51 posts categorized "microsoft"

May 21, 2009

In search of Unicorns

Here at Interop the show floor was pretty dead yesterday. I had a chance to sit in the audience on a panel on NAC hosted by Mike Fratto. Mike had 5 panelists including a few friends of mine. It was pretty much the usual NAC panel. Steve Hanna from Juniper/TNC touting the standards that his group offers, Cisco saying they will support standards, HP ProCurve always loves standards, Microsoft actually being very pragmatic and then there was JJ. My friend Jennifer Jabbusch was her usual self talking as she sees it and giving quote fodder to the journalists like Michael Sean Kerner who wrote about the panel in this article.

Of course the media loves to jump on any angle as to why NAC has not brought world peace and helped cure cancer. So Kerner’s article screams that authentication is where we screwed up. He says the audience demanded to know when NAC is going to deliver on the promise. How can we have a standard without Cisco? Well I was in the audience too and had all I could do to bite my tongue and not say anything. But hey, that is why I have a blog. So let me respond here:

1. Authentication is where we screwed up. Who said NAC was about authentication? Listening yesterday you would think that 802.1x authentication was a direct result of NAC needing a secure authentication process. Guys, let's not put the cart in front of the horse. 802.1x offers a lot of other features and advantages besides NAC authentication. In fact it is the other way around. NAC vendors adopted 802.1x because it offered some distinct advantages. It was widespread in wireless networks. However, JJ is right. It is complex. There are a lot of moving parts. If you have not done everything right to implement 802.1x on your network, don’t bother trying to use it for NAC. But if you had, it does work like a charm. As I have said before, it is not for the faint of heart.

But back to my original comment. Originally NAC/NAP was not the authentication. NAC rode on top of your existing authentication. We as an industry have issues around easy to use, robust authentication methods. So this became NAC’s problem? A good NAC solution should be able to use the authentication system you are using. Authentication sucks? Look to the folks developing authentication. Hint: it is the same network vendors sitting on the panel. But let's not saddle NAC with this albatross.

2. Searching for the mythical NAC Unicorn. Fact is there was one member in the audience who was quite vocal (no, not me) and kept insisting that NAC would not be real until everyone adopted one standard, that no matter what network we log into, no matter what different software I had, NAC would solve it all because “a big database” would contain all of this information. Yeah, all right. I wanted to ask the guy if he still leaves out cookies and milk for Santa Claus. From what I understand this particular individual makes a habit of doing this at NAC panels.

The guy from Microsoft said it best. It is OK if NAC does not give you all of this, it is still valuable. Stop trying to make it all things to everyone and take it for what it is. It is not the answer to authentication, it is near impossible to treat heterogeneous network environments like they were homogeneous, but that is not what it is about. Stop looking for Unicorns and make use of what you have to work with!

May 18, 2009

Do you partner with Microsoft?

As I wrote about a few weeks ago, StillSecure has partnered with Microsoft in supporting the Stirling beta release of Forefront. We have integrated both Strata Guard, our IDS/IPS, and VAM, our vulnerability management solution, with Stirling. The official release of Forefront with this functionality is scheduled for Q4 or Q1 of next year.

I have been trying to figure out what is the best way to work with Microsoft in supporting this release and obviously what is the best way for StillSecure to capitalize on this.  Brad Feld recommended a book called Partnering with Microsoft.

Reading this book was invaluable. It really gets you to understand Microsoft’s structure and what to do to be successful.  If you are working with Microsoft, I highly recommend it!  Also, don’t be silly and buy it new, you can get it for a fraction of the cost used!

April 17, 2009

Microsoft brings security to the Forefront

All that glitters is not gold, sometimes it's “Stirling”. Yesterday Microsoft officially took the wraps off of the next beta of their ambitious and audacious play to become a major player in information security. StillSecure is very happy to be a strategic partner in Stirling, as one of just 10 3rd party companies that Microsoft chose to work with. We are also one of the only ones who actually have the integration working and will be demonstrating this next week at the RSA show! Both our Strata Guard and VAM products integrate with Stirling.

