50 posts categorized "links and appearances"

June 30, 2008

SC Magazine World Congress 2008

For a while over the past few years it seemed like there was a security show a month. It got so watered down that it was hard finding any value in some of these shows. Over the last few years though in a case of natural selection I guess, many of these shows began falling by the wayside. This past year I have attended a few good shows and overall I would say the shows have been better attended. I think shows that have great content and not just a trade and exhibit floor provide the value that people want to see.

In any event, the folks at SC Magazine first approached me about a show they were planning in the NY area, around the time of RSA. I think a good security show in the Northeast would be great. I also have a lot of respect and admiration for the Haymarket Media group who run SC Magazine. So I am really happy to write about the first SC Magazine World Congress taking place December 9 and 10th at the Javits Center in NYC. I will be there for sure and hopefully you will be too! Mark your calendars.

June 04, 2008

Security Bloggers Network revs up for Black Hat


The Security Bloggers Network is proud to announce that we have formed an alliance with the folks at Black Hat. As part of the alliance, the SBN (with almost 150 blogs and over 50,000 combined subscribers) is now an official bloggers network for Black Hat!  To the left is the new logo that member sites can display between now and the Black Hat conference in Las Vegas, August 2-7, 2008.

Besides just the name and logo change, we have some other cool joint activities planned with the Black Hat folks.  Starting shortly we are going to pick a Black Hat topic of the week, based upon a briefing scheduled for Black Hat and we are going to ask the SBN members to blog on that topic.  With over 150 blogs, we should cover these topics from many different angles.  It should also create some buzz around the various briefings. 

We will also be participating in the twitter feeds leading up and at the show.  Other activities are currently being finalized and will be announced shortly.  Just so everyone knows, I didn't personally do all of this myself.  As usual Jennifer Leggio from Mediaphyter blog and Fortinet was invaluable in getting this done. Sonya Caprio of StillSecure and also Rich Mogul and Martin McKeay helped out and chimed in, as well as Amrit Williams.  As Rich Mogul said, "we are all going to blog about Black Hat anyway, why not make it official".  No word yet on a bloggers get together for Black Hat and if anything comes up, we will keep you posted.

If any members of the SBN have an issue about our new affiliation please write to me at podcast@stillsecure.com.  I would like to hear from you.  Along with our alliance with RSA, this is helping make the Security Bloggers Network, "the bloggers network" of record for the major security events.  If anyone who is blogging security would like to join, please send me an email.  Also, if there are any other events that you think make sense for the SBN to associate with we are open to suggestions. 

So now all of you bloggers out there, on your mark, get set, blog!

June 03, 2008

Security - Passive versus active response

Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel.  The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.  Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.  It was good to run into a number of StillSecure customers here at the show.  Even though we did not exhibit our presence was felt in several of the tracks discussing security solution areas that we offer products in.

While at the show I had a chance to catch up with several other security vendors.  One fellow I spoke to was Phil Neray of Guardium.  Guardium is best known for providing database security to many of the largest financial institutions and other large companies.  They recently announced a major new release of their flagship product with something they call "S-GATE". I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations. 

For me the active versus passive mode of security is one that transcends different layers of security.  Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting to NAC testing and blocking access, to now database access, ultimately security follows a similar route. First comes the ability to actually detect.  Often times the ability to detect is a major step up from what was available before.  The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.

This active blocking mode though is often not as readily accepted at first by the market.  Everyone is always afraid of blocking the wrong user, the wrong email message or other request.  I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.  This has been true in every security technology I have seen.  Eventually active response does win out, but it takes time and there are always doubters.  It will be interesting if what Guardium has done here is viewed with the same suspicions at first and then catches on or not.  We will have to watch.

April 27, 2008

Heading to Interop

Getting ready to head out to Interop tomorrow. I have a bunch of interviews and meetings scheduled, but if you are going to be at the show, stop by the StillSecure booth and say hello or drop me a note or twitter to get together. Interop is always a blast and I am looking forward to seeing what is new this year.

