9 posts categorized "amrit williams"

February 24, 2009

Shimel's daily incite

My friend Mike doesn’t get a chance to do his daily incite as much. I know he says that he gets 30% more readers when he just does a rant on a single topic, but everyone I speak to misses his roundup of what's news in security with his two cents thrown in.  So here is my daily incite.  We will see how this goes before committing to doing more of it.

Have a good day!

The Pragmatic CSO: Available Now!

Read the Intro and Get "5 Tips to be a Better CSO"

www.pragmaticcso.com

How can I do a daily incite without pushing the Pragmatic CSO?  There, hope everyone feels better!

  1. Big Fix offers 50% off – John Dunn at Network World reports that Big Fix is offering up to a 50% discount to customers who switch to the Big Fix patch management system from a competitor when it is time to re-up. There is some other fine print with the deal (3yr commitment, only seats being replaced, etc.) but the bottom line is Dave Robbins and Amrit and gang are trying to use the current economy to grab some market share solely on price.  Yeah, it is a bit of a marketing thing and the competition will match it, but then the customer wins.  StillSecure did a similar thing with our 50% off Strata Guard deal.
  2. Tim Greene predicts the future looking at the entrails of dead NAC companies. Tim makes a connection that since StillSecure bought ProtectPoint to get into MSSP and Trustwave took out Mirage, there must be money in NAC. While Tim may ultimately be right, I don’t think today there is significant revenue in fully managed NAC. According to the article Mirage derived 30% of their business from managed service. I question how much 30% actually was though.  Doing managed NAC is not as easy as it sounds.  The MSSP will have to have access to the network infrastructure as well as the NAC solution.  Stay tuned for more details on that one.
  3. Say goodbye to FISMA? As I ranted on yesterday, FISMA has become the poster child for all that is wrong with compliance for compliance's sake alone. Yesterday a group with lots of support from the DoD, Mitre and SANS released the Consensus Audit Guidelines. You can get details on the SANS site here on the 20 critical controls. These look to me like the kind of common sense real security policies that will make a difference in the security of networks and not drown us all in paperwork without making us more secure. I sure would like to see this get adopted more widely.
  4. Security company hackers speak up. Softpedia has an interview with the Romanian hacker group that broke into several security company web sites including Kaspersky, F-Secure, Symantec, etc.  Personally I don’t care what they have to say. I think giving these guys any play is akin to negotiating with terrorists.  What they did was illegal and wrong and they should not benefit from it.

There you have it.  Shimel’s daily incite. Good day Mike Rothman no matter where you are ;-)

November 03, 2008

Came across this press release today

RENOWNED SECURITY BLOGGER MIA SINCE TAKING JOB

The Pragmatic, Inciteful Mike Rothman Has Gone Missing From His Blogging Since Taking a "Real Job"

(Alpharetta, GA. – November 2, 2008) – The mouth of the south, renowned security blogger, Mike Rothman has turned up missing in action shortly after announcing his acceptance of a full time position as a vendor puke with eIQ. Several inquiries have been made, but even “the boss” has been mum on his whereabouts. Several prominent security experts are already suspecting foul play and some even whisper of some sort of left wing conspiracy.

Rothman originally sounded optimistic about continuing his blogging workload and not abandoning his legion of fans in the RSS feed world. However, it appears that a “real job” has proven more than he had bargained for. Could it be that, after making fun for so long of others who blogged in addition to their full-time jobs, the task is more daunting than Mike could handle? Could the Security Twits have kidnapped him? Where is Mike Rothman?

Other rumors flying around the blogosphere have reports of Rothman sightings. One report had him canvassing door-to-door on behalf of Ron Paul in Montana. Still others say that Rothman has been in an “undisclosed location” (the same undisclosed location Dick Cheney uses) working on Barack Obama’s cybersecurity plans. Rothman’s name has been floated as a possible Czar in an Obama administration. Some are saying Mike was holding out to be the Sheik of cybersecurity, not the Czar. Others say Mike was far too pragmatic to get mixed up in politics.

