron Acohido did a nice job of summarizing the key points, though every tech publication and most of the blogging community wrote something about it. But there is a big difference between words and action. Over the next 120 days, in order to maintain any kind of momentum, there needs to be a clear and defined action plan for how we achieve the President's 5-point plan. It's not going to happen by itself, or just because Obama says so. We should all be cautiously optimistic and also prepare a set of talking points for senior management to understand if/how the new initiatives will impact your organization.
- Metrics on the brain - When times get tough, the tough get counting. Isn't that how the saying goes? In security, counting has always been hard (as I've written about a million times), but we are making steady progress towards understanding what to count and then counting it. Dark Reading covers both how the fine folks at the Center for Internet Security have published their initial consensus-based security metrics work, and Project Quant, which is being driven by the Mogull. CIS puts forth 20 interesting metrics (well, mostly metrics - some are a bit hard to really quantify) and it's a good start. Remember, some metrics will be operational in nature and some more focused on quantifying our value up the stack. The more substantiation we can have for the security team, the more likely we'll be able to stay around, especially if things remain economically tough.
- Should we call them VeriSell now? - VeriSign continues to dismantle the house that Stratton built, now selling the MSS business to SecureWorks. Given VeriSign's focus on seemingly selling renewable low-value thingys to mostly smaller companies (like domain names and SSL certs), selling the MSS business makes sense - even if they had to take a $100+MM bath on the transaction. This also gives SecureWorks the leg up as the biggest of the independent MSS providers, and they did it for a reasonable price. Of course, now the fun work begins of moving the existing VeriSign business to its MSS platform to gain the economies of scale, but if you aren't getting bigger in this business - you are getting smaller.
- Predict this Dave... - It's never too late to poke fun at vendor mumbo-jumbo. Back at RSA, McAfee's Dave DeWalt unveiled a vision called "predictive security," which probably resides in the same bunker as the Holy Grail. I know, I know - I'm objecting to the words again as opposed to the concept of evaluating a crap load of data to figure out what is actually happening out there. But as my Dad the lawyer always tells me, the words are important. Mining data you are gathering from the field is NOT predictive. It's reactive. The concept is that by having this data, you can see patterns emerging and draw conclusions FASTER. But that is not PREDICTING anything, is it? And the astronomy and meteorology analogies are interesting because I wouldn't say weathermen have a great track record of really getting it right. Though I guess "faster reactive security" isn't really a catchy marketing term.
- Picking that QSA - Chris Hayes provides a good structure to evaluate a QSA in this post. Too many folks don't realize that picking a QSA is just like picking any other kind of service provider, and given the number of these folks that are popping up, it's a very competitive market on the verge of commoditizing. Of course, that means buyer beware must prevail to make sure you are getting adequate value, while minimizing cost. Also make sure anyone you talk to is well aware of the PCI Council's quality initiative (pdf) and challenge them on it. Some folks want a PCI assessor to just give them the rubber stamp, but that is being pretty short sighted. They can and should point out issues that need to be addressed, before the bad guys force the issue.
The Daily Incite - 5/28/09 - Swine Paranoia
May 28, 2009 - Volume 4, #25
Good Morning:
So I'm on a flight a couple of weeks ago, and the guy next to me starts
coughing. No, not a "cough cough." It was like he was hacking up a
friggin' lung. Thankfully there was the air sickness bag to catch the
nastiness. Normally, I don't think twice about that, besides to check
my sleeves and make sure nothing escaped the dude's tissues. But with
the Swine Flu going around, of course, that's the first thought I have.

So I start calculating the numbers. There have been a couple of hundred cases of the flu in the States. That makes the chance that I'd be sitting next to a carrier roughly... .0000001%. Some days I'm thankful for the mathematician in me that runs numbers and probabilities and uses those rationalizations to continue to function.
Now that the threat is averted, I bury myself in another 50 games of Flood-It, perhaps one of the most addictive iPhone games. I really need to stop downloading these games. I probably should be writing TDI posts instead, but what fun is that?
