21 posts categorized "VAM"

September 27, 2008

Do you need a free vulnerability management solution?

Vulnerability management is still one of the most important things you can do to increase your security posture.  To many people vulnerability management means scanning for vulnerabilities or applying the latest patch Tuesday updates.  Of course there is much more to it than that.  Managing the complete lifecycle of vulnerabilities is the key to successful risk management in this area.  Whether PCI, HIPAA, SOX or just good old fashioned common sense is driving you to do it, vulnerability management is the right thing to do.

This week StillSecure announced the latest addition to our lineup of free security tools. VAM Lite is a freeware edition of our award-winning, enterprise-class VAM vulnerability management platform. VAM Lite has most of the features of the full VAM product but is limited to scanning just 100 devices and offers only our basic reporting package. Because you can only scan 100 devices, it does not support the distributed scanner architecture that full VAM does either.

If your organization can be covered by scanning just 100 devices, or if you just want to give it a try and, if you see the value, possibly upgrade to full VAM, download it from our site. It can run on a dedicated server or in a VMware environment as well.

If you like, try some of the other StillSecure freeware products like Strata Guard Free and Safe Access Lite as well.

October 23, 2007

It's that time of year again

Hands down the biggest security show of the year is RSA (most fun though is probably Black Hat, but that's Vegas). One of the highlights of the RSA show for me is going to the SC Magazine Awards show. It is a nice night, you get dressed up in a tuxedo, drink free and mingle with the industry. The guys from Haymarket and SC Magazine always do a great job. On top of this, unlike many other awards for sale, the SC Awards seem to be on the up and up. Over the years we have won once (Safe Access, best endpoint solution) and made the finals a bunch of times, but either way it is always a good time.

Well, though the awards (and the RSA show) have been pushed back to April (they usually are in February) this year, it is that time of year again. Voting for the SC Magazine Awards has begun! It seems like they have expanded the categories of Reader Trust Awards this year. These are the awards you can vote for. They have another set of awards that are selected by the judges. Here are the categories for the Reader Trust Awards:

Reader Trust Awards

All four StillSecure products are nominated.  Safe Access in the endpoint category, Strata Guard in the IDS/IPS, VAM in the vulnerability management and making its debut, Coba in best integrated security solution.  I would love to see all of my readers vote for the StillSecure products, but since many of you work for other vendors nominated, that probably won't be the case.  In any event, if you get a moment go vote for your own choices, but at least vote!

February 15, 2007

My SLA can beat up your SLA

My buddy Ross Brown (you know I really do consider Ross a buddy, having had a chance to get to know him in person at RSA, but that is another story) has an article up taking a shot at nCircle's 24-hour SLA. To tell you the truth, I was not aware of nCircle's SLA, but a long dormant brain cell in my head fired up something about me having written on this before. A Technorati search of my blog turns up that exactly one year ago, Feb 16, 2006, I wrote about last year's RSA and some of the SLAs and guarantees that were being offered. Besides showing that very little in security is ever really new, I thought even back then that SLAs in security seem to be long on marketing and short on real protection.

For the record, I agree with Ross, I think a 24-hour SLA is nothing to write home about. We, like eEye and, I am going to guess, nCircle and most other companies, do a good job of getting tests out for the new vulnerabilities (Ross, I don't think nCircle is putting out patches, but rather tests to see if the patch is applied or if the vulnerability is present) pretty quickly. Usually in just a few hours. However, when you are going to put your money where your mouth is, I think you tend to be conservative. The 24-hour SLA is not meant to be the normal expectation, but the worst-case scenario. Frankly, if you want to force nCircle to do better, come out with a better SLA that they will have to match to compete. Let me know when you do and we will look at matching it here. However, my question is this: Is anybody buying product based on this SLA? If the answer is no, who gives a hoot.

December 11, 2006

Vulnerability Assessment is dead, can I sell you a scanner?

Taking a page from the Richard Stiennon playbook, let me make an outrageous statement/prediction, that if it pans out will result in me being labeled a visionary (yeah right).  I say now that vulnerability assessment as it has existed for the last 5 or 6 years is dead!  I think everyone familiar with the VA market has been pussyfooting around this issue for a while now.  To understand why I say this, you need to take a look at the evolution of the VA market.

When StillSecure first entered the VA market back in 2002, the state of the art was that there were scanners out there that would scan your network for vulnerabilities and give you a report on what was found.  Players such as eEye and ISS sold commercial scanners and the open source Nessus scanner was by many viewed as the equal or superior of them. There was another category of vulnerability assessment that was performed via an agent like NetIQ and Pedestal Software (acquired by Altiris). Essentially, one was network scanner based, the other agent based but doing similar things.  The scanner based versions then matured to include distributed systems that allowed large enterprises to be scanned in a timely manner and centrally managed.

