Security Management
Revisiting Big is the New Small
It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figure on the first Monday in August, I'd revisit that position and figure out if it was still relevant.
To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.
Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies, that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.
There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.
These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.
The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.
Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means buying solutions that aren't the most expensive, but meet the needs in the most cost-effective way. That's the entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.
By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.
Not perfect, but better.
But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criterion for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.
Photo credit: "Good enough" originally uploaded by russelldavies
2008 DOI: Day 3 - Best of Breed DOA
2007 Incite: Perimeter (R)evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.
2008 Incite: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.
I get a lot of questions about “best of breed.” It’s a manifestation of a couple of deeply seated misconceptions regarding how security has evolved, and also a bit of an ego thing on the part of most security professionals. But before we jump into my amateur Freud act and conclude that it’s our parents’ fault, let’s dig into history a bit.
Most technology markets are driven by the innovation, integration, and consolidation cycle. That means a bunch of new companies start up to solve a specific customer problem. That’s the innovation thing. Then the big, stodgy, un-innovative companies figure out there may be something there, so they integrate the stuff into their existing offering. Finally, these same companies figure out how to sell the integrated innovation (say that 10 times fast), and by then it’s not really that innovative anymore – so they acquire pretty much all the players in the market.
The first stage – innovation – is really what the “best of breed” mindset is all about. In an early market, there usually are marked disparities between the products. Some work, others not so much. So buyers really have to be aware and careful to ensure they don’t buy a pile of steaming poop.
But in later markets, the technical capabilities normalize. Technical differentiation is largely a myth. All the products work “good enough.” At that point, you are buying not on technical capability, but softer issues – like integration with your existing stuff, management, and reporting. At that point, best of breed pretty much ceases to exist.
That’s where we are in a bunch of security markets. In 2007, the Perimeter Incite (referenced above) really reflected this fact, and it definitely came to a head. A lot of folks bought UTM, even though they were only looking at replacing their firewall. Why do this? The more applicable question is really why not? Even if they don’t turn on some of these other capabilities, they could. And over time, probably will.
Same goes with the “endpoint suite.” No companies offer just anti-spyware anymore. Why would they? That capability has been subsumed by what used to be called anti-virus. Rootkit detection? Ditto. Don’t forget about device and application control too. Yep, it’s in there.
But talking about UTM and endpoint suites isn’t particularly inciteful. I think that security management is next on the hit parade to hit this cycle. You have all of the SIM vendors saying they do log management. You also have all the log management vendors adding SIM-like capabilities. The NBA vendors are trying to feed algorithms and analysis (via partnership) to all of the above to stay relevant.
The cycle repeats itself once again. And it will continue to repeat itself. Remember, I’m not as smart as most of you – I’ve just been around longer and I’m good at recognizing the patterns that will repeat.
You don’t have to be a brain surgeon to see this writing on the wall. Market maturity kills product innovation. And that’s why I’ll be the first guy shoveling the dirt on security best of breed.
Photo credit: darleen2902
2008 DOI: Day 2 - It's time for an audit revolution
2007 Incite: CSO Next
A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSOs.
2008 Incite: It’s time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation treating the auditor as a peer and viewing the audit as a learning opportunity.
Back in September, I addressed a chapter of the Institute of Internal Auditors. My goal was basically to help them understand the mindset of the security professional, and how the technical CSO needed to transition into the CSO Next (described in 2007’s Incite) and why the auditor was a key cog in that wheel.
It worked. This was one of my favorite speaking gigs the entire year. The internal auditors were both shocked and appalled at how difficult it is to be a security professional, and how so many conflicting goals and incentives are in place, which makes the job of security a lose-lose endeavor all too often.
The auditors also empathized with how acrimonious the relationship between security and audit had become. Kind of like the image at left. That's what most security folks feel like when they get out of the audit. But the conflict and friction took its toll on the auditors as well. They felt it every time they sat down with the security folks and, for the most part, they couldn’t pinpoint why it’s gotten to that point.
