7 posts categorized "amrit williams"

May 31, 2007

The Security Bloggers Network keeps growing

Just wanted to take a moment and announce that the Security Bloggers Network has now reached 74 contributing security blogs!  The newest member is the Watchfire Application Security blog by Ory Segal.  Ory has a good article up on playing in the sandbox and asking why anti-virus vendors have not adopted this approach.  If you get a chance, check out what Ory and the Watchfire guys have to say.

Ory joins some other great bloggers like Jeremiah Grossman of White Hat Security, Mike Rothman of Security Incite, Amrit Williams and Ryan Russell of Big Fix, the blogging guys from nCircle, Richi Jennings, Chris Hoff of Crossbeam (received a weird call from Chris and some "friends" last night but let's not go there) and many others too numerous to mention.  There is some great content there.  Subscribing to the combined feed is a great way to stay on top of all of these great blogs in one RSS feed.

Also, if you have an at least partially security-themed blog and would like to add your feed to the mix, there is no cost to do so.  Just email me with your request.

May 16, 2007

Richard Stiennon comments on Amrit's NAC post

I decided to do Rich the favor and list his comments in the center section for everyone to see.  I don't agree with Richard on this (that is no secret) but wanted to give his point of view its due.  So Amrit has his take, Richard his and I mine. That's what makes the world go round!

Too bad one can't comment at Enterprise Systems. So I'll comment here instead!   You have to admit Amrit lays out his arguments pretty well even though they are tainted by a configuration management perspective. But, you know what? NAC is all about configuration management. The way it is being promulgated (Thank you FireFox for in-line spell checking!) NAC addresses the issue of out-of-policy devices and what to do with them. Security is a side issue although the vendors like to push that aspect. But NAC cannot address security issues beyond the prevention of the spread of a worm or virus, at the expense of loss of productivity.

To me the issue is: After investing all that money in NAC what have you done to counter the threat of a healthy machine being used to attack you?

Yes, configuration management, NAC, and security all overlap. But I would draw the diagram with NAC inside Config Management and both intersecting a small piece of security.

Guess who wrote this ...

"NAC can only be effective when coupled with a program of continuous policy enforcement of managed systems. Quarantining devices should be a last and final line of defense and not the main method to secure an environment; it is a small part of an organization’s overall security program, not the cornerstone."

Couple of hints:

1. His company is in the continuous policy enforcement of managed systems business.
2. He never seems to want to talk about what to do about unmanaged devices, though he acknowledges that at ".. the same time, an increasingly mobile work force, and more outside stakeholders—contractors, suppliers, partners, service providers, etc.—required enterprise network access."
3. He just does not understand that not every single policy violation in NAC results in a "death penalty" of quarantine. You can have grace periods and other remedies for policy violations.  Instead of the binary on/off paradigm he constantly knocks.
4. Thinks that if you "pre-mediate" devices "before they log onto the network" that is not a form of quarantine.
5. He writes a nice article, though it has the tone of an analyst.  Old habits die hard.

If you have not guessed yet, have a look here.

BTW, I get that Enterprise Systems publishes bylined articles for content that are little more than marketing pitches, but do they have to classify them under news? Thanks to the sleep-deprived Mike Rothman for pointing me to this one.

April 12, 2007

Questions to Amrit on effective vulnerability management

Amrit has part 1 of an article he is writing on effective vulnerability management up.  As some of you may know, Amrit spent a few years as an analyst in the VM field and certainly knows a thing or two about it.  In many ways reading Amrit's article reminded me of my own "VA is dead" thesis.  I say AMEN to what you have written about traditional scan-and-fix being a losing approach, Amrit.

I think, though, that Amrit is proposing a Big Fix-like approach (no surprise there) as the evolutionary successor to traditional vulnerability management scanning.  So Amrit, while I agree with the dead end that vulnerability assessment scanning seems to be, let me ask you two questions regarding your position on this:

1. Does configuration management boil down to remediation being the only answer? If so, what is remediation?  Is it only applying patches or shutting down a port or service?  Could applying limitations on access be part of the equation?  Access control based upon a configuration baseline is, I think, an important part of managing the system.

2. Can configuration management be done outside of an on-board agent?  Looking at some of the traditional VM scanners like nCircle and Tenable, they are claiming configuration management capabilities.  Can their "point in time" scanning compare to always-on, agent-based configuration management solutions? If not, what about unmanaged devices coming on the network without an agent?  Do you fall back to scanning them with a scanner? Is the position really that if all company-owned assets are fully compliant, we don't worry about what a guest computer can introduce?  It is for this reason that I think you can never have a pure agent-based configuration management system, but need both agent-based and agentless.

OK, Amrit there you go.  Looking forward to your answer.

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends include Mike Rothman at 7, Mitchell at number 9, Michael Farnum, Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


March 07, 2007

NAC - Bust or boom?

One thing I have learned is that rarely are there any absolutes in life.  It is rare that life makes it easy for us to say with certainty that something is yes or no, black or white, success or failure.  That can certainly be said of NAC at this point in the story. There are some who say that NAC has not lived up to the hype and there are inherent problems which will prevent it from living up to its promise anytime soon.  Amrit Williams wrote about some of the problems he sees with NAC a couple of weeks ago.  There are others who say that NAC is revolutionizing network security and can significantly improve the security posture and lower the risk to networks of all sizes.  As with most things, the answer probably lies somewhere in the middle.  The perception of NAC today is that it is saddled with too many expectations and too little consensus on what NAC really is and does.