April 25, 2008

IT Hot Topics Conference, May 15th and 16th Greensboro, NC

Just a quick note on some recent events I will be attending. I am really psyched to be moderating a panel on NAC (does that mean I can give all of the panel a hard time?) at the IT Hot Topics Conference 2008 at Grandover Resorts & Conference Center, in Greensboro, NC. I also get a chance to play golf on a great course, the afternoon of the 16th! You can read more about the conference and some of the other guests and tracks on Jennifer (JJ) Jabbusch's blog here.

Also, I am at the Intrusion World Conference & Expo May 14th at the Baltimore Convention Center. I am speaking on a number of topics. You can check out the site for details.

If you are attending either of these, stop by and say hello!

April 24, 2008

SC Magazine article on clarification of PCI requirements

Martin and a bunch of others have written about the recent clarifications around section 6.6 and 11.3 of the PCI DSS. Jim Carr over at SC Magazine ran an article on it today that he interviewed me for. While I am not the PCI expert Martin is, I was happy to contribute my 2 cents (ain't I always).

Anyway, sounds to me like these new clarifications are going to wind up with a lot of web application firewalls being sold.  Here at StillSecure we are thinking about some ways to take those to the next level as well. Hopefully we can announce something soon on this.  Overall, just another indication that right or wrong, compliance is driving a lot of the spending in security today.

April 20, 2008

At SANS Orlando Monday and Tuesday, Interop next week

I will be up in Orlando Monday and Tuesday for SANS 2008 in Disney World.  Next week I am in Vegas for the big Interop show. If you are attending either one of these and would like to chat, please drop me a line and let me know.  You can stop by the StillSecure booth as well with a good shot of finding me somewhere near there.

April 06, 2008

Out of Office Auto Reply

I will be at RSA between Sunday April 6 and April 11th.  I will be answering email and messages as best I can and blogging when I am able.  Hope to see many of you at RSA!

April 02, 2008

RSA and related stuff

Well after all the planning and talking, here we are just a few days away from the RSA conference.  I have a full plate and wanted to just let everyone know where I will be and what I will be doing over the next week. My RSA week starts Sunday night when I arrive in San Fran.  I am speaking on Monday at the Americas Growth Capital Conference.  This will be the third year in a row I am presenting at the AGC conference.  This event has become a must attend event for the security crowd.  Over 70 security companies, public and private will be presenting at the conference.  The overwhelming majority of the presentations are by the CEO or CTO.  Great time to catch up on what the industry is doing and a high level networking event.  The AGC folks usually have a decent reception after the conference Monday night as well.  I will be speaking on the NAC market (surprise, surprise)

Tuesday is the first day of RSA and I am pretty much booked up the entire day through the SC Magazine Awards reception that night. Wednesday is another day full of interviews and meetings, but I do have an hour or two towards the end of the day open.  Then another few parties Wed night.  Thursday I have a few morning meetings and then off to the airport.

Knowing how these things always work, I do find myself with time in between open, so if you stop by the StillSecure booth you will probably be able to track me down.  Or drop me an email and see if we can hook up.  At RSA I usually find myself wrapping up the night at the W hotel bar, so you can always look for me there later on.  The week usually goes by in a blur, but it is a great time and is the catalyst for a lot of business over the year.

I will be following it up with another few days at Interop in Las Vegas later this month and then a few more speaking appearances in May.  These next few months are shaping up as busy times, but that is better than the alternative.

Hope to see many of you at the show.  Please stop by and say hello!

March 28, 2008

10, 9, 8, 7, . . .

The ball has begun to drop in the countdown to the RSA Security Bloggers Meet up.  Jennifer and the rest of the event committee have made the list and checked it twice.  Naughty or nice, we just can't fit another person in.  The buzz around this year's event is palpable.  Both in person at several events I have attended, as well as on email and especially with the tweet crowd, the security bloggers and media are all a twitter (OK bad pun I know) about the event.  Whether it be a chance to hoist some cocktails with friends old and new or ask that question you have always wanted to ask that person, we are just a week or two away.

Remember, there will be live audio and video podcasting for you to join in the fun (you will have to buy your own drinks though) if you are not there in person.  Also, we think the live Twitter feed should add a new dynamic element to the virtual attendees.  Be sure to follow the feed @RSABloggers2008.

