Report Card
Report Card: 2007 Incite #10 - Time to get PC(I)
So this is it. The final Incite for 2007. Overall, I think I did pretty OK, given how dicey it is to predict anything. I'm a bit ahead of the curve on some things - but I'm good with that. If I'm not a bit ahead, then I'm not thinking hard enough.
Look for the 2008 Incites to appear in February, and then I can spend the rest of 2008 poking myself in the eye. Which I hope is good fun for you.
Incite #10 - Time to get PC(I)
PCI is the new SarbOx as unsophisticated CSOs continue to try to “buy” compliance. The lack of regulatory enforcement and increasing scrutiny by bean counters finally kill compliance’s golden goose and force CSOs to justify more security spending on something other than compliance. Pragmatic CSOs understand that a strong security program addresses compliance requirements, so they focus on warming relations with auditors and communicating their results in business terms to the business people that matter.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-10-time-to-get-pc-i
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: D
I started the Incite Redux post with the following quote: “Much to my chagrin, compliance is still alive and well. This goose continues to lay golden eggs. Of course, the eggs are stamped with PCI, as opposed to other regulations – but it seems every time that compliance is on the ropes, a new set of legislation emerges from Mount Sinai to save everyone.”
PCI was that magic tablet in the hands of many auditors, who continued to demand certain new capabilities (mostly database security gateways, application scanning and penetration tests) that saw growth in 2007. So I’m giving up the ghost on projecting the death of compliance. It’s just not going to happen, at least for a while.
So organizations need to be strategic in how they play the compliance card. Buy the things that are important for SECURITY, and will also make the auditor somewhat happy. Focus on reporting, since you will need to substantiate what you are doing. Yes, Pragmatic CSOs do see the value in a structured security program – that part is resonating. The idea of treating the auditor like a peer and communicating in business speak is spot on.
But compliance is the cat with at least 9 lives, and continues coming back for more. So I can’t feel good about giving myself anything higher than a D for this Incite because compliance continues to be alive and well. Very alive and very well, thank you very much.
I guess I shouldn’t complain too much because I personally continue to benefit from the fact that security is riding the compliance wave. Yet, I still feel bad because it’s not the right thing to do. Whatever, what’s right doesn’t usually correlate to what happens, now does it?
Once the PCI furor dies down, what will be next? I honestly have no idea, but I know it will be something. It always is, and just when you thought compliance was down for the count – it keeps storming back with a vengeance.
Maybe we can get Bruce Willis or Harrison Ford to star in the next compliance sequel. It seems those guys keep on ticking as well, so they are good role models.
Check out the other posts in the Report Card series.
Report Card: 2007 Incite #9 - Help Wanted: Fortune Teller
Keeping with my just in time philosophy, it's time to finish up the 2007 Report Card. Which is good timing since today is the last day of 2007. I wish you and all of those important to you a happy, healthy and prosperous 2008. See you on the other side (of the New Year).
Incite #9: Help Wanted: Fortune Teller
CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-9-help-wanted-fortune-teller
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: C-
We saw the death of responsible disclosure in 2007, and that means security researchers are still big players, but they have leveled the playing field by disclosing vulnerabilities at the same time they tell the vendors.
Honestly, I don’t much care to weigh in on the good vs. bad side of disclosure. It is what it is and I can certainly see the rationale by many of the research folks out there who are done having a big vendor ignore their attempts to do the right thing. The arrogance of many vendors still perplexes me, but whatever…
Ultimately this Incite wasn’t about disclosure; the first part was about the business of security research – which never materialized. Why? Basically, end user organizations won’t pay for what they can get for free. Can they get a “hacker’s eye view” of a new vulnerability? No. Can they get a lot of security research folks’ take on the issue and the workarounds via the wonders of RSS? Absolutely.
Which is exactly what most organizations are doing. CSOs are staying current by monitoring the plethora of information sources out on the Internet. The folks trying to “sell” research just don’t have a compelling enough value proposition to get people to pay – so they won’t and that just reflects pretty pragmatic behavior. Who am I to argue with pragmatism?
The final piece of this Incite is pretty disappointing as well. Security monitoring continues to be a solution looking for a problem. Actually the thought leaders in this discipline (like Richard Bejtlich) know what the problem is – but the broad market isn’t listening.
