21 posts categorized "Chris Hoff"

June 11, 2009

Chateau Cloud ‘09, before the rains

Sometimes I just can’t help myself. No matter what I do, I get myself in trouble. For the most part I have stayed out of the whole cloud thing. I have watched from the sidelines as Hoff, Amrit and countless others have pontificated ad nauseam about cloud this, virtual that, a new paradigm here, a revolution in the making there. I stayed away from the hype. To me I had been there and done that, and have a bunch of worthless stock certificates to prove it. Back when StillSecure CEO Rajat Bhargava and I were getting Interliant going, we were one of the early entrants in the ASP market (the cloud providers of our day). We were hosting and managing all kinds of applications, web sites and other infrastructure, including, dare I say it, managed security. I have also been through my share of market hype (NAC anyone?) and recognize much of the cloud buzz for what it is.

Today I tried to write a small commentary on what was truly a tragedy on multiple levels. The least of those tragedies was what can happen when we trust our providers to store our (take your pick) applications, data, IP, stuff online in a shared or virtual environment. This is why security of our cloud environments is so important. Without the security in place that allows the user to trust the provider, the cloud will never ascend. The real tragedy of this story is that not only did tens of thousands of people lose their websites and data, probably for good, but a young man who developed the software that was hacked felt so guilty that he apparently took his life by hanging himself. Can you imagine! When many software vendors today won’t even acknowledge some vulnerabilities, this poor soul took his life. I guess it’s lucky Bill Gates never felt that personally responsible for any Microsoft vulnerabilities. It is not a joking matter though. Many thousands of people affected. A web hosting business in shambles and a young life snuffed out. Securing the cloud is rather minor on this scale.

But my friend Hoff (now of Cisco; should be interesting to see what effect this may have on the blog) and Kirsh from someplace called CloudAve.com took me to task. Evidently this was just a shared environment, and to “fear monger” about the cloud being insecure was totally out of line. Chris fails to see how a “PHP script vulnerability in a virtualization management program” equates to a cloud problem. Geez, I don’t know. Like I wrote in my reply, perhaps I don’t have the sophisticated palate that these gentlemen have to recognize a fine cloud when I see one. I felt like I was out on a Saturday night with some of my Boca friends when they debate the merits of this bottle of wine or that one. Hey, aren’t they all just a bunch of grapes? Or better yet, discussing maduro wrappers versus lighter tobacco wrappers, Dominican versus Cuban. Come on now. I had a flashback to Jim Ignatowski on the show Taxi smelling cocoa leaves to see where they were grown and when.

Maybe I will never be on the cover of Cloud Aficionado magazine, but I think most people have the same view I do. When I am talking about my stuff being kept up and off of my premises, it is up in the cloud. It doesn’t have to be fancy or sophisticated. You don’t need fancy diagrams or long-winded treatises with storybook names. It is really quite simple. When my stuff is up there I am getting it in the cloud. A PHP vulnerability on a shared server is not very different from a vulnerability in salesforce.com, if it means someone can gain access to salesforce and wipe out my data.

To satisfy my own curiosity I went to Wikipedia and looked up Cloud Computing. Oh, now that cleared it up - NOT. There is grid computing, utility computing, SaaS, PaaS, IaaS, yada, yada, yada. I don’t know about you all, but I would bet the common man would still have a tough time distinguishing today’s cloud from the service bureaus and time sharing on the mainframes from back when I was a kid and I went to work with my Mom (yeah, I am that old). I am tired of hearing about paradigm shifts (the dot com bubble, the housing bubble, now the cloud bubble). But let’s leave the cloud snobbishness out of it. Don’t forget that though some may sit around letting the wine breathe, enjoying a fine smoke, discussing the more subtle points of a good cloud architecture, the rest of the world has to live, work and deal with this stuff every day.

June 10, 2009

This is why cloud security matters

I have heard many people say that this whole cloud security thing is much ado about nothing. Besides getting Hoff’s blood pressure going, most people just shrug. Yesterday’s article in the Register detailing the erasure of perhaps 100,000 web sites from a UK-based web host is a poster child for the stakes in play with cloud security.

The web host evidently used virtualization software from a company based in Bangalore called LxLabs. Today comes word that the CEO of the company was found dead by hanging in an apparent suicide (what is it with people hanging themselves lately, will we hear rumors of sexual asphyxiation next?). Anyway, the software in question had either a zero-day vulnerability or one that was a few weeks or months old (it all depends on who you believe on that one). In any event, the vulnerability gave the intruders root access to the machines in question. The kind folks who perpetrated this crime then proceeded to wipe out the files of all of these web sites. Perhaps half of these sites did not pay for any backup service, so their data and files may in fact be lost for good. That is just crazy!