We are already looking at other blogger meet ups at other events.  If you are interested please drop us a line or leave a comment.  To everyone who has RSVP'ed already, we are really looking forward to seeing you at the event!

March 24, 2008

I will be in Charlotte Tuesday for the ISSA conference

I am scheduled to appear at the 5th annual Charlotte ISSA conference at the Charlotte Convention Center this Tuesday.  I will be leading a session on NAC. If you are in the area, please stop by and say hello.

Also, besides RSA and Interop in April, I am speaking at Intrusion World in Baltimore May 14th and moderating an All-Star panel on NAC at the IT Hot Topics conference in Greensboro, NC on the 16th.  If you are attending any of these, it is always nice to meet people who read the blog at these shows.

Drop me a line and we can plan to meet up.

March 11, 2008

Report from InfoSec World

Up in Orlando today and yesterday at the InfoSec World conference put on by the MIS Institute.  StillSecure has a booth but I have spent most of my time talking to old friends in the security world.  Some of the folks I have seen are Ian Poynter, Jeremiah Grossman, Jordan Wiens, Bobby Dominguez, etc, etc.  Another person I had a chance to catch up with and get to know much better is Ofir Arkin from Insightix.  Ofir always has something interesting to say and we spent some time with the SC Magazine folks talking shop.  Speaking of SC Magazine, they are in full swing getting ready for their awards show at RSA this year.  That is always one party I look forward to.  But it sure would be nice to win this year. I think we are finalists in 3 or 4 categories.

Anyway, enough of the page 6 social news.  The conference seems to be very well attended this year by the usual mix of folks trying to learn more about security.  I hear rumors that next year the show is moving back to Coronado Springs at Disney World.  I hope not as the Shingle Creek Resort is very nice and offers many less distractions than the Disney venue.

Anyway, this show has me thinking that with many of the security shows having fallen by the wayside over the last year or two, we could use a good Security event in the Northeast.  Maybe some one will pick up on that.

Also, in case any of you want to know, the only booth babes I saw at this show were from Fortify Software inviting people into their party after the exhibit hall closed.  Shame on you Fortify!

February 28, 2008

What's your favorite thing about the RSA conference?

It is already the end of February and the buzz is in full swing for this year's RSA Conference. I usually know that it is RSA time because it takes place around my wedding anniversary.  However, this past Monday was my anniversary and no RSA.  That is because this year RSA is a little later, taking place the 2nd week of April in San Francisco.

Over the years I have come to really enjoy RSA as a chance to catch up on the industry, friends and of course, parties!  Some of my favorites are the SC Magazine Awards show and the RSA conference party itself.  Last year one of my favorite events was the bloggers meet up that I had a hand in putting together along with Martin McKeay and a few others and that was sponsored by Microsoft and Fortinet. That party has become legendary with posts about it here, here, here and here among other places. We had a similar event at Black Hat last year and that was fun too.  There is something about getting together with all of the folks you virtually talk to all the time via the blogosphere and putting a real face and voice to a name.  We try to keep these blogging parties confined to blogger and media types, so that everyone is comfortable sharing and conversing without the "general public" there.

For this year's RSA conference we wanted to do a similar type of event. However, the blogroll of security bloggers attending has grown quite a bit and of course most security media types are blogging now as well.  So we wound up getting about 100 of the top security blogging crowd together and got Fortinet, Microsoft and StillSecure to sponsor.  It is shaping up to be the bash of RSA, for me anyway.  The buzz around it was so loud that before we knew it we had a logo, our own official blog on the RSA conference site and a full committee running invites, food, drink and logistics (OK so Jennifer Leggio does most of the work)!  I am just totally pumped to meet a bunch of the folks on the RSVP list and have a great time. Truth be told I am also proud as a peacock that I played a role in putting this thing together from the beginning.

If you have a security blog or podcast, are going to be at RSA and want to attend there is information on the RSA blog page on how to get an invite. For many of you reading this, I know you are saying to yourself, "great sounds like a cool party, free drinks and I can't get an invite because I don't blog".  Well you don't have to fire up that old free blogger page you started but never finished months ago.  Through the magic of modern technology you can party along with us virtually!