I’ve harped all year on the need for organizations to REACT FASTER, and unless you are monitoring your stuff – I don’t know how you do that. But evidently other folks know better than me, since they continue to do the same old same old and figure the answer will be different. Our networks continue to be infested with bots, our machines compromised and things are not getting better.
Yet no one wants to slay the sacred cow of “proactive” defense, figuring that new algorithms will solve the false positive issues and allow us to block attacks that we’ve never seen before. Something’s got to give. Maybe 2008 will be the breakthrough year, where monitoring solutions are finally packaged in a way that every organization can use them, or maybe an open-source solution will appear to allow security folks to play a bit with monitoring and learn how powerful a method it is to secure things.
Whatever the answer, I sure hope we are spending more time in 2008 figuring out what is not normal, than blocking stuff we’ve never seen.
Report Card: 2007 Incite #8 - Identity Everywhere
Let's keep plugging along. This Incite deals with Identity. Not just from the standpoint of who you are and what you are supposed to have access to, but also how identity information is increasingly being integrated into the fabric of our computing infrastructures.
Incite #8 - Identity Everywhere
Identity becomes the most overused term in 2007, as NAC vendors, systems management vendors, Big Security, and everyone else “identity-enable” their offerings more as a marketing initiative than to add value. Pragmatic CSOs focus on solving problems, embracing non-disruptive mutual authentication and integrating directory stores with network equipment to streamline management and problem isolation. The first inklings of an interoperable “identity network” emerge, making cheap multi-use tokens more compelling to a broader market.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-8-identity-everywhere
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007
Final grade: C
Let’s start off with the positive. Cisco TrustSec. ‘Nuf said.
OK, it’s probably not enough, but it should be. Cisco finally jumped on the identity-aware bandwagon in December with its TrustSec architecture, which is basically just validating everything that everyone else has been saying for a long time. You can’t really separate out who you are, from what you are allowed to get to. Moreover, you need to enforce that as close to the network fabric as you can.
But the rest of the Incite was a bust. Mutual authentication is not really happening because the banks have no incentive to make it happen. Sure some of them are making a half-assed attempt to train their users about little marks or SiteKeys or something else, but these have had precious little impact on fraud.
The extent of directory store integration with the network is for the devices to suck information from a LDAP data store and then use it to set policy. It’s not like they are externalizing any of their policy or storing that policy in the directory store – now are they?
Finally, the idea of an “identity network” has been a real bust. You can get your little token from PayPal, but then what? Again, I was a bit optimistic here because I know it’s something that should happen – but I forgot the importance of a profit motive.
The reality is there just isn’t a real compelling need. It would be convenient for me as a customer to be able to use the same set of credentials in a lot of different places, but I’m not going to stop buying stuff from Amazon because they don’t play nice. So I’ll put this one in the “swing and a miss” bucket and look forward to getting closer in 2008.
Report Card: 2007 Incite #7 - The Information Strikes Back
It was good to see the topic of data security enter the conversation in 2007. It's the next frontier of security and a really big, nasty, hairy problem. There aren't any good answers to the issue quite yet, but a lot of smart folks are working on it. This is one of the areas to definitely keep your eyes on in 2008.
Incite #7 - The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-7-the-information-strikes-back
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007
Final grade: B+
A funny thing happened on the way to the final grade for this Incite. The industry started to acknowledge the fact that securing data is different, and that applications are the path of least resistance to your data. Given the imminent chaos around virtualization, SOA, and continued focus on private data driven by PCI (more on that later), security professionals no longer have an option in trying to figure out how to secure their information/data.
I think we all acknowledge that the right answer is to build secure applications that aren’t subject to simple XSS and SQL injection attacks. Of course, that requires that our developers get religion about secure coding practices and that our executives get comfortable with the fact that applications shouldn’t ship unless they are secure.
Right, it’ll be a cold day in hell when that happens. So what’s Plan B?
Basically we have to continue working around the issue, by doing application scans, pen tests, and maybe even implementing some database and web application defenses to try to work around the fact that our developers don’t care about security.