Several other well known security bloggers were asked to comment on Rothman’s whereabouts:

Chris Hoff of Rational Survivability said, “I hope and pray for the best for Mike. Unfortunately my suspicion is that he has been virtualized and sucked up into the cloud. We all know how insecure that can be.”

Martin McKeay of Network Security Blog said, “You know Mike always made fun of my privacy views, but for once I wish we had a way to get past privacy laws and find out what really happened to Mike. I may have to don my purple tights and Captain Privacy suit to lead the search for Mike”

Rich Mogull of Securosis had this to say, “Mike did ask me for a hazmat suit that I used for the Democratic convention. I hope something did not go terribly wrong and Mike winds up as a green, muscular super hero”.

Amrit Williams of Techbuddha had nothing to say at all about Mike. In fact he said he never really liked Mike anyway.

JJ of Security Uncorked said, "I think Mike is just holed up somewhere in the Deep South working on the next set of 802.1x standards. But if I don't start blogging more they may be putting out MIA releases on me next"

Richard Stiennon (sorry Rich, couldn't find your blog URL) said, “Though I am sorry to see Mike’s disappearance, it does leave a real vacuum for blogging security analysts and Stiennon’s first law is ‘blogging abhors a vacuum.’”

Alan Shimel of StillSecure, After all these years, put perhaps the finishing touch on the Rothman situation saying, “You know Mike was a fast-talking NY guy who always spoke his mind. His up front, in your face style might have just rubbed someone the wrong way. He could very well be the security industry’s Jimmy Hoffa. But you know being the huge Giant fan he is, I am sure he would not mind being buried in the end zone of the new Giants Stadium.”

In the meantime a Ten ($10.00) Dollar reward has been offered by the Security Bloggers Network for any information leading to the whereabouts of Rothman. Anyone with information regarding this mystery can email podcast@stillsecure.com. All information will be kept confidential, as well as HIPAA and PCI compliant.

**All names and quotes are purely fictitious. Who knows where Rothman really is?**

May 31, 2007

The Security Bloggers Network keeps growing

Just wanted to take a moment and announce that the Security Bloggers Network has now reached 74 contributing security blogs!  The newest member is the Watchfire Application Security blog by Ory Segal.  Ory has a good article up on playing in the sandbox and asking why anti-virus vendors have not adopted this approach.  If you get a chance check out what Ory and the Watchfire guys have to say.

Ory joins some other great bloggers like Jeremiah Grossman of White Hat Security, Mike Rothman of Security Incite, Amrit Williams and Ryan Russell of Big Fix, the blogging guys from nCircle, Richi Jennings, Chris Hoff of Crossbeam (received a weird call from Chris and some "friends" last night but let's not go there) and many others too numerous to mention.  There is some great content there.  Subscribing to the combined feed is a great way to stay on top of all of these great blogs in one RSS feed.

Also, if you have a blog that is at least partially security-themed and would like to add your feed to the mix, there is no cost to do so.  Just email me with your request.

May 16, 2007

Richard Stiennon comments on Amrit's NAC post

I decided to do Rich the favor and list his comments into the center section for everyone to see.  I don't agree with Richard on this (that is no secret) but wanted to give his point of view its due.  So Amrit has his take, Richard his and I mine. That's what makes the world go round!

Too bad one can't comment at Enterprise Systems. So I'll comment here instead!   You have to admit Amrit lays out his arguments pretty well even though they are tainted by a configuration management perspective. But, you know what? NAC is all about configuration management. The way it is being promulgated (Thank you FireFox for in-line spell checking!) NAC addresses the issue of out-of-policy devices and what to do with them. Security is a side issue although the vendors like to push that aspect. But NAC cannot address security issues beyond the prevention of the spread of a worm or virus - at the expense of loss of productivity.

To me the issue is: After investing all that money in NAC what have you done to counter the threat of a healthy machine being used to attack you?

Yes, configuration management, NAC, and security all overlap. But I would draw the diagram with NAC inside Config Management and both intersecting a small piece of security.

Guess who wrote this ...

"NAC can only be effective when coupled with a program of continuous policy enforcement of managed systems. Quarantining devices should be a last and final line of defense and not the main method to secure an environment; it is a small part of an organization’s overall security program, not the cornerstone."

