StillSecure, After All These Years

I started blogging about 2 and half-years ago because I felt like it would be fun to add my two cents to the public debate.  When Brad Feld introduced me to the Feedburner guys I was given an insiders view into the quickly developing blogging world.  When Feedburner started networks, I thought it would be interesting to start a network of all the security blogs that I was reading.  I also inherently knew in my gut that eventually there would be some common good that would benefit all of the members of the network by aggregating our content and buying power for ads. I also believed and still do believe that there are other ways that a network such as the Security Bloggers Network can be a force for good.

However, reading the SBN feed tonight I was just blown away! From being on the road, I had not read the SBN feed in my Newsgator reader for almost 2 days.  I had over 160 articles cued up in the feed.  Forget for a moment that the Security Bloggers Network now has over 160 blogs and a combined feedburner subscriber base of almost 67,000 readers!  The content is king.  Going through the articles I could not believe the total coverage, the ongoing commentary and give and take, but most of all it was the quality.  There are so many great members of the network who are just so damn smart and are writing about such important stuff.

I am humbled and incredibly proud of the what the Security Bloggers Network has become. If you are interested in security, whether it be the technical aspects of security, the business of security or the security industry, you cannot afford to miss this SBN feed. 

We are kicking around a lot of new activities and ways to publicize the member blogs of the network over the coming months.  Stay tuned for details, but in the meantime keep reading, you won't be sorry!

So our first topic of interest as part of the Black Hat Bloggers Network promotion was virtualization and security in honor of our own Chris Hoff presenting at Black Hat this year. While several members of the network wrote some really great stuff, I was hoping we would get more of a broader response from the 150+ blogs on the network.  So for topic #2 I wanted to pick something more generic and easier to blog on.  Our topic is why go to Black Hat.  Most of the blogger network members either go to Black Hat or wish they did.  Why?  Lets hear your reasons for going to Black Hat. Is it the briefings?  the parties? seeing old friends? what?  I am hoping to see a lot of blogs on this subject from all of our BHBN member blogs!

I should also point out that Black Hat is doing some great promos leading up to the show.  They have a great webinar coming up today that I totally spaced on because I wanted to give everyone more notice and time to register. In the meantime, don't be like Mike, I mean Shimmy, go register and check out the webcast!  Also be on the look out for some of the other great events they have cooking, as well as registering for the Black Hat Twitter feed.

One of the newer, but very well known members of the 155+ blogs of the Security Bloggers Network, is the Errata Security blog from Dave Maynor, Rob Graham and Marisa Fagan.  Dave has a post up today about his frustrations with trying to remove McAfee AV from his new mobile phone. I share his frustration.  Having run Windows Mobile for over a year now and changing ROMS in addition to installing and deleting a multitude of applications, I am often frustrated by the lack of visibility you have into the files and system on Windows Mobile.  if an application does not remove itself cleanly, you are hosed.

A far larger frustration for me though is removing AV vendors security from any computer, mobile or otherwise.  It is not just a McAfee thing either.  Symantec, CA and Microsoft are just impossible to remove with out a major pain.  What is the reason?  Do they make it hard because they think people might remove them by mistake?  I don't think so.  Like Dave says, when does AV become a virus itself?

ts/sci security blog is the first SBN member out of the blocks to blog on our Black Hat Security Bloggers Network topic of interest and it is a great one! Thanks to dre! I was afraid none of our bloggers would pick up on this but am looking forward to seeing more on virtualization and Hoff's discussion at Black Hat.

I will be writing my on post on this topic later this week.

This post is intended to member of the Black Hat Bloggers Network and others who blog on security.  When we announced our affiliation with the Black Hat folks, we said that between now and the show in August we would pick topics of interest tied to presentations at Black Hat for us to "shine a light on".  With over 150 blogs in the network, if even a small percentage of us write on one particular topic that should be quite a concentration.  I am looking forward to see the many different tangents our members will take these topics. 

Our first topic comes to us from an SBN member who will be presenting at Black Hat. It is one of our resident big brains, Chris Hoff talking about virtualization and security. I asked Chris to give me a quick write up on what he is presenting and here it is:

This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!

