174 posts categorized "General Security"

June 12, 2009

No magic bullet for database and server security? I’m shocked!

From the classic movie Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

This week’s winner of the Captain Renault award is none other than the folks over at Forrest-er Gump Research. Kelly Jackson Higgins has a report up on her Dark Reading column about the latest report from the Forrester guys. Can you really charge someone to tell them that? I am in the wrong business.

When are people going to learn there are no magic bullets, magic wands, security Santa Claus or Easter Bunny, for that matter? Nothing takes the place of best practices and layered security defenses. It doesn’t matter if you are virtualized, cloud-ized, local, remote, wired or wireless, there are no shortcuts.

Louie, this could be the start of a great friendship!


May 12, 2009

Reputation based service is great for stopping spam email, but does it help against targeted attacks?

I saw an interesting Google Alert in my mailbox today. Titled “Cybercriminals In The Cloud”, I thought it was going to be about how cybercriminals were now using cloud services to access confidential information. So I bit and found myself at a “welcome screen” from Forbes. Why call it a welcome screen? Let’s call it an ad page, as that is the only thing on there and you can watch the ad or click through. After clicking through I was greeted by an article by Charlotte Dunlop (nice picture Charlotte). The gist of the article was that the big thing at RSA was how top tier security vendors were going to use reputation services to make IDS/IPS, UTM and other technologies better able to stop the new, more sophisticated attacks that CIOs are dealing with.

I say poppycock! Yes, reputation services in the cloud are great for picking up IPs that have been used as spam homes or for spewing other malicious content, but in targeted attacks cybercriminals are smart enough to use fresh IPs, not ones that are already tainted. If these bad guys are smart enough to devise the techniques they do to break in, let’s not be naive enough to think that they are going to then go out and use the same old IP addresses to launch new targeted attacks. Reputation type defenses are great against mass market type activity, but for the targeted exploits that CIOs reading Forbes are worried about I don’t think it offers much hope. Sounds to me more like yet another person bought the security in the cloud story hook, line and sinker.


May 04, 2009

Lexis Nexis allowed cybercriminals to use its information for 3 years. I am shocked!

From the classic movie Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

The latest winner of the Captain Renault award is Lexis Nexis and its corporate sister, Choicepoint. It seems that cybercriminals were using their service for 3 years to obtain information that was used to obtain fraudulent credit cards. Then, to make matters worse, Lexis Nexis apparently asked for and received permission to wait 18 months to notify people whose information may have been compromised. This is of course not the first time that Choicepoint has been duped into giving out confidential data.

When are we going to put enough bite into the penalties so that these companies will take protecting this data seriously? How do they dare sit on this for 18 months to two years before notifying victims? This is the kind of stuff that makes politicians want to do something; it’s about time they did!


April 29, 2009

3-way battle royal for the data center

I was reading the news yesterday about IBM oem’ing Foundry/Brocade switches. Watching the machinations of companies vying for dominance in this space is like watching continental drift over geologic time periods. It seems the same old masses are in constant motion - combining, breaking up and recombining in infinite configurations. Cisco dominated the data center network infrastructure. HP had servers and storage. IBM competed with HP but dominated in services. HP buys EDS, competes with IBM in services. Cisco makes blade servers, competes with HP. HP heavily promotes its ProCurve line to compete with Cisco. IBM oem’s Foundry/Brocade, competes with HP and Cisco. Round and round she goes, where it stops nobody knows. Hey, what is Microsoft going to do? As much as it goes around, it seems at the end of the day it is the same old big giants that dominate and are constantly trying to steal each other’s cheese.

I do know that there are billions of dollars at stake. With stakes that high, it will be a fight to the finish. However, sooner or later equilibrium will set in. Every side will find its niche. I don’t think any of these guys are going out of business or anything. In the meantime it could create opportunity too for smaller vendors to run between the legs of these giants and deliver solutions that customers need. By the same token I am sure that this new jostling will lead to a new round of acquisitions as well. Same old same old in the tech business! The faces change, but the names stay the same!