So here are the stakes for the cloud. If something goes wrong and there is an incident, that incident can affect tens or hundreds of thousands of people and organizations. With that much @stake (no pun intended), we cannot afford not to be very serious about securing our cloud-based environments!

February 27, 2009

Google search for real

We have all heard of the millennial generation. Generally it refers to people born after 1985 through now. The older millennials are already young adults and their impact is being felt in social networking, politics and many other fields.

But it is the younger millennials who are going to blow us away. They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information is the norm. They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7-year-old son Bradley. Bradley was working on some Pokemon character and was looking for a picture that he needed edited. He asked me to Google the character’s name and then grab a picture and edit it. When I Googled the name no pictures came up. Bradley said, “Dad, put “for real” after the character’s name.” When I asked why, he said that is what he does when he can’t find something on Google. Frag (Battlestar Galactica word) if that didn’t work! How did Bradley come up with this? Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry?  Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if, or it’s about the platform, stupid – Hoff has a good point today about VMware’s use of the terms open and interoperable. These two abused terms get tossed around a lot. Open used to really mean open source: you had access to the source. Interoperable, in my mind, meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least about the openness of the product to use generally accepted means of communication. In my mind SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at, though not saying clearly, is that now it is all about the platform. VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook, and it makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been “discriminated” against because he is a vendor and therefore deemed not objective. I agree that most people say out of hand that you are a vendor and therefore not objective. Not that you can’t try. I have been accused of the same thing. But being objective on this question, I have to say vendors can’t be objective. Not to say we would lie, but if we didn’t believe that our products were better, could we sell them? So yes, IT vendors are not going to be objective. But here is the kicker: neither can anyone else. We all bring our own views and prejudices to the game and that affects our objectivity. Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogull calls BS – Rich Mogull calls out Bob Russo of the PCI council. Seems Russo says that no businesses that are PCI compliant have ever been breached. They may have been compliant once, but when they were breached they were not. Rich, rightfully I think, calls bull on this. I am not sure if Russo is playing semantics here or what. Maybe he means that having a breach automatically puts you out of compliance? I don’t know, but I have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!

February 25, 2009

Baby you're the greatest!

I thought I would continue my Mike Rothman Daily Incite series today. The only dangers I can see in this are that I might start getting grumpy and give up meat! But hey, Fake Steve Jobs stopped blogging, maybe I can be Fake Mike Rothman. Seriously, this format allows me to comment on a bunch of different things in one blog post, so I will go with it for a while.

First of all I want to call out that today is my 19th wedding anniversary! My wife Bonnie (the real Boss) continues to amaze me every day. Most times it is around how she puts up with me. But seriously, in this day and age where so many couples come and go, 19 years is an accomplishment. Marriage in some ways is a lot like security. You are not successful at it without a lot of hard work, staying on top of the game and being passionate about it, and it seems I am always one step behind! In the meantime, I still feel like Ralph Kramden, happy to have my Alice. So in the words of Ralph - Bonnie, you are the greatest!

Now on to the news and have a great day!


  1. Sourcefire goes into the 3rd party patch business. Shades of Ross Brown and eEye: the VRT at Sourcefire have released on their blog a “home brew patch” for the critical Adobe Acrobat vulnerability, which is actively being exploited in the wild. Adobe is supposed to have a patch out by March 11th. In the meantime, just as happened in the past, we really don’t know if the 3rd party patch has been adequately tested. If it turns out it breaks something, Marty and team may wind up with egg on their face. As I have written before, generally I am against 3rd party patches. In the meantime, Adobe, come on! If you want Acrobat to be ubiquitous, you need to do a better job of getting patches out. This vulnerability has been kicking around a long time!
  2. Check Point comes out with “software blades” for the UTM. Check Point has introduced a new concept in their UTM line up. They call them software blades. “The company describes a software blade as a security building block that is independent, modular and centrally managed.” The software blades operate on a software chassis. Check Point wants to sell each blade for $1500. I don’t know about you, but this sounds a lot like StillSecure Cobia to me! Modular security apps that run as software and can be mixed and matched on the management platform. Very little is new under the Sun!
  3. Top Ten web hacking techniques of 2008. And the winner is . . . If you did not get enough on Oscar night, here is the list of the academy awards of web hacking by Jeremiah, with help from an all-star cast of judges (The Mogull, HD Moore, Hoff and Forristal). Reading this post and Rich’s post on it, the mice continue to get smarter. That makes us work harder making better mouse traps. Jeremiah will be presenting on this at a bunch of conferences including RSA. You probably want to catch that one.
  4. New kid on the block. A friend of mine, Jack Mancini, who has been working in security since Symantec first bought Norton (or was that when Ralph met Norton?), has started his own security blog called “Secure or Not Secure”. Jack is just launching a new security VAR down here in Florida. He has already put up some good stuff and I am sure will continue to do so!