• Some security things you do today are perfectly reasonable and work well in virtualized environments, others simply don’t work at all
• Virtualized Security can seriously impact performance, resiliency and scalability
• Replicating many highly-available security applications and network topologies in virtual switches don’t work
• Monolithic security vendor virtual appliances are the virtualization version of the UTM argument
• Virtualizing security will not save you money, it will cost you more

You can read more on this at Chris's blog here. So bloggers here is the deal.  You have what Hoff thinks, what do you think.  Wrap your heads around virtualization and security and lets hear what you have to say.  We will all be reading!  ON YOUR MARK, GET SET, BLOG!

I wanted to take a quick moment to welcome Samuel Colt Van Ryder to the blogosphere. I know Sam for a number of years now. He was a sales person here at StillSecure for a long time working both with channel partners and direct sales. During that time I got to know Sam pretty well.  He is an interesting fellow.  A genuine Texan, Sam is a descendant of the Colt 45 Colts.  He moved to Switzerland, where he met his wife.  They then moved back to Texas where he has raised his family and worked in the security industry.  Always a stand up professional, I have stayed in touch with Sam after he left our company and went to work at Alert Logic. 

It seems that Sam has grown tired of trying to get Misha to blog regularly on the Alert Logic blog, so he has taken it over himself.  He posted his first article today. Good for Sam and we will be reading to see what he adds to our community discussions.  Welcome aboard Sam!

Speaking of community, the Alert Logic blog was already a member of the Security Bloggers Network.  However, the network is over 135 blogs strong with a combined distribution of 50,000 feedburner subscribers!  You can subscribe to the combined feed of all of these blogs by clicking here.

Well the RSA security bloggers meet up 2008 is in the books.  The party was a smashing success!  Before I go any further let me extend thanks to Jennifer Leggio of Fortinet for all of her hard work in putting together a great party.  Also going over and beyond was StillSecure's Sonya Caprio.  The organization of this party went far beyond anything the likes of myself or Martin Mckeay could have done.  On that note though, let me also thank Martin for all of his hard work putting this together as well.  Also Rich Mogul.  The Microsoft guys, Adam Shostack and Jeff Jones.  Also a big thankg from Jeanne from RSA! OK, enough with all of the thank yous.

The party was well attended by a virtual who's who of the security blogging world.  From the biggest to the smallest and everything in between, from here in the US to the farthese reaches of the world, they were all here.  It was an excellent mix of bloggers who blog on behalf of their companies, to individual bloggers. Media type bloggers like Mike Fratto and George Ou to the Paper Ghost.

Martin and Rich Mogul has the virtual aspect covered with live streaming video.  I will have a link up to the video cast as soon as I get it from Martin.  The tweets on twittering were flying as well.

Overall the biggest thing for me was that I was amazed by the turnout from a bunch of people who like to blog.  The security industry is well represented in the blogosphere for sure.  I personally am proud and honored to count many of these people as my friends.

Today believe it or not we are already starting to talk about making next years parties bigger and better. Microsoft has indicated they would like to be involved again.  RSA said they will help.  We have some ideas on letting those of you who participate in blogs by reading and commenting come to the party as well.  Stay tuned for more over the coming months!

I was talking to an analyst the other day and the security bloggers network and meet up at RSA came up. In talking about it the analyst asked me if I knew anything about the "hot blond blogger chick that everyone was talking about". At first I didn't know who he was talking about, but soon I realized he meant Jennifer Jabbusch. After I stopped laughing for a while, I told the analyst that I actually found JJ's blog a while ago and had written about it and become friendly with her ever since. I told him that I met Jennifer in person a week or so ago, and believe me she may be blond, but she ain't no dummy and knows her stuff both technically and from a business perspective. After a while I thought about it and realized what a double edged sword woman like Jennifer have to deal with. The fact that she is a woman and blond gets her attention easier than she might if she was just some guy, but is it the right attention? Do people assume that she is not somehow as sharp or as relevant? Last year I asked why the security industry had not outgrown booth babes. Today I ask why security bloggers are no better. Why do we assume because a woman is blond and not frumpy looking she must be some sort of booth babe blogger? I say bull crap to that. Maybe if Jennifer had not put her picture on her blog she would not be as popular, but would she be taken more seriously? People get with the program, JJ has a lot to say and let her words and intelligence stand on its own merit without your pre-conceived notions. Blogging has no room for booth babes!

