Incite Redux
Special Incite: 2008 Incite Report Card
January 2, 2009 - Volume 4, #1
Good Morning:
Happy frackin' New Year. That's right. After being largely invisible in
December, I'm going to try to be better about consistently posting the
Incite a few times per week and some other random thoughts as they
appear in my pea brain.
You see, I've come to realize that I can't get everything
done. I've been weighed down for the past month with guilt that I would
spend a few hours doing my "personal" stuff when I had so much to do
for my day job. What I've discovered is that regardless of whether I
work 10 or 18 hours a day - there is always more to do.
So screw it. I'm going to write my newsletter because I've
missed doing it. The Boss reminded me of a few good ones that I wrote
over the year (she doesn't exactly read them the day they are written)
and I realized how much logging my daily rantings have become part of
what I like to do.
So I'm going to keep doing it. And with that, take a look back at 2008
and see what you did right and wrong. What are you going to change? How
are you going to change it? Are you sure? I've got no patience for the
"resolutions" that everyone makes when the ball drops in NYC.
You either change or you don't. I mean MASSIVE CHANGE. Some folks look
to make incremental changes. In my experience (especially with personal
development), it doesn't work. It's too easy to backslide into the
old, bad habits. I do that all the time.
Don't fool yourself thinking that 2009
will be different unless you are going to be doing something different,
actively and consistently. I've heard that the definition of insanity is
expecting a different outcome from the same activity. I believe
that.
So here's to you making the changes you need to make in 2009, and to
having a great year!
Photo: "massive change" uploaded by 416style
2008 Incite Report Card
We could sit and agonize about how crappy 2008 was. But actually it was a pretty decent year for me. I'm very fortunate and I know it. But as Anton points out, there is no way I was going to miss getting back to my Incites for 2008 and seeing how I fared. Of course, my time schedule doesn't allow me to do such detailed analysis of each Incite, but I'll provide a sentence or two on each one - just to keep myself honest.
As I look at the Incites, I only have one comment. Pretty crappy... But like everyone else, I didn't foresee the depth of the economic malaise and that had a direct impact on a lot of these projections. At least, that's how I rationalize my continued inability to project much of anything.
Incite #1: Express Your Inner Bean Counter
Grade: D+
This one didn't exactly go as planned. OK, it really should be an F.
There was no consensus and there doesn't seem to be any consensus on
the horizon. It's too bad because it's something that is sorely needed
by the industry. But we are (justifiably) more worried about keeping
the lights on and fighting to keep our already limited resources and
funding. Though metrics will help in the long term, we don't have the
luxury of thinking long term right now.
Incite #2: It’s time for an audit revolution
Grade: B
Whenever you see any of the surveys heading into 2009, compliance is
still a critical issue and one that "will not" be deferred, regardless
of the economic situation. I'm not quite sure I believe that, but I do
think that compliance continues to be a major corporate imperative.
Even in a global recession, the auditors still show up and we'll
probably still treat them like crap. Which is another story for another
day.
Incite #3: Best of Breed DOA
Grade: B+
Can you even get a stand-alone firewall anymore? I guess if you
consider Palo Alto's box a "firewall," then maybe - but that's about
it. This has happened and no one even talks about it anymore, and with
Check Point's acquisition of Nokia's appliance business - it'll
accelerate. Consolidation will continue in 2009, valuations will come
down (reflecting the lack of options for most small security
companies). I'm also right on target with the consolidation of security
management offerings. At least I've made a huge career bet on it, so I'm
not just blowing smoke on this one.
Incite #4: Weaving security into the network fabric
Grade: B-
Network security is largely just "accepted." Everyone has some
equipment to protect their perimeter. The rush to bake security into
the fabric will take longer than anticipated, mostly due to the fact
that with the economic carnage - there are no real catalysts to invest
in the infrastructure right now. We saw a few NAC vendors go out and
some trying to keep their heads above water. But this is a market for
the big boys and the sooner any independents find a partner, the better
it will be for them (and their investors).
Incite #5: Night of the Internet Dead
Grade: A
There was seemingly no stopping the zombie machine as it continued to
proliferate around the world. We did see an ISP of ill repute get
thrown off the island (when other ISPs stopped peering with them), but
an amazing thing happened. Attacks continued, machines kept getting
compromised, and with the exception of a week's respite, the head grew
back. In 2009, trying to stop all of these attacks is a bit too much to
ask. So focus on making sure you contain damage and (right) REACT
FASTER.
