35 posts categorized "patching"

June 17, 2009

Come on baby hit me one more time (It's iPhone upgrade time again, Oh God)


I don’t know what is with me. I must be either a closet masochist, a glutton for punishment or just plain stupid (or maybe all of the above).  For whatever reason I felt it necessary to try and upgrade to the latest version of iPhone software today when prompted.  Every fiber of my being was screaming no don’t do it. But I did anyway.  For those not familiar, ever since I got my iPhone about a year ago, every time Apple has put out an upgrade to the OS, my phone has bricked.  So why should this time be any different?  Did I really think Apple would give a crap about their AT&T customer base and actually fix whatever bug consistently causes this problem?  Of course not!

Same old, same old. I upgraded, the phone bricked, iTunes froze, locked up the computer. Had to reboot, same thing happened. Went on to another computer, did a clean install. Wiped out everything on my phone, came back to my old computer, did a sync and now I am spending the rest of the night re-customizing and trying to find what I have lost.

When am I going to learn?  Apple you suck!


February 25, 2009

Baby you're the greatest!

I thought I would continue my Mike Rothman Daily Incite series today.  The only dangers I can see in this are I might start getting grumpy and give up meat!  But hey Fake Steve Jobs stopped blogging, maybe I can be Fake Mike Rothman.  Seriously, this format allows me to comment on a bunch of different things in one blog post, so will go with it a while.

First of all I want to call out that today is my 19th wedding anniversary! My wife Bonnie (the real Boss) continues to amaze me every day.  Most times it is around how she puts up with me.  But seriously in this day and age where so many couples come and go, 19 years is an accomplishment.  Marriage in some ways is a lot like security.  You are not successful at it without a lot of hard work, staying on top of the game and being passionate about it and it seems I am always one step behind!  In the meantime, I still feel like Ralph Kramden, happy to have my Alice. So in the words of Ralph -  Bonnie, you are the greatest!

Now on to the news and have a great day!


  1. Sourcefire goes into the 3rd party patch business.  Shades of Ross Brown and eEye, the VRT at Sourcefire have released on their blog a “home brew patch” for the critical Adobe Acrobat vulnerability, which is actively being exploited in the wild.  Adobe is supposed to have a patch out by March 11th.  In the meantime just as happened in the past, we really don’t know if the 3rd party patch has been adequately tested.  If it turns out it breaks something, Marty and team may wind up with egg on their face. As I have written before, generally I am against 3rd party patches.  In the meantime, Adobe come on! If you want Acrobat to be ubiquitous, you need to do a better job of getting patches out.  This vulnerability has been kicking a long time!
  2. Checkpoint comes out with “software blades” for the UTM. Checkpoint has introduced a new concept in their UTM line up.  They call them software blades. “The company describes a software blade as a security building block that is independent, modular and centrally managed.” The software blades operate on a software chassis.  Checkpoint wants to sell each blade for $1500. I don’t know about you but this sounds a lot like StillSecure Cobia to me! Modular security apps that run as software that can be mixed and matched on the management platform.  Very little is new under the Sun!
  3. Top Ten web hacking techniques of 2008. And the winner is . . .  If you did not get enough on Oscar night here is the list of the academy awards of web hacking by Jeremiah with help from an all star cast of judges (The Mogul, HD Moore, Hoff and Forristal). Reading this post and Rich’s post on it, the mice continue to get smarter. That makes us work harder making better mouse traps.  Jeremiah will be presenting on this at a bunch of conferences including RSA. You probably want to catch that one.
  4. New kid on the block.  A friend of mine, Jack Mancini who has been working in security since Symantec first bought Norton (or was that when Ralph met Norton?) has started his own security blog called “Secure or Not Secure”. Jack is just launching a new security VAR down here in Florida. He has already put up some good stuff and I am sure will continue to do so!

Anyway that’s my news for today. I am putting the Pragmatic CSO ad down here. If the real Rothman wants to work out a revenue share deal with me it might find its way back to the top!