On that note, Jennifer has a great post up today on a primer for 802.1x. I was presenting NAC to a group from a large security company this week and was frankly amazed at their lack of knowledge of what 802.1x is and how it works. They did not know where Radius ended and .1x began. I would have liked to send them this before presenting to go over as homework.

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture.  I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Announcing bloginfosec.com, an information security magazine in a blog format. bloginfosec.com is written by professionals for professionals.
Our magazine delivers content for executives and practitioners written by working information security executives and practitioners.

Our columnists are respected information security veterans who hold influential positions at major corporations. bloginfosec.com prides itself on being free from vendor and commercial influence. Our columnists have an amazing flexibility to write their columns as they see fit with minimal editorial constraints.

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

        * Monday: C. Warren Axelrod - ROSI: Security Returns?
        * Tuesday: Frank Cassano - The core truth of risk
        * Wednesday: Allan Pomerantz - Our End Users: The Weakest Link
        * Thursday: Micki Krause - Core Program Practices: Assess, Implement and Monitor
        * Friday: Sam Dekay - Information Security: Orphan of the Org Chart?
        * Monday: Russell Handorf - Wi-Fu! Attacking the 802.11 Client
        * Tuesday: Derek Schatz - Are We Less Secure Now Than Before?

iPod Newsletter Raffle
Any corporate (.com, .net, .com.xx, etc.) or educational (.edu) activated email address registered between Monday, March 10th, 2008 and Friday, March 15th, 2008 on bloginfosec.com will have the chance to win a free 8G iPod Touch with video. We will mail the iPod anywhere in the world. Generic email addresses (such as yahoo.com, google.com, aol.com,
etc.) are not eligible to win. All entries are subject to our discretion. We will pick the winner and contact you via email for your physical mailing address.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

I wanted to give a quick update on happenings with the Security Bloggers Network.  The network continues to grow and is now 125 blogs strong, with a combined FeedBurner subscriber base approaching 50,000 subscribers!  A couple of other pieces of news:

1. Marko Ruotsalainen from Liquid Info suggested to me that I create a group in Linked In for the SBN members to join and allow us to share our contacts as another way of providing benefit to the members of the network.  So I took Marko's suggestion and have started a group in Linked In. If you are a member of the SBN you can join by going to this link: http://www.linkedin.com/e/gis/64292/58076562A6C7.  Groups in Linked in are fairly new, so I am not sure what all the benefits of this will be, but will certainly look into it further. I welcome your suggestions on this as well.

2. Our big beta.  As some of you know we are experimenting with the Intense Debate comment system with some of the key members of the network. Intense Debate offers many advantages over vanilla comment systems that come with most blogs. However, I am in discussions with the management there to add some special sauce features that will allow us to share comments across keywords throughout the network.  This is something I have wished for since I first started the network and hope that ID can provide this functionality. In the meantime you can sign up for Intense Debate at their web site right now. It works pretty well and is free!

3. Security bloggers RSA meet up.  All members of the SBN should have received invites to the security bloggers meet up party at RSA.  If you have not, please drop me a line at alan at stillsecure dot com.  Also as I have mentioned, the RSA conference people have put up a blog about the bloggers meet up and you can stay on top of stuff there.  I have written an article on who you would like to meet at the party and what would you ask them.  With all of the virtual events going on, you can meet your favorite blogger and ask them what you want. Just leave a comment on the RSA site with your wishes.

The SBN is really becoming a powerhouse in the security blogging arena. If you have a security blog and are not yet a member, what are you waiting for?  Drop me a line and join the fun!

I have been thinking more about the RSA Bloggers Meet up that I wrote about yesterday. That got me thinking about how bloggers are so socially interactive and probably explains why we are such suckers for things like Twitter, Facebook, etc. Than I started thinking (I know a lot of thinking going on here, where it goes I don't know) about how blogging has changed in the years I have been at it. While blogging is bigger than ever, alot of the social network around has changed. For the most part, for the better I would add. However, one thing that has changed for me anyway, is Technorati.