Incite #6: Laptop encryption hits the big leagues
Grade: B+
Are there any stand-alone laptop encryption things left? I know, I know
- a few - but not many. All of the big AV vendors have their own
solution and in 2009, we'll likely see the bundling happen in earnest.
Why wouldn't McAfee, Sophos and Symantec (once they buy GuardianEdge)
just give it away? In this kind of environment, these guys will be
pushing for renewals, and adding a lot of sweetener to get it to
happen. What has lagged are the management tools from the O/S vendors
(MSFT and Apple) to really make this happen as part of the operating
system. The fact that no one is deploying Vista doesn't help either.
Incite #7: The SDLC is your friend
Grade: C
Another casualty of the economic downturn will be strategic things like
the SDLC. Which is too bad, since it's critical that we address the
root cause of these application attacks. Web application firewalls did
find their sea legs, and they can send the check to "PCI Security
Standards Council." When the PCI folks made the firewall a must-have,
they carried the entire business with it. That will likely lead to
Imperva and Breach getting a long look from the network security
vendors in 2009. And the SDLC work that really needs to happen gets
pushed back to 2010/11, best case.
Incite #8: Protect the Vault (that’s where the money is)
Grade: B
Database security limped along in 2008, as big companies started
dipping their toes into the water. But this wasn't a very exciting
business in 2008, and it's hard to see what's going to make it exciting
in 2009. And every year this space doesn't break out is another year
the big DB folks get closer to doing it themselves - or acquiring
technology at fire sale prices. And when was the last time you heard
anything about encryption infrastructure? I suspect a bunch of the
small vendors hanging on in that space will go away in 2009, and the
rest will be subsumed - because there just isn't a market for
it.
Incite #9: Get the jumper cables for DLP
Grade: B+
The fact is that DLP is a small market, and will remain that way. I've
heard (anecdotally) that Symantec's group (the former Vontu) is doing
well, but that's about it. The standalone vendors are struggling, and
the big vendors are trying to figure out what to do with it. Licensing
the engine to Microsoft seemed to be RSA's answer. I still hold to the
reality that large enterprises can look at a stand-alone solution
because their liability is a lot greater - everyone else should be
playing around with their mail and web gateways and tuning those
regular expressions. Yes, it's a lame answer - but can you go spend 6
figures on a DLP thing now? Right.
Incite #10: Hack thyself
Grade: C
Driven perhaps by the loud mouths that continue to talk down pen
testing, this was still an uphill battle for those enlightened security
professionals that actually wanted to see what was really at risk. I'll
admit to being a little early on this one, but over the next 2 years it
will play out. Why? Because most of the new attacks target applications
and a lot of the application scanners actually have exploit-like code
built in. So application testers (right, Q/A folks) will become "pen
testers" as we expand the definition of pen testing. The economic
environment has probably put the kibosh on any kind of formal "security
assurance" group for the time being - but that is another one I believe
will play out, though it may be part of the audit team over time.
Incite Redux: Day 10 - Hack Yourself
Good Morning:
On the last day of vacation last year, I started the post with:
But this year, I'm sure things will be a bit different. First of all, we've been with the kids. So it's not like I've gotten away from screaming kids. And "working" a few hours each day has kept me reasonably current with what is going on.
As Dorothy says, there is no place like home. She was right. I'm
looking forward to sleeping on my own bed, using my own stuff, being
back in my own routine, and enjoying all of the angst I constantly
create for myself. Being able to go away for a few weeks is such a
luxury, and we are very fortunate to be able to do it. But at the end
of the day, being away makes you appreciate being back.
And it's time to get back. You'll see a special Incite on Monday, and
TDI returns on Tuesday.
Have a great weekend.
Incite #10: Hack Thyself
Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.
Read the original Days of Incite post on this topic.
6-month grade: B+
I love how you can be right and wrong at the same time. First things
first, it's clear that the term "risk" is much more in vogue this year
than "security." I guess most folks think that risk is a more business
oriented term. But no matter, I do think that slowly, but surely many
practitioners are understanding that not everything is going to get
done and focusing on the activities that reduce the most risk is not a
bad thing.
How do you know what that
activity is? Well, you need to be able to isolate real risk vs.
theoretical risk. The only way I know how to do that is to actually
test your stuff. Yes, I'm a big fan of testing of pretty much
everything. I've said that about a million times. Unfortunately the
tools to test the really important stuff are still pretty immature.
Yes, I'm referring to applications. The tools to do automated pen
testing for networks and systems are maturing quickly. There aren't a
lot of them, but the ones out there work pretty OK. But in reality,
network and systems are not really the path of entry for most attackers
nowadays. It's the applications.
