24 posts categorized "Michael Farnum"

May 08, 2008

Vendors aren't changing focus, you were just blissfully unaware

My friend Michael Farnum, besides being a comic book nerd, blogs over at ComputerWorld. Michael writes today about his opinion that vendors have changed focus from concentrating on the tech geeks to focusing on the business decision maker. Michael's proof is rather subjective, but revolves around the fact that when he was a geek not in management, vendors used to wine and dine him to influence him to support their technology and tell his boss to buy their products. As he moved up to become a geek in management, he noticed the vendors shifting focus away from the technical stakeholder to the business stakeholder. Michael has a theory on some of the reasons for this shift of focus: the dotcom bubble, the evolution of IT, people making decisions on sound business principles, not on what technology is cool.

Michael, I say rubbish! I think that sales techniques haven't really changed that much from the 90's. Good selling always involved courting the three stakeholders - technical, business and financial. It is just that, as a green (meaning new, not environmentally friendly) geek, you were not even aware that the vendors courting you were also reaching out to your management team and the business and financial stakeholders. You were blissfully unaware that the vendors you were dealing with had a full court press going on. Instead you went to a nice dinner, a ball game and got some t-shirts and other swag and thought you were making it happen for them. In the meantime your boss was getting tickets to the game too (I bet even better tickets) and nicer swag than you were! As you started to move up the chain, you just assumed that everyone must be moving up with you. That Ptolemaic or geocentric model of the sales process, with you at the center, is just your view from the inside, but sales people have been multi-threading into accounts for a long time.

Yes, during the dotcom era and even before that, sales teams used to spend a lot more on wining and dining. I still remember fondly the EMC sales teams of the mid to late 90's partying with their customers like it was 1999 (it was 1999). I was on the receiving end of many of those great dinners and other perks. With new economic times, it became less fashionable to lavish money in trying to buy business. But that more economically austere model did fundamentally shift the focus in sales from the technical to the business stakeholder.

Some companies, like Symantec for instance, have always concentrated on the business stakeholder more than the technical stakeholder. But Michael, in sales there is little new under the sun. Just because you have begun to become aware of it, don't assume it has not always been so.

April 25, 2008

Holier than marketing people - not!

So here is one of my pet peeves about the IT world. Too many "technical" people consider themselves (pick one:) superior, smarter, more ethical, better than their marketing counterparts. Hey people, everybody is selling something all of the time, even if it is themselves. Case in point, a recent "spat" between my bud Mike Rothman and another friend, Misha Govshteyn. Now Rothman and I go back a bit and have had our share of blog bad blood, but all in good spirit. Misha is a good guy too. Anyone who knows where to find a schmaltz herring in Houston after all can't be too bad. And my friend Farnum, who serves as the peanut gallery in this story, is solid as well. OK, now that we have the players, let's lay out the story.

It seems that Alert Logic had a webinar titled "Simple & Affordable PCI Compliance w/ Alert Logic". Mike thought that this was very misleading marketing from the slimy, no ethics, don't understand the real pain marketing folks at Alert. They are preying on the simpletons who are responsible for security and PCI compliance in the world, and Mike delivers his full venomous wrath (according to Misha anyway, I bet Mike could be worse) on Alert Logic and their marketing team. Misha then responds with his own venomous wrath, that Rothman is literally full of baloney, a shameless self-promoter on par with Michael Savage. To add fuel to this fire comes Michael Farnum, who tells Misha in his comments that while he likes Alert Logic, "many manufacturers use their marketing as fly traps."

OK, here is my take. To Mike Rothman: come on Mike, you never did anything like that when you were a marketing guy? What are you, some kind of reformed smoker? What would you have them name the webinar: "PCI is hard and our stuff can only help a little"? Give it a rest. Also, a little respect for the people they are marketing to. I think they realize what is what and can separate the bull from the cream. To Misha: hey, at least Mike gave you some PR. I understand your frustration, but instead of pointing at everyone else, say "we stand by the name" and that does it. Most of all, to my buddy Farnum: dude, we know what you do, it is just a question of price. If those Venus Fly Trap marketing people weren't drawing people in, you would have to have a second job to feed the family and may not have the leisure time for blogging.

But seriously folks, marketing people have a hard job too. It is not that they are not technical or don't understand what is involved in PCI compliance or the like. It is their job to make these webinars appealing. I don't think most marketing people think of what they are doing as misleading. They try to make these webinars deliver as advertised, the same way engineers try to make a product work as intended. Let's understand that it "takes a village" to develop, market, sell and support a product. Everyone has their job to do, and for the most part they do it the best they can, and again for the most part with the highest of professional standards. Thinking that marketing people are slimy fly traps does a disservice to them and the people they market to, and frankly comes across as self-serving arrogance.

March 26, 2008

Is there a better way to design interfaces?

Michael Farnum has a great post up today wondering if we in the security industry have been stifling our creativity by designing all of our management interfaces in one of two paradigms: the GUI look and feel pioneered by Checkpoint, or the command line standard that Cisco has made their own. It struck a chord with me because it was actually the second time I have heard the same comment this week alone. In speaking with one of the big analyst firms, our own VP of product strategy, Andrew Grealy, made the same comment.

This actually goes to the heart of what we are trying to do, especially with our Cobia product. We think there has got to be a better way. Why can't products just work, the way Apple does it, for instance? So many things in the Mac interface are binary. You plug a mouse in; you don't get a message that the system has detected a new pointing device, go through the install and maybe have to pick a driver. You plug it in and the mouse works. If it doesn't work, something is wrong. Andrew has some great ideas on this around security. Instead of plugging in your IPs and stuff, wouldn't it be great to just tell your security product to protect your web servers? Is there a better way to let you manage a firewall? We think there is.

At StillSecure we have a history of creating easy-to-use GUIs that are powerful yet intuitive. Andrew and his team are working on a rework of our Cobia GUI and some of our other products that we think are going to break out of the Checkpoint/Cisco mold once and for all. We hope the market will reward the innovation and the easier way to do business.

March 13, 2008

Sitting on your hands is not an option - FUD, Compliance, what will it take to sell security?

Michael Farnum has a good post up today about a customer of his over at Accuvant. In a real life reenactment of every security vendor's dream (come on, admit it), while the customer was procrastinating about whether to spend the money on security or not, they were pwned. Michael says this is the second time this has happened since he has been at Accuvant. Obviously nothing loosens up the purse strings like a real live security "incident". However, as an industry we can't rely on a security breach happening at the moment a customer is contemplating a security purchase to drive the sale through.

What does drive the security sale? Over my years in security I have seen the answer change from FUD to compliance. There was a time when to sell security you would ask your customer: what would happen to your business if your network was brought down? What would happen if your IP was stolen? What would the negative publicity of a security breach cost you? Of course some of these questions could be turned on their side into the infamous Security ROI argument. But whether or not security can show a true ROI is highly questionable, and I am from the school that it does not really exist. Then, about 5 or 6 years ago, we started to see compliance becoming the driver. The first big driver in compliance for me was the Gramm-Leach-Bliley Act for the financial industry (when was the last time you heard that as a driver for security?). Then, always on the horizon and promising more than it actually delivered, was HIPAA. Of course, as Ilena Armstrong says, "...HIPAA, say it with me now, 'had no teeth.'" After HIPAA, California's breach notification law served as a model for many other states and finally brought some real compliance drivers to business outside of finance and health. FISMA brought the fear of God to the federal space.

Of course these all paled in comparison to the twin giants and darlings of the security industry, SOX and PCI. Have there ever been two sweeter words to the security industry? I remember speaking to security consultants who would relay how, in their sales pitch to C-level execs, they would tell them that failure to do something now about SOX could put them in jail. How did they look in stripes? PCI is still driving the merchant world security business and I don't think we have seen it peak yet. Yes, how sweet it is.

But what is next for the security industry? What is going to make people buy security next? Can we rely on the next gimmick or sales angle? Will there be a new statute, rule or regulation? Will a security breach scare the rest of us into doing something? Should we just wait around for our customers to get pwned and then come in like the cat that swallowed the canary with the magic bullet (even if there is no such thing as magic bullets)? Or maybe, as Bruce Schneier says, people will just start expecting security as part of what they buy, not as a separate entity. They don't need to buy products that secure their network; they buy a network that is secure. Bruce says it better than I here:

Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.

It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

To be fair, Mike Rothman has preached a similar heresy for some time as well. I use the term heresy because writing this article I feel a little like Jerry Maguire having a moral epiphany. However, the more I see and hear and learn, the more convinced I become that StillSecure's emphasis on convergence is actually an offshoot of this truth. People are going to want secure networks, secure endpoints, secure products, not products that secure them. Security companies that recognize this fact will succeed in the years to come; companies that do not will be the dinosaurs of tomorrow.

January 28, 2008

It's about freedom of religion, stupid!

My friend Michael Farnum is a big boy and doesn't need me to stick up for him. But reading the comments to Michael's article on an admittedly mistaken DDoS attack on a school in the Netherlands that was intended against the Church of Scientology moves me to write. The overwhelming majority of comments seem to be negative to Michael's position. The comments, which are overwhelmingly from anonymous folks, seem to be from the no harm, no foul school of thought. However, underlying these comments, and more outwardly in others, is that the COS is a bad thing or is somehow worthy of DDoS attacks. That it was just a shame that this school got in the way, but pleeease give me a break about the poor students.

Now, I don't know a lot about COS and am not a member or even a fan. I know even less about the school in question. But I am a fan of the constitution of this country, which grants us all the right to practice religion as we see fit. I think the folks commenting with the no harm, no foul attitude miss the point. It isn't the fact that the school suffered little, if any, damage. It isn't even the fact that it was a school that was attacked. I have a problem with this group attacking any religion because they don't agree with that religion. I don't care whether it is Islamic fundamentalist sites, Christian sites, Jewish sites or any other religion, including the COS. People have a right to practice, and attacking them, either physically or via cyberspace, because of it by using illegal means is just plain wrong. If you want to do something about the COS, do so within the bounds of legality, and by all means have the stones to at least state your name and don't hide behind the veil of anonymity.

December 13, 2007

UTM=Linux+open source mash up?

I have been following the Don "Cutaway" Weber / Chris Hoff "dialog" around whether UTMs just add complexity and risk to the security equation. Of course the peanut gallery then had to join in. That Georgia peanut, Mike Rothman, puts in his 2 cents, and complete with a reference to Shinola comes Michael Farnum with his own play-by-play and color commentary. This in addition to lots of comments from various sundry sources like Andy ITGuy and others. Frankly, I was content to read, chuckle and keep quiet. However, something Michael Farnum wrote struck a chord with me and reminded me of a discussion I had with some folks at a large tech company recently.

Michael says that Don, Andy and that crowd are equating "UTM=big Linux box with a bunch of security apps thrown on it." Michael is of the opinion that "real" companies like Checkpoint, Fortinet, etc. don't use that and have "proprietary OS's that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it". To that I say, joke's on you, Vet. Many of the biggest names, including some of the ones you mention, do in fact take a Linux distro, pile on some open source, slap a GUI on and abracadabra, you have a UTM. Yes, they may have ASICs or custom silicon, but many of these UTMs are Linux, and many may have one or two non-open apps and then load the open source on from there. ClamAV, SpamAssassin, etc. are staples of these boxes. Yes, Hoff's old company Crossbeam may not follow this; their schtick (put that with your Shinola, Michael Farnum) was that they took best-of-breed apps and put them together on one UTM. But the rest are guilty as charged. Let me be clear. I am a big believer in UTM. I don't buy the single point of failure stuff; I don't buy the increased complexity and security crap. But Linux and some open source mash up with a smiley GUI is unfortunately the state of the art with many UTM vendors.

As I said earlier in this post, I was talking to a large tech company who wants to bring a UTM/network gateway product to market. In our discussions it was clear what type of applications they would want on the box. But no matter how much I tried to explain, and no matter how much I banged my head on the brick wall, they just could not understand that when you pile crap high, one on top of another, you end up with a high pile of crap! There has to be more to it. You need to leverage efficiencies; you have to make products work together. Customers want to manage these things out of one GUI, not a portal where you click on an app icon and it launches another browser window. You need a way for them to share information, licensing and user accounts. In short, you need a framework, much like we built with Cobia. If you think you can do a mash up of a bunch of open source apps all just running on Linux without any glue holding them together, you don't have anything worth buying. I suspect the tech company I was speaking to is going to find this out the hard way. I also suspect that many of today's UTM players who are not doing more than this are going to learn that hard lesson as well.

In the meantime, Don, Andy and the rest, you are spitting into the wind. The UTM train has already left the station. Though it may not account for 50% of network security purchases by 2011 as Stiennon and IDC project, it is gaining momentum every day. It is going to be tough to buy a standalone IPS or firewall in the near future.

October 12, 2007

What are friends for?

My bud Michael Farnum has an interesting, yet naive, post up about using friends as business contacts being potentially dangerous. I think Michael, being new to the "sales game", shows that he has a lot to learn about networking (I don't mean ethernet either), friendship and business. Michael's point is that when you "use" a friend to get into a potential new customer account, you run the risk of damaging the friendship if things don't go well. My reply in short is, "nothing ventured, nothing gained", Michael. But let's dig deeper.

I think there is a ton of business done through friends and acquaintances making introductions. In fact it is the norm rather than the exception. I also think it says a lot about you and your friend's expectations around your friendship if you think that the fact that your company's products or services didn't work as planned would kill your friendship. In sales this is a classic example of sales reluctance. Many unsuccessful sales people suffer from sales reluctance, and not wanting to risk a friendship is only one type of it. Here is a chart inspired by George Dudley, the founder of Behavior Science Press. It is his dirty dozen of sales reluctance as explained by Sales Champions:

The Twelve Faces of Sales Call Reluctance®

| Type | Description | Statistics |
|---|---|---|
| Doomsayer | Wastes energy worrying about everything | Loses three new accounts each month |
| Over-Preparer | Always getting ready; overanalyzes, underacts | Sells only 43% of annual quota |
| Hyper-Pro | Over-concerned about image and credibility | Presentation skills rated only average |
| Stage Fright | Uncomfortable speaking before groups | Loses $10,800 in annual gross sales |
| Role Rejection | Feels guilt and shame associated with the sales career | Four fewer new accounts each month |
| Yielder | Fears doing anything which might be considered intrusive | Impedes success of TQM programs |
| Social Self-Consciousness | Intimidated by "up-market" prospects with wealth, power or education | Sells 33% less of annual quota |
| Separationist | Uncomfortable enlisting friends to help network | Loses three new accounts per month |
| Unemancipated | Uncomfortable enlisting family to help network | Sells 15.5% less of annual quota |
| Referral Aversion | Hesitates to ask for referrals | Sales 19% under quota |
| Telephobia | Uncomfortable using the telephone to prospect or sell | Earns $10,000 less commissions annually |
| Oppositional Reflex | Emotionally unable to allow anyone to manage, coach, advise or train | Defaults nine new accounts per year |

Michael, you fall under the separationist category. You are losing 3 new accounts every month! What is interesting is that if the friends contact you, then it is OK to go in and try to "help" them. What happens if it goes south from there? Is your friendship OK because they came to you? What difference does it make who came to whom? If both parties recognize you are trying to help and doing your best, there should not be any long term effects on the friendship. Don't worry, Michael, there is still hope for you yet.

What about the rest of you? Do you recognize any of your own traits in this chart? Are any of these holding you back from success? Don't think it is just selling products either. Remember, in one way or another we are all always selling.

August 24, 2007

Having your cake and eating it too

A while back I left a comment on a post my good friend Michael Farnum wrote about a recent sales call he made along with a vendor partner to a potential customer. It started a bit of a dialog between Michael and me and some others about what the expectation should be for a VAR or reseller's engineer selling a vendor's product. Today the Georgia peanut gallery weighs in by way of Mike Rothman.

Let me first of all say that I get it. As a vendor, my expectation that the VAR/reseller's (should there be different expectations between a VAR and a reseller?) engineers should be proficient in my products is pie in the sky. Today's VARs sell too many products and have too much to learn to really know it as well as my own people do. What I don't buy is that they are not making enough margin on the deals to make it worth their while to learn. Yes, VARs may fall over themselves and cut their own throats on a Cisco deal and wind up with less than 5% margin, but VARs selling products from smaller companies like StillSecure routinely make 25 to 30% margins on sales. Granted there is a lot more demand and business from Cisco, but you have to decide whether low-margin, high-volume is your game or not.

So if, as a vendor, I should not have an expectation of the VAR engineer being proficient in my product that he is selling to his customer, what should my expectation be? Yeah, I know that they all worship at the altar of customer satisfaction and trusted security adviser. But making sales and money is ultimately what they are there for. Let a few bad quarters of sales go by and watch how quickly they convert to the god of the almighty buck.

Let me give you an even better example: post-sales professional services. VARs like to claim that they add value by adding services and support. They don't want the vendor to do the post-sale install, as that is high margin work that they would prefer to do themselves. So, what is my expectation as a vendor there? Should I not expect that if the VAR is taking it on themselves to install and implement the solution, they should have a level of proficiency in the product to properly do so? I would think the answer is obvious, but it is not. In fact with things like NAC, I see lots of VARs that, though they want to make the money from pro services, don't have the network expertise and the product specific expertise to do it right. Before we learned this lesson we had several customers that we had to come in ourselves and rescue because the VAR's limited knowledge really screwed the pooch.

Now, we just tell the VARs that we understand their model. We will do the pro services and implementation ourselves and still give the VARs the margin on it. It actually is more profitable for them to do it that way than for them to have their own people do it. Mike Rothman says I am trying to buy their business. Maybe I am. But I am also trying to make sure that the customer gets the solution he paid for, working the way it was intended. Is that such a bad thing?

August 10, 2007

People buy from people

My friend Michael Farnum has a blog article up over at Computerworld that talks about how building relationships with customers is vital. He talks about how difficult it is to break into a new area. Michael goes into some of the methods he has used to forge initial relationships with potential new customers. Michael is still fairly new to the "selling game", but he has had an epiphany that anybody who has sold for a while has had. Forget technology and features: people sell to people and, more importantly, people buy from people!

Yes, it sometimes seems that everyone already has a relationship with one of your competitors, and forging relationships in a new territory is a tough job. But when you get under the covers you find opportunity. People move or change jobs, situations change. One thing I have learned is never underestimate the ability of your competition to screw things up. Many great relationships we have forged have come about by coming in and helping to clean up someone else's mess. Another important lesson I have learned is that networking (not the ethernet kind) is key. Forging a new relationship is much easier if there is a 3rd party who knows both parties, makes the introduction and shepherds the relationship. There is an old saying about 1 happy customer. Of course there is another saying about 1 unhappy customer being louder than 10 happy customers. So I guess that comes down to: do right by others and it will pay you back over and over again. Sort of like pay it forward.

Michael brings up 4 specific ways that he bonds with customers. As I have gotten older, I have realized that there are literally infinite ways to bond with people, whether they be customers or not. I remember being younger and laughing at my grandmother's ability to just strike up a conversation with anyone and seem to share what I considered intimate details with them. Well, truth be told, I sometimes find myself laughing at myself now for doing the same exact things. It seems to get easier and easier to meet and speak with people now. I guess the same can even be said for speaking to women. Do you remember how tongue tied you were at 18 (at least I was, probably until I was 30 actually) in trying to speak to a girl? I think speaking to customers is the same thing.

One caveat though that I would caution Michael and others about is: don't try to hide the notion that you are there and selling something. I know Michael doesn't like to think of himself as a sales guy but as a trusted advisor, but make no mistake, they know you want to make money there somehow. I have seen too many younger and less experienced sales people try to make believe they are just there to help without any of their own goals being important. I think people see through that like a cheap suit. Be upfront about what your own goals are and how they dovetail with the customer's goals.

Anyway, I am sure that what I think I know now will pale in comparison to what I still have to learn. Michael, I would say the same thing applies to you. You are going to get better and better the more you deal with people. But always remember that people buy from people.

June 11, 2007

Class warfare among the "working girls"

My good friend Michael Farnum and I had a brief exchange this weekend regarding a post he had on managing expectations with customers. Michael is a straight shooter, who I know takes his responsibility to help his customers be secure seriously. There is no doubt in my mind that if he did not think he was the "trusted security adviser", he would have a tough time doing his job in good conscience. Michael likes to think of himself as the one "telling the customer the real deal". Michael positions himself and the role of the VAR as the defender of truth and justice, who separates the marketing from the reality and is the only one who tells the customer the truth. All of this in contrast to the vendor, who will do and say anything to make the sale.

I commented on his original article and Michael responded with this article. Let me summarize my feelings on this and then I will respond to some of Michael's specific points. To me Michael sounds a bit like an expensive call girl talking down to a lowly street walker. At the end of the day they are both working girls, who work hard for the money, but they are what they are. As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.

Let's look at some specifics. First of all, Michael assumes that only someone like a VAR would tell the customer that a case study or lab results are "done in pristine situations". Why would a vendor be disqualified from saying that? Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this? Especially if the vendor is selling install professional services along with the product. Come on now, Michael. Here is another one: only Michael would be able to enlighten "the naive customer" that trade rag product reviews are often rigged. First of all, I don't agree with that. Some awards are certainly rigged, but most reviews are what they are, and the reviewers believe what they have written. Second, most customers are already dubious about reviews anyway. Do you think a vendor would not tell a customer about a product review from a competitor being "rigged"? Same thing, Michael.

Michael seems to base his opinions on the low morals of vendors, compared to the beatific VARs, on a bad interview he had with a vendor a while back. Michael thinks a vendor would try to sell a product that was not a good fit. Now Michael, if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR? I doubt that very much. However, just because you don't send them to a competitor does not mean you would force a square peg into a round hole. You ask what we train our people to do. Exactly that. Don't waste time trying to make square pegs go into round holes. Go on to the next opp and hopefully it is a better fit. Michael, you say that if you sell a bad product to a customer they won't be a customer anymore; in the vendor world it is the same thing. Most vendor sales people have sold to the same customers over and over again throughout their careers. It is not some sort of pump and dump scheme over here.

Michael, here is another example you cite: the vendor who is upset with you for bringing in his competitor on a deal. Of course he is. You would be too. In fact you are upset by it, and you even say that your dander was up because the vendor admitted he wanted another reseller in there. You wouldn't mind the vendor suggesting another reseller? See the point?

Here is the bottom line, my friend. As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell. As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain. When you try to make yourself better by stepping on the back of those you perceive below your level, remember to take a look from on high to see what really separates you. In other words, to quote someone else who really was on a level above, "let he who is without sin cast the first stone".

March 30, 2007

Revisiting "The End"

Remember The Doors tune "The End"? For me it always brings back memories of the film Apocalypse Now. Coppola's story - Martin Sheen, Marlon Brando, a nightmare in Vietnam with Stones and Doors music playing in the background. One of my favorite classes in college was movie soundtracks (hey, I was a political science/liberal arts major, give me a break). For the final, we had to watch a movie in the theater and write about how the soundtrack affected the movie. I did it on Apocalypse Now and have never forgotten this song and The Stones' "Can't Get No Satisfaction" and how they both made that movie. That class also taught me how important the soundtrack is to any movie. Try watching a movie without the soundtrack next time and see how the movie loses something.

Anyway, how did we wind up here?  Oh, yeah, the end.  I wrote earlier this week about SSL decryption before it reaches its end. It was based on an article by Michael Farnum over at ComputerWorld. In response to my article, two readers left comments, Knujlla and Landon Lewis. Both said that the risk of malicious traffic hidden inside encrypted traffic was high and that once the traffic was inside your "managed" or "trusted" network it was OK to decrypt it.  While I realize the danger of letting non-inspected traffic in, my point was exactly about the trusted-managed network part.  Is there really such a thing anymore as a trusted network? I don't think there is for the most part.  Just because you are inside the perimeter does not make it safe.  Unless you are going to decrypt and then re-encrypt it, you are going to send it in the clear and it can be sniffed, snooped or otherwise found out and potentially exploited. Ultimately I think you have to weigh the risk of not inspecting the SSL traffic (maybe based upon where it comes from) against the risk of having that information purloined inside the network. As long as you weigh the risks and understand them, I think you make your call and live with it.

In the meantime, if you have never seen the movie, I highly recommend it!

March 29, 2007

SSL offloading - when is the end not the end

Michael Farnum has an excellent article up over on ComputerWorld today about SSL offloading.  Michael makes an excellent point that with so many devices decrypting SSL traffic before its intended "end", if that information is then compromised, someone has some 'splaining to do.  A reader comments that he does not consider it too serious a problem, that SSL was meant to ensure end to end encryption and they just replaced the end.

Reading this article brought back flashes of when McAfee IntruVert first started touting their ability to decrypt and inspect SSL traffic.  They would decrypt at the IPS (often at the gateway) and then send it in the clear to its destination. I thought it was a bad idea then and I think it is a bad idea now.  SSL was intended to encrypt end to end.  When you hijack the end and then send that data in the clear you are defeating the whole purpose of using it in the first place. I understand the need to inspect this traffic, but decrypting this traffic before its "end" is not an acceptable answer for me and is too much of a risk.  Michael is dead on!

SSL offloading / accelerating / load-balancing is scary - Computerworld Blogs

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


February 09, 2007

What happened to day 3 of our RSA podcast?

Well the answer can be summed up in 3 bullets:

1. Mitchell is lucky most of his necessary organs and appendages are attached to his body.  First he lost his Motorola Q phone on the shuttle bus from the show.  Luckily he had phone insurance and was able to get a replacement. Of course he lost all of the numbers and info stored on the phone.  Then at the bloggers' party (more on that later), after a full day of recording some great interviews (including a fantastic discussion on booth babes with Ross, Rothman, the Phantom Blogger and me), Mitchell leaves the damn brand-new portable recorder at the place and it is now gone!  They don't have portable podcaster machine insurance, so Mitchell is out on that one.  Frankly, I wouldn't have been quite so heartbroken if we had at least downloaded the audio files on there.  I am going to start bringing a tag with Mitchell's name and phone number, as well as the hotel he is staying at, for Mitchell to wear at these events, in case he gets lost too.

2. In the immortal words of Dean Wormer in Animal House, "fat, drunk and stupid is no way to go through life". I try not to get too crazy at shows and make sure I get a good night's sleep, as my schedule at these things is usually packed.  Well, I was so excited about meeting so many virtual friends in person at the bloggers' party, I went to three more places drinking with the boys and stayed out until almost 3am.  Even with Mitchell losing the podcasting equipment, I still could have put an update on the day's activities up. I didn't when I finally got to my room, because I was afraid of what drunken ramblings would find their way onto the blog.  I guess Mitchell was not as worried about that. Instead I threw my clothes all over the room and went right to bed.  Four hours later, I woke up still buzzing and headed over to the show before going back to pack and finally flying home.  I think for the next show, I am going to go on a diet, so I will just be drunk and stupid.

3. The Blogger/Podcaster party - As Martin, Michael Farnum, Rothman, Mitchell and I don't know how many others have mentioned, the party even exceeded our expectations. I have not had this much fun in a long time.  I was really looking forward to this event for a long time. I really felt like I knew most of these folks already.  Some of them, like Farnum, Martin, Rothman and even Ross, I count as my blogger family (maybe posse is a better word).  I can't wait for next year's show and have some ideas I will be blogging and discussing later.  One fact that was really heartening to me was that most of the folks there were also part of the Security Bloggers Network.  The network has really picked up, and if any security blogger/podcaster wants to join, drop me a line at podcast@stillsecure.com. Also, Rich Mogull is someone I was really looking forward to meeting. I think we will continue to keep in touch and become fast friends.  The good will and free drinks (thanks Microsoft and Fortinet) resulted in me continuing on a binge for the rest of the night. As Michael mentioned, I did have an altercation with a cab driver, but it was all in a night's work. I am not going to rehash it here; Mitchell and Michael can if they want.  Just another moment with Shimel, as far as I am concerned.

So, I have no update for day 3, the dog did not eat my homework and now you know why.  If I can ever get around to it, I will try to

January 24, 2007

Farnum getting feisty!

Michael Farnum has been really letting loose on his Information Security Place blog lately.  If he doesn't watch out, someone is going to accuse him of being a blog bully or, even worse, a Rothman wannabe!  The latest victims of his ire are Cisco and Cybertrust.  It seems Cybertrust has given their rubber stamp of approval to some Cisco setups that will somehow make the user PCI compliant.

Michael is right on here.  There is no magic wand or correspondence course for PCI compliance (well, maybe Qualys, but I digress).  I don't care what subject matter expertise Cybertrust used to validate the Cisco solutions to make sure they are optimized for PCI compliance. Every merchant's situation will be different.

We went through the same thing getting our solutions certified to help with PCI.  Though I can show how the StillSecure solutions can help and what specific sections of the PCI regs each StillSecure solution can help with, it still does not give you automatic compliance.  As Michael points out, Michael Crawford on ComputerWorld-Australia calls BS on vendors selling PCI compliance.

The moral of this story is that there are no short cuts to good security.  That sounds pretty pragmatic to me. Michael, keep up the good work!

January 14, 2007

Bump in the wire - what side of the toast is your jelly on?

So my esteemed colleague and friend, Chris Hoff of Crossbeam (sounds like we are US Senators or something), takes offense to some of what I wrote earlier about the bump-in-the-wire statements of Brian Smith of 3Com/TippingPoint.  First off, let me say that Chris is right, usually we are on the same page on most issues that float around the security blogosphere. However, there is something that will cause us to disagree almost every time.  That is when his best interests and those of Crossbeam don't coincide with mine and those of StillSecure.

Chris is right, Tipping Point is certainly a competitor on the IPS front and I think will try to move into the NAC market as well (they may already have, if you listen to them).  However, Chris's view, we should be clear, is influenced by his biggest competitor being Cisco, a company who is moving security into the switch and network infrastructure in a big way.  So I would expect Chris to take a contrary view on this one.  However, at the end of the day I suspect we don't disagree as much as it appears. I think the knot at the center here is how we define bump-in-the-wire.  Also not to be ignored is the view of Michael Farnum, who, unlike Chris and me, does not have a vested interest here.  Actually, on second thought, Michael is not the innocent he once was, now that he works for a security VAR. I am not sure what the Accuvant line card is on this though.  However, I do believe Michael would do nothing less than give us his honest opinion here.

So two issues:

1. Tipping Point, like it or not, is part of 3Com, a company that very much wants to be a player in the switch market.  Part of the reason they paid something like 17 times revenue for Tipping Point was the idea of converging networking with security.  If, as Michael says, they are late to the game and destined to be a 3rd rate player at best, I can understand the reluctance by the Tipping Point people to closely associate themselves with 3Com.  Maybe this is the real reason they want to pursue a strategy other than integrating the security into the switch and router.  They don't want to pull down their highly regarded IPS by marrying it to sub-par switches.  OK, I don't think Chris would argue this one and I think it is the crux of Michael's point.  My opinion is that Tipping Point has to get over themselves.  The long term prosperity and even the very survival of 3Com is tied into Tipping Point's security business dragging up the 3Com switch business.  The sooner they get to it, the better off 3Com will be long term.  Frankly, I am surprised 3Com has not put their foot down on this sooner.  However, with a new CEO there from the switching side, maybe this will change soon.

2. What is bump-in-the-wire security good for?  Here is where Chris and I disagree. When I talk about bump-in-the-wire security, I am talking about traditional IPS blocking.  You are either blocking the IP address, the port or actually dropping the offending packet that is triggering an attack alert.  Early IPSs did not have to be in line to do this; they relied on external firewalls to block.  The out of band IPSs, however, were quickly replaced by the in line versions such as Tipping Point.  Of course this was fine when the only place you wanted IPS was at the border or perimeter.

With the advent of internal IPS monitoring, multi-segment IPS became prevalent.  The reasons are many. One is what else are you going to do with that big honking box, if your line is only 10/100/1000?  Another is that you don't want to drop boxes, as Chris says, "willy-nilly across the network".  By having a big box that can handle multiple segments on your internal network you can cover the enterprise with just a few boxes, albeit ones that cost six figures each.  Yeah, Chris is right, this is best suited for big companies and carriers, but I am not going to hide behind that one here, so rest easy my friend.  My point is this whole paradigm is fine if all you are going to do is perform IPS.  When you move beyond that, there are scalability issues with bump-in-the-wire unless you are going to morph into a switch yourself.  Go ask ConSentry, Nevis, Vernier Networks and those guys.  They will tell you that having to sit in line (and this is what I mean by bump in the wire, whether in multi-segments or not), you are going to have scalability issues.  These companies pray every day that some switch vendor will buy them and move their technology into the switch. In the meantime they are designing their products to be a switch as well.  Call them security switches if you will.  Tipping Point is already owned by a switch vendor; they should be moving it into the switch.

As far as Tipping Point's latest, biggest, baddest box that they are going to show at RSA a year late, Chris, you know as well as I do that that is all about who has the biggest one, in a contest where, at least in Tipping Point's mind, size does matter.

As for StillSecure working with switches today and tomorrow, you will have to wait a little while longer for our definitive word on this.  However, I will tell you that we have designed our products to have relevant parts work in a switch or router type of device.  Many of our partnerships with network vendors will explore this capability even further.

Bottom line Chris, is that bump-in-the-wire may be all right for IPS, but when you start moving into other network security functionality, being in line is a drag.

November 27, 2006

The Farnum who stole Christmas - Bah Humbug!

My friend Michael Farnum is, I know, a good person.  Though we have never met in person, from the many times we have spoken and exchanged emails, I know Michael is a straight shooter with a good sense of humor and most of all takes his responsibility as a security professional very seriously.  However, the road to hell, or in this case to Christmas, is paved with good intentions gone bad.  Michael has crossed the line here with his article about how companies should be responsible Internet community members by stopping their employees from online shopping with company resources.  I think he is off base here and using all the wrong reasons to justify his position.

Really, it comes down to two reasons to limit employees' online shopping during the holiday season.  The first is a productivity issue.  This is not the business whatsoever of the security or network admin. This is strictly a management decision.  Personally, if someone is not abusing the privilege, I think there is nothing wrong with letting an employee use the company's Internet connection to do some online shopping.  The alternative of shutting it down, I think, will do more to hurt company morale and spirit and wind up costing you more in productivity.

The second reason is for security purposes.  Frankly, I see some merit in this.  But if you have defenses in place, I think you have to give more credit to the user that they are not going to do something totally stupid.  On top of this, I think it is more than potential phishing attacks which you have to be careful of.  Are they downloading any spyware, key loggers or botnets?  However, good security in place for this type of malicious traffic should do the trick here, without having to prohibit online shopping.  I have not seen enough evidence to allow the security arguments to outweigh giving the users the right to surf for holiday shopping.  Of course I would monitor to make sure no one is abusing this.

In any event, what really ticks me off are people who really want to limit online usage by employees for productivity reasons and hide behind the security issue to justify it.  Releases like the one by St. Bernard that Michael refers to are the perfect example of this.  They don't make a clear case for either productivity or security but try to lump them together with a little FUD thrown in.  In any event, come on Michael, show your Christmas spirit and keep the employees happy!  Ho, Ho, Ho, Merry Christmas ;-)

November 02, 2006

Follow up from some comments

Sometimes people send me comments via email that don't make the comments section on the blog.  Some of these are important enough that I think you all should be made aware of them.  In that vein, Kim Markle over at Juniper informs me the acceleration technology for the Juniper BOBs comes from their acquisition of Peribit, not Redline.  Also, on the Juniper BOB article, Michael Farnum corrects me in that it seems the Juniper secure gateways do have some partner's AV and content filtering options available.  Thanks to Kim and Michael for the updates and education!

As to my post yesterday on Zillow, I committed a blogging faux pas by not linking to Martin McKeay when I called him out yesterday as Captain Privacy and asked him to comment. Martin actually formally responded to my post and you can read it here.  Both he and Andy ITGuy pointed out that the Zillow information was always available at the local tax records center, so what Zillow is doing is less invasive.  While I was aware of this, much of the information that Choicepoint keeps, or that search engine where you can look up people's facts (I forget their name now), is also culled from publicly available information.  However, it is the ease of availability and distribution that makes it too easy for the casual seeker that I think bothers me.  Anyway, thanks for commenting guys.

September 22, 2006

StillSecure, After all these years, Podcast #15

An All Star Cast brings you "Selling Security up the Ladder". In what may go down as a classic, tonight's episode of SSAATY is proud to give you:

Martin McKeay of Network Security blog and podcast and ComputerWorld

Michael Farnum of An Information Security Place and ComputerWorld

Bobby Dominguez of Sykes, Inc. and

Special Guest Star: Mike Rothman of Security Incite

Discussing how to make your executive team take security seriously and approve the budget and resources you need to secure the enterprise.  Don't miss this one!

We will return to our regular format next week.  Enjoy the show.

As usual thanks to ClickCaster for hosting my podcast. Tonight's music is again from Jon Schmidt, To the Summit.  You can hear more from Jon at http://www.jonschmidt.com.

http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-episode-15.mp3

September 18, 2006

Is this the "Golden Age" of blogging and podcasting

I was putting the final touches on the agenda for tonight's SSAATY podcast.  I think this is going to be our best podcast yet.  We have an All Star cast with a virtual who's who of security bloggers and podcasters on the panel.  The topic is selling security up the ladder.  The panel is made up of Martin McKeay of Network Security blog and podcast, Michael Farnum of Information Security Place, Michael Rothman of Security Incite, Michael Wright of MCWresearch and Bobby Dominguez of Sykes. To think that we could assemble such a distinguished panel on rather short notice speaks volumes about how powerful the blogging/podcast medium has become.  I also think that because we have not yet reached the point where blogging and podcasting has become too commercial (at least in regards to security), it is still possible to call on members of the community to do worthwhile shows like this.

My thoughts are that as the medium continues to grow and commercial pressure increases, we are going to leave behind this golden age of innocence where people are doing their blogs and podcasts as much for the passion as for the money and fame.  I saw it happen to the web and to many other things. I guess it is inevitable.  Until then, let's all enjoy it while we can.

In case you are interested, we will be recording tonight and I will be posting the podcast as soon as possible, within a few days for sure.  Be on the lookout as it should be a good one!  BTW, if this is the golden age of blogging and podcasting, does that make Rothman Uncle Milty?

August 09, 2006

StillSecure, After all these years, Podcast #10

This is episode 10 of StillSecure, After all these years.  Tonight I am joined by a good blogging friend of mine, Michael Farnum.  Michael, besides being a security stud, also blogs at An Information Security Place. Michael also has a blog up on ComputerWorld.  Michael and I are joined by my trusty sidekick, Mitchell Ashley, CTO of StillSecure and author of The Converging Network blog.  In tonight's episode we discuss:

  • Another Microsoft Patch Tuesday
  • Another computer gone from the VA
  • Vendors (security and others) always selling futures and why

It was a great show. I enjoyed speaking with Michael who really is a great example of the folks out in the real world who keep your networks safe at night (and day too for that matter).  Hope you enjoy!

As usual thanks to ClickCaster for hosting my podcast. Tonight's music is again from Jon Schmidt, To the Summit.  You can hear more from Jon at http://www.jonschmidt.com.

http://clickcaster.com/resource/audio/stillsecure-after-all-these-years-podcast-10.mp3

August 03, 2006

Pay it forward tip of the day

Today's tip of the day is going to be another obvious one, as I am here at Black Hat, it is late and I am tired ;-).  It is regarding OSes.  No, I am not going to suggest you switch to a Mac, though the MacBook Pros are hot! But at this stage of the game there really is no reason you should not be running XP.  If you are running XP, you should be running SP2 with Windows Firewall turned on (unless you have another personal firewall) and Automatic Updates turned on as well.  Just enabling this across the devices on the network will make a huge difference.

August 02, 2006

Security tip of the day

My friend Michael at MCWResearch has come up with a "pay it forward" idea for bloggers to give a security tip a day for a week. Michael Farnum has joined in with his tip here. I wanted to join in with a quick tip.  I am out here at Black Hat, so excuse the brevity.  My tip for today is a simple one.  Make sure you and everyone else in your company have your machines set so that you need a password to unlock the screensaver.  I can't tell you how many times I have walked into an office and seen confidential information displayed on screens with no one sitting at the desk.  It is not hard to set this up and it should be a company-wide policy that everyone has to abide by.
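Rather than walking the office to check screens, the settings behind this tip and the previous one (screensaver password lock, Windows Firewall, Automatic Updates) can be audited from the registry. The script below is an added example, not code from the original posts or from StillSecure; it reads the standard Windows registry locations for these settings, and the thresholds it enforces (a 15 minute screensaver timeout, Automatic Updates option 4) are my assumptions, not values from the page.

```powershell
# Added example: audit the endpoint baseline from the two tips above.
# Run in an elevated Windows PowerShell session so the HKLM values are readable.
# The HKCU screensaver values apply to the logged-on user; a setting pushed by
# Group Policy lives under HKCU:\Software\Policies\...\Control Panel\Desktop instead.

function Get-RegistryValueSafe {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value is missing: treated as "not configured" below
    }
}

function Test-ScreenSaverLock {
    # These three values are REG_SZ strings ("1"/"0", and the timeout in seconds as text).
    $desktop = 'HKCU:\Control Panel\Desktop'
    $active  = Get-RegistryValueSafe $desktop 'ScreenSaveActive'
    $secure  = Get-RegistryValueSafe $desktop 'ScreenSaverIsSecure'
    $timeout = Get-RegistryValueSafe $desktop 'ScreenSaveTimeOut'

    $findings = @()
    if ($active -ne '1') { $findings += 'Screensaver is not enabled' }
    if ($secure -ne '1') { $findings += 'Screensaver does not require a password on resume' }
    # Assumed threshold: an unattended desk should lock within 15 minutes (900 s).
    if (-not $timeout -or [int]$timeout -gt 900) {
        $findings += "Screensaver timeout is '$timeout' seconds (expected 900 or less)"
    }
    return $findings
}

function Test-WindowsFirewall {
    # EnableFirewall (DWORD) for the standard (non-domain) profile; 1 = on.
    $fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $enabled = Get-RegistryValueSafe $fwKey 'EnableFirewall'
    if ($enabled -ne 1) { return @('Windows Firewall (standard profile) is off or not configured') }
    return @()
}

function Test-AutomaticUpdates {
    # AUOptions (DWORD): 1 = disabled, 2 = notify before download,
    # 3 = download and notify before install, 4 = download and install automatically.
    $auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $option = Get-RegistryValueSafe $auKey 'AUOptions'
    $noAuto = Get-RegistryValueSafe $auKey 'NoAutoUpdate'
    if ($noAuto -eq 1 -or $option -eq 1) { return @('Automatic Updates are disabled') }
    if ($option -ne 4) { return @("Automatic Updates option is '$option' (expected 4: download and install)") }
    return @()
}

function Test-ServicePackLevel {
    # The post's baseline is XP (5.1) with SP2 or later; anything older fails.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ([version]$os.Version -lt [version]'5.1') {
        return @("Windows version $($os.Version) is older than XP")
    }
    if ($os.Version -like '5.1*' -and $os.ServicePackMajorVersion -lt 2) {
        return @("Windows XP Service Pack $($os.ServicePackMajorVersion) found; SP2 is the baseline")
    }
    return @()
}

$results = @()
$results += Test-ServicePackLevel
$results += Test-WindowsFirewall
$results += Test-AutomaticUpdates
$results += Test-ScreenSaverLock

if ($results.Count -eq 0) {
    Write-Output 'PASS: service pack, firewall, automatic updates and screensaver lock are all configured'
} else {
    $results | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Running it across the fleet (for example through a logon script) turns the "walk the office" check into a report of which machines still need the lock turned on.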

July 20, 2006

Is security outsourcing a viable alternative?

Michael Farnum, continuing his discussion about the never-ending list of responsibilities of a security manager, posts an article about using outsourcing to lighten the load.  I commented that outsourcing generally is good for commodity types of security, like firewalls, IDS, etc., but not for some of the more complex security functions.  CJ Kelly, another Computerworld blogger, comments that in her opinion there is never a good reason to outsource security.  While I don't agree with CJ, I think for certain functions and in the right circumstances it is OK to outsource security. I don't think the reason to do it is to save the overworked security manager time.

From an economic perspective, outsourcing does not save you any money.  For someone looking to stretch the dollar and get more bang for the buck, outsourcing does not deliver the goods.  In an earlier life I helped put together a company called Interliant.  We were an ASP, host and MSSP (before it was fashionable), and though we tried to sell the "outsourcing saves money" point, our own studies proved it did not.  If someone like Michael would take the money he is going to spend on outsourcing and hire a good, young security wannabe, I think he would get a lot more productivity and retain an important level of control versus outsourcing.

Besides the economics, the other outsourcing factor to consider is the quality of the tools that the MSSP uses.  Many use their own homegrown solutions based on the popular open source tools.  Though the underlying open source tools are good, the packaged applications the MSSP uses are generally not exactly best-of-breed compared to COTS (commercial off the shelf) products.  So, not only are you paying more, you are getting less.  There are other reasons to consider about outsourcing, including the stability and integrity of who you are trusting your security to.  I am not saying never to outsource, but I would think long and hard before I did, and I would make sure it was for the right reasons.