11 posts categorized "rich mogull"

May 07, 2009

Social Security Blogger awards video

As I wrote earlier, this was the first year of the Social Security Blogger Awards. Rich Mogull did a great job lining up a blue-ribbon panel of judges, and I think the winners of the awards were very deserving. You can see the complete list of winners and the full video on the RSA conference blog here. But here is just part 1 of the video with Rich, Martin and then me:

This first year's awards were a learning experience in many ways. I hope that we can take the lessons learned and improve for next year!

April 21, 2009

Report from RSA

So I have made the annual pilgrimage to the city by the bay for RSA. As usual I got in late Sunday night in order to be at the Americas Growth Capital Conference on Monday. This was the 5th AGC Conference. It has become a must-attend event for many CEOs and other C-level execs in the security industry. Uncle Art of RSA delivered the keynote. Based upon his previous keynotes, I am surprised there were more than 3 or 4 companies there to listen to him, as we were all supposed to disappear. Anyway, his talk focused on DLP, GRC and encryption. Hey, when you are a nail, . . .

Anyway, the Qualys party was decent enough, very similar to last year. Tonight I will be at the SC Mag awards show. If you are here at RSA, stop by the StillSecure booth and say hello!

In other news:

1. What would you pay to put perhaps your biggest competitor out of business? If you are Oracle, about 7.4 billion. Hey and you get Java to boot!  Not sure what else they get though. Not sure of the future of Solaris or Sparc.  But Larry now has added another Silicon Valley legend to the stable.  What does the future hold for MySQL?  Will they just kill it? We will have to wait and see.

2. While we are discussing M&A, Lumension bought Securityworks and Symantec bought Mi5. OK, these seem like your average deals, but I bet the Mi5 folks are a lot happier with Symantec stock than the Securityworks guys are with Lumension.

3. Cloud and GRC – So far those are my votes for this year's RSA buzzwords. They seem to be all over the place. Oh, and DLP becoming real this year. That sounds like a familiar tune!

4. Shameless plug. If you are here at RSA, be sure to join Mike Rothman, Rich Mogull, Michael Farnum, Mike Murray and me Thursday morning for a panel on good security in tough times. Catch it if you can!

Have a great day!

April 02, 2009

Just what the security industry needs

So we all woke up today and the world was still here. In fact the market is even up as I write this. So was all of this Conficker stuff much ado about nothing? Maybe, maybe not, but it has certainly captured the imagination of the mainstream media and the public. More importantly, it has given the security industry a much needed shot in the arm. I have not seen such buzz and working together in a long time. Kudos to Dan Kaminsky and my friend Rich Mogull for facilitating a lot of that.

A good old-fashioned worm is just what NAC was designed to stop. This could turn out to be a really big boost for NAC vendors. Alas, it may come too late for some. I heard yesterday about yet another round of RIFs at a NAC vendor based up in the Northeast.

Here is a roundup of some other security industry – Conficker news:

1. eEye back to their old ways – Remember when eEye would always release a free scan for whatever the fear du jour was? I haven't seen them do that in years. But they released a free test for Conficker yesterday. I wonder how many people will download it. Ross Brown used to tell us; not sure if we will find out now, but it was nostalgic to see.

2. McAfee fails the Conficker test. Good blog on ZDNet by Ed Bott on what McAfee did wrong with Conficker. I don't see where their NAC can do anything about it.

3. Bill Brenner applauds the industry. Bill has a good article up on CIO Online commending the whole industry for not overreacting to Conficker and acting reasonably for a change.

In other news:

4. Symantec dealing with its own security incident.  Oh the irony!  What does it say when your security company loses the credit card numbers.  Tsk, tsk.

5. Please tell me you're just stupid. This article in the SDTimes by David N. Kleidermacher asks whether the failure to code more secure apps and OSes, and to adopt better security practices, is the result of apathy or ignorance. Probably a little of both. But I think most of it comes down to coin operation. Put the incentives in place and people will do things more securely.

That's it for now, have a great day!


March 27, 2009

Thanking the sponsors

As most of you know, this year's Security Bloggers Meet up at the RSA conference is going to be quite a party. In addition to the usual food, drink, podcasting and mingling among the who's who of security blogging and media, this year we also have the Social Security Awards. The Social Security Awards are the security blogging awards, and we have over 1500 blogs nominated in the 5 categories! At the end of this month the finalists will be given over to our all-star panel of judges, and the winners will be announced at the awards ceremony at the meet up.

Yours truly is the MC for the awards. I had invited Beyonce to come down and do a musical number with me ala Hugh Jackman at the Oscars, but she was busy and I don’t think will be at the meet up.  But you never know.  If not perhaps Martin McKeay, Rich Mogull and I could do a “if I were a boy” musical number ;-)

Anyway, what I wanted to say before going off on that tangent is that none of this would be possible without the very generous sponsors who have donated money, equipment and services.  In these tough times putting on an event this size is not cheap.  Also though not listed, a special thanks to the RSA conference folks themselves who have given so much to make this event a reality. Thanks to all of them!