And the tools to penetrate applications are still early. Sure they are
maturing, but you still need a bunch of big brained dudes to figure out
the logic errors that are more likely the cause of application
compromises. Any scanner is going to do a decent job of finding XSS or
SQL injection flaws. Though that is still low hanging fruit for
attackers because not enough people are running scanners on their
apps.
Alas, Rome was not built in a day and neither are the application
security testing tools. I can only hope (and I know hope is not a
strategy) that the big companies that have acquired these tools
continue investing in making them better. Or the start-ups (yes, there
are still a few out there) will drum them.
Yet the real reason this is graded as a B+ is that I'm not seeing
enough of the organizational change I predicted (and again, hoped for).
I know a lot of folks for whom testing is PART of their job, but not the
entire thing. And that means they don't get to it as religiously as
they should. Not by a long shot.
I can't stress enough the need to test all aspects of the
system, and to be serious about it. So the sooner someone is appointed
the internal "white hat," the more likely you'll find problems before
your customers do. Capiche?
Photo credit: "black & white hats" by w00kie
Incite Redux: Day 9 - Get the jumper cables for DLP
Good Morning:
At this point, I'm probably chewing my arm off - ready to head back
home and get back to my daily routine. I've come to embrace the fact
that even if I didn't have to work - I still would. The life of leisure
just isn't for me. I'm not the type to want to play golf every day or
sit at the pool or out by the beach.
It's not that I don't appreciate the ability to turn things off and just relax a bit. It's important. But it's not something I want to or could do for months at a time. I'm a builder. I like to create new things, and creating a lower golf handicap is not really what I'm talking about. As I mentioned on Monday of this week, it's not something I feel bad about either.
So over the next two days, I'll be ramping back up to jump into my routine. By Monday, we'll be back at the home base. The kids will be gearing up for another couple weeks at camp, and I'll be back to being pulled in 15 directions. And I can't wait.
Yes, vacation is great. But if you aren't looking forward to getting back to your life, then you need to change your life. Have a great day.
Incite #9: Get the Jumper Cables for DLP
Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send a SSN# (or other regular expression) outside of the organization.
Read the original Days of Incite post on this topic.
6-month grade: C+
I hate waffling, but ultimately I have no choice but to waffle a bit on
this Incite. Clearly I don't think the DLP market is going great guns,
and I constantly hear anecdotes about big DLP projects being pushed out
or pilots kind of stuck in pilot mode. Yet, on the other hand, I also
hear anecdotes about some of the acquired DLP vendors beating their
internal projections, mostly driven by the reach of the acquiring
company. I guess the truth is kind of in the middle and very hard to
really calibrate.
That's why I hate making market size projections. I guess I'll take a mental note to remember that next year, when I'm preparing the 2009 Incites.
But let's get back to the fundamentals of the DLP space. The reality
is, as this business and the product offerings mature, the problem is
less about catching bad stuff at the gateway and more about protecting
the data at rest. That's really where it's most vulnerable. I should
probably say FINDING the sensitive data at rest, since you need to
figure out where it is before you can worry about protecting it.
And that gets back to a key hallmark of DLP: it's more about
process than it is about a product. Sure you can buy a gateway to look
for regular expressions (like SSN#'s and account IDs) or even use some
sophisticated information fingerprinting algorithm, but unless you know
what you are trying to protect and why - then the inherent value of the
DLP will be limited.
I think that's really the concept I was trying to isolate in the
Incite, but of course it came out like a Kimbo uppercut delivered to
the jaw of the entire category. My point is that for data leak
prevention to actually prevent anything, you need to have an
underlying process to figure out what's important, find it, and then
ultimately protect it.
And without the process, the product is a pretty (I guess I should say
a VERY) expensive way to find the low hanging fruit, and your existing
mail and web gateways can probably find the low hanging fruit.
Photo credit: "Old Jumper Cables" by Dann Solo
Incite Redux: Day 8 - Protect the vault (that's where the money is)
Good Morning:
Today I need to send a shout out to my father-in-law Sandy, who turns
75 today. SEVENTY FIVE! Wow, that's a long time. I'd say something
about spring chickens and being old, but he's one of the youngest guys
I know. Sure there is a lot of mileage on his motor, but it still runs
pretty OK. There are 75 year olds that are more like 90, waiting for
their call to the great beyond.
And there are the 75 year olds that are more like 50-somethings. The difference? Engagement. It's as simple as that. Those that aren't engaged with hobbies, activities, maybe even a job are just waiting to die. Maybe it's because they have health problems or whatever, but there is clearly a correlation between someone's activity level and how young they appear.