Right when I'm lulled into a sense of Coke Zero complacency, the guy in
front of me starts coughing that same cough from the guy next to me.
Could it be? Could it be spreading that quickly? Then I feel that
little tickle in my throat. Oh crap, I have it too?
Until the guy behind me goes into a coughing rage... Basically, I'm screwed. Have a great day.
Photo: "ZOMG!!! Swine Flu!!!!" originally uploaded by Amanda-Ruth
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Incite 4 U
I know. I suck. The best laid plans seem to get derailed by, well... life. Between sales meetings, day job responsibilities, and all the other crap that piles up on my plate, TDI has taken it in the shorts. So next week I'm going to recalibrate a bit and try to take a different perspective on it. I appreciate your patience.
- You can't boil the ocean - Though the Incite lawyers are hard at work on the cease and desist order for Rich to stop using the term "Pragmatic" anything, he makes a really good point in discussing the Pragmatic Data Security Cycle. Most things security fail miserably when we try to cover everything. There is just too much, so part of success is knowing where and how to bound all of these key initiatives. Hopefully Rich (and Adrian) will be fleshing out how to actually do this in subsequent research because it's like learning Mandarin for lots of folks. We know we should do it, but it's really hard.
- SMARTS gets smart about ConfigureSoft - The deals keep coming fast and furious. Yesterday, EMC announced the acquisition of ConfigureSoft for a undisclosed sum, though I'd be surprised if it was more than 2.5-3x trailing revenues. Most interesting to me is that it was EMC's Resource Management Group (which is built around the SMARTS system management technology) that did the deal, not RSA. Configuration management is more about operations than security - always has been. So having the EMC mother ship drive this deal is an indication of that.
- Finding the next gig - Great post on the Security Catalyst site by Bill Pennington about how to stand out from the crowd during a job search. Getting an audience is the first step and Bill outlines the way he likes to be approached, which is great advice and probably very similar to many hiring managers out there. I very rarely use headhunters because I don't have to. I usually know the folks I like for a position, and if not, then the interesting ones tend to figure out how to find me. Though this is only the front end of the battle, and there are also some good pointers about how to research a company you are interviewing with. If you don't have a crisp idea on how you are going to help, forget it.
- The future's so bright, you don't need shades - Is there a longer term future for the CISO? Or does the position go the way of the dodo bird? Boaz wonders how many larger organizations really need one? I'd posit that big companies NEED a CISO, but the CISO doesn't need to have an organization. I still believe someone needs to be the "conscience" of the organization, to evangelize and persuade the operational teams and business units that security is important. This person needs to own the "program" and set the standards for what is acceptable and what isn't. What they don't need is an empire. There is no reason that firewall changes shouldn't be owned by the network team, and database security shouldn't be owned by the data center team (or DBA team if you have one of those).
- Security budgets take a hit? No kidding... - I think the security industry for the most part has a bad case of happy ears. For the past few months (even though I haven't been writing, I've been reading), a lot of folks continue to maintain that budgets will be stable, maybe even increasing a bit. Sorry, that's a load of crap and I've been saying that for a while. Everything is being scrutinized by big companies, and that includes security. The Deloitte folks did a survey finally proving that. It was restricted to media, telecom and tech companies, but I'd be willing to bet it's pretty consistent across the other verticals as well (besides maybe the Fed space). I do think security will recover first, when things start really getting better - but to think there would be no budget impact of the financial implosion and recession is just silly.
- Heartland regains PCI Compliance - Hurray for Heartland, who is once again PCI compliant. Until they aren't. To these guys' credit, they acted decisively and addressed the shorter term issues that allowed the data breach. But to be clear, this doesn't mean they are secure. It just means they have done the bare minimum, until the Standards Council decides to either re-write the rules or get into the time machine and change things. It's easy to always be right when you have a time machine at your disposal.
