78 posts categorized "Security Incite"

May 28, 2009

Shimel’s Inciteful Thursday

So despite his promises to the contrary, my bud Mike Rothman has been a blogging MIA pretty much since RSA. Hey I am sure he has a good reason, like some journey for self-awareness or something that is keeping him away.  Not even a Social Security Blogger award could get his juices flowing again.  So in Mike’s absence I am going to do another in my incite series with a bunch of short stories and even shorter commentaries.

Truth be told, I had too many things to write about today, so I blamed it on Rothman!

Have a great day.

1. InfoExpress does a press release on managed NAC – Last night I banged on InfoExpress for claiming a managed NAC service as reported by Tim Greene. It just didn’t sound like a managed service to me. Well, not sure if Tim jumped the gun or not, but today IE put out a press release on their service (though they still have nothing about it on the web site). To be fair, the press release talks about more management of NAC than Tim’s article did. But here is a bit of advice for the InfoExpress PR team: If you are going to have customer quotes in a press release, it may be worthwhile giving their name and title. Just having quotes attributed to anonymous customers is a bit unbelievable. Something I would expect from NAC used car salesmen.

2. Mystery Virus plagues FBI and US Marshals – It seems that a mystery computer virus (no, not swine related) has hit both the non-classified FBI network and the US Marshals network. The FBI had to take down their network from the Internet, but it has now been reconnected. The US Marshals service reportedly had 140 machines hit with the virus. They had to be taken down and are being disinfected as you read this. I don’t have any more information on this, but there are rumors of a one-armed man being seen in the vicinity. Where is Tommy Lee Jones when you need him?

3. Microsoft puts the heat on security vendors – Looks like my friend Charlotte Dunlap has herself a regular gig over at Forbes writing an infosecurity column sponsored by Juniper.  This time Charlotte writes about Microsoft rolling out a hosted email security solution as part of Stirling-Forefront. Charlotte is right on when she says that Microsoft clearly has Symantec and McAfee in their sights with Forefront.  I have written about this before as well. Go ahead and make fun all you want, Microsoft is serious about this and will keep at it till they get it right.  Of course I love the fact that they are partnering with forward looking security vendors (like StillSecure) and think there is a real opportunity to shake up the security world here.

4. How much work can you do on an iPhone? Earlier this week I wrote about an iPhone being a Prius to Blackberry being Pinto (hey not my words, but some other author). In continuation of that story, Galen Gruman writes about using an iPhone instead of a laptop for a few weeks. I don’t know but I find it near impossible to write more than a sentence or two with my iPhone. Maybe my fingers are too fat or I just don’t have good hand to eye coordination, but I find it painful compared to my old HTC Windows Mobile phone to type longer than that.

Anyway, that is a wrap on this incite.  Good day to you Mike Rothman, no matter where you are!

April 21, 2009

Report from RSA

So I have made the annual pilgrimage to the city by the bay for RSA. As usual I got in late Sunday night in order to be at the Americas Growth Capital Conference on Monday. This was the 5th AGC Conference. It has become a must attend event for many CEOs and other C level execs in the security industry. Uncle Art of RSA delivered the keynote. Based upon his previous keynotes, I am surprised there were more than 3 or 4 companies there to listen to him, as we were all supposed to disappear. Anyway his talk focused on DLP, GRC and encryption. Hey, when you are a nail, . . .

Anyway, the Qualys party was decent enough, very similar to last year. Tonight I will be at the SC Mag awards show. If you are here at RSA stop by the StillSecure booth and say hello!

In other news:

1. What would you pay to put perhaps your biggest competitor out of business? If you are Oracle, about 7.4 billion. Hey and you get Java to boot!  Not sure what else they get though. Not sure of the future of Solaris or Sparc.  But Larry now has added another Silicon Valley legend to the stable.  What does the future hold for MySQL?  Will they just kill it? We will have to wait and see.

2. While we are discussing M&A, Lumension bought Securityworks and Symantec bought Mi5. Ok, seems like your average deals, but I bet the Mi5 folks are a lot happier with Symantec stock than the Securityworks guys are with Lumension.

3. Cloud and GRC – So far those are my votes for this year's RSA buzzwords. They seem to be all over the place. Oh and DLP becoming real this year. That sounds like a familiar tune!

4. Shameless plug. If you are here at RSA be sure to join Mike Rothman, Rich Mogull, Michael Farnum, Mike Murray and me Thursday morning for a panel on good security in tough times. Catch it if you can!

Have a great day!

April 13, 2009

Have you seen this man?

Where is Mike? I know he is around, I have spoken to him, but he said he was in an undisclosed location. Is he on the lam? Will he truly in fact be at RSA? Has he been working on his next book? I don’t know but his blog is looking for him. If you spot Mike please tell him to drop us all a note once in a while!

February 24, 2009

Shimel's daily incite

My friend Mike doesn’t get a chance to do his daily incite as much. I know he says that he gets 30% more readers when he just does a rant on a single topic, but everyone I speak to misses his round up of what's news in security with his two cents thrown in. So here is my daily incite. We will see how this goes before committing to doing more of it.