Anyway that’s my news for today. I am putting the Pragmatic CSO ad down here. If the real Rothman wants to work out a revenue share deal with me it might find its way back to the top!

The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com

November 10, 2008

Hoff wants to know who the IF-MAP Haz and Haz'nots are

So Chris Hoff thinks he might have come across the perfect solution to his vexing cloud/virtual security issues. A comment from Greg Ness over at Infoblox fired up a synapse in the Hoff's brain and he recalled that the TCG/TNC's IF-MAP protocol could really help with the whole cloud/virtual conundrum. Chris wants to know how many vendors outside of the NAC space are actually supporting IF-MAP.

So while I don't stay as close to the goings-on at the TCG/TNC as I would like to, let me venture a guess. I think very few vendors are actually supporting it and have implemented it. In fact it is not just non-NAC vendors, it is NAC vendors as well. Other than Juniper, I am not aware of another NAC vendor who actually supports MAP yet. Not because we don't want to; it is just not important enough. I was also very jazzed about it last year at Interop. Customers have not demanded it. So no one has the cycles to spend on it. Yes, Infoblox would make the comment on your blog. I think they are the people who originally came up with the idea and pushed it through the TCG with their own server as the storage container. Beyond that I thought ArcSight was behind it, but I don't know how far they have gone either.

Chris, unfortunately, like the TCG/TNC NAC standard itself, without more customers demanding it, IF-MAP remains in the nice-to-have category instead of the must-have category. So in your lingo, there are many more haznots than there are haz's, and it will probably stay that way.

November 03, 2008

Came across this press release today

RENOWNED SECURITY BLOGGER MIA SINCE TAKING JOB

The Pragmatic, Inciteful Mike Rothman Has Gone Missing From His Blogging Since Taking a "Real Job"

(Alpharetta, GA. – November 2, 2008) – The mouth of the south, renowned security blogger, Mike Rothman has turned up missing in action shortly after announcing his acceptance of a full time position as a vendor puke with eIQ. Several inquiries have been made, but even “the boss” has been mum on his whereabouts. Several prominent security experts are already suspecting foul play and some even whisper of some sort of left wing conspiracy.

Rothman originally sounded optimistic about continuing his blogging workload and not abandoning his legion of fans in the RSS feed world. However, it appears that a “real job” has proven more than he had bargained for. Could it be, that after for so long making fun of others who blogged in addition to their full time jobs, the task is more daunting than Mike could handle? Could the Security Twits have kidnapped him? Where is Mike Rothman?

Other rumors flying around the blogosphere have reports of Rothman sightings. One report had him canvassing door-to-door on behalf of Ron Paul in Montana. Still others say that Rothman has been in an “undisclosed location” (the same undisclosed location Dick Cheney uses) working on Barack Obama’s cybersecurity plans. Rothman’s name has been floated as a possible Czar in an Obama administration. Some are saying Mike was holding out to be the Sheik of cybersecurity, not the Czar. Others say Mike was far too pragmatic to get mixed up in politics.

Several other well known security bloggers were asked to comment on Rothman’s whereabouts:

Chris Hoff of Rational Survivability said, “I hope and pray for the best for Mike. Unfortunately my suspicion is that he has been virtualized and sucked up into the cloud. We all know how insecure that can be.”

Martin McKeay of Network Security Blog said, “You know Mike always made fun of my privacy views, but for once I wish we had a way to get past privacy laws and find out what really happened to Mike. I may have to don my purple tights and Captain Privacy suit to lead the search for Mike”

Rich Mogull of Securosis had this to say, “Mike did ask me for a hazmat suit that I used for the Democratic convention. I hope something did not go terribly wrong and Mike winds up as a green, muscular super hero”.

Amrit Williams of Techbuddha had nothing to say at all about Mike. In fact he said he never really liked Mike anyway.

JJ of Security Uncorked said, "I think Mike is just holed up somewhere in the Deep South working on the next set of 802.1x standards. But if I don't start blogging more they may be putting out MIA releases on me next"

Richard Stiennon (sorry Rich, couldn't find your blog URL) said, “Though I am sorry to see Mike’s disappearance, it does leave a real vacuum for blogging security analysts, and Stiennon’s first law is ‘blogging abhors a vacuum’.”