The Daily Incite - 3/10/09 - Crayon Appreciation Day
March 10, 2009 - Volume 4, #23
Good Morning:
For all the toys, gadgets and gizmos we've gotten for the kids, it's
usually the simple mundane and classic stuff that they really gravitate
to. For example, we have a room full of assorted toys, games and the
like. The kid's stuff used to be all over the house, but we've made a
concerted effort to contain it to one or two rooms as they've gotten
older. So what do they play with?

Crayons. That's right, good old fashioned Crayolas. We've been
tightening the belt a bit at Chez Incite, so when the Boss brought home
a little carousel with a couple hundred crayons in it and a bunch of 11
x 17 coloring books, I was a bit steamed. Sure it wasn't a lot of
money, but the kids have a bunch of stuff they don't play with - why
buy them more?
The fact is, I had a point. We are very careful, but I still
get the feeling that my kids are spoiled and don't appreciate how good
they have it. They want for nothing. If they need it, they get it. Even
if they don't need it, a lot of the time they get it. And don't get me
started on controlling the grandparents, who believe they have a
license to spoil.
But after a weekend with the new crayons and coloring books, I have to
admit that the Boss made a good purchase. My boy especially loves to
color. The focus and intensity he brings to the task is amazing. He
painstakingly colors every square millimeter on these 11x17 pictures.
It doesn't hurt that the coloring books are from Star Wars and the
Incredibles (two of his favorite movies). He can sit and color for
hours at a time.
Photo: "Crayon Fence" originally uploaded by laffy4k
Incite 4 U
- #3 on the jobs you don't want to have list... - Clearly that would be Federal Cybersecurity czar. Probably right behind athletic cup tester and right in front of grease trap cleaner. Thanks to Adrian, who posted a quick update over the weekend, Beckstrom resigned after about a year on the job. It seems the NSA got in the way of almost everything he tried to do. Byron Acohido does a great interview with Beckstrom here as well on his new-ish blog. The take-aways here? The idea of coming up with a coordinated Federal cybersecurity process is pretty much a non-starter. These folks are professional bureaucrats and you think they are going to let some entrepreneurial soul get in the way of their 3 hour lunches? So we'll continue to get "guidance" from NIST and each agency will continue to blaze their own trail. Which given the scope of the US Government and the different requirements of the different agencies may not be an entirely bad thing. As opposed to trying to coordinate everything, maybe it's time to decentralize a bit and then give FISMA (or something like it) more teeth.
- Technology is only the third stool - It's been said security is about people, process and technology. Though we in the industry seem to continue searching for magic bullets, potions or anything else that will give us a leg up on the bad guys. Yet, that mentality hasn't worked for the past 10 years and it's not going to work moving forward. Neil MacDonald over at Gartner makes that point on his blog, talking specifically about application security. He's right. Tools can help, but fundamentally it's a process and a people issue. And until we figure that out as an industry, things aren't going to get much better. I'll have more to say on that tomorrow.
- PCI + Virtualization = ??? - Clearly given the drive towards virtualizing everything, there is a big hole in the PCI-DSS regarding what you can and can't do relative to virtualization. So the PCI Standards Council spun up a virtualization working group to figure it out. This is a good move, but the proof is always in the pudding. Will they put some real controls in place? Or will it just be more of the same? Of course, a bunch of vendors are praying they do a 6.6 redux and mandate a virtualization security widget. That's not likely, but these folks can hope, no? And more importantly, when will they force adoption of these guidelines? Virtualization is happening today and I suspect many organizations aren't doing it in the most "secure" fashion, whatever that means. Which will entail a retro-fit of the infrastructure. Retailers and banks don't like retro-fitting much of anything, especially in a global recession. So we'll see what kind of tight rope Russo & Co will walk on this one.