Sandy is a stock broker and he loves it. He "works" pretty much every day. Not because he has to, but because he wants to. He would chart stocks even if it wasn't his living. In fact, he did chart stocks on nights and weekends before he became a full-time broker in his late 40's. It's his passion and his passion keeps him young. I can't tell you how much I've learned from watching someone actively engaged day after day, year after year, doing something they love. These are lessons I weigh every career decision against.
Happy Birthday Sandy. I'm looking forward to many more.
Have a great day.
Incite #8: Protect the Vault (that's where the money is)
The hackers continue to go where the money is by increasingly targeting the databases storing private information. Database vendor’s disdain for security doesn’t help, and creates an opportunity for database monitoring and security solutions to gain a foothold before this capability is subsumed into the DBMS and/or network fabric. Encryption infrastructure makes little to no progress in 2008, despite regulatory pressures – largely due to complexity and the nebulous compensating controls clause.
Read the original Days of Incite post on this topic.
6-month grade: B+
In Incite #6, I talked about a hot market (full disk encryption), even
in a crappy economy. Database monitoring is neither high profile nor
particularly exciting - but it's happening slowly but surely. As
opposed to the overheated NAC hype that set unmanageable expectations,
database monitoring (for the most part) has flown under the radar. To
be clear, this is still a very early market and the buying dynamics are
still rather complicated (does the DBA or the security guy own/buy
it?), but enough folks are looking at and interested in this space -
that it'll end up being larger than another over-hyped market - DLP -
this year.
But I don't want to get ahead of myself here; we talk about DLP
tomorrow. Now the good news for
the stand-alone database monitoring folks is that the big database
folks have their respective heads in dark places. They are all focused
on becoming something else, and a security vendor isn't high on the
list. Oracle is an apps vendor, Microsoft is an everything vendor and
it's not clear what Sybase is - but it's surely not a database vendor.
So all these guys do offer their own flavors of database security, but
it's clearly not a focus - which creates opportunities for the
start-ups.
Is this a top priority issue? Does it need to be solved right now (like full disk encryption)? Nope. Unless your auditor has specifically required you to do so, as part of a compensating control for secure applications. So a lot of organizations will defer this purchase for a while. But I'll make the case for why it's important to do this sooner, rather than later.
Surprisingly enough, it gets back to REACT FASTER. Remember, we want to monitor as much as we can because we don't know where the next attack is going to come from. The network is really the first place we want to monitor (because the network doesn't lie), but after that I want to see what's happening in my database - that is where the money is, after all. Monitoring is good. So as you are looking at your priority list, keep that in mind.
What about the second half of the Incite, which is about
encryption infrastructure? You know, that centralized key management
function that allows those pesky little keys to be managed across
applications. Kind of like a utility. Well, that's still nowhere.
Encryption can and should be relatively transparent to developers,
users, and pretty much everyone. In big environments, I get the value
of centralizing management and escrow of the keys - but those use cases
are few and far between. Most folks don't need it, and should focus on
something that will yield more value in the short term. Like
monitoring. :-)
Photo credit: "Bank Security Guard" by madaboutshanghai
Incite Redux: Day 7 - The SDLC is your friend
Good Morning:
When was the last time you used a pay phone? For me it was a LONG time
ago. I'm not sure why I thought about that, but sometimes entire
industries just go away and we hardly notice. Pay phones were a very
big business for the phone companies many years ago. I remember having
my trusty phone card always by my side and finding those germ-ridden
phone boxes wherever I could to check in.
Yes, this was before cell phones became ubiquitous and Blackberry's made 24 hour connectivity not only possible, but connected. This is why I always tell everyone to question everything. I'm sure the phone executives didn't figure their cash cow pay phone business would just go away. Even early in the cell phone revolution. I still used my calling card in hotels because the cell phone was too expensive to use all the time. Now, not so much.
So what can kill your business? What will you do if your main cash cow just goes away? If you work for a big business, these questions may not be that relevant (since I doubt a company like GE is going away, even if a portion of their businesses), but if you work for a small business - it certainly is relevant. I see this every day. Companies that were great businesses are rendered obsolete. And the businesspeople either adapt or they die.
Darwin would be proud. He was right. Have a great day.
Incite #7: The SDLC is your friend
As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).
Read the original Days of Incite post on this topic.
6-month grade: C
I curse the PCI 6.6 clarification. Ugh. It was that one little clause
of either WAF or code reviews/SDLC to be compliant with 6.6 that
torpedoed this Incite. Fact is,
I've written a lot about the fact that most organizations will opt for
the path of least resistance, and that usually means a box - as opposed
to a process change. And a WAF is a box, and an SDLC is a process
change. Guess which one wins, when deemed reasonably equal in the eyes
of the assessor?