Alan Shimel  of StillSecure, After all these years, put perhaps the finishing touch on the Rothman situation saying, “You know Mike was a fast-talking NY guy who always spoke his mind. His up front, in your face style might have just rubbed someone the wrong way. He could very well be the security industry’s Jimmy Hoffa. But you know being the huge Giant fan he is, I am sure he would not mind being buried in the end zone of the new Giants Stadium”

In the meantime a Ten ($10.00) Dollar reward has been offered by the Security Bloggers Network for any information leading to the whereabouts of Rothman. Anyone with information regarding this mystery can email podcast@stillsecure.com. All information will be kept confidential, as well as HIPAA and PCI compliant.

**All names and quotes are purely fictitious. Who knows where Rothman really is?**

October 15, 2008

So what exactly does this mean?

". . . and Cisco NAC support is extended to cover all NAC versions, protecting the network from infected guest hosts." Beats the heck out of me. It is the last line of F-Secure's press release about their new endpoint agent/suite (when did we get to the point that an agent and a suite are interchangeable anyhow?). It comes right before the "about F-Secure" paragraph. Is it the proverbial catch-all? Do they really support all NAC versions? All versions of Cisco NAC? How? Did they just want to hit all of the buzzwords? They were sure to mention my boy Hoff's new buzzword, "the cloud". But show me an AV vendor who isn't checking the cloud these days. The cloud is the new black.

Guys, if you are going to mention something you do in your press release, at least explain it so people know what you are talking about. Also, why be the 15th AV vendor to announce what you do in the cloud and make it seem like you're unique? Why not just say, "we are doing what everyone else is doing"? Of course you could say you did it first, you do it better, yours is bigger or faster, etc. Hey, I guess size does matter. But talk about me-too releases, come on.

July 11, 2008

You want the truth, you can't handle the truth!

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that, like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder, according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes in a comment on an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard, being an ex-analyst himself (let’s face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richard’s words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts is to prove them wrong. Great, Richard, you try to prove them wrong when, because of what they report, you don’t have a market, can’t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly, Richard, it is time to call a code red on you and give you the cold hard truth. Richard, the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right, Richard: at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, as in Iraq and Afghanistan, in case you don’t know, Richard), it should be good enough for you. Think about that next time you are about to bad-mouth NAC.

Let me give you some other truths you may not like, Richard. Why do you think every switch vendor (of which we partner with many) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why, despite Luddites like you, does NAC still draw crowds at conferences like Interop (ask Joel about that)? Richard, we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one, Richard. Just as you are out of touch in missing Hoff’s point in his article.

As to Hoff’s article, as I said, I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendor’s word as gospel. I have seen research reports from analysts big and small that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these analysts, if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did in the DJ/radio business in the late 50s. Next, analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live “pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey, let me be clear, I play the game as well as the next guy. But I agree with Hoff that we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

March 04, 2008

TippingPoint goes 10 Gbps, but do people want just IPS or UTM?

TippingPoint announced their Core Controller appliance today. It is a 10 Gbps in-line IPS. Actually, what it sounds like it is, is a network controller that load balances traffic among several conventional TippingPoint boxes and then puts the flow back together and passes it on. Sounds cool, but I would like to see the latency involved in doing this. Sounds like a lot of moving parts. It also sounds a lot like the way Hoff used to do things over at Crossbeam Systems.

The real question for me, though, is not whether or not this new appliance does line-speed IPS. The question is, do we still want our IPS as a stand-alone IPS, or do we want it as part of UTM? Mike Rothman in his 2008 Days of Incite talks about "best of breed DOA". In it Mike talks about 2007 being a year where customers clearly voted for integrated solutions over individual best-of-breed. He also says 2007 was the year the first open source perimeter platforms hit. I like to think he is talking about Cobia. But 2008 will be an even bigger year for Cobia functionality! The bottom line, though, is that except for the Ferrari crowd, does anyone want to buy a stand-alone IPS? Mike says it best when he says, "Market maturity kills product innovation".

Yes, people buy UTM for one application at first. It could be firewall, it could be IPS or gateway AV, URL filtering or anti-spam. But they like the idea of getting more than what they just needed and paid for. They figure they are going to turn on the other stuff soon enough anyway. Plus they get it all from one vendor. So on this one, I have to agree with Mike. I think people will buy UTM over single-purpose security solutions in increasingly greater numbers in the months to come. Agree? Disagree? Leave a comment with your opinion.

February 08, 2008

Why didn't we think of this?

Saw a pretty funny video clip today over on the Hoff-miester's blog. It is a viral video from the folks over at Palo Alto Networks poking fun at Juniper and Check Point. Pay attention to the words, as it is good stuff. What could be next, Dancing with the Security Stars? I would like to see Amrit, Tom Ptacek and Mike Rothman (I hear he has been practicing dancing with his daughter for this) as the contestants.

Seriously, these videos are a great way to get some buzz going and I think Palo Alto has done a great job.  Count on Chris to find this stuff. Enjoy!

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views, positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.