The next step in the evolution of VA occurred when some of the pure scan and report vendors started adding workflow and vulnerability management to the mix.  StillSecure's VAM and Foundstone were early entries in that space.  The next big trend in vulnerability assessment was its integration with other security and network management tools.  Integration with patch management, trouble ticket systems, asset inventory systems, network management, etc. began to integrate vulnerability assessment products into the larger fabric of IT management.  At the same time integrating and correlating vulnerability data with other security technologies also came into vogue.

The next big thing in VA was risk management/compliance (some might say it was all about risk management from the beginning). Expanded, customized reporting that allowed administrators to manage their risk month to month and generate reports for auditors, geared towards compliance issues, was a new way for VA to offer more value.

Over the past year, many have asked what is next for VA.  I think we are seeing the answer.  The answer is VA is morphing into security configuration management.  Ron Gula and the Tenable team have been pushing this with Nessus and their commercial products for a while now.  Now nCircle announces today their Configuration Compliance Manager.  At StillSecure we have had this ability for some time and our newer tests are more geared to this type of test and policies.  Our customized reporting lends itself well to this task. I am sure we will see the rest of the VA pack hopping on this bandwagon soon.

Why is vulnerability management in this torpid state and morphing into configuration management? There is no easy answer. First of all, even though it is not growing as fast as it was or as cutting edge as it was, it is still a widely deployed and used technology and will continue to be so for years to come. Much as IDS is dead, but alive and well in networks everywhere, vulnerability assessment will continue to live on. However, it has seemed to lose some of its appeal. The reasons for this are many. One is the natural evolution of the security market. Another is the basic fact that vulnerability assessment and the patch management market it works with is a hamster wheel game, a bad news generator. You scan, you find bad stuff, you fix, you scan again and again and again. Can you ever get out ahead with that strategy? I think the market is looking to break the cycle and find a more efficient way of dealing with the problem. In the meantime the security configuration management space is not an end game for VA, just another step on the road. The problem with using these tools for security configuration management is they do not have any enforcement or teeth. Unless combined with some sort of NAC solution (that is where this stuff is really going), configuration scanning is just good for generating reports. The market will demand action if these products are going to succeed. Look for that action coming soon.

At StillSecure we already have this.  We call it the policy driven network and we are implementing it with a large government customer.  This is the future of VA. In the meantime remember you read it here first, VA is dead!

November 20, 2006

StillSecure scores another Hat Trick

Well, SC Magazine has just announced the finalists for their Readers Trust Awards for this year. The winners will be announced at the SC Magazine award show at the RSA show in February. I am proud to report that for the second year in a row, all three StillSecure products made the finalists in their respective categories! For endpoint security, the category that Safe Access won for last year, we are in a tough fight with Lockdown Enforcer, Mirage Networks NAC, Senforce ESS and Safend Protector. Tough competition and it should be interesting!

Now I know some (Rothman) have said, bah humbug to these awards.  In fact, I myself have taken to task some of the awards in the past.  However, my problem with some of them, is that you can buy them, as in the case of the InfoSecurity Products Guide. There you can create your own category and no one else can compete in that category.  Mike points out correctly, that in SC Magazine there is a fee to nominate your product.  But from there it depends on reader voting to make the finals.  My understanding is that once you are in the finals, it then is up to a panel of judges to pick the winners.  I just think it is a much more legit way of doing these things. Hey, if we don't win anything, I may have another opinion ;-)

November 10, 2006

PCI compliance tools

As Mike Rothman points out, I am a vendor (actually Mike, I just work for a vendor), so I walk a thin line when it comes to competitors' products. Make no mistake about it, I am partial to StillSecure products. However, over the months on this blog I have tried to give credit where credit is due. On that note, I wanted to talk a little about PCI compliance. Actually we have been doing a lot with all of our products to help our customers to comply with the various PCI standards. You can read all about it here. Be sure to check out the matrix that shows how each StillSecure product helps with what specific provisions of the PCI regs. Next week we should be announcing some more news around how we can help with PCI.

To be fair, I want to point out a new service Qualys has come out with aimed at SMB/SME merchants who have to generally perform self-tests for PCI compliance. Called QualysGuard PCI, it is a pretty slick all-in-one solution for complying with the vulnerability assessment and reporting requirements under PCI for some of the lower volume merchants. You can see a good flash demo of it here. Now, while I think there is more to PCI compliance than just vulnerability management, I am happy to see these types of solutions coming to market. Competition being what it is, it will drive the whole market to go one better and the eventual winner is the end user customer who gets a better product.

October 11, 2006

The future of Vulnerability Management

Ron Gula of Tenable Network Security hosted a webinar yesterday on the future of vulnerability management. It was an excellent webinar that really started me thinking on what my own views are regarding the future of vulnerability management. Many of the observations Ron made were in sync with our own experience here at StillSecure. We see vulnerability management as undergoing a very profound change in the market and as security vendors it is important that we recognize this to stay current and relevant.

