160 posts categorized "StillSecure stuff"

June 09, 2008

Dynamic vulnerability assessment

A few weeks ago I wrote about the current state of vulnerability assessment being like a parody of the Obama/Hillary commercial: who answers the phone at 3am? For vulnerability assessment, the results are only as good as the set of devices that are actually online to answer the scan. This has been a problem for security managers and vulnerability assessors for some time. You are forced to balance scanning during prime time, which affects network performance, against scanning during off hours, when the devices you most need to scan may not be on the network at all.

Today StillSecure announced our answer to this problem. We call it Dynamic Vulnerability Assessment (DVA). With DVA you have vulnerability and compliance data for every device that is current as of at least the last time that device joined the network. This closes the loophole and gives organizations a much more comprehensive and accurate assessment of who is on the network and what their machines look like.

To accomplish this we are using some of our NAC technology from Safe Access, which lets us detect devices as they come onto the network and assess them at that moment rather than waiting for the next scheduled scan window. We can also use the purpose-built Safe Access testing engine to run deep compliance checks that supplement the traditional vulnerability checks. We think this is a big step up in vulnerability assessment and management. I am interested in what others think.
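As an added illustration (my own example, not StillSecure code and not how Safe Access is implemented), here is a small event-driven assessment scheduler in Python. It consumes constructed DHCP-server-style join events, keeps an inventory keyed by MAC, and assesses a device on join when it has never been assessed or when its last result is older than a configurable maximum age, with a quiet period so that a flapping host is not rescanned every few seconds. The log lines, MAC addresses and the assess() hook are all assumptions made up for the example.

```python
"""Event-driven ("dynamic") vulnerability assessment scheduler.

Added illustration for this post; not StillSecure/Safe Access code.
Join events, MACs and the assess() hook are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed DHCP-server-style events (timestamp, event, IP, MAC); not real log data.
SAMPLE_EVENTS = """\
2008-06-09T08:01:12 DHCPACK 10.1.4.23 00:1a:2b:3c:4d:5e
2008-06-09T08:02:40 DHCPACK 10.1.4.24 00:1a:2b:3c:4d:5f
2008-06-09T08:03:05 DHCPACK 10.1.4.23 00:1A:2B:3C:4D:5E
2008-06-09T08:04:00 DHCPRELEASE 10.1.4.24 00:1a:2b:3c:4d:5f
2008-06-09T17:45:00 DHCPACK 10.1.4.25 00:1a:2b:3c:4d:60
"""


@dataclass
class Device:
    mac: str
    ip: str
    last_seen: datetime
    last_assessed: Optional[datetime] = None


class DynamicAssessor:
    """Assess a device when it joins, unless a recent result already covers it."""

    def __init__(self, max_age: timedelta, quiet_period: timedelta):
        self.max_age = max_age            # a result older than this is stale
        self.quiet_period = quiet_period  # don't rescan a host that was just scanned
        self.inventory: Dict[str, Device] = {}
        self.scan_log: List[Tuple[datetime, str, str]] = []

    @staticmethod
    def parse_event(line: str) -> Tuple[datetime, str, str, str]:
        ts, kind, ip, mac = line.split()
        # MACs are normalised so that "00:1A..." and "00:1a..." are one device.
        return datetime.fromisoformat(ts), kind, ip, mac.lower()

    def on_event(self, line: str) -> Optional[Tuple[str, str]]:
        """Update inventory from one event; return (mac, ip) if a scan was triggered."""
        ts, kind, ip, mac = self.parse_event(line)
        if kind != "DHCPACK":          # only a completed lease means the host is reachable
            return None
        dev = self.inventory.get(mac)
        if dev is None:
            dev = Device(mac, ip, ts)
            self.inventory[mac] = dev
        else:
            dev.ip, dev.last_seen = ip, ts
        if self.needs_assessment(dev, ts):
            return self.assess(dev, ts)
        return None

    def needs_assessment(self, dev: Device, now: datetime) -> bool:
        if dev.last_assessed is None:
            return True                              # never assessed before
        if now - dev.last_assessed < self.quiet_period:
            return False                             # flapping host, already covered
        return now - dev.last_assessed > self.max_age

    def assess(self, dev: Device, now: datetime) -> Tuple[str, str]:
        # Hypothetical hook: a real deployment would hand dev.ip to the scanner here.
        dev.last_assessed = now
        self.scan_log.append((now, dev.mac, dev.ip))
        return dev.mac, dev.ip

    def stale_devices(self, now_iso: str) -> List[str]:
        """MACs whose newest result is missing or older than max_age at the given time."""
        now = datetime.fromisoformat(now_iso)
        return sorted(mac for mac, d in self.inventory.items()
                      if d.last_assessed is None or now - d.last_assessed > self.max_age)


def run(events: str = SAMPLE_EVENTS,
        max_age: timedelta = timedelta(days=7),
        quiet_period: timedelta = timedelta(hours=1)) -> DynamicAssessor:
    """Feed every event line through the assessor and return it for inspection."""
    assessor = DynamicAssessor(max_age, quiet_period)
    for line in events.splitlines():
        if line.strip():
            assessor.on_event(line)
    return assessor


if __name__ == "__main__":
    result = run()
    for when, mac, ip in result.scan_log:
        print(f"{when.isoformat()} assessed {ip} ({mac})")
    print("stale on 2008-06-20:", result.stale_devices("2008-06-20T00:00:00"))
```

With the sample events, the first join of each MAC triggers an assessment, the repeat lease for the first host two minutes later does not (quiet period), and the DHCPRELEASE is ignored because a released address says nothing about reachability. The property the post is after falls out of the data flow: a laptop that was powered off during the weekend sweep is assessed the moment it gets an address on Monday, so no inventory entry is ever older than the device's last join.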


May 01, 2008

What hardware will the "God Box" run on?

The folks over at Cisco Subnet (not sure if this is still my friend Brad Reese writing over there) had an interesting blog post yesterday about an announcement we made here at Interop: we will throw our support behind Cisco's AXP, the blade extension that turns a Cisco ISR into a Linux application server. You may remember that I blogged on this earlier here and here in relation to an article by Don Marti on LinuxWorld. Well, this announcement, as the Cisco Subnet article points out, puts our money where our mouth is on this one.

As the Subnet article also points out, I think the real question is not whether we in IT are going to run more apps on our router boxes, but whether these "God boxes" will be expensive, proprietary black boxes like Cisco routers or low-cost, standards-based, off-the-shelf hardware. With this announcement we are covering all of our bases: you pick the platform of your choice and we will support it. That is the StillSecure way.

April 18, 2008

It's about convergence, stupid

Dmarti's blog over on LinuxWorld has an article up titled "Dumbest networking vendor idea since Network Access Control", which argues that it is a dumb idea for Cisco to allow Linux apps to run on their ISR routers. Besides the fact that the title alone is enough to make me want to tear this one apart, the underlying logic of the author's argument is just weak.

On one hand he asks why anyone would want to run Linux apps on a router at all, since it is potentially bad design. On the other hand he says it is better to run them on a cheaper router alternative like Vyatta, and then spouts some PR from Vyatta about their price/performance advantage over Cisco. They back up this advantage with "3rd party testing". Turns out the testing is by the Tolly Group. Oh, now that changes everything. Have any of you ever had a Tolly evaluation done? Any time you submit a form describing what you would like the testing to show in the final report, and the final report shows exactly that, well, you know what I am saying. But seriously, if it is good for Vyatta, why would it not also be good for Cisco?

Here is the real issue, though, that the author misses. We live in an age of convergence! The idea of having a standalone box that only does routing is history, and when Cisco themselves acknowledge it, you know it is fact. People want more functionality out of their hardware. Now that is not to say that your router should be your database server or mail server. But there are certainly network functions that make sense to put on a router. Security is a no-brainer to start: IPS, VPN, firewall, gateway AV. Easy. What about network services like DHCP, DNS, RADIUS, etc.? How about some next-gen network stuff like WAP and VoIP? That would make sense. By embracing Linux on the router, all of these things and more are possible. By the way, you can do all of this now with our own Cobia platform.

That's right, we had this idea two years ago and have been working on it since. With the convergence of networking, security, VoIP and wireless technologies, why wouldn't you want a multi-use box that can deliver all of this?

March 26, 2008

Is there a better way to design interfaces?

Michael Farnum has a great post up today wondering whether we in the security industry have been stifling our creativity by designing all of our management interfaces in one of two paradigms: the GUI look and feel pioneered by Checkpoint, or the command-line standard that Cisco has made its own. It struck a chord with me because it was actually the second time I have heard the same comment this week alone. In speaking with one of the big analyst firms, our own VP of product strategy, Andrew Grealy, made the same point.

This actually goes to the heart of what we are trying to do, especially with our Cobia product. We think there has got to be a better way. Why can't products just work, the way Apple does it, for instance? So many things in the Mac interface are binary. You plug a mouse in, and you don't get a message that the system has detected a new pointing device, followed by an install wizard where you may have to pick a driver. You plug it in and the mouse works. If it doesn't work, something is wrong. Andrew has some great ideas on this around security. Instead of plugging in your IPs and so on, wouldn't it be great to just tell your security product to protect your web servers? Is there a better way to let you manage a firewall? We think there is.

At StillSecure we have a history of creating easy-to-use GUIs that are powerful yet intuitive. Andrew and his team are working on a rework of our Cobia GUI and some of our other products that we think will break out of the Checkpoint/Cisco mold once and for all. We hope the market will reward the innovation and the easier way of doing business.

March 04, 2008

Two out of three ain't bad

Brad Feld has a funny but true story up on his blog today about how we at StillSecure and our co-tenants Return Path decided who would stay in our office space. We both started in the old Hotbank incubator and watched as other companies came and went. Brad and his people left, and it was just StillSecure and Return Path. Finally we both came to the realization that this place ain't big enough for the both of us. We were faced with several options to settle this mess. One suggestion was a rumble outside in the parking lot, but they have a lot of big guys over there. Another was a race of the fastest hot rods in both companies, winner keeps the lease, sort of a Grease way of doing things. But that got voted down. Then we were going to have Rajat Bhargava, our CEO, just throw down with Matt Blumberg, Return Path's CEO. But that seemed so un-Colorado-like. Lawsuits were out of the question, as both would rather spend the legal fees on new space.

So we settled on a coin toss, with Brad Feld as the referee to toss the coin. As Brad recounts, it was actually a best-of-three coin toss and we won two of them! So we stay in our swank and comfortable space and Return Path has to look for new space. I am glad we won, as I like our space. It is very Colorado tech and comfortable. If you are in the area, come by and check it out for yourself. In the meantime, to my friends at Return Path, I dedicate the Meatloaf song below to you!

Who could use some extra cash?

Could you use an extra 2k? How about an extra 5k? Here is the best part: you don't have to do anything illegal, and you will actually feel good about doing it! Here at StillSecure we are growing again. We have a number of openings up on our web site under the careers section. Every so often we designate certain jobs as "hot jobs". If you refer someone for one of our regular jobs and they are hired, we pay you a thousand dollars on hiring. If they stay 6 months, we send you the other thousand! If it is one of the hot jobs, you get 5k instead of 2k. How do you refer a potential candidate? Easy: just have them send their resume to careers@stillsecure.com with a note saying you are the referrer, giving your email address and the position they are applying for. Sound easy enough? I think so.

Of course no offer like this is complete without the fine print. So here it is:

Candidates cannot refer themselves and only the first person or agency to refer a candidate that is hired will be compensated.  If a candidate is already under consideration at the time of the referral under this program, no compensation will be paid.  Referrers must complete a W-9 for tax purposes before compensation can be distributed.  This program will run through April 30, 2008 or until all open positions are filled, whichever comes first.  Specifically referrals must be provided by April 30, 2008 and referred applicants must be hired by May 31, 2008 to qualify. Don't miss your chance to earn some extra cash!


If you have any questions or concerns regarding this program or our open positions, please contact our HR department at careers@stillsecure.com.  StillSecure reserves the right to alter or modify this program at any time by posting changes to its website.  Whether a referrer is entitled to compensation shall be within StillSecure's sole discretion and StillSecure's decision will be final.

January 31, 2008

One of the cool things about my job

Like anyone else, there are some days where I just ask myself what I am doing. Daily frustrations, the world not moving at my speed, my atrocious spelling and grammar mistakes all serve to make me ask myself if there is not a better way. However, there are other moments when I positively love what I do. I think the key is making sure those moments outweigh the times you just feel like packing it in. If not, it is probably time to pack it in.

Anyway, where was I? Oh yeah, one of the cool things I like about my job is talking to the various analysts and talking shop about the industry. You know the kind of chit-chat: did you hear about this one or that? I enjoy the give and take and have made some great friends over the years with the analysts I meet. Today I had the chance to speak with Derek Brink over at the Aberdeen Group, who are conducting research on how companies enhance their enterprise security based on the principles of trusted computing and the use of Trusted Platform Modules (TPMs). If you're interested in this topic and want to contribute to the research by taking the survey (here is the link: http://www.aberdeen.com/survey/tctpm), you'll be able to see how your experiences in this area compare with those of your peers, benchmark your performance, and see how you can achieve "Best-in-Class" results. End-user participation is a vital part of their research process and serves as the foundation of Aberdeen's reports. They'll even provide you with complimentary access to the final benchmark report when it publishes at the end of February.

Derek is a very nice guy and very interested in what is happening in the NAC and 802.1X market. If you want to help shape policy and public opinion, this survey is a great way to do it. I am going to try to get together with Derek in person. In the meantime, speaking to him today was enough to remind me why I love what I do!

January 10, 2008

Do you have the right stuff?

Let me get right to the point. I hate paying headhunters. StillSecure is looking for a killer salesperson for the Northeast US. If you are based in Boston or NY, this is a great chance to join our company at an exciting time in the market and in our history. If you think you have what it takes, drop me an email at alan at stillsecure dot com and let's talk.

September 24, 2007

Laid back NAC - Safe Access Lite- NAC without quarantine

Today over at StillSecure we announced the release of Safe Access Lite. Borrowing (or stealing) the description an analyst I spoke to gave it, it is "laid-back NAC". What we are offering with Safe Access Lite is a free means of finding out who is getting on your network and what their machine posture is. What it does not offer is quarantine enforcement for people who fail policy checks. We think this is a great first step for anyone looking to implement NAC: first put in a program that will show you what devices are coming onto the network and what their posture is. For those who are looking for no more than that, hey, today is your lucky day, you get it for free. For those who then want to build policies to enforce based upon your findings, you can upgrade to our regular Safe Access product or, for that matter, use another NAC solution.

You can download Safe Access Lite here. It runs in the free VMware Player as well. It is free, but not open source. We think there is a big part of the NAC market whose needs will be satisfied by SA Lite. It will be interesting to see what people say and do. If you have any comments on SA Lite, drop me a line or leave a comment.

June 15, 2007

Code Red it ain't . . .

Here at StillSecure we rely on our SAT (Security Alert Team) to protect our customers up to the minute against the latest threats. We don't hold ourselves out to be an eEye security research company or even an ISS X-Force (haven't heard much about them lately, have you?). For the most part our team, which is now spread across multiple continents, makes sure that our products have the ability to detect and defend against the latest bad stuff. They do a great job of it, keeping all of our products up to snuff, whether it be vulnerability scans, IDS signatures, the latest test updates for our NAC, etc. Every once in a while, though, we come across something that can help others, and when we do, we try to be a good security neighbor. Just this sort of thing happened this past week.

Our SAT folks became aware of a new email attachment that came with a very legitimate-looking email purporting to be a bill, with an invoice attached. Of course the "invoice" was a nasty executable, your typical trojan of the kind that has been making the rounds lately, like the IRS one a few weeks ago. However, a finance or accounts payable person, or anyone for that matter, would probably open it if they did not know better. So we had a look at it, saw that none of the AV products we had were picking it up, and realized this could be a problem. We of course made sure our products protected against it right away.

Brad Doctor, our director of security research (who is about to have his first child and is pretty much up to his ears with that), went beyond that and immediately notified as many outlets as possible about our findings. We were glad to see that ClamAV put out a signature for it today. We saw McAfee post it too, and they will have protection in a .dat file update soon. Of course McAfee did not give us any credit for sending it in, but hey, that is OK; maybe they saw it in other places first, or maybe they don't want to ruin their security gunslinger image, whatever. Interestingly, Brad mentioned that Symantec had no address to send it to, so we were unable to send it to them. For the first time, he actually thought of Microsoft as a company to notify. Good for Microsoft!

I also read that PC World saw this one too. Anyway, this is hardly another Code Red worm. I am not holding our SAT team out as the premier security research team in the industry. We won't be sporting sarcastic shirts at Black Hat taunting Microsoft. But then again we aren't laying off any engineers, and our SAT team keeps plugging away, keeping our customers protected and trying to do the right thing by the security community. For that I say, great work team! At the end of the day, isn't that what it is all about?

June 08, 2007

The last to know . . . new NAC whitepaper

A while back I mentioned a new whitepaper I was writing about the evolution of NAC and our vision of complete NAC. I had given it to our marketing team for graphics and publishing and then frankly forgot to follow up on it. Today during a presentation the marketing/PR team gave, they mentioned the paper had been downloaded hundreds of times! I did not even realize it had been published.

For those of you who may have been looking to read this, you can download the paper in PDF format here or get it from the StillSecure site. Hope you find it useful.

WindowsIT Pro NAC review

WARNING: Some may think this a blatant plug for StillSecure's Safe Access NAC solution

Just wanted to mention that Windows IT Pro magazine, in their June issue, has a NAC review by John Green. John looked at four different NAC solutions: Sophos Endforce, InfoExpress's DNAC, McAfee's Policy Enforcer 2.0 and StillSecure Safe Access. John evaluated all four products and declared Safe Access the Editor's Choice! What I found particularly rewarding about this was that we were the only Linux-based solution in this Windows IT Pro review. Also, the next best solution, from McAfee, really was picked only because of its integration with other McAfee products, not because it was a very full-featured NAC. I think this once again proves that Safe Access is truly a best-of-breed solution. I won't bore you with all of the details, but be sure to read the review if you are interested.

May 22, 2007

How not to do marketing

God knows that when another company does some stupid marketing, I am the first one to jump up and down and call them on it. Some companies and former friends have gotten upset with me for doing it, but I call them as I see them. So it is with some regret that I have to stand up and say that we at StillSecure did some stupid marketing that I have to apologize to my blogging brethren for. It seems our PR folks, realizing the tremendous influence security bloggers exert (hey, don't forget the most influential people in IT security list), thought the best way to reach them was to send a story pitch to all the people on our blogrolls. This is the same way they do it when pitching to the traditional media. WRONG! Bloggers are not the traditional media; that's what makes blogging, blogging. It was not cool, it was a mistake, and we are all sorry here. We will make sure that does not happen again. Lesson learned, and now on with the show.

May 21, 2007

NAC in the news at Interop

Just wanted to highlight two NAC-related pieces of news from Interop. One is that the official announcement finally seems at hand formally confirming the interoperability of Microsoft NAP and TCG/TNC. This has the potential to revitalize the TCG effort to become the leading standard for NAC.

On another note, we at StillSecure announced a new partnership with Force10 Networks today. Force10 is a leader in high-performance Ethernet switching. They are also very serious about security, and we are proud to be partnering with them. With this announcement StillSecure is now an alliance member or partner with most of the switch vendors, including Cisco, Extreme Networks, Foundry Networks, Force10, 3Com, etc. The fact that all of these switch vendors see the value in our NAC solution is in and of itself a great testament to the product and our company.

May 18, 2007

Eating your own dog food

This post was intended to announce the latest member of the Security Bloggers Network. But to show you how the creative process works, I came up with the title and it actually sparked an idea about something else I wanted to write. I guess this is what growing old does to your brain. Anyway, first of all, let me introduce the newest member of the Security Bloggers Network, The Cobia Blog. Yes, it is the blog that Martin McKeay and gang maintain for the Cobia Community. I will occasionally write on there too. I thought that, being a StillSecure blog, we should "eat our own dog food" and join the SBN. Now I just need to get Martin to put the SBN logo up on the blog!

But back to eating your own dog food. I have always liked that term. I wonder how many of you actually practice it. If you are selling something to customers, are you using it yourself? At StillSecure we actually have Safe Access deployed on our own network and find our network a great alpha/beta site. Some of our best feedback comes from using the product on our own network. On top of that, I find customers respect the fact that we use the product ourselves, and it helps our people understand what the user experience is. We also use our other products on our own network. Next time you are buying a product from a vendor, find out if they are using it in their own business. If they are not, that should tell you something.

Good weekend to everyone and hope to see some of you in Vegas for Interop!

April 26, 2007

Amen, Rothman!

As much as I hate to admit it, I agree with Mike more often than not. Today Mike wrote about something I was holding back on, but I am glad he went first, so now let me pile on. Earlier this week Frank Ohlhorst over at CRN wrote an article about a bake-off CRN did on three software-based NAC vendors. The bake-off pitted StillSecure against Symantec and InfoExpress. I have dealt with Frank before and have a lot of respect for him. I personally walked him through Safe Access, and then he and his team took it for a drive on their own.

When the review came out this week I was somewhat disappointed that they rated us a close second to InfoExpress, ahead of Symantec. Hey, you can't win them all, and Safe Access has certainly won its share of awards. But when I read the whole review, especially the conclusion, I was baffled at how they picked InfoExpress. If you just read the reviews, it was clear they thought Safe Access was the best product; they also came right out and said we made the most sense for the channel, but said InfoExpress "barely" edged us out. They never said what it was that caused InfoExpress to edge us out.

I didn't blog about it because I didn't want to come off as sour grapes, or maybe I was being too sensitive. But Mike Rothman hits this right on the head. Read the review and tell me who you think won this bake-off. I think stuff like this confuses more people than it helps. Mike is right. Frank, I would love to hear what the reasoning was.

February 28, 2007

The Village Elder - Security Samurai

There is a new StillSecure blog. No, it's not Martin McKeay's blog. John Curry, our director of customer security at StillSecure, has started a blog called The Village Elder. John is a great engineer and a very technical dude; we modeled our security samurai persona on him. However, his real strength is making security easy for the technical people he deals with all day long. He also has a great sense of humor. His blog, I am sure, will be a little more technical than most, but if you are into the nuts and bolts of security, networking and general IT wizardry, The Village Elder may be just the ticket! As an example, his most recent post is a great practical approach to setting up strong passwords and remembering them. Real-world help for real-world problems.

Please give the site a visit and let John know what topics you would like him to cover. Welcome to blogging, John, and good luck!

February 27, 2007

Friends who blog ... and work together

This is not a post about Mitchell. But most of you may already know what we announced and made official today: my good friend Martin McKeay has joined our company as product evangelist. Martin was one of the first people I met through blogging, and over time we have developed a close friendship. Also, over that time I have admired Martin for his ability to take his technical background and marry it to his passion for blogging, podcasting and journalism to become the person he is today.

Martin's role in our company is to evangelize our products and some of the research that Mitchell's team is working on. Over time Martin's role will become more defined, and I am sure he will be a valuable contributor. When Mitchell and I were speaking about this role, it seemed a natural fit for Martin. Everything just lined up right: Martin was looking to go in a new direction, and we needed his exact mix of technical and marketing skills and his web 2.0 chops. In Yiddish there is a word, beshert, which roughly translated means "it was meant to be". Actually the concepts of fate and predetermination and all of that mystic stuff are rolled into beshert too. Bottom line is, it just feels right.

So Martin, welcome to the StillSecure team. We are proud and happy to have you on board. We are also sure that you are going to be a valuable piece of the puzzle on the way to our success. If nothing else, between Mitchell, you and me, we will be well represented in the blogosphere. To the rest of you security bloggers/podcasters out there, not to worry, eventually we will hire you too ;-)

February 16, 2007

Empty Nest Syndrome

One of the hardest things about founding a company and being a little older than some of the people working there is saying goodbye. Unfortunately I have learned the hard way that sometimes great young people come into your organization and, in order for them to continue growing along their career path, it becomes necessary for them to move on. Recently two people in our company have moved on to, hopefully, bigger and better things. First was Jeannine, our marketing manager. She has moved on to another company to pursue her dream of working in business development and channels. We had no openings for her here, and she felt it was time for her to go to the next level. We wished her luck and were thankful for all of the good things she did for our company. Today was the last day for a young gal we hired probably a year or more ago. Courtney Smith from our PR team has been a great asset to the company, and watching her become a real "PR pro" under the guidance of our director of PR, Sonya Hausafus, has been spectacular. Now all grown up, Courtney is moving on to work at a PR agency to further round out her experience. Again, we wish her well and will miss her and all of the hard work and great things she did here.

I know that this is just the natural way of things, but I will still miss working with these great folks on a daily basis. The good news is that we will hire two new people to take their place, and watching them do their jobs and become part of the fabric of our company will be equally exciting. Plus, this month we are adding someone else to our team whom I have known for some time, and I am really pumped about it. You will have to wait on that one though. Until then, Courtney, best of luck in your new job and keep us posted on your progress.

December 08, 2006

Is Ross Brown trolling or does he just not get Open Source? (or what StillSecure or Tenable do for that matter)

So Ross Brown admittedly seeks to upset the calm on this peaceful Friday with a post about how open source does not seem to do well in the security arena. To put a little extra sugar on top, he makes some assumptions about the business models of StillSecure and even Tenable Network Security. I will bite at the bait, respond to Ross and try to enlighten him a little. So, for your entertainment:

Why does OSS (Open Source Software) not seem to work in security
- Ross, not sure where you got this idea. Actually, I think security represents one of the greatest success stories in the open source world. There have been a multitude of open source security projects that have been widely used and have spawned successful commercial companies. A few examples of open source security in the market are Snort, Nessus, Tripwire, iptables, ClamAV, SpamAssassin, Nmap, etc. Companies like Sourcefire, Tripwire and Tenable, which were spun up directly by commercializing the open source products they manage, are one thing. There are also a lot of companies that either make products which enhance these open source tools or build upon them to make even better products. On top of this, many of these open source projects have large, vibrant communities. In terms of contributors, I think one of the myths around open source is that these communities are made up of hundreds and thousands of little open source elves around the globe contributing code. The fact is, security or not, across the over 100,000 open source projects out there, the percentage of people who contribute code is very, very small. Most community members are content to use the software, report bugs, get help and maybe beta test the latest release. I don't think security is any different in that regard.

There are lots of people who find pure Snort too daunting. Though there may not be a Red Hat to provide the convenience Ross speaks of, there are plenty of companies who "put a pretty face" on Snort and make it easy. There are also plenty of firewall companies who put an easy-to-use GUI on top of iptables. Not to mention the UTM guys like Astaro or Fortinet, who pile up lots of open source, put a GUI on it, and off to market they go. Ross, I don't think security people are any more paranoid or freakier than regular IT folks. I think security people are actually more likely to contribute any improvements they make to OSS code back to the community. They want to see people protected.

As to what companies like StillSecure do
- again, let me explain. When we founded StillSecure 6 years ago, we looked at the state of the art in the categories we found interesting. We quickly realized that, in security anyhow, the open source products were every bit as good as, if not better than, many of the commercial products out there (Nessus vs. eEye or Snort vs. ISS). Looking at what was available to us under the licenses at that time, we decided that rather than reinventing the wheel, we could build upon some of these great open source products and add functionality that made them much better. This allowed us to maximize our resources and come to market much quicker than we would have otherwise. Also, as the space matured, the open source components became just one part of the much more expansive and feature-rich StillSecure products. That is why we take offense at being categorized as just repackaging open source software. What we have done is use the OSS for some basic functionality, but frankly, if that is why you are using our software, you are overpaying. It is all the additional functionality that we have built on top of the open source stuff that represents the value, we think.

One thing we frankly did not anticipate was the changing landscape of open source licensing. With companies commercializing the open source projects, our ability to use them as a third party profiting from them has been affected. As a result, we have had to become experts on OSS licensing: knowing when code is derivative of other code, what is legal and what is not. However, this has not dampened our support for open source software. Our products contain a lot of open source software that is not security related, such as MySQL, Apache, Linux, etc. You can view a complete list on our site. We are meticulous about complying with the licensing as well. StillSecure will continue to support open source, and you may even see us contribute some new projects to the open source community that may be more in line with a Red Hat type of model. You never know.

November 27, 2006

Good for the goose, good for the gander

In the interest of being fair: a week or two ago I posted an article that poked fun at a release by a NAC competitor about a customer win with the International Centre for Diarrhoeal Disease Research, Bangladesh. I said at the time that there is nothing wrong with releasing press releases about customer wins, but could not resist some of the obvious jokes around that one. Pete Lindstrom took me to task and asked me to apply my critical eye to some of our own press releases.

So, as I said, to be fair, let me point you to a release we posted today about a customer win with the American Academy of Ophthalmology using our Safe Access solution. The title of the release says it all: "American Academy of Ophthalmology's Clear Vision for Network Access Control Leads Them to StillSecure Safe Access". Hey, at least we can poke fun (no, not in your eye) and see the humor in it ourselves, instead of leaving it to someone else.

November 20, 2006

StillSecure scores another Hat Trick

Well, SC Magazine has just announced the finalists for their Readers' Trust Awards for this year. The winners will be announced at the SC Magazine award show at the RSA show in February. I am proud to report that, for the second year in a row, all three StillSecure products made the finals in their respective categories! For endpoint security, the category that Safe Access won last year, we are in a tough fight with Lockdown Enforcer, Mirage Networks NAC, Senforce ESS and Safend Protector. Tough competition, and it should be interesting!

Now I know some (Rothman) have said bah humbug to these awards. In fact, I myself have taken some of the awards to task in the past. However, my problem with some of them is that you can buy them, as in the case of the InfoSecurity Products Guide. There you can create your own category and no one else can compete in that category. Mike correctly points out that in SC Magazine there is a fee to nominate your product. But from there it depends on reader voting to make the finals. My understanding is that once you are in the finals, it is then up to a panel of judges to pick the winners. I just think it is a much more legit way of doing these things. Hey, if we don't win anything, I may have another opinion ;-)

November 10, 2006

Is terrible management the scourge of the security industry?

Mike Murray over on his blog has an article up today about news he is not seeing. He says that, judging by the topics covered by the security blogs, there is just not anything really interesting happening. Mike ponders whether it could be a lack of innovation or great thinkers in security, or whether it could be something else. One of those something elses is:

"Terrible Management Plagues Security Companies - We saw the terrible valuation of Counterpane, but I haven't heard anybody talk about Qualys (who has seen the departure of a newly hired C-level executive in less than 2 weeks there... twice in 2006), and other companies hemorrhaging employees like there's no tomorrow (one that I know of has lost almost 20% of their employees this quarter alone). Why is it that these little companies can't seem to hire management that can build strong teams, keep employee morale high, and deliver results?"

Could this really be the case? Yeah, I know at least some of the people he is talking about at Qualys leaving, but hey, that happens. I agree Counterpane did not have a great valuation, but I think that has been covered already. Not sure about companies that have lost 20% of their employees this quarter alone (Mike, maybe you can mail me offline on that one). But I don't think the security industry is different from the IT industry as a whole on this one.

Of course, my most intimate knowledge is based on my own experience at StillSecure. Other than a VP of sales and business development over the last 12 months, our executive team has stayed stable but grown, as we have. I don't think, based upon our execution, that we have lost any market valuation, but truthfully how the heck would we know unless someone actually paid for us. On losing employees, we have had some losses, mostly due to the tight job market in Colorado and other companies raiding our people and paying salaries that we felt were just too excessive. We have a bunch of reqs open right now (check out our website for listings if you are looking) and can never seem to find enough good people to fuel the growth. But again, we are not alone in this, and I don't think that is a security-specific problem; it is behind the whole outsourcing thing.

I think employee morale is somewhat subjective, but you try to build a culture of people who are jazzed about building a great company and, as Raj, our CEO, says, "an all star team, not a team of all stars". Delivering results is the metric that we are all judged on eventually. So are there not enough security companies doing it? I look around and see plenty of companies that appear to be knocking it out of the park (if you can believe their PR, but that is another story). Mike, I have to ask you: do you think security as a whole is plagued by this? Is it just a security industry problem, or maybe you are not taking in a wide enough sample to get an accurate view? I know that my blog is read by many "insiders" in security. I am not naming names, but I would be interested in some of your thoughts. Do security companies really have crappy management compared to other industries? Let me hear from you.

November 07, 2006

The few, the proud, we want you!

Mitchell has a post up today on his idea of using his blog to attract some great talent to the team he is building around his ideas on network convergence. If you think you have what it takes to be one of the team and help StillSecure with our next big thing, head on over to Mitchell or email him here.

September 13, 2006

Ross Brown, mixing metaphors, but not all wrong

Ross Brown over on his Technobabylon blog writes about what's killing NAC. While much of what Ross brings up is certainly valid, the problem is that he is mixing up and confusing the three heads of Cisco's Ghidorah (that is the three-headed monster from the Godzilla movies, for those who don't know). In order to really understand what Ross is talking about, and why I think he is mixing it up and possibly confusing us, let's first get them straight. So here are the three elements in Cisco's endpoint universe:

1. Cisco NAC, sometimes called CNAC. This is the original one and probably the least used of the three. It refers to the use of the CTA (Cisco Trust Agent) communicating with the Cisco ACS (Access Control Server) and NAC-compatible network gear. It is also the one that has the 75-plus vendors in the program (only a small fraction of them are actually lab certified to work with CNAC).

2. Cisco NAC Appliance. This is the old Perfigo Clean Machines, later Cisco Clean Access, appliance. It was originally a wireless security play, then an early NAC play, primarily in the .edu market. Since Cisco took it over, they have developed an out-of-band version, in addition to the original in-line version, that relies on SNMP to communicate with switches. As far as I know, it is still not CNAC compatible but will be someday. I hear Cisco is planning on making the NAC appliance the policy server in a more unified Cisco NAC offering. It offers agent-based scanning or Nessus-based agentless scanning (I believe it still does; if someone from Cisco wants to tell me I am wrong, go ahead).

3. Cisco Security Agent, or CSA. This is the old Okena StormWatch HIPS product. I suspect it is what causes Ross and the eEye folks the heartburn, as it goes head to head with their Blink product. It is a monster to set up and tune, but from what I understand it provides good HIDS/HIPS, and it does work with the CNAC framework. For a long time, the Cisco sales force claimed CSA did everything but slice bread (some of them even claimed it sliced bread, but you know how those slimy security sales guys can be). However, I don't think it is anywhere near as bad a product as Ross makes it out to be.

So with that out of the way, here is where Ross is wrong and right. Yes, the problem with the CNAC partner program is that the Cisco sales force is not compensated to sell or even recommend their NAC partners' products (are you reading this, Russel Rice or Bob G.?). They do spin a compelling story around NAC and then use it to drive the NAC appliance (Clean Access) and/or the CSA stuff, I think because CNAC by itself is just not that powerful. All you get is hotfix-level checking and an anti-virus dat file check, and that is pretty much it. Yes, with CNAC 2.0 you can kick off a Qualys scan (I am sure Ross would rather see a Retina scan kicked off), and the Cisco sales and marketing team use that to say CNAC has agentless capabilities. I say bull! Putting a device in quarantine, or not allowing access to the network, while I do a full vulnerability scan is just not realistic or scalable and not a solution. Ross knows this; in fact he says "... real scanning - malware, exploits, spyware, patch levels, firewall compliance, and so on - without making the user wait more than 5-10 seconds to connect." You are not going to do this with an agentless remote vulnerability scan. So Ross is right again, but then he falls off the track. He says that either you run a Retina scan like eEye is doing with the Citrix remote access solution (Ross, not everyone is a remote user) or, I would assume, you have Blink do the scan and report to the NAC server. Ross, can you imagine running thousands of Retina scans at the same time and not delaying more than 5 to 10 seconds? The only answer is to let them on the network, then scan them and remove them if they are dirty. This is flawed, and I think even Ross would have to agree. You need a purpose-built NAC testing engine that does this job quickly and correctly. You can do it agentlessly or agent-based, but it has to have nil false positives and be under 10 seconds. Also, the vulnerability scan paradigm is not right. You don't want a SANS Top 20 scan. It is a compliance-with-access-policy test, not a vulnerability scan. I don't think the two things are the same.

The patch issue is another one where Ross makes a good point, but there are other choices. There are ways of patching non-company-owned assets, and we will have more on this in a while. However, patching is not the only answer. What about using intelligent network technology to limit where an unpatched device can go, to minimize risk to the network? At the end of the day you are protecting the network from the endpoint, not the other way around.

Finally, Ross I agree with you, I have been waiting a long time for Cisco to really work with their NAC partners. However, it looks like unless your name is Microsoft, you still have a while to wait.

Today's Rothman Fable: The Country Bumpkin Security Buyer and the Security Snake Oil Salesman

Ya gotta love Mike Rothman! Even when I agree with him, I disagree with him. In today's Daily Incite, Mike goes off on New Boundary Technologies for trying to peddle the rubber stamp for PCI compliance. Mike tells us that most vendors trade on FUD and the new PCI standards are just the latest in a long line of examples on this point. Mike then goes on about there being no such thing as a silver bullet for compliance. It is a byproduct (OK, he uses the term happenstance, but I am a plain kind of guy) of good, best practices in security. Surprise, Mike, I agree with you! When I first started in the security business years ago, FUD was certainly the driving force in selling security. Certainly, some vendors still resort to FUD as the compelling reason of last resort. I do think that there is no silver bullet to compliance. There are no HIPAA or PCI police to regulate people making wild claims, though there are PCI-certified tools you can use to help with PCI compliance.

Where I disagree with Mike is on two fronts. First off, vendors who have spent some time on these compliance issues and are in this game for the long run can do it right. Not to blow our own horn, but at StillSecure we are actually in the middle of a PCI campaign right now. On our web site we have some great material that talks about the specific PCI security requirements, a matrix showing you how a specific StillSecure solution matches up to each requirement, a good whitepaper on PCI compliance and a whole lot more, including some tips on passing an information security audit. We don't claim to be the be-all and end-all of PCI compliance, and we don't claim that you will fail your audit without using our products. However, we can help. This is not FUD, this is not snake oil sales; this is working hard to give customers what they ask us for and solve their everyday problems. Sorry for the StillSecure commercial, but it was the best example I could find.

I said I disagree with Mike on two fronts; here is the second. Mike and his friend Rich Mogull (yeah, I saw the second post on this about liars and crack) make the point that it is the greedy, lying, scheming security vendor who is duping the poor, innocent security buyer who just fell off the turnip truck. Hey guys, they may have fallen off the truck at night, but it wasn't last night! Let me give you another view on this. How come, no matter what the vendor develops, the customer always wants what is either in the next release or some custom feature that they decide is a must-have for them? They push the vendor to get the most features for the least price and put as much hair and strings on the deal as they can. After all, they don't want to get taken advantage of. They buy the product knowing that the functionality they say they want may not be fully baked yet, but they want it now, and when it does not work as they want, the security vendor fooled them? Mike was right originally when he said it was about mismatched expectations. However, those expectations are as often set up by the buyer as they are by the seller. It takes two to tango, boys, and one can't always blame the big bad vendor, even if the other guy is paying your salary.

Editor's Note: thanks to David Shiflet, In the Turnip Truck, for providing the book I doctored up.

August 29, 2006

Don't believe the hype!

Count on my bud Mike Rothman to call BS on the hyperactive spinmeistering practiced by some marketing/PR types. For Mike, the recent announcement around the new CEO at Tablus was what set him off. Funny stuff, how a fire sale becomes the height of a Trump-style "art of the deal". I don't know Anne Bonaparte either, but I do agree with Mike that MailFrontier was very lucky to find a safe harbor in SonicWALL.

I have written before on this type of hype and how it just makes end users look at everything with a jaded eye and winds up hurting us all. It also makes it so much harder to bring an honest message to the market. I was in meetings with our marketing team yesterday and today around the messaging for a major announcement we will be making at Interop in NY in a few weeks. We are so conscious not to say anything that is just another best, better, best type of message. We really rack our brains to say our product and company are good without using words like best, first, leading, etc. I for one would welcome some integrity and responsibility in the messages that come out of the PR/marketing departments out there. As to what we are going to be announcing at Interop, sorry, you will have to wait until then to hear and see it. You can stop by our booth or follow it in the press. I can tell you that it is going to be big (don't believe the hype).

August 04, 2006

Remote NAC myths

Eric Ogren over at ComputerWorld has an article up today that says the right place for NAC is remote users. While remote users are an obvious starting point for NAC, I don't think it stops there. I think attacks, or more accurately security incidents, happen mostly as a result of devices already inside the network rather than from something penetrating the network. I don't think that most organizations really have their managed devices locked down 24/7, especially mobile devices that go on the road or home at night. I think the allure to Eric is that he thinks you can do the remote piece "without massive switch upgrade projects and modifications to your networking infrastructure, and gives the best return on your energy (ROYE)." Again, the answer here is maybe. I think Eric is thinking this is because you can do this as a simple bump in the wire or, in NAC terms, "in line". While this is a possible deployment scenario, it is not always the best way. It usually means you are talking simple layer 2 bridging, not layer 3. It also can mean that the in-line device is a potential point of failure, and you need to look at scalability issues. While Safe Access can be deployed this way, we do not recommend it for every remote scenario.

I think the biggest issue, though, is the agentless approach. While this seems the simplest, again it is not always the right way to go. First of all, Eric mentions some NAC solutions that do this agentlessly. One is InfoExpress. Unless their website is wrong and they have something new that I am not aware of, I do not believe they can check devices remotely without some sort of agent/client on the box. Also, Lockdown Networks uses Nessus to do the agentless scans. I have written lots on why Nessus is not the right tool for NAC (even though Nessus has released some audit and configuration scans, they are good for classic vulnerabilities, not NAC, and not in the time frames necessary for NAC). Even our own agentless approach is actually used more for remote users in a domain than for true unmanaged devices. We all would love to do this without any software being installed; I just don't know if it works and scales for every unmanaged situation. As we see more NAC deployments actually move forward, I think lessons like this will become more widespread.

August 03, 2006

Pay it forward tip of the day

Today's tip of the day is going to be another obvious one, as I am here at Black Hat, it is late and I am tired ;-). It is regarding OSes. No, I am not going to suggest you switch to a Mac, though the MacBook Pros are hot! But at this stage of the game there really is no reason you should not be running XP. If you are running XP, you should be running SP2 with Windows Firewall turned on (unless you have another personal firewall) and Automatic Updates turned on as well. Just enabling this across the devices on the network will make a huge difference.

August 02, 2006

Security tip of the day

My friend Michael at MCWResearch has come up with a "pay it forward" idea for bloggers to give a security tip a day for a week. Michael Farnum has joined in with his tip here. I wanted to join in with a quick tip. I am out here at Black Hat, so excuse the brevity. My tip for today is a simple one. Make sure you and everyone else in your company have your machines set so that a password is needed to unlock the screensaver. I can't tell you how many times I have walked into an office and seen confidential information displayed on screens with no one sitting at the desk. It is not hard to set this up, and it should be a company-wide policy that everyone has to abide by.
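The three settings in this tip and the one above it (a password-locked screensaver, Windows Firewall on, Automatic Updates on) are cheap to verify on the box itself, and a local check of this kind, rather than a remote vulnerability scan, is the "compliance with access policy test" the Ross Brown post further up argues NAC needs. The PowerShell script below is an added example, not StillSecure or Safe Access code. It assumes Windows with PowerShell available and the standard registry locations named in the comments; the 15-minute lock timeout is an assumed policy value. It only reads and reports, changing nothing.

```powershell
# Added example (not StillSecure code): read-only audit of the three workstation
# settings from the "tip of the day" posts. Assumes the standard registry locations
# below; the 15-minute screensaver timeout is an assumed policy value.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ScreenSaverLock {
    param([int]$MaxTimeoutSeconds = 900)   # assumed policy: lock within 15 minutes
    # Group Policy values under the Policies key override the per-user values.
    $policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $user   = 'HKCU:\Control Panel\Desktop'
    $s = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $v = Get-RegValue $policy $name
        if ($null -eq $v) { $v = Get-RegValue $user $name }
        $s[$name] = [int]$v                 # values are REG_SZ strings; absent -> 0
    }
    # ScreenSaverIsSecure=1 is the "password on resume" setting the tip asks for.
    $pass = ($s.ScreenSaveActive -eq 1) -and ($s.ScreenSaverIsSecure -eq 1) -and
            ($s.ScreenSaveTimeOut -gt 0) -and ($s.ScreenSaveTimeOut -le $MaxTimeoutSeconds)
    [pscustomobject]@{
        Check  = 'Screensaver requires password'
        Pass   = $pass
        Detail = "active=$($s.ScreenSaveActive) secure=$($s.ScreenSaverIsSecure) timeout=$($s.ScreenSaveTimeOut)s"
    }
}

function Test-WindowsFirewall {
    # XP SP2 introduced this location; later Windows versions keep it for every
    # profile. EnableFirewall=1 means that profile's firewall is on.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $state = @{}
    foreach ($prof in 'StandardProfile', 'DomainProfile', 'PublicProfile') {
        $state[$prof] = Get-RegValue "$base\$prof" 'EnableFirewall'
    }
    # Pass only if every profile present on this machine is enabled.
    $present = $state.GetEnumerator() | Where-Object { $null -ne $_.Value }
    $pass = (@($present).Count -gt 0) -and -not ($present | Where-Object { [int]$_.Value -ne 1 })
    [pscustomobject]@{
        Check  = 'Windows Firewall enabled'
        Pass   = $pass
        Detail = ($present | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
}

function Test-AutomaticUpdates {
    # The Group Policy location wins over the local one. NoAutoUpdate=1 disables AU;
    # AUOptions 3 = download and notify to install, 4 = download and install on schedule.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $loc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $disabled = Get-RegValue $pol 'NoAutoUpdate'
    if ($null -eq $disabled) { $disabled = Get-RegValue $loc 'NoAutoUpdate' }
    $opt = Get-RegValue $pol 'AUOptions'
    if ($null -eq $opt) { $opt = Get-RegValue $loc 'AUOptions' }
    # An absent AUOptions is reported as a failure so that it gets looked at. On
    # Windows 10 and later the local value is often unset because updates are on by
    # default, so tune this rule for your fleet.
    $pass = ([int]$disabled -ne 1) -and ([int]$opt -ge 3)
    [pscustomobject]@{
        Check  = 'Automatic Updates enabled'
        Pass   = $pass
        Detail = "NoAutoUpdate=$disabled AUOptions=$opt"
    }
}

function Invoke-EndpointAudit {
    # Returns the number of failed checks, so a logon script can treat a non-zero
    # result as "not compliant" the way an access-policy test would.
    $results = @(Test-ScreenSaverLock; Test-WindowsFirewall; Test-AutomaticUpdates)
    $results | Format-Table Check, Pass, Detail -AutoSize | Out-Host
    return @($results | Where-Object { -not $_.Pass }).Count
}

$failed = Invoke-EndpointAudit
Write-Host "$failed check(s) failed"
```

Each check returns an object with a Pass flag and the raw values it looked at, so a failing host shows why it failed rather than just that it did. The whole run is a handful of registry reads and finishes well inside the 5 to 10 second budget the NAC discussion above sets, which is the point: policy compliance is a small, deterministic test, not a scan.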

August 01, 2006

StillSecure VAM 5.5

(Warning: self-serving article to follow.) I wanted to write up a quick note to acknowledge that yesterday marked the release of our vulnerability assessment and management tool, VAM v5.5. From the outside there is not a lot of difference between earlier versions of VAM and this one. However, under the hood there are big differences. This version of VAM has been optimized for speed and scalability, especially in the scanning engine. VAM 5.5 represents our first release in optimizing and enhancing the base Nessus engine that VAM uses for vulnerability scanning (note: not NAC testing; our NAC product, Safe Access, uses a different engine). Users can expect to see improvements of up to 400 percent in scanning. The interface has also been made much snappier, with a 200 percent increase in responsiveness. VAM's vulnerability workflow engine is also greatly enhanced, including a newer, more powerful version of the MySQL database. We also made some significant improvements in the POV risk management module.

If you have an enterprise-wide need for complete vulnerability management, VAM is the perfect tool for the job. All of the developers and engineers on the VAM team have really pushed the envelope here to make this the best version of VAM and the best complete life-cycle vulnerability management platform available!

July 27, 2006

Friends (and co-workers) who blog

For a long time now I have been the only blog in town over at StillSecure (except, of course, for Ricky's Lunch blog). I am pleased to announce that my fellow StillSecure exec, Mitchell Ashley, has joined the ranks of bloggers and soon podcasters. Mitchell is our CTO and VP of customer experience. He has appeared on my podcast and has written a bunch of stuff in the past. Mitchell's blog is The Converging Network, and he will be writing about the ongoing convergence of security and networking, among other things. You can read his opening comments here and get in at the beginning.

Good luck with the blog Mitchell and we will all be reading!

July 06, 2006

Neumont University's 6 things you need to know about network endpoint security

Bert Latamore over at Computerworld has an article up where the director of IT at Neumont University (in South Jordan, Utah, for those of us who only know schools that make the NCAA March Madness tournament) gives his 6 things you should know about network endpoint security.  In the words of Mike Rothman over at