Just as last year’s Incite was a call to the masses to get past our technical heritage and start thinking about security within a business context, the 2008 Incite is a similar call to action. We, as security professionals, need to understand auditors are on the same team as we are. We both want the same outcome, and that’s to have a strong security posture and protect the critical assets of the organization. It’s as simple as that – it really is.
Security folks tend to be proud people. We fight the bad guys every day, and as every good warrior is prone to do – we don’t like to admit weakness or ask for help. Unfortunately that usually ends up with the security person being thrown out of the car at a high rate of speed once something goes south. It’s a pretty unpleasant experience.
It doesn’t have to be that way. We can (and must) start treating the auditors as peers. We need to realize they see a lot more stuff than we do. That means they can actually help. We need to stop being perceived as infallible, which results in a largely defensive position. We need to start asking questions and listening.
Sure, the auditor may be wrong, but then again – maybe they aren’t. If you have your blinders and earmuffs on and your head in your backside due to some misplaced sense of hubris – you’ll never know. Since we are coming up on Valentine's Day, maybe get your auditor a box of chocolate or something. OK, I'm sort of joking, but not really. If you start the audit on a positive note, it goes a lot better.
Finally, I’ve also made a significant “evolution” of my position relative to compliance. For the past number of years (actually as long as I can remember), I projected compliance was a flash in the pan. And it really should have been. You don’t buy compliance, you buy (and implement) security. I always advocate a “Security FIRST” mindset, because if you are secure (to the degree that’s possible, anyway) – then you are very likely compliant as well.
Now I’ve come full circle, largely driven by being thumped on the head for years about my compliance position. I’m finally ready to embrace what many of you probably figured was inevitable. There always seems to be a new regulation coming down the pike. There will always be auditors showing up and assessments relative to a specific regulation to complete. So compliance is a fact of life for the security professional; we may as well make the best of it and figure out how to best use the compliance budget to get what we really need, which is good security.
Report Card: 2007 Incite #1 - Get with the Program
Yes, it's that time of year again. It's accountability time. Over the next 5 days (culminating in the New Year's Eve spectacular!), I'll be critically evaluating all of my 2007 Incites (that's my vernacular for predictions) and giving some perspective of what happened, what didn't, and why.
So without further ado, let's jump onto Incite #1.
Incite #1 - Get with the Program
As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominantly SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-1-get-with-the-program
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-9-2007
Final grade: B+
It’s tough to be a security professional nowadays. The attack surface continues to expand, the vectors are multiplying, the bad guys are getting more and more innovative, and it’s still not clear what our main objectives are. So is all the news bad?
Actually it isn’t. I’m not going to blow smoke in your backside relative to how much progress security folks made in 2007, but the reality is the folks that have adopted a programmatic approach are in much better shape today than they were 12 months ago. Nothing is going to be a panacea relative to getting more relevant with your senior team besides good, old-fashioned hard work and effective, outbound, proactive communication.
The Pragmatic CSO approach and philosophy works. I’ve gotten enough feedback from both early reviewers, as well as some folks that are using the process in practice to know that it works. But you have to do it. You have to get out from behind your desk and work the program, building relationships with the senior team, monitoring your environment, and taking care of all the steps in the program.
I’m very excited about what Pragmatic CSO – Year 2 will bring. There will be more ways to access the content, more assistance in implementing the program, and ultimately more success stories. But as with everything else, you have a choice. You can certainly continue doing what the vast majority of security folks out there continue to do - which is to continue to react to every situation, pray that your bosses understand what you do, and keep your resume fresh - so you can move onto the next job before the hazards of the present job catch up to you. Remember, you don’t have to do anything different - I hear the status quo is working out well.
Relative to security management tools, most end users remain disappointed at how much time and money it takes to make the existing generation of security tools add value to their environment. But that never stops the entrepreneurial bug. Now there are new “risk management” offerings hitting the market and others positioning into the GRC (Governance, Risk and Compliance) space - whatever that means.
