19 posts categorized "Richard Stiennon"

February 06, 2009

Innovation is dead, long live innovation

Just could not help noticing the irony of Richard Stiennon ranting against those who claim there has not been innovation in network security lately. This from the "IDS is dead, NAC is dead, Twitter is dead, this is dead, that is dead" expert. Richard likes to talk about technologies acting like magic, but I wonder if he is actually digging under the covers to see what is really so special about the “magic” he is describing, or is he swallowing the bill of goods the vendor feeds the analyst.

One thing about Richard, though, is that he still looks at himself and security as if he is the knight standing at the drawbridge over the moat surrounding the castle. Any talk of de-perimeterization elicits a visceral response from Richard. Subsequently a lot of what he considers innovative deals with the tried and tired M&M view of security: hard on the outside, soft on the inside. Melts in your mouth and not in your hands. I don’t want to get into the whole Jericho thing with Richard, but I do think we need as much security “in the network” as we do at the perimeter.


November 16, 2008

Now it's Twitter that's dead

Richard Stiennon is up to his old tricks again. The latest from the "IDS is dead, then NAC is dead, yada, yada, yada is dead" expert is this: Twitter is dead. First Richard wrote a few days ago about Twitter being doomed, and now he is laying out the scenarios in this article.

Richard is, if nothing else, consistent. In the meantime, if Twitter is as dead as IDS, all of their investors will be doing somersaults! Funny thing is, I notice Richard using Twitter quite a bit lately, as well as pimping for followers. Now of course Richard is also the person (or so he claims) that told McAfee who and what to acquire to make themselves who they are today as well. In fact, Richard is, I think, the Al Gore of information security. So what could be next, poor security leading to global warming?

November 08, 2008

Stiennon's first law of analyst blogging: Blogs abhor a vacuum

Just when we thought we would see a net loss of security analysts blogging comes word that it is not to be the case. First, former analyst and now vendor puke Mike Rothman tells us about the big G men starting to blog out in the open. Now comes word that former G man (among other things) Richard Stiennon is once again firing up IT-Harvest and the accompanying ThreatChaos blog. Just when Rich Mogull and Adrian Lane thought they only had to compete with the 451 guys. It just goes to show that Stiennon's first and only law on analyst blogging is indeed true. Analysts abhor a vacuum and love to hear themselves speak (or write).

I heard that Richard was not going to re-launch ThreatChaos because he was about to take an executive position with a NAC company, but that NAC company went out of business. Too bad, I would have liked to see Richard hawking NAC. Just kidding. In any event, and in all seriousness, I actually like Richard and, despite our many blog slugfests, have a lot of respect for him. I wish him well in this old/new endeavor and I am sure he will have lots to say now that the handcuffs are off. Look for the new Threat Chaos in the Security Bloggers Network feed soon.

November 03, 2008

Came across this press release today

RENOWNED SECURITY BLOGGER MIA SINCE TAKING JOB

The Pragmatic, Inciteful Mike Rothman Has Gone Missing From His Blogging Since Taking a "Real Job"

(Alpharetta, GA. – November 2, 2008) – The mouth of the south, renowned security blogger, Mike Rothman has turned up missing in action shortly after announcing his acceptance of a full time position as a vendor puke with eIQ. Several inquiries have been made, but even “the boss” has been mum on his whereabouts. Several prominent security experts are already suspecting foul play and some even whisper of some sort of left wing conspiracy.

Rothman originally sounded optimistic about continuing his blogging workload and not abandoning his legion of fans in the RSS feed world. However, it appears that a “real job” has proven more than he had bargained for. Could it be that, after so long making fun of others who blogged in addition to their full-time jobs, the task is more daunting than Mike could handle? Could the Security Twits have kidnapped him? Where is Mike Rothman?

Other rumors flying around the blogosphere have reports of Rothman sightings. One report had him canvassing door-to-door on behalf of Ron Paul in Montana. Still others say that Rothman has been in an “undisclosed location” (the same undisclosed location Dick Cheney uses) working on Barack Obama’s cybersecurity plans. Rothman’s name has been floated as a possible Czar in an Obama administration. Some are saying Mike was holding out to be the Sheik of cybersecurity, not the Czar. Others say Mike was far too pragmatic to get mixed up in politics.

Several other well known security bloggers were asked to comment on Rothman’s whereabouts:

Chris Hoff of Rational Survivability said, “I hope and pray for the best for Mike. Unfortunately my suspicion is that he has been virtualized and sucked up into the cloud. We all know how insecure that can be.”

Martin McKeay of Network Security Blog said, “You know Mike always made fun of my privacy views, but for once I wish we had a way to get past privacy laws and find out what really happened to Mike. I may have to don my purple tights and Captain Privacy suit to lead the search for Mike”

Rich Mogull of Securosis had this to say, “Mike did ask me for a hazmat suit that I used for the Democratic convention. I hope something did not go terribly wrong and Mike winds up as a green, muscular super hero”.

Amrit Williams of Techbuddha had nothing to say at all about Mike. In fact he said he never really liked Mike anyway.

JJ of Security Uncorked said, "I think Mike is just holed up somewhere in the Deep South working on the next set of 802.1x standards. But if I don't start blogging more they may be putting out MIA releases on me next"

Richard Stiennon (sorry Rich, couldn't find your blog URL) said, “Though I am sorry to see Mike’s disappearance, it does leave a real vacuum for blogging security analyst and Stiennon’s first law is “blogging abhors a vacuum”

Alan Shimel of StillSecure, After all these years, put perhaps the finishing touch on the Rothman situation saying, “You know Mike was a fast-talking NY guy who always spoke his mind. His up front, in your face style might have just rubbed someone the wrong way. He could very well be the security industry’s Jimmy Hoffa. But you know, being the huge Giants fan he is, I am sure he would not mind being buried in the end zone of the new Giants Stadium”

In the meantime a Ten ($10.00) Dollar reward has been offered by the Security Bloggers Network for any information leading to the whereabouts of Rothman. Anyone with information regarding this mystery can email podcast@stillsecure.com. All information will be kept confidential, as well as HIPAA and PCI compliant.

**All names and quotes are purely fictitious. Who knows where Rothman really is?**

September 30, 2008

Sometimes there is more to appliances than software

I have had my share of blog wars with Richard Stiennon. I try to go easy on him now, so as to stay out of it. But, once again Richard shows that sometimes he just doesn't get it. His latest flub comes in a post on Nokia exiting the security appliance business.

Richard says in essence "good riddance". He says Nokia was lucky to capitalize on Check Point's failure to come to market with an appliance. But they missed the boat by never developing their own solutions and moving into UTM (isn't UTM the answer to everything for Richard?) and other security technologies. Richard says they should have sold 5 years ago and now of course will have to take a bargain basement price.

Richard, you are wrong because you don't understand Nokia's value. They never claimed to develop great software. They developed a great hardware platform. Yes, Nokia is a giant telecommunications company and the appliance business was never really more than a small rounding error on the bottom line, I guess. But the division that ran the appliance business did a good job.

I have met with and spoken to engineers and sales people who worked for Nokia. They were able to clearly articulate their value prop and never tried to hide the fact that they ran best of breed software on the appliance. The Nokia boxes were quality appliances. In a market where far too many appliances are Dell boxes with a different color bezel, the Nokia appliance was more than just a white box. Over the last few years they branched out beyond Check Point and ran several other applications on the appliance. All in all, Nokia had a good product and a good channel. I wish they would sell StillSecure on a Nokia box.

Also, for a good explanation check out the comments to Richard's post by Gray haired security Wonk.  If you think you know who it is, mail me.


September 23, 2008

IDS - the beast that just won't die

Ellen Messmer has an interesting article up in Network World today (I wish Network World would stop that annoying page fold over ad that forces you to click close to view the page. It is just a pain in the butt and I wouldn't buy anything from anyone using that type of ad just on principle.), around the latest results of an Infonetics research survey commissioned by Tipping Point. The respondents were mostly from big companies with about 10k employees. Remembering who commissioned this report, you need to take these numbers with a grain of salt, but some interesting findings:

1. Cisco is hands down the market leader in IPS. It is almost universally agreed by this report's findings and in other reports that, while the Cisco product is far from the best in usability and functionality, by sheer numbers it dwarfs the other IPS vendors. It continually amazes me that everyone knows the product is not good, yet people still use it. For me that just reinforces the notion that people put IPS in as checkboxes. They really don't care if they work or not, are easy or not and are up to date or not. They just want to say they have something. When their local friendly Cisco rep throws it in with the shiny switch, they are happy campers.

2. Most people are finally deploying in line, but not filtering and blocking. Of course the Tipping Point customers overwhelmingly had the box in line. Tipping Point was always an in line IPS, so that is to be expected. The Sourcefire boxes on the other hand tend to be deployed out of band more often. The IBM/ISS and McAfee IPS are more in the middle. Regardless of whether they were in line or out of band, though, the number of filters that were actually being used to block traffic was way low. Most people are still alerting, not blocking. IDS is not dead, that is clear.

3. A sizable number of users do not update the latest filters (Tipping Point lingo for signatures and rules). This is the one that really blew me away. With all of the focus on zero day and all, you would think people want to be up to date against the latest attacks. Evidently not. Even given that some people like to test the filters first, I would think they find their way into the field pretty quickly, but it looks like I am wrong. Maybe this is a big company versus mid-market thing, though. I don't think mid-market companies have the time and resources to go through that type of QA check. They expect their IPS vendor to send down signatures that don't break the box.
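The alerting-versus-blocking split in the survey maps directly onto the action keyword at the front of a Snort/Suricata-style rule: "alert" only records, "drop" or "reject" actually stops the packet. The script below is an added example, written for this page and not taken from the article, Tipping Point or any vendor; it audits how much of a ruleset actually blocks and then promotes a vetted list of alert rules to drop by sid, which is the "test the filters first, then turn on blocking" workflow the third point describes. The ruleset, sids and messages are constructed for illustration.

```python
"""Audit a Snort/Suricata-style ruleset for alert-only vs. blocking rules,
and promote vetted alert rules to drop by sid.

Added example, not code from the original post or from any vendor. The
ruleset below is constructed for illustration; sids and messages are made up.
"""
import re
from collections import Counter

# Only "drop" and "reject" stop traffic; "alert" and "log" merely record it,
# which is the IDS-style usage the article says most deployments are stuck in.
BLOCKING_ACTIONS = {"drop", "reject"}

# Constructed sample ruleset (syntax follows Snort/Suricata; not a real feed).
SAMPLE_RULES = """\
# constructed rules for the example
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE scanner user-agent"; content:"EvilScanner"; nocase; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet from outside"; sid:1000003; rev:1;)

# disabled rule, kept as a comment so it must not be counted
# alert udp any any -> any 53 (msg:"EXAMPLE dns"; sid:1000004; rev:1;)
"""

RULE_RE = re.compile(r"^(?P<action>[a-z]+)\s+(?P<header>[^(]+)\((?P<options>.*)\)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Return the active rules as dicts with line, action, sid, rev, text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out (disabled) rules
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule: {line!r}")
        sid = SID_RE.search(m.group("options"))
        if not sid:
            raise ValueError(f"line {lineno}: rule without sid")
        rev = REV_RE.search(m.group("options"))
        rules.append({
            "line": lineno,
            "action": m.group("action"),
            "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 1,  # rev defaults to 1
            "text": line,
        })
    return rules


def action_counts(text):
    """How many active rules use each action keyword."""
    return Counter(r["action"] for r in parse_rules(text))


def blocking_ratio(text):
    """Fraction of active rules that actually stop traffic (drop/reject)."""
    rules = parse_rules(text)
    if not rules:
        return 0.0
    blocking = sum(1 for r in rules if r["action"] in BLOCKING_ACTIONS)
    return blocking / len(rules)


def promote_to_drop(text, sids):
    """Rewrite the listed alert rules as drop rules, leaving everything else
    (comments, other sids, rules already blocking) byte-for-byte intact.
    Returns (new_text, set of sids actually promoted)."""
    wanted = set(sids)
    promoted = set()
    out = []
    for raw in text.splitlines(keepends=True):
        line = raw.strip()
        m = RULE_RE.match(line) if line and not line.startswith("#") else None
        sid = SID_RE.search(m.group("options")) if m else None
        if m and sid and int(sid.group(1)) in wanted and m.group("action") == "alert":
            # the action keyword is the first token, so replace only that occurrence
            out.append(raw.replace("alert", "drop", 1))
            promoted.add(int(sid.group(1)))
        else:
            out.append(raw)
    return "".join(out), promoted


if __name__ == "__main__":
    print("actions:", dict(action_counts(SAMPLE_RULES)))
    print("blocking ratio before:", round(blocking_ratio(SAMPLE_RULES), 2))
    new_text, promoted = promote_to_drop(SAMPLE_RULES, [1000001])
    print("promoted:", sorted(promoted))
    print("blocking ratio after:", round(blocking_ratio(new_text), 2))
```

Run against a real rules directory, the `blocking_ratio` number is the quick way to check whether an "in line" IPS is really blocking anything, and `promote_to_drop` keeps the change reviewable as a diff of single keywords rather than a hand-edited file.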

All in all, despite Richard Stiennon's prediction of the death of IDS, it appears that we are still a long way off from everyone using their IPS as an IPS.


July 24, 2008

In the great NAC debate, Snyder KOs Stiennon in the first round!

Just got done reading the transcript of yesterday's great NAC debate between Joel Snyder and Richard Stiennon. As I predicted, Snyder scored a knockout early on and it was mostly over from that point on. The knockout came earlier than I expected though, right off the first question. Each combatant was asked to define NAC and that was when it happened. Richard brought an EPAC (end point access control) to a NAC fight. That was akin to him bringing a rubber knife to a gun fight. A quick bullet between the eyes by Snyder and it was almost painlessly over for Richard.

I have been preaching for some time about what I call complete NAC. That is a complete network access control solution, not just network admission control and certainly not end point access control.  It is not an evil plot to extend Cisco/Microsoft dominance and most importantly Richard, no one and let me say this again, no one has ever said that NAC negates the need for a layered security model.  NAC is just another layer in that model.  Richard’s comments deriding the .edu and .mil markets were also laughable.  Richard, have you ever heard the term military grade?  Are you seriously trying to say that enterprises take security more seriously than the military does?  Come on now Richard.

The bottom line is Joel Snyder is not only a sharp dude technically, but is street savvy enough to run circles around my friend Richard. He made Richard stay focused on the question at hand, did not let him wander, and so Richard had to face reality a bit. I am sure Richard will still say NAC is useless and will admonish people about hanging out with the likes of the StillSecure crowd, but I guess some things will just never change. Except I don’t think Richard will be in any more of these bouts. Maybe he can start selling a grill that takes the fat out of meat or perhaps a reality TV show like the other washed up palookas?

July 17, 2008

Just so you know it is not me

I know many of you think I am like a Pavlovian dog the way I respond to Richard Stiennon's anti-NAC vitriol. After my last article, I really decided to just lay off Richard. But just to show you that it is not me, I wanted to point out Richard's recent attack on Grant Hartline, CTO of Mirage Networks. Grant blogs and put up an article regarding the latest exchange between Richard and me. Both Richard and I commented. Check out Richard's expletive-laced reply that I think shows just how unhinged he has become on this subject. Richard rambles and stumbles taking shots at anyone he can. I am telling you, he is really losing it.

In the meantime based on this, I am going to change my prediction on the great debate and say Joel Snyder in 2!


July 11, 2008

You want the truth, you can't handle the truth!

I am not sure what it is with Richard Stiennon. Maybe his mom beat him with a NAC stick when he was young. Hence his Jack Nicholson looks (more like the Joker in Batman than Col Jessep in A Few Good Men) and his total disdain for NAC. In any event Richard never seems to miss a chance to take a pot shot at NAC. I have fired back and debated him many times on this. In fact I am convinced that Richard's problem with NAC is that, like Uncle Joe, he is just moving a little slow. Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03. He has not gotten up to speed on anything happening with NAC since. Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes in a comment on an excellent article by the Hoff. Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard, being an ex-analyst himself (let's face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richard's words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts is to prove them wrong. Great, Richard, you try to prove them wrong when, because of what they report, you don’t have a market, can’t get any capital and have no visibility. I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly, Richard, it is time to call a code red on you and give you the cold hard truth. Richard, the fact is that the edu market is not the only viable market for NAC. In fact, one of the biggest customers of NAC is the DoD. That is right, Richard, at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep: Richard, you want the truth, you can’t handle the truth! You sleep securely under the blanket of protection that NAC provides. If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know, Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like, Richard. Why do you think every switch vendor (and we partner with many of them) is lining up and bringing out NAC solutions? Why has Microsoft put such a big push on NAP? Why, despite the Luddites like you, does NAC still draw crowds at conferences like Interop (ask Joel about that)? Richard, we are still signing new major OEM partners. I am afraid you are the one sadly out of touch on this one, Richard. Just as you are out of touch in missing Hoff’s point in his article.

As to Hoff’s article, as I said, I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them. I am constantly amazed that so many analysts (and press for that matter) just take a vendor's word as gospel. I have seen research reports from analysts big and small that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors, if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts. Take the payola out of the equation the way they did to the DJ/radio business in the late 50s. Next, analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc. A vendor giving an analyst a real live “pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.


June 14, 2008

If Rohati is King Arthur, what does that make Stiennon ...

Sir Lancelot or Guinevere? Hey, don't laugh, it could happen to you. In the meantime, what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati? It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control. I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products. From what I understand, Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches.

Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies, I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control.

As usual though, Richard can't resist taking a few cheap shots at NAC vendors. In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work. Richard will just admit that these tests have value and people want them. They do not preclude doing the rest of the job of access control that Richard seems to approve of, though. Alas, Richard and I have danced this dance before and I am not going to get into why it is important. In fact, here is a new tack for you, Richard: it is not important. If you are not going to be convinced, forget about them. Look beyond admission control tests at what NAC vendors offer around access control and you may find a similar type of technology to Rohati in the near future.

Until then though, Richard, let me paraphrase Merlin from the movie Camelot: "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often".



disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.


Blog powered by TypePad
Member since 10/2005