63 posts categorized "vulnerability management"

May 20, 2009

Managed Vulnerability Management

Is that one management too many? Yesterday StillSecure announced that we were rolling out a managed vulnerability management service based around our VAM vulnerability management product. Why a managed vulnerability service versus the SaaS model that is all the rage? Simple: for a large percentage of our target customers, just having a vulnerability scanner and server hosted is not enough! They need help through the whole lifecycle of vulnerability management. They need help in determining what assets to scan: why, what, when and how to scan. They need help with what to do with the results and, most importantly, they need help to assess their risk and take appropriate steps. Traditional vulnerability management products and SaaS solutions just don’t do it for them.

On the other end of the spectrum, security consultants can come in and give a point-in-time assessment. However, because they are generally one-time scans, they lack the continuity to give a complete vulnerability lifecycle perspective. So we think the idea of a managed vulnerability management service is one whose time has come! Let's see what the market says.

May 05, 2009

McAfee sites vulnerable to cross-site scripting

Now this is scary and gives new meaning to the “physician, heal thyself” quote. It seems that the company that tries to be everything security to everyone is itself vulnerable to several XSS exploits. The folks over at ReadWriteWeb detail more than one McAfee site that appears to be easily compromised.

Besides being hugely embarrassing, one has to wonder whether the McAfee technology is just so useless that they did not pick this stuff up with a simple scan, or whether they were so arrogant that they did not even use their own products to check these web sites before putting them up. Either way, you have to ask yourself if this is the company you want providing your security.

April 02, 2009

Just what the security industry needs

So we all woke up today and the world was still here. In fact the market is even up as I write this. So was all of this Conficker stuff much ado about nothing? Maybe, maybe not, but it has certainly captured the imagination of the mainstream media and the public. More importantly, it has given the security industry a much needed shot in the arm. I have not seen such buzz and working together in a long time. Kudos to Dan Kaminsky and my friend Rich Mogull for facilitating a lot of that.

A good old fashioned worm is just what NAC was designed to stop. This could turn out to be a really big boost for NAC vendors. Alas, it may come too late for some. I heard yesterday about yet another round of RIFs at a NAC vendor based up in the Northeast.

Here is a roundup of some other security industry – Conficker news:

1. eEye back to their old ways – Remember when eEye would always release a free scan for whatever the fear du jour was? I haven’t seen them do that in years. But they released a free test for Conficker yesterday. I wonder how many people will download it. Ross Brown used to tell us; not sure if we will find out now, but it was nostalgic to see.

2. McAfee fails the Conficker test. Good blog on ZDNet by Ed Bott on what McAfee did wrong with Conficker. I don’t see where their NAC can do anything about it.

3. Bill Brenner applauds the industry. Bill has a good article up on CIO Online commending the whole industry for not overreacting to Conficker and acting reasonably for a change.

In other news:

4. Symantec dealing with its own security incident. Oh, the irony! What does it say when your security company loses the credit card numbers? Tsk, tsk.

5. Please tell me you're just stupid. This article in SDTimes by David N. Kleidermacher asks whether the failure to code more secure apps and operating systems, as well as to adopt better security practices, is the result of apathy or ignorance. Probably a little of both. But I think most of it comes down to coin operation. Put the incentives in place and people will do things more securely.

That's it for now, have a great day!


March 10, 2009

Spring Ahead - March 10 2009

Well, this weekend was the start of daylight saving time. I always think of it as spring ahead, as opposed to fall back. It usually takes me a good week to get used to being an hour ahead. But are you really an hour ahead? Yes, it is still dark when many of us get up and it stays light longer in the evening, but do you think of it as being an hour ahead? Maybe you should. What is so bad about thinking of getting out ahead of things? Nothing at all. Especially in security, so much of what we do is reactive, after the fact. Maybe a good security strategy would be to spring ahead: get out ahead of the security issues before they become incidents or big problems. Why not make that a mantra? The clocks have been set ahead; try to stay ahead of the bad guys yourself and enjoy the extra daylight at the end of the day!

Have a great day.

An IF-MAP in Juniper’s future? – Juniper updated their NAC solution yesterday for the first time in 2 years. It seems like the big news is that NAC is now part of the fabric because it can interact with other security technologies using IF-MAP, the Trusted Computing Group’s standard for data sharing. Of course the problem is that it takes two to MAP. If other products don’t support it and use it, Juniper by themselves is not going to do it. What does it give you, you ask? Well, Juniper says, according to this article by Sean Michael Kerner, that now you can enforce quarantine and NAC after a device has been on the network. I say BFD to that; most NAC solutions have some sort of post-connect capability already (except Cisco, of course), so Juniper is just playing a bit of catch-up there. But at the end of the day Juniper is all about beating Cisco, so I guess that is what counts!

eEye’s any means possible – Those wild and crazy guys at eEye (they have not been as wild and crazy lately, frankly) announced a new service yesterday based on services they have been providing for years (according to them, anyway). It is a super-penetration testing service called any means possible. Based on eEye research and super hacking techniques as well as social engineering, the eEye team seems to be going whole hog into services. I don’t have a problem with it, but what does that mean about its commitment to Blink endpoint security, not to mention the forgotten Retina/REM suite? Maybe the products are not paying the bills and the any means possible name refers to eEye’s determination to keep the lights on? In this economy no one is immune!

PCI sends two QSAs to the principal’s office – Martin reports on an article in TechTarget about two QSAs who have been called out by the PCI council about their PCI auditing. OK, so they are going for a proctology exam. Are they being made examples of as a warning to other QSAs, or is this the start of the PCI council getting more serious about enforcing standards around the huge infrastructure they have fostered? I have a great PCI podcast panel being scheduled now; we will be discussing this very topic, so stay tuned!

March 05, 2009

What's so funny about working in the channel?

Today’s lesson comes courtesy of my friend JJ. For those who don’t know, JJ was born and raised around her parents’ integrator business down in North Carolina. Yesterday JJ sent out this very funny video she found based on the “what do I want to be when I grow up” theme. There is some mildly offensive language that I doubt any of you will mind. While watching, though, remember that for most of us, vendor or user, the integrator, VAR or channel partner is the key distribution and delivery vehicle that is responsible for much of our security and IT in general.

I have some other good articles below, so be sure to continue on after the video. Have a good day!


Browser Wars continued? – A couple of articles today about browser security wars. And here I thought the browser wars ended when Marc Andreessen left Netscape! First, Brian Krebs has a good article about a report from Secunia. The report details two metrics. One is how many security flaws were reported and fixed over the past year. The second, and as Brian points out much more important, metric was how long on average it took to fix them. On the first metric, believe it or not, Mozilla far outpaced other browsers in the number of vulnerabilities fixed, with over 100. This was like 4 times more than IE, for example. But again, as Brian says, the key thing was that Mozilla fixed their holes on average in 43 days versus over 100 days for the Redmond team. Me, I think these are both too much. Of course I want to see fewer vulnerabilities found, but that is a pipe dream. Quicker response times are the key and I would like to see them both under 30 days!

Browser Wars continued part 2 – A new version of the Opera browser was released to address some security flaws. Who cares? Between IE, Firefox, Safari and Chrome all being free, is there any room for another browser? If there is, how does Opera make enough money to keep the lights on against these competitors that give it away?

Cisco discovers SaaS for email security – where is the innovation? – The Cisco marketing machine was out in all of its super heavyweight force this week with the announcement that its IronPort email security division was rolling out a hybrid SaaS model. Even I got spammed by the PR folks. While I think it noteworthy that even Cisco is joining the SaaS/managed security market, I have to agree with Eric Ogren (who I rarely agree with): what is so unique about this offering? Is there anything that Google/Postini doesn’t offer? For that matter, is there anything that Symantec or Websense or any number of other vendors don’t offer? Doesn’t look like it. I also had a thought about all of those Cisco-powered MSPs out there. How do they feel about Cisco going into direct competition with them? It’s bad enough that most Cisco partners would cut each other’s throats for an extra 2 or 3 points; how do they compete with Cisco itself in offering managed email security?

A new Mogull? A very big shout out to Rich and his wife and new daughter. Congratulations! Anyway, that is it for today. It’s almost 7am and I have a full day of meetings before flying home to FLL. Have a great day!


February 25, 2009

Baby you're the greatest!

I thought I would continue my Mike Rothman Daily Incite series today. The only dangers I can see in this are that I might start getting grumpy and give up meat! But hey, Fake Steve Jobs stopped blogging, so maybe I can be Fake Mike Rothman. Seriously, this format allows me to comment on a bunch of different things in one blog post, so I will go with it for a while.

First of all I want to call out that today is my 19th wedding anniversary! My wife Bonnie (the real Boss) continues to amaze me every day. Most times it is around how she puts up with me. But seriously, in this day and age where so many couples come and go, 19 years is an accomplishment. Marriage in some ways is a lot like security. You are not successful at it without a lot of hard work, staying on top of the game and being passionate about it, and it seems I am always one step behind! In the meantime, I still feel like Ralph Kramden, happy to have my Alice. So in the words of Ralph: Bonnie, you are the greatest!

Now on to the news and have a great day!


  1. Sourcefire goes into the 3rd party patch business. Shades of Ross Brown and eEye: the VRT at Sourcefire have released on their blog a “home brew patch” for the critical Adobe Acrobat vulnerability, which is actively being exploited in the wild. Adobe is supposed to have a patch out by March 11th. In the meantime, just as happened in the past, we really don’t know if the 3rd party patch has been adequately tested. If it turns out it breaks something, Marty and team may wind up with egg on their faces. As I have written before, generally I am against 3rd party patches. In the meantime, Adobe, come on! If you want Acrobat to be ubiquitous, you need to do a better job of getting patches out. This vulnerability has been kicking around for a long time!
  2. Checkpoint comes out with “software blades” for the UTM. Checkpoint has introduced a new concept in their UTM line up. They call them software blades. “The company describes a software blade as a security building block that is independent, modular and centrally managed.” The software blades operate on a software chassis. Checkpoint wants to sell each blade for $1500. I don’t know about you, but this sounds a lot like StillSecure Cobia to me! Modular security apps that run as software and can be mixed and matched on the management platform. Very little is new under the sun!
  3. Top Ten web hacking techniques of 2008. And the winner is... If you did not get enough on Oscar night, here is the list of the academy awards of web hacking by Jeremiah, with help from an all-star cast of judges (The Mogul, HD Moore, Hoff and Forristal). Reading this post and Rich’s post on it, the mice continue to get smarter. That makes us work harder making better mouse traps. Jeremiah will be presenting on this at a bunch of conferences including RSA. You probably want to catch that one.
  4. New kid on the block. A friend of mine, Jack Mancini, who has been working in security since Symantec first bought Norton (or was that when Ralph met Norton?), has started his own security blog called “Secure or Not Secure”. Jack is just launching a new security VAR down here in Florida. He has already put up some good stuff and I am sure will continue to do so!

Anyway that’s my news for today. I am putting the Pragmatic CSO ad down here. If the real Rothman wants to work out a revenue share deal with me it might find its way back to the top!


The Pragmatic CSO:

Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com


January 20, 2009

The Jericho Forum moves beyond de-perimeterization to the cloud

Saw this recent release on two new board members joining the board of the Jericho Forum, and it sparked a synapse in my brain about a good panel discussion I caught during the SC World Congress in December by several Jericho Forum members. You can watch two of the presentations delivered that day here. Getting away from all of the rhetoric around de-perimeterization and talking about securing the cloud and other topical security subjects made the Jericho folks much more relevant to me.

One of the new board members is Philippe Courtot, CEO of Qualys. Of course Qualys's SaaS vulnerability management solution is more of a cloud solution and not about perimeters. For me anyway, I think this is a welcome change in focus by the Jericho Forum.


December 04, 2008

This week's winner of the Captain Renault award

From the classic Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

Last week I wrote about the "shocked to find gambling going on in here" revelation by Symantec that the underground market for stolen data was in the hundreds of millions of dollars. This week's winner of the "Captain Renault shocked to find there is gambling going on here" award goes to Secunia. They announced that their findings show 98% of Windows computers have at least one known vulnerability and nearly half have 11 or more programs at risk.

Bill Brenner has a good article on this, saying it is just Secunia spreading FUD and that not many CIOs or security administrators are surprised by these findings. Bill points to a Verizon study that says 90% of all incidents involve a vulnerability that has had a patch available for 6 months or more. I think this is really important.

For all of the emphasis, time and money wasted on zero-day attacks, the fact is 9 out of 10 attacks take place against well known vulnerabilities. Has the patch management process broken down? Did it ever really exist? Vulnerability management just isn't sexy anymore, but there are good products available. In the face of such numbers, how can the security industry as a whole not get serious about patching, vulnerability testing and taking this low hanging fruit off the table before we get all hot and bothered about zero-day stuff?
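The two numbers argued over on this page, a vendor's time to fix (the Secunia browser comparison in the March post) and how long a shipped patch sits undeployed (the Verizon six-month figure above), fall out of the same few dates per finding. Here is an added example, written for this page and not code from the original post, StillSecure, Secunia or Verizon, that computes both from a small set of constructed findings; the hostnames, the "VULN-A" style identifiers, the dates and the report date are all made up, and the 180-day threshold simply mirrors the "6 months or more" criterion quoted above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One host/vulnerability pair as a scanner would report it (constructed shape)."""
    host: str
    vuln_id: str                     # placeholder id, not a real advisory number
    disclosed: date                  # public disclosure date
    patch_released: date             # date the vendor shipped a fix
    patched_on_host: Optional[date]  # None means the fix is still not deployed here


# Constructed inventory and report date; file01 is in scope but has no findings.
HOSTS = ["web01", "db01", "hr01", "file01"]
AS_OF = date(2008, 12, 4)

FINDINGS = [
    Finding("web01", "VULN-A", date(2008, 1, 10), date(2008, 2, 22), None),
    Finding("web01", "VULN-C", date(2008, 9, 15), date(2008, 10, 1), date(2008, 10, 20)),
    Finding("db01",  "VULN-B", date(2008, 3, 1),  date(2008, 6, 9),  None),
    Finding("db01",  "VULN-A", date(2008, 1, 10), date(2008, 2, 22), date(2008, 3, 15)),
    Finding("hr01",  "VULN-C", date(2008, 9, 15), date(2008, 10, 1), None),
]


def mean_vendor_fix_days(findings):
    """Average disclosure-to-patch time, counted once per distinct vulnerability
    (the metric Secunia compared across browsers)."""
    per_vuln = {f.vuln_id: (f.patch_released - f.disclosed).days for f in findings}
    return sum(per_vuln.values()) / len(per_vuln)


def mean_deploy_lag_days(findings):
    """Average patch-release-to-deployment time over findings already fixed on a host:
    the part of the lifecycle the organization, not the vendor, controls."""
    lags = [(f.patched_on_host - f.patch_released).days
            for f in findings if f.patched_on_host is not None]
    return sum(lags) / len(lags) if lags else 0.0


def open_findings(findings):
    """Findings with no deployed fix as of the report."""
    return [f for f in findings if f.patched_on_host is None]


def stale_unpatched(findings, as_of, min_days=180):
    """Open findings whose fix has been available for at least min_days.
    These are the 'patch available for 6 months or more' exposures."""
    return [f for f in open_findings(findings)
            if (as_of - f.patch_released).days >= min_days]


def summary(findings, hosts, as_of, min_days=180):
    """Roll-up a vulnerability manager would put at the top of a report."""
    open_ = open_findings(findings)
    hosts_open = {f.host for f in open_}
    return {
        "hosts": len(hosts),
        "hosts_with_open_vulns": len(hosts_open),
        "share_hosts_with_open_vulns": len(hosts_open) / len(hosts),
        "open_findings": len(open_),
        "stale_findings": len(stale_unpatched(findings, as_of, min_days)),
        "mean_vendor_fix_days": mean_vendor_fix_days(findings),
        "mean_deploy_lag_days": mean_deploy_lag_days(findings),
    }


if __name__ == "__main__":
    for key, value in summary(FINDINGS, HOSTS, AS_OF).items():
        print(f"{key}: {value}")
    for f in stale_unpatched(FINDINGS, AS_OF):
        print(f"STALE {f.host} {f.vuln_id}: patch available "
              f"{(AS_OF - f.patch_released).days} days")
```

With the constructed data, db01's VULN-B has had a patch available for 178 days on the report date, so it is open but not yet "stale" under the 180-day rule, while web01's VULN-A at 286 days is; a real program would also track the same finding across successive scans so a host that keeps reappearing is escalated rather than re-reported.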


September 27, 2008

Do you need a free vulnerability management solution?

Vulnerability management is still one of the most important things you can do to increase your security posture. To many people, vulnerability management means scanning for vulnerabilities or applying the latest Patch Tuesday updates. Of course there is much more to it than that. Managing the complete lifecycle of vulnerabilities is the key to successful risk management in this area. Whether PCI, HIPAA, SOX or just good old fashioned common sense is driving you to do it, vulnerability management is the right thing to do.

This week StillSecure announced the latest addition to our line up of free security tools. VAM Lite is a freeware edition of our award winning, enterprise class VAM vulnerability management platform. VAM Lite has most of the features of the full VAM product but is limited to scanning just 100 devices and offers only our basic reporting package. Because you can only scan 100 devices, it does not support the distributed scanner architecture that full VAM does either.

If your organization can be scanned with just 100 devices, or if you just want to give it a try and, if you see the value, possibly upgrade to full VAM, download it from our site. It can run on a dedicated server or in a VMware environment as well.

If you like, try some of the other StillSecure freeware products like Strata Guard Free and Safe Access Lite as well.

September 25, 2008

Fortinet adds to the chemistry with Secure Elements

Fortinet has been making noise about moving beyond the UTM space for some time. Today they took a very tangible step in that direction with the announcement that they have acquired Secure Elements. For those of you not familiar with Secure Elements, they were a DC-area based vulnerability management solutions provider. Their C5 platform started out as a run of the mill vulnerability scanning tool. I think they used the Nessus scanner and then started importing other scanner data. Over time they morphed more into a configuration management solution.

Secure Elements was virtually unknown outside of the Federal Government space. I would bet 90+% of their customer base was in the Fed space. They were one of the leaders in the FDCC and SCAP requirements that NIST recently put out. Their founders and pedigree had a long history of working in the friendly confines of the DC Beltway.

Fortinet, on the other hand, while trying hard, did not have a ton of success in the Federal space. Does the fact that much of their development and design happens in Asia, and China specifically, represent a reason for this? Perhaps it did. Also, beyond UTM, what technology did they have? They recently announced an endpoint based agent for security that sounded suspiciously like a McAfee or Symantec type of play. They had been making noises around doing vulnerability scanning and management as well. Now the other shoe drops and we see where that comes from.

So what is Fortinet's end game? Well, certainly if the public markets were not in the sad state they are in, they would be a good candidate for an IPO. But beyond financial goals, what do they want to be when they grow up? I think it is becoming clear. They want to take on Symantec, McAfee, Checkpoint and others as providers of a full spectrum of security solutions. They want to use their base as an ASIC based UTM and move to the endpoint and beyond. With the kinds of units they sell in UTM they certainly have the revenue to fund it.

My final question is:  How long until Fortinet offers a NAC solution?  If they are interested I know a company that is pretty good at OEM'ing their NAC solution to others.  You know how to reach me ;-)


disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