We are going to have live video streaming, live audio podcasting and a live Twitter feed.  The RSA site has more details on signing up for the Twitter channel we have set up to follow on the pre-party chatter (or is it twitter) you can follow that at @RSABloggers2008. Hey it will be almost like being there.  Anyway, hope to see as many of you as possible at the party and as many of you as possible virtually if you can't make it!

February 05, 2008

Hello from Clearwater Beach and the Competitive Intelligence MindXchange

I am down here in beautiful Clearwater Beach, Florida this week at the 15th annual Competitive Intelligence MindXchange hosted by Frost & Sullivan. The F&S folks invited me down to speak on CI based on some of the stuff they read in my blog. I was flattered and since it wasn't that far from home agreed to appear.  The conference has opened my eyes to the huge effort that many companies, especially larger public companies, are putting into gathering market intelligence and information.  Also the global focus of CI.  I always find it refreshing to meet people from outside my core discipline.  So security is not top of the mindshare here, but I kind of enjoy learning about something else.  You can never tell what you may learn that helps you later on.

November 20, 2007

Are you in Atlanta on December 5th?

StillSecure in partnership with Force 10 Networks is having a lunch and learn at the Palm Restaurant in Atlanta on December 5th. If you want to find out more about how to take control of your network and want a nice lunch to boot, register for the event and come on down. I wish I could be there myself for this, but I have to be on the other side of the country that day.  We have done a few of these with Force 10 and they have been well received.

If you are in Atlanta on the 5th, stop by and say hello, have something to eat and maybe learn something!

NOTE: Andy ITGuy makes the point that I forgot to put the link to register and the register button in the picture doesn't work. My mistake!  You can register here.


July 30, 2007

StillSecure, After all these years, Podcast #43

Podcast #43 is another NAC-tacular one with two special guests.  One is Andrew Braunberg, research director for enterprise security at Current Analysis.  Our second guest is Andy Dornan, renowned author, journalist and senior technology editor of Network Computing.  Current Analysis and Network Computing recently published the results of their second annual NAC survey.  The survey shows some real trends in NAC adoption, as well as some very interesting views on NAC from real world users.  Mitchell and I spend some great time with Andy and Andrew talking NAC.

Also, Mitchell and I talk about Black Hat coming up this week.  We will try to do a podcast from the show if possible. If you are going to be at Black Hat, please stop by and say hello!

Our friends from South Africa, Sensepost, have a special offer for those who would like to attend their hacking classes at Black Hat this year. Anyone who signs up for this offer can also pick up a StillSecure T-shirt by coming by our booth at Black Hat with proof of signing up for the course. Please have a listen to this message and visit their site.

If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!


June 19, 2007

What did one NAC vendor say to the other NAC vendor?

Or how about, a NAC vendor walks into a bar and ... or NAC, NAC, who's there? Isn't that the question.  There are only so many jokes you can make about NAC and there are only so many ways a NAC vendor can distinguish themselves from the other NAC vendors in the market.  I appeared today at the Network Computing NAC Forum at the St. Regis Hotel in NYC.  It was a day dedicated to NAC with 12 NAC vendors sponsoring.  Besides opening remarks and keynotes, there was a panel on out-of-band NAC, in-line NAC, infrastructure NAC and even a chance for the NAC vendors to trot out their favorite pet customer/references to talk about how they NAC.

I appeared on the out-of-band NAC panel and was the 6th of 7 vendors to present.  Each vendor had 10 minutes and then we had too short a time period for questions that bled into lunch (where we were given a 30 minute Symantec "lunch" presentation. I would have preferred a dirty water hot dog outside and skipped the Symantec presentation, but hey that is me.).  After listening to each of the vendors before me, what was I really going to say that was not already said?  My NAC was better than their NAC.  So I focused in on what is NAC and what people seem to be looking for.  A couple of interesting things I heard and saw today. One CEO (you know who you are), actually said that one of the good things their NAC product enabled was that their customers were finally able to have a complete list of all the printers on the network.  I don't know, that sounds like a pretty expensive way of finding that out.  Better off downloading Nmap or something like that.  Another NAC vendor talked about quarantine via ARP poisoning (and no it was not Mirage, they twiddle ARP, not poison it and they weren't there anyway).  I was really glad the Cisco guy stood up and said sorry Charlie, but ARP poisoning does not qualify as quarantining.