To understand where the market in vulnerability management is going, I think you have to look at where it has been. At StillSecure, our VAM product has been in the market since September of 2002. We have seen many changes in the market since then and like to think that we helped bring many of them about. So for a moment, let's go back to those dark days right after 9/11/01 when our ideas for VAM were being formulated (VAM has nothing to do with 9/11, I just remember us working on the idea around that time). At that time vulnerability management really meant scanning and reporting. Generally a vulnerability scan was done, usually manually once a year or maybe twice a year. A report was generated showing all of the vulnerabilities found. This was usually put into a spreadsheet that someone was then responsible for tracking. You had to track down and filter out the false positives and see if you could fix the real vulnerabilities. I always say it was a form of job security, similar to bridge painters. By the time you got done painting the whole bridge from start to finish, it was time to start painting again. Same with vulnerability management. By the time you remediated the last vulnerability on the report, it was time to run a vulnerability scan again.

We saw two things that were critical to the process that were missing. One was the automation of network discovery and vulnerability scanning. The second was a closed loop process to manage the remediation process through discovery to confirmation, repair assignment, verification of repair and reporting. When VAM came out in Sept. 2002, this was pretty cutting edge. Most of the competition were just manual scan and report. Over time much of our competition has caught up and today there are several good VM commercial solutions available. The next evolutionary step we saw in VM was integration. VM is very much an enterprise problem. As such it does not exist in a vacuum and works with and is intrinsically linked to other security and management processes and applications. Therefore in order to be successful a VM tool has to be able to leverage your existing investments in systems for patch management, trouble ticketing, network management, configuration management, etc. Again, we came out with this years ago as an enterprise integration framework. Today, most good VM solutions have published APIs and integration into systems such as those above.

Another key evolutionary step was correlation. Actually, the folks at Tenable jumped on this one early on. Much of the correlation has to do with correlating vulnerability data with IDS/IPS data or syslog files. This sort of crossed the line into SEM or SIM territory, but the key for me is what action is taken as a result of the correlation. Correlation for correlation's sake alone is not enough, it must be actionable. We took a slightly different tack, in that we import vulnerability data directly into our IPS so it can take action accordingly. Again, today several of the leading VM solutions perform some correlation with IDS/IPS and other systems.

So what is next? This is why I asked Ron to sit in on his webinar. I think to a certain extent the VM vendors themselves are asking themselves the same question. A couple of things are apparent. First of all the reporting function has grown tremendously. Today reporting is really about risk management. Like our own Security POV module for VAM, reporting-risk management has to be able to show with historical context how the enterprise is faring with managing the risk of vulnerabilities. Reporting has to be tailored for compliance issues such as SOX, PCI, FISMA, etc. Different reports need to be generated for different levels of the organization (CIO, auditors, sys admin, etc.). Reports have to be generated on the fly and delivered automatically to the relevant parties. What else is needed? NAC has certainly influenced VM. In fact NAC in some ways is real time actionability with VM. Instead of testing on a pre-determined or random schedule, now devices can be tested whenever they log on (though a NAC policy test is and should be very different than a vulnerability scan). I think correlation and interoperability of NAC and VM systems will become more prevalent. Expect something from StillSecure soon on this. Configuration Management is another one. The scanning and patching game is to some extent like chasing your tail. You never quite win. Better to be proactive with configuration management. Is patching the right way? With so many vulnerabilities and patches constantly flooding us, is there another way?

We could go on for longer on this and I welcome your comments and thoughts. I do know that we have not seen the final chapter in the evolution of vulnerability management and I am looking forward to what else will come down the road. BTW, Ron is doing a few more webinars on VM.  You can find out about them at the Tenable site.

August 28, 2006

IBM/ISS, what fits and what doesn't according to Gartner

As I wrote about when I first heard about the IBM/ISS deal, the ISS MSSP and services piece make a lot of sense for IBM. I was less sure about what IBM's intentions were regarding the network security software that ISS develops. This weekend I saw an unusual Google Alert on a first take on the deal from no less than Gartner. They usually don't give advice out for free to non-customers. Anyway, their take on this is similar to mine. They think the service elements of the acquisition are a nice fit, but that the network security product offerings are "less well-suited to IBM's market approach". They distinguish between host-based offerings like Proventia desktop, which they see combining with Tivoli, versus network based stuff like Proventia IPS and Internet Scanner.

