148 posts categorized "General Security"

June 25, 2008

Sybase aims to be your mobile phone security vendor

In a blast from the past, Sybase is aiming to be your mobile phone security provider. According to this article in Information Week, the Afaria security line from Sybase's iAnywhere division already provides device authentication and encryption and will now add anti-virus and firewall capabilities.

I was glad to see the Sybase name in the article.  I have fond memories of Sybase on Sun servers from my early web hosting days.  It is also good to see a new competitor in the mobile phone business. Let's see if Sybase gives the McAfees, Symantecs, etc. a run for their money. Or, who knows, maybe another not-yet-heard-from name will come out to dominate the mobile phone market.

I was also unaware that there are over 500 viruses that target mobile phones.  With Sybase covering Windows Mobile, Symbian (they just went open source), Blackberry and more, even the Apple iPhone appears to be covered.  Though overall I still think this is an immature market, it will be interesting to see who steps up.


June 23, 2008

Is that black box technology?

Dr Anton has a short, to-the-point post up about a conversation he had with someone recently. They bought a "security appliance" (and I use that term loosely) that is just off-the-shelf hardware with Linux/BSD and some security software. The vendor, however, refuses to give the customer who bought the frigging box the root password! The root password is shared among the vendor's support people only!

Dr Anton wants to know if somebody is insane. I am afraid the answer is yes. Too many vendors do this to add a layer of mystique to their "black box, purpose built" schtick. Give me a break. If you buy a box and you can't have the root password to it, either give it back or use it as a flowerpot!

June 15, 2008

Are we going to need TSA backdoors to encryption

I was reading an article in Information Week tonight about a case going to the 9th Circuit Court of Appeals about the government's right to search, seize and copy laptops and other electronic devices at our borders.  Two groups that don't often find themselves on the same side of issues, the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives (ACTE), have filed briefs with the court asking it to strike down a lower court's ruling that granted the government these broad powers to confiscate laptops.

As the article points out, here in the US there was quite an uproar about China "slurping" laptops from people traveling there, but we seem to think it is OK for our government to do it.  Well, at least our government is telling people they are doing it.  What they are not telling us is what they are doing with the data after they search or copy it.  How do we know that data which is no US security matter, but is nevertheless confidential, is being secured and/or destroyed promptly?  The government telling us "trust me" just doesn't cut it.

However, I think technology is going to pose a bigger problem for the government regardless of whether the court upholds the government's position. I think any terrorist or other bad guy would never have confidential data on their laptop that is not encrypted.  In fact, with full disk encryption coming to the masses from the likes of McAfee and others, what will the government do?  Sure, they can take the encrypted data to the NSA and let them brute force the keys, but that sounds impractical.  Perhaps the TSA will demand that encryption vendors put in a back door or secret key that will allow the TSA to decrypt the data, similar to what they do with the special luggage locks now.

I know what they can do. Perhaps they can go back to Checkpoint and find out for sure about those back doors that they always suspected were in their software and see if they are there for sure. If so, the government can appoint Checkpoint the official encryption vendor for laptops ;-)  Just kidding of course, but really guys.  What self-respecting bad guy is not going to encrypt their data knowing the government has a right to search their laptop?  I think it makes this whole case much ado about nothing.


June 09, 2008

Monday Potpourri

There are some days where nothing strikes me as interesting enough to blog.  Then there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts' expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals, it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company, and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

Author's note: Dr. Jan Hruska, co-founder of Sophos, wrote me offline and gave me permission to publish this comment:

In October last year we prepared for a float on the London Stock Exchange. As a part of the exercise we had analysts from the three sponsor banks produce their projections for revenue etc. for the next three years. We did better than their projections for 2007/08.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and, along with the Mac, represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to twitter and report and to "be there".

Larry is right, though, that Apple has to balance being too iPhone and iPod crazy against the risk of ignoring the "real" platform here, the Mac.  His example about PGP developing a Mac version is a great point.  I have heard of many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

[image: PGP for Mac]

But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple: 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about the type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.


June 04, 2008

Fly through airport security with Clear, but you don't have less security

A couple of weeks ago I was offered a free year's membership in the Clear airport security program for registered travelers.  Though my home airports of Ft Lauderdale and West Palm Beach don't yet offer Clear access, I fly enough through airports that do, like Denver and Reagan, that I thought: for free, what do I have to lose?  I filled out the forms online and the last time I was in Reagan airport I handed it in along with fingerprints, iris scans, passport, etc.  This past week my Clear card came in the mail and I have been looking forward to using it.

I thought that with my background check and all, they knew that I was a low risk for terrorist or other types of activity and therefore I would not be subject to the same scrutiny and testing that we all endure when we have to fly.  Turns out that I don't think that is exactly the case.  However, what it does do is allow you to go right to the front of the line in security, much to the dismay of others waiting on those lines.

The experience was great.  I went to a special entrance for Clear members where I was met by a very helpful young lady.  She escorted me to a Clear machine where we inserted my card and did a fingerprint scan.  After that was done she escorted me to another young lady who walked me past all of the people waiting on line (and a long line it was).  At the head of the line, the Clear lady gave my boarding pass and ID to the TSA person.  The TSA person checked my ID and pass, same as always, and they passed me through.  Then my Clear escort brought me to a special metal detector line which had no one on it, just waiting for me.  Again skipping another line.  I put my computer and other metal objects in the same old grey bin, took off my shoes and went through the metal detector.  I thanked the Clear escort, came out the other side, scooped up my stuff and proceeded to my gate.  The entire process took less than 3 minutes, I bet!  That was great!  The looks on the faces of the people I bypassed on line also gave me a perverse pleasure, I will admit.

After finishing this, though, I sat down and thought about it.  What security did I bypass?  They still checked my ID and boarding pass. I still went through the metal detector and took off my shoes.  In fact, if anything, security was added to my check-in, as they now did a fingerprint match.  So the fact is, with all of the background checks and everything, having the Clear program did not relieve me of any security obligations and tests. In fact it added to them.  What it did give me was a "first class" personal escort to the front of the line and then a first class queue for the metal detectors.  Because I was willing to pay some money and have a background search, I got the first class treatment.

To me this is not a scalable solution.  As more Clear passengers come on board, having a dedicated person walking me through the security line is just not going to work.  Also, let's be clear (no pun intended), this is not about going through less security.  Why the background check and all?  This is about paying money and skipping the line, but still going through the same security procedures that everyone else goes through.  Just faster.  Hey, don't get me wrong.  I loved it!  But I was wrong to think this was about bypassing security; this is a "first class" traveler lane.  As long as you are "clear" with that, it is good by me!

June 03, 2008

Security - Passive versus active response

Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel.  The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.  Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.  It was good to run into a number of StillSecure customers here at the show.  Even though we did not exhibit, our presence was felt in several of the tracks discussing security solution areas that we offer products in.

While at the show I had a chance to catch up with several other security vendors.  One fellow I spoke to was Phil Neray of Guardium.  Guardium is best known for providing database security to many of the largest financial institutions and other large companies.  They recently announced a major new release of their flagship product with something they call "S-GATE". I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations. 

For me, the active versus passive mode of security is one that transcends different layers of security.  Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting versus NAC testing and blocking access, or now database access, ultimately security follows a similar route. First comes the ability to actually detect.  Oftentimes the ability to detect is a major step up from what was available before.  The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.

This active blocking mode, though, is often not as readily accepted at first by the market.  Everyone is always afraid of blocking the wrong user, the wrong email message or other request.  I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.  This has been true in every security technology I have seen.  Eventually active response does win out, but it takes time and there are always doubters.  It will be interesting to see if what Guardium has done here is viewed with the same suspicions at first and then catches on, or not.  We will have to watch.
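The detect-then-prevent progression described above, and the fear of blocking the wrong user, can be made concrete with a small policy engine that runs the same rules in a passive "detect" mode and an active "prevent" mode. This is an added example, not code from the original post or from Guardium's product; the rules, the access-event format and the sample trace are all constructed for illustration. The dry-run function replays a trace in detect mode and reports which accesses, already reviewed as legitimate, enforcement would have stopped, which is exactly the number the doubters ask for before a switch is flipped to blocking.

```python
"""Monitor-first, then enforce: the same rules in alert mode and in block mode.

Added example, not code from the original post or from any vendor. The rules,
the event format and the sample access trace below are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Access:
    """One database access as a monitoring agent might see it."""
    user: str
    src_host: str
    table: str
    rows: int


@dataclass
class Decision:
    action: str                     # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


# Constructed policy: which accounts may touch sensitive tables, and from where.
SENSITIVE = {"customers", "cards"}
APP_HOSTS = {"app01", "app02"}
RULES = [
    ("app account used from a non-app host",
     lambda a: a.user == "webapp" and a.src_host not in APP_HOSTS),
    ("bulk read of a sensitive table",
     lambda a: a.table in SENSITIVE and a.rows > 1000),
    ("direct sensitive-table access by a personal account",
     lambda a: a.table in SENSITIVE and a.user not in {"webapp", "batch"}),
]


def evaluate(access, mode):
    """mode="detect" only reports a match; mode="prevent" turns it into a block."""
    reasons = [name for name, match in RULES if match(access)]
    if not reasons:
        return Decision("allow")
    return Decision("block" if mode == "prevent" else "alert", reasons)


def dry_run(trace, known_good):
    """Replay a trace in detect mode and split what prevent mode would block
    into accesses reviewed as legitimate versus the rest. The first list is
    the tuning work to do before enforcement is switched on."""
    would_block_legit, would_block_bad = [], []
    for access in trace:
        decision = evaluate(access, "detect")
        if decision.action == "alert":
            bucket = would_block_legit if access in known_good else would_block_bad
            bucket.append((access, decision.reasons))
    return would_block_legit, would_block_bad


# Constructed sample trace (not real data).
TRACE = [
    Access("webapp", "app01", "customers", 20),       # normal application traffic
    Access("webapp", "laptop-17", "customers", 20),   # app credentials used from a laptop
    Access("batch", "etl01", "customers", 50000),     # nightly export: legitimate but bulk
    Access("jsmith", "laptop-03", "cards", 5000),     # personal account pulling card data
    Access("jsmith", "laptop-03", "orders", 10),      # harmless
]
# Events an analyst has already reviewed as legitimate.
KNOWN_GOOD = {TRACE[0], TRACE[2], TRACE[4]}

if __name__ == "__main__":
    legit, bad = dry_run(TRACE, KNOWN_GOOD)
    print(f"prevent mode would block {len(bad)} suspicious and {len(legit)} legitimate accesses")
    for access, reasons in legit:
        print("  tune before enforcing:", access, reasons)
```

Running the dry run on the sample trace shows the bulk-read rule would have blocked the nightly export as well as the two genuinely suspicious accesses, which is the kind of finding that gets a rule scoped down (here, an exemption for the batch account) before anyone flips the mode to prevent.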

May 29, 2008

Do you have an example for FUD Watch?

My friend Bill Brenner has landed as Senior Editor at CSOonline.com. His latest article introduces something called FUD Watch. Bill has had enough of his mailbox being full of every chicken little saying the sky is falling with the latest security threat. He gives one of many examples but is asking for others. An obvious one is the recent Symantec call for everyone to stop using Flash. Then today it retracted, saying that in fact the latest version of Flash was not vulnerable.

Do you have a good example of FUD? If so you can share it with Bill at bbrenner@cxo.com. In the meantime, we will be watching for some continued good stuff from Bill.

May 23, 2008

No one ever gets fired for buying Cisco ...

... but I am not sure anyone ever gets promoted either. Andy IT Guy had a good article up today called "You can use any vendor you want as long as it's Cisco", that talks about people who choose a Cisco solution without really considering if it is the best solution for their own unique needs. Andy was inspired by an article by John Maxwell talking about Henry Ford's reluctance to build any car that was not black. This refusal to change ultimately cost Ford business. Andy has some great quotes in the article; here are a few:

1. Evaluate them and make a choice based on what works best for you. If you don't answer these questions and just pick a solution based on who the vendor is, what it cost, it's the "industry standard", or how easy it is to deploy and maintain then you are not solving a problem, you're just wasting money.

2. It's our job and responsibility to make decisions based on what is best for the company. ... Just because it's considered 'industry standard' or it's made by a big company doesn't mean it's good for us.

and perhaps best of all:

3. So if you've fallen into this trap step back and take a long, hard look at your selection process and refine it to best meet your needs. If it turns out that you still choose Cisco or whoever you would have chosen by "default" then that's great. However, if you discover that there are other vendors who can meet your needs better then you have a feather to put in your hat.


Amen, Andy! I wish that more people would have the insight to practice this. But the fact is that picking Cisco or IBM or what have you is the easy, no-risk choice. However, I also believe that picking the "safe choice" will come back to bite you now and again. I don't think it shows any initiative or concern about doing what is best for your company. I think the fast track to promotion and success is not choosing what the safe bet is, but what is the best bet for your needs.

May 12, 2008

The hackers that couldn't code straight

Had to laugh reading this story about the three men charged with hacking and installing a packet sniffer at several Dave and Buster's restaurants across the US. The scam did result in hundreds of thousands of dollars of fraudulent bank card charges. However, the packet sniffer software was so buggy that when it was first installed at the first Dave and Buster's, it did not even work and captured no credit card data.  The next version of the program worked a little better, but it seems the criminals had to continually go back to the restaurants and restart the program when it hung up!

I don't know what is more disgusting: the lack of quality of the sniffer program or the apparent lack of any security at all by the folks running the restaurants.  In any event I see a bright future for the outsourcing of hacking programs to people who can do a better job than this Apple Dumpling Gang.

April 23, 2008

An old/new kind of cybercrime/cybercriminal

I was reading Ellen Messmer's report today about the security incident over at Lending Tree. Yeah, I know, another information-breach-by-insiders case, BFD.  But I think there is something different about this one.  From what I am reading this is more a case of corporate espionage than the usual hackers-for-fraud-and-financial-gain type of deal.  For a long time now we have been hearing from people like Bruce Schneier, in this article, talk about the front in security moving from dealing with script kiddies working for kicks to organized cybercriminal gangs that are in it for financial gain. Mostly the gain is about identity theft and gaining access to funds fraudulently.

In the Lending Tree case, though, there was evidently no motive to use the ill-gotten information for identity theft or fraud.  Rather, it represented Glengarry Glen Ross leads.  That is, the names, contacts and qualifications of people looking for mortgages.  A mortgage company would consider these leads more valuable than gold, more valuable even than gasoline!  So to my mind this is more a case of corporate espionage where a company that is competitive to Lending Tree infiltrated their networks through people, rather than technology, to gain access to their corporate crown jewels.

This sort of stealing your competitors' information has been going on for decades, well before computers and cybercrime were around.  However, this is a great example of some things not going out of style.  Obtaining your competitors' information is a great motive; computers are just the container where the information is kept.  Sort of like cracking a safe.  It is always easier getting into a safe if you are given the combination than if you have to crack it yourself.

Yet another front in the cybercrime war that security folks need to be on guard for!

April 08, 2008

Social engineering at Macys

So without my luggage I had to do something about clothes for my presentation at the Americas Growth Capital conference today. Wearing Levis jeans with a t-shirt and sneakers was just not going to cut it.  I waited until 10am (with still no word on when my luggage would show up, thanks Delta!) and then walked over to Macys, a few blocks from my hotel.  I went to the men's department and picked out a nice shirt (on the clearance rack), a matching tie (clearance too), underwear, socks and casual shoes.  I could not get pants that would fit.  Though I have lost a lot of weight, I am still one pants size too big for off the shelf at the likes of Macys.

When I went to the cashier to pay they asked me how I would like to pay.  I explained to them that I had lost my luggage and had to make a presentation.  I told them my wife had a Macys account and I would like to use that.  I didn't have her charge card and I am not an authorized user of the card.  I then gave them Bonnie's Macys charge card number and our zip code and they charged my whole purchase!  I am sure that somewhere, PCI or not, this is not kosher.  Anyone with the account number and zip code could have done this.

Now, maybe they liked my story and I have an honest face.  Frankly, I am glad they did as it helped me get my clothes.  However, it just doesn't feel right and shows you that even with PCI and everything else in place, you can still abuse credit cards.

March 11, 2008

Competitors OEM'ing the same product

Read an interesting article by Sean Michael Kerner today in eSecurityplanet.com.  Sean talks about the fact that both Juniper and Nortel are OEM'ing Q1's Radar product to help them compete against Cisco's MARS solution.  Of course Juniper and Nortel compete against each other, and the logical question is how they can compete against each other with both offering an OEM of the same product.  I thought the answers by both the Juniper and Nortel folks were great and show the strength of an OEM strategy, much like we have pursued here at StillSecure.

Sean says that technology vendors who need to fill a need in their product line can build, buy or partner to fill that need.  That is right on.  But as Sanjay Kapoor at Juniper points out, Juniper takes the Q1 product as a starting point and builds functionality on top of that.  Nortel's Shmulik Nehama makes another point about competitors OEM'ing the same product when he says, "... this validates our choice of technology and choice of partner".  A great point.  If one of your competitors has vetted the solution and picked it over the competition, there is probably a good reason they did so. If your own analysis shows that this solution is superior, you should not "settle" for second best because a competitor is using it as well.  I think you look at how you can add value over and above the base solution.  If you are going to compete with Cisco, you are going to need the best product you can have.  Not choosing the best product because someone else has it is just not a smart move!

At StillSecure we have OEM partners in the same situation and they have arrived at the same conclusion.  Of course we have had some folks who did not OEM our solutions because of this, but at the end of the day, they wind up with a solution that is at best second rate.  Moral of the story, pick the best product you can.

March 04, 2008

SNMP - It's not Secure Network Management Protocol

As I have written before, I always laugh when I remember speaking to a potential NAC customer who had recently met with a NAC competitor of ours.  We got around to discussing enforcement options and the customer was hell bent on using SNMP to have his switches enforce access policies.  I explained to him that since he had switches from at least 3 different vendors and different models of switches from each of those vendors, the idea of scripting each of those switches and then updating each of them every time there was a change was a lot of work. He understood that but was willing to put up with the extra work for the added security that SNMP afforded him over 802.1x.  Amazed, I informed him that SNMP is not usually thought of as very secure and that 802.1x, while not perfect, had many advantages in terms of security over SNMP.  Then the kicker! The prospect told me I must be mistaken; after all, SNMP stood for Secure Networking Management Protocol, didn't it?  When I stopped laughing I asked him where he heard that.  He told me that the NAC vendor he spoke to before me told him that and touted how by using SNMP he was getting the most secure method of NAC.  After all, SNMP was designed for security!  Well, after some quick Google searching, he quickly found out that the other NAC vendor was feeding him a line, and it made me and StillSecure golden in his eyes.

I never forget that story and am reminded of it every time I read about a security hole around SNMP. This week came two reports of SNMP vulnerabilities in DarkReading.  One by Kelly Jackson Higgins details a report that researchers doing a simple SNMP scan over the Internet turned up over 5000 devices that reported back with names, models and even patch levels.  The devices were not off brands either, but Cisco, Apple and Microsoft devices.  This underscores how leaky SNMP can be if you don't lock it down right.

This report came on the heels of an earlier report by Kelly that researchers had discovered a new attack vector of using SNMP in a persistent XSS attack.  Just another reason to lock down your SNMP-capable equipment. By the way, for those of you wondering, SNMP stands for Simple Network Management Protocol.
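"Lock it down right" mostly comes down to a handful of agent settings: no default community strings, no community that answers any source address, no v1/v2c write access, and SNMPv3 with authentication and encryption where the gear supports it. The script below is an added example, not code from the original post, that audits a net-snmp style snmpd.conf for exactly those points. It assumes net-snmp's directive syntax (rocommunity/rwcommunity for v1/v2c, rouser/rwuser for v3, view definitions) and runs over two constructed sample configs: the "it just works" one that would have answered the Internet-wide scan described above, and a locked-down one beside it.

```python
"""Audit an snmpd.conf for settings that let SNMP leak or accept writes.

Added example, not code from the original post. Assumes net-snmp's snmpd.conf
directive syntax; both sample configs below are constructed for illustration.
"""
import ipaddress

# Community strings that ship as defaults or appear on every scanner's list.
DEFAULT_COMMUNITIES = {"public", "private", "community", "admin", "secret"}

# Constructed sample: the kind of config that answers anyone who asks.
WEAK_CONF = """\
# v1/v2c read-only access for everyone, default community string
rocommunity public
# v1/v2c read-write, restricted to one subnet but still the default string
rwcommunity private 10.0.0.0/8
"""

# Constructed sample: SNMPv3 authPriv, read-only, scoped to one view; the
# remaining v2c community is non-default and limited to a single NMS host.
HARDENED_CONF = """\
view systemonly included .1.3.6.1.2.1.1
rouser monitor priv -V systemonly
rocommunity Xq9v-monitor-2008 192.0.2.10/32
"""


def parse(conf):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()   # simplification: '#' starts a comment anywhere
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def _is_single_host(source):
    """True only if SOURCE is one address (or a /32, /128); hostnames count as unknown."""
    try:
        return ipaddress.ip_network(source, strict=False).num_addresses == 1
    except ValueError:
        return False


def audit(conf):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    for directive, args in parse(conf):
        if directive in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            community = args[0] if args else ""
            source = args[1] if len(args) > 1 else "default"   # net-snmp: no source = anywhere
            writable = directive.startswith("rw")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", f"{directive}: default community string {community!r}"))
            if source == "default":
                findings.append(("HIGH" if writable else "MEDIUM",
                                 f"{directive}: community {community!r} accepts queries from any source"))
            elif not _is_single_host(source):
                findings.append(("LOW", f"{directive}: community {community!r} source {source} is not a single host"))
            if writable:
                findings.append(("MEDIUM", f"{directive}: v1/v2c write access is unauthenticated and unencrypted; prefer SNMPv3 rwuser"))
        elif directive in ("rouser", "rwuser"):
            level = args[1] if len(args) > 1 else "auth"       # net-snmp default minimum level
            if level != "priv":
                findings.append(("MEDIUM", f"{directive} {args[0]}: security level {level!r}, queries are not encrypted"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit(conf) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

The weak config produces five findings (two default community strings, an open read-only source, a plaintext write community and a /8 write source); the hardened one produces none. On switches and appliances that only expose a vendor CLI the same checklist applies, just without a file to parse: confirm the community strings, the access lists bound to them, and whether v3 authPriv is on.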

February 27, 2008

SaaS and data security - here is the rub

One of the knocks against outsourcing applications and storage has always been control, or rather the lack of it.  Whether I am referring back to my Interliant days where we stored customers' Lotus Notes and PeopleSoft financials data, or Qualys storing their customers' vulnerability data, or, as Douglas Schweitzer over at ComputerWorld points out, Google's plan to pilot a program with the world renowned Cleveland Clinic to store patients' medical records online, the idea of confidential, sensitive data being out of your direct and sole control scares many people. Never mind that the data may be more secure with the controls these SaaS providers put in place than it would be in your own location.  There is just something about the concept that deep down instinctively turns people off.

To be fair, the SaaS industry has done many things to overcome this bias.  Third-party audits of security procedures have helped.  Also, having the data encrypted with only you holding the key helps get many people comfortable.  In fact over the last few years, I think on the whole we are seeing more and more IT and risk management departments getting comfortable with outsourcing their applications and the storage of this sensitive data. There are still some last bastions of holdouts, such as the US government with vulnerability data.  But as I say, by and large it is much more acceptable.  However, every time we take this paradigm to another market, such as confidential medical data, the whispers and old doubts surface again.  I think if we are truly going to see the Google Apps or Microsoft Live office stuff really take off, people are going to have to get over this phobia.  Whether they do or not will go a long way towards determining if this is just a passing fad or the long-term future of the software industry.

February 13, 2008

How do you spell R-E-L-I-E-F?

In the case of the 3Com-Bain-Huawei merger it is spelled "sell Tipping Point". As has been widely reported since this deal was announced, the fact that a Chinese company would own a substantial stake in an IPS/security vendor has caused significant heartburn within the Federal Government. This same issue kept Sourcefire from being acquired by Checkpoint (I bet that 200+ million looks good right about now).  Today's article in the Washington Times indicates that Bain has officially notified the Treasury Department of its mitigation proposals, including the selling off of Tipping Point.

In my mind the question is: Will that be enough?  Is it only the Tipping Point stuff that causes the issue?  Does 3Com have other sensitive technology?  I don't know, but I am sure the recent arrest of 4 Chinese people on espionage-type charges did not help the Bain position. Also, do you spin Tipping Point off as a public entity? If not, do you find an acceptable buyer?  Does the fact that the buyer would have to be a US-based company decrease the potential buyer pool, making Tipping Point less valuable?  All of these are great questions that are going to need answers before this deal is finalized.  In the meantime, is being in M&A limbo taking its toll on 3Com?  Questions, questions, questions, but I don't have the answers.

December 11, 2007

Cisco's security triple play

McAfee has been making hay lately with their "triple play" promotions. But the biggest security vendor out there has recently announced a triple play themselves.  I am referring to Cisco of course.  In the past few weeks Cisco has made several announcements that show they are serious about keeping competitive, if not best-of-breed, in security. But having best-of-breed is not necessary when you are Cisco. When you control 75+% of the networking market, like Joe Namath said, "if you got it, flaunt it". However, when you take a close look at these announcements and the products they tout, we see it is more of the same from Cisco: trying to play catch-up to other security vendors and driving more into the switch box to leverage their advantage. Let's have a look.

First up is the Cisco IPS 4270.  This is touted as a 4 Gbps IPS for certain types of media traffic.  For more conventional data, it does packet inspection at 2 Gbps.  While not as high as the highest rated boxes from ISS/IBM, Tipping Point, McAfee, Sourcefire, etc., it does move Cisco into the multi-gig IPS space.  I am not sure if those "boys with toys" types who go in for these Ferrari IPSs will be satisfied with less than the highest throughput vehicle, though.  In the meantime I am sure there will be plenty of Cisco shops who will be only too happy to fork over the bucks for this baby (has anyone been able to get a price on it?).  Besides speed, though, I have always heard that Cisco's IPS is a beast to use and is not updated very often.  I don't care how fast it goes; if they have not addressed these issues, who cares about how fast it is? It will be just another useless piece of Cisco gear. I have seen more companies than I can count who paid for Cisco IPS (or they think they got it for free with their network buy, but somewhere along the line they paid) and have the boxes not even plugged in, as they use something else.

I have a bigger issue here that I would like to draw attention to, though.  That is, what can we do to stop the BS around speed ratings in IPS?  Doing 4 Gbps on only certain kinds of traffic is not a 4 Gbps IPS!  Cisco is not alone in this, though.  Almost every single vendor is guilty of word games with their speed ratings.  2 Gbps of traffic in is touted as 4 Gbps because it also sends those 2 Gbps out.  That is not 4 Gbps either!  I would like to see some vendor come along and blow the lid off of the marketing scam and show real throughput levels.  We need apples-to-apples comparisons!

Second player in the triple play is Cisco's move into behavior-based detection. Brad Reese (our latest guest on the podcast, coming up this week) on his Cisco Subnet, NetworkWorld blog talks about Cisco moving away from NetFlow to a new ASIC packet inspection card (again in the switch) and working with the Cisco QoS Policy Manager. I don't know enough about this one to say for sure, but I think at a time when the industry leaders (Lancope, Mazu, Arbor, etc.) are standardized on NetFlow, Cisco, at least according to Brad's article, is moving away from it.

Finally is Cisco's TrustSec announcement.  I think the Wizard of Syracuse, Mike Fratto, has done a good job on his Network Computing blog in calling a duck a duck. When I first heard about TrustSec I thought TrustSec was part of the NAC framework. I was surprised to learn it is not. I see TrustSec absolutely competing with NAC.  The fact that one comes from the security group (NAC) and one from the networking group has all the earmarks of a political turf war to me.  In any event, like Dom Wilde at Nevis pointed out, identity-based access control - BFD. Nothing earth shattering there.  It will be interesting to see how TrustSec plays out with NAC when and if it is finally available.

There you have it, 3 new security plays for Cisco.  It certainly keeps it interesting and makes it harder than ever to compete with these guys!

November 20, 2007

Are you in Atlanta on December 5th?

StillSecure in partnership with Force 10 Networks is having a lunch and learn at the Palm Restaurant in Atlanta on December 5th. If you want to find out more about how to take control of your network and want a nice lunch to boot, register for the event and come on down. I wish I could be there myself for this, but I have to be on the other side of the country that day.  We have done a few of these with Force 10 and they have been well received.

If you are in Atlanta on the 5th, stop by and say hello, have something to eat and maybe learn something!

NOTE: Andy ITGuy makes the point that I forgot to put the link to register and the register button in the picture doesn't work. My mistake!  You can register here.

November 08, 2007

Does your employer cramp your style surfing the web?

Saw two surveys recently dealing with similar issues.  The first was from Barracuda Networks.  Analyzing data from customers using Barracuda Web Filters, about half of all businesses were blocking MySpace and/or Facebook.  The reasons given for blocking these social networking sites were:

1. Virus/spyware prevention - 70%
2. Productivity drain - 52%
3. Bandwidth concerns - 36%
4. Liability concerns - 28%

Of course you have to remember that folks using web filtering are much more likely to filter access and content than those not using web filtering (Thank you Captain Obvious), so overall industry numbers are probably much lower than this.

This leads me to the second survey done by McAfee.  Their data shows that over 66% of IT managers said they do not block employees from downloading music from the web.  This in spite of the fact that music downloading is consistently at the top of the list of potential threats.

I think this highlights the dilemma that we in security and management face.  We want to protect our computers and network from harm and we want to stop productivity draining, non-work related time drains.  However, having too heavy a hand on what employees can and can't do on line can lead to morale issues.  A happy worker is after all, a productive worker (do you believe that?)

October 18, 2007

Stiennon lays the blame on the military, but if you think your feet hurt now, walk a mile in their shoes

Richard Stiennon fires a broadside at the US military in his latest post on his ZDNet Threat Chaos blog.  Seems that at a recent trade show poor Richard, after being on his feet for far too long, was accosted by the CIO of one of the branches of our military.  The CIO took Richard to task as another security vendor "...trying to sell us a new box, you are a money hole we keep spending on but we still get hacked".  Reading between the lines, Richard did not respond to the man in the manner he wanted to at the time, so now lays out his response in his post.  Richard, did you not have your response formulated when the CIO confronted you, or did you think it the better part of valor not to go toe to toe with him?  I would hate to think you are hiding behind your blog and not saying anything you wouldn't say in person.

Not to wrap myself in the flag, but let me pull an Otter from Animal House (watch the YouTube video for a refresher). Richard, don't blame the overworked, underpaid military information assurance people for the failing FISMA scores they receive.  I am not sure how much business Fortinet does in the federal sector (not sure if foreign ownership or anything plays in here), but we have done a lot of business with the DoD and the military over the last few years. I can tell you that by and large, the people responsible for the security of the networks of the American military are genuine American heroes worthy of our respect and praise, not our scorn.  They are often times under trained and making do with less budget, as money is shifted towards the war.  They are saddled with a bureaucracy that adds time and money to their selection and procurement process.  They have to fight their own internal wars over risk management versus ease of use.  In spite of all this they do a damn fine job.  Their networks see volumes of attacks that most private sector security folks would only dream of in their worst nightmares. Yes, we may hear now and then about some attack or incident, but compared to what they are defending against, they are doing great things on the cyberwarfare front lines every day.

Richard I understand that this CIO touched on one of your hot buttons.  But, if you think your feet hurt now from standing for too many hours at some Gartner trade show in Orlando, how do you think they will feel having walked a mile in the shoes of an information assurance officer stationed in Southwest Asia? 

September 27, 2007

It's National Cyber Security Awareness Month - Do you know if your computers are safe?

I am sure all of you are already aware of this but October, 2007 has been designated National Cyber Security Awareness Month by the National Cyber Security Alliance.  Why, you ask?  Well, according to the NCSA:

National Cyber Security Awareness Month is a national campaign designed to increase the public's awareness of cyber security and cyber crime issues so that users can take precautions to avoid these threats on the Internet. The month will feature a number of initiatives including public relations activities, educational programs and events that target Home Users, Small Businesses, Education audiences (K-12 and higher education), and Child Safety online.

What can you do:

Place a web banner on your email header or your organization's website. We need your help to get the word out on the importance of cyber security and safety.  As a result, we're asking individuals and organizations alike to download our banners and either place them on your organization's website, blog site, or in your email header during the month of October. Click here to download our banners.

Endorse National Cyber Security Awareness Month. Your organization can also support National Cyber Security Awareness Month by endorsing the month. If you endorse the month, we will place your organization's name on the Stay Safe Online website, along with other organizations that endorse the month. Click here to download the NCSAM endorsement form.

I don't know about you, but while I am all for this kind of stuff, do you think it really does any good?  How many people do you think are really motivated and are more aware, besides people in the security business that is.  At some level seems like it makes us feel good that we are trying "to do something", gives a nice ego boost that cyber security really is important and we are on the front lines, but does it really do anything to raise the cyber security profile?  Can someone point to any tangible benefit that this is providing? Am I the only one who feels this way?  Let me know.

September 19, 2007

Self-selecting or selecting self?

There has been a bit of a brouhaha lately over the Jericho Forum and the amazing shrinking, disappearing, shifting, changing, eternal (take your pick) perimeter.  It started with Chris Hoff teeing off on Rich Mogull. Rich had a get out of jail free card while he was still at Gartner, as not even Hoff, while working for a vendor, would piss off a Gartner dude.  However, the Teflon is gone and Hoff is on.  He took umbrage with Rich's views on the Jericho folks.  I was going to jump in, but every time I disagree with the Hoff man lately he accuses me of going off my meds.  No doubt Hoff can write a mean rhyme and a long blog post.  But sometimes he is so deep in the doo-doo that he kind of loses some of the subtler points being made.  Anyway, I digress.  What got this party started was another former Gartner dude weighing in, Rich Stiennon.  For those who do not know, Chris and Rich Stiennon have a long history of antagonizing each other.  Anyway, Dan Weber then brings up a point I wanted to comment on in Rich Stiennon's comments.  Rich ends his article with this:

I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)

Dan calls BS on this and I agree 100%.  I don't believe for a second that Rich went to work at Fortinet because of his belief in the sanctity of the perimeter.  I think if Rich worked for an anti-spyware company (wait, he already did that, didn't he?), he would be all for anti-spyware. If he worked for an endpoint provider he would be a big supporter of endpoint security.  Let's be clear, it is not only Rich.  Many folks in the security sphere claim that they came to work where they did because of their deeply held beliefs in the supremacy of their company's technology and approach.  I say give me a break, people.  You like it because it is yours and it is paying the bills.  Let's be open and honest about it. That would be a good place to start.

September 16, 2007

Are computer viruses on the way out?

According to this PC World article based upon the annual CSI report, 2007 represents a watershed year for security incidents. Insider incidents (59%) were more widely reported than incidents involving computer viruses (52%) in the last year. Laptop and mobile theft was also hot on the heels of viruses with 50% reporting incidents.  I should mention that overall incidents are still trending down from their all time high in the year 2000.

But what does the increased incidence of insider threats and device theft mean for the security industry?  It could be big news.  It is what is driving encryption and data leakage prevention.  In many ways it is also what is driving the NAC market.  For too long, too many security technologies were focused on stopping malicious traffic that may contain a worm, trojan or virus.  Not without reason, but are the AV folks a victim of their own success?  Let's not shed any tears, overall AV is still a cash cow.  But the time has come for the security industry to focus in on what is causing the greatest turmoil and harm now.  That is not viruses or worms, but insiders and data theft.

September 10, 2007

Yesterdays argument, tomorrows solution

One of the classic mistakes that armies on the losing side make is fighting the next war with the last war's weapons and tactics.  I am afraid Mr. Hoff is guilty as charged in talking about the recent Google/CapGemini deal.  In case you have not heard, CapGemini will offer Google Apps to the one million strong corporate desktops that it services.

Chris does a nice job of explaining how CG will make money on this and some of the advantages of Google Apps. However, Chris seems to side with the camp of those who think that SaaS based, centrally managed applications and the data that goes with them will present compliance and security concerns that could slow adoption.

I say poppycock to that.  I heard the same thing about Qualys storing vulnerability data 5 years ago and over the intervening time have seen that argument melt away except for maybe in the federal government space.  In fact Qualys has now become the tester of choice for PCI compliance in many cases.  But beyond that, the whole issue of outsourcing application hosting brings me back to my days at Interliant, an early entrant into the ASP market.  We hosted Lotus Notes, PeopleSoft and other enterprise level applications, as well as managed security (mostly Check Point firewalls, which was sold to Akiva).

One thing that we learned the hard way at Interliant is that people will not outsource applications which they consider critical and core to the business.  So for instance, if they were an accounting firm, they would probably not outsource the hosting and management of their accounting software.  However, critical, non-core applications are good candidates for outsourcing.  I think for the most part, this is exactly where the Google Apps fall.  I think the success of hosted CRM like Salesforce.com also shows that people are willing to outsource critical, non-core applications.

Now the fact that it is Google after all raises, in my mind anyway, two other issues. One is the privacy of my data from Google.  Is Google going to use that to hone the AdWords they serve up to me?  The other is that as Google continues to grow, will it suffer from Microsoft-like "evil empire" syndrome, where people attach dark aspirations to everything they do?  I guess we will have to see how this plays out.

August 27, 2007

Don't worry Hoff, 2 out of 3 ain't bad - security in virtual environments, the next big thing

My friend Chris Hoff has himself all worked up. In fact Hoff is in a huff. What has Christofer (for those who may not realize, he spells his name funny) so worked up, you ask? It seems the good folks over at InfoWorld are staging an Executive Forum on virtualization next month down in NYC.  Nowhere on the agenda is even a mention of security and the challenges that a secure virtualization environment poses.  Chris goes so far as to offer, on his own dime, to go down and personally deliver a presentation on security and virtualization. Well Chris, it would be nice to see the InfoWorld folks take you up on this, but I would not hold my breath.

But Chris there is good news.  I know for a fact that security in virtualized environments is going to get the attention it deserves.  How do I know this you ask?  Simple, it is my 2 out of 3 ain't bad test.  No, I am not talking about some Meatloaf song from Bat Out of Hell.  I am talking about last week alone doing two interviews. One with a large analyst firm and one with a large VC firm who were only interested in my take and what StillSecure was going to do about the problems around security and virtualization.  The fact that both the analyst and VC asked me in the same week, makes it a high probability of this becoming the next hype sector in security.  In fact the only thing missing is a media interview request.  Something tells me I will get one of those very soon too.

So Chris you are out in front of this one, but have no fear.  Security in virtual environments is going to be big!

August 15, 2007

Security for security's sake?

What a novel idea.  Like many of you, I read Ron Gula's blog in my feedreader. Over the months Ron has written some great stuff on how to use Nessus and Tenable's other products for vulnerability management, configuration management and auditing.  The articles are usually pretty good, but are very much aimed at end users getting more value out of Tenable's product.  Today however, Ron had a good article recounting a recent experience he had with a friend of his.

This friend was an attorney for an application hosting company and he and Ron scanned (Ron, I did not know Tenable had Nessus scanners set up to scan over the Internet; is there a SaaS Nessus service in the works?) one of the sites his company hosts.  The scan turned up some relatively benign stuff.  Ron tried to show the guy some other type of stuff that could be turned up in a scan.  The guy was just interested in one thing.  Was the site secure or not?

Ron comments, can you imagine, that topics like CVSS and NSA best practices never came up.  I bet neither did PCI, SOX (Sarbanes-Oxley) or any of the other compliance buzzwords. Ron says his friend was just interested in risk to the business and that it is a good thing.  That is exactly right. I think we lose sight too often of this simple fact.  It is about reducing risk and making the customer more secure. Yeah, allowing them to show how they comply with some politician's or someone else's idea of secure is nice.  Yes, allowing them to check off the box on the audit and SEC forms is nice.  But it is good to not lose sight of the fact that it is about being secure.  Like James Carville might have said back when Bill Clinton and not Hillary was running for President, it is about being secure, stupid!

August 14, 2007

Tonight playing the role of Carnac the Magnificent, . . .

Take your pick. Stiennon, Rothman, Rob Newby from over in Spain or how about yours truly. To me, whenever I see people trying to make long range predictions of what is going to happen in any market, I think Johnny Carson probably had as good a chance of being right as any of these understudies. In my mind there is the next 24 to 36 months.  Beyond that is better left to Nostradamus, Carnac and the like.  Who knows what kind of devices we will be using for access by then.  This alone makes it hard to predict that far out.

However, let me audition for the role here a bit.  I agree with Richard on two things.  First of all I don't think innovation is dead in security. I think venture money may be harder to come by for security start ups, but there are lots of ideas out there for new security methods and even more ideas to combine existing security technologies in ways that have not been done before and will result in more effective and efficient security.  I also agree with Richard that security as a service is going to be hot. However, I have seen this pendulum swing before. I think services will heat up and then over time cool off, as people realize it is not any cheaper and gives them less control over their own security. A fact of life is that as the mice get smarter, we need smarter mouse traps.  This is also a fact of life in security.  As the bad guys figure out new vectors in, we have to figure out smarter ways of preventing and detecting them.

I disagree with Mike and Richard that security as a stand alone goes away. I think there are going to be pure play security companies that specialize in protection.  I think that there will always be smaller security companies getting swallowed up by the bigger boys.  This sort of farm league of security allows the bigger companies to buy innovation, rather than having to innovate themselves.  Many larger technology companies are going to want in on the security market, so you may see them entering the market via acquisition like EMC a few years back.

I totally agree with Rob Newby about a generic platform on generic hardware "that we can turn into whatever device we want, anywhere in the network".  That actually sounds very much like Cobia. I think virtualization and multi-core technology is going to make that happen. I also think open source and "freemium" applications are going to make themselves felt in security, even more than now.  Of course convergence with networking will make security more ubiquitous, but it will not just be blended in.

Beyond that, your guess is probably as good as mine.  One thing for sure though is that you shouldn't worry about Rothman or me; we will find a way to live off of the fat of the land somehow.

July 27, 2007

Why should P2P be a problem in the US Government?

Wanted to write about the recent press around Wesley Clark's appearance before a US House Committee regarding the leakage of classified information via P2P applications. Jaikumar Vijayan has a good article up on Network World about it. It looks like my friends over at the 360 Security blog by nCircle beat me to it. However, let me give my two cents on it anyway.

At first blush I thought this was just Clark pitching a company he is on the board of, Tiversa. Here is some of his testimony:

"There's all kind of data leaking out inadvertently," he told the committee, noting that the documents he cited were "simply what we found when we put the straw in the water. The American people would be outraged if they are aware of what is being inadvertently disclosed on P2P networks."

Tiversa seems to have an enterprise solution/service around P2P leakage. I thought to myself, how powerful is retired General Clark if he can get a Congressional hearing on this stuff for a company he is on the board of? Crap, maybe we should get him on our board.  But after reading more it became obvious to me that this is a real problem and it is not just LimeWire, though they appear to be the butt of the committee's wrath right now.

The good news is, this is a relatively easy problem to thwart and I don't think you need a monitoring service.  The nCircle people talk about "continuous compliance". I guess that fits right into their recent acquisition of I forget the name of the company.  But there is more than one way to skin this cat.  Using StillSecure's Safe Access NAC solution, we can check every device coming on the network for the presence of any P2P application and not allow it on.  Using a good IPS like StillSecure's Strata Guard you can filter out P2P traffic and block it.  Of course the StillSecure products are not the only ones in their class to offer this.
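To show what the IPS side of that actually looks like, here is an added example of mine (not StillSecure code, not any product's detection logic): it recognizes the two P2P families in question, BitTorrent and Gnutella (the protocol LimeWire speaks), by the fixed handshake each client sends at the start of a TCP stream. Matching on the handshake rather than the port is the point, since P2P clients pick their ports at random. The flows and payloads are constructed for the example. One caveat a practitioner should keep in mind: BitTorrent clients can negotiate an obfuscated stream (message stream encryption), which a plaintext handshake check will never see, so a complete policy also needs the NAC-style host check or behavioral detection behind it.

```python
"""Handshake-based P2P detection.

Added example, not code from StillSecure or any product. Looks at the
first bytes a client sends on a TCP stream and matches the fixed
handshakes of the BitTorrent peer-wire protocol and Gnutella 0.6 (the
protocol LimeWire speaks). Matching the handshake rather than the port
matters because P2P clients choose their listening ports at random.
All flows and payloads below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BitTorrent peer-wire handshake: one length byte (19) followed by the
# literal string "BitTorrent protocol".
BITTORRENT_HANDSHAKE = b"\x13BitTorrent protocol"
# Gnutella 0.6 handshake: the client sends "GNUTELLA CONNECT/0.6\r\n...",
# the servent answers "GNUTELLA/0.6 200 OK\r\n...".
GNUTELLA_CONNECT = b"GNUTELLA CONNECT/"
GNUTELLA_RESPONSE = b"GNUTELLA/"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the stream, client to server


def classify_p2p(payload: bytes) -> Optional[str]:
    """Name the P2P protocol if the stream opens with a known handshake."""
    if payload.startswith(BITTORRENT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith(GNUTELLA_CONNECT) or payload.startswith(GNUTELLA_RESPONSE):
        return "gnutella"
    return None


def p2p_hits(flows: List[Flow]) -> List[Tuple[str, int, str]]:
    """(src, dport, protocol) for every flow an IPS drop rule should catch."""
    hits = []
    for f in flows:
        proto = classify_p2p(f.payload)
        if proto is not None:
            hits.append((f.src, f.dport, proto))
    return hits


# Constructed traffic: a BitTorrent peer hiding on tcp/443, a Gnutella
# connect on the LimeWire default port, and an ordinary HTTP request.
# The BitTorrent payload is handshake + 8 reserved bytes + 20-byte info
# hash + 20-byte peer id, all placeholder values.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.7", 443,
         BITTORRENT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"\x22" * 20),
    Flow("10.1.1.9", "198.51.100.3", 6346,
         b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.12\r\n\r\n"),
    Flow("10.1.1.12", "192.0.2.10", 80,
         b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dport, proto in p2p_hits(SAMPLE_FLOWS):
        print(f"drop {src} -> tcp/{dport}: {proto} handshake")
```

Run stand-alone it reports the BitTorrent peer on 443 and the Gnutella client on 6346 and says nothing about the web request; the port of the first one is exactly why a port-based ACL alone is not enough.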

The bottom line is, any US Government IT manager who is not implementing one of the many solutions available to thwart P2P applications and traffic, in light of this testimony deserves what he gets.  Namely to be the next one to achieve 15 minutes of infamy due to sensitive information being leaked out of a network they are responsible for.

July 18, 2007

Google makes lemons out of lemonade

OK, so I got it backwards, sounded good anyway.  Actually, Google continues to make security news by announcing a new automated tool they have developed (imagine that, a large company developing their own tools and not just innovation via acquisition.  How long will Google keep that up?) called Lemon.  According to this story in the Register, Lemon is based on common fuzzing technology and is primarily used to uncover application vulnerabilities like cross-site scripting (XSS) flaws.

Google will use the tool initially for their own security and plans are unclear as to whether or not they will release it for general use.  Pretty cool.  One mistake in the Register article is they compare Lemon to tools like Nessus, eEye Retina and Foundstone.  Sounds to me more like tools from White Hat Security and that crowd.

In any event Google and security increasingly look perfect together.

June 27, 2007

NBA - Can it be the star of the show?

No, I am not talking about Kobe, Shaq, Tim Duncan and the rest of the athletes over at the National Basketball Association.  I refer of course to Network Behavior Analysis.  The estimable Mr. Rothman in his daily rant laments the fact that 5 years later we are still trying to explain what it is and that is pretty sad.  I don't think it is sad at all, it is just the facts.  In spite of this though, I think NBA has made terrific strides. Here is why:

1. NBA has grown to encompass a wide range of monitoring and detection technologies and techniques which can actually detect potentially malicious behavior and traffic.

2. NBA has shown itself to be one of the best ways to detect zero-day type attacks (a signature-based system cannot detect what it has no signature for).  With security practitioners increasingly concerned about zero days, NBA seems to have found a niche.

3. As Mike points out, NBA has found its way into several other security product lines and adds real value.
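To make point 2 concrete, here is an added example of mine (not from the post, Mike's, or any NBA vendor) of the kind of check these products run over NetFlow-style records: learn how many distinct destinations each host normally talks to per interval, then flag a host whose fan-out jumps far above its own baseline, and report the port it was hammering. Nothing in it knows what the attack is, which is exactly the property you want when there is no signature. The flow records are constructed for the example, and the sigma and min_delta thresholds are illustrative values, not anyone's tuned defaults.

```python
"""Fan-out anomaly detection over flow records.

Added example, not code from the post or from any NBA product. A flow is
reduced to (interval, src, dst, dport), the fields any NetFlow export
gives you. Training intervals define each host's normal fan-out; a live
interval is compared against that. All records are constructed.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, int]  # (interval, src, dst, dport)


def fanout(flows: List[Flow]) -> Dict[Tuple[int, str], Set[str]]:
    """(interval, src) -> set of distinct destination hosts."""
    dests: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for interval, src, dst, _ in flows:
        dests[(interval, src)].add(dst)
    return dests


def learn_baseline(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per source host: mean and population stdev of fan-out per interval.
    Intervals in which a host sent nothing are not counted as zero."""
    per_src: Dict[str, List[int]] = defaultdict(list)
    for (_, src), dests in fanout(flows).items():
        per_src[src].append(len(dests))
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def detect(baseline: Dict[str, Tuple[float, float]], flows: List[Flow],
           sigma: float = 3.0, min_delta: int = 5):
    """Flag (interval, src, observed, expected, busiest_port) when a host's
    fan-out exceeds mean + sigma*stdev of its own history. min_delta keeps a
    host with a flat, tiny baseline (stdev 0) from alerting on one extra
    peer. A host with no history gets baseline (0, 0), so it is flagged as
    soon as it reaches min_delta peers: unknown hosts get no benefit of
    the doubt, which is a policy choice, not a law."""
    ports: Dict[Tuple[int, str], Counter] = defaultdict(Counter)
    for interval, src, _, dport in flows:
        ports[(interval, src)][dport] += 1
    alerts = []
    for key, dests in sorted(fanout(flows).items()):
        n = len(dests)
        mu, sd = baseline.get(key[1], (0.0, 0.0))
        if n > mu + sigma * sd and n - mu >= min_delta:
            busiest = ports[key].most_common(1)[0][0]
            alerts.append((key[0], key[1], n, round(mu, 1), busiest))
    return alerts


# Constructed training data: a web server that talks to the same three
# backends every interval, and a workstation that sees two to four peers.
TRAINING: List[Flow] = []
for t in range(4):
    for d in ("10.0.1.10", "10.0.1.11", "10.0.1.12"):
        TRAINING.append((t, "10.0.0.5", d, 80))
    for i in range(2 + t % 3):
        TRAINING.append((t, "10.0.0.7", f"10.0.2.{i}", 443))

# Constructed live interval: the web server suddenly touches 40 hosts on
# tcp/445 (what a worm looking for SMB does); the workstation is normal.
LIVE_WINDOW: List[Flow] = [(10, "10.0.0.5", f"10.0.3.{i}", 445) for i in range(40)]
LIVE_WINDOW += [(10, "10.0.0.7", f"10.0.2.{i}", 443) for i in range(3)]

if __name__ == "__main__":
    for interval, src, seen, expected, port in detect(learn_baseline(TRAINING), LIVE_WINDOW):
        print(f"interval {interval}: {src} reached {seen} hosts "
              f"(baseline {expected}), mostly tcp/{port}")
```

The alert carries the baseline alongside the observation so an analyst can see the size of the jump, and the busiest port because "40 hosts on tcp/445" is a far more actionable line than "anomalous fan-out". The weakness is the one every behavioral tool shares: an attacker who stays inside the host's historical envelope, or who poisons the training window first, is not seen.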

Ultimately Mike, I think you have to get your head around the fact that NBA may never be a successful stand alone security product.  However, its transition to a feature inside of other security products is well under way.  If you want to find out more about "market (or product) vs function" I refer you to Mr. Hoff (of the joining with Shimel to pile on Stiennon and promote our own products fame). Of course if you are a stand alone NBA vendor, I would probably be pursuing a very aggressive partnering and business development strategy.  If any NBA business development types are reading this, give me a call.  I think this technology is a great fit for some of the things we are doing at StillSecure.