Have a good day!

The Pragmatic CSO:

Available Now!


Read the Intro and Get
"5 Tips to be a Better CSO"


www.pragmaticcso.com

How can I do a daily incite without pushing the Pragmatic CSO? There, hope everyone feels better!

  1. Big Fix offers 50% off – John Dunn at Network World reports that Big Fix is offering up to a 50% discount to customers who switch to the Big Fix patch management system from a competitor when it is time to re up. There is some other fine print with the deal (3yr commitment, only seats being replaced, etc.) but the bottom line is Dave Robbins and Amrit and gang are trying to use the current economy to grab some market share solely on price.  Yeah, it is a bit of a marketing thing and the competition will match it, but then the customer wins.  StillSecure did a similar thing with our 50% off Strata Guard deal.
  2. Tim Greene predicts the future looking at the entrails of dead NAC companies. Tim makes a connection that since StillSecure bought ProtectPoint to get into MSSP and Trustwave took out Mirage, there must be money in NAC. While Tim may ultimately be right, I don’t think today there is significant revenue in fully managed NAC. According to the article Mirage derived 30% of their business from managed service. I question how much 30% actually was though. Doing managed NAC is not as easy as it sounds. The MSSP will have to have access to network infrastructure as well as the NAC solution. Stay tuned for more details on that one.
  3. Say goodbye to FISMA? As I ranted on yesterday, FISMA has become the poster child for all that is wrong with compliance for compliance's sake alone. Yesterday a group with lots of support from the DoD, Mitre and SANS released the Consensus Audit Guidelines. You can get details on the SANS site here on the 20 critical controls. These look to me like the kind of common sense real security policies that will make a difference in the security of networks and not drown us all in paperwork without making us more secure. I sure would like to see this get adopted more widely.
  4. Security company hackers speak up. Softpedia has an interview with the Romanian hacker group that broke into several security company web sites including Kaspersky, F-Secure, Symantec, etc. Personally I don’t care what they have to say. I think giving these guys any play is akin to negotiating with terrorists. What they did was illegal and wrong and they should not benefit from it.

There you have it.  Shimel’s daily incite. Good day Mike Rothman no matter where you are ;-)

February 10, 2009

Rothman appeals to the baser instincts in security pros

It's been way too long since I got into it with my friend Mike Rothman. Frankly since he became a vendor again I have been going easy on him, even though there were a few times I was tempted to write a thing or two about what he wrote. Lately Mike has gone from reporting on the news with his own view thrown in, to ranting about whatever topic tickles his fancy. Personally, I like it better when Mike reports on the news, instead of trying to make the news.

Today Mike tells us that for the security practitioner, desperate times call for desperate measures. Forget trying to sell the value of security. Forget showing the positives in having a security environment. Mike says his years and years of being in the security industry fighting that fight were ineffective. Fall back to good old fashioned FUD. Plain and simple, sell fear. Whatever happened to when the going gets tough, the tough get going? What about the only thing we have to fear is fear itself? Come on Mike, say it ain’t so. Have a few months of being back in the vendor world turned you into a FUD whore?

Mike makes the point that the life insurance companies have been selling FUD forever and are much smoother at it than security folks. He is right, the life insurance industry is much smoother at it. Then again so is the car insurance industry. The key is they have a velvet glove over the fist. They also sell their advantage over other insurance companies. Better service, cheaper price, more stability. Security professionals need to “sell” the necessity of security. This has been true in good times and bad. The lowest common denominator is FUD. But the really successful security folks will rise up above the FUD and deliver a message of value, wrapping the velvet glove around the fist. Mike, with all of your experience I am surprised you would advocate bag diving so quickly!

To make matters worse, I commented on Mike’s blog about this and he responded with a particularly vindictive retort about it always being all about me anyway. I guess Mike was having a bad day selling SIEM. Anyway, how is one supposed to know that you are not talking about security vendors in your incite piece, Mike? I see you didn’t miss the chance to mention that you also blog on the eIQ blog as well about “business issues”. Yes, you have made that clear by the many links back to the eIQ blog over the last several weeks. But then again my friend, it is never all about YOU or is it ;-)

January 31, 2009

Rothman and Shimel – Twin sons of different mothers?

I was pretty happy. The folks over at Government Security News asked me to write a short piece for their weekly newsletter this past week and spoke about me possibly expanding that into a multi-week gig. So after scouring the net for something good to write about, I decided that I wanted to talk about the lessons of the Heartland fiasco and how it applies to public sector as well as private sector security admins. I wrote what, if I do say so myself, was a nice little article and sent it over to the folks at GSN. They said they liked it and it would go out on Friday. Cool!

I forgot about it till tonight and then went over to the site to check out if it was posted. Sure enough I see a picture of my “pretty” mug next to an article titled, “The Heartland Debacle, take one”. I think to myself, geez, I guess it was too long and they had to split it into two parts, they will probably run take two next week. Well I scroll down the main page and sure enough I see an article called “The Heartland Debacle, take two” and whose smiling face is looking out at me? None other than Mike Rothman! In a case of parallel evolution or just a slow news week, Mike wrote the same thing I did and surprise, we actually had a very similar message. Shoot! In the future if I do any more columns I guess I will have to check with Mike to make sure we don’t overlap.