GRC tools promise to “automate” the compliance reporting process and maybe even associate security controls with risk. I’ll remain skeptical until these tools become easier to use for companies below the Fortune 100. So at least some companies are trying to make some progress and help with the onerous reporting requirements of today’s regulations and audits, but 2008 will still be an early adopter year for GRC, as the market figures out what needs to happen and then how to solve the problem.
Check out the other posts in the Report Card series.
2007 DOI: Day 1 - Get with the Program
As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominantly SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.
I'll be the first to admit that this first Incite is pretty self-serving. Obviously having just published a "poor man's security program," the Pragmatic CSO - I'd certainly like this to be a self-fulfilling prophecy. But let's examine why a security program is in great demand in the markets out there.
First, there is too much to do, and CSOs and other security professionals are having a hard time figuring out what to do on any given day. Second, even if they know what to do - helping the rest of the organization (especially the business folks) understand the value that security brings has been problematic. Finally, the auditors show up every so often and it's usually a miserable experience for everyone.
Basically, many many CSOs are looking for a better way. I believe taking a programmatic approach to security can provide the structure and perspective needed to be successful in today's environment.
To be clear, I don't much care if it's 27001 or COBIT or any kind of program. But doing security in a hodge-podge way, basically playing whack-a-mole to eliminate the issue du jour, just isn't working. So it's time to try something new.
What about that security management stuff? That's the 2nd part of the Incite and remains pretty controversial. Again, to be very clear, I don't have an issue with security management. It's necessary and critical to being a successful and Pragmatic CSO. BUT, security management has to add value. If it's so expensive and ponderous, as to actually detract value - then there is something wrong. That's where we are at today. The biggest enterprises see value, but that's about it.
I continue to be haunted by my past as a networking analyst in the early '90s. I had a front row seat as network management evolved and eventually disappeared. It's pretty operational now and dominated by the vendors that provide the networking equipment. The biggest networks in the world use stand-alone management offerings, but most folks use whatever their networking provider offers.
We've seen this movie, and security will be largely the same. First, there is the bundling thing. If you are doing a big endpoint renewal, you can bet you'll get that security management thing thrown in. Just ask. Same goes for UTM and every other major category. And reading Syslog and getting feeds from other devices just isn't that novel anymore.
That's why many Cisco customers default to MARS, even if it doesn't work as well as other offerings (just ask Bejtlich on that one). It's easy to buy and that overcomes a lot of technology and implementation issues. You know what they say, you don't get fired by buying [name your favorite big ass vendor here].
We will see more activity and more clarity about what log management does relative to SIEM this year. And we'll also see tighter partnerships between network behavior analysis (NBA) vendors and SIEM. Why? You get to look ahead of you (with NBA) and behind you (with SEM), which is actually pretty compelling.
But overall in 2007, expect security management to continue to disappoint. That's all the more reason for you to get with the PROGRAM.
Report Card: Incite #8 - Security Management (oxy)Moron
This is the last report card for today. Tomorrow you'll get the remaining 4 and I'll put a close on 2006.
Stand-alone security information management (SIM) plateaus in 2006, as consolidation continues and the need for large-scale system integration makes acceptable time to value out of reach for all but the largest enterprises. Closed correlation systems increasingly take root as users swing towards homogeneity and ratchet back expectations on which devices really need to be integrated into the management system, while leveraging the reporting infrastructure for compliance purposes.
Grade: A
Original Days of Incite post: here
Incite Redux post: here
There is not much to say here, but “I TOLD YOU SO!” The security management business (really I mean SIEM here) is made up of the lucky (e-Security and Network Intelligence - who got acquired this year), the survivor (ArcSight – who is moving into other businesses like log management and network configuration fast), and the walking dead (everyone else). And the shake-out will be severe in 2007.
It's not that the capability of correlation of security events isn't important. It's just not a stand-alone business. Cisco is moving a lot of their MARS appliances, mostly as a low-cost add-on to a network upgrade. So there is customer demand for a lower cost option to help correlate events a bit better.