So what does this mean?  Depends who you are I guess. If you are a network security vendor like StillSecure who competes with ISS, I would be going after every deal where ISS is involved and mailing this link out. I think the FUD arising out of this Gartner warning will make it very difficult for the ISS sales team over the coming months, at least until the dust settles.  If you are an ISS customer or contemplating buying an ISS network security product, I guess you have to factor in what does the future hold for this product on a go forward basis. If you are an ISS salesperson, I would have the answer to this down pat and hit it head on.  Even so, it will be something they will have to deal with. So it looks like ISS's good news in this acquisition, might translate into good news for competing security vendors as well.  As I said earlier, time will tell.

August 16, 2006

People in glass houses, ....

Filed under the "people in glass houses shouldn't throw stones" banner comes this tidbit from Brian Krebs at the Washington Post. It seems a Russian security blog by Valery Marchuk, http://www.securitylab.ru, has posted a list of sites that have vulnerabilities around cross-site scripting flaws. These vulnerabilities make it easy for phishers and other hackers to use these URLs in scams to get people to give up their legitimate personal and financial data. Lo and behold, among the sites listed is none other than eEye Digital Security. For those who may not know, eEye is a company that has made their bones by exposing vulnerabilities in other security companies' products. You can read more about it (if you read Russian) here. I wonder what their Chief Hacking Officer is going to say about this.

By the way, eEye was not alone, other sites and companies including Verisign, Cisco, Snort.org and even the NSA were listed as being guilty of the above.  Scary stuff!

August 15, 2006

Who's afraid of the big bad worm (or the death of security as we know it)

Last week saw the "security pundits" ringing the alarms about a major worm attack on its way exploiting MS06-040. I envisioned the next blaster/slammer wreaking havoc with our networks and computers. Frankly as evil as it sounds, it's good for business (hey, I'm a vendor), and generally serves to refocus our attention and companies' budgets on getting real about security.

After reading stuff like Mike Murray, director of vulnerability management over at nCircle, in an article in Information Week, say, "And no, this isn't an overreaction. We've always said that some day there would be another big, serious vulnerability. Well, this is the one." Then having DHS (someone should tell the guys at Information Week that it does not stand for Department of Homeland Defense) issue a US-CERT warning encouraging everyone to patch this. Microsoft told us to give this one a top priority. HD Moore made his exploit public showing it could result in a DDOS attack. Murray over at nCircle further said, "It's only a matter of time or luck before this turns into the scale of MSBlast. Essentially, every Windows system is vulnerable. This is one of those worst-case 'pull the plug on the Ethernet cable' events." I was pretty confident that we were going to have some trouble. So here we are on Tuesday, the sun still came up, the Internet is still working and I have not seen any reports of a major worm outbreak. Is it too soon? They said we should see something in 2 to 4 days. There have been reports of a botworm out that does exploit this, but it has not become a slammer/blaster type of event. Why? Is everyone already patched against it? Are we ever really going to see another major outbreak of a mass market attack like we did in the past? In my opinion the answer is no. I think the reasons for this are several. Here are the top ones in my mind:

  1. Who wants to create a mass exploit? People hack for profit, not for fun - In the past the kiddie scripters or people who wrote these worms for kicks were the main enemy.  After a few people getting arrested for this, maybe the air has gone out of that balloon. The real reason though, is where is the money in it. In the immortal words of Cuba Gooding, Jr. in Jerry Maguire, SHOW ME THE MONEY! Putting out a mass market worm like this does not make the worm writer any money (unless he does the talk show circuit after he gets out of jail). We have moved beyond people hacking for fun and kicks to people hacking for profit. Today's attacks are targeted at specific targets which yield financial gain.  Whether you subscribe to the cyber-mafia theory or not, there is too much money in play and hackers now will use a valuable exploit like this to maximize their profit, not waste it on a mass market attack. 
  2. We have gotten better at finding, patching and warning on this stuff. There is no doubt that with the regular Patch Tuesdays from Microsoft and the proliferation of vulnerability management and patch management programs, as well as SP2's automatic updates, on the whole computer users are much more protected against known vulnerabilities like this than they were a few years ago.

So what does this mean for you as a computer user and me as a security vendor? Well, it does not mean that we let our guard down for one. We have to continue to do the right things. Stay on top of patching, vulnerability management done in a systematic way, prudence in opening unknown files and attachments. Basically doing the types of things we have grown accustomed to. However, for the security industry, I think we need to move beyond defending and planning to contain the next mass market worm outbreak. We have to zero in on targeted cyber-criminals stealing and hacking for money. That is the next battle ground. We cannot rest on our laurels on fighting the kiddie scripters, that frankly was child's play compared to what we have to combat now.

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.

Forbes.com

  • Find the best blogs at Blogs.com.