April 02, 2009

Just what the security industry needs

So we all woke up today and the world was still here. In fact the market is even up as I write this. So was all of this Conficker stuff much ado about nothing? Maybe, maybe not, but it has certainly captured the imagination of the mainstream media and the public. More importantly it has given the security industry a much needed shot in the arm. I have not seen such buzz and working together in a long time. Kudos to Dan Kaminsky and my friend Rich Mogull for facilitating a lot of that.

A good old-fashioned worm is just what NAC was designed to stop. This could turn out to be a really big boost for NAC vendors. Alas, it may come too late for some. I heard yesterday about yet another round of RIFs at a NAC vendor based up in the Northeast.

Here is a roundup of some other security industry – Conficker news:

1. eEye back to their old ways – Remember when eEye would always release a free scan for whatever the fear du jour was? I haven’t seen them do that in years. But they released a free test for Conficker yesterday. I wonder how many people will download it. Ross Brown used to tell us; not sure if we will find out now, but it was nostalgic to see.

2. McAfee fails the Conficker test. Good blog on ZDNet by Ed Bott on what McAfee did wrong with Conficker. I don’t see where their NAC can do anything about it.

3. Bill Brenner applauds the industry. Bill has a good article up on CIO Online commending the whole industry for not overreacting to Conficker and acting reasonably for a change.

In other news:

4. Symantec dealing with its own security incident. Oh the irony! What does it say when your security company loses the credit card numbers? Tsk, tsk.

5. Please tell me you’re just stupid. This article in the SDTimes by David N. Kleidermacher asks if the lack of coding more secure apps and OSes, as well as of adopting better security practices, is the result of apathy or ignorance. Probably a little of both. But I think most of it comes down to coin operation. Put the incentives in place and people will do things more securely.

That’s it for now, have a great day!


March 05, 2009

What's so funny about working in the channel?

Today’s lesson comes courtesy of my friend JJ. For those who don’t know, JJ was born and raised around her parents’ integrator business down in North Carolina. Yesterday JJ sent out this very funny video she found based on the “what do I want to be when I grow up” theme. There is some mildly offensive language that I doubt any of you will mind. While watching, though, remember that for most of us, vendor or user, the integrator, VAR, channel partner is the key distribution and delivery vehicle that is responsible for much of our security and IT in general.

I have some other good articles below, so be sure to continue on after the video. Have a good day!


Browser Wars continued? – Couple of articles today about browser security wars. And here I thought the browser wars ended when Marc Andreessen left Netscape! First, Brian Krebs has a good article about a report from Secunia. The report details two metrics. One is how many security flaws were reported and fixed over the past year. The second, and as Brian points out much more important, metric was how long on average it took to fix them. On the first metric, believe it or not, Mozilla far outpaced other browsers in the number of vulnerabilities fixed, with over 100. This was like 4 times more than IE, for example. But again, as Brian says, the key thing was that Mozilla fixed their holes on average in 43 days versus over 100 days for the Redmond team. Me, I think these are both too much. Of course I want to see fewer vulnerabilities found, but that is a pipe dream. Quicker response times are the key and I would like to see them both under 30 days!

Browser Wars continued, part 2 – A new version of the Opera browser was released to address some security flaws. Who cares? Between IE, Firefox, Safari and Chrome, all being free, is there any room for another browser? If there is, how does Opera make enough money to keep the lights on against these competitors that give it away?

Cisco discovers SaaS for email security – where is the innovation? – The Cisco marketing machine was out in all of its super heavyweight force this week with the announcement that its IronPort email security division was rolling out a hybrid SaaS model. Even I got spammed by the PR folks. While I think it is noteworthy that even Cisco is joining the SaaS/managed security market, I have to agree with Eric Ogren (who I rarely agree with): what is so unique about this offering? Is there anything that Google/Postini doesn’t offer? For that matter, is there anything that Symantec or Websense or any number of other vendors don’t offer? Doesn’t look like it. I also had a thought about all of those Cisco powered MSPs out there. How do they feel about Cisco going into direct competition with them? It’s bad enough that most Cisco partners would cut each other’s throats for an extra 2 or 3 points; how do they compete with Cisco itself in offering managed email security?

A new Mogull? A very big shout out to Rich and his wife and new daughter. Congratulations! Anyway, that is it today. It’s almost 7am and I have a full day of meetings before flying home Fll. Have a great day!