Now has there been a lot of innovation in the WAF space? Not really.
But who cares. It's the path of least resistance for many trying to
outrun the specter of PCI - so not only have WAFs found their sea
legs, but you are seeing integration with web app scanning and other
parts of the eco-system. By the way, if being wrong about an Incite
means things are moving forward - then I'm cool with it.
But what about secure development practices? What about SDLC and code
reviews and the like? Yep, they are still important and I think that
implementing these concepts now will pay dividends for years down the
road. And I also know it's hard and that many dev teams will be
resistant to changing the way they do things. All I can say is to keep
fighting the good fight and focus.
One approach is to build up a grass roots effort by focusing on those apps that directly handle critical data. You aren't going to totally and fundamentally change things overnight. Nor should you. Some apps don't need to be overhauled, since they are either not exposed or they don't handle sensitive data. But for those that do, keep banging away. Yes, you'll get a headache, and probably a callus on your forehead.
If it was easy, everyone would be doing it.
Photo credit: "Path of Least Resistance" by kisses are a better fate than wisdom
Incite Redux: Day 6 - Laptop encryption hits the big leagues
Good Morning:
Week 2 of "vacation" is on. The last time I took off more than a week
was back in 1997. The Boss and I took a 3 week trip to Australia and
New Zealand a few months after we got married. It's been a long time. I
guess part of me should feel bad about not really taking vacation and
totally unplugging. I probably should just not work at all, not do any
reading, not plug in and answer a few emails every day. Not work on any
of my super-secret projects. But I don't feel bad. Not at all.
Why? Because I love what I do. I don't spend a portion of every day reading because I worry I'll fall behind. I do it because it's what I like to do. I'm an information junkie and I've found a profession that lets me indulge that. I love writing and inflicting my opinions on all that will listen. I love building new things, so my new projects keep me engaged.
The fact that I have enough back-up to "work" a few hours a day is lucky. So I can get my info fix and then spend the afternoon with the kids at the beach. And a couple of hours of beach time is about all I can handle anyway. Especially since I have no pool to lounge by and no one to bring me drinks in a pineapple.
Yes, I'm spoiled. I don't feel bad about that either. Have a great day.
Incite #6: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.
Read the original Days of Incite post on this topic.
6-month grade: A-
Yep, this one seemed very obvious when I wrote it. Though in a time of
macro-economic chaos, and even the mighty (like VMware) proving that
trees don't grow to the sky, good old-fashioned disk encryption continues
to do well. Well enough to keep big security afloat and announcing good
earnings? That I'm not sure about (remember I wrote this about two
weeks ago before many of the public security players announced their
earnings), but I can tell you it would be a lot worse without the
ballast of this hot category.
And why is it hot? Well, just read the Incite. People keep losing laptops and disclosure laws
mean customers need to be notified. It's a lot easier to just encrypt
the disk and most companies are realizing that. Of course, you see
datapoints from a few months ago that the US Government is about 1/3 of
the way through their deployment and you realize how many friggin'
devices there are out there, and that there is still plenty of running
room for this category.
I'll also pat myself a bit on the back by saying the longer term
prediction part of the Incite seems on track as well. There are
precious few stand-alone device encryption companies left and many of
them have shacked up with Big Security to OEM their offerings through a
bigger distribution engine (like the Symantec/GuardianEdge deal). Of
course, the good news about long term predictions is that they are
longer term and thus I can just say it's right. Right?
But what about having the embedded OS capabilities kill stand-alone
offerings by next year? That's the difference between A- and A.
Microsoft's Vista is every bit the train wreck we thought and a lot of
big companies are just going to wait for the next version of Windows.
That means no BitLocker, which means continued demand for 3rd party
offerings. And as many inroads as Apple is making in the enterprise,
it's still a rounding error. So 2009 may turn out to be a bit
optimistic. But to be clear, good enough will prevail in this game.
It's not a matter of if, it's a matter of when.
Photo credit: "Laptop Stolen" by Bahi_P
Incite Redux: Day 5 - Night of the Internet Dead
Good Morning:
Ah Friday. On vacation, every day is Friday, isn't it? But when
you are at the beach, it always helps to have Plan B. Inevitably it
rains and when it rains, you better have a plan to keep the kids
occupied. Or it gets messy pretty quickly. Optimally, you get a half
and half. Glorious sunshine in the morning with the weather rolling in
around 2 PM.