Forefront is a complete line of security products including:

  • Forefront Client Security
  • Forefront Security for Exchange Server
  • Forefront Security for SharePoint
  • Forefront Threat Management Gateway (renamed from Internet Security & Acceleration Server)
  • A complete management server and dashboard

Make no mistake about it. Microsoft plainly has Symantec and McAfee in their crosshairs with this product. They want to be a major player in security from the endpoint to the edge and even to the core of the network. They are building on 2 aces in their hand. One is the ubiquitous presence of Active Directory which gives them an advantage around identity based control. Secondly, they obviously control the overwhelming majority of the desktops out there. But this is not Microsoft of 1995. They recognize that when they reach out into the network Windows is not everywhere. They are working with Linux systems, network gear and other non-Microsoft systems.

There may be some who think Microsoft and security is an oxymoron. To them I say be prepared to be fossilized. Microsoft is serious about security and this Stirling will go a long way towards bringing their security expertise to the “forefront”.

December 04, 2008

This week's winner of the Captain Renault award

From the classic Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

Last week I wrote about the "shocked to find gambling going on in here" revelation by Symantec, that the underground market for stolen data was in the hundreds of millions of dollars. This week's winner of the "Captain Renault shocked to find there is gambling going on here" award goes to Secunia. They announced that their findings show 98% of Windows computers have at least one known vulnerability and nearly half have 11 or more programs at risk.

Bill Brenner has a good article on this as just Secunia spreading FUD and not many CIOs or security administrators are surprised by these findings. Bill points to a Verizon study that says 90% of all incidents involve a vulnerability that has a patch available for 6 months or more. I think this is really important.

For all of the emphasis, time and money wasted on zero day attacks, the fact is 9 out of 10 attacks take place against well known vulnerabilities. Has the patch management process broken down? Did it ever really exist? Vulnerability management just isn't sexy anymore, but there are good products available. In the face of such numbers, how can the security industry as a whole not get serious about patching, vulnerability testing and taking these low hanging fruit off the table before we get all hot and bothered about zero day stuff?

October 28, 2008

If you want to run with the big dogs, you have to play by the rules

I was reading an article today about Chinese "indignation" over Microsoft's black screen anti-piracy response. I will tell you that my jaw dropped to the ground reading some of the comments from some of the Chinese officials and citizens. Here are a few:

National Copyright Administration (NCA) Vice-Director Yan Xiaohong said his agency supported "the rights-safeguarding move taken by institutions including Microsoft," Xinhua news agency quoted him as saying in a report late on Monday.

But companies should "pay attention to the methods," Yan said. "Whether the 'black-out' method should be adopted is open to question. Measures for safeguarding rights also need to be appropriate," Yan said.

What could be more appropriate than stopping people from using software that they either pirated or are using in violation of copyright?

Dong Zhengwei, a Beijing lawyer, said Microsoft was abusing its market power and had filed a complaint to China's trade watchdog, the State Administration for Industry and Commerce, the China Daily said in a separate report.

"Microsoft should be fined $1 billion," the paper quoted the lawyer as saying.

Yan said Microsoft's price policies needed to "fit the Chinese situation."

"The company adopted unified prices in the past without considering the income gap between developed and developing countries, so we need to kindly remind them that Chinese customers' affordability should be considered."

Are you kidding me? Is this the same country that just put on that Olympic spectacle, to show they have "arrived" on the world scene? The same country that runs billions of dollars in trade surplus with most every country in the world? The same country sending people to the moon? The same company taking jobs away from our own economy everyday because of their lower prices? Sure their prices are lower, they don't follow the same rules we do. What about if most American companies decided they didn't need licensed software? Why stop there? Let's not honor patents either. The heck with it, let's bypass our electric and water meters and not pay that either. Do you think it might make us more competitive?

Hey, if you want to play with the big boys, you should be playing by the rules. Inequalities and unfair advantages like not complying with copyright laws should not be tolerated.  Either we all play by the same rules or don't play at all!

September 13, 2008

Rumors of acquisitions abound

It is not just who is going to put Lehman Brothers out of their misery in the M&A grist rumor mill.  In the tech world there are two interesting potentially big deals being rumored:

1. Why are wireless companies like bellybuttons? Because it seems like everyone has one. Continuing the recent trend, Juniper wants to be the latest one on the block to acquire their own wireless company. According to reports, they are interested in buying Meru Networks (96 million raised) or publicly traded Aruba. While Meru has nice technology, an Aruba buy would be a great fit for Juniper. Aruba is Cisco's biggest competitor in the wireless space, so should fit well with Juniper's take on Cisco persona.

From various sources, it will be one or the other of these two wireless providers, but Juniper is certainly buying one.

