297 posts categorized "NAC"

June 09, 2009

NAC is about getting people on the network, not off

Today StillSecure announced something that I have wanted for a long time. Our Safe Access NAC product can now use WSUS to remediate non-compliant endpoints. Prior to this it was possible to use WSUS, but it was much more of a custom job. We have had integration with MS SMS for a long time and from time to time have worked with many of the patch managers out there. But WSUS is the most widely used of any patch solution out there. It should make life much easier for users whose devices are not compliant.

For too long people have emphasized NAC’s ability to quarantine and remove non-compliant devices from the network. But that in my mind is a red herring. Unless it is a rogue user or something like that, keeping them off the network is not productive to anyone. NAC should be about making sure they are compliant. If they are not, make them compliant and get them on their way. Don’t throw them off the network; that doesn’t do anyone any good.

There have been various ways of doing this with NAC. Some solutions have sought to have their own file push capability built in. The problem is that being a NAC solution is hard enough. So is being a patch manager. Being both is a recipe for disaster. You wind up doing neither well. You can work with patch managers, but which ones? With SMS and now WSUS we are guaranteed to work with the widest number of devices out there.


May 28, 2009

Shimel’s Inciteful Thursday

So despite his promises to the contrary, my bud Mike Rothman has been a blogging MIA pretty much since RSA. Hey, I am sure he has a good reason, like some journey for self-awareness or something that is keeping him away. Not even a Social Security Blogger award could get his juices flowing again. So in Mike’s absence I am going to do another in my incite series with a bunch of short stories and even shorter commentaries.

Truth be told, I had too many things to write about today, so I blamed it on Rothman!

Have a great day.

1. InfoExpress does a press release on managed NAC – Last night I banged on InfoExpress for claiming a managed NAC service as reported by Tim Greene. It just didn’t sound like a managed service to me. Well, not sure if Tim jumped the gun or not, but today IE put out a press release on their service (though they still have nothing about it on the web site). To be fair, the press release talks about more management of NAC than Tim’s article did. But here is a bit of advice for the InfoExpress PR team: if you are going to have customer quotes in a press release, it may be worthwhile giving their name and title. Just having quotes attributed to anonymous customers is a bit unbelievable. Something I would expect from NAC used car salesmen.

2. Mystery virus plagues FBI and US Marshals – It seems that a mystery computer virus (no, not swine related) has hit both the non-classified FBI network and the US Marshals network. The FBI had to disconnect their network from the Internet, but it has now been reconnected. The US Marshals Service reportedly had 140 machines hit with the virus. They had to be taken down and are being disinfected as you read this. I don’t have any more information on this, but there are rumors of a one-armed man being seen in the vicinity. Where is Tommy Lee Jones when you need him?

3. Microsoft puts the heat on security vendors – Looks like my friend Charlotte Dunlap has herself a regular gig over at Forbes writing an infosecurity column sponsored by Juniper. This time Charlotte writes about Microsoft rolling out a hosted email security solution as part of Stirling-Forefront. Charlotte is right on when she says that Microsoft clearly has Symantec and McAfee in their sights with Forefront. I have written about this before as well. Go ahead and make fun all you want; Microsoft is serious about this and will keep at it till they get it right. Of course I love the fact that they are partnering with forward-looking security vendors (like StillSecure) and think there is a real opportunity to shake up the security world here.

4. How much work can you do on an iPhone? – Earlier this week I wrote about an iPhone being a Prius to the Blackberry’s Pinto (hey, not my words, but some other author’s). In continuation of that story, Galen Gruman writes about using an iPhone instead of a laptop for a few weeks. I don’t know, but I find it near impossible to write more than a sentence or two with my iPhone. Maybe my fingers are too fat or I just don’t have good hand-eye coordination, but compared to my old HTC Windows Mobile phone I find it painful to type anything longer than that.

Anyway, that is a wrap on this incite. Good day to you, Mike Rothman, no matter where you are!

May 27, 2009

Dude, that is not a managed NAC service

Saw an interesting article in the German version of CIO today. It claims that InfoExpress is the latest NAC vendor to push a managed NAC service. It goes on to describe something that InfoExpress calls CARE (Compliance, Authorization, and Rogue Enforcement). Just as a point of interest, there is nothing on the InfoExpress web site that talks about this at all, other than a pointer to this article under news and events. Anyway, here is the way the article describes this “managed service”: it will have InfoExpress perform “evaluation of customer needs; developing a written proposal; certification of the hardware; defining and creating policies; configuration and periodic updates. Some customers might simply want help deploying the software but not ongoing policy updates.”