By then, the kids are beached out and they probably don't need any more sun at that point. Then we can bring them back to the house, feed them and get some naps in. Maybe a late afternoon movie would be on the plan as well. It's also good to have some games to play and art projects ready to go. Better to be prepared than have a bunch of bored kids writing on the walls of the rented house.
It used to be a lot easier. There was one thing we'd do on a rainy beach day BK (before kids). Right to the bar. It could be 10 AM or 2 PM, no matter. If it was raining, I was drinking. That always helped my sleep habits too, since I'd usually be incoherent right around dinner time, so I'd eat and then pass out. After a few hours of sleep, I'd go for round 2. What we could do when we were young...
But I am not that young anymore. Nor do I live in the past. So right about now, it's probably time to break out Sorry or Chutes and Ladders. I can't wait until we can bust out the Monopoly and Stratego. Of course, by then the kids will want to play online with kids from around the world, I'm sure. Yet, I can still hope for family game day, can't I?
Have a great weekend.
Incite #5: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.
Read the original Days of Incite post on this topic.
6-month grade: A
I'm happy to wind up the first week of Incite Redux on a high note.
This Incite (although obvious) has certainly come to pass. We hear
about new and more sophisticated bot networks weekly. We are starting
to learn just how advanced the crime organizations are that drive much
of the cyber fraud around the world.
I heard (anecdotally, of course) that one of the crime networks has built a database of private
information that rivals "legal" information sources like ChoicePoint.
Of course, that could be boasting and hyperbole, but to think that a
crime database that size is within the realm of possibility is nothing
short of shocking.
If you've made it through the first half of the year with no issues, none of your users losing their devices, none of your trading partners firing someone who had access to your stuff, and no public disclosures, then pat yourself on the back. I'm not sure if you are lucky or good, but all the same - the likelihood that you'll have the same answer next year is pretty small.
So plan for the inevitable. There are a lot of very smart guys that I hang around with, who make a living trying to figure out what attack is next. They find a lot of bugs and they do the right thing by responsibly disclosing those "features" to the vendor in question. Most of the time anyway. But for all the smarts these guys have, they missed little things like Melissa and SQL Slammer. They missed many of the new social engineering attacks and crimeware, spyware and other x*ware variants that have been compromising machines and converting devices into zombies at an alarming rate.
And this has nothing to do with the talent and capabilities of the researchers. My entire point is that no one has a crystal ball. None are practicing fortune tellers. One of the most valuable roles that security research plays in the ecosystem is to find new attacks, pull them apart, and figure out how to defend against them. But to be very clear, in most cases, these folks are not working ahead of the curve. They are working against the clock because the bad guys have already weaponized the attacks.
Which is why the REACT FASTER doctrine is so important. No widget is going to protect you against an attack you've never seen. Although truly new attacks are fairly infrequent, they happen enough that we need to plan for the next one. So we monitor our networks and our servers. Also our databases and applications. We look for anomalies and other funky behavior that is not the norm. Then we investigate to see if that strangeness is just random or representative of a real issue.
Then we address the issue. Once that work is done, we live to fight another day. Take pride in the fact that most of the world reacts slowly, if at all. They are the ones that get to disclose breaches to their customers and mop up a real mess, if they can. Or they are constantly working on their resume and hoping their number doesn't come up before they get that new job.
It's true you can run, but you can't hide. All you can do is REACT FASTER. And that deserves an A.
Photo credit: "fortune teller" originally uploaded by yunheisapunk
Incite Redux: Day 4 - Weaving security into the network fabric
Good Morning:
Kids say the darnedest things. At least mine do. At the beach, we usually trek down to the Boardwalk in the late afternoon for a few carnival rides, some dessert and basically to further tire the kids out before bed time. Though I'm not sure how it happened, the Boss let my son out of the house in his Flash costume. Yes, the kid was walking along the boardwalk as the Flash.
And I'll also admit it was very cute. Lots of folks were commenting on his costume, including one jackass who confused him with Shazam! Come on now. Who doesn't know the difference between the Flash and Captain Marvel? Thankfully my older daughter goes up to the guy and says, "That's not Shazam, it's the Flash!" Wallflowers my kids are not.
So the boy actually seemed a little embarrassed by all the attention. He's a bit shy and he didn't like all those folks he didn't know talking to him (yes, it's hard to out run your genetics). I tried to make him feel a bit better by saying that all those folks are talking to him because he's cute in his costume.
He looks up at me and the Boss and says, "I'm not cute." Huh? What do you mean you aren't cute, boy? Crap, do I need to set him up with the therapist right away? Is this a four alarm self-esteem issue? Nope, he then follows that up with: "I'm not cute, I'm handsome!"