When I first started blogging Technorati was the Google of blogs. In fact on the not too rare times that it took for ever to search on Technorati I would think it was being overrun with queries. Putting Technorati tags into my articles was elementary and mandatory. I used to check my Technorati rankings everyday and judged my blogs popularity by its "authority". I would eagerly comb the rankings to see who linked to my site. Then a funny thing happened. Technorati started making so many changes, when I would log in I couldn't find what I was looking for anymore. Than it would seem that no matter what I did, unless I went in and manually pinged my site, it would not update. After a while I got tired of manually pinging from Technorati and my authority started going down.  Frankly, I didn't even care. Then after a while, I couldn't even figure out where to go to ping my site manually on Technorati anymore. It has just lost all relevance for me as a blogger. The shame is I think the blogger community was what Technorati was about.

Instead, I think Technorati has gone after the blog reader community. I can see the wisdom there. There are a lot more readers than their are writers. However, I am not sure they do a great job on that count either. Both Google and Yahoo and even MSN do a good job of blog coverage now. So do blog readers have any allegiance or affinity for Technorati? Does it do anything for them? I don't know. What I do know if they would have done a better job of keeping me abreast of the changes to their site and showing me how to use it and get value out of the service, I would spend more time there and not find it so irrelvant as I do now.

This is something I am going to discuss with my blogger buddies at the RSA bloggers meet up. With a "who's who" of security bloggers in attendance, what would you talk to them about?

It is already the end of February and the buzz is in full swing for this years RSA Conference. I usually know that it is RSA time because it takes place around my wedding anniversary.  However, this past Monday was my anniversary and no RSA.  That is because this year RSA is a little later, taking place the 2nd week of April in San Fransisco.

Over the years I have come to really enjoy RSA as a chance to catch up on the industry, friends and of course, parties!  Some of my favorites are the SC Magazine Awards show and the RSA conference party itself.  Last year one of my favorite events was the bloggers meet up that I had a hand in putting together along with Martin McKeay and a few others put together and was sponsored by Microsoft and Fortinet. That party has become legendary with posts about it here, here, here and here among other places. We had a similar event at Black Hat last year and that was fun too.  There is something about getting together with all of the folks you virtually talk to all the time via the blogosphere and put a real face and voice to a name.  We try to keep these blogging parties confined to blogger and media types, so the that everyone is comfortable sharing and conversing without the "general public" there. 

For this years RSA conference we wanted to do a similar type of event. However, the blogroll of security bloggers attending has grown quite a bit and of course most security media types are blogging now as well.  So we wound up getting about 100 of the top security blogging crowd together and got Fortinet, Microsoft and StillSecure to sponsor.  It is shaping up to be the bash of RSA, for me anyway.  The buzz around it was so loud that before we knew it we had a logo, our own official blog on the RSA conference site and a full committee running invites, food, drink and logistics (OK so Jennifer Leggio does most of the work)!  I am just totally pumped to meet a bunch of the folks on the RSVP list and have a great time. Truth be told I am also proud as a peacock that I played a role in putting this thing together from the beginning.

If you have a security blog or podcast, are going to be at RSA and want to attend there is information on the RSA blog page on how to get an invite. For many of you reading this, I know you are saying to yourself, "great sounds like a cool party, free drinks and I can't get an invite because I don't blog".  Well you don't have to fire up that old free blogger page you started but never finished months ago.  Through the magic of modern technology you can party along with us virtually!

We are going to have live video streaming, live audio podcasting and a live Twitter feed.  The RSA site has more details on signing up for the Twitter channel we have set up to follow on the pre-party chatter (or is it twitter) you can follow that at @RSABloggers2008. Hey it will be almost like being there.  Anyway, hope to see as many of you as possible at the party and as many of you as possible virtually if you can't make it!

This is for all members of the security bloggers network (there are almost 120 blogs in the network now!). We are trying to do a "beta" of a new feature to bring more value to members of the network.  If you are interested in participating, please drop me a line at alan at stillsecure dot com.

thanks!

A couple of weeks ago I followed a link and wound up on a blog called Security Uncorked, JJ's complete unofficial guide to Infosec.  Though it was a fairly new blog, the person writing it obviously was a pretty hands on security practitioner who knew what they were doing and was doing a good job of writing about it. with some good tips and tricks.  Further investigation revealed that the blog belonged to Jennifer Jabbusch. I don't know a lot about Jennifer other than what she has up on the blog, but she is obviously very deeply involved in nuts and bolts information security and has a great writing style.

The first thing I did was contact her about joining the Security Bloggers Network, which she promptly did.  I thought she was an excellent addition to the network. Since then I follow her blog and though she doesn't write often enough, her articles are quality work.  I hope to have her as a guest on the podcast soon.  But I wanted to call this blog out to all of you to check out, it is good stuff.