Let me also touch on the futility of security “dashboards” as a market because the reality is the infrastructure vendors are going to provide that capability as well. Cisco is moving in this direction and everyone else needs to. So look for focused niche vendors that offer competing capabilities to something like MARS for a low price point to be in high demand next year.
The one opportunity that is real in the security management space, which I didn’t see a year ago is log management. Given forensic requirements and the need to do some of that correlation and analysis work, purpose-built log management products (not re-branded struggling SEM products) exit 2006 with a lot of running room.
Selling your security podcast
Many of you may have heard by now, but Alan Shimel and Mitchell Ashley recently convened a panel of security experts (Martin McKeay, Michael Farnum, Bobby Dominguez) and a loudmouth (me) to discuss how to effectively sell security up the food chain.
It was a very interesting, though long, conversation. And when you see experienced security guys talking about how difficult it remains to get management on board relative to funding security efforts, there is clearly a problem out there.
So we talked about tactics, some experiences (both good and bad) that the panel had, and come to some conclusions about the best way to go about it.
Check it out and thanks again to Alan and Mitchell for inviting me to participate.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/stillsecure_aft_2.html
Deal: EMC/RSA buys Network Intelligence
As I alluded to in this AM's TDI, EMC has not let the grass grow under their acquisitive feet and acquired Network Intelligence for $175 million this morning (release here). This looks to be about 4-5x sales and is a healthy number given that SIM is clearly just a feature of security management. Stiennon may not want to call it consolidation, but there is no standalone market for SIM. So now we get to watch all the vendors run for the exits.
For EMC, the deal makes sense on a number of levels. First, EMC has spent a while aggregating some management technologies (notably SMARTS) and Network Intelligence fits into that model. They provide intelligence for what is going on from a security standpoint and I think there is leverage in the data and analysis that SMARTS brings to the table for the network folks. It also gives some additional capabilities to the RSA folks, who didn't have a SIM in their bag.
Ultimately, I think the most leverageable part of the deal is something that EMC neglected to spell out in their deal presentation - the role of log management in driving more storage consumption. In fact, I'm not sure EMC realizes they just bought into the log management space. This is a good thing for EMC because logs take up a crapload of space, especially forensically clean ones. Anytime you are storing 100,000 things a second, it's going to demand some space. Ergo more storage.
EMC painted Network Intelligence as a SIM because that's where they started and that fits better into EMC's stack chart of all the security markets they play in. Too bad it's wrong. If you look at NI's positioning of late and what problems they were trying to solve - it feels a lot more like log management to me. If they were going to go it alone, they'd need to morph their positioning and log management is where they would have ended up. They were already more than halfway there.
I also want to point out that log management, though a distinct market from SIM IS NOT a standalone market over time either. On LogLogic's blog (here) they go through their reasoning about why SIM is crap and log management is a standalone market, based on what SANS says. Besides the fact that SANS just put on a blow-out Log Management Conference, it just doesn't ring true to me. Over time log management is also a subset of a broader security management story. Like SIM, only different.
I'm not disputing that log management is different than SIM. I've written about that a number of times (here, here). It's about high volume log aggregation and forensic cleanliness to help in the event of an issue. Like every other security market, the log management folks have plastered a reporting engine on top of it to appeal to the compliance folks.
But I don't believe it's standalone ad infinitum. So the real question is when does someone like Network Appliance (who is also trying to break into the security market) take out LogLogic or some repositioned SIM-thing like SenSage to gain exposure both to security and to control a storage driver. Or maybe it's Cisco or Juniper, since you can just as easily aggregate network log data. Or even Symantec or McAfee, though neither one particularly understands appliances.
The only thing I do know is that it will be someone, you can take that to the (Log) Bank.
Black Hat: The Sessions
I only got a chance to attend three of the sessions, so I tried to split them between understanding the threats and cleaning up the mess with forensics.
I went to a session by Thomas Ptacek and Dave Goldsmith of Matasano about the risks of systems management products. Basically the point here is that management "agents" are basically bots (or zombies). This is trusted code that can pretty much do whatever it wants on the managed devices. Thomas and Dave explained 6 or 7 different ways to break these systems, which would provide access to thousands of devices in a target network. Bet you didn't think of that, eh?
