32 posts categorized "patching"

October 02, 2007

Does the Shavlik-Sophos deal signal a change in the NAC market?

When I first read the headline of the Shavlik-Sophos deal, I thought it made a lot of sense.  Sophos (who bought the Endforce NAC product) was going to use Shavlik to deliver automated patching and remediation to out-of-policy endpoints.  To me this is one of the 4 pillars of NAC going forward, along with pre-connect testing, post-connect monitoring and identity-based access control.  As a matter of fact, I think we are going to see more and more built-in auto-remediation as NAC products mature.  Self-remediation is just really not an option for many customers.

A closer read of the Shavlik press release seems to indicate something different.  The release states, "If customers then require an automated method to remediate discovered problems, Sophos will recommend Shavlik's advanced deployment solutions, which provide simple, automated and configurable methods to test and deploy patches onto vulnerable systems."  This would indicate that Sophos is going to "recommend" Shavlik, but it sounds like it is not integrated.  Also, Mark Shavlik says, "... this integration will make it very easy for Sophos customers and partners to come to Shavlik in order to simplify and automate the next step of deploying critical security patches across their network." Again, clearly the plan is that if you want actual patching you come to Shavlik; it is not integrated into Sophos.

So if it is not patching, what is this deal about?  I don't know for sure, but my reading of it is that Sophos is replacing the Nessus engine they used with a Shavlik vulnerability assessment engine.  However, I think this is more than just replacing one vulnerability scanner with another one.  As I have written many times, depending on how you use Nessus, it may not be the right product for NAC.  You have to make sure you are on the right side of the license, including the plug-ins you use to scan.  Also, because of the nature of local versus network scans, banners, etc., speed/scalability can be an issue.  Many NAC vendors actually use Nessus (some admit it and others try to hide it), but generally those that do use Nessus only use it with a handful of plug-in scripts.  Maybe a dozen and a half at most.  In this way, they only check for a small sample of what a full-blown vulnerability scanner like Nessus can check for.  However, this has been enough for most NAC products until now.  At StillSecure, because we use our own custom testing engine optimized for NAC, we never had that issue and so have been able to check for a wider range of configurations and policies than most other NAC products.  With the Shavlik product, will Sophos be able to match this? I think not.

The reason I think not is that, to the best of my knowledge, Shavlik is no better at this type of scan than Nessus is.  It remains to be seen whether Sophos will actually check for anywhere near the 22,000 patches that Shavlik claims to support.  In fact I would bet the actual number is nowhere near that.  But there is another reason that I think this is an apples to oranges comparison.  Shavlik only checks for patches and vulnerabilities.  NAC is just not another pretty name for a vulnerability scanner.  NAC checks should look for the presence or absence of applications, services and settings that do not require a patch, but are a matter of security policy.

Ultimately the market has to decide whether NAC checks for and enforces against violations of security policies, including vulnerabilities, or is just another form of vulnerability scanner and VM.  I don't think the world needs more vulnerability scanners, but it does need NAC.

September 10, 2007

Pat Clawson can bluff all he wants, but to IPO he is going to have to show his cards

Not sure if this article in Dark Reading by Kelly Jackson Higgins is some sort of joke or if Pat Clawson thinks the security business is a big Texas Hold'em tournament. But it could get real embarrassing if someone calls him and he has to show his cards. It seems the spark for this story is the long rumored name change of the former Patchlink Security to Lumension Security.  They have been threatening to change their name for months, if not years now, and have finally gone and done it.  They really had no choice.  It really gave their sales team a lack of credibility when they would try to sell the fact that they were not a patch company with a name like Patchlink. Of course the fact that Big Fix says they are secure configuration management drove the Patchlink guys crazy, as they didn't want Big Fix to be anything Patchlink wasn't.  Where they came up with a name like Lumension though is anyone's guess.  I have two - One, they ran a new name contest and someone's 13 year old daughter came up with it. Two, they paid a small fortune to one of those boutique naming shops to come up with that one.  I don't know, but it sounds like last year's new Chevy model to me.

Anyway, Pat Clawson takes the opportunity to spin a yarn that Kelly dutifully reports (come on Kelly, how about some more up close and personal features like this one on Thomas Ptacek).  Clawson tells us that the reason for the name change is the company is "retrenching" for an IPO in mid-2008.  Retrenching?  As if we don't know that an IPO would mean cool hand Pat would have to file an S-1 that would show us all what he is really holding.  I suspect that when those cards see the cold, hard light of day, Lumina-Patchlink would not exactly be a Wall Street darling as an IPO candidate.  A reverse merger-pink sheet candidate maybe, but getting a top bank to underwrite this one would be like trying to get a sub-prime mortgage with no money down right now.  In any event, my bet is Pat is way too cagey a poker player to ever let anyone have a peek at the numbers behind him here.

Next Pat tells us that with his two acquisitions he has now risen above the likes of Big Fix and Shavlik and is more like McAfee and CA. He throws in all of the good buzz words, "cloud", "agentless", "SaaS", etc., and we are supposed to take it all in. While he is at it, he claims to also have policy compliance and NAC too.  Pat has it all, or so says he.  You can almost see Nick Selby of 451 choking down the laughs in his quote in the article when he calls Pat's claims "an overstatement".

I am starting a little tournament of my own. I am taking odds that Patchlink, or whatever they are called, never IPOs in its present state and will instead be shopped hard.  Anyone want to take any action on that one?


June 14, 2007

Why is this Patch Tuesday different than other Patch Tuesdays?

What is that you say? What is so different about this Patch Tuesday?  For my Jewish friends out there, am I adding another question to the existing 4? Well it ain't 'cause we eat unleavened bread or anything like that.  This Patch Tuesday will go down in history as the first Patch Tuesday to contain a specific patch for a vulnerability in the vaunted Vista.  Oh well, it was good while it lasted, but did you think there would never be one?

According to this article in TechNewsWorld, the Vista vulnerability is not critical but only moderate. However, unlike other vulnerabilities that affected Vista, this is the first one that affects only Vista and is probably a flaw in the newer core.  There is some good commentary about the other patches in this release, including some quotes from the security architect at Vernier Network, Mark Loveless.  What a great name for a security guy!

Anyway, by now your patching process is probably pretty standard so hopefully you are protected already. 

February 26, 2007

Patchlink tries to breathe new life into Harris STAT

Patchlink announced today that they had taken Harris STAT off the hands of Harris Corporation.  This is pretty much in line with their CEO Pat Clawson's plan to do acquisitions and fits the mold of acquisitions he has done in the past at other companies.  What is Harris STAT, you ask?  It is a vulnerability scanner.  About 2 years ago they did an OEM deal with Patchlink, where Patchlink was integrated into their product.

If you are not active in the government market you may have never heard of STAT, or Harris even.  Harris is huge in the federal market. They make a lot of advanced communications gear for the DoD.  STAT was always out of their sweet spot I thought, but with the Harris machine pushing it, it was widely used within the various defense department networks.  I say was, not is, though.  About 2 or 3 years ago DISA did a DoD-wide deal with eEye and Citadel for the Retina scanner and Hercules patch manager.  Since that time STAT has basically been a dead man walking. In the 5 years we have sold vulnerability management products, we have never seen STAT outside of the government space.  The Hercules contract (now owned by McAfee) is also the reason why Patchlink has not been able to break into the DoD.  I would imagine that with this background, and it not really being in its sweet spot, Harris was only too happy to offload STAT and Patchlink probably got a sweet (read cheap) deal.

Now the question is, what does Patchlink do with this?  They talk about it advancing their strategy for a Unified End Point Security Management Framework.  Sounds to me like they would like to take on Big Fix from that. Not really sure this deal gets them there though. Frankly, I think they might find buying a vulnerability scanner and keeping it up to snuff in this hyper-competitive market may be a bigger bite than they were looking to chew.

February 15, 2007

My SLA can beat up your SLA

My buddy Ross Brown (you know I really do consider Ross a buddy, having had a chance to get to know him in person at RSA, but that is another story) has an article up taking a shot at nCircle's 24 hour SLA.  To tell you the truth, I was not aware of nCircle's SLA, but a long dormant brain cell in my head fired up something about me having written on this before.  A Technorati search of my blog turns up that exactly one year ago, Feb 16, 2006, I wrote about last year's RSA and some of the SLAs and guarantees that were being offered.  Besides showing that very little in security is ever really new, I thought even back then that SLAs in security seem to be long on marketing and short on real protection.

For the record, I agree with Ross, I think a 24 hour SLA is nothing to write home about.  We, like eEye and I am going to guess nCircle and most other companies, do a good job of getting tests out for the new vulnerabilities (Ross, I don't think nCircle is putting out patches, but rather tests to see if the patch is applied or if the vulnerability is present) pretty quickly.  Usually in just a few hours.  However, when you are going to put your money where your mouth is, I think you tend to be conservative. The 24 hour SLA is not meant to be the normal expectation, but the worst-case scenario.  Frankly, if you want to force nCircle to do better, come out with a better SLA that they will have to match to compete. Let me know when you do and we will look at matching it here.  However, my question is this:  Is anybody buying product based on this SLA?  If the answer is no, who gives a hoot.

February 14, 2007

Protecting against the latest Microsoft vulnerabilities

So, another patch Tuesday and another flood of press releases announcing that these great security companies protect against them.  We used to do this at StillSecure, but realized that our customers expected us to provide protection against these almost as soon as they came out.  Is it really worth putting out a press release over, month after month?  Is it newsworthy?  Does it influence you in any way? I don't think so.  I would like to see a company put out a press release that they don't protect against the latest vulnerabilities. That would be news.

Guys, let's save the paper.  Protecting against the latest vulnerabilities by Tuesday night is table stakes to sit at the table.  Not anything to jump up and down about.

Happy Valentine's Day!

January 23, 2007

Is self-remediation the answer in NAC?

I was reading a press release by a UTM vendor today, whose latest box now also claims to perform network access control by combining layer 2 switching with UTM functionality.  Interesting to see yet another player jump on the NAC bandwagon, though the details of what they do were kind of vague.  Anyway, the thing that caught my eye about it was they made such a big deal out of their ability to provide self-remediation.  They claimed that it was key to cutting down on help desk calls and thereby reducing operating costs. Sounds logical, doesn't it?  Wrong!

This is a common misconception in the NAC market.  Frankly, it shows that the marketing and product management team have not yet spoken to a lot of real life customers about the issue.  Hey, we had the same notion here at StillSecure and still, of course, do offer self-remediation.  However, experience has shown us a couple of things.  One is that outside of the IT department, very few employees in the enterprise are capable of actually self-remediating their computer.  Even something as simple as updating their anti-virus dat file is a daunting task to the folks over in the HR or finance departments.  Another thing is having one page that contains all of the various places one goes to update (one site for AV, another for Windows, another for applications) can be confusing to users. The bottom line is that self-remediation often leads to increased help desk calls and so higher operating costs.  Not to mention that many enterprises already have patch management solutions deployed, and unmanaged users should not drain your help desk resources.

The bottom line is that self-remediation is not the slam dunk that some Johnny-come-lately to the NAC market would have you believe.  Your NAC solution should also offer you the ability to have automated remediation, including integration with your existing patch management product.

December 12, 2006

This Patch Tuesday is screaming for a 3rd party patch

With the Patch Tuesday release today it seems that Microsoft is up to their ears in fixes.  However, two of potentially the biggest were not included in this fix.  I am of course referring to the two MS Word holes that were found and have already been exploited in the wild.

Just a few months ago Determina, eEye and ZERT were falling over themselves to help us all with 3rd party patches to hold the fort down until Microsoft got around to it.  Now, when it would seem the need is extreme, they are nowhere to be found.  Maybe they realized it is not a profitable business?  Maybe it is really hard to patch these?  I don't know, but this is part of the reason why I think the whole VA thing is dead as a stand-alone strategy.

December 11, 2006

Vulnerability Assessment is dead, can I sell you a scanner?

Taking a page from the Richard Stiennon playbook, let me make an outrageous statement/prediction that, if it pans out, will result in me being labeled a visionary (yeah right).  I say now that vulnerability assessment as it has existed for the last 5 or 6 years is dead!  I think everyone familiar with the VA market has been pussyfooting around this issue for a while now.  To understand why I say this, you need to take a look at the evolution of the VA market.

When StillSecure first entered the VA market back in 2002, the state of the art was that there were scanners out there that would scan your network for vulnerabilities and give you a report on what was found.  Players such as eEye and ISS sold commercial scanners, and the open source Nessus scanner was viewed by many as their equal or superior. There was another category of vulnerability assessment that was performed via an agent, like NetIQ and Pedestal Software (acquired by Altiris). Essentially, one was network scanner based, the other agent based, but doing similar things.  The scanner based versions then matured to include distributed systems that allowed large enterprises to be scanned in a timely manner and centrally managed.

The next step in the evolution of VA occurred when some of the pure scan and report vendors started adding workflow and vulnerability management to the mix.  StillSecure's VAM and Foundstone were early entries in that space.  The next big trend in vulnerability assessment was its integration with other security and network management tools.  Integration with patch management, trouble ticket systems, asset inventory systems, network management, etc. began to integrate vulnerability assessment products into the larger fabric of IT management.  At the same time integrating and correlating vulnerability data with other security technologies also came into vogue.

The next big thing in VA was risk management/compliance (some might say it was all about risk management from the beginning).  Expanded, customized reporting that allowed administrators to manage their risk month to month and generate reports for auditors, geared towards compliance issues, was a new way for VA to offer more value.

Over the past year, many have asked what is next for VA.  I think we are seeing the answer.  The answer is VA is morphing into security configuration management.  Ron Gula and the Tenable team have been pushing this with Nessus and their commercial products for a while now.  Now nCircle announces today their Configuration Compliance Manager.  At StillSecure we have had this ability for some time, and our newer tests are more geared to this type of test and policies.  Our customized reporting lends itself well to this task. I am sure we will see the rest of the VA pack hopping on this bandwagon soon.

Why is vulnerability management in this torpid state and morphing into configuration management?  There is no easy answer.  First of all, even though it is not growing as fast as it was or is as cutting edge as it was, it is still a widely deployed and used technology and will continue to be so for years to come.  Much as IDS is dead, but alive and well in networks everywhere, vulnerability assessment will continue to live on.  However, it has seemed to lose some of its appeal.  The reasons for this are many.  One is the natural evolution of the security market.  Another is the basic fact that vulnerability assessment and the patch management market it works with is a hamster wheel game, a bad news generator.  You scan, you find bad stuff, you fix, you scan again and again and again.  Can you ever get out ahead with that strategy? I think the market is looking to break the cycle and find a more efficient way of dealing with the problem.  In the meantime, the security configuration management space is not an end game for VA, just another step on the road.  The problem with using these tools for security configuration management is they do not have any enforcement or teeth.  Unless combined with some sort of NAC solution (that is where this stuff is really going), configuration scanning is just good for generating reports.  The market will demand action if these products are going to succeed.  Look for that action coming soon.

At StillSecure we already have this.  We call it the policy driven network and we are implementing it with a large government customer.  This is the future of VA. In the meantime remember you read it here first, VA is dead!

October 13, 2006

Toto, you are not in Kansas anymore

Seems Greg Toto, VP of Product Management at Big Fix, took a little offense to my comments regarding patch management and Big Fix. I would normally leave his comment condemned to right hand column purgatory, but Greg obviously feels pretty strongly about his position and frankly I think he is dead wrong.  So I am going to publish his comments into the middle column along with my response.  Of course, I will give Greg a chance to respond as well.  You should also know that I have spoken to Greg a few times in the past and though he is passionate about his product, I have nothing personal against him.  However, Pride is one of the 7 deadly sins.  Interestingly enough, it was St. Gregory the Great who originally introduced the 7 deadly sins and he lists Pride as the first and most deadly.  It would appear Greg has not read his namesake's work and is certainly guilty here.  Let's look at what he has to say:

Alan,

Nice piece about patch management consolidation. I think you addressed the inaccuracies in the SearchSecurity article well. However, I think you missed the mark on a couple of things.

One is that scanning based vulnerability assessment vendors have any long-term future at all – with or without remediation. I think they are fundamentally doomed. Sorry, but the laws of physics are against the network-scan paradigm. You cannot expect to control something (risk profile, configuration, compliance, whatever), any more tightly that half as fast as you measure it, and that assumes you can make your measurements – vulnerability scans for example – accurately and completely. Accuracy and comprehensiveness (can we say "mobile assets"), are not hall-marks of scan-based VA.

Now on to BigFix. You mention that we have "tried to position" ourselves as "so much more" than patching and may be left out of this "feeding frenzy". Oh Alan, how much you miss! You have confused our point of entry into the enterprise market (patch management), with what BigFix is - a disruptive platform for managing the health and security of enterprise computing assets – anytime, anywhere – in real-time. And note, I didn't say "Windows assets", I said "computing assets" - these days every asset that connects to your network is part of your risk equation and ultimately your management headache.

Nor is BigFix overly concerned about being acquired. We have the right technology and team to upset the systems management apple-cart in large enterprise (and I include security in that cart as well). But don't believe me, just ask BigFix's global enterprise customers that are now replacing SMS, and Tivoli, and Radia, and Altiris, and McAfee - and their gaggle of point tools – like PatchLink - with a BigFix security configuration management solution that covers network discovery, inventory, software distribution, anti-malware, and yes, patch! Like TRW Automotive, Pitney Bowes, Countrywide Financial and 500 more.

Regards,

Greg

OK, let's dig in here.  First of all, to Greg's point about scanning based vulnerability assessment having a bleak future.  Greg's reasoning is that they are fundamentally doomed due to the laws of physics.  Greg cites what I guess is the Toto Law of Special Relativity, that says you cannot control something, any more tightly that (sic) half as fast as you measure it.  I assume he means any more tightly than half as fast.  In any event, I remember taking some physics in school.  I do remember some physics theories by a guy named Einstein and some laws by Newton, but I don't remember any by Greg Toto and I don't remember any law of physics anything like he is talking about.  Now maybe I was out in the Rathskeller that day drinking beers and missed it, but I doubt it.  So Greg, I have to call BS on your laws of physics.  Next, what difference does it make anyway?  Are you telling me that your law would only apply to vulnerability scans but somehow host based assessments would be immune from this law of physics?  Are your host based assessments not subject to the laws of physics, or do the laws of physics cease to function when applied to Big Fix?  Somehow, Greg says that because I have an agent on a machine, the information I will receive from the assessment it does is of a higher accuracy, faster and more comprehensive than a network based scan.  Greg, maybe you should go talk to Richard Stiennon and let him tell you about how you cannot believe an endpoint to honestly report on itself.  You probably need both views at certain times to truly deal with this problem.

Then Greg, you point out that network based scans might have a problem with "mobile assets".  Glad you brought it up.  Yes, if the device is not on the network at that time, it cannot be scanned.  Let me throw one out at you, can we say "unmanaged mobile assets"?  Yeah Greg, what do you do when you can't put your software on the device to test it?  Don't start rambling about your partnerships with Infoblox and such who can put it in quarantine.  That is diminishing productivity.  Greg, you can jump up and down and rant all you want.  Fact is that putting agents on every single device is never a complete answer in today's dynamic environments. You are going to have devices that you cannot install software on, and then what do you do? On top of this, last I looked there was not a very big fan club for putting yet another agent on machines to manage.  Frankly I don't care if you have agents for Windows, Mac, Linux, OS/2 or the microwave oven for that matter.  The more agents, the more overhead!

I think any rational security expert without an ax to grind or a product to sell will tell you that you need both host-based and network-based security in place.  You need to make sure you are getting an independent view of what is coming on the network and what its posture is.  In fact much of today's security technology comes down to network-based and host-based approaches.  Though our products are clearly network based, I am not too proud to admit that they are not all you need. There is certainly a need for host-based security. But Greg, don't be so prideful as to think that the reverse is not also true. I find it hard to believe you would not agree with that, Greg.

Next Greg takes out the marketing hose and starts spraying Big Fix marketing hype all around.  So let's put our boots on and wade on in.  It seems Big Fix can do it all.  Greg, I think you left out access control, I know you claim to do that as well.  In fact Greg, Big Fix does so many things it is sort of the Popeil Kitchen Magician of security configuration.  Maybe you can get Ron Popeil to put you guys on after the Showtime BBQ rotisserie.  It could be a new distribution channel for you.  Remember the old saying though, jack of all trades, master of none!

Are we to believe that Big Fix is so disruptive that Microsoft should stop selling SMS, IBM better not bother with Tivoli and HP should just junk Radia, not to mention Altiris, McAfee and the rest?  Please Greg, like the title of this article says, you are not in Kansas anymore, son.  Don't come out here spewing marketing spin and expect to score any points or fans. When you are taking on companies like this, you are playing in the big leagues, and a little humility may do you some good. These are all companies with exponentially more resources, experience, sales footprint and distribution models than Big Fix.  You tell us about a few customers; last time I checked, Tivoli and SMS had a few customers too.  Greg, your pride is showing through and blinding you to common sense. But let's be real, at the end of the day you are not in their league, fella.  Big Fix's bread and butter is still patch.  When you get big enough to become a blip on the big boys' radar they will swat you like a fly.  At that point I suggest you put on the ruby slippers, click your heels three times and wish you were just a patch manager again. It may be too late.


October 06, 2006

Patch Management coming to a large security company near you, soon

Dennis Fisher over at SearchSecurity.com has an article up about patch management vendors under siege.  The gist of the article is that, like Mike Rothman, Dennis believes the Citadel-McAfee deal is going to set off a feeding frenzy for stand-alone patch managers, as the large security behemoths seek to add patching to the stable.  Where Dennis, I think, is a bit confused is that he must have drunk a double dose of Patchlink CEO Pat Clawson's Kool Aid.  I have to question Dennis's knowledge of the space when he says things like "The space is populated mainly by a handful of large players, such as CA Inc., Symantec Corp.'s BindView offering and PatchLink Corp., in addition to myriad smaller, more specialized vendors, including Altiris Inc., Shavlik Technologies LLC, BigFix Inc. and St. Bernard Software Inc.".  Large players such as Patchlink, in addition to the smaller more specialized vendors like Altiris?  Dennis, take a good look at Altiris's market cap and you tell me if they are a small vendor versus Patchlink.  Maybe it was Pat Clawson's spiel about being on an acquisition spree that fooled Dennis.  The only acquisition spree they are going on at Patchlink is maybe at the 99 cent store.  Pat looks like he is following the same strategy he followed at Cyberguard, from which he came.  Bottom fishing for distressed companies that might have some salvageable technology he can grab for next to nothing, to stack up and make it look interesting to a prospective buyer.

Make no mistake about it, Dennis and Rothman are right.  We are going to see consolidation here.  Dennis has Symantec's BindView as a large player in the patch field.  I think he is wrong again. BindView is a vulnerability assessment player (and not a great one at that, never understood why Symantec picked them) that actually would benefit from a patch acquisition by Symantec. I think the folks to acquire patch vendors are the vulnerability assessment players.  Look for IBM/ISS to make a move here.  Possibly look for Qualys or nCircle (if they are not acquired themselves) to either try to acquire or forge a strategic relationship here. I have always wondered why Cisco is not a bigger player in vulnerability management. Maybe even eEye will make a move.  I do think Patchlink will be the next to go though.  With their founders' lawsuits hanging over their heads, Clawson's track record and the company size, they make a good target.  One company I think may get left out in the cold on all of this is Big Fix.  Because they have tried to position themselves as so much more than just patching, they may have positioned themselves right out of this feeding frenzy.

Important thing to remember though is that at the end of the day, there is a giant 8000 pound gorilla in this space who will ultimately own it.  Whether it be WSUS, SMS, Windows Update or their next version, Microsoft is the player that keeps the rest of the guys up at night.

October 04, 2006

McAfee scoops up Hercules

Yesterday it was announced that McAfee acquired Citadel Software for 56 million dollars.  I have known the folks over at Citadel for many years.  Congratulations to Steve Solomon, Carl Banzhoff, Michael Hall, Michael Wiser and the rest of the gang over there. If you are not familiar with Citadel, let me tell you that in the federal market place they are a powerhouse and they probably have the largest library of patches and remediations available.  At 56 million it seems like a bargain for McAfee.  Not sure where their stock was before this, but at one time Citadel was trading for many times that number.

McAfee has now bought Preventsys, Foundstone and Citadel.  If they can put them together without too much overlap it could be a great combination in vulnerability management.

October 02, 2006

3rd party patching - Pandora's box is opened

So it seems the genie is out of the bottle on 3rd party patching. With the new IE vulnerability that became public last week, it has been reported that both ZERT and Determina have released patches to cover until the official patch is released, currently scheduled for the regular Patch Tuesday release on October 10th.  This is on the heels of a previous ZERT patch for the VML flaw a few weeks ago, a Patchlink workaround for the same flaw and of course eEye's 3rd party patch of a few months ago.  I still think that Ross Brown is right on with this one.  3rd party patching is not a business.  I think the ZERT guys are looking to do this to make a statement, and their commercial aims are less clear.  I think commercial companies release them from time to time but quickly find out the gain is not worth the risk.  However, we are going to continue to see one company after the next experiment with these, and more people are going to give them a try.

Another problem is if you have multiple 3rd party patches for a given vulnerability, which one should you apply?  How do you distinguish quality?  I think it is going to be pretty much the wild, wild west out there and it won't get better any time soon.

September 26, 2006

Third party patches and the layered security model

As I expected, Ross Brown responded to my question on 3rd party patches.  His answer both surprised me in that I think we actually agree on some things and disappointed me in that for the sake of pushing Blink (that does seem to be his latest crusade) he seems to have taken a very narrow approach to risk management and security that goes against a best-practice, layered approach to security. For this reason Ross wins my book of the month club award.

First, why I was surprised and agree with Ross.  Third party patches are, as he says, not a great idea and a necessary evil that should be used sparingly. I agree and said as much in my earlier article.  The reasons Ross cites are exactly the kind of things that I and others have said from the beginning.  Too many moving parts and too much risk, and no familiarity with the source code involved.  Ross flat out says it is not worth the return from a business perspective.  This of course is a little different than what we heard from eEye a few months ago, but to be fair, Ross was not CEO then.  I wonder how much the rise of ZERT has influenced this decision, if at all. I will leave it to you all to decide. Here is my question to you Ross: if this is not a business you want to be in, why don't you promote and help ZERT in their efforts? 

Where I disagree with Ross is his answer to the zero day problem (oh no, not another answer to the zero day problem), Blink. In a nutshell Ross's arguments for Blink are similar to those made most popular by Tipping Point, but by others as well.  Namely, that patching is a losing battle, that other security technologies are rendered superfluous by their favored product and that they have the magic bullet.  Tipping Point claims digital vaccines and all kinds of other zero day protection, that will allow you to apply patches in your spare time, when you get around to it.  Now Ross is giving us the same spiel.  Anytime I hear the magic bullet speech, the hairs on my neck stand up (my neck is one of the few places I still have hair near my head) and I fight back the urge to puke.  Ross says that in fact Blink is so good they are coming out with server versions next.  Geez, maybe they should change the name from Blink to Stare, you know, always on versus on and off. 

Sounds to me like eEye wants to take on ISS and Cisco in the host-based protection market.  However, what Ross appears to be missing, or at least is not saying, is that host based protection alone is never going to be enough.  The same way network based IPS is never enough by itself, which is why you see Tipping Point adding UTM type functionality to their line up.  ISS positions host based protection as just one piece of the total security answer.  Frankly, the host based market has several good products.  ISS, Cisco and McAfee are but three vendors that have quality offerings.  However, none of them claim it to be the be-all and end-all.  Ross, there is no Santa Claus, there is no Tooth Fairy and there is no silver bullet in security.  You can tout your product as a great selection in its class all you want, but when you over promise, you can only under deliver. A good layered security model is still the best bet for anyone serious about reducing their risk and securing their network.

Editor's Note: Of course I made this picture from the great book Blink, by Malcolm Gladwell.

September 25, 2006

Who would you trust for a 3rd party patch?

I have been reading some more on this 3rd party patch from ZERT.  Reading the ZERT Manifesto, it would appear that they are serious about providing protection for 0-day exploits. It would also appear that this is not a group that was formed for profit in releasing these patches.  At the very least, not a commercial entity.  Now the only commercial entity that has done 3rd party patches that I know of is eEye.  I have been thinking that if there was a situation where I was going to consider deploying a 3rd party patch, would I want to use one from a non-commercial, non-profit type of organization or a commercial entity such as eEye?  I know Ross Brown of eEye reads this blog.  I would be interested in what Ross thinks.  The obvious answer from Ross is the commercial entity.  However, give me some good reasons why. 

Is there a place where these two types of entities work together so that there is one 3rd party patch, tested and approved by non-commercial and commercial entities alike? I think 3rd party patches, to be successful, are going to have to be rarely used and of top quality. It should be interesting to see what type of 3rd party patch provider you would prefer.  Maybe we can get someone from ZERT and eEye on the podcast one night.  Anyway, which would you use?

Third party patches, 3rd party workarounds - here to stay

I have written before here and here about my feelings on 3rd party patches. Basically, my feeling is that it is like playing Russian Roulette.  However, with this latest VML vulnerability and the subsequent patch by ZERT (Zero Day Emergency Response Team), I am beginning to think that my opposition may be akin to spitting in the wind.  People unwilling to wait for MS's patch cycle to address this are going to take their chances.  I do not think this will work for large enterprises.  Generally, they do not put out patches willy-nilly; however, small businesses and consumers are going to be driven into this.  Good discussion of this on IT Business Edge.

Another approach is being taken by Patchlink.  Instead of releasing a patch, they have released a more limited workaround which should protect you until MS releases their patch.  The catch is you have to be a Patchlink customer to get it.  Sounds safer, if you are a customer. If it is any good, I think they would gain more PR and goodwill by making it generally available than hoarding it for their customers only. 

September 02, 2006

Disclosure - open, responsible, new, old - have we heard enough?

Thomas over at Matasano blogs on two recent articles by Pete Lindstrom and Rich Mogull around the constantly swirling disclosure debate.  Mike Rothman and Martin McKeay have joined in here, and of course I have already been down this road with Ross Brown. Thomas actually lays out some good points that he has made in previous posts.  However, at this point I think everyone has taken a shot at this and it is safe to say reasonable folks are going to disagree reasonably.  The shame I think is that at the less extreme ends of the views, there is enough common ground to come to a consensus.  I guess we will have to let the emotions calm down a bit and then revisit.

August 15, 2006

Who's afraid of the big bad worm (or the death of security as we know it)

Last week saw the "security pundits" ringing the alarms about a major worm attack on its way exploiting MS06-040.  I envisioned the next Blaster/Slammer wreaking havoc with our networks and computers.  Frankly, as evil as it sounds, it's good for business (hey, I'm a vendor), and generally serves to refocus our attention and companies' budgets on getting real about security.

After reading things like Mike Murray, director of vulnerability management over at nCircle, saying in an Information Week article, "And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability. Well, this is the one," then seeing DHS (someone should tell the guys at Information Week that it does not stand for Department of Homeland Defense) issue a US-CERT warning encouraging everyone to patch this, I took notice.  Microsoft told us to give this one a top priority.  HD Moore made his exploit public, showing it could result in a DDOS attack.  Murray over at nCircle further said, "It's only a matter of time or luck before this turns into the scale of MSBlast. Essentially, every Windows system is vulnerable. This is one of those worst-case 'pull the plug on the Ethernet cable' events." I was pretty confident that we were going to have some trouble. So here we are on Tuesday, the sun still came up, the Internet is still working and I have not seen any reports of a major worm outbreak.  Is it too soon?  They said we should see something in 2 to 4 days.  There have been reports of a botworm out that does exploit this, but it has not become a Slammer/Blaster type of event.  Why?  Is everyone already patched against it?  Are we ever really going to see another major outbreak of a mass market attack like we did in the past?  In my opinion the answer is no.  I think the reasons for this are several.  Here are the top ones in my mind:

  1. Who wants to create a mass exploit? People hack for profit, not for fun - In the past the script kiddies or people who wrote these worms for kicks were the main enemy.  After a few people got arrested for this, maybe the air has gone out of that balloon. The real reason though is, where is the money in it? In the immortal words of Cuba Gooding, Jr. in Jerry Maguire, SHOW ME THE MONEY! Putting out a mass market worm like this does not make the worm writer any money (unless he does the talk show circuit after he gets out of jail). We have moved beyond people hacking for fun and kicks to people hacking for profit. Today's attacks are aimed at specific targets which yield financial gain.  Whether you subscribe to the cyber-mafia theory or not, there is too much money in play and hackers now will use a valuable exploit like this to maximize their profit, not waste it on a mass market attack. 
  2. We have gotten better at finding, patching and warning on this stuff.  There is no doubt that with the regular Patch Tuesdays from Microsoft and the proliferation of vulnerability management and patch management programs, as well as SP2's automatic updates, on the whole computer users are much more protected against known vulnerabilities like this than they were a few years ago.

So what does this mean for you as a computer user and me as a security vendor?  Well, it does not mean that we let our guard down, for one.  We have to continue to do the right things: stay on top of patching, do vulnerability management in a systematic way, and be prudent in opening unknown files and attachments.  Basically, doing the types of things we have grown accustomed to.  However, for the security industry, I think we need to move beyond defending and planning to contain the next mass market worm outbreak.  We have to zero in on targeted cyber-criminals stealing and hacking for money.  That is the next battleground.  We cannot rest on our laurels from fighting the script kiddies; frankly, that was child's play compared to what we have to combat now.

July 22, 2006

65 in 1

I missed this one a few days ago, but thought it ludicrous enough to mention anyway.  Oracle just released their quarterly update patch.  Looks like a lucky thing they did; it seems it takes care of 65 discovered vulnerabilities, some 23 or so critical.  I wonder what Martin McKeay and my friends on the Security Roundtable would say about this.  Funny, I don't see anybody jumping up and down like they do when Microsoft puts out a patch.  Take 3 months worth of Patch Tuesdays, and you have just about the same amount of patches here.  Anybody want to tell me that Microsoft's record on these is worse than the rest of the industry?  Here is another thing I don't understand: with all of the critical data kept in Oracle databases, why aren't their customers demanding better written software and more frequent updates? Quarterly updates are just not responsible or reasonable in today's atmosphere.  This type of response I think screams for more public disclosure by people finding these holes.

July 21, 2006

More on rapid versus responsible disclosure

I wrote an article the other day called Fire! that was in response to a post by Martin McKeay calling for instant disclosure of vulnerabilities.  Martin's premise was that vendors are not responding quickly enough to responsible disclosure and the bad guys know about these vulnerabilities anyway.  Therefore, what was the use? I responded that I think responsible disclosure is still the best alternative, but if the vendor does not respond in a timely manner, then it is OK to go public.  Michael Farnum commented that he agreed with this view.  No less an authority (I say that only partially tongue-in-cheek) than Mike Rothman also picked up on this and also agreed that responsible disclosure is the preferred way to handle this.  Now Martin uses the recent example of PayPal taking two years to respond to a found vulnerability to justify the instant disclosure argument.  I commented on Martin's post, but wanted to fully respond here. 

In my mind the person who discovered this vulnerability and sat on it for two years because PayPal did not acknowledge it is guilty of irresponsible disclosure.  The whole point of responsible disclosure is to give the vendor a reasonable time to respond. Two years is way beyond that.  However, I think that this example is the exception rather than the rule.  I think for every PayPal example there are tens, if not hundreds, of others where the vendor does respond in a reasonable time.

Another point Martin makes is that responsible disclosure doesn't help against the bad guys, as they know about the vulnerabilities anyway. I think that is propaganda and without proof, I don't buy it.  In fact I think instant disclosure helps the bad guy.  Michael over at MCWresearch.com (who is a frequent reader of my blog, it appears) has written a very well reasoned article on this that shows some real concrete examples of why instant disclosure helps the bad guys more than it helps anyone else.  No need for me to repeat what Michael wrote, but read it for yourself. It is very persuasive.

I think the vote is in on this one and responsible disclosure is the right way to go!

July 11, 2006

Security is the business and business is good

Microsoft, fresh on the heels of fixing a record 21 vulnerabilities last month, this month rolled out 7 patches to fix 18 more, according to an article in Information Week.  I guess the QA folks and testers for these patches will be busy tonight.  Once the announcement on these is made, it is a race against the clock to get the patches in place before the bad guys have the exploits out for them.  The cat and mouse game continues.  But hey, look at the bright side: if these patches were not coming out, then what would we do?

June 09, 2006

What's for lunch Tuesday? It doesn't matter

Plan on missing lunch or working late on Tuesday.  MS has lined up a busy Patch Tuesday for this month with perhaps 12 new patches: nine for Windows, two for Office and one for Exchange.  You can read all about it on Dark Reading here.

April 28, 2006

Irresponsible bug disclosure continued

Yesterday I wrote about the researcher who recently reported the latest bug in Internet Explorer.  I also blogged about an article by Larry Seltzer about irresponsible bug disclosure.  Well, I feel obligated to say that inadvertently, we were involved in what was certainly a premature, if not irresponsible, disclosure.  As part of our SAT (Security Alert Team) research on new vulnerabilities, we are involved with several other companies in pooling research and writing tests and scripts for new vulnerabilities.  Well, the team that works for this group of companies (not StillSecure employees) thought they found a bug in the Nessus vulnerability scanner.  Without first disclosing this to StillSecure or the other members of the group, the team went and reported the bug on Bugtraq on Security Focus.  Besides not telling us first, they did not even give the developers of Nessus, the folks at Tenable Network Security, the courtesy of notifying them first so they could fix it before anybody exploited this.  As it turns out, though technically it is a bug that Tenable will address, it is not clear whether it could have been exploited or not. That, however, is not the point.  The developer should have been notified first; anything less is irresponsible, whether it is my company that does it or another company, whether it is about a competitor or a partner.  It is about unnecessarily exposing people to security incidents.  How can a developer do something before an exploit is out if they don't know about it?  Needless to say, the team that does this research will not be following this practice again.  We have put safeguards in place that will prevent that type of thing from happening.

April 27, 2006

Larry Seltzer weighs in on irresponsible bug disclosure

Earlier I wrote about the new possible zero-day vulnerability for MS IE that was announced today.  What particularly raised my ire was the fact that the researcher did not even give Microsoft any advance warning before publishing.  Now Larry Seltzer over at eWeek has written an exposé that gives us a little more insight into this.  It seems this particular researcher had some sort of ax to grind against Microsoft and did this for purely spiteful reasons.  Not a good thing for sure!  Larry has some great takes on this and you should take a look at the article.

Another IE Zero-day vulnerability possible

An article in eWeek yesterday outlined yet another potential critical flaw in Internet Explorer.  It is not yet certain whether or not this flaw can actually be exploited, though.  One thing I did not like about this is that the researcher who found it blindsided Microsoft by not first notifying them of the flaw.  This raises an ethical question of whether someone who finds a new vulnerability should have some sort of moral obligation to report the flaw first to the vendor whose product has the flaw, so that they can fix it before the bad guys find out about it.  With many companies like 3Com paying for new vulnerabilities, I think we are not giving much of an incentive for these people who discover these new bugs to do the right thing.  Then on top of this, when the media interviews them and treats them to their 15 minutes of fame, the researchers get drunk on the attention. You can't blame these guys for racing to make their findings public under these circumstances.


April 25, 2006

Are automated patch management systems enough?

Good article today by Mathew Schwartz on Enterprise Systems on the elusive goals of automated patch management.  When talking to customers about VAM, our vulnerability management platform, they are often confused by spin they receive from some of the patch vendors that automated patch management is not just a part of a comprehensive vulnerability management strategy, but is the whole answer. It is just not the case. Mathew has some good examples of this.  Vulnerability management as we practice it at StillSecure involves everything from finding devices on the network, identifying their profile, and scanning them for vulnerabilities via the network.  Depending on resources in place, we can then correlate that with data obtained from other sources such as other scanners, host-based agents, IDS data, asset inventory systems, etc.  Then we take the vulnerabilities found and manage the process of remediating them and verifying their remediation.  Automated patch management is one part of this entire life-cycle and at best still needs to be managed and overseen by a real live human.  We think of remediation as both manual and automated and our vulnerability workflow takes both of these into account.  Then of course you need verification and reporting/risk management.  This is why I think any patch vendor that tells you their automated patch system is a stand-alone vulnerability management solution is not being honest.  There is just so much more that needs to be done if you are going to be successful managing your risk from vulnerabilities.

Another point from the article is that NAC is a great way of catching devices that have slipped through the patch system.  That is 100% correct.  In my series on what makes a great NAC solution, remediation options will be a factor to consider.  What I also considered interesting is that one of the quoted individuals from another NAC vendor takes the typical agent-only based approach to how NAC can help.  If you don't have the agent, they rely on a DHCP server from another vendor for unmanaged systems that don't have their agent installed.  In my series, the ability to perform NAC on all manner of devices, managed and unmanaged, is one distinguishing factor you should look into before picking a NAC solution.
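To make the "patching is one step, verification is another" argument concrete, here is a small added example (not StillSecure's VAM code) that reconciles what a patch system claims it deployed against a later network rescan and the asset inventory; hosts where the claim and the rescan disagree, and hosts the patch agent never saw, get tickets that a person still has to look at. The patch report, scan results and host list are constructed inline, and the bulletin and vulnerability identifiers are placeholders.

```python
"""Reconcile patch-system claims against a network rescan.

Added example, not StillSecure's VAM code. All data below is constructed;
BULLETIN-n and VULN-n are placeholder identifiers, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed patch-system report: host -> patches the tool claims it applied.
PATCH_REPORT: Dict[str, Set[str]] = {
    "ws-101": {"BULLETIN-1", "BULLETIN-2"},
    "ws-102": {"BULLETIN-1"},
    "srv-201": set(),
}

# Constructed asset inventory: hosts that have the patch agent installed.
MANAGED_HOSTS: Set[str] = {"ws-101", "ws-102", "srv-201"}

# Constructed network rescan: host -> (vulnerability, bulletin that closes it)
# still detected over the wire after the patch run.
SCAN_RESULTS: Dict[str, List[Tuple[str, str]]] = {
    "ws-101": [],                           # clean: claims hold up
    "ws-102": [("VULN-1", "BULLETIN-1")],   # claimed applied, still open
    "srv-201": [("VULN-1", "BULLETIN-1")],  # managed, not yet deployed
    "guest-9": [("VULN-1", "BULLETIN-1")],  # no agent, patch system blind
}


@dataclass(frozen=True)
class Ticket:
    host: str
    bulletin: str
    vuln: Optional[str]
    status: str       # verified | slipped | open | unmanaged
    remediation: str  # automated | manual | none


def reconcile(patch_report: Dict[str, Set[str]],
              scan_results: Dict[str, List[Tuple[str, str]]],
              managed_hosts: Set[str]) -> List[Ticket]:
    """Cross-check every host the scanner or the patch tool knows about.

    A patch is 'verified' only when the tool claims it AND the rescan no
    longer finds the matching vulnerability; a claim contradicted by the
    rescan is a 'slipped' host that needs human follow-up rather than
    another automated push.
    """
    tickets: List[Ticket] = []
    hosts = set(scan_results) | set(patch_report)
    for host in sorted(hosts):
        findings = {bulletin: vuln for vuln, bulletin in scan_results.get(host, [])}
        claimed = patch_report.get(host, set())
        if host not in managed_hosts:
            # The patch system cannot reach this host at all, so only a
            # manual path (or a NAC quarantine) will close these findings.
            for bulletin, vuln in sorted(findings.items()):
                tickets.append(Ticket(host, bulletin, vuln, "unmanaged", "manual"))
            continue
        for bulletin in sorted(claimed | set(findings)):
            vuln = findings.get(bulletin)
            if bulletin in claimed and vuln is None:
                tickets.append(Ticket(host, bulletin, None, "verified", "none"))
            elif bulletin in claimed:
                tickets.append(Ticket(host, bulletin, vuln, "slipped", "manual"))
            else:
                tickets.append(Ticket(host, bulletin, vuln, "open", "automated"))
    return tickets


def summarize(tickets: List[Ticket]) -> Dict[str, int]:
    """Count tickets per status for the reporting/risk step."""
    counts: Dict[str, int] = {}
    for ticket in tickets:
        counts[ticket.status] = counts.get(ticket.status, 0) + 1
    return counts


if __name__ == "__main__":
    for t in reconcile(PATCH_REPORT, SCAN_RESULTS, MANAGED_HOSTS):
        print(f"{t.host:8} {t.bulletin:11} {t.status:10} remediation={t.remediation}")
    print(summarize(reconcile(PATCH_REPORT, SCAN_RESULTS, MANAGED_HOSTS)))
```

With the constructed data, one host verifies cleanly, one is "slipped" (the tool says patched, the rescan disagrees), one managed host is simply not yet patched, and the agentless guest shows up only because the network scan looked for it.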

April 24, 2006

The patch for the patch

Maybe old news by now, but I wanted to comment for the record and make sure everyone is aware that there will be a new patch from Microsoft tomorrow (Tuesday) that will supposedly correct some of the issues surrounding the problems with the last Patch Tuesday patches.  For those companies that had not rolled out the patch yet because of the problems or because they were still testing them in their own QA labs, they can skip right to the new ones maybe.  You can read more about it on SC magazine here.


April 18, 2006

More on Patch Tuesday problems

Following up my comments this morning on some of the problems with the Microsoft patches from this last Patch Tuesday, Jennifer LeClaire at TechNewsWorld had an article today in which I am quoted.  You can read it here.

Maybe not such a ho hum Patch Tuesday & software patents

Last week I wrote about another MS Patch Tuesday release and how mundane they had become. Well, maybe I was wrong.  It seems that this set of patches contained a patch that changed the way Internet Explorer handles ActiveX controls.  As a result, Siebel and several other web based clients are having problems, reports ComputerWorld.  Also, it seems dynamic content animations like some of those in Flash and in Java applets are having issues as well.  These changes were in response to a patent infringement lawsuit against Microsoft and were previously optional changes in Internet Explorer.  Tuesday they became mandatory.  Those applications that don't play well with the new patch will have to be changed to conform.  Microsoft has released another patch which puts this change off for another 60 days.  That means Oracle, aka Siebel, has 60 days to fix this on their end. 

On the issue of software patents, there has been a lot of talk lately about whether they should exist or not.  Brad Feld has a good article on this, where he calls for them to be abolished. Fred Wilson also wrote a thoughtful article on this topic as well. 

BTW, I also read that another one of the patches from this past Tuesday does not play nice with some HP software and is causing problems with IE and MS Office applications.  Just goes to show that sometimes racing to apply the latest patches may not be the wisest strategy to follow.

April 14, 2006

Patch Tuesday, ho hum

This past Tuesday was another Patch Tuesday, actually a pretty significant one, compared to earlier Patch Tuesdays.  I don't know if I was too busy being out of town, getting ready for the holidays or what, but I was just not as focused on this one.  Maybe it is a true sign that it is just becoming so routine now. 
Thank goodness our SAT team was not as blasé about this.  As usual they were working well before the patches came out to make sure our customers were protected.  Shortly after the release by Microsoft, all StillSecure customers were updated and protected.  That is not to say we were the only ones.  Most security companies also released signatures and tests shortly after the MS release.  Unlike some others though, we have decided to stop putting out a press release every time we release after a Patch Tuesday.  Customers expect this from their security vendors and I don't think trumpeting the fact that you did what you are supposed to do is anything more than blowing your own horn over nothing.  Anyway, hope you are all protected by now and StillSecure :-)

April 05, 2006

More on 3rd party patches

Good article in SC Magazine on the results of a survey about using 3rd party patches.  45% of US CIOs, SCOs and IT managers and 31% of those in the UK thought it was all right if an official one was unavailable and a zero day exploit threatened their systems.  Interestingly though, only 13% deployed the 3rd party patch for the WMF exploit this past January.  This says to me that though they might be willing to deploy 3rd party patches if they feel really threatened, it is really going to take something to move the deployed percentage from 13% to 45%. 

Other interesting info was that overwhelmingly (74%) said regular patch cycles like MS Patch Tuesday improved their overall security patching process.  But about half would like to see a combination: some patches, especially those with zero-day implications, released right away, while maintaining the regular schedule for the rest.  I read that as people are scared to death of zero day attacks.  I think overall the security industry has done a great job, maybe too good a job, of banging the drums on zero day stuff. 


March 28, 2006

3rd Party Patches - Should you use them?

I was reading an article today on the temporary patch that eEye Digital Security has created for an unpatched vulnerability in Internet Explorer.  Microsoft is supposedly working on a patch for this one as well, and may even release an out of cycle patch for it shortly.  In that event, the eEye patch is supposed to uninstall itself.  For those of you who do not know, eEye is a company that sometimes finds and frequently announces the existence of vulnerabilities as part of their vulnerability scanner research and other security product lines. 

The significance of this for me is that this is the 2nd time in the last few months that a 3rd party has released a patch for an MS vulnerability.  The first time was with the WMF flaw and the patch that came out by Ilfak Guilfanov.  Though originally hailed as a positive, when it became known that the patch caused problems with certain printing functions, the potential for problems with 3rd party patches became apparent.  That is, at best the quality of 3rd party patches could be uneven compared to patches from the vendors who actually own the vulnerable application (though vendor patches can be of poor quality too).  In spite of this possibility, it seems like 3rd party patches are going to keep appearing. In fact, I wonder if a company like eEye, who gains a lot of publicity by announcing vulnerabilities, sees an extension of this PR or even a business model around releasing 3rd party patches.  If the quality is good, why not?  Another view is that 3rd party patches force vendors into speeding up availability of their own patches.  This could be a good thing, or perhaps it forces a vendor to release a patch before the full QA is completed, in which case we all suffer.  In any event, I think 3rd party patches will have an effect on vulnerability management strategies going forward.