Yes boy, you are handsome. And bold and innocent and all the stuff that we old folks need to remind ourselves to be in the morass that is our daily lives.
Now go have some fun today. I'm certainly going to.
Incite #4: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.
Read the original Days of Incite post on this topic.
6-month grade: C+
The challenge of making prognostications is that things happen in my mind fairly quickly, and in the real world - a hell of a lot slower. So the idea that we will be getting to this mythical "Secure Network Fabric" is certainly still in the works - though it will be a multi-year evolution to get there. So let's look at the data points that validate this theme.
First is Cisco's TrustSec, which is basically another marketecture from the kings of marketecture - really focusing on how to evolve the current switch infrastructure to something more secure. Yes, it will take a long time and hopefully not involve a wholesale rip and replace of all your current gear (like the C-NAC Framework of old), although your Cisco rep would certainly like it. Basically, it's just a fancy way of saying what has been obvious for a long time. Network security will be in your network, not in a set of overlay boxes meant to protect your status quo switching fabric.
Juniper is also getting into the enterprise switch game and their differentiator? Ah, uh, well, it's basically their operating system and their NAC stuff. And scarily enough, that may be enough for the few that don't want to buy from Cisco and aren't comfortable that the other switch vendors will be around long enough to support their stuff down the road. So the Secure Network Fabric is happening, though at a snail's pace.
It's also been interesting to see how far and how fast the NAC business has fallen out of favor. Evidently all it took was a couple of high profile flame-outs and the rest of the business largely just shutting up and getting back to the business of actually solving some customer problems and selling some gear.
And an amazing thing is happening: the business is growing. Modestly, though I'm not sure how modestly since I don't do numbers, and I don't believe what folks like Infonetics say. So I'll just use the term modestly - which is a lot better than not modestly. This is a disappointment to the investors and hype-meisters that have been looking for huge growth (meaning IPOs and high value acquisitions) out of this space, but in reality any kind of market growth is not a bad thing nowadays.
Customers still have problems with visitors and outsourcers and other folks that now are supposed to be on their networks, but without the ability to manage those devices. These problems sometimes bubble to the top of the priority list, especially if an auditor has said to fix it for compliance purposes. My biggest issue with the space was whether a customer could wait to deploy NAC. And the answer has been largely yes, but enough folks feel the pain to keep the business moving forward.
Who is doing well in this space? Everyone says they are doing great, just like Lockdown. Ultimately, it doesn't matter. My procurement philosophy has to do with solving your problems, not with picking who is doing well. So figure out what problems you are trying to solve and then figure out if NAC is the right solution for you. But the key here is to focus on the longer term and how you want to get there. The reality is, you will be rolling out a secure network over the next 5-7 years. Do you want to evolve slowly or quickly? Do you have an option? Is an overlay the best answer or do you want to start incrementally updating your fabric in crucial areas?
There are lots of questions to ask and that is the most important part of considering a NAC solution. In terms of grading this Incite at the 6 month mark, it's good in some areas and not so much in others. Overall, a mediocre showing, which is about a C+.
Photo credit: leigh.
Incite Redux: Day 3 - Best of Breed DOA
Good Morning:
Is it Wednesday already? Maybe for you. I'm writing this from the past, and that's one of the amazing things about technology. I can stack up 10 posts before I leave and like clockwork, you'll get your daily dose of babbling. So let's all do a prayer of thanks to the Technology Gods. But the reality is that I am in fact writing this post, so at some point I had to get out of my normal schedule to get ahead of my publishing schedule.
My business still needs me to run it, and that is an inherent limitation. It's also something that I'm planning on addressing in the very near term. No, I can't talk about it yet - but I've got some super-secret projects underway and hopefully it will contribute to being able to really take time off, as opposed to just paying my work forward.
So that brings up the inevitable question: when you are out of the office, who is holding down the fort? Can they do your job? If not, what do you have to do to get them there? No one is indispensable, and you don't want to be. So think about it. And have a great day.
Incite #3: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.
Read the original Days of Incite post on this topic.
6-month grade: A
I got a great question from one of my channel contacts a few weeks ago. They asked if they could still get a stand-alone firewall anymore. They'd been looking a bit, but it seemed that every device that was out there was "more" than just a firewall. Some went the UTM route, others have focused on applications, but you actually have to look hard for just a firewall. Clearly this kind of consolidation of functionality is happening and it's what "big is the new small" is all about. But is this good or bad?