I checked in on the stats for Security Bloggers Network this morning to send out an invite to who I think will be the latest member of the network.  That would be the 109th member of the network.  I was really pumped to see that the combined Feedburner feed for the network is now just a few shy of 40,000!  Remembering when the feed was just at a few thousand, this is quite an accomplishment.  Of course this is just the Feedburner count.  Many member blogs of the network have much wider readership from feeds other than those burned by Feedburner.  Great stuff!

Explore Security Bloggers Network (a FeedBurner Network)

The Security Bloggers Network continues to expand and become "the feed" for all of the security blogging fit to print.  In just FeedBurner subscribers alone, the SBN is over 32,000 subscribers.  The total subscriber count beyond FeedBurner is probably a factor of 2 to 3 times greater!  The latest security blogger to join the ranks needs no introduction to security aficionados.  Mike Fratto, lead NAC analyst from Network Computing and keeper of their NAC Immersion Center has registered his Network Access Control Immersion Center Blog with the SBN. This means by subscribing to the SBN feed you will now get Mike's words of wisdom and insightful views on NAC.  Just another reason to subscribe to the SBN. Of course if you have a security blog, you can join the network for free by contacting me.

Welcome aboard Mike and thanks for joining!

A couple of weeks ago I wrote about the SBN approaching 100 members.  Just wanted to give a quick update and let you all know that the Security Bloggers Network is up to 102 separate blogs aggregating their feed into the Security Bloggers Network Feed!  In FeedBurner alone we have over 30,000 subscribers to these separate blogs. What a great way to stay on top of all the security fit to print.  You can check out and subscribe to the feed here.

The Security Bloggers Network really has become the official feed of security blogs the world over. Now some lucky security blogger is about to become the lucky winner of the 100th Security Blogger Network member prize. What is the 100th member prize you ask? Well actually nothing. But it is pretty cool that we have 100 of the best security focused blogs under one feed on the SBN. We are 96 blogs right now and need just a few more. The 96 current security blogs have a combined feedburner subscription of over 30,000 subscribers!

Hitching your wagon to this jet engine is a great way to get more exposure to your blog. If you have a blog with a security focus now is a great time to join the network. You never know, you could be the lucky 100th! If you don't have a blog but like to read about security you can get the SBN feed here.

Note: A reader pointed out that I did not give a way for you to join the SBN.  Sorry about that.  You can send me an email with your blog address to alan (at) stillsecure dot com.  I will send you an invite.

For those not aware and looking for a good resource on NAC, Dana Hendrickson runs a great site over at Secure Access Central.   Besides being a member of the Security Bloggers Network, SAC is a great repository of information about NAC, product selection guide and a ton of research.  Dana has put up a product profile on our own Safe Access.  It is a fair and balanced quick look at the product and he is looking for feedback.  If you are interested in NAC and have some questions, Secure Access Central is a good place to go.

Just wanted to take a quick moment to call out some of the great blogs that have recently joined the Security Bloggers Network. First of all, as has been already mentioned by many, Rich Mogull has cast aside the chains of the big G and is back blogging up a storm over at his Securosis blog.  Next the good folks over at RSA have added the RSA Conference Blog and the RSA Liberty Alliance Blog.  Finally, in addition to the previous two blogs, Ira Winkler's blog and Jeff Bardin's Conspiracy to Commit Security blogs have been added as well.  All of these blogs are high quality and bring added value to the network.  The good news is that instead of subscribing to all of them individually, you can subscribe to them all at once via the SBN. 

The SBN is now about 90 blogs strong and has some great blogs in the security arena. Its mission is contain "all the security fit to print".  As such there is no endorsement of any content by any of the member blogs.  Anyone who blogs on security is free to join and there are no fees or monies generated.  It is not some evil scheme to further my own aims or of StillSecure, or anyone else for that matter.  It is just a collected feed of security blogs.  If you would like to join drop me an email at podcast (at) stillsecure dot com and I will send you an invite.