I don’t know about you, but at StillSecure we call that implementation and support. Let’s not burden managed services with the same asinine definitions that so hampered NAC. This is not a managed NAC service! Helping someone set up your product is not managing it for them. It is helping them set up your product. There is a difference. Unless you are going to monitor the network and stand ready to make changes to the network beyond the NAC product, you are not really managing the NAC solution.

The real reason behind CARE can be found later on in the article though:

The common thought behind InfoExpress's CARE service is that customers might want NAC but have trouble getting funding for a new technology because of budget restrictions. Without a hard return on investment from NAC, many CIOs and CFOs reject these projects, but perhaps will go along with it if they can get it for a relatively modest recurring cost, service providers say.

So while the customer owns the hardware, the software is sold cheaply on a subscription basis rather than traditional licensing. OK, I can see that, but again that does not make it a managed NAC service. It is a NAC product sold with subscription licensing. BTW, the article says pricing is set on a case-by-case basis. Again, does this sound like a fully-baked, scalable managed NAC service? I don’t think so. Both InfoExpress and the author of the article do us all an injustice even calling it such.

Author’s Note: I just realized that this is actually a reprint of an article by Tim Greene in Network World.

May 21, 2009

In search of Unicorns

Here at Interop the show floor was pretty dead yesterday. I had a chance to sit in the audience for a panel on NAC hosted by Mike Fratto. Mike had 5 panelists, including a few friends of mine. It was pretty much the usual NAC panel: Steve Hanna from Juniper/TNC touting the standards that his group offers, Cisco saying they will support standards, HP ProCurve always loving standards, Microsoft actually being very pragmatic, and then there was JJ. My friend Jennifer Jabbusch was her usual self, telling it as she sees it and giving quote fodder to journalists like Sean Michael Kerner, who wrote about the panel in this article.

Of course the media loves to jump on any angle as to why NAC has not brought world peace and helped cure cancer. So Kerner’s article screams that authentication is where we screwed up. He says the audience demanded to know when NAC is going to deliver on the promise. How can we have a standard without Cisco? Well, I was in the audience too and had all I could do to bite my tongue and not say anything. But hey, that is why I have a blog. So let me respond here:

1. Authentication is where we screwed up. Who said NAC was about authentication? Listening yesterday you would think that 802.1x authentication was a direct result of NAC needing a secure authentication process. Guys, let’s not put the cart in front of the horse. 802.1x offers a lot of other features and advantages besides NAC authentication. In fact it is the other way around. NAC vendors adopted 802.1x because it offered some distinct advantages. It was widespread in wireless networks. However, JJ is right. It is complex. There are a lot of moving parts. If you have not done everything right to implement 802.1x on your network, don’t bother trying to use it for NAC. But if you have, it does work like a charm. As I have said before, it is not for the faint of heart.

But back to my original comment. Originally NAC/NAP was not the authentication. NAC rode on top of your existing authentication. We as an industry have issues around easy to use, robust authentication methods. So this became NAC’s problem? A good NAC solution should be able to use the authentication system you are using. Authentication sucks? Look to the folks developing authentication. Hint: it is the same network vendors sitting on the panel. But let’s not saddle NAC with this albatross.

2. Searching for the mythical NAC Unicorn. Fact is there was one member of the audience who was quite vocal (no, not me) and kept insisting that NAC would not be real until everyone adopted one standard, that no matter what network we log into, no matter what different software I had, NAC would solve it all because “a big database” would contain all of this information. Yeah, all right. I wanted to ask the guy if he still leaves out cookies and milk for Santa Claus. From what I understand this particular individual makes a habit of doing this at NAC panels.

The guy from Microsoft said it best. It is OK if NAC does not give you all of this; it is still valuable. Stop trying to make it all things to everyone and take it for what it is. It is not the answer to authentication, and it is near impossible to treat heterogeneous network environments like they were homogeneous, but that is not what it is about. Stop looking for Unicorns and make use of what you have to work with!

May 20, 2009

451 Group a different kind of analyst firm

One thing I try to be on my blog is true to myself. I am far from perfect (just in case you didn’t know), but when I am wrong I pride myself on trying to correct it. Another case in point came to my attention this weekend. Last week I wrote about a NAC webinar that Forescout was doing featuring Paul Roberts of 451 Group. In the article I called on both Forescout and 451 to come clean that they were being compensated to appear and that they certainly did not endorse any one NAC vendor.