- Cisco jumps on the email security SaaS bandwagon - I guess when you are Cisco, you don't need to be on the cutting edge. At least when it comes to mature markets and technology. About 3 years after everyone else, Cisco's IronPort group finally announces a hybrid offering encompassing appliances and services for email security. To be clear, most of the time trying to sell both appliances and services is a recipe for failure. Some companies do boxes well and some do services well. Not many do both well. But that's neither here nor there, the point is that customers will choose the right deployment model for their operational requirements. And the vendors need to figure out how to do both well, but only if they want to address the entire market.
- Dumping on the CAG - Standards are tough, especially when there are no teeth there. It seems the industry has looked at the CAG (Consensus Audit Guidelines) and decided consensus sucks. That's because it usually does. Dan Philpott at the Guerrilla CISO blog talks a bit about why the CAG has become the Hindenburg of security guidance. But to be clear, anyone trying to develop the Rosetta Stone for security is going to have similar problems. I think everybody acknowledges that FISMA needs to be improved, and give some credit to the folks behind CAG (Gilligan and Paller) for getting some discussion going. But ultimately publishing a white paper and a set of slides does not accountability make. Without teeth, a standard is pretty much useless.
What the F is with Visa?
March 4, 2009 - Volume 4, #22
Good Morning:
Sometimes I just sit in my office and scratch my head. It's rare that
I'm speechless (very rare, just ask the Boss), but when I came across this article in NetworkWorld on Visa's
latest perspective on the "new" data breach, I was pretty
much paralyzed. Yesterday, SC Magazine covered it as well.
In a nutshell, Visa is
either being run by lawyers or the Three Stooges. It's not clear to me
which one, though I'd have to side with the lawyers at first glance.
In a classic Clintonian "it depends on what the definition of is is"
moment, it turns out Visa's statement on the "new" breach didn't
indicate it was actually new. And now they are saying it wasn't new.
Maybe customers were compromised. Or maybe they weren't. Holy crap I'm
confused.
With all due respect to my Dad and all the other lawyers I call friends (most of the time), I hate lawyers. You see, this gets back to the disclosure issue. These attacks are happening, RIGHT NOW. These attacks are being successful. Financial institutions and retailers are sitting under a two ton anvil called the recession (some would even say depression).
These folks need to optimize their resources and make sure their defenses are in place against new and innovative attack vectors. Instead, you have their lawyers trying to decipher what Visa and Mastercard's lawyers are saying or not saying. All the while the attackers continue to have their way with pretty much anyone and everyone (PCI compliant or not).
I know I'm asking a lot, but to hear the truth would be nice. It's all fine and dandy that Visa is now "risk scoring" each transaction to look for fraud (didn't they do that anyway? If not what the hell do I pay my 2% per transaction for?). But they are still reacting to the attacks, not helping to address them.
Makes me want to do my best Moe imitation and give an eye poke to Larry (Visa) and a head slap to Curly (MasterCard).
Have a great day.
Photo credits: “Three Stooges” originally uploaded by NYCArthur
The Daily Incite - 3/2/09 - Snow Day
March 2, 2009 - Volume 4, #21
Good Morning:
When I was a kid, I used to love snow days. What could be better than
not going to school? As I grew up (well, to the degree that a guy like
me grows up) and had kids, then I really started to appreciate the pain
of the snow day. First of all, it snowed. So there is always some type
of clean up involved in that. Some love the snow, but me - not so much.
I don't ski, so there is little attraction to it.

Today they canceled school in Fulton County, GA. If you ask me, the
roads were fine, though there were some icy patches and it was still
cold enough this AM that the ice hadn't melted yet. So I can kind of
understand. But it caused a number of complications for the Boss.
First of all, we have to make sure we have coverage for the
kids all day. Thankfully the twins pre-school was still open, so that
eliminated a big problem. But we still had one to deal with, and it
meant rescheduling a bunch of things and basically being adaptable.