February 25, 2009

Spring is in the air

I know you may not be feeling this way depending on where you live, but Spring is in the air. How do I know? Easy, my anniversary has just passed. For the 19 years I have been married, I have known that once my anniversary is over it will soon be Spring. Sort of my own bird-like instinct maybe. When we were first married we used to go to Maui every year for our anniversary. It is always Spring in Maui, but by the time we would come home in early March, Spring was certainly on the way. Of course with the kids we don’t get to Maui much, but I watched a pre-season baseball game today; what more proof do you need than that?

So what does Spring have to do with anything? Spring represents a rebirth. I think we need a rebirth. We need to stop dwelling on the negative and start making our own luck and our own positives! To quote a greater thinker than I, “we have nothing to fear but fear itself”. So take my word for it, Spring is on the way. Start thinking about how you are going to break out of the winter/economy doldrums and attack your job, your life and your problems head on.

Good luck with that!

  1. Mike Rothman gave me a nice shout out yesterday in his blog about copying his format. Besides thanking Mike, I want to say that I am thinking of this as just doing a few short blog/comments in one post. I will of course add my own Shimmy schtick to it, but I like it. I will still do full posts when I see something I want to talk about. I am interested, though, whether you readers like this type of blogging. Let me know.
  2. The law of conservation of energy – Adrian Lane over on Securosis has a nice commentary up on the recent Symantec/Ponemon FUD that employees leaving their employment are taking IP and confidential data with them and that this number has gone up drastically. As Adrian points out, no crap Sherlock! With all of the people being laid off, there are certainly more people leaving work. The real issue, though, is how many of these people are actually doing anything with this information. It reminded me of studying science with my oldest son Landon. The law of conservation of energy says that the amount of energy doesn’t change, just the form does. So really this is a potential threat, like potential energy. It remains to be seen if it will translate into anything more than that. Adrian says no; I say desperate people do desperate things.
  3. Dead men walking – While reading this story about Nortel laying off another 3200 people today I was reminded of a potential customer call I was on a while back for NAC. They were also looking at Nortel’s NAC solution and the CIO was telling me how good he felt dealing with a company Nortel’s size and the stability it offered over StillSecure. My how the mighty have fallen!
  4. It’s not a product, it’s a feature – Hoff loves to spout that one. I was reminded of the same thing today reading the article in Computer World by Mark Everett Hall that SaaS is not a market, just another channel. I actually agree with that statement and it is one of the driving forces behind StillSecure’s recent ProtectPoint acquisition. While many folks, including Rothman, question an organization’s ability to sell service and product, I view the service offering as just another distribution channel. Customers can buy our products as a hardware appliance, software or as a service. I think long term that view of SaaS is going to be proven correct.
  5. Firewall tools – I recorded a great podcast earlier this week with Secure Passage CTO Jody Brazil. Jody is the former CTO of Fishnet, and Secure Passage was originally spun out from Fishnet with the Firemon product. It is totally independent of FishNet now and is coming out of stealth mode. My recording equipment messed up and I am waiting on Mitchell to send me his file to edit. In the meantime Brian Prince of eWeek has a good interview with Jody. My view on this one is that PCI is totally driving this market. The issue is whether it will be a victim of its own success. If it becomes big enough, the firewall vendors will do a better job of packaging management tools with the firewalls and the 3rd party tools will find it hard to compete. But who knows, maybe they get bought out by then.

February 24, 2009

Shimel's daily incite

My friend Mike doesn’t get a chance to do his daily incite as much. I know he says that he gets 30% more readers when he just does a rant on a single topic, but everyone I speak to misses his round up of what’s news in security with his two cents thrown in. So here is my daily incite. We will see how this goes before committing to doing more of it.

Have a good day!

[Ad: The Pragmatic CSO, available now. Read the intro and get "5 Tips to be a Better CSO" at www.pragmaticcso.com]

How can I do a daily incite without pushing the Pragmatic CSO? There, hope everyone feels better!