One thing I do want to mention is that Dan Clark, VP of marketing at Lockdown Networks corrected something that I had taken him to task on in this blog a while back.  He clearly gave Lockdown's history as having its roots in the vulnerability space and coming to NAC in 2005.  Dan, I was quick to jump on you back then and I want you to know that I appreciate your correction on that fact.

Anyway, it was a great way for people looking at deploying NAC to come up and touch and feed a real live NAC vendor. Ultimately, you still have to install the product and play with it yourself to see if it works.  There were lots of claims and NAC crap flying today.  I also would like to see more of a panel of answering questions than just giving our elevator pitch powerpoints to the crowd.  Still a worthwhile day and a good job by Network Computing. I think all of the elevator pitches will be posted on NC site soon.

It was also good to talk shop with the other vendors.  The NAC community is really made up of some folks who have gotten to know each other over the years. Heck, many of them blog and are part of the Security Bloggers Network.

June 09, 2007

Network Computing NAC Forum 2007 in NYC, June 19th

Just wanted to mention that we recently confirmed that I will be appearing at the Network World NAC Forum 2007 at the St. Regis Hotel in NYC on June 19th.  The day starts pretty early and goes all day. I am speaking before lunch I believe in the out of band NAC panel. 

Many of the leading NAC vendors will be sponsoring and presenting, as well as some of their reference customers who have actually used some NAC solutions. Mike Fratto of Network Computing will be speaking as well. We are given a limited number of tickets for attendees to this event.  If you are looking at implementing a NAC solution and would like to attend, please let me know.  It should be a good day to learn about NAC.

PS- thanks to Chris Hoff for turning me on to image chef. Now I know how he does all those cool customized images!

June 01, 2007

StillSecure, After all these years, Podcast #40 - Interop Recap

Episode 40 of the podcast is here for your listening pleasure.  In this week's episode Mitchell and I recap the week at Interop and some of the security news from the last week:

  • Microsoft-TCG NAC interoperability
  • Google-Green Border acquisition
  • 10 Gbps switching and IPS
  • . . . and more!

In this week's "The Converging Minute" Mitchell talks about the ecosystem building around Cobia with the Cobia partner program.

This week we have a new feature. Our friends from South Africa, Sensepost, have a special offer for those who would like to attend their hacking classes at Black Hat this year.  Anyone who signs up for this offer can also pick up a StillSecure T-shirt by coming by our booth at Black Hat with proof of signing up for the course.  Please have a listen to this message and visit their site.

    If you like the content of these shows or have any other comments or questions, please drop us a line at podcast@stillsecure.com

    Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at  http://www.jonschmidt.com.  Music transitions between segments are by our own Mitchell Ashley!

    http://www.clickcaster.com/resource/ashimmy/40.mp3

    May 16, 2007

    Are you going to Interop?

    It's already Wednesday and I have to start getting ready to head out to Vegas for Interop for next week. Interop has really become a huge show with lots going on. My meeting schedule is already packed.  Of the 3 and a half days I am at the show, I think I have one slot open during one day that is not already booked!  But hey it's Vegas and I have plenty of time at night.  And you know what they say, what happened in Vegas, yada, yada, yada.  Actually I am taking Bonnie out with me (believe it or not she has never been there) and looking forward to showing her around.

    We have lots of good stuff planned for the show including some announcements around Cobia and a new partnership around Safe Access. We also have for us, a big booth with some cool stuff to see. If you are not lucky enough to be at the show, pay attention to the press wire to get all of the juicy details.  If you are lucky enough to be there, let me know and let's squeeze in some time to meet and chat.

    March 23, 2007

    Appearing on TechForum LIVE! today at noon

    Mitchell and I are guests on today's TechForum LIVE! weekly radio webcast.  We will be discussing NAC (no surprise there). If you like, the show starts at noon east coast time. However, I think you can also listen to a recorded version afterwards.  Anyway, it should be lots of fun and sorry about the short notice.  I think they allow live questions as well, if you would like to call in and ask us something.