Our latest sponsor, Seagate, is donating prizes for the Social Security Award winners and now has given us a NAS as a door prize as well! How cool! Now if we could just get a nice package of prizes and gifts for the event organizers!


February 27, 2009

Google search for real

We have all heard of the millennial generation. Generally it refers to people born after 1985 through now. The older millennials are already young adults, and their impact is being felt in social networking, politics and many other fields.

But it is the younger millennials who are going to blow us away. They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information is the norm. They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7 year old son Bradley. Bradley was working on some Pokemon character and was looking for a picture that he needed edited. He asked me to Google the character's name and then grab a picture and edit it. When I Googled the name, no pictures came up. Bradley said, "Dad, put 'for real' after the character's name." When I asked why, he said that is what he does when he can't find something on Google. Frak (Battlestar Galactica word) if that didn't work! How did Bradley come up with this? Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry?  Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if, or it's about the platform, stupid – Hoff has a good point today about VMware's use of the terms open and interoperable. These two abused terms get tossed around a lot. Open used to really mean open source. You had access to the source. Interoperable, in my mind, meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least about the openness of the product to use generally accepted means of communication. In my mind SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at, but is not saying clearly, is that now it is all about the platform. VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook and makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been "discriminated" against because he is a vendor and therefore deemed not objective. I agree that most people out of hand say you are a vendor and therefore not objective. Not that you can't try. I have been accused of the same thing. But being objective on this question, I have to say vendors can't be objective. Not to say we would lie, but if we didn't believe that our products were better, could we sell them? So yes, IT vendors are not going to be objective. But here is the kicker: neither can anyone else. We all bring our own views and prejudices to the game and that affects our objectivity. Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogull calls BS – Rich Mogull calls out Bob Russo of the PCI council. Seems Russo says that no business that is PCI compliant has ever been breached. They may have been compliant once, but when they were breached they were not. Rich, rightfully I think, calls bull on this. I am not sure if Russo is playing semantics here or what. Maybe he means that having a breach automatically puts you out of compliance? I don't know, but I have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!


February 25, 2009

Baby you're the greatest!

I thought I would continue my Mike Rothman Daily Incite series today. The only dangers I can see in this are that I might start getting grumpy and give up meat! But hey, Fake Steve Jobs stopped blogging, maybe I can be Fake Mike Rothman. Seriously, this format allows me to comment on a bunch of different things in one blog post, so I will go with it for a while.

First of all I want to call out that today is my 19th wedding anniversary! My wife Bonnie (the real Boss) continues to amaze me every day. Most times it is around how she puts up with me. But seriously, in this day and age where so many couples come and go, 19 years is an accomplishment. Marriage in some ways is a lot like security. You are not successful at it without a lot of hard work, staying on top of the game and being passionate about it, and it seems I am always one step behind! In the meantime, I still feel like Ralph Kramden, happy to have my Alice. So in the words of Ralph - Bonnie, you are the greatest!

Now on to the news and have a great day!


  1. Sourcefire goes into the 3rd party patch business. Shades of Ross Brown and eEye: the VRT at Sourcefire have released on their blog a "home brew patch" for the critical Adobe Acrobat vulnerability, which is actively being exploited in the wild. Adobe is supposed to have a patch out by March 11th. In the meantime, just as happened in the past, we really don't know if the 3rd party patch has been adequately tested. If it turns out it breaks something, Marty and team may wind up with egg on their faces. As I have written before, generally I am against 3rd party patches. In the meantime, Adobe, come on! If you want Acrobat to be ubiquitous, you need to do a better job of getting patches out. This vulnerability has been kicking around a long time!
  2. Checkpoint comes out with "software blades" for the UTM. Checkpoint has introduced a new concept in their UTM line up. They call them software blades. "The company describes a software blade as a security building block that is independent, modular and centrally managed." The software blades operate on a software chassis. Checkpoint wants to sell each blade for $1500. I don't know about you, but this sounds a lot like StillSecure Cobia to me! Modular security apps that run as software that can be mixed and matched on the management platform. Very little is new under the Sun!
  3. Top Ten web hacking techniques of 2008. And the winner is . . . If you did not get enough on Oscar night, here is the list of the academy awards of web hacking by Jeremiah, with help from an all-star cast of judges: The Mogull, HD Moore, Hoff and Forristal. Reading this post and Rich's post on it, the mice continue to get smarter. That makes us work harder making better mouse traps. Jeremiah will be presenting on this at a bunch of conferences including RSA. You probably want to catch that one.
  4. New kid on the block.  A friend of mine, Jack Mancini who has been working in security since Symantec first bought Norton (or was that when Ralph met Norton?) has started his own security blog called “Secure or Not Secure”. Jack is just launching a new security VAR down here in Florida. He has already put up some good stuff and I am sure will continue to do so!