As many of you know, I helped start something called the Security Bloggers Network via FeedBurner a while back. There are now 78 blogs in the network, including some of the leading security blogs out there.  The combined feed of these blogs is a great way to most of what the security blogosphere is writing about.  Now Tyler Reguly over at Computer Defense blog, has put together a mailing list for members of the network to communicate off blog via email (I know how not Web 2.0 like).  We have also decided to open the mail list up to the public at large.  So if any of the network members or readers of the network feed would like to subscribe to the mailing list, you can do so here.

Just wanted to take a moment and announce that the Security Bloggers Network has now reached 74 contributing security blogs!  The newest member is the Watchfire Application Security blog by Ory Segal.  Ory has a good article up on playing in the sandbox and asking why anti-virus vendors have not adopted this approach.  If you get a chance check out what Ory and the Watchfire guys have to say.

Ory joins some other great bloggers like Jeremiah Grossman of White Hat Security, Mike Rothman of Security Incite, Amrit Williams and Ryan Russell of Big Fix, the blogging guys from nCircle, Richi Jennings, Chris Hoff of Crossbeam (received a weird call from Chris and some "friends" last night but lets not go there) and many others to numerous to mention.  There is some great content there.  Subscribing to the combined feed is a great way to stay on top of all of these great blogs in one RSS feed.

Also, if you have a partially themed security blog at least and would like to add your feed to the mix, there is no cost to do so.  Just email me with your request.

Wanted to take a quick moment to recognize the newest member of the Security Bloggers Network, Nevis Networks. I was happy to see that the folks at Nevis Networks started a blog. They have wasted little time in putting some good content up on NAC right away.  If you get a chance have a look, either through the Security Bloggers Network or directly to the site.

Along with Michelle and the folks at ConSentry and us at StillSecure, NAC vendors are certainly well represented in blogland. I wonder when Mirage, Lockdown and some of the others will get with the program.

Just wanted to take a quick moment to commemorate a milestone.  The Security Bloggers Network now 68 blogs strong, reached a combined FeedBurner distribution of 10,000 subscribers today!  Let me be clear, that does not mean that 10,000 people subscribe to the SBN feed.  It means that the blogs of the members, cumulatively have 10,000 subscribers through their FeedBurner feeds.  Still it is pretty impressive and congratulations to all of the members whose feeds are part of the network.

Sorry for taking so long to get around to this but I wanted to shout out my friend Michael Mongold.  Michael works for a partner of ours at StillSecure. I am not sure Michael is saying where he works, so I won't mention it either.  Anyway Michael is a professional security engineer and an all around good guy.  He has started a blog a little while back called Technology Security and has recently joined the SBN.  He seems to be off to a good start, writing some good stuff on all sorts of security issues.  If you get a moment check it out.  Welcome to blogging Michael and good luck!

OK, I am going to come out of my self-imposed Mr. Nice Guy persona and return to the gruff NY'er.  What has put me in this state you ask?  It is all the radioactive fall out from the Top 59 list or as I now call it, "the fighting 59".  The latest drama comes from Mark Curphey over at Security Buddha.  He has dropped his feeds from the Security Bloggers Network due to a " low signal to noise ratio and some of the other members were not folks I want to be associated with".  Somehow this situation came to a head with the fighting 59 list.  First of all, so that we are all clear, as the administrator for the SBN, to paraphrase Bill Clinton, the SBN never had sex with that list.  It had nothing to do with the list and I was never contacted by those people.  So blaming the SBN in anyway for the list or even associating it with the list is not necessarily accurate.

Now lets get down to business, my good friend Michael Farnum, who I have a tremendous amount of respect and admiration for, seems to have been driven to some self-doubt around this whole thing and writes about "incest in the security blogosphere".  Michael, while I understand what you are saying, I think you have some fundamental mistakes here.  Frankly, Mark I think you have too.  The cardinal mistake you are both guilty of has nothing to do with security and who is most influential, but rather why people blog.  Fighting over whether the list is accurate, is the list full of crap or who should be on the list, is just frigging asinine.  I played along this afternoon with my own Top 10 list because Thomas asked me to contribute some names.  But frankly those are my names and I went out of my way to load it up with business people who some of the tech types might find down right repulsive.  Mark, the people you mention who were missing from the fighting 59 are I am sure worthy of inclusion on your list.  But hey there tiger, that is your list, not my list, not Farnum's list and not the ITSecurity.com list.  Frankly, Mark, Michael, Thomas, Hoff, Richard from Tao, Amrit (who I think actually has the right attitude on this one) and the rest of you, as regards the ITSecurity list, it is their god darn list and they can do whatever they want with it and put whoever they want on it.  You don't want to be on it, tell them to take your name off, but don't stamp your feed and hold your breath about what a joke it is.  Cause here is a newsflash for you all - the joke is on you!  I don't know about the rest of you, but the fighting 59 has brought over a thousand hits to my site since it was published.  If the list is really full of beans, people will see through it.  Don't discount the common sense of the public.  I think many of us who blog have breathed too much of our own exhaust and think that somehow we are smarter than some of the public at large who read this stuff.  Not the case.  To me this is no better than a magazine giving a best buy award to a product that I know sucks and is ripping off Ron Gula's NASL scripts.  Do I think it is fair?  Hell no, but it is what it is.  It is their magazine and they can write what they want.  Same thing with the fighting 59 list.  You don't like it, go make your own. If you are such a bigshot, see how many hits you get with it.