The Pragmatic CSO:

Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com


December 04, 2008

This week's winner of the Captain Renault award

From the classic Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

Last week I wrote about the "shocked to find gambling going on in here" revelation by Symantec, that the underground market for stolen data was in the hundreds of millions of dollars. This week's winner of the "Captain Renault shocked to find there is gambling going on here" award goes to Secunia. They announced that their findings show 98% of Windows computers have at least one known vulnerability and nearly half have 11 or more programs at risk.

Bill Brenner has a good article on this as just Secunia spreading FUD and not many CIOs or security administrators are surprised by these findings. Bill points to a Verizon study that says 90% of all incidents involve a vulnerability that has a patch available for 6 months or more.  I think this is really important.

For all of the emphasis, time and money wasted on zero day attacks, the fact is 9 out of 10 attacks take place against well known vulnerabilities.  Has the patch management process broken down?  Did it ever really exist?  Vulnerability management just isn't sexy anymore, but there are good products available.  In the face of such numbers, how can the security industry as a whole not get serious about patching, vulnerability testing and taking these low hanging fruit off the table before we get all hot and bothered about zero day stuff?


October 02, 2007

Does the Shavlik-Sophos deal signal a change in the NAC market?

When I first read the headline of the Shavlik-Sophos deal, I thought it made a lot of sense.  Sophos (who bought the Endforce NAC product), was going to use Shavlik to deliver automated patching and remediation to out of policy endpoints.  To me this is one of the 4 pillars of NAC going forward, along with pre-connect testing, post-connect monitoring and identity based access control.  As a matter of fact, I think we are going to see more and more built in auto-remediation as NAC products mature.  Self-remediation is just really not an option for many customers.

A closer read of the Shavlik press release seems to indicate something different.  The release states, "If customers then require an automated method to remediate discovered problems, Sophos will recommend Shavlik's advanced deployment solutions, which provide simple, automated and configurable methods to test and deploy patches onto vulnerable systems."  This would indicate that Sophos is going to "recommend" Shavlik but it sounds like it is not integrated.  Also, Mark Shavlik says, "... this integration will make it very easy for Sophos customers and partners to come to Shavlik in order to simplify and automate the next step of deploying of critical security patches across their network." Again clearly the plan is if you want actual patching you come to Shavlik, it is not integrated into Sophos.

So if it is not patching, what is this deal about?  I don't know for sure, but my reading of it is that Sophos is replacing the Nessus engine they used, for a Shavlik vulnerability assessment engine.  However, this is more I think than just replacing one vulnerability scanner with another one.  As I have written many times depending on how you use Nessus, it may not be the right product for NAC.  You have to make sure you are on the right side of the license, including the plug ins you use to scan.  Also, because of the nature of local versus network scans, banners, etc., speed/scalability can be an issue.  Many NAC vendors actually use Nessus (some admit it and others try to hide it), but generally those that do use Nessus, only use it with a handful of plug in scripts.  Maybe a dozen and a half at most.  In this way, they only check for a small sample of what a full blown vulnerability scanner like Nessus can check for.  However, this has been enough for most NAC products until now.  At StillSecure because we use our own custom testing engine optimized for NAC, we never had that issue and so have been able to check for a wider range of configurations and policies than most other NAC products.  With the Shavlik product will Sophos be able to match this? I think not.

The reason I think not is that to the best of my knowledge, Shavlik is no better at this type of scan than Nessus is.  It remains to be seen whether Sophos will actually check for anywhere near the 22,000 patches that Shavlik claims to support.  In fact I would bet the actual number is nowhere near that.  But, there is another reason that I think this is an apples to oranges comparison.  Shavlik only checks for patches and vulnerabilities.  NAC is not just another pretty name for a vulnerability scanner.  NAC checks should look for the presence or absence of applications, services and settings that do not require a patch, but are a security policy.

Ultimately the market has to decide if NAC checks and enforces for violations of security policies including vulnerabilities or is it just another form of vulnerability scanner and VM.  I don't think the world needs more vulnerability scanners, but it does need NAC.