Anyway that’s my news for today. I am putting the Pragmatic CSO ad down here. If the real Rothman wants to work out a revenue share deal with me it might find its way back to the top!


The Pragmatic CSO:

Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com


December 15, 2008

Repost: The Social Security Blogger Awards

I posted this a few weeks ago, but we are getting near the end of nominations. If you have not done so yet, please be sure to nominate your favorite security blogs for the Social Security Awards!

Another dream of mine becomes a reality. One of the things I have long thought of doing was starting a security bloggers awards program. With over 200 blogs in the Security Bloggers Network, some recognition for the best of the best would be great. There are so many great security blogs out there, with so much great content, that in my mind it was only natural that we have some sort of recognition for the very best. How to do these awards without making it a popularity contest, though? Where and when to hold an awards ceremony? Logistics, statistics and such.

It all came together this year. Working with my fellow Security Blogger Meet up committee members, Jennifer Leggio, Martin McKeay, Rich Mogull and Jeanne Friedman, we have made a Security Bloggers Awards a reality! I am proud to give you the "Social Security Blogger Awards". Pretty cool, huh?

This initial year of the Social Security Awards will feature awards in 5 categories:

* Best Security Podcast
Who is the voice you listen to week after week?
* Best Technical Security Blog
Who is digging deeper than anyone else?
* Best Corporate Security Blog
Which vendor's contributing the most to the blogosphere?
* Best Non-Technical Security Blog
Who's got the best 30,000 view?
* Most Entertaining Security Blog
Who keeps you riveted? Or who makes you laugh?

We will allow readers to nominate specific blogs, come up with finalists and then have a combination of reader votes and a blue ribbon panel of judges. The judges we have lined up are:

* Brian Krebs, Washington Post
* Bill Brenner, CSO Magazine
* Kelly Jackson-Higgins, Dark Reading
* Dennis Fisher, TechTarget
* Jeremiah Owyang, Forrester Research

There will be awards and surprises at the awards ceremony which will take place at the Security Blogger Meet up at RSA this year. You don't have to be a member of the SBN to be nominated, but like the old man says, "it couldn't hurt". If you would like to nominate your blog or have someone else nominate you can use this picture and link to http://www.socialsecurityawards.com

For those of you wondering, I and the rest of the committee and judges are not eligible to be nominated or win any awards.  Also in case you are wondering these awards are not for sale and you can't buy your own category ;-)

Anyway, I am really proud to see this idea becoming a reality. I hope that it will be a great program that will grow better year after year. For now though, what are you waiting for? Go nominate your favorite security blogs!

Author's note: Martin posted some good articles on this at the RSA Bloggers meet up site and his own blog, even if he did steal my graphic.


November 03, 2008

Came across this press release today

RENOWNED SECURITY BLOGGER MIA SINCE TAKING JOB

The Pragmatic, Inciteful Mike Rothman Has Gone Missing From His Blogging Since Taking a "Real Job"

(Alpharetta, GA. – November 2, 2008) – The mouth of the south, renowned security blogger, Mike Rothman has turned up missing in action shortly after announcing his acceptance of a full time position as a vendor puke with eIQ. Several inquiries have been made, but even “the boss” has been mum on his whereabouts. Several prominent security experts are already suspecting foul play and some even whisper of some sort of left wing conspiracy.

Rothman originally sounded optimistic about continuing his blogging workload and not abandoning his legion of fans in the RSS feed world. However, it appears that a “real job” has proven more than he had bargained for. Could it be, that after for so long making fun of others who blogged in addition to their full time jobs, the task is more daunting than Mike could handle? Could the Security Twits have kidnapped him? Where is Mike Rothman?

Other rumors flying around the blogosphere have reports of Rothman sightings. One report had him canvassing door-to-door on behalf of Ron Paul in Montana. Still others say that Rothman has been in an "undisclosed location" (the same undisclosed location Dick Cheney uses) working on Barack Obama's cybersecurity plans. Rothman's name has been floated as a possible Czar in an Obama administration. Some are saying Mike was holding out to be the Sheik of cybersecurity, not the Czar. Others say Mike was far too pragmatic to get mixed up in politics.

Several other well known security bloggers were asked to comment on Rothman’s whereabouts:

Chris Hoff of Rational Survivability said, “I hope and pray for the best for Mike. Unfortunately my suspicion is that he has been virtualized and sucked up into the cloud. We all know how insecure that can be.”