Basically, it's neither. I answered the question to my contact by reminding her that UTM devices are still firewalls. You just turn off all that other stuff and run it as a firewall. Yes, kind of like using a Swiss Army Knife as a cork screw. And given the cost economics of the technology business, that's not a bad thing to do as you are migrating from one perimeter platform to another. You incrementally get there and then when you are ready, you turn on more functionality in the UTM box and turn off the stand-alone device.
The same thing is happening in the endpoint security game. Everyone has an AV engine nowadays, if only to take that objection off the table. You know, why go with just an anti-spyware agent when I also need AV? You don't. You buy a suite that includes all this stuff. And it seems there is no end to the bundling. Symantec is adding backup features (as you'd expect) and Microsoft is bundling Office with OneCare as a subscription. Yep, security is something we all need and something that will be a checkmark or free add-on to something else you are buying.
I kind of laughed 5 years ago when my new PC (yes, when I still bought and used PCs) came with a full license of CA anti-virus. I used it diligently until that machine croaked. Why would I pay for something else? And that's exactly the point. You'll see the endpoint security folks continue to focus on bundling as their main path to market.
Security management is also playing out as I projected. Pretty much all the SIM players have a log management offering and vice-versa. You are now seeing integration with the identity management folks, which makes sense because you want to get down to managing a user's activity - not just a nameless, faceless IP address.
Those companies that still have stand-alone solutions have some strategic decisions to make. It's increasingly clear that having just an IPS or just a secure switch, or just a set of security utilities is not a way to find long term sustainability. But with the macro-economic environment being pretty crappy, you won't see a lot of deals over the next 12 months, unless they are deals done under duress (yes, fire sales). The privately-held category leaders will likely wait for better valuations, which they figure will come back when the stock market strength returns.
This Incite is rather obvious, but still pretty accurate - so I'll bestow an A on it at this half-way point.
Photo credit: "French Army Knife" originally uploaded by Simon Davison
Incite Redux: Day 2 - It's time for an Audit Revolution
Good Morning:
Some days I get to reflect on how lucky I am. I guess when you are sitting on the beach, watching your kids enjoying life, it's as good a time as any to appreciate all that I have. Of course, a unique "feature" of my personality is to never be satisfied - to always be striving for more. Yet, some days it just makes more sense to forget about all that crap. My goals and aspirations of world domination will be there when I return to the office and my daily rituals.
Until then, I think I'll just enjoy the fact that things could be a lot worse.
Have a great day.
Incite #2: It's time for an audit revolution
Contrary to popular belief (and desire), compliance is far from dead and remains a major buying catalyst (and funding source) for all sorts of information security tools, services and the like. Yet, the acrimonious relationship between the auditor and the audited continues to create problems and needlessly burn resources. Forward-thinking security professionals jump on the bleeding edge of innovation, treating the auditor as a peer and viewing the audit as a learning opportunity.
Read the original Days of Incite post on this topic.
6-month grade: B-
I need to come clean. Sometimes I get what's right and what's realistic confused. Now there is no doubt that my ideas about how auditors and auditees can work together are right on the money. I've heard enough feedback from enough people I trust that not treating an audit or an assessment like a 15-round fight is a much more productive way to go about things. This approach is laid out in the Pragmatic CSO.
But then again, what's realistic tends to be constrained by people, and people don't really change readily - if ever. It reminds me of one of the great lines in You Don't Mess With the Zohan: "They've been fighting for 2000 years, it will be over soon." Unfortunately, that seems like the story we tell in the security business. We've always fought with auditors and not fighting with them is kind of like asking for peace in the Middle East. Except I do think it's possible.
Just keep in mind that we are all fighting for the same thing - and that's to protect the information and assets of the organization. The auditors want to be able to prove that things are happening. Is that all bad? Of course not, it's quite good - but it takes a different kind of security practitioner to realize that.
What about the whole compliance golden goose? It's still alive and well. As we look forward to the end of 2008 and into 2009, it seems the global economy isn't going to be improving much at all. So we will face even more budget tightening and scrutiny of our investments. Since security is still largely an overhead function, it's going to be even more heavily scrutinized.
So using the compliance card is not a bad thing at all. But do you buy something just because it is purported to help with compliance? Of course not. After all, a smart guy figures that GRC is dead. Buy what you need to protect your stuff. That hasn't changed at all. You still need to focus on Security FIRST! If you do that well, you'll be in decent shape for your audits and assessments.
In terms of a grade, the long term trend is intact and the approach is solid. But it'll happen more slowly than I anticipated - so I get a B-. Or go hug your auditor and prove me wrong.
Photo credit: "Monster Hug" originally uploaded by Alberto+Cerriteno