StillSecure, After all these years, the podcast

Currently Reading

Read Recently

  • Thomas L. Friedman: Hot, Flat, and Crowded: Why We Need a Green Revolution--and How It Can Renew America

    Thomas L. Friedman: Hot, Flat, and Crowded: Why We Need a Green Revolution--and How It Can Renew America
    The most important thing you are going to read this year. How America finding its way can lead the world in solving the critical problems facing us all. (*****)

  • Nelson DeMille: The Gold Coast

    Nelson DeMille: The Gold Coast
    I never read anything be DeMille before. I needed to read something on a plane trip and it was about Long Island. What have I been missing all of these years! A great book. Not really heavy but great mental floss. I can't wait to read the sequel. (*****)

  • Jack Whyte: Standard of Honor (A Templar Novel)

    Jack Whyte: Standard of Honor (A Templar Novel)
    The master of the Templar novels. Whyte transports you back to Crusades. The factions, the characters and the plots keep you locked in from the first page to the last. (****)

  • Harry Turtledove: Settling Accounts    In at the Death (Settling Accounts)

    Harry Turtledove: Settling Accounts In at the Death (Settling Accounts)
    This is the final saga in this master alternate history. It is WWII all over again except the US is fighting the Confederate states, while England and France fight Germany , a US ally. All of the parties are racing to create an atomic bomb. The one who makes it first could rule the world. Great alternate history by the master of this genre! (****)

  • Kevin J. Anderson: Metal Swarm (The Saga of Seven Suns)

    Kevin J. Anderson: Metal Swarm (The Saga of Seven Suns)
    Has it been 7 years since this series started? Anderson has created a deep rich universe that rivals some of the greatest ever done in SciFi. There is one more book left for this series, though word is Anderson may revisit the universe in the future. This episode brings the surviving characters on a collision course that will determine the future of the universe. On its own, its a fair book, but as another step in the series it continues the story along nicely! (***)

  • David Gibbins: Crusader Gold

    David Gibbins: Crusader Gold
    A Dan Brown like plot, I didn't realize this was a sequel to an earlier book, Atlantis. I don't think this is anywhere near as Brown's but it is good reading for the plane. (***)

  • Orson Scott Card: Invasive Procedures

    Orson Scott Card: Invasive Procedures
    A medical mystery involving gene therapy and run away virus. So far it looks much better than the Crichton's Next. This is actually based on a short story by Card from a while back and then a screenplay written based on it. Good reading! (****)

  • Todd J. Mccaffrey: Dragonsblood (Pern)

    Todd J. Mccaffrey: Dragonsblood (Pern)
    After reading some of the heavy stuff I have recently, I picked up some brain floss. Returning to Pern and the world of dragons. This is by Anne's son Todd. It was good to get back into the Pern world, but this was not one of the best in the series. (**)

  • James Carroll: Constantine's Sword: The Church and the Jews -- A History

    James Carroll: Constantine's Sword: The Church and the Jews -- A History
    Looks like a book I will learn a lot from. It is long, but than again it covers two thousand years. Will be interesting to see what I say when I finish. (****)

  • Conn Iggulden: Genghis: Birth of an Empire

    Conn Iggulden: Genghis: Birth of an Empire
    I have always been drawn to stories of Genghis Khan. How was he able to take a primitive people and conquer most of the world? What did the Mongol culture have that enabled this. This is the first of a trilogy on the life of the great Khan. It is great, easy reading and gives a great picture into the life and times of GK. (****)

  • Wilbur Smith: The Quest

    Wilbur Smith: The Quest
    Smith has an amazing ability to transport you back to ancient Eygpt. I have read several of his novels about Eygpt and am always totally absorbed from the very first pages to the end. (****)

  • Jeff Shaara: The Rising Tide: A Novel of World War II

    Jeff Shaara: The Rising Tide: A Novel of World War II
    Great historical novel about WWII. North Africa and Sicily campaigns come alive. You feel like you really are getting to know Ike, Patton, Rommel and the rest. (****)

  • Dale Brown: Strike Force: A Novel

    Dale Brown: Strike Force: A Novel
    Another great book by Dale Brown. Iran is getting help from Russia and the Iranian monarchy is trying to overthrow the theocracy. Dreamland's super weapons to the rescue! (****)

  • Christopher Moore: Lamb: The Gospel According to Biff, Christ's Childhood Pal

    Christopher Moore: Lamb: The Gospel According to Biff, Christ's Childhood Pal
    The Gospel according to Jesus's childhood pal, Biff. Need I say more. Actually pretty funny stuff. (***)

  • David Weber: Off Armageddon Reef

    David Weber: Off Armageddon Reef
    Aliens have destroyed humanity. A small isolated colony has been hidden to grow into a new human empire, but they are robbed of the knowledge of their inheritance. A religion based on keeping the people in the dark about their legacy controls the world. Great reading, good fantasy (****)

