Read the Cramer Mad Money blog tonight on Fortinet being the top pick next week as it debuts with its IPO. While it is always amusing to hear the mainstream media try to describe what security is about, I don’t necessarily disagree with his view that at 9 to 11 dollars a share, the stock is undervalued.

Cramer thinks the secret is Fortinet’s subscription business which he describes as “100 professionals in eight locations worldwide who monitor security outbreak in real time – for a fee, of course. Pay subscribers get the white-glove treatment, and Fortinet gets some seriously sticky revenues, as few people ever opt out. The service accounts for 60% of total revenues and carries a higher margin than Fortinet’s hardware.

Hey I wonder if that is not true of most security appliance vendors who all sell the subscription to rule updates and such.  However, I don’t think the stock is a bargain because of their CFO. Nothing against the Fortinet CFO, but is that what should drive this stock up?  Cramer is right though that when you look at their revenue and bottom line the stock is underpriced and looks like a good buy.

Good luck to Fortinet! Also remember that sometimes a rising tide lifts all ships. Maybe other public security companies will feel the love.

Lori says its not bad lock-in if the vendor:  (a) does what it says it does, (b) solves all their problems and (c) the company isn’t going anywhere. I agree monolithic vendor solutions can be quite efficient. Hey Mussolini was loved by the Italian people early on because he made the trains run on time.  That didn’t mean that a fascist form of government was best for Italy and that it was not a bad thing. But a single party dictatorship is more efficient than a democracy usually.  Doesn’t make it befter.

What does this have to do with data center vendor lock-in? I think where Lori’s wheels fall off the tracks on this one is when the vendor uses that monopolistic lock-in to ensure that customers now have to use vendors products for ancillary solutions. Imagine if you will (well you don’t have to imagine, it used to be like this) that if you want to use VOIP and your a Cisco shop, unless you use Cisco VOIP phones they just don't work so well on your Cisco network. Take wireless as another example. Aruba gear in a Cisco shop is a real nightmare.  Now does Cisco purposely make it harder for another vendor's gear to work with their switches? I will leave it to you to decide. The real problem as I see it is when does lock-in become so prohibitive that it crosses over to monopolistic. When it does, we don’t live in a world of corporate saints, so you can’t expect them to do what is best for customers and not for themselves.

Lori also points out that standards are so supposed to alleviate some of that angst. But as Lori says that ain’t a panacea either.  Even within standards there is too much “embracing and extending” that renders them greatly diminished.  Try making 802.1x switches from different vendors work together as a great example.

I was on my Google Feedburner page today updating my settings to go to my hotmail address (that is the subject for another blog, moving your email address at all of the accounts you have) when I came across what is for me a new feature in the stats section. They have a world map showing distribution of subscribers to my blog feed.

I guess I just always assumed that the bulk of my readers were in the US. This despite the fact that while at StillSecure we would constantly see more web leads come in from the rest of the world then from the US (having an international strategy can be the subject of a blog on another day). So I was surprised that actually about half of my subscribers actually come from outside the US.  After reflection I came to realize that this is how it should be.  Need to stop thinking US centric and remember it is a world wide web like the name says.

While I am at it, I think that is an important lesson to learn for many US companies.  Many companies I have spoken to have the “first we will make it here attitude” and then go international. In today’s economic reality, you can’t afford to just ignore more then half of your potential market. Yes language and time barriers present a problem, but not insurmountable by any means.  In this regard maybe companies that are not US based have an advantage.  Internationalization and penetrating “foreign” markets such as the US is a must for them because many of their home markets would be too small to sustain the business.  Anyway, food for thought on this cold Friday the 13th down in Florida.

During last Black Hat I wrote about an interview I did with a couple of researchers from Panda Security about rogueware. It really opened my eyes to just how big a problem the fake AV and malware problem is. Like a 500 million dollar problem! But two posts over the last few days have brought this home to me again.

First was an article on the McAfee blog about a new rogue malware plot that actually looks and feels like the McAfee product. It is called McCatte and if you were a consumer who was not familiar you would be fooled without a doubt. Here is what this nasty little program does according to McAfee:

The rogue software offers several “features”:

It displays fake warning messages and “Safety Center Alert” pop-ups

It flashes icons that appear in the system tray

It hijacks the browser’s homepage to a site that mimics McAfee’s site

And that’s not all–MaCatte Antivirus 2009 will block currently installed or downloaded anti-virus software. It will redirect your browser to various misleading websites, including the rogue program’s homepage, www.macatte.com.

Once installed, MaCatte Antivirus will start automatically when you boot Windows. Then it will scan your computer and display numerous infections, but will not remove them until you first purchase the program.

The McAfee blog then talks about the cost of McCatte, which is $99. More than the the cost of McAfee itself. Forget the cost, comparing this rogue ware to legitimate anti-malware solutions gives it far more legitimacy than it deserves.

But can you imagine your favorite non-security savvy friend or family member having to deal with this?  It could be a nightmare for them. It could even be a nightmare for a tech savvy user like Larry Dignan over at ZDNet. Somehow he was infected with some rogueware and it was opening so many porn and Viagra windows on his desktop he could not get to anything else to remove it.