Of course, we got through it, with a minimum of pain. Next year when
the twins are in public school the one (or two) days a year when school
is canceled will present a much bigger challenge. Yet it got me
thinking about what I can learn from the snow day. Here are a couple of
thoughts:
- Adapting - It usually gets down to being able to adapt at the last minute. I was in town, so I could bring the twins to school and Jodi was able to make some plans at the last minute to keep our oldest occupied. Every day it seems we have to adapt to different things, especially in the security business. So this should be second nature. Note that I said "should" because it's amazing how many people get bent out of shape when they have to diverge from their Gantt chart and GTD task list.
- Re-prioritizing - eIQ's office in MA is closed today. It's stupid to expect people to drive through a foot of snow to make an appearance. But that means some activities that need collaboration or depend on something in the office aren't going to get done. So what do you do with the time you have? What can you get done in a remote context? This is kind of related to adapting, but all the same you always need to have a list of things that can get done in the airport (given a delay) or at home (given a problem getting to the office). Maybe it's a good day to work through all that crap piled in your inbox.
- Communicate - One of the things most challenging for folks not used to working remotely is to keep other people in the loop about activities, especially when you aren't in viewing range. Many managers will just assume if you are home, you aren't doing anything. Yes, it's stupid - but it's reality. So pound them with email. Every hour or so, even if you don't have anything to say. At least they'll know you are at your machine doing something.
Have a
great day.
Photo: "Portland loves snow days" originally uploaded by ArielAmanda
Incite 4 U
Given today is a snow day, I figured I'd work through some of my older links that I haven't had a chance to get to. I've pretty much depleted my backlog, so I figure the rest of the week I'll do some stand-alone rants and then maybe an incite on Thursday or Friday. Enjoy.
- Yes, we still need to build it in - OK, so this post from Gunnar was from this AM. He makes too good a point to put on the shelf for a week. It's really just another reminder about how important it is to strategically build security into the application layer. Throwing other technologies to try to overcome software security issues hasn't worked. Not well enough anyway. I'm still a fan of layered defenses, but given today's attack vectors, breaking the application seems to provide a get out of jail free card against all the other controls we have in place. So it gets back to doing what we all know needs to be done.
- It can happen to you - A couple of months back I talked about my eBay account getting compromised. It wasn't because I was proud or happy about it; the point is that it can (and probably will) happen to you. My hope is that my issues would be a reminder to do the right thing. The same applies to a recent David Berlind column, where he talks about his Facebook password being compromised by a phishing scheme. If you aren't constantly checking URLs and always aware, it can happen to you too. David was able to patch things up quickly, change the passwords at risk and not suffer any damage (let's hear it for the incident response plan), but this should remind all of us that it can happen and likely will happen - so be ready.
- Avoiding your SQL fix - I'm at a party on Saturday night, and I see a friend who happens to work for a company that recently suffered a pretty high profile data breach. Of course, we start talking about the breach and it was clear the initial compromise was via a SQL injection type of attack. So I explained to this non-technical guy how an attacker can "inject" a web application with SQL commands and gain access to the database. He was amazed. I soiled my pants because these web attacks have become mainstream. Big J does a great job of going through the issues with SQL Injection and more importantly how to holistically defend against the attack. It's a lot of hard work and won't happen overnight, but unless we start thinking about web app security more strategically, I may be discussing your data breach at a party soon.
- Speaking of IR plans - The illustrious Cutaway has a great post up about an incident response plan. It was all spurred by that "oh crap" moment when one of your fail-safes trips and alerts you to a successful attack. Don's first point is that you must NOT PANIC. That's absolutely true. And there is a lot of other great stuff in there about making sure you are prepared. I certainly have spoken about this topic ad nauseam throughout the years, but to me it never gets old. Why? Because as long as I keep stumbling across folks that are surprised by successful attacks and have no idea how to respond, it means the work is not done. And clearly the work is not done.