  • Michael Chabon: The Amazing Adventures of Kavalier & Clay

    Michael Chabon: The Amazing Adventures of Kavalier & Clay
    Brad Feld gave me this book. It is a Pulitzer Prize winner from the author of the Yiddish Policemens Union. This book is even better. Funny, yet biting it brings the horror and excitement of WWII to life through the eyes of a jewish refugee from Prauge and his cousin from Brooklyn. All about the comic book industry and real life tragedies and love. Worthy of all the praise and awards! (*****)

  • W. Michael Gear: People of the Nightland (First North Americans)

    W. Michael Gear: People of the Nightland (First North Americans)
    I have read almost every book in this series of paleo Indians by this husband/wife team. I don't know what it is, but I love hearing these stories based upon Native American legends and myths. (***)

  • David Michaels: Tom Clancy's EndWar (Tom Clancy's Endwar)

    David Michaels: Tom Clancy's EndWar (Tom Clancy's Endwar)
    A new series inspired by Tom Clancy and based on a game. It is WW III, Saudi Arabia and Iran have exchanged nukes and the Russians are fighting the US and Euros. Not up to Clancy himself standards, but a good airplane read. (***)

  • John Grisham: The Appeal

    John Grisham: The Appeal
    A new legal thriller from Grisham. Does anyone do these better? It started right up from the get go and holds the reader captive. Without giving away the ending, Grisham brings the end of this book home to today's political climate. (****)

  • Gary Jennings: Aztec Rage (Aztec)

    Gary Jennings: Aztec Rage (Aztec)
    A continuation to the series started by the late Jennings. Not quite as brilliant as the first novel, but it is fairly faithful to Jennings style and continues the history of the Aztec/Spanish mix that becomes Mexico. (***)

  • Stephen Baxter: Navigator: Time's Tapestry, Book Three (Time's Tapestry)

    The 3rd in this alternate history series by Baxter. I am still waiting to see what is alternate about this history. Alternate or not though, Baxter is a master storyteller and it is a pleasure to read. (****)

  • Harry Turtledove: Opening Atlantis

    The first in a new trilogy by the master of alternate history. In this series there is an 8th continent between Europe and America called Atlantis. How it affects the unfolding of world history will be the subject of the series. So far it is pretty interesting. (***)

  • John Grisham: The Innocent Man: Murder and Injustice in a Small Town

    This is a non-fiction book but reads like lots of Grisham's legal thrillers. After reading this book it is hard to think that the death penalty can be enforced in this country without innocent men being executed. It also makes you think Oklahoma is just not a great place to be living in. (***)

  • David Michaels: Tom Clancy's Splinter Cell: Fallout (Tom Clancy's Splinter Cell)

    I really like this series and its hero Sam Fisher. Based on a video game, the author has done a great job making Sam Fisher a real person. In this one Sam is chasing his brother's killers who are involved in nuclear terrorism in the former USSR.

  • Michael Crichton: Next (Harper Fiction)

    Everything comes together a little too coincidentally, but it shows us what can happen with gene science gone mad. (**)

  • Raymond Khoury: The Sanctuary

    I liked his Templar book so thought I would give this one a try. Set in 1700's Europe and modern day Iraq and Lebanon, it is a good thriller. (***)

  • Stephen Baxter: Conqueror: Time's Tapestry Book Two (Time's Tapestry)

    Book 2 in the Time's Tapestry series, it is a great historical novel of post-Roman Britain. I am just not sure what the alternative history is here. It seems pretty much as I remember learning it. (***)

  • John Grisham: Playing For Pizza: A Novel

    Another one of Grisham's easy reading non-legal thriller kind of books. A disgraced NFL quarterback goes to play for pizza in Italy. (***)

  • Harry Turtledove: The Grapple (Settling Accounts, Book 3)

    Somehow I am on book 3 of this series. I read book 1 and 2, but did not write up the review of 2. Anyway, in book 3 the tide turns against the CSA and for the USA. Great alternate history of WW II (***)

  • Bill Bryson: The Life and Times of the Thunderbolt Kid: A Memoir

    I was looking for something light on a trip back home. Though I am a bit young (believe it or not) for a lot of this and did not grow up in the Mid-West there are some things about growing up that are universal. Very funny book! (****)

  • Dale Brown: Dale Brown's Dreamland: Retribution (Dreamland (Harper Paperback))

    One of the better ones so far in this series. Lots of cool weapons and sinister bad guys. (***)

  • Thomas L. Friedman: The World Is Flat: A Brief History of the Twenty-first Century

    Finally it comes to paperback and a new updated edition at that! For some reason I never read this bible of our brave new world. So much of it now seems obvious, but there is still much to learn here. (****)

  • Brian Herbert & Kevin Anderson: Sandworms of Dune

    Finally! All of your questions around Dune are answered. The fate of the Universe and the Tyrant's Golden Path is revealed. Every Dune fan should read this one to tie up the loose ends. Also reading Herbert and Anderson's prequels to the original series will help. (*****)