Couple of hints:

1. His company is in the continuous policy enforcement of managed systems business.
2. He never seems to want to talk about what to do about unmanaged devices, though he acknowledges that at ".. the same time, an increasingly mobile work force, and more outside stakeholders—contractors, suppliers, partners, service providers, etc.—required enterprise network access."
3. He just does not understand that not every single policy violation in NAC results in a "death penalty" of quarantine. You can have grace periods and other remedies for policy violations, instead of the binary on/off paradigm he constantly knocks.
4. Thinks that if you "pre-mediate" devices "before they log onto the network" that is not a form of quarantine.
5. He writes a nice article, though it has the tone of an analyst.  Old habits die hard.

If you have not guessed yet, have a look here.

BTW, I get that Enterprise Systems publishes bylined articles for content that are little more than marketing pitches, but do they have to classify them under news? Thanks to the sleep deprived Mike Rothman for pointing me to this one.

April 12, 2007

Questions to Amrit on effective vulnerability management

Amrit has part 1 of an article he is writing on effective vulnerability management up.  As some of you may know, Amrit spent a few years as an analyst in the VM field and certainly knows a thing or two about it.  In many ways reading Amrit's article reminded me of my own VA is dead thesis.  I say AMEN to what you have written about traditional scan and fix being a losing approach, Amrit.

I think though Amrit is proposing a Big Fix-like (no surprise there) approach as the evolutionary successor to traditional vulnerability management scanning.  So Amrit, while I agree with the dead end that vulnerability assessment scanning seems to be, let me ask you two questions regarding your position on this:

1. Does configuration management boil down to remediation being the only answer? If so what is remediation?  Is it only applying patches or shutting down a port or service?  Could applying limitations on access be part of the equation?  Access control based upon configuration baseline is I think an important part of managing the system.

2. Can configuration management be done outside of an on-board agent?  Looking at some of the traditional VM scanners like nCircle and Tenable, they are claiming configuration management capabilities.  Can their "point in time" scanning compare to always-on, agent-based configuration management solutions? If not, what about unmanaged devices coming on the network without an agent?  Do you fall back to scanning them with a scanner? Is the position really that if all company-owned assets are fully compliant, we don't worry about what a guest computer can introduce?  It is for this reason that I think you can never have a pure agent-based configuration management system, but need both agent-based and agentless.

OK, Amrit, there you go.  Looking forward to your answer.

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


March 07, 2007

NAC - Bust or boom?

One thing I have learned is that rarely are there any absolutes in life.  It is rare that life makes it easy for us to say with certainty that something is yes or no, black or white, success or failure.  That can certainly be said of NAC at this point in the story. There are some who say that NAC has not lived up to the hype and there are inherent problems which will prevent it from living up to its promise anytime soon.  Amrit Williams wrote about some of the problems he sees with NAC a couple of weeks ago.  There are others who say that NAC is revolutionizing network security and can significantly improve the security posture and lower the risk to networks of all sizes.  As with most things, the answer lies probably somewhere in the middle.  The perception of NAC today is that it is saddled with too many expectations and too little consensus on what NAC really is and does.

My view on the boom or bust issue is that the fact that we are even discussing this is indicative of the success of NAC.  NAC has changed the way we think about security and what our expectations should be.  By the sheer number of vendors offering NAC solutions, obviously there is something that people are recognizing.  However, what is it now, what will it be tomorrow?  That is what I am going to try and explain in the next few articles.  Amrit Williams, I hope will serve as my counterpoint.  You may find that Amrit's view and my view of what NAC needs is not that different.  Whether or not it gets there and when may be different.

I am going to give a brief history of NAC and then explain how NAC is evolving into a "complete NAC" strategy.  Stay tuned for that.  But first, why do some people think NAC is not living up to its promise?

1. Over inflated expectations - A wiser man than me once told me, expect nothing and you will never be disappointed.  While having no expectations for NAC is not what I am advocating, having inflated and unrealistic expectations is a sure recipe for disappointment.  NAC is not the magic bullet that will cure all security ills.  It is not bullet proof and it is just one more layer in our arsenal.  Anyone who says different is setting inflated expectations.