- How do you measure success again? - Measuring success for a security person is probably the hardest thing we have to do. I've long thought we spend a lot of time quantifying stupid things because it's too hard to quantify the right stuff. Mark Davidson is blogging now, so check out his piece on the topic. It's pretty high level and not overly enlightening, but makes the right points. Right now we are somewhat constrained to things like vulnerability management data and SIEM types of information. That's a starting point, and can certainly present some interesting operational data, but it's not going to yield the information you need to make a case to the senior team. For that you need to get a lot more Pragmatic...
- King Gillette would be proud - That's right, he's the guy that figured out the handle isn't that interesting, it's the ability to sell blades. It seems Check Point is looking at the same model with their "software blade architecture," which aims to provide a lot more flexibility in how security capabilities are deployed. Ah, sounds a bit like what Crossbeam has been talking about for years, but in software as opposed to hardware. It's also a bit interesting to try to paint a UTM platform as "innovative," since for years customers haven't cared about the underlying plumbing, just that they can solve their problems at a reasonable price. But I guess if you spend a bunch of money overhauling your technology, you need to at least send out a press release.
The Daily Incite - 2/27/09 - Free Agency
February 27, 2009 - Volume 4, #20
Good Morning:
Although the NFL season has been over (for all intents and purposes)
for a month, I feel more connected to what's going on this year than I
have before. Why? NFL blogs. Both ESPN and NFL.com have some great
blogs that keep you connected with everything that is happening.
Whether it's the combine or even free agency, football junkies can stay
on top of what's going on with an RSS reader and minimal effort.

Ah free agency. That annual time of year when smart money usually stays
on the sidelines and stupid money parties like it's 1999. Even this
year, when money is tight everywhere (even Commissioner Goodell took a
20% pay cut - down to like $7 million a year, ouch) there will be some
high profile signings. And we can look forward to the coming years when
there will be those same high profile flame-outs, but they will have a
few more Bentleys courtesy of NFL stupid money.
That got me thinking about how to apply a free agent mentality to
our industry. The reality is there are folks with a unique skill set or
a set of accomplishments that will always be valued. And headhunters
are kind of the "agents" of security folks, except they work for the
"owners." So basically you need to act as your own agent and find out
which of the owners needs to bolster their defensive line.
That's right, even though the economy is crap and most security
professionals are keeping their heads down, now is a good time to start
networking and seeing what's out there. No, I didn't spike my coffee
this morning. I'm serious. Smart companies are always looking to
UPGRADE their talent. That's right, even though there is a low
likelihood there is something open - that also takes the pressure off
from any meetings you'd have.
So maybe it's time to test the free agent market. Who knows,
maybe you'll be the next Albert Haynesworth.
Have a
great weekend.
Photo: "Michelle Yeoh: He was the highest bidder" originally uploaded by chrisjohnbeckett
Incite 4 U
I'm sure you know some folks that never make a mistake. The kinds that no matter what happens, it's someone else's problem. They are perfect and everyone else sucks. Sound familiar? Well it seems that guy is now the PCI Security Standards Council. Their leadership is not willing to accept any responsibility or intimate that their wonderful 12 requirements may, in fact, not be perfect. I had a rip roaring rant all lined up in my mind and then I saw Rich become totally unglued about it. Rich correctly intimates: "With the volume of breaches we've seen, this either means the standard and certification process are fundamentally broken, or companies have had their certifications retroactively revoked for political reasons after the fact." 'nuf said.
- It's all about inertia. - So the earnings season for security/network related companies is in full swing. We had strong earnings from McAfee a week ago and now we see SourceFire, Blue Coat and Guidance holding their own. Why are some companies doing well and others (like Trend Micro) not so much? I tend to think there are three thoughts here. The first is that companies with a large exposure to Federal business are certainly going to do OK, since the Feds continue to spend money on cyber-defense. Second are companies that have huge inertia, meaning large customer bases and big maintenance streams. It's easier to just renew the maintenance on pretty much anything when expenses are being scrutinized, so that's got to be part of it. Finally, a lot of security companies really executed poorly over the past few years, and a few got new management in place that is sucking a bit less. And there you have it.