  1. Big Fix offers 50% off – John Dunn at Network World reports that Big Fix is offering up to a 50% discount to customers who switch to the Big Fix patch management system from a competitor when it is time to re-up. There is some other fine print with the deal (3yr commitment, only seats being replaced, etc.) but the bottom line is Dave Robbins and Amrit and gang are trying to use the current economy to grab some market share solely on price. Yeah, it is a bit of a marketing thing and the competition will match it, but then the customer wins. StillSecure did a similar thing with our 50% off Strata Guard deal.
  2. Tim Greene predicts the future looking at the entrails of dead NAC companies. Tim makes a connection that since StillSecure bought ProtectPoint to get into MSSP and Trustwave took out Mirage, there must be money in NAC. While Tim may ultimately be right, I don’t think today there is significant revenue in fully managed NAC. According to the article Mirage derived 30% of their business from managed service. I question how much 30% actually was, though. Doing managed NAC is not as easy as it sounds. The MSSP will have to have access to the network infrastructure as well as the NAC solution. Stay tuned for more details on that one.
  3. Say goodbye to FISMA? As I ranted on yesterday, FISMA has become the poster child for all that is wrong with compliance for compliance’s sake alone. Yesterday a group with lots of support from the DoD, Mitre and SANS released the Consensus Audit Guidelines. You can get details on the SANS site here on the 20 critical controls. These look to me like the kind of common sense real security policies that will make a difference in the security of networks and not drown us all in paperwork without making us more secure. I sure would like to see this get adopted more widely.
  4. Security company hackers speak up. Softpedia has an interview with the Romanian hacker group that broke into several security company web sites including Kaspersky, F-Secure, Symantec, etc. Personally I don’t care what they have to say. I think giving these guys any play is akin to negotiating with terrorists. What they did was illegal and wrong and they should not benefit from it.

There you have it. Shimel’s daily incite. Good day Mike Rothman, no matter where you are ;-)

February 13, 2009

GSN magazine article on phishing as part of security audits

As I think I mentioned earlier, I have been doing some columns over at Government Security News magazine on security. GSN is an excellent resource for timely information and not just for public sector employees. They have some great newsletters as well. Anyway, this week’s column deals with a recent admission by the Department of Justice that they sent out their own phishing emails to DoJ employees.

Though some employees and others thought it “unjust” (pun intended), this was no more than good security awareness and testing. Any 3rd party auditor worth their salt is going to try some social engineering type of exercise to probe for weakness. I think it would be good for internal security departments to do this type of thing in the commercial sector as well.


February 10, 2009

Rothman appeals to the baser instincts in security pros

It’s been way too long since I got into it with my friend Mike Rothman. Frankly, since he became a vendor again I have been going easy on him, even though there were a few times I was tempted to write a thing or two about what he wrote. Lately Mike has moved from reporting on the news with his own view thrown in to ranting about whatever topic tickles his fancy. Personally, I like it better when Mike reports on the news instead of trying to make the news.

Today Mike tells us that for the security practitioner, desperate times call for desperate measures. Forget trying to sell the value of security. Forget showing the positives in having a security environment. Mike says his years and years of being in the security industry fighting that fight were ineffective. Fall back to good old-fashioned FUD. Plain and simple, sell fear. Whatever happened to “when the going gets tough, the tough get going”? What about “the only thing we have to fear is fear itself”? Come on Mike, say it ain’t so. Have a few months of being back in the vendor world turned you into a FUD whore?

Mike makes the point that the life insurance companies have been selling FUD forever and are much smoother at it than security folks. He is right, the life insurance industry is much smoother at it. Then again, so is the car insurance industry. The key is they have a velvet glove over the fist. They also sell their advantage over other insurance companies: better service, cheaper price, more stability. Security professionals need to “sell” the necessity of security. This has been true in good times and bad. The lowest common denominator is FUD. But the really successful security folks will rise up above the FUD and deliver a message of value, wrapping the velvet glove around the fist. Mike, with all of your experience I am surprised you would advocate bag diving so quickly!

To make matters worse, I commented on Mike’s blog about this and he responded with a particularly vindictive retort about it always being all about me anyway. I guess Mike was having a bad day selling SIEM. Anyway, how is one supposed to know that you are not talking about security vendors in your incite piece, Mike? I see you didn’t miss the chance to mention that you also blog on the eIQ blog as well about “business issues”. Yes, you have made that clear by the many links back to the eIQ blog over the last several weeks. But then again my friend, it is never all about YOU, or is it ;-)

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
