Days of Incite

Special Incite: 2008 Incite Report Card

Submitted by Mike Rothman on Fri, 2009-01-02 12:16.
Today's Daily Incite

January 2, 2009 - Volume 4, #1

Good Morning:
Happy frackin' New Year. That's right. After being largely invisible in December, I'm going to try to be better about consistently posting the Incite a few times per week and some other random thoughts as they appear in my pea brain.  Are you ready??? 

You see, I've come to realize that I can't get everything done. I've been weighed down for the past month with guilt that I would spend a few hours doing my "personal" stuff when I had so much to do for my day job. What I've discovered is that regardless of whether I work 10 or 18 hours a day - there is always more to do.

So screw it. I'm going to write my newsletter because I've missed doing it. The Boss reminded me of a few good ones that I wrote over the year (she doesn't exactly read them the day they are written) and I realized how much logging my daily rantings has become part of what I like to do.

So I'm going to keep doing it. And with that, take a look back at 2008 and see what you did right and wrong. What are you going to change? How are you going to change it? Are you sure? I've got no patience for the "resolutions" that everyone makes when the ball drops in NYC.

You either change or you don't. I mean MASSIVE CHANGE. Some folks look to make incremental changes. In my experience (especially with personal development), it doesn't work. It's too easy to backslide into the old, bad habits. I do that all the time.

Don't fool yourself thinking that 2009 will be different unless you are going to be doing something different, actively and consistently. I've heard the definition of insanity is expecting a different outcome from the same activity. I believe that.

So here's to you making the changes you need to make in 2009, and to having a great year!


Photo: "massive change" uploaded by 416style


2008 Incite Report Card

We could sit and agonize about how crappy 2008 was. But actually it was a pretty decent year for me. I'm very fortunate and I know it. But as Anton points out, there is no way I was going to miss getting back to my Incites for 2008 and seeing how I fared. Of course, my time schedule doesn't allow me to do such detailed analysis of each Incite, but I'll provide a sentence or two on each one - just to keep myself honest.

As I look at the Incites, I only have one comment. Pretty crappy... But like everyone else, I didn't foresee the depth of the economic malaise and that had a direct impact on a lot of these projections. At least, that's how I rationalize my continued inability to project much of anything.

 

Incite #1:  Express Your Inner Bean Counter

Substantiating the value of security continues to plague practitioners, who still can’t specifically answer the question: “Are we secure?” Structured security programs (ISO 27001/2, COBIT, Pragmatic CSO) help align programmatic activities, and look for significant advances in the area of security metrics – where the industry begins to gain consensus about what can and should be tracked.

Grade: D+

This one didn't exactly go as planned. OK, it really should be an F. There was no consensus and there doesn't seem to be any consensus on the horizon. It's too bad because it's something that is sorely needed by the industry. But we are (justifiably) more worried about keeping the lights on and fighting to keep our already limited resources and funding. Though metrics will help in the long term, we don't have the luxury of thinking long term right now.

 

Incite #2: It’s time for an audit revolution

Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.

Grade: B

Whenever you see any of the surveys heading into 2009, compliance is still a critical issue and one that "will not" be deferred, regardless of the economic situation. I'm not quite sure I believe that, but I do think that compliance continues to be a major corporate imperative. Even in a global recession, the auditors still show up and we'll probably still treat them like crap. Which is another story for another day.

 

Incite #3: Best of Breed DOA

As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

Grade: B+

Can you even get a stand-alone firewall anymore? I guess if you consider Palo Alto's box a "firewall," then maybe - but that's about it. This has happened and no one even talks about it anymore, and with Check Point's acquisition of Nokia's appliance business - it'll accelerate. Consolidation will continue in 2009, valuations will come down (reflecting the lack of options for most small security companies). I'm also right on target with the consolidation of security management offerings. At least I've made a huge career bet on it, so I'm not just blowing smoke on this one.

 

Incite #4: Weaving security into the network fabric

Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.

Grade: B-

Network security is largely just "accepted." Everyone has some equipment to protect their perimeter. The rush to bake security into the fabric will take longer than anticipated, mostly due to the fact that with the economic carnage - there are no real catalysts to invest in the infrastructure right now. We saw a few NAC vendors go out and some trying to keep their heads above water. But this is a market for the big boys and the sooner any independents find a partner, the better it will be for them (and their investors).

 

Incite #5: Night of the Internet Dead

With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

Grade: A

There was seemingly no stopping the zombie machine as it continued to proliferate around the world. We did see an ISP of ill repute get thrown off the island (when other ISPs stopped peering with them), but an amazing thing happened. Attacks continued, machines kept getting compromised, and with the exception of a week's respite, the head grew back. In 2009, trying to stop all of these attacks is a bit too much to ask. So focus on making sure you contain damage and (right) REACT FASTER.

 

Incite #6: Laptop encryption hits the big leagues

Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.

Grade: B+

Are there any stand-alone laptop encryption things left? I know, I know - a few - but not many. All of the big AV vendors have their own solution and in 2009, we'll likely see the bundling happen in earnest. Why wouldn't McAfee, Sophos and Symantec (once they buy GuardianEdge) just give it away? In this kind of environment, these guys will be pushing for renewals, and adding a lot of sweetener to get it to happen. What has lagged are the management tools from the O/S vendors (MSFT and Apple) to really make this happen as part of the operating system. The fact that no one is deploying Vista doesn't help either.

 

Incite #7: The SDLC is your friend

As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).

Grade: C

Another casualty of the economic downturn will be strategic things like the SDLC. Which is too bad, since it's critical that we address the root cause of these application attacks. Web application firewalls did find their sea legs, and they can send the check to "PCI Security Standards Council." When the PCI folks made the firewall a must-have, they carried the entire business with it. That will likely lead to Imperva and Breach getting a long look from the network security vendors in 2009. And the SDLC work that really needs to happen gets pushed back to 2010/11, best case.

 

Incite #8: Protect the Vault (that’s where the money is)

The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors’ disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.

Grade: B

Database security limped along in 2008, as big companies started dipping their toes into the water. But this wasn't a very exciting business in 2008, and it's hard to see what's going to make it exciting in 2009. And every year this space doesn't break out is another year the big DB folks get closer to doing it themselves - or acquiring technology at fire sale prices. And when was the last time you heard anything about encryption infrastructure? I suspect a bunch of the small vendors hanging on in that space will go away in 2009, and the rest will be subsumed - because there just isn't a market for it. 

 

Incite #9: Get the jumper cables for DLP

Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send an SSN# (or other regular expression) outside of the organization.

Grade: B+

The fact is that DLP is a small market, and will remain that way. I've heard (anecdotally) that Symantec's group (the former Vontu) is doing well, but that's about it. The standalone vendors are struggling, and the big vendors are trying to figure out what to do with it. Licensing the engine to Microsoft seemed to be RSA's answer. I still hold to the reality that large enterprises can look at a stand-alone solution because their liability is a lot greater - everyone else should be playing around with their mail and web gateways and tuning those regular expressions. Yes, it's a lame answer - but can you go spend 6 figures on a DLP thing now? Right.

 

Incite #10: Hack thyself

Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.

Grade: C

Driven perhaps by the loud mouths that continue to talk down pen testing, this was still an uphill battle for those enlightened security professionals that actually wanted to see what was really at risk. I'll admit to being a little early on this one, but over the next 2 years it will play out. Why? Because most of the new attacks target applications and a lot of the application scanners actually have exploit-like code built in. So application testers (right, Q/A folks) will become "pen testers" as we expand the definition of pen testing. The economic environment has probably put the kibosh on any kind of formal "security assurance" group for the time being - but that is another one I believe will play out, though it may be part of the audit team over time.

2008 DOI: Day 10 - Hack Thyself

Submitted by Mike Rothman on Thu, 2008-02-28 11:10.
2008 Incite: Hack Thyself
Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.



I have gotten a total of zero calls this year telling me that management has doubled their security budget and is hiring a full staff in 2008. That doesn’t mean it doesn’t happen, but it’s about as likely as you hitting the lottery. 2008 will be like every other year I can remember. Security professionals will be forced to continue doing more with less and staying strong in the face of innovative attacks.

We all have a long list. None of us can get through the list daily. And once you cross one thing off, it seems two new ones appear. As I mentioned in the 2007 Incite on CSO Next, the ability to prioritize may be the most important skill for practitioners. The first step in that is to understand what is important. That’s Step 1 in the Pragmatic CSO.

I call this prioritization, but you could also make a case that this is what risk management is about. You decide what to do based upon the risk it presents or mitigates for the organization. Easier said than done, of course – but it needs to be done.

Yet, there is another aspect of the prioritization process that is starting to come into vogue and that’s what I call “security assurance.” A lot of folks have a lot of different opinions about what security assurance means, but to me it’s about making sure your defenses are up to snuff. The only way to do that is testing. Basically hacking your defenses, before the bad guys do.

Big companies should have their own assurance team, whose sole responsibility is to break things. They need to work fast, they need to be candid, and they need to kill the sacred cows. You (as the security guy/gal) want them to find all sorts of stuff. Remember, it’s a race and the bad guys are searching for successful attack vectors at all times.

If you aren’t a big company, then hire someone periodically to provide this type of testing. You want them to penetrate your defenses and show you the paths of least resistance. Small company practitioners should also invest some time and become familiar with the automated pen testing tools (Metasploit, Core Impact, Canvas, etc.). You should use these tools, as often as you can. You will find stuff and then you’ll know what to fix first. You aren't going to be able to stop a determined, skilled hacker - but you can make it harder for a script kiddie, using some tools he/she downloaded from a hacker site.

I'm also a big fan of social engineering your own employees. Of course you shouldn't keep any money you manage to collect, but everyone deserves an annual trip to Morton's, no? In all seriousness, if you believe Roger Grimes’ contention (thanks to Shostack for reminding me of that) that 86% of the Windows vulnerabilities required the user to do something, that means it’s a type of social engineering. The bad guys will be social engineering your employees, count on it. You should too.

Lastly I want to draw a distinction between vulnerability and exploit. Vulnerabilities show a theoretical attack path. But you may have other defenses that don’t allow the vulnerability to be exploited. A lot of companies spend a lot of time and a lot of money to fix vulnerabilities that cannot be exploited, which of course is a waste of time and does not help us prioritize on the most important stuff.

An exploit is just what it says. It’s a real attack, in the wild, which can be used to 0wn your networks, systems and applications. This is live ammo, folks. Obviously you don’t want to shoot your foot off. But you need to know what can be exploited because that’s the only way you can figure out what to fix first.

And given the amount of stuff on your plate, you need to know what to fix first.

Photo credit: rollerboogie

2008 DOI: Day 9 - Get the Jumper Cables for DLP

Submitted by Mike Rothman on Wed, 2008-02-27 11:29.
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

2008 Incite: Get the jumper cables for DLP
Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send an SSN# (or other regular expression) outside of the organization.



Sometimes it’s hard delivering a message your friends don’t want to hear. I have a lot of friends in the DLP space and many of them are not happy with my prediction that the DLP market stalls in 2008. They weren’t bashful about calling me an idiot. Of course, the Mogull correctly wonders during our email interview whether the DLP market ever got started in the first place, but that’s neither here nor there.

The fact is DLP is expensive, it’s hard to implement (with any sophistication anyway), requires a lot of cross-functional cooperation both within and beyond the IT group, and takes a long time for customers to get discernible value. I know a lot of the vendors will argue those points, but that’s what I’m hearing.

Yes, it’s getting easier. Yes, some companies are coming into the market with more attractive price points. Yes, the high profile acquisitions of the DLP start-ups will allow more flexible bundling and pricing. Yes, a few of the companies are growing nicely, albeit off of a small base.

But this market is still very early. It is what it is.

You have a lot of users that continue to kick the tires. You also have a lot of companies that aren’t taking the time to kick the tires. Organizationally they are not ready. Many of them don’t want to know the answer. They can maintain plausible deniability if they don’t have physical evidence of private data and intellectual property theft. That sounds weird, but it’s true. You have a lot of political maneuvering as to who gets to set the DLP policies and what happens when they find a violation. These are things that have to be determined before a deployment begins.

Internal politics is actually the biggest risk to the DLP market. If the organization can't get on the same page in terms of policies, workflows, and the like, there is no way anyone's technology can solve that problem.

With an economic headwind, a focused investment like DLP usually goes out the window. But that isn’t the biggest reason DLP will stall this year. I think it’s the presence of “poor man’s” DLP, in the form of email filtering and web filtering that are going to be “good enough” for most end users in 2008. Yeah, the DLP vendors definitely don’t want to hear that.

Let’s be clear that most of the DLP market has been driven by compliance. Big companies are writing big checks because they feel they have a gun to their heads. But what if they can convince themselves that looking for account IDs, Social Security #’s, and some other regular expressions is good enough? If they believe the auditor will only poke their eye 1 knuckle deep, I believe they stop writing the checks.

Fact is - most companies already have a gateway (at least email) that can provide a rudimentary outbound filtering capability. They turn it on and they figure out a lot of data is leaking. They also have an endpoint security suite that is starting to add features like device control to deal with USB drives and iPods.

They set some policies to show to the auditors and to prove they are taking data loss seriously and implementing additional controls to fix the problem. Auditors don’t expect the problem solved (at least initially), but they do want to see incremental progress. Monitoring SMTP and outbound HTTP is that kind of progress.
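To make the "poor man's DLP" concrete, here is an added example (not code from this post, and not any gateway vendor's product) of the kind of outbound content check an email or web gateway applies: regular expressions for SSNs and payment card numbers run over constructed sample messages, plus the validity checks (the SSA's unissued area/group/serial ranges, and the Luhn check digit) that keep a bare regular expression from flagging every nine- or sixteen-digit part number as a leak. The sample messages, the block-or-allow policy and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample outbound messages (made up for this example, not data
# from the original post). Each is what a mail or web gateway would inspect.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "partner@example.com",
     "body": "Invoice total $1,200. Thanks!"},
    {"id": "m2", "to": "me@webmail.example",
     "body": "Customer SSN 123-45-6789 and card 4111 1111 1111 1111"},
    # Looks like an SSN, but area number 000 is never issued: not a hit.
    {"id": "m3", "to": "vendor@example.net",
     "body": "Part number 000-12-3456 ships Monday"},
    # 16 digits in card layout but fails the Luhn check: not a hit.
    {"id": "m4", "to": "ops@example.org",
     "body": "Ticket ref 4111-1111-1111-1112"},
]

# SSN in AAA-GG-SSSS layout; the lookaheads encode the SSA rules that area
# 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the gateway log never stores the identifier."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(msg: dict) -> list:
    """Return (kind, masked_value) for every validated identifier in the body."""
    findings = []
    for m in SSN_RE.finditer(msg["body"]):
        findings.append(("ssn", mask(m.group(0))))
    for m in CARD_RE.finditer(msg["body"]):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", mask(digits)))
    return findings


def filter_outbound(messages: list) -> dict:
    """Gateway policy (an assumption for this example): block any message with a
    validated identifier, allow the rest. Real deployments usually start in
    monitor-only mode and log instead of blocking."""
    return {msg["id"]: ("block" if scan_message(msg) else "allow") for msg in messages}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["id"], filter_outbound([msg])[msg["id"]], scan_message(msg))
```

Two practitioner notes: findings are masked before they are returned, so the gateway's own log does not become the next leak; and a numeric ID that happens to pass the Luhn check will still trigger, which is why most shops run this in monitor-only mode and tune the expressions before turning on blocking.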

And it doesn’t cost $500,000 to get started.

To be clear, I do believe in the core value proposition of DLP, in terms of helping organizations protect their data and make sure it isn’t being sent to webmail accounts, competitors, or even customers. I just don’t think the current DLP deployment model of using an overlay content monitoring and blocking infrastructure will solve the mass-market problem.

DLP really needs to be a feature, and it’s starting to happen. EMC and Symantec will build the DLP algorithms into their storage management suites, while trying to milk the standalone cow as long as they can. Big AV (Symantec, McAfee and Trend) all have bought DLP properties and will be shipping the DLP agent capability with the endpoint suites.

Longer term, there is no DLP market. Which is as it should be. A philosophy of protecting data should be a fundamental value for every organization.

2008 DOI: Day 8 - Protect the Vault (that's where the money is)

Submitted by Mike Rothman on Tue, 2008-02-26 11:26.
2007 Incite: The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

2008 Incite: Protect the Vault (that’s where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendors’ disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.


In the second half of the application/data/information security Incite, let’s dig a bit into database monitoring and security. The hackers are a lot of things, but stupid isn’t on the list. They know the database stores most of the information they want, so that’s what they target.

Most organizations haven’t done much in terms of protecting their databases, mostly because they figured the attackers couldn’t really get to the database – so they focused on other things. Unfortunately they are wrong. External bad guys are very good at compromising web applications giving them unfettered access to the data store. Even more potentially damaging are the insiders, since they already have access to the database server, and from there it's not brain surgery to get access to the data.

Now you have auditors coming in and pointing out that very issue. So lots of the larger database security implementations have been a direct result of an audit finding, and the natural response follows – buy a product and make the problem go away.

This is another case where we’ve seen this movie before. I expect database security to continue rolling out like most other security functions. First came the scanners. Most organizations won’t spend money on solving a problem they don’t know they have. So the initial step is usually to do a vulnerability assessment on your databases. They are checking for vulnerabilities and configuration errors.

Next they tend to monitor what’s going on. Who is accessing what? Should they be there? What changes are being made? It’s the whole separation of duties thing. The auditors want someone to watch the watchers. So some kind of monitoring is usually the next capability that gets rolled out. Per usual, I have no dogma or religion about monitoring via an external appliance or a software layer on the DBMS. There are use cases for both models.

Finally there is blocking. If the device were to detect a clear attack, it wouldn’t be a bad thing to block it. Yet, this capability is very similar to IPS. A lot of customers have it, and a lot of them don’t use it. Not to overdramatize, but you need to be able to explain to your COO why a multi-million dollar transaction was blocked by the database security gateway. That doesn’t mean you shouldn’t be blocking anything, but you better make sure you are blocking the right stuff.
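Here is an added example (not the post's code, and not modeled on any particular appliance or DBMS agent) of the monitor-versus-block distinction above: it parses constructed database audit lines, and its policy is that only an unambiguous injection pattern gets blocked, while separation-of-duties problems (a DBA reading the PII table, the application account connecting from an unexpected host, a schema change) raise alerts for a human to review. The log format, table names, hosts and the signature list are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed database audit lines (made up for this example, not output of
# any real product). Assumed format: ts user= role= src= stmt=<statement>.
SAMPLE_AUDIT = """\
2008-02-26T11:26:05 user=app_svc role=app src=10.0.1.20 stmt=SELECT name, ssn FROM customers_pii WHERE id = 4471
2008-02-26T11:26:09 user=app_svc role=app src=10.0.1.20 stmt=UPDATE accounts SET balance = balance - 2500000 WHERE id = 91
2008-02-26T11:27:40 user=jsmith role=dba src=10.0.9.5 stmt=SELECT * FROM customers_pii
2008-02-26T11:28:02 user=app_svc role=app src=10.0.1.20 stmt=SELECT name FROM customers_pii WHERE id = 1 OR 1=1 --
2008-02-26T11:29:15 user=jsmith role=dba src=10.0.9.5 stmt=ALTER TABLE accounts DROP COLUMN audit_flag
2008-02-26T11:30:00 user=app_svc role=app src=203.0.113.7 stmt=SELECT name FROM customers_pii WHERE id = 4472
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) stmt=(?P<stmt>.*)$")

# Policy inputs (assumptions for this example).
PII_TABLES = {"customers_pii"}   # tables holding private data
APP_SOURCES = {"10.0.1.20"}      # hosts the application account may connect from
# Deliberately narrow: only patterns with no legitimate reading get blocked.
INJECTION_RE = re.compile(r"\bor\s+1\s*=\s*1\b|union\s+select|;\s*drop\b|--\s*$", re.I)
DDL_RE = re.compile(r"^\s*(?:alter|drop|truncate)\b", re.I)
TABLE_RE = re.compile(r"\b(?:from|into|update|table)\s+([a-z_][a-z0-9_]*)", re.I)


def parse_audit(text: str) -> list:
    """Parse audit lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event: dict) -> tuple:
    """Return (verdict, reason). Only an unambiguous attack pattern earns 'block';
    everything that merely looks wrong is 'alert', so a legitimate large
    transaction is never stopped by the monitor."""
    stmt = event["stmt"]
    tables = {t.lower() for t in TABLE_RE.findall(stmt)}
    if INJECTION_RE.search(stmt):
        return ("block", "injection pattern in statement")
    if event["role"] == "app" and event["src"] not in APP_SOURCES:
        return ("alert", "application account used from unexpected host")
    if event["role"] == "dba" and tables & PII_TABLES:
        return ("alert", "privileged interactive read of PII table")
    if DDL_RE.match(stmt):
        return ("alert", "schema change")
    return ("allow", "")


def triage(text: str) -> list:
    """Verdict per audit line as (ts, user, verdict, reason)."""
    return [(e["ts"], e["user"]) + classify(e) for e in parse_audit(text)]


def summarize(text: str) -> dict:
    """Count verdicts; the number a reviewer looks at first."""
    return dict(Counter(row[2] for row in triage(text)))


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT):
        print(*row)
    print(summarize(SAMPLE_AUDIT))
```

The large UPDATE on `accounts` is allowed even though it moves a lot of money: nothing in the policy identifies it as an attack, which is exactly the COO conversation described above. A real monitor would profile each account's normal statements and tables rather than rely on a short pattern list, but the tiering (block only what is unambiguous, alert on the rest) is the part that carries over.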

Like everything else (or so it seems), over time this capability is subsumed into the database and/or network infrastructure. But that “over time” will be measured in years, probably 5-7 of them. That gives the database security market plenty of running room over the next couple of years.

Yes, you will see consolidation. But I don’t think that will happen in 2008. The database vendors are still in denial that it’s a problem (or that their over-priced, under-functional solutions aren’t good enough) and the market isn’t big enough to make it a must-have for a big security aggregator. Truth be told, this is something that IBM and HP should have. It would be very complementary to their application dev and security tools, and should be wrapped into big application infrastructure projects as a preventative measure. Net-net, this is not a stand-alone market for any length of time.

What about encryption? You can’t really talk about data/information protection without mentioning good ol’ crypto. There will be little change in the crypto business in 2008, if anything things may slow down a bit – given macro-economic headwinds and the fact that no one wakes up and says, “I gotta get me an encryption infrastructure!” So we’ll continue to see the same user and vendor dynamics.

Users will continue to not understand why they need an encryption infrastructure and the vendors will continue to focus on making encryption disappear in other application initiatives. And that's where it should be.

To wrap up, we are on a multi-year journey for customers to understand that protecting data is fundamentally different than protecting networks or even servers. 2008 sees us continuing to understand. We aren’t there yet, but we are getting closer.

Photo credit: sigma

2008 DOI: Day 7 - The SDLC is your friend

Submitted by Mike Rothman on Mon, 2008-02-25 17:00.
2007 Incite: The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

2008 Incite: The SDLC is your friend
As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).


Like yesterday’s piece on laptop encryption, I decided to split the 2007 information security Incite in 2008. Why? Because starting to implement a secure software development lifecycle (SDLC) is a key imperative this year. No you can’t wait until next year or the year after that. Software projects take years to go from idea through deployment to maintenance. Sure there are many iterations along the way, but if a project starts in 2008 and isn’t built thinking about security from the get-go, it’s not going to happen later.

I’m not going to go through the numbers of why it’s important to fix software defects early in the process. That is obvious or at least it should be. You want to eliminate issues prior to software being deployed. Bokay?

Here’s the rub. Organizationally, it’s hard to embrace secure coding standards. You need a seriously high level mandate to get everyone on board, and those take some time. Yesterday on Microsoft’s SDL blog, Michael Howard details how Microsoft embraced their SDL. Basically they did it because Bill Gates told them to. They had no other choice. Unfortunately sometimes that’s what it takes to get the behavior changes that are required.

There are other reasons why the SDL needs to be a short-term imperative. It may be the first situation where security leadership influences other parts of IT and the business to think about security – before they have to. Remember, being a senior security professional requires sales and persuasion skills. Yes, these are more valuable than technical chops moving forward.

As I mentioned, it’s a long tough slog to get the developers to do a threat model when they are architecting the application. It’s hard to get Q/A to add more security tests to their harness because they are already behind since they got the code late. It’s hard to get them to hold up a release, which is already late, because there are serious security holes. Yes, it’s hard.

So how do you get there incrementally, knowing that true adoption of the SDLC will take years? Basically you need to attack the issues on multiple fronts. You’ve got to make the investment in the process (SDLC), but you should also start thinking about how tools can supplement the process changes.

Neither web application scanners nor web app firewalls ever really hit the big time. They remain interesting niche markets, but that’s far from what is required to solve the problem. Let’s hit the scanners first. Basically these tools tell you (at a high level) where the holes are in your applications. Actually, to be more correct, they will find SOME of the holes.

Web app scanners cannot find logic flaws in your applications. They have trouble detecting cross-site request forgery. You still need humans to do that. So running a systematic application penetration test is critical to uncovering those issues the technology doesn’t catch. The fact is the tools only go so far and we still need skilled humans to do a comprehensive analysis of an application.
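To make the gap concrete, here is an added example (my own code, not from the original post) of the kind of flaw a black-box scanner has no basis to flag: a state-changing handler that accepts any POST carrying a valid session, beside the same handler gated by a synchronizer token the attacking site cannot read. The accounts, balances, handler names and the request shape are constructed for the illustration.

```python
import hmac
import secrets

# Constructed in-memory "database" of account balances (not from the original post).
BALANCES = {"alice": 1000, "bob": 0}


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and stash it server-side.

    The legitimate page echoes this token into its form; same-origin policy
    keeps a page on another site from reading it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def transfer_vulnerable(session, form):
    """State-changing handler that trusts any POST arriving with a live session.

    A browser attaches the session cookie to a cross-site form post on its own,
    so a page on evil.example can drive this handler as the victim. A black-box
    scanner sees a 200 and a balance update, which is exactly what a legitimate
    transfer looks like: nothing about the response says "bug".
    """
    user = session.get("user")
    if user is None:
        return 401, "not logged in"
    amount = int(form["amount"])
    if BALANCES[user] < amount:
        return 400, "insufficient funds"
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return 200, "ok"


def transfer_protected(session, form):
    """Same handler, but it demands the session's synchronizer token first.

    The forged post can carry the cookie but not the token, so it fails here
    before any state changes. Constant-time comparison avoids leaking the token
    byte-by-byte through timing.
    """
    user = session.get("user")
    if user is None:
        return 401, "not logged in"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return transfer_vulnerable(session, form)


def forged_request(to, amount):
    """What a malicious page can submit: the browser adds the cookie, not the token."""
    return {"to": to, "amount": str(amount)}


def demo():
    """Replay one forgery against both handlers, then a legitimate post against the hardened one."""
    BALANCES.update({"alice": 1000, "bob": 0})
    session = {"user": "alice"}  # the victim's live session
    # Vulnerable: the forged post moves money.
    status_vuln, _ = transfer_vulnerable(session, forged_request("bob", 250))
    # Protected: the same forgery is rejected...
    status_forged, _ = transfer_protected(session, forged_request("bob", 250))
    # ...while the real form, carrying the token, still works.
    token = issue_csrf_token(session)
    legit = {"to": "bob", "amount": "100", "csrf_token": token}
    status_legit, _ = transfer_protected(session, legit)
    return status_vuln, status_forged, status_legit, dict(BALANCES)


if __name__ == "__main__":
    print(demo())
```

Run it and the forged request drains 250 from the first handler and gets a 403 from the second, while the legitimate post with the token goes through. A scanner that has no model of what this form is supposed to do sees a 200 in one case and a 403 in the other and cannot tell which one is the defect; a human reading the handler can.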

Still, running a current generation scanner is better than not running one at all. Two of the biggest players in that space were Watchfire and SPI Dynamics. Both were acquired last year by the development tools divisions of IBM and HP, respectively. There is a real risk that innovation slows for both of these companies, since the scanner business is hardly adjacent to development tools.

On the web app firewall front, these devices just never got going. And now you have new entrants (like Palo Alto Networks) and the existing firewall folks claiming to do more sophisticated application-level firewall functions. There are some protocols and attack vectors that web app firewalls handle, that the other devices can’t. Does that mean you need it? As usual, it depends on what you are trying to protect. If it’s that important, then the answer may be yes. But the market has spoken thus far, and web app firewalls are being voted off the island.

I want to wrap up with a little career advice. I get asked frequently where practitioners should focus their efforts and how they can maximize their opportunities and status within their organization. I tell them to learn how to break and protect applications. There is a major skills shortage in dealing with application security, so if you are looking to become more relevant – that’s where to supplement your skills.

Photo credit: freshelectrons

2008 DOI: Day 6 - Laptop encryption hits the big leagues

Submitted by Mike Rothman on Wed, 2008-02-20 15:32.
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

2008 Incite: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.


Looking back at the 2007 Incite on leak prevention, it covered the broader DLP space. This year, I’ve decided to break the Incites up. The DLP piece will hit in a couple of days, but in the meantime I want to focus on laptop encryption.

When I did the dry run of the Incites to a group of my trusted colleagues, the universal feedback on this was DUH! Everyone already figured laptop encryption was in the “big leagues” and kind of a foregone conclusion. Unfortunately, there is a large part of the world that isn’t there yet.

Just think about the market numbers. Check Point’s PointSec group did something like $80 million in 2007. McAfee’s SafeBoot did a bit less. There are a bunch of other players with significantly less revenue. The firewall business is billions, laptop encryption is not. Yet. Laptop encryption is not a universal thing by any stretch of the imagination. My message here is that it needs to be.

If you have laptops, you need laptop encryption. It’s as simple as that. I don’t care whether you get the big enterprise package or just mandate the use of the built-in O/S tools. You need to do something. Why? Because laptops go away. They are stolen. They are lost. And they have private data on them.

One other thing before I jump into the market dynamics. If you have service providers (outsourcers, contractors, et al) that store your data, then THEY need to do laptop encryption as well. How many organizations are pulling splinters out of their butts because their auditor or their on-site contractor lost a laptop? That should be a requirement for continued business and put as a standard term of professional services contracts. OK, off soapbox now.

What about the market for laptop encryption? Basically, it’s going away. The first wave of this has already happened. Check Point and McAfee took out the two biggest players in the laptop encryption market. There are others and they will be spoken for in 2008. Symantec needs something. So does Trend and every other company that wants to play in the endpoint space. Check Point and McAfee will use the encryption as a wedge and differentiator in a market with precious few differentiators. That means the others are sure to act.

But over time, that capability within the endpoint suite goes away as well, or its value is marginalized at a minimum. The capability will be subsumed into the operating system. Windows Vista already has BitLocker, but it’s not there yet from a centralized management standpoint. Once it plugs into Forefront or maybe just SMS (or whatever they call the management thing nowadays), then it truly becomes a feature. Apple has had FileVault for years as well. That works great, but doesn’t really have central management capabilities.

This is another market where the standalone vendors better find a partner pretty quickly. The window won’t be open for long. They better enjoy the fresh air while it’s there.

Photo of the Enigma machine: chris_malcolm

2008 DOI: Day 5 - Night of the Internet Dead

2007 Incite: You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

2008 Incite: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing security teams to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.


Last year’s malware Incite was about integration, and that has largely come to pass – so I ended up consolidating that topic with the perimeter Incite since both functions are no longer “best of breed” types of functions.

This year I want to focus on the inevitability of compromise. I don’t mean you’ll work out your issues more cordially with your significant other this year. I mean the fact that your users will do something stupid and thus they will get 0wned and that means your environment will be compromised.

Nowadays, it’s just too easy to get nailed. The users don’t have to do anything. The bad guys now plant drive-by downloads on LEGITIMATE sites. Let me go over that again. The bad guys compromise a legitimate server and have it serve a rootkit or Trojan to every visitor. It happened to an ISP a couple of weeks ago.

There is no end-user defense against this. Training your users isn’t going to help, since they are going to a legitimate site. But it gets better. Now the bad guys may be specifically targeting YOU or someone in your organization. That’s right. They know your name. They know your email and they want to get something from you. It’s a lot more likely if you are a “C”-level something for a big company or in the news or something like that.

But all the same, this level of targeting is unprecedented.

Since I’m no mathematician (sorry Mr. Calabrese, I probably should have paid better attention in 11th grade), let me do the calculus. Users get nailed going to sites they trust and the bad guys are now specifically targeting them. Crap. What the hell do we do now?

You know what’s coming don’t you? That’s right, you need to REACT FASTER. For long time Incite readers, this is a predictable outcome. I’ve never been one to say that you can “get ahead of the threat.” The best you can do is to make sure you figure out you’ve been compromised before there is too much damage.

Yes, it’s all about containment and incident response. Though we shouldn’t get the cart ahead of the horse here. First we need to know something is wrong. We do that by monitoring. So do yourself a favor and get Bejtlich’s book on network security monitoring (The Tao of Network Security Monitoring). That is the bible of how to do this.

I believe that this is a function that needs to be integrated into the security management platform. I talked in the Best of Breed DOA Incite that security management will undergo a fundamental shift towards an integrated platform mentality. Monitoring logs, Netflow, and other stuff (like database logs, applications, transactions) is critical to figure out what you should be focusing on.

Unless you are the one in a million that has so many security resources and budget that you get through your list every day – you need to prioritize. How do you prioritize your activities? By investigating the stuff that looks fishy, and you find that stuff via monitoring.

Here is some math even I understand: Monitor aggressively + REACT FASTER = Live to fight another day.
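As an added example (my own code, not from the original post), here is the kind of triage logic that monitoring feeds: it runs over constructed NetFlow-style records and scores internal hosts for two zombie tells, periodic beaconing to a single peer and connection fan-out to many peers, so those hosts land at the top of the worklist. The addresses, timings, byte counts and thresholds are made up for the illustration; real flow data needs tuning of both thresholds.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (epoch seconds, src, dst, dst_port, bytes).
# None of this is real traffic; it is shaped to show the two patterns the detector looks for.
FLOWS = [
    # 10.0.0.5 talks to one external host roughly every 60s with near-identical payloads: a beacon.
    (0,   "10.0.0.5", "203.0.113.9", 443, 512),
    (60,  "10.0.0.5", "203.0.113.9", 443, 520),
    (121, "10.0.0.5", "203.0.113.9", 443, 508),
    (180, "10.0.0.5", "203.0.113.9", 443, 515),
    (241, "10.0.0.5", "203.0.113.9", 443, 511),
    # 10.0.0.7 looks like a person browsing: few destinations, irregular gaps, varied sizes.
    (5,   "10.0.0.7", "198.51.100.20", 443, 42000),
    (340, "10.0.0.7", "198.51.100.21", 80,  9000),
    (900, "10.0.0.7", "198.51.100.20", 443, 120000),
] + [
    # 10.0.0.9 opens SMTP sessions to a dozen different hosts inside a minute: spam-bot fan-out.
    (300 + 5 * i, "10.0.0.9", f"192.0.2.{i}", 25, 300 + i) for i in range(1, 13)
]


def beacon_score(times):
    """How periodic a list of timestamps is: 1.0 is perfectly regular, 0.0 is noise.

    Uses the coefficient of variation of the inter-arrival gaps. Fewer than four
    flows is too little evidence, so such pairs score 0 rather than tripping on
    a couple of coincidental hits.
    """
    if len(times) < 4:
        return 0.0
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.mean(gaps)
    if mean_gap == 0:
        return 0.0
    cv = statistics.pstdev(gaps) / mean_gap
    return max(0.0, 1.0 - cv)


def triage(flows, beacon_threshold=0.9, fanout_threshold=10):
    """Turn raw flows into a worklist: one finding per suspicious internal host,
    highest score first, so the analyst knows what to look at before lunch."""
    by_pair = defaultdict(list)   # (src, dst) -> timestamps of flows between them
    by_src = defaultdict(set)     # src -> distinct destinations it talked to
    for ts, src, dst, _port, _nbytes in flows:
        by_pair[(src, dst)].append(ts)
        by_src[src].add(dst)

    findings = []
    for (src, dst), times in by_pair.items():
        score = beacon_score(times)
        if score >= beacon_threshold:
            findings.append({"host": src, "reason": "beacon",
                             "peer": dst, "score": round(score, 3)})
    for src, dsts in by_src.items():
        if len(dsts) >= fanout_threshold:
            # Scale so a host at twice the threshold saturates at 1.0.
            score = min(1.0, len(dsts) / (2 * fanout_threshold))
            findings.append({"host": src, "reason": "fan-out",
                             "peer": f"{len(dsts)} hosts", "score": round(score, 3)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(FLOWS):
        print(f"{f['score']:.3f}  {f['host']:<10} {f['reason']:<8} {f['peer']}")
```

The point is not the two heuristics, which any real platform implements with far more nuance, but the shape of the output: a short, ordered list of hosts worth an analyst’s next hour, produced from data you already collect. The browsing host never appears, which is what keeps the list short enough to act on.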

Photo credit: Drunken_Monkey

2008 DOI: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Fri, 2008-02-15 09:43.
2007 Incite: Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.

2008 Incite: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.


When you think about it, there really shouldn’t even be a network security industry. Who is going to connect to the Internet bareback nowadays? Only Rip Van Winkle. Even back in the late 90’s you had to look hard to find folks that didn’t use firewalls. But a firewall alone does not a network security strategy make.

So we had things like IDS and then eventually IPS that made inroads. Application oriented attacks followed, so we needed spam gateways and web filters. Now we have web application firewalls because the existing network security devices can’t really handle some of these newfangled attacks. It’s that same innovation, integration, and consolidation cycle I mentioned yesterday.

At the same time the perimeter defenses were integrating, we had a general acknowledgment that letting infected devices connect to our networks was a bad thing. It just took a few SQL*Slammers to show how dangerous it was when a mass proliferating anything breached your perimeter. So the network access control business was born. It was actually called Network Admission Control initially, and Cisco coined the term. Of course, the ABC (anyone but Cisco) crowd couldn’t let that happen, so they all banded together and figured Network Access Control (NAC) was a better term.

NAC was the second coming. NAC was everywhere. NAC could cure cancer. That’s if you believed the hype. I, of course, did not and was projecting a disappointing 2007 for NAC. I was right, but that was obvious. No technology could live up to that hype. And it didn’t.

So where do we go from here? Basically I think a lot of folks forgot the first word in network security, and that is NETWORK. I’m seeing a lot of operational security resources migrate back to the ops teams (and the pendulum swings back) – so a lot of the buying decisions for network oriented stuff are going to increasingly end up with the network folks.

Guess who networking folks like to buy product from? Right, networking vendors. Thus, it’s just a matter of time before Big Networking squeezes the network security specialists out. So anyone selling an exclusively overlay network security solution is going to have a problem. Over time, those capabilities are built into the switch. So if you don’t have a switch and you do NAC, I’m hard pressed to see how that works out a couple years from now.

To be clear, this is not an absolute and it’s going to take years to get there. But to think that end users want layers of overlay security on top of their devices is silly. Also, figuring that your favorite big networking vendor isn’t going to end up with the majority of network security market share is being naïve.

That means the shakeout will continue. And this year it’ll be more than just Vernier becoming Autonomic and heading for higher ground (again). The good news is that there are a lot of big networking firms that don’t really understand security. Most are struggling, but they still have a lot of dumb money. That means Barnum can come in and sell them a bill of goods. It also means that it’s a race, and the one without a seat when the music stops is in a world of hurt.

But don’t believe me. Believe a couple of guys that are actually smart. Thomas and Nate debate NAC towards the end of their annual predictions. And they are right.

Lastly, I want to drive my stiletto deep into the heart of NAC standards. Windows Server 2008 is pretty much here, so now that means NAP will become pervasive, right? Wrong. Cisco has its own thing, and everyone else has TCG/TNC.

But the cold, hard truth is that customers don’t care about standards. If the functionality were important enough, they would deploy the technology without a standard. If it’s not, they tell the sales reps that “standards are important” and they are going to wait for the standards to shake out. That way the sales rep’s ego isn’t impacted and they’ll stop calling. But in reality, the customer is saying, “What you do isn’t important enough to me,” so I’ll wait until it is.

And that seems to be the story of NAC.

2008 DOI: Day 3 - Best of Breed DOA

2007 Incite: Perimeter (R)evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.

2008 Incite: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

I get a lot of questions about “best of breed.” It’s a manifestation of a couple of deep-seated misconceptions regarding how security has evolved, and also a bit of an ego thing on the part of most security professionals. But before we jump into my amateur Freud act and conclude that it’s our parents’ fault, let’s dig into history a bit.

Most technology markets are driven by the innovation, integration, and consolidation cycle. That means a bunch of new companies start up to solve a specific customer problem. That’s the innovation thing. Then the big, stodgy, un-innovative companies figure out there may be something there, so they integrate the stuff into their existing offering. Finally, these same companies figure out how to sell the integrated innovation (say that 10 times fast), and by then it’s not really that innovative anymore – so they acquire pretty much all the players in the market.

The first stage – innovation – is really what the “best of breed” mindset is all about. In an early market, there usually are marked disparities between the products. Some work, others not so much. So buyers really have to be aware and careful to ensure they don’t buy a pile of steaming poop.

But in later markets, the technical capabilities normalize. Technical differentiation is largely a myth. All the products work “good enough.” At that point, you are buying not on technical capability, but softer issues – like integration with your existing stuff, management, and reporting. At that point, best of breed pretty much ceases to exist.

That’s where we are in a bunch of security markets. In 2007, the Perimeter Incite (referenced above) really reflected this fact, and it definitely came to a head. A lot of folks bought UTM, even though they were only looking at replacing their firewall. Why do this? The more applicable question is really why not? Even if they don’t turn on some of these other capabilities, they could. And over time, probably will.

Same goes with the “endpoint suite.” No companies offer just anti-spyware anymore. Why would they? That capability has been subsumed by what used to be called anti-virus. Rootkit detection? Ditto. Don’t forget about device and application control too. Yep, it’s in there.

But talking about UTM and endpoint suites isn’t particularly inciteful. I think that security management is next on the hit parade to hit this cycle. You have all of the SIM vendors saying they do log management. You also have all the log management vendors adding SIM-like capabilities. The NBA (network behavior analysis) vendors are trying to feed algorithms and analysis (via partnership) to all of the above to stay relevant.

The cycle repeats itself once again. And it will continue to repeat itself. Remember, I’m not as smart as most of you – I’ve just been around longer and I’m good at recognizing the patterns that will repeat.

You don’t have to be a brain surgeon to see this writing on the wall. Market maturity kills product innovation. And that’s why I’ll be the first guy shoveling the dirt on security best of breed.

Photo credit: darleen2902

2008 DOI: Day 2 - It's time for an audit revolution

Submitted by Mike Rothman on Wed, 2008-02-13 14:45.

2007 Incite: CSO Next

A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSOs.

2008 Incite: It’s time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.


Back in September, I addressed a chapter of the Institute of Internal Auditors. My goal was basically to help them understand the mindset of the security professional, and how the technical CSO needed to transition into the CSO Next (described in 2007’s Incite) and why the auditor was a key cog in that wheel.

It worked. This was one of my favorite speaking gigs the entire year. The internal auditors were both shocked and appalled at how difficult it is to be a security professional, and how so many counter goals and incentives are in place, which makes the job of security a lose-lose endeavor all too often.

The auditors also empathized with how acrimonious the relationship between security and audit had become. Kind of like the image at left. That’s what most security folks feel like when they get out of the audit. But the conflict and friction took its toll on the auditors as well. They felt it every time they sat down with the security folks and for the most part, they couldn’t pinpoint why it had gotten to that point.

Just as last year’s Incite was a call to the masses to get past our technical heritage and start thinking about security within a business context, the 2008 Incite is a similar call to action. We, as security professionals, need to understand auditors are on the same team as we are. We both want the same outcome, and that’s to have a strong security posture and protect the critical assets of the organization. It’s as simple as that – it really is.

Security folks tend to be proud people. We fight the bad guys every day, and as every good warrior is prone to do – we don’t like to admit weakness or ask for help. Unfortunately that usually ends up with the security person being thrown out of the car at a high rate of speed once something goes south. It’s a pretty unpleasant experience.

It doesn’t have to be that way. We can (and must) start treating the auditors as peers. We need to realize they see a lot more stuff than we do. That means they can actually help. We need to stop being perceived as infallible, which results in a largely defensive position. We need to start asking questions and listening.

Sure, the auditor may be wrong, but then again – maybe they aren’t. If you have your blinders and earmuffs on and your head in your backside due to some misplaced sense of hubris – you’ll never know. Since we are coming up on Valentine's Day, maybe get your auditor a box of chocolate or something. OK, I'm sort of joking, but not really. If you start the audit on a positive note, it goes a lot better.

Finally, I’ve also made a significant “evolution” of my position relative to compliance. For the past number of years (actually as long as I can remember), I projected compliance was a flash in the pan. And it really should have been. You don’t buy compliance, you buy (and implement) security. I always advocate a “Security FIRST” mindset, because if you are secure (to the degree that’s possible, anyway) – then you are very likely compliant as well.

Now I’ve come full circle, largely driven by being thumped on the head for years about my compliance position. I’m finally ready to embrace what many of you probably figured was inevitable. There always seems to be a new regulation coming down the pike. There will always be auditors showing up and assessments relative to a specific regulation to complete. So compliance is a fact of life for the security professional; we may as well make the best of it and figure out how to best use the compliance budget to get what we really need, which is good security.