  • Jack Whyte: Knights of the Black and White

    I don't know what it is with Templars, but I am fascinated by the story. This is a good one and looks like the start of a series. I recommend it! (****)

  • Patrick M. Lencioni: The Five Dysfunctions of a Team: A Leadership Fable

    Got this book from Mitchell. It is a quick read and offers some excellent insight into how a real team can function allowing for the free flow of information and exchange of ideas in a healthy and productive way. Great read for anyone part of an executive team. (****)

  • Harry Turtledove: Return Engagement (Settling Accounts Trilogy, Book 1)

    The start of WW II in the alternate history series by Turtledove. The CSA gets off to a quick start against the USA. (***)

  • Michael Chabon: The Yiddish Policemen's Union: A Novel

    Full of Yiddish sayings, this alternate history of post-WWII Jews is both funny and sad. A good read wrapped in a detective story whodunit. (***)

  • Dale Brown: Edge of Battle

    Dale Brown does better when doing battle with other superpowers, not drug smugglers, terrorists and tackling topics like immigration reform. I love his action and technology, but didn't like the subject matter. (**)

  • Kevin J. Anderson: Of Fire and Night (The Saga of Seven Suns, Book 5)

    This one clears up a lot of the plot lines from the first four books in a neat bow. However, just when you think the end is near, a new twist comes along that has you waiting for the next book. A big time scifi epic! (****)

  • Kevin Phillips: American Theocracy: The Peril and Politics of Radical Religion, Oil, and Borrowed Money in the 21st Century

    This can be dry and slow reading, but will open your eyes to what is really going on here. Phillips, a former Republican strategist, lays out a strong case on how oil, religious wars and debt are driving America away from world leadership. (****)

  • Raymond Khoury: The Last Templar

    Another book on the long lost secret of the Templars, which can bring the Church to its knees. It was a good thriller. All of these DaVinci Code spawn are starting to run together in my mind. (***)

  • Harry Turtledove: American Empire: The Victorious Opposition (American Empire)

    Turtledove is the master of alternate history. Many other SF writers are trying this genre, including Card and Baxter. In this one, the Confederate States of America takes on the role of the Nazis in pre-WWII. Good read. (***)

  • Steve Berry: The Templar Legacy: A Novel

    A DaVinci Code type of novel, with the recent press and controversy around the tomb of Jesus being discovered, this one became more real from it. A good read. (****)

  • Steve Berry: The Third Secret: A Novel of Suspense

    A love story of a priest, a pope and the woman they loved. Wrapped around a quest for the missing 3rd secret of Fatima and an anti-christ potential new pope. Good story (***)

  • Tobsha Learner: The Witch of Cologne

    A little slow moving at first, it picks up steam midway through. A tale of the end of the inquisition and the beginning of modern Europe. This is the backdrop of a forbidden love between a Kabbalah trained midwife and her inquisitor priest. It did get you into the plot. (****)

  • Mark Winegardner: The Godfather's Revenge

    Another follow on authorized by Mario Puzo's estate. This fills in the time between Godfather, Part 2 and Part 3. With the characters from the original, it can't help but be good. (***)

  • Orson Scott Card: Empire

    It's the red versus blue states, urban versus rural, neo-cons versus the far left, in this American Civil War II. A little far fetched, the treachery though kept you guessing who and what was really behind it. (****)

  • James Patterson: Honeymoon

    My first Patterson book. I don't usually go in for this type of thriller, but I was getting on the plane in 5 minutes and had to have something to read. I finished it in just a few hours, it was pretty good. (***)

  • Stephen Baxter: Transcendent (Destiny's Children (Paperback))

    The third in the hive series by Baxter. It has his usual long historical sweep between the near and far future. Good hard core sci fi. (****)

  • David Michaels: Tom Clancy's Splinter Cell: Checkmate (Tom Clancy's Splinter Cell)

    This series based on a PC game (corny isn't it) has actually turned into one of the better Clancy series out there. It is number 3 in the series and was pretty good. (***)

  • Dale Brown: Dale Brown's Dreamland: End Game (Dreamland (Harper Paperback))

    Another in the Dreamland series by Dale Brown. It started off a bit slow, but revved up to the usual Brown level of thriller. (***)

  • Eric Flint: 1812: The Rivers of War

    A good alternative history of the War of 1812 and the role of the Native Americans. The alternative perspective is allowing the Cherokees a planned retreat West and sparing them the Trail of Tears. (***)

  • Harry Turtledove: End of the Beginning: A Novel of Alternate History

    The great sequel to an alternative history where the attack on Pearl Harbor is followed by an invasion and conquest of the islands. Now we take them back with a vengeance. (****)

  • Mitch Albom: For One More Day

    Like all his books, this one will make you laugh a little, cry a little and think a lot. This particular story was a bit close to home for me. It is a quick read. (*****)