Martin McKeay of Network Security Blog said, “You know Mike always made fun of my privacy views, but for once I wish we had a way to get past privacy laws and find out what really happened to Mike. I may have to don my purple tights and Captain Privacy suit to lead the search for Mike”

Rich Mogull of Securosis had this to say, “Mike did ask me for a hazmat suit that I used for the Democratic convention. I hope something did not go terribly wrong and Mike winds up as a green, muscular super hero”.

Amrit Williams of Techbuddha had nothing to say at all about Mike. In fact he said he never really liked Mike anyway.

JJ of Security Uncorked said, "I think Mike is just holed up somewhere in the Deep South working on the next set of 802.1x standards. But if I don't start blogging more they may be putting out MIA releases on me next"

Richard Stiennon (sorry Rich, couldn't find your blog URL) said, "Though I am sorry to see Mike's disappearance, it does leave a real vacuum for blogging security analysts, and Stiennon's first law is 'blogging abhors a vacuum'."

Alan Shimel of StillSecure, After all these years, put perhaps the finishing touch on the Rothman situation saying, "You know Mike was a fast-talking NY guy who always spoke his mind. His up front, in your face style might have just rubbed someone the wrong way. He could very well be the security industry's Jimmy Hoffa. But you know, being the huge Giants fan he is, I am sure he would not mind being buried in the end zone of the new Giants Stadium."

In the meantime a Ten ($10.00) Dollar reward has been offered by the Security Bloggers Network for any information leading to the whereabouts of Rothman. Anyone with information regarding this mystery can email podcast@stillsecure.com. All information will be kept confidential, as well as HIPAA and PCI compliant.

**All names and quotes are purely fictitious. Who knows where Rothman really is?**

May 15, 2008

Rich Mogull does his best Stiennon imitation, says GRC is dead

Some of the Stiennon "magic" must have rubbed off on Rich Mogull when they were both at Gartner, or maybe, in a case of imitation being the sincerest form of flattery, Rich M secretly admires Richard S. In any event, taking a page out of the "xxxx is dead" playbook, Rich writes that GRC is dead. In fact Rich says it was stillborn and never really alive. There are many things that Rich says in his article, as well as in Gunnar Peterson's article that he references, that I agree with completely. However, overall I think Rich's fatal mistake is one of Titanic proportions. He is mistaking the tip of the iceberg for the entire mountain of ice that is under the water and not as easily seen. The reports and dashboards of GRC products represent the by-product of much of the real work and value they bring, not just to the "C" level but to the security practitioner who is tasked with ensuring compliance as well. I am seeing the compliance workload fall on the already overworked, underpaid security guy time and time again, and they need help with it!

I know people like Mike Rothman say compliance is bull and if you just follow good security practices, compliance takes care of itself. However, let's be real, folks: between PCI, SOX, FISMA, etc., compliance is driving budget in the security industry. In an industry where the "security guy" just did not have the tools to push through budget for the resources required, compliance has become the sledgehammer that the CISO and other security types use to crash through the doors into the CFO's office and get the budget required.

Before I delve further into why I disagree with Rich, though, let me state where I do agree with him, and with Gunnar for that matter. I do agree that a by-product of compliance has been a move towards running your business as "audit-driven rather than business-driven". Somewhere along the line we have forgotten that the rules, regulations and statutes that compliance is driven by were put in place to provide a minimum of acceptable security and confidentiality to protect sensitive information. It was supposed to be about protecting the data, not about checking off the compliance box! I agree with Rich that it has become a way into the C-level office. But what is so bad about that? Symantec has been selling their security into the CFO for years. Rich, not having worked at a vendor, you may not realize how hard it is for the security folks to get budget approval for the tools they know they need. In order for security to get its fair share of the budget pie, it is imperative that security budget decisions are made at the C-level. If the security team can't get the approval, the security vendor is going to try and help.

While dashboards and reports are the tip of the iceberg and the shiny baubles that are used by the GRC vendors to get attention at the C-level, I think that the bulk of the work takes place below the water. It is making sure that in fact the enterprise is in compliance. Making sure that everyone has the latest patch level, has AV installed and that data is protected from leakage is the real work. Testing and ensuring this is the real job of GRC; the reports and dashboards are just the way you can show it working. Rich, I think you are the one being short-sighted if you think these products are just about the reports. Without actually doing the analysis and investigation, the reports are meaningless. In my mind it is much like SIM reports. Without actionability and correlation, how much value are the SIM reports?

GRC is a needed tool in today's security practitioner's tool kit. They are being placed in the position to ensure compliance and they need the ability to do so. They also need help getting the budget approved for the tools they need to do the job. We can rant all we want about compliance for compliance's sake being asinine, but the fact is that is the world we live in right now, and rather than spitting into the wind, let's figure out how to make it work best for us.

February 14, 2008

StillSecure, After all these years, #53 - SSAATY meets the Network Security Podcast

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure, or anyone else.