2. Over engineered solutions - There has been much lamenting about no single NAC solution being able to "do it all".  Instead we hold up as success stories over engineered, redundant, cobbled together implementations that are too heavy, not truly integrated and do not meet the true definition of what NAC can do.  I am speaking about implementations such as one I saw that uses a DHCP enforcer such as Infoblox, a configuration management solution like Big Fix and a "NAC" solution like Endforce/Sophos all at once to provide complete coverage.  The products were not meant to work together, don't really integrate and these types of NAC mash-ups give NAC a bad name.

3. Lack of clarity of definition by vendors, media and analysts -  All of us in the industry are guilty of this.  In the rush to the gold fields, we have let ourselves be deluded into thinking everything is NAC.  Each vendor has "embraced and extended" the original concept of NAC to fit their own product and then set out into the wilderness of the market to preach their view of NAC.  The press and the analysts (with the exception of Gartner to their credit and very few others), have not done a good job of placing these solutions in their categories and separating them from other types of NAC. This has created tremendous confusion in the market.

Let's be clear!  The original concept of NAC was performing pre-admission health or profile checks on devices as they sought to enter the network.  If the device failed they were denied access or quarantined.  Then we added post-admission vulnerability scans, then IDS detection, behavior based detection, identity based access controls, etc.  Before you know it, anything that has anything to do with getting on the network and staying there is part of NAC.  How do you expect the customer to understand all this and make a decision on it?

The good news is that in spite of this, the premise of NAC and the promise of NAC are so compelling that many are attempting to wade through the morass and find what works for them. At this early stage in the NAC market it has already made a huge impact.  As products mature and incorporate multiple aspects of these modes of NAC it will continue to influence and dominate the network security market.  Like it or not, this is the age of NAC.  To those who say it has been a bust I say, you ain't seen nothing yet!

February 21, 2007

It's people like Amrit that make blogging fun

You know after my UTM panel at RSA I was talking to Ross Brown about what I said to someone and he said something like "big deal it was like kicking a mentally challenged guy."  Of course he used another word instead of mentally challenged, but hey I am PC these days.  What Ross said was right on.  There is no fun if there is no competition.  Sort of like gambling when you know you are going to win all the time.  It is not really gambling, if you know you are going to win and it quickly grows boring.  That is why I like to blog.  Verbally sparring with the likes of Mike Rothman, Ross Brown, Chris Hoff (when every so often he remembers to blog) and of course Amrit Williams, keeps me on my toes.  These guys give it as good as they get and never shy away from a good argument. It is entertaining, stimulating and usually educational all at once.

A case in point is my exchange with Amrit today.  He started it by knocking NAC. I came back saying there was nothing the matter with NAC.  Amrit did an artful job of twisting my words and adding his own innuendo to make it like I agreed with him.  I tried without personally attacking him to point out the fallacy and inaccuracies of his characterization.  Amrit came firing back with a put up or shut up comment:

I feel fine, thanks for asking Mitchell. The reality is that Shimel has little leverage but to try to use misdirection, how about you offer up a case study or a company that is willing to discuss this value that NAC provides them?

The reality is NAC is NOT really usable today, especially as advertised, unless you seriously constrain the scope - can NAC products provide remediation of quarantined devices or does this require technical and process integration, is the value just for guest access and unmanaged nodes? Well then there are far less expensive ways to deal with that problem and honestly if you have users walking into your office able to just plug a laptop in and gain a DHCP address then you have issues far greater than anything StillSecure can offer. What about all the mobile devices, like BlackBerrys, PDAs, USB dongles - NAC helping you out there? What about the protection of data - is NAC the answer for that?

So posture all you want big man the proof is in the revenue :-)

So, what am I to do?  Should I give in to my baser instincts and engage Amrit on this?  You have to admire his in-your-face attitude.  Sort of a real little bulldog.  Well Amrit, here is my response.  I would be happy to share revenue and customer references and case studies with you. However, we only share that with current Gartner analysts, not former ones.  Sorry Charlie ;-)

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