Well, that is usually the case when analysts appear on vendor sponsored events (sometimes even including press releases). However, this is not the case with 451 Group. When a client subscribes to their enterprise services, included in it are quotes for press releases and appearances on webinars and such. This way the whole stigma of being paid to appear is averted. Nick Selby of 451 pointed this out to me. I think that is very enlightened.

May 15, 2009

How much did Forescout pay for this?

Received a media alert today about a webinar Forescout is doing on the state of NAC. Regular readers of my blog know that I don’t think much of their nessus-nmap based, TCP reset NAC technology, but you have to hand it to them for marketing chutzpah. The alert advertises a joint webinar with the 451 Group’s Paul Roberts presenting. Paul covers NAC pretty well and I am sure will recap the 451 report on NAC. What I have a problem with is this: do you think Paul and 451 are doing this because they need the publicity? Do you think, even though I am sure Paul will remain “neutral”, that the appearance of some implicit endorsement of Forescout is not implied? Of course not, and of course. For the sake of 451’s integrity and in the interest of full disclosure, let’s disclose that Paul and 451 are being paid to appear at this webinar. Let’s bring a little transparency to both the analyst business and NAC marketing!

By the same token, Forescout’s announcement that the webinar is also being given in light of NAC Day at Interop ‘09 is another slick move. It would lead you to believe that they were actually involved in NAC Day at Interop. But a perusal of the Interop NAC Day site does not show any sponsorship or appearance by Forescout. Just another case of sleazy slick marketing by the used car men of NAC. But you can't blame them. The Interop people made participating in NAC Day so expensive that very few can actually participate.

May 13, 2009

3D BD

When all is said and done I am involved in many things at StillSecure. I like that because it feeds my own ADD tendencies. I need to be working on different things all the time. But the core of what I do, and in many ways what I like best, is business development / corporate development. I have been in BD for a very long time and during those many years have had a chance to meet some really great people. Generally BD people understand that what goes around comes around and a relationship which benefits both parties is one that will enjoy continued success. As a result you tend to deal with the same folks over and over again. The names don’t change but the companies and exact titles do.

One of the people I have dealt with over the last few years is Michael D’Eath, formerly of Mirage Networks. Michael ran BD and strategy over at Mirage for some time. Though we never did a deal directly with each other, we did have partners in common and have gotten to know each other a bit through the NAC wars. Anyway, Michael has started a new business performing BD and CD services for companies called CMT Consulting. He is also going to start sharing some of his tips, tricks, experience and thoughts on business development and corporate development via his new blog. It is called 3 dimensional business development. I already like what I have read so far and am looking forward to hearing more from Michael. If you are involved in BD or would like some great insight into what we do in business development and corporate development, I recommend you read it too!

Welcome to blogging Michael and we will be reading!

April 02, 2009

Good Night, and Good Luck

It was with great sadness that I read the end of Tim Greene’s NAC column today. Tim tells us that he is ending the NAC column and newsletter and transitioning to cloud security (that should make Hoff and Amrit happy). While I don’t always agree with what Tim writes about NAC, he has been a consistent voice and great advocate for the technology. The NAC industry will miss the spotlight he shined on it. I am sure he will do a bang-up job on cloud security and wish him well.

The following quote from the movie Good Night, and Good Luck is by Edward R. Murrow about TV, but in many ways it could be said about NAC and Tim’s column:

To those who say people wouldn't look; they wouldn't be interested; they're too complacent, indifferent and insulated, I can only reply: There is, in one reporter's opinion, considerable evidence against that contention. But even if they are right, what have they got to lose? Because if they are right, and this instrument is good for nothing but to entertain, amuse and insulate, then the tube is flickering now and we will soon see that the whole struggle is lost. This instrument can teach, it can illuminate; yes, and it can even inspire. But it can do so only to the extent that humans are determined to use it to those ends. Otherwise it is merely wires and lights in a box. Good night, and good luck.

Good Luck Tim!


March 18, 2009

RSA is on the way! March 18, 2009

OK, I got back early from California (because someone I was meeting had to be hospitalized, I am afraid) so I have some time to blog. It has been tough lately, but there are lots of stories to touch on. First of all, we are in full swing for the pre-RSA season. My calendar is already filling up with appointments while I am out in San Fran. I will be presenting at the Americas Growth Conference again this year on the Monday before RSA. The AGC event has become a staple over the years and in these challenging times should be even more interesting this year. Of course there is the security bloggers meet up, with planning in full swing and ready to rock (SBN members get an invite). Also the SC Magazine awards dinner and event, which I was invited to and will be attending. Thursday morning I moderate an all star panel on what to do about security in this economy. All in all, RSA is shaping up as a great time!