- Data must drive decisions - Security metrics is truly quicksand. We all want it, yet we can't really agree on what needs to be there. I know folks like CIS are driving progress in the area (which is great), but we still have a long ways to go. This month's Fortune Cookie from Intel's Matthew Rosenquist resonated with me. "A worthless metric is one which fails to drive decisions, even when the metric result radically changes." That's exactly right. Now the data we need to gather and analyze can be for two audiences. Us and them. We need operational data that helps "us" prioritize what needs to be done. We also need higher level, business centric data to substantiate value to "them," you know - the guys writing the checks.
- A whole lotta ROSI - It shouldn't be a surprise, but I'm still no fan of trying to paint security within any kind of ROI context. Grumpy Pete and I have had battle royales over this in the past and now Fratto is weighing in. He uses Ed Moyle's thinking about saving money (as providing ROI) through increased efficiency and then brings up a great point. "What is never talked about is where that savings comes from." That's exactly right. And his conclusion is also right: "Efficiency is a side effect, not a goal." I ranted a while back about the challenges of using efficiency to justify expenses now, given that most staffs are already cut to the bone (it was my Selling Fear post). Whether it's fear or value, selling something other than efficiency is probably your best path in these times.
- The price tag of PCI - Found a set of interesting numbers (from Gartner I think) on the PCI DSS Compliance blog. Level 1's report spending almost $3 million on PCI. Level 2's do $1.1 big. Those are big numbers and they are going up, but we don't get a feel for percentages, and that would be most interesting. How much of a company's security budget/spend is being consumed on PCI or any other reg? I suspect it's a lot, although a lot of the stuff for PCI can be used for security ops and other regulations. The point is to figure out how to get some of these leveraged projects paid for and it seems PCI is still a good place for that. Even though you know Russo will point the finger at you, at least he's helping you pay for stuff.
- Shut up and drive. - One of the tactics that can be particularly useful to folks trying to gain credibility internally is to start up a security steering committee. This would get involvement from all sorts of folks within the organization that can make your life miserable if they aren't on your team. There is a good piece on SearchSecurity about how University of Washington is using the steering committee to get things done. I'm always looking for good, leveraged ways to get face time and ensure the senior team is on board with the program and the tactics. So this sounds like a great idea to me. I'm kind of pissed I didn't think about it. There is always P-CSO 2.0.
The Daily Incite - 2/25/09 - Walking the tightrope
February 25, 2009 - Volume 4, #19
Good Morning:
It's tough to find the balance. Like most of you, I struggle daily with
how to spend my time. Of course, there are day job responsibilities
that have to get done, but also lots of things to do around the house
and I also continue to indulge my habit of writing these missives a
couple of times a week.
I need to send my buddy Shimmy a big shout out today. For the last two
days (yesterday, today), he's done his own version
of the "Incite" and truth be told, he's doing a great job. That just
goes back to the reality that what I do certainly isn't unique, nor is
the way I do it.
And by the way,
Alan was kind enough to send me a nice email yesterday morning to make
sure I wasn't steamed that he's co-opted the format.
Personally I couldn't be happier. I'm also very flattered. I
read all the trade press and it's pretty dry and mostly crap. So the
idea of summarizing the things that are important makes a lot of sense
and then having an audience to wax poetic and spout whatever crap comes
into my brain that day is fantastic. I would be very selfish, but also
delusional and arrogant if I tried to "own" the format.
In today's world, content wants to be free and it's very easy
to "borrow" business models. So I default back to the idea that I don't
need to own everything anymore. I don't need to win if it means
everyone else has to lose. This isn't a zero sum game, so there should
be plenty of room for other loudmouths to share their opinions in short
snippets every day.
Which brings me back to the concept of balance. Every day we all have
to make choices about what we will do and what we won't do. How we'll
spend the 24 hours ahead of us and what compromises that will require.
The way things are going now, I'll likely only be able to do a Daily
Incite type of piece once or twice a week. I find the format is
somewhat restrictive to going into more detail on a topic, which is the
other one or two pieces a week.