My view on the boom or bust issue is that the fact that we are even discussing this is indicative of the success of NAC.  NAC has changed the way we think about security and what our expectations should be.  By the sheer number of vendors offering NAC solutions, obviously there is something that people are recognizing.  However, what is it now, and what will it be tomorrow?  That is what I am going to try and explain in the next few articles.  Amrit Williams, I hope, will serve as my counterpoint.  You may find that Amrit's view and my view of what NAC needs are not that different.  Whether or not it gets there, and when, may be different.

I am going to give a brief history of NAC and then explain how NAC is evolving into a "complete NAC" strategy.  Stay tuned for that.  But first, why do some people think NAC is not living up to its promise?

1. Over-inflated expectations - A wiser man than me once told me, expect nothing and you will never be disappointed.  While having no expectations for NAC is not what I am advocating, having inflated and unrealistic expectations is a sure recipe for disappointment.  NAC is not the magic bullet that will cure all security ills.  It is not bulletproof and it is just one more layer in our arsenal.  Anyone who says different is setting inflated expectations.

2. Over-engineered solutions - There has been much lamenting about no single NAC solution being able to "do it all".  Instead we hold up as success stories over-engineered, redundant, cobbled-together implementations that are too heavy, not truly integrated and do not meet the true definition of what NAC can do.  I am speaking about implementations such as one I saw that uses a DHCP enforcer such as Infoblox, a configuration management solution like Big Fix and a "NAC" solution like Endforce/Sophos all at once to provide complete coverage.  The products were not meant to work together, don't really integrate, and these types of NAC mash-ups give NAC a bad name.

3. Lack of clarity of definition by vendors, media and analysts - All of us in the industry are guilty of this.  In the rush to the gold fields, we have let ourselves be deluded into thinking everything is NAC.  Each vendor has "embraced and extended" the original concept of NAC to fit their own product and then set out into the wilderness of the market to preach their view of NAC.  The press and the analysts (with the exception of Gartner, to their credit, and very few others) have not done a good job of placing these solutions in their categories and separating them from other types of NAC. This has created tremendous confusion in the market.

Let's be clear!  The original concept of NAC was performing pre-admission health or profile checks on devices as they sought to enter the network.  If the device failed, it was denied access or quarantined.  Then we added post-admission vulnerability scans, then IDS detection, behavior-based detection, identity-based access controls, etc.  Before you know it, anything that has anything to do with getting on the network and staying there is part of NAC.  How do you expect the customer to understand all this and make a decision on it?

The good news is that in spite of this, the premise of NAC and the promise of NAC are so compelling that many are attempting to wade through the morass and find what works for them. At this early stage in the NAC market it has already made a huge impact.  As products mature and incorporate multiple aspects of these modes of NAC it will continue to influence and dominate the network security market.  Like it or not, this is the age of NAC.  To those who say it has been a bust I say, you ain't seen nothing yet!

February 21, 2007

It's people like Amrit that make blogging fun

You know, after my UTM panel at RSA I was talking to Ross Brown about what I said to someone and he said something like "big deal, it was like kicking a mentally challenged guy".  Of course he used another word instead of mentally challenged, but hey, I am PC these days.  What Ross said was right on.  There is no fun if there is no competition.  Sort of like gambling when you know you are going to win all the time.  It is not really gambling if you know you are going to win, and it quickly grows boring.  That is why I like to blog.  Verbally sparring with the likes of Mike Rothman, Ross Brown, Chris Hoff (when every so often he remembers to blog) and of course Amrit Williams keeps me on my toes.  These guys give it as good as they get and never shy away from a good argument. It is entertaining, stimulating and usually educational all at once.

A case in point is my exchange with Amrit today.  He started it by knocking NAC. I came back saying there was nothing the matter with NAC.  Amrit did an artful job of twisting my words and adding his own innuendo to make it look like I agreed with him.  I tried, without personally attacking him, to point out the fallacy and inaccuracies of his characterization.  Amrit came firing back with a put-up-or-shut-up comment:

I feel fine, thanks for asking Mitchell. The reality is that Shimel has little leverage but to try to use misdirection, how about you offer up a case study or a company that is willing to discuss this value that NAC provides them?

The reality is NAC is NOT really usable today, especially as advertised, unless you seriously constrain the scope - can NAC products provide remediation of quarantined devices or does this require technical and process integration, is the value just for guest access and unmanaged nodes? Well then there are far less expensive ways to deal with that problem and honestly if you have users walking into your office able to just plug a laptop in and gain a DHCP address then you have issues far greater than anything StillSecure can offer. What about all the mobile devices, like BlackBerrys, PDAs, USB dongles - NAC helping you out there? What about the protection of data - is NAC the answer for that?

So posture all you want big man the proof is in the revenue :-)

So, what am I to do?  Should I give in to my baser instincts and engage Amrit on this?  You have to admire his in-your-face attitude.  Sort of a real little bulldog.  Well Amrit, here is my response.  I would be happy to share revenue, customer references and case studies with you. However, we only share that with current Gartner analysts, not former ones.  Sorry Charlie ;-)