2. What took them so long? I have always thought for the longest time that Citrix was a good buy for Microsoft. Now once again rumors are flying that Redmond will finally pull the trigger on this multi-billion dollar deal. Cisco, IBM and HP are also rumored to be in the hunt this time though. I guess the virtualization stuff is driving a lot of that.

I have also heard rumors that Citrix will be moving its HQ from Ft Lauderdale to Silicon Valley.  The South Florida tech community would certainly be a big loser in that one.

In any event, the march of consolidation moves on.

July 24, 2008

We should all be this bad - Microsoft is dead, long live Microsoft!

I have written before about what a joke I think it is when people write that Microsoft’s best days are behind it and that their corporate grave is already being dug.  Google is going to usher in a new age of net centric computing and topple the once and future king. Yeah sure.  Don Dodge had a good article up the other day about Microsoft’s recent end of FY numbers.  The Redmond rockets racked up over 60 billion (yeah with a b) in revenue last year, an 18% increase over the year before!  They dropped 17.6 billion (again with a b) to the bottom line.  To give it some perspective, Yahoo all told only does about 7 or 8 billion in gross revenue a year.  Microsoft grew 9 billion in revenue last year.  That is they grew organically more than a whole Yahoo.  You can check out Don’s article for more financial facts and figures.

I ask you ladies and gentlemen, does this sound like the numbers of a company on the way down? If you were a betting person, would you be betting against this monster? I would not be. Do you think by 2011 things are going to fundamentally change? Next time someone tells you how open source, Linux, Google or anyone else is going to kill Microsoft, try to put some of these numbers in perspective.

July 17, 2008

Steven J. Vaughan-Nichols is no Nobel economic laureate

You have to both admire and laugh at zealots and extremists no matter what guise they come in. Whether it be religion, politics or technology they find God's hand guiding you towards their position in every event, good or bad. A perfect example was brought to my attention by Michael Farnum. Steven J. Vaughan-Nichols, the resident Cyber Cynic and Linux zealot at ComputerWorld, has taken the current state of our economy as a message from God that Linux is on a messianic mission to save us from high gas prices, high food prices, the mortgage and credit crisis and those Satans in Redmond. Vaughan-Nichols says that by switching to Linux and other open source products you could save your company, your job and be more secure to boot!

Michael, who is no Microsoft fan boy, points out some obvious pitfalls with Vaughan-Nichols' strategy. I am far from a Microsoft shill myself (now my friend Mitchell might be another story). I personally think it is ludicrous. One thing obvious is the cost of the switch. Economic cycles being what they are, by the time you actually planned and implemented this switch the economy would probably be back on the upswing and the economic reasons for undertaking this drastic a move would be gone. Then you would have the expense of moving over including training and downtime. I think by the time you are done with doing all this, if the economy hasn't killed your company, the cost of switching will!

I guess that is why Vaughan-Nichols is just a fanatic on ComputerWorld and no one has nominated him for any Nobel prizes or confused him with John Kenneth Galbraith.

July 09, 2008

The Microsoft Bloggers Network

My podcast co-host and friend Mitchell Ashley started a bloggers network for people who write about anything Microsoft. It is not just security related, but anything to do with Microsoft. If you do, the Microsoft Bloggers Network If you would like to join the network, you need to send Mitchell an email here. I am joining today.

May 19, 2008

Something in the latest Windows update is hosing my laptop

Readers of this blog know that I am not a Microsoft basher. So when I complain about something regarding Microsoft I am not doing it to just kick dirt on them. But something in the latest Windows update is killing my laptop. I downloaded the latest update as part of the automated update a few days ago. It said I had to restart the computer for the updates to take effect. I waited to restart since I was on the road and just hibernating my computer.

Since coming home this weekend I rebooted and the problems have started. First of all when I have Outlook running at the same time as IE they seem to be interfering with each other and the computer just freezes with "not responding" messages in both title bars. As much as that sucks, eventually it seems to work its way out and the page refreshes. However, another fatal error happens consistently now where the cursor just freezes, the screen locks and there is nothing I can do to shake it loose without powering down by holding the power button. Then of course on reboot I have to go through the dreaded Outlook "check the file for problems" check which chews up another 15 minutes.

This is getting really tired now. Thankfully I am out in Colorado tomorrow and will have our IT folks have a look. But having my computer lock up is not fun. If it is indeed due to the latest hotfix I am going to be really upset. There is just no excuse for this. Those Power Macs are starting to look mighty good!

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.