If there was ever a space that is crying for some disruption, it’s the data security market. The current methods are band-aids at best. Not that I’m talking about 2008 yet, since we haven’t put 2007 to bed – but we need to think differently about data security. Fundamentally differently. That means we’ll need to think about how to secure the fundamental element of data, wherever it is because we can no longer assume that we only need to protect the data within our environment.
I gave myself a B+ on this one because I was largely right: we’ve got a lot of acknowledgement about the depth of the data security issue – but precious few ideas on how to really solve it.
Report Card: 2007 Incite #6 - Patching the Leaks
OK, we've passed the half-way mark. Here is the Incite on Leak Prevention.
Incite #6 - Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-6-patching-the-leaks
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007
Final grade: B
“More high profile privacy train wrecks…” Have any truer words been spoken over the past year? The list goes so far beyond just TJX and a lot has to do with lost laptops, but there have also been insider thefts, compromised machines and lost backup tapes. So the only thing you can pretty much count on is that if you think your private information is actually private, you are mistaken.
So how do you address the issue? The 2007 Incite talks about laptop encryption and DLP. Let’s pop the DLP bubble first. That market is early, and it’s also small. Symantec paid more than 3 times the entire market size for Vontu, but there is certainly a lot of precedent for Symantec paying up when they think they need something (Brightmail anyone?). EMC also bought Tablus, which means there aren’t too many independent DLP vendors left.
But that’s the simplistic vendor view of the world. What about customers? Basically, they still need to figure out what they are watching for. The current generation of tools does a decent job of checking against dictionaries and regular expressions. Catching stuff you don’t know about is still pretty dicey.
That being said, it is all about the content, and that means that inspecting the content is critical. It won’t be a standalone function over time, but the algorithms and content expertise required to do DLP right will prove valuable for every major security company to control. So expect more DLP consolidation next year, as the process becomes a more engrained part of security defenses.
What about laptop encryption? The answer is yes. It’s hard to envision how larger organizations can figure out how to protect their data, which increasingly resides on mobile devices, without resorting to laptop encryption. Maybe they are lucky and have all Macs, so they just turn on FileVault. Probably not, who has all Macs?
What about Vista’s BitLocker? Again, it’s pretty unlikely that your organization is all Vista (and given how badly Vista sucks, it probably shouldn’t be, but I digress), so you are looking for something to fill the gap. There are actually lots of choices to buy an encryption widget, and this is another market that will see further consolidation next year. Every endpoint security vendor needs to have this technology as part of their suite – whether they own it (like Check Point or McAfee) or do an OEM.
As hard as most organizations work to do the right thing in protecting your data, McNealy was right. You have no privacy – get over it.
Report Card: 2007 Incite #5 - You (Mal)ware it well
Continuing on with the 2007 Report Card series, the next Incite deals with endpoint security and the ever-present malware situation. It certainly seems it's getting worse, but is it still as impactful? Let's see...
Incite #5 - You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-5-you-mal-ware-it-well
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007
Final grade: B+
During a recent speaking engagement on endpoint security, I made the point that malware is pretty much ANYTHING that I don’t want on my desktops. I don’t care if it’s a virus, a worm, a Trojan, a keylogger, or any other bad juju – it shouldn’t be on my machine and I want an integrated endpoint security platform to get rid of it.
The good news is that the vendors have responded. Whether it’s the free stuff focused on consumers, or Big Security that have upgraded their stuff in 2007, we are seeing (finally) the justification for those annual upgrades.
What about these new entrants? Most importantly, big Microsoft was a no-show. They made a lot of noise in the early part of the year, and then… not so much. But that’s OK, since this is part of Microsoft’s playbook. They make a big splash, realize that they have some work to do on the product, disappear for a while and then eventually come back with something that is competitive. Clearly they have disappeared for a while, but in my best Governator voice – they’ll be back.
The reason this is still a B+? The ISPs remain blissfully unaware and unwilling to act to take many of the bots off their networks. And there has been little to no external pressure to force the issue. ISPs continue to ignore the issue, the bot masters continue to run to the bank, and millions of devices out there are just waiting to launch a massive attack on whatever is the next target of choice.
I wish there was any kind of good news on the horizon, but there isn’t. Users will continue to do stupid things, leaving themselves open to being compromised. The best that a corporate security person can do is to monitor their networks and figure out when one of their machines has been compromised. Rebuild it and contain the damage.