But it underscores the need to pick software carefully. Though they broke into pretty much everything they tested, there were differences in security model and capabilities. Users are still justifiably focused on capabilities for their management applications, but I bet that sooner rather than later - having a verifiably secure agent starts to become a point of differentiation.
I also saw two forensics sessions, since I don't know much about that discipline and it's becoming pretty important. If only to know what kind of data you need to gather and store from the security perspective and understanding the process the investigators go through.
I saw Chuck Willis and Rohyt Belani of Mandiant do a good session about web application forensics and use a couple of real case studies to make their points. There is nothing like real life situations to illuminate the points they were making. I also saw Johnny Long do kind of an intro to forensics, which was interesting. As Johnny pointed out, computer forensics folks don't typically get the blood trails that their CSI counterparts do, but following the evidence is key to success.
I also had a number of conversations about the virtualization topic and suffice it to say, it's non-trivial. I'm still familiarizing myself with the nuances of hypervisors and device drivers and the like. The only thing I know for sure is that it will change how we think about security, which is a good thing.
Finally it's also clear to me that we need to start some discussions about how to blow up the status quo of security. If there was one thing that was abundantly clear is that fixing holes is not the answer. The people presenting their research can break networks and applications in MINUTES. We've got to start from a blank slate and really rethink the problem space.
Stay tuned on this. The discussion will be starting soon. But don't call me, I'll call you. The last thing I need is a hundred vendors telling me why their product breaks the status quo of security. That would be so un-Black Hat, after all.
EAC Blog: The Hogwash of Security ROI
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.
As the Internet bubble burst, the bean counters reemerged as true power brokers over all things IT. For the most part that was a good thing, since IT pretty much spent like drunken sailors towards the end of the millennium and the hangover was pretty severe. It was up to the accountants to bring the Gatorade and Advil (my favorite hangover remedy) to restore some sanity.
In tight budget cycles, you need to rely pretty heavily on ROI (return on investment) calculations to justify spending anything. Over the years a number of folks got pretty good at showing how things like CRM and business intelligence provide a distinct return to the business. Those were easy cases to build because the technology really did favorably impact the business. But security professionals have always struggled with this, pretty much since the beginning of time.
Why? Because quantifying risk is an inexact science at best. You have no idea what the downtime of specific assets really costs. Figuring out "productivity improvements" due to not making someone jump through as many authentication hoops is suspect. And ultimately none of these calculations matter. The day an attack is successful and a network or application is compromised, all bets are off. The next day about 50 POs are cut to pretty much buy every product a technologist can get their hands on. Fool me once, shame on you. Fool me twice... or so the saying goes.
I bring this up because folks like Pete Lindstrom have been trying to do research and come up with a defendable model for what he calls ROSI (return on security investment) for years. And he's failed. There are so many caveats to make the number believable, it's just not. This has nothing to do with Pete's creativity or talent, he did his best. It's more about the impracticality of doing it in the first place.
But what really set me off was an article posted on SearchCIO from some folks at Alinean, who specialize in developing ROI models. I think that approach is hogwash. There is no way to gather most of those numbers. Not in a way where you could sleep well at night. If you are okay presenting those numbers to a CIO or CFO with your credibility and career on the line, more power to you.
I know that my general disdain for ROI models puts many of my clients and readers of my personal blog in a bind because their bean counters want to see ROI information. But I say now is the time to RISE UP and fight the power. No I haven't been listening to my classic Public Enemy CDs again, I really mean it.
In the time you'd spend making up some cockamamie ROI model, you could be doing real work. An alternative approach is to take some of that hard fought budget and get a penetration test. I bet that within a day, your network would be proven to be Swiss cheese. Take the pen test report to your CFO and don't forget your stack of POs for all the new stuff you need to buy.
There's your ROI model. A sophisticated hacker will make mincemeat out of our network unless you buy some stuff. How about them apples, Big Mr. Bean Counter? And while we're at it, let's discuss that BMW I've been looking at.