    March 15, 2007

    It truly is a golden age for security bloggers

    Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

    Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


    March 12, 2007

    Appearing at the South by SouthWest Austin Festival

    Sorry for the late notice, but I forgot to mention that I am in Austin Monday and Tuesday at the SXSW festival and conference.  Monday at 10am I am on a panel "revisiting commercial open source business models".  If you are at the show stop by and say hello before or after.  I will be around the show, the rest of the day as well.  I hear it is a great event and am looking forward to a good time and meeting some folks.  Drop me an email at alan at stillsecure dot com.

    February 22, 2007

    A busy day in the press

    Not to blow my own horn (but if I don't, who will), I usually don't mention in my blog when I am quoted in the media.  Frankly, with the great job our PR team led by Sonya Hasafus does, Mitchell and I are quoted in the media quite a bit. However, it is not every day I am in the NY Times.  Growing up in NY, the Times was always "the paper of record".  Anyway, they had an article today about successful startups.  Some of the numbers and dates are wrong, but what the heck. 

    While I am at it, I was also in Processor today in relation to my post and paper on vulnerability assessment being dead.  Ross Brown and some others are quoted as well, but I kind of liked that it was my premise on the changing nature of the VA and VM market that drove this conversation. Pretty cool if I do say so myself.  Finally, I met with Tim Greene of Network World, who covers the NAC scene for them.  Tim featured us in his NAC newsletter today.  Tim is very influential and widely read on NAC and I was pleased he highlighted us.

    The links for all three articles are here:

    The NY Times article: http://www.nytimes.com/2007/02/22/business/22sbiz.html
    Processor article: here
    InfoWorld newsletter by Tim Greene: http://www.networkworld.com/newsletters/vpn/2007/0219nac2.html

    February 09, 2007

    What happened to day 3 of our RSA podcast?

    Well the answer can be summed up in 3 bullets:

    1. Mitchell is lucky most of his necessary organs and appendages are attached to his body.  First he lost his Motorola Q phone on the shuttle bus from the show.  Luckily he had phone insurance and was able to get a replacement. Of course he lost all of the numbers and info stored on the phone.  Then at the bloggers party (more on that later) after a full day of recording some great interviews (including a fantastic discussion on booth babes with Ross, Rothman, the Phantom Blogger and me), Mitchell leaves the damn, brand new portable recorder at the place and it is now gone!  They don't have portable podcaster machine insurance so Mitchell is out on that one.  Frankly, I wouldn't have been quite so heartbroken if we had at least downloaded the audio files on there.  I am going to start bringing a tag with Mitchell's name and phone number as well as the hotel he is staying at for Mitchell to wear at these events, in case he gets lost too.

    2. In the immortal words of Dean Wormer in Animal House, "fat, drunk and stupid is no way to go through life". I try not to get too crazy at shows and make sure I get a good night's sleep, as my schedule at these things is usually packed.  Well, I was so excited about meeting so many virtual friends in person at the bloggers party, I went to three more places drinking with the boys and stayed out until almost 3am.  Even with Mitchell losing the podcasting equipment, I still could have put an update on the day's activities up. I didn't when I finally got to my room, because I was afraid at what drunken ramblings would find their way on to the blog.  I guess Mitchell was not as worried about that. Instead I threw my clothes all over the room and went right to bed.  Four hours later, I woke up still buzzing and headed over to the show before going back to pack and finally flying home.  I think for the next show, I am going to go on a diet, so I will just be drunk and stupid.