Anyway it gave me a chance to use a phrase I always found cool, twin sons of different mothers.  Dan Fogelberg and Tim Weisberg did an album (does that word show my age?) by that name and it was excellent.  The best song on it was Power of Gold.  Click on the album cover to go listen to it. Enjoy!

December 01, 2008

StillSecure, After all these years, Podcast 62- Mike Rothman

Mitchell and I are joined by our friend Mike Rothman for this show taped on Thanksgiving Eve. Mike has "taken off the objectivity suit" and is now a vendor puke for eIQ Networks. Mike talks about his reasons for taking the job, what eIQ is about and what about the analyst gig.

We also discuss with Mike some of the latest news in security.  As always, Mitchell and I have a great time with Mike and the time goes by too quickly. I am sure you will enjoy what Mike has to say as well.

Mitchell and I had two shows taped, so rather than wait I released them both. We have another one ready to go in the next week or so as well, so stay tuned.

Thanks to Pod0matic for hosting our podcast. Tonight's music is the usual, To the Summit by Jon Schmidt. You can hear more from Jon at http://www.jonschmidt.com. Music transitions between segments are by our own Mitchell Ashley!

Enjoy the podcast!



October 06, 2008

Mike, say it ain't so! Good Luck on the new gig and welcome to the dark side.

One of the things I am always cognizant of is that no matter how much I rant and rave about this being my own private blog, no matter what disclaimers at the top right say, people still say this is a StillSecure blog and a vendor blog. Hey they are right to a certain extent. It truly is my blog. I pay for it myself (we have already seen proof of that) and write it myself, but I do promote StillSecure within it, so call it what you will.

My friend Mike Rothman always recognized it and was not shy about calling me out on it.  Just for giggles I would send him an email now and then that I heard rumors he was going to take a job as a SVP of marketing at a NAC company. He would always write back with something about hell freezing over.  Not sure how cold things are down there today, but in a case of truth is stranger than fiction, Mike announced he has taken a job. Well it isn't a NAC company, but a "company redefining security and compliance management", eIQNetworks.

I don't know much about eIQ, but I assume the fact that Mike is joining along with Jim Geary, his colleague at SHYM, they have high hopes.  I am glad to see Mike coming over to the "darkside" and joining the vendor wars.

Mike has done a great job with Security Incite.  It is one of my favorite blogs to read and I enjoy interacting with Mike. I am sure that he will continue on with the incite, but now he will have to deal with the "vendor issue" as well.  But hey that goes with coming over to the dark side.  I am sure Mike will handle it well and still give us interesting takes on what is going on in the security world.

Good Luck Mike!  Now that you have come to the dark side (in my best Darth Vader voice), do I need to tell you who your father is?

September 30, 2008

Rothman does the Wave - my thoughts exactly!

From Mike's Security Incite yesterday:

Microsoft rides a paper surfboard to the top of the Wave

So what? - The Forresters checked out a bunch of data sheets and decided Microsoft was "top of the NAC heap." Not sure if they used those words, but that's what Tim Greene says were the results of Forrester's NAC wave. That kind of finding is pretty laughable. There is no question that Microsoft will be a player and they will absolutely own the agent that checks desktop device integrity. But to think they've got something that is enterprise-ready is a bit strange to hear. Even better, they put in a disclaimer saying the study isn't based on "units sold or performance tests," but how well the products will "meet the challenges of a set of real-world deployment situations." At least Gartner's ability to execute rating is based largely on company revenues and product sales. So basically this was an RFP process. And Microsoft prepared the best response. Great. People that really buy products understand that a good RFP response gets you into the bake-off. That's when things like "performance tests" start to matter. That's why I find it ridiculous that vendors get judged on this qualitative crap. Ultimately customers only care about whether a product can solve its problem, not whether the vendor gives GOOD RFP. Smart customers understand these types of reports can maybe provide a little perspective on identifying the long list of vendors to chat with. But to base a buying decision on it is irresponsible.

'nuff said.

August 04, 2008

Revisiting the good enough generation

That's right, talkin' 'bout my, my g-g-g-generation. The generation where good enough, is . . . good enough. There is no sense of being the best you can be or going over and above. Just enough to get it done is the way of the world. So with Rothman revisiting Big is the New Small, I thought another look at the good enough generation was in order. It was just over two years ago that I wrote the original "Is good enough security, good enough".

Now with hindsight it appears Mike and I were saying very close to the same thing. That the sad truth is that for most people having security that is good enough, is enough for them. Subsequently if the big guy has good enough, why bother with dealing with a multitude of vendors and Tower of Babel security infrastructure. So after all this time Mike is not entirely wrong.

However, I still believe that there is a percentage of the world that doesn't buy into the just good enough theory. For folks like that given the resources, being the best they can be is the way of the world. If I didn't believe that, I would not be as jazzed about building a company like StillSecure as I am.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