I couldn't be happier that guys like Shimmy are willing to join the
conversation and adopt the format. Anything that adds value to the
community at large is OK by me. It's taken me a long time, but I
finally figured out that if it's good for all of you, then in the long
run it'll be good for me. Now back to the tight rope.
Have a
great day.
Photo: "this guy is walking on a flaming rope" originally uploaded by noopzilla
Incite 4 U
Unfortunately I wasn't able to trek up to DC to attend Black Hat DC this year. The reason I like going to these kinds of shows is really to remind me about what is there and how although the tactics have changed, the general philosophy of what we need to do really doesn't. Richard Bejtlich really sums that up nicely in his Black Hat wrap-up. His words are much better than mine.
Man, that is well said and really sums up the REACT FASTER doctrine. And it still works, though with the ability of the bad guys to cover their tracks and hide their malicious code, it's getting harder. What fun would it be if it was easy, right?
- The only
guarantee is that you'll fail - Hoff (who is looking for a new gig) gets
it exactly right on this one. I knew there was a significant brain
drain out of IBM/ISS, but it seems there is no one left over there with
any sense of security history. That's obviously not true, but to put
out a statement that they "guarantee" cloud security is just
asinine. Unless they've figured out how to get rid of all the
people that have access to the data in the cloud, they can't make
statements like that. But the good news is that the Internet never
forgets, and as soon as there is an issue, there will be tons of folks
digging up this quote and shoving IBM's face in the hot pile of
steaming you know what. I can't wait...
- Kicking the competition in the nuts - Alan hit on BigFix's 50% sale in one of his "Incites" and was generally positive on the concept. I've got mixed feelings. First of all, companies compete on price when they can't compete on capabilities or value. That's usually true, but in this kind of environment, inertia is very, very strong. So customers aren't going to do much of anything besides write their maintenance checks. But if you reduce their maintenance pricing by 50%, that could play very well with folks trying to figure out how to do more with less. It's very aggressive, and I like aggressive. It also allows BigFix to tell the story about how patch management is only like 10% of what they claim to do. All in all, this is good marketing. Now we'll see how the competitors respond.
- You probably can't do this at home - Great story on Dark Reading about how HD Moore dealt with a DDoS attack on his Metasploit sites. The good news is that you probably aren't HD, so the odds you'll be specifically targeted as often as he is are small. But in the event you are (hey HD!) or are a similarly high profile target, keep in mind that you can't solve these problems on your own. You need the help of fellow researchers to quickly pinpoint the origin of the attacks, and likely the authorities to try to shut down the botnet command and control apparatus. Also keep in mind that you don't really "win" a DDoS fight; you try to get to a point where you can limp away.
- Time for more marshmallows, the fire sales continue - Two more deals over the past week that I'd term as "fire sales." The first is Mirage being acquired by TrustWave. Lots of folks continue to wonder if NAC will ever become a real business, and my stand has been pretty consistent on that. It's a feature, and the question is not if, it's when the independent NAC folks are taken out of the mix. Next it's Nortel starting to divest assets as part of their bankruptcy activities, and it seems RadWare is taking on the Alteon web balancing product line. After a couple of years at Nortel, you wonder if there is anything but a customer list and some hardware inventory left within the Alteon group.
- Virtualization security moving to the fore? Uh huh... - Sometimes you read something that just makes you laugh. I need to thank Neil Roiter for my comic relief a few days ago when I found his recent piece, "Virtualization security moves to the fore in 2009." HA! I guess there wasn't a lot to write about last week. Yes, virtualization will remain hot this year due to its ability to make data centers more efficient. And lots of researchers will continue to try to break the virtualization layer to figure out where the issues are. I also expect the vendors to continue flapping their lips about how they are making virtualization more secure. What I don't expect to happen is for customers to give a crap in 2009. Unless one of the researchers is very successful, that is.