While I am registered as a speaker, an exhibitor and a 5 year member, I was surprised that this year there were no free passes to attend just the expo and keynotes. In some ways it is good; it may keep out some people who are adult trick-or-treaters or resume pushers. In other ways, if you are in the local area the 75 dollars for an expo pass may stop you from attending. Well, here is where I can help. I have 4 expo passes to RSA to give away. Leave a comment with why you deserve one, and if you can convince me you win one. I wish I had full passes to give out for all of the tracks and all, but those are hard to come by. Hope to see you at the conference.

Couple of other stories:

1. Vyatta adds security to the router – I don’t know about you, but this is so Cobia 2007! Come on guys, we did this at StillSecure with Cobia 2 years ago. Plus, reading the press on it, it is hard to see what special sauce, if any, Vyatta adds over the plain vanilla open source offerings that it is based on. I guess it was to be expected, but I think they are going to have to do better than this to be successful.

2. Is Sun going to rise at IBM? – Looks like Big Blue might be picking up what is left of Sun. Great, that gives IBM another database to work with (they already have DB2 and Informix), some open source stuff and another silicon design. On the other hand, Sun has to do something, as I am not sure what the future holds for them as a stand-alone.

3. How to evaluate if an MSSP is right for you – An article in SearchSecurity about how to properly evaluate whether an MSSP is right for you. Pretty elementary stuff, but a start to making the decision.

4. NAC, it’s not just for compliance anymore – Tim Greene’s article this week calls out how NAC for compliance is yet another great use of NAC. Yes, NAC can be quite the Swiss army knife of security, but is NAC as a compliance tool enough to drive a new NAC sale, or just another use for a tool you already bought? That is the big question about the NAC market.

March 10, 2009

Spring Ahead - March 10 2009

Well, this weekend was the start of daylight saving time. I always think of it as spring ahead, as opposed to fall back. It usually takes me a good week to get used to being an hour ahead. But are you really an hour ahead? Yes, it is still dark when many of us get up and it stays light longer in the evening, but do you think of it as being an hour ahead? Maybe you should. What is so bad about thinking of getting out ahead of things? Nothing at all. Especially in security, so much of what we do is reactive, after the fact. Maybe a good security strategy would be to spring ahead. Get out ahead of the security issues before they become incidents or big problems. Why not make that a mantra? The clocks have been set ahead; try to stay ahead of the bad guys yourself and enjoy the extra daylight at the end of the day!

Have a great day.

An IF-MAP in Juniper’s future? – Juniper updated their NAC solution yesterday for the first time in 2 years. It seems like the big news is that NAC is now part of the fabric because it can interact with other security technologies using IF-MAP, the Trusted Computing Group’s standard for data sharing. Of course the problem is that it takes two to MAP. If other products don’t support it and use it, Juniper by themselves is not going to do it. What does it give you, you ask? Well, Juniper says, according to this article by Sean Michael Kerner, that now you can enforce quarantine and NAC after a device has been on the network. I say BFD to that; most NAC solutions have some sort of post-connect capability already (except Cisco of course), so Juniper is just playing a bit of catch up there. But at the end of the day Juniper is all about beating Cisco, so I guess that is what counts!

eEye’s any means possible – Those wild and crazy guys at eEye (they have not been as wild and crazy lately, frankly) announced a new service yesterday based on services they have been providing for years (according to them, anyway). It is a super-penetration testing service called any means possible. Based on eEye research and super hacking techniques as well as social engineering, the eEye team seems to be going whole hog into services. I don’t have a problem with it, but what does that mean about its commitment to Blink endpoint security, not to mention the forgotten Retina/REM suite? Maybe the products are not paying the bills and the any means possible name refers to eEye’s determination to keep the lights on? In this economy no one is immune!

PCI sends two QSAs to the principal’s office – Martin reports on an article in TechTarget about two QSAs who have been called out by the PCI council about their PCI auditing. OK, so they are going for a proctology exam. Are they being made examples as a warning to other QSAs, or is this the start of the PCI council getting more serious about enforcing standards around the huge infrastructure they have fostered? I have a great PCI podcast panel being scheduled now; we will be discussing this very topic, so stay tuned!


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.