  • Eliyahu M. Goldratt: The Goal

    A great book to make you think about managing a business in a new way. I highly recommend it to anyone interested in how to measure and effect efficient production (****)

  • Brian Herbert: The Road to Dune

    Sort of like viewing the bonus features on a DVD, only the most hard core Dune fan is going to appreciate this. Stuff that wasn't good enough for the originals put together here. (**)

  • Brian Herbert: Hunters of Dune (The Dune Series)

    OK, the son is not the father (talking about the authors, not the characters), but this is based on his outlines and haven't you always wondered who the outside enemy was? This is chapter 7 of Dune and if you read the others, you have to read this. (****)

  • Harry Turtledove: Days of Infamy

    I love Sci Fi and Historic novels. So I am drawn to alternate history. This one involves the invasion of Hawaii after Pearl Harbor. Of course it will change the course of WW II, at least for a little while before the inevitable. (***)

  • Dan Simmons: Olympos

    Great conclusion to Ilium. This book ties up the varied stories of both books into one story line. A vast saga, I think this may be his best yet! (****)

  • Jeffrey Anderson: Second Genesis

    Great story on genetic manipulation, stem cells, medical ethics and just a great thriller. I really liked this book about genetically enhanced chimps. (****)

  • Chris Stewart: The Fourth War

    With everything going on in the Middle East, this one got a little too real. Pakistani nukes are up for grabs. The Israeli Shin Bet and US CIA try to get to them before an Al Qaeda type of organization can get their hands on them. Scary stuff! (****)

  • David McCullough: 1776

    McCullough is a master of well researched history. This is just about the first year of the revolution and puts you in the middle of the pivotal events. (****)

  • Kevin J. Anderson: Scattered Suns (The Saga of Seven Suns, Book 4)

    After my last two books, it was time for something a little lighter. This is book 4 in a grand SciFi space saga. Lots of characters and plots, good reading. (****)

  • Karen Armstrong: A History of God: The 4,000-Year Quest of Judaism, Christianity and Islam

    A great historical look at the evolution of our concepts and beliefs in God, primarily from the Judeo-Christian-Islam perspective. However, other philosophies and religious beliefs are discussed as well. It is very heavy on philosophy and mysticism. You need to think with this book. (****)

  • James Bradley: Flag of our Fathers

    A detailed personal look at the 6 Marines in the famous Iwo Jima flag photo, written by the son of one of them. The loving attention to these American heroes is well deserved. (****)

  • Arthur C. Clarke & Stephen Baxter: Sunstorm (A Time Odyssey)

    A sequel to their first book together, A Time's Eye, this is hardcore SF at its best. The story revolves around the inner workings of the sun and the catastrophic results to Earth and humanity if any minor deviation of the Sun's energy output were to take place (***)

  • Edward Rutherfurd: The Rebels of Ireland : The Dublin Saga

    Another great book by the master of historic novels. He may even be better than Michener. This is the sequel to The Princes of Ireland and is even better than the first. (*****)

  • Stephen Baxter: Exultant (Destiny's Children (Hardcover))

    A grand sweeping space saga of the type that Baxter is known for. This one covers from before the big bang to the early history of our universe and such hard science topics as dark energy and dark matter. Great book! (****)

  • Peter F. Hamilton: Judas Unchained

    The sequel to Pandora's Star, this book had almost too many sub-plots. It made it difficult to follow sometimes. The story that had so much promise in Pandora's Star, really seemed to just never get off the ground in this one. Not one of my favorite Hamilton books. He can be up and down like that. (**)

  • Dan Brown: Digital Fortress : A Thriller

    For some reason I thought his other books were not going to be as good as Da Vinci and Angels & Demons. No religious theme here, but a good thriller with lots of twists to keep you on the edge. (****)

  • Steve Perry: Tom Clancy's Net Force 10 : The Archimedes Effect (Net Force)

    This series used to be pretty good reading. Lately it is just not as good. It is OK to pass the time though. (**)

  • Troy Denning: The Swarm War (Star Wars: Dark Nest, Book 3)

    Set after the New Jedi Order series, good filler for trying across the country. (**)

  • Joseph J Ellis: His Excellency

    Good biography on Washington, by one of the masters of revolutionary war history. (****)

  • Michael Crichton: State of Fear

    Great book about the environmental movement. Crichton has another thriller, but this will make you think about your views on global warming, the media and other environmental issues (****)

  • David Michaels: Tom Clancy's Splinter Cell: OPERATION BARRACUDA

    Based on a video game (yeah that's right), this series is actually pretty good. Makes for good airplane reading. (***)

  • John Grisham: The Broker

    I had low expectations but this book really hooked me. I was over 200 pages in before I took a breath. The end was sort of rushed, but I enjoyed this book. He is a master storyteller. (****)