I always get a lot of VCs asking me what is hot in security. Where they should invest their money. Unfortunately, the best growth market in security is bots, but I don’t think the limited partners of the VCs would be all that enthusiastic about funding a band of criminals. Although it’s not unprecedented…
Report Card: 2007 Incite #4 - Trust No One
40% of the way there. Let's keep pressing forward.
Incite #4 - Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-4-trust-no-one
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007
Final grade: B
Yes, customers continue to struggle with the idea of protecting against the insider threat. They all know it’s a problem, yet with the sheer number of things that need to be done – many organizations are stuck in analysis/paralysis mode. Do they do DLP first? What about NAC? What about just contracting the perimeter and installing a whole mess more firewalls closer to the data that needs to be protected?
We’ll talk about DLP later (Incite 6), so let’s focus on NAC now. Suffice it to say, everyone is acknowledging that the technology disappointed relative to expectations in 2007. How could it not? But what will 2008 have in store? Probably not a lot different. Can you hear the wails of the VCs with hundreds of millions invested in the space? The early adopters will continue looking at how to overhaul their campus networks and do it in a more secure fashion.
Everyone else will wait until they clean up the other projects, which are ahead of NAC on the priority list. Little things like IPS and the like. Yes, there are still folks in the mass market focused on IPS and not some of these other shiny functions that we spend most of our time dreaming about. NAC standards efforts will continue to lag, although the new, open source OpenSEA 802.1X supplicant effort will pick up steam – basically because there aren’t any other options.
But to me, the last clause is what is most important about this Incite and the reason this was only graded as a B. The security monitoring philosophy is not spreading as quickly as it should. So many security folks are still married to the idea of blocking everything and have not grasped the folly of trying to outsmart the bad guys. In one man’s opinion, focusing on REACTING FASTER and doing that through strong monitoring capabilities is a lot better (and more sustainable). Maybe some more folks will start to get that in 2008. One can hope, no?
Report Card: 2007 Incite #3 - Perimeter (R)Evolution
Ho Ho Hopefully you are enjoying this holiday season, wherever you are. Maybe it's time to return some gifts or just kick back a bit or maybe even poke ol' Mikey in the eye a bit about the next two Incites...
Incite #3 - Perimeter (R)Evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-3-perimeter-r-evolution
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007
Final grade: A
Gosh, if only I could pick stocks as well as come up with Incites. This is another that is right on the money, although in hindsight - very obvious. Some may think that putting all this stuff in a single box creates security issues, but the reality is there is a VERY compelling economic justification for collapsing all of these perimeter defense activities into a single platform.
Given that security doesn’t really help to make more money, if there is any way for us to contribute to saving a few shekels – that is all good. Now what about content security? It’s in there. Pretty much every UTM platform has some type of anti-spam capability and web filtering too. A bit of a miss was this application acceleration theme, but it’s still pretty early for that function. As it matures, it will be subsumed into the UTM platform as well.
Specifically in the case of anti-spam, is it good enough? Do you need a dedicated platform to scan some mail? The answer is probably not. Given that bigger companies that also have perimeter defense platforms have acquired most of the messaging security specialists, it’s not like a lot of the technology that shows up on this integrated platform wasn’t stand-alone at some point.
So big is the new small and given the continued consolidation that almost everyone is predicting for 2008, the best of breed mindset is definitely on the endangered species list. But it has been for a while, this is nothing new.
What about open-source? It’s clearly making an impact. The underlying technologies, including IPTables, Snort, OpenVPN, Spam Assassin, et al, are robust and mature. There are a bunch of companies (Astaro, Untangle, StillSecure/Cobia) that build wrappers around these technologies to make it easier for customers to implement. Sure these vendors do a little more than package the open-source distribution – but the reality is the existing perimeter players will need to step up their game in 2008 because the value gap is not enough to justify big pricing differentials anymore beyond these open-source alternatives.
Report Card: 2007 Incite #2 - CSO Next
Let's continue marching through the Incites. After this one, we'll be 20% done! Now that's a half-full viewpoint, if I ever saw one...