That is a fundamental thing about blogging.  Guys you have a forum to write and say what you want.  You can be on even ground with securityit.com, the same way I get a chance to go toe-to-toe with Richard Stiennon, Mike Rothman, Amrit, Ross Brown and the rest.  You want to rail against the ITsecurity guys, go ahead.  Thomas has it right, he spoke his mind.  The rest of you bandwagon jumpers, get an original thought and do something about it or just shut up. The whining about who I would put on my list is baby crap already that is beneath most of you.  You have your own blog, get to it.  There are people who don't have blogs and somehow you think they have gotten a raw deal as influencers because they don't blog, too fucking bad (now you did it, made me curse again, I must be really mad).  No one stops them from blogging.  Mark and Michael, you think some people have written about PCI who don't know their ass from their elbow, go ahead and call them out on it, but stop threatening to do it. In the words of Jack Nicholson as Randall McMurphy, "which one of you nuts has any guts". Hey, I have done it time and time again.  Sometimes I am right and sometimes I take my lumps, but I do it, I don't threaten to do it.  Ultimately as I wrote on Marks blog in my comments, the market will decide who they want to listen to, who they value and who influences them.  One thing that pisses me off is the elitist, I know better than the rest of you attitude that some have. To me it is much more offending then the legend in your own mind stuff.  In the real world we count success not by how many cool vulnerabilities you found or how "cool" your friends think you are.  In the real world the scoreboard is kept in dollars and cents.  When I see whining about people who have big budgets and have never got their hands dirty with security not being "worthy".  I want to say, dude wake up and smell the coffee.  You think it is easy building a company and getting people to buy your product.  Go ask people who have done it, then come tell me about what a PCI expert you are.

Next, bloggers have egos.  If you didn't like to hear yourself talk, you wouldn't blog. Blogging in security is no bigger than it is in any other industry Michael. In fact compared to some others, it is tiny.  Of the 65 sites on the SBN we have a combined circulation of about 8000.  To put it in perspective, Brad Feld's VC bloggers network with 74 sites has a combined subscriber base of 200,000!  We are still a tiny cottage industry here and according to all of the numbers I have seen it is only just beginning.  We are blogging for all of our own reasons, but Michael you admit it and Mark deep down you will to, everyone wants to be recognized for contributing something worthwhile.  Frankly, when I started blogging, most everyone laughed at me, including my wife, my friends and co-workers.  Martin McKeay and Brad Feld were the only people who encouraged me.  Today, though I love to watch my stats and am amazed that people find reason to read what I write, I still write mostly to satisfy myself and my own ego. If I want to use my blog to boost my ego and make me feel like a legend in my own mind, that is my god given right to do so, so go find another hydrant to piss on. 

Feeding off of what other people write and putting your own 2 cents in is what blogging is all about.  I actually look back at my posts and probably 40 to 50% or more are commenting on other articles.  That boys is what blogging is all about.  It is your own channel where you can say what you want on anything you want.  There is no law that you have to be original on your blog.  There is also no law that you have to read anyones blog.  If too many that you don't like to read are aggregated like it apparently was for Mark with the SBN, he is free to not read the feed.  He could have unsubscribed from the feed and left his sites in, but again that is his right and prerogative to pull them off, it is his blog (and I am still subscribed to them BTW).  Just like it is ItSecurity.com's list to put on who they want.  To each his own and that is what makes the world an interesting place.