September 10, 2007

Pat Clawson can bluff all he wants, but to IPO he is going to have to show his cards

Not sure if this article in Dark Reading by Kelly Jackson Higgins is some sort of joke or if Pat Clawson thinks the security business is a big Texas Hold'em tournament. But it could get real embarrassing if someone calls him and he has to show his cards. It seems the spark for this story is the long rumored name change of the former Patchlink Security to Lumension Security.  They have been threatening to change their name for months, if not years now and have finally gone and done it.  They really had no choice.  It really gave their sales team a lack of credibility when they would try to sell the fact that they were not a patch company with a name like Patchlink. Of course the fact that Big Fix says they are secure configuration management drove the Patchlink guys crazy, as they didn't want Big Fix to be anything Patchlink wasn't.  Where they came up with a name like Lumension though is anyone's guess.  I have two - One they ran a new name contest and someone's 13 year old daughter came up with it. Two, they paid a small fortune to one of those boutique naming shops to come up with that one.  I don't know but it sounds like last year's new Chevy model to me.

Anyway, Pat Clawson takes the opportunity to spin a yarn that Kelly dutifully reports (come on Kelly, how about some more up close and personal features like this one on Thomas Ptacek).  Clawson tells us that the reason for the name change is the company is "retrenching" for an IPO in mid-2008.  Retrenching?  As if we don't know that an IPO would mean cool hand Pat would have to file an S-1 that would show us all what he is really holding.  I suspect that when those cards see the cold, hard light of day, Lumina-Patchlink would not exactly be a Wall Street darling as an IPO candidate.  A reverse merger-pink sheet candidate maybe, but getting a top bank to underwrite this one would be like trying to get a sub-prime mortgage with no money down right now.  In any event, my bet is Pat is way too cagey a poker player to ever let anyone have a peek at the numbers behind him here.

Next Pat tells us that with his two acquisitions he has now risen above the likes of Big Fix and Shavlik and is more like McAfee and CA. He throws in all of the good buzz words, "cloud", "agentless", "SaaS", etc. and we are supposed to take it all in. While he is at it, he claims to also have policy compliance and NAC too.  Pat has it all, or so says he.  You can almost see Nick Selby of 451 choking down the laughs in his quote in the article when he calls Pat's claims "an overstatement".

I am starting a little tournament of my own. I am taking odds that Patchlink or whatever they are called never IPOs in its present state and will instead be shopped hard.  Anyone want to take any action on that one?


June 14, 2007

Why is this Patch Tuesday different than other Patch Tuesdays?

What is that you say? What is so different about this Patch Tuesday?  For my Jewish friends out there, am I adding another question to the existing 4? Well it ain't cause we eat unleavened bread or anything like that.  This Patch Tuesday will go down in history as the first Patch Tuesday to contain a specific patch for a vulnerability in the vaunted Vista.  Oh well, it was good while it lasted but did you think there would never be one?

According to this article in TechNewsWorld, the Vista vulnerability is not critical but only moderate. However, unlike other vulnerabilities that affected Vista, this is the first one that affects only Vista and is probably a flaw in the newer core.  There is some good commentary about the other patches in this release including some quotes from the security architect at Vernier Network, Mark Loveless.  What a great name for a security guy!

Anyway, by now your patching process is probably pretty standard so hopefully you are protected already. 

February 26, 2007

Patchlink tries to breathe new life into Harris STAT

Patchlink announced today that they had taken Harris STAT off of the hands of Harris Corporation.  This is pretty much in line with their CEO Pat Clawson's plan to do acquisitions and fits the mold of acquisitions he has done in the past at other companies.  What is Harris STAT you ask?  It is a vulnerability scanner.  About 2 years ago they did an OEM deal with Patchlink, where Patchlink was integrated into their product.

If you are not active in the government market you may have never heard of STAT or Harris even.  Harris is huge in the federal market. They make a lot of advanced communications gear for the DoD.  STAT was always out of their sweet spot I thought, but with the Harris machine pushing it, it was widely used within the various defense department networks.  I say was, not is though.  About 2 or 3 years ago DISA did a DoD wide deal with eEye and Citadel for the Retina scanner and Hercules patch manager.  Since that time STAT has basically been a dead man walking. In the 5 years we have sold vulnerability management products, we have never seen STAT outside of the government space.  The Hercules contract (now owned by McAfee) is also the reason why Patchlink has not been able to break into the DoD.  I would imagine that with this background and it not really being in its sweet spot, Harris was only too happy to offload STAT and Patchlink probably got a sweet (read cheap) deal.