    3. The Blogger/Podcaster party- As Martin, Michael Farnum, Rothman, Mitchell and I don't know how many others have mentioned, the party even exceeded our expectations. I have not had this much fun in a long time.  I was really looking forward to this event for a long time. I really felt like I knew most of these folks already.  Some of them like Farnum, Martin, Rothman and even Ross, I count on as my blogger family (maybe posse is a better word).  I can't wait for next year's show and have some ideas I will be blogging and discussing later.  One fact that was really heartening to me was that most of the folks there were also part of the Security Bloggers Network.  The network has really picked up and if any security blogger/podcaster wants to join, drop me a line at podcast@stillsecure.com. Also, Rich Mogull is someone I was really looking forward to meeting. I think we will continue to keep in touch and become fast friends.  As a result of the good will and free drinks (thanks Microsoft and Fortinet), it resulted in me continuing on a binge for the rest of the night. As Michael mentioned I did have an altercation with a cab driver, but it was all in a night's work. I am not going to rehash it here, Mitchell and Michael can if they want.  Just another moment with Shimel, as far as I am concerned.

    So, I have no update for day 3, the dog did not eat my homework and now you know why.  If I can ever get around to it, I will try to

    February 07, 2007

    Has the security industry outgrown booth babes?

    So RSA was a circus today.  It is bigger and better than ever.  What else was great was walking around the floor with Mitchell.  We were blown away by how many people recognized us from our blogs and podcast.  It was flattering to say the least.  However, one thing I did not like was that some companies still think the way to sell security and get people to come to your booth is by exploiting women. Hiring booth babes and dressing them in skimpy outfits to appeal to the nerdy computer geeks, who would never get the time of day from girls like these, is degrading and has no place in our business.

    Now I am no prude and realize that sex sells.  However, there is a time and place for it and the security industry trade shows are not it.  I find it debasing and exploitative of the women involved.  It is also disrespectful to the intelligence of the show attendees who are here to find out about security.  I think it is also incredibly disrespectful to the legitimate women working at these companies. What message is being sent here? What is the connection between scantily clad women and security?  None, that I can see.  This is so 1970's, it is an embarrassment to us all. I think the marketing people at these events should get with the program and realize it is more than just not PC to have booth babes, it is not the image that a competent security company wants to project and is bad for business.  I have put up some pictures Mitchell and I took at the show today showing what I mean.  Also, one female security professional I spoke to said, the fact there are no men booth babes (is there such a thing?) makes it even worse.

    For my part, I say booth babes are sleazy marketing at its worst and should not have a place at our table.

    February 06, 2007

    Live from RSA, it's StillSecure, After all these years

    Join Mitchell and me from the first evening of the RSA show and the Americas Growth Capital Conference in San Francisco.  We discuss the day's events and the themes we see developing.  We also interview some of the people we ran into.  Tonight's guests are:

    Maria Lewis Kussmaul, CFA, Founding Partner, Americas Growth Capital

    Abe Kleinfeld, CEO, nCircle

    David Hughes, CEO, Reflexion Networks

    Erich Baumgartner, VP Sales and Marketing, Ingrian Networks

    We will have more from tomorrow's sessions.  In the meantime any questions or comments can be sent to podcast@stillsecure.com

    Thanks to ClickCaster for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com.  Music transitions between segments are by our own Mitchell Ashley!

    http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-live-from-rsa-day-1.mp3

    February 03, 2007

    Packing for security sleep away camp

    Packing tonight for RSA/Americas Growth Capital Conference.  I am leaving in the morning and arrive in San Fran around 5pm.  Between suits for when I am speaking, business casual for the show, clothes for at night, work out stuff and sneakers, my guitar, podcasting equipment, computers, cameras and lots of cards, I am going to have to take two suitcases and two carry on bags.  I feel like I am packing to go away to security sleep away camp.  Hope it is all worth it and I have a great time.  I will be reporting every night from the show.  Mitchell and I are going to try to do some on site interviews as well.

    See you over there.

    alan

    UTM Smackdown

    No this is not some new show on Spike TV about wrestling or ultimate fighting (at least I hope it doesn't degenerate into that).  It is the panel I am on at RSA. Hosted by the irascible Mike Rothman and featuring Christofer (I spelled his name right) Hoff from Crossbeam, Alex Quinonez of Astaro, Mr. Network Fabric, Richard Stiennon, newly installed at Fortinet and yours truly.  Rothman has done tons of preparation for this, sending out a 2 slide outline with about 4 questions.  The good news is with this group, that is probably enough to keep us going for about 2 days. It promises to be a free for all, no holds barred look at approaches to UTM.  It is scheduled for Wed at 10:40am.  If you are free and not squeamish about the sight of blood, stop in and have a look.