Incite #2 - CSO Next
A new breed of CSO emerges in 2007, focused on running security as a business. High visibility, setting milestones, communicating progress, prioritizing fiercely, outsourcing strategically, managing vendors aggressively, and embracing advisors and coaches are the hallmarks of “CSO Next.” This Pragmatic CSO needs to look more like an MBA-type than a code jockey, which creates many challenges for the current generation of technically oriented CSO.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-2-cso-next
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-9-2007
Final grade: A
The concept of this Incite is right on the money. All over the industry you continue to hear about how Chief Security Officers need to transcend the technology and really focus on how security plays within the business. Wait. Can you hear that? It must be the sound of one hand clapping.
As much as I nail it relative to what CSO Next needs to be able to do, the cold, harsh reality is most security professionals are woefully unable to make this transition. The reality is that many security folks are not cut out to have a C-level title. It’s as simple as that.
So, the first thing on your list for 2008 needs to be a brutally honest assessment of whether you want to make the transition. It’s OK if you don’t. That’s cool, but to take the job and fail because you don’t want to deal with politics or focus on persuasion, just means you are going to stunt your own career.
That is not what you want under your tree during the holidays.
But if you are the type that wants to take that step, then start to take a crash course in your business. What are the revenue drivers? What are the cost levers? Do you understand the key imperatives for the CEO? How about how those imperatives map to the CIO’s strategy and thus, how they impact what security has to worry about?
Are you getting ahead of the curve and studying all about data security and this Web 2.0 stuff? If not, and you want to be CSO Next, you better get to work. No rest for the weary – get to it. There’s a big world out there that needs to be protected.
Report Card: 2007 Incite #1 - Get with the Program
Yes, it's that time of year again. It's accountability time. Over the next 5 days (culminating in the New Year's Eve spectacular!), I'll be critically evaluating all of my 2007 Incites (that's my vernacular for predictions) and giving some perspective of what happened, what didn't, and why.
So without further ado, let's jump onto Incite #1.
Incite #1 - Get with the Program
As security professionals continue to struggle with the number of threats and contradictory goals (protect information, but assist business), they increasingly turn to structured security programs (ISO 27001, COBIT, Pragmatic CSO) to assist in getting things done and communicating progress. Security management tools (predominately SIEM) continue to leave customers wanting for value and assistance in automating programmatic operations.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-1-get-with-the-program
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-9-2007
Final grade: B+
It’s tough to be a security professional nowadays. The attack surface continues to expand, the vectors are multiplying, the bad guys are getting more and more innovative, and it’s still not clear what our main objectives are. So is all the news bad?
Actually it isn’t. I’m not going to blow smoke in your backside relative to how much progress security folks made in 2007, but the reality is the folks that have adopted a programmatic approach are in much better shape today than they were 12 months ago. Nothing is going to be a panacea relative to getting more relevant with your senior team besides good, old-fashioned hard work and effective, outbound, proactive communication.
The Pragmatic CSO approach and philosophy works. I’ve gotten enough feedback from both early reviewers, as well as some folks that are using the process in practice to know that it works. But you have to do it. You have to get out from behind your desk and work the program, building relationships with the senior team, monitoring your environment, and taking care of all the steps in the program.
I’m very excited about what Pragmatic CSO – Year 2 will bring. There will be more ways to access the content, more assistance in implementing the program, and ultimately more success stories. But as with everything else, you have a choice. You can certainly continue doing what the vast majority of security folks out there continue to do - which is to continue to react to every situation, pray that your bosses understand what you do, and keep your resume fresh - so you can move onto the next job before the hazards of the present job catch up to you. Remember, you don’t have to do anything different - I hear the status quo is working out well.
Relative to security management tools, most end users remain disappointed at how much time and money it takes to make the existing generation of security tools add value to their environment. But that never stops the entrepreneurial bug. Now there are new “risk management” offerings hitting the market and others positioning into the GRC (Governance, Risk and Compliance) space - whatever that means.
GRC tools promise to “automate” the compliance reporting process and maybe even associate security controls with risk. I’ll remain skeptical until these tools become easier to use for companies below the Fortune 100. So at least some companies are trying to make some progress and help with the onerous reporting requirements of today’s regulations and audits, but 2008 will still be an early adopter year for GRC, as the market figures out what needs to happen and then how to solve the problem.