Now the question is, what does Patchlink do with this?  They talk about it advancing their strategy for Unified End Point Security Management Framework.  Sounds to me like they would like to take on Big Fix from that. Not really sure this deal gets them there though. Frankly, I think they might find buying a vulnerability scanner and keeping it up to snuff in this hyper competitive market may be a bigger bite than they were looking to chew.

February 15, 2007

My SLA can beat up your SLA

My buddy Ross Brown (you know I really do consider Ross a buddy, having had a chance to get to know him in person at RSA, but that is another story) has an article up taking a shot at nCircle's 24 hour SLA.  To tell you the truth, I was not aware of nCircle's SLA, but a long dormant brain cell in my head fired up something about me having written on this before.  A Technorati search of my blog turns up that exactly one year ago, Feb 16, 2006, I wrote about last year's RSA and some of the SLAs and guarantees that were being offered.  Besides showing that very little in security is ever really new, I thought even back then, that SLAs in security seem to be long on marketing and short on real protection.

For the record, I agree with Ross, I think a 24 hour SLA is nothing to write home about.  We, like eEye and I am going to guess nCircle and most other companies do a good job of getting tests out for the new vulnerabilities (Ross I don't think nCircle is putting out patches, but rather tests to see if the patch is applied or if the vulnerability is present) pretty quickly.  Usually in just a few hours.  However, when you are going to put your money where your mouth is, I think you tend to be conservative. The 24 hour SLA is not meant to be the normal expectation, but the worst case scenario.  Frankly, if you want to force nCircle to do better, come out with a better SLA, that they will have to match to compete. Let me know when you do and we will look at matching it here.  However, my question is this:  Is anybody buying product based on this SLA?  If the answer is no, who gives a hoot.

February 14, 2007

Protecting against the latest Microsoft vulnerabilities

So, another patch Tuesday and another flood of press releases announcing that these great security companies protect against them.  We used to do this at StillSecure, but realized that our customers expected us to provide protection against these almost as soon as they came out.  Is it really worth putting out a press release over, month after month?  Is it newsworthy?  Does it influence you in any way? I don't think so.  I would like to see a company put out a press release that they don't protect against the latest vulnerabilities. That would be news.

Guys, let's save the paper.  Protecting against the latest vulnerabilities by Tuesday night is table stakes to sit at the table.  Not anything to jump up and down about.

Happy Valentines Day!

January 23, 2007

Is self-remediation the answer in NAC?

I was reading a press release by a UTM vendor today, whose latest box now also claims to perform network access control by combining layer 2 switching with UTM functionality.  Interesting to see yet another player jump on the NAC bandwagon, though the details of what they do were kind of vague.  Anyway, the thing that caught my eye about it was they made such a big deal out of their ability to provide self-remediation.  They claimed that it was key to cutting down on help desk calls and thereby reduce operating costs. Sounds logical doesn't it?  Wrong!

This is a common misconception in the NAC market.  Frankly, it shows that the marketing and product management team have not yet spoken to a lot of real life customers about the issue.  Hey, we had the same notion here at StillSecure and still of course do offer self-remediation.  However, experience has shown us a couple of things.  One is that outside of the IT department, very few employees in the enterprise are capable of actually self-remediating their computer.  Even something as simple as updating their anti-virus dat file is a daunting task to the folks over in the HR or finance departments.  Another thing is having one page that contains all of the various places one goes to update (one site for AV, another for Windows, another for applications) can be confusing to users. The bottom line is that self-remediation often leads to increased help desk calls and so higher operating costs.  Not to mention that many enterprises already have patch management solutions deployed and unmanaged users should not drain your help desk resources.

The bottom line is that self-remediation is not the slam dunk that some johnny-come-lately to the NAC market would have you believe.  Your NAC solution should also offer you the ability to have automated remediation including integration with your existing patch management product.


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