    January 31, 2007

    Monday at America's Growth Capital Information Security Conference

    On Monday, the day before RSA, I will be presenting once again at the America's Growth Capital Information Security Conference.  In only its 3rd year the conference is quickly becoming a tradition on the day before RSA.  It is a great forum for most of the leading public/private security companies to present to the financial community.  For me more importantly, it is also a great business development opp with many CEOs presenting and the decision makers on the scene.  I don't think it is too late to request an invite if you hurry.

    There are like 77 private security companies presenting and 24 public companies.  These 100 companies represent a wide swath of the security industry and it promises to be a don't miss meeting.  Also for those getting in early on Sunday they are throwing a Super Bowl party and the American Stock Exchange is sponsoring a post-conference cocktail party.  Of course RSA's opening reception is about that same time.  Ah the life of a Chief Strategy Officer, so many parties and so little time!

    January 30, 2007

    Some special stuff planned for RSA

    Well the buzz is really building for RSA. This year's show is really shaping up to be a great one.  I was given my schedule today and I am booked for large chunks of the day and night from Sunday through Thursday.  It should be great, but I will make time to walk around and see what is new as well.  Mitchell and I are planning some blogging/podcasting surprises with some new equipment.  Mitchell is such a gadget guy, he is all stocked up.  Be sure to check our blogs each night of the show for the latest.

    In the meantime if you are going to be at the show and I am not already scheduled to meet you and you would like to meet me, drop me a line or leave a comment.  I would really like to hear from folks who either read the blog or listen on the podcast.

    December 18, 2006

    The future of vulnerability assessment

    Growing out of my article on VA being dead, I was interviewed by Kelly Jackson Higgins at Dark Reading.  The article, called Vulnerability Tools Get Teeth, talks about what is going on with vulnerability assessment and what it is evolving to.  It quotes me a bit, but also has some views by Ron Gula of Tenable Network Security, Tim Keanini of nCircle and Mike Rothman of Security Incite.  They all have their own views on what is happening with vulnerability assessment.

    What is really interesting to me about this is that I am planning a podcast right after New Year's with a panel on the future of vulnerability management.  So far accepting invitations, if we can get the timing down are none other than Ron Gula, Tim Keanini and Mike Rothman.  They will join Mitchell Ashley, StillSecure CTO and myself in what should be a great podcast.  I also have an invite out to one other player in the vulnerability space and am waiting to hear back from him (you know who you are).  Stay tuned for further details on what should be a great show.  I get a kick watching how things I blog about make their way into mainstream press.  I guess it feeds the ego that all bloggers I think have and is one of the reasons we blog.

    November 14, 2006

    Globalpress IT International Press Summit

    I had the pleasure yesterday of being down in Monterey, CA for the Globalpress IT International Press Summit. The event was held at the beautiful Monterey Plaza Hotel & Spa.  It is right on the beach at Monterey, right near the aquarium.  It was great during lunch, watching sea otters and seals frolic in the kelp beds.  I was there appearing on a panel on Security: From the inside out and the outside in.  It was moderated by Amrit Williams of blogging fame (and oh yeah, Gartner too!) and featured besides myself, Gregory Toto of BigFix, Paul Miller of Symantec and Todd Thiemann of Trend Micro.  It was good to sit down with Gregory, as well as with the rest of the folks there.  The audience was made up of international press and I was surprised by how technical the journalists were.  Also, Amrit (who is wise beyond his years) made sure that Greg Toto and I had some time to sit down together and chat and do the security bonding thing.

    Anyway, if any of you have a summit or event on the beach at Monterey or at a similarly situated location and would like me to come down and appear please drop me an email ;-)

    October 23, 2006

    More on Less Than Zero

    So it seems some of the media have picked up on my Less Than Zero posts. Today the IT-observer, SecurityPro News and IT News Online all ran with the story.  I was also interviewed by a few other media outlets and will see if they run with anything.  It seems there is just a tremendous amount of confusion around this stuff still.  I don't think we have seen the last of it either.  Will keep you posted, but am interested in others' thoughts on this as well.