And now back to our regularly scheduled program.  Mr. Shimel, Nurse Ratched is calling, time for your medicine.

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.

Alex Bakman has been really writing some good stuff lately. I was reading an article on his blog the other day and it triggered something in my head.  That is one of the nice things about reading the spliced feed from the Security Bloggers Network.  You are reading the combined output of over 50 blogs in one place.  Sometimes I don't even realize where the feed is from unless I take the time to look.  Anyway, back to the subject. Alex writes about an article by David Greene of BMC in itworld. Both Alex and David point out that rather than running a keystones cops firedrill every time a compliance audit or event takes place, wouldn't it be better to build compliance into your process or automate compliance.  David points out how much more really valuable this.  Rather than practicing good security for compliance sake alone, practice good security for security's sake and get compliance as an afterthought.  Makes perfect sense to me.

This is exactly what we are doing with one of our customers at StillSecure. Our customer is providing network and security services to another organization and the contract is governed by a number of SLAs. These SLAs include both network and security areas. Prior to working with StillSecure, each audit was essentially a fire drill for our customer. They would run around making sure that devices were all patched and shift people from one group to another to make up short falls, etc. Because of the nature of the contract, they became acutely focused on meeting compliance rather than building processes that allowed compliance to become a by-product of their daily operations. Our proposal which they have adopted calls for a "policy driven network". Under this plan, the network managers have at their fingertips a list of every device's status as of the last time they logged onto the network. This is true for managed and unmanaged devices, wireless and wired, remote and local.  Now when they are audited,  they just run reports of those devices and the latest status is right there.  No scrambling around, no keystone cops, no chaos.  Compliance with the audit is built into the policy driven network. Please don't mistake my message here - products are only one piece of the puzzle, albeit it an important if not frankly a large portion - they are just a means to an end. The real pony in here is the architecture / framework / approach to driving compliance. We worked with our customer to embed it into the fabric of their network through our policy driven network approach.

So, how did we help accomplish this?  Good question.  We started by using both our VAM vulnerability management solution and Safe Access, our NAC product.  How it works is that policies are set in Safe Access and VAM as to what profiles and configurations are allowed and not allowed.  VAM does its regular scanning on a scheduled basis.  On top of this, Safe Access detects every device as it comes on the network.  Unlike a normal NAC practice though, Safe Access alerts VAM to the presence of the device and VAM can initiate a full vulnerability scan in the background. Of course the network administrators also have the ability to initiate a NAC test at the time of log in as well.  All of this information, as well as other data such as IDS alerts and syslog are correlated and stored in VAMs on board database.  Of course, you could do this with similar technology to the StillSecure products, assuming they have similar interoperability.

In the future we will take this to the next level by combining the post-connect capability we have built into Safe Access and policing even more of the network activity.  This is a perfect example of providing real security and compliance by building it into the network process and not doing a compliance audit, for compliance sake alone.

A new member of the Security Bloggers Network is Alex Bakman, the founder and CTO of Ecora Software.  I first became aware of Alex's blog when he linked to me on Security Consolidation.  Alex has a good article up today about the call to revamp FISMA and specifically on a report from an RSA panel featuring Alan Paller of SANS and Bruce Brody, currently of CACI, but formerly the CISO (I think) of the Veterans Affairs and Energy departments.  For those not familiar with the federal information security market, FISMA is the  Federal Information Security Act.  Under this act, federal agencies are graded each year on their compliance with the act.  We usually read about them in the news, as this agency and that one receives failing or poor grades. 

It is generally agreed that we need to do something to improve the security posture of the federal government.  However, as Alex points out I think Alan Paller is off base when he blames the security vendors and calls for "products security configured by default".  As Alex points out, one size does not fit all when it comes to IT configurations. It is unrealistic to think you can have a default configuration that will be right for everyone. 

My own experience with the federal government leads me to believe that the issue is more around resources and expertise.  I can't tell you the number of times we have run into issues with our federal customers who due to budget considerations do not have the resources to adequately support the software they purchased.  Then when they do have the budget, the skill set does not match. Linux guys trying to do Windows, Windows guys on Unix, network people on the desktop, etc.  I think if they would put better management and budget around implementation and operation of security tools, FISMA scores would go through the roof.  It is not that the government does not have the right tools or good tools, it is that they are not being used correctly.