Ironically his McAfee software was useless in protecting him. It just did not recognize the rogue ware. Larry grew so frustrated that finally gave in and agreed to pay McAfee 90 for a paid tech support call. Except McAfee dropped the ball (what a surprise) and was never even able to get someone on the phone with him despite taking his money.  Luckily he was able to get Kaspersky installed on his machine and it recognized the nasty rogueware and removed it.

But it just goes to show you that this stuff is nastier then ever! BTW according to the ZDNet article Ryan Narriane says that Vista and Windows 7 would never have let the rogue programs install themselves.  That is good to hear.

Well it has been too long. I am happy to welcome Mitchell Ashley back as the co-host of the podcast. It sort of felt like Martin and Lewis getting together (or for some of you younger folks, Cheech and Chong). Anyway I am happy to have Mitchell back doing the show with me. We work well together. In tonights episode we talk about a few topics:

1. Is the CISO role really best suited to a consulting gig

2. Microsoft releases a free AV product - Security Essentials

3. Microsoft's Forefront for Exchange is released

4. I am not at StillSecure and neither is Mitchell. It doesn't make sense to call the show StillSecure, After all these years. What should we call it? That brings us to the naming contest. A free T-shirt and appearance as a guest to the person who suggests the new name for the podcast. You can leave a comment or email me at ashimmy (at) hotmail dot com

Hope you like the show and we will try to do them much more regularly now!

The Alan and Mitchell Show back at it again!

Alan & Mitchell's Podcast

I kind of rushed my post this afternoon as I was on my way out the door when I saw the news on the HP ProCurve 3Com deal. I was trying to say that some may think that HP is trying to buy the pennant here.  Hey as a Yankee fan, I say there is nothing the matter with that!  But having had a chance to think some, there are some other interesting angles that this deal presents us with. Here are my top 5:

1. Where does this leave the “strategic” relationship between HP and McAfee. With Tipping Point coming along as part of 3Com you would have to assume that Little Red just took a back seat.  Frankly it doesn’t surprise me one bit. McAfee has been busy running around announcing similar strategic partnerships with lots of other network infrastructure and similar partners. As I was reading many of them, they just seemed like Barney type of announcements to me. I kept thinking that I would not hold my breath waiting for some actual integration to take place. This pretty much will put this relationship in the purple dinosaur bucket. Unless HP in a Stienbrenner pique of inspiration actually buys McAfee, I don’t see a bright future for these two working together.

2. ProCurve’s ONE ecosystem.  Many of the ProCurve ONE partners are actually security vendors. Companies like Fortinet, SonicWall, Air Tight and the rest of the ONE partners in security (including McAfee) will all be taking a back seat to Tipping Point.

3. The future of the tech industry. Here is my Ashimmy far out scenario pick and I am giving it to you for free.  This is going to help set up the battle of the goliaths.  My prediction is that IBM is going to buy Juniper. Unlike Cisco who never buys companies they OEM from, IBM does. If they see some traction with the Juniper stuff, they may well swallow them up. Next comes Brocade. I say that either HP or IBM may still buy them, but a dark horse is Oracle.  Then we will see a real battle between Cisco, HP and IBM.  Cisco may be further along in things like set top boxes and video, but they don’t have the feet on the street consulting that HP and IBM do.  These three will rule the tech world like never before, with Microsoft and Oracle playing second fiddles.

4. The rest of the ethernet switch competitors? The clock is ticking on them every day now. They need to find an quick exit or face being more marginalized then ever.

5. The forces of security and network convergence march on!

You have to admire the guys at HP.  Fresh off some monster acquisitions, news just broke that they are buying 3Com for 2.7 billion to give their ProCurve team a shiny new toy to play with for Christmas.  3Com finally finds a buyer that isn’t Chinese and the Feds won’t choke on.

This should have the folks over at Cisco taking notice.  Of course lets see if they can digest the beast without killing any mojo that was left there.  Good for ProCurve!

Over the last year I have been following two companies in what I called the firewall management space. Secure Passage, whose CEO appeared on the podcast and Tufin Technologies, which I have been getting to know through Liz Safran of Looking Glass PR.  I actually met with the Tufin team at the Gartner Security Summit this past summer up in DC. I was impressed with both companies and think both companies bring a needed solution to market.  Today’s enterprises and MSPs have to be able to manage multiple firewalls from multiple vendors and it has to go beyond just inserting a rule across the board.  One question I had was how each of them would broaden the amount of different firewall solutions they could manage.  Having a product in this category that only did Checkpoint and Juniper, might be OK for a sub-section of the market, but would ultimately limit the opportunity for either of them.

Both companies told me they planned to expand coverage.  Tufin was attempting to do so in a scalable manner by building out a platform that would then make it easier to “plug in” new devices in a rapid manner.  Today they announced that using this Tufin Open Platform (TOP), they have plug ins available for 12 new devices and manufacturers equipment. That in and of itself is cool, good to see them expand.  But what I thought was worthy of writing about was the fact that they are moving beyond firewalls and are  providing security management for switches from most of the leading vendors as well.  This moves them into a whole new market.  The Tufin system has great change management and logging and auditing of what they call security life cycle mangement.  I think the expansion beyond firewalls really positions them to make a move in the market with a great network convergence story.  With so little new in security it seems, I am happy to see a company actually doing something.

I have been speaking to a lot of folks over the last few months about what I think is missing or is needed in the security market.  I have heard a consistent fact pattern. It is the familiar does management really give a crap about security or is it all about just passing the audit.  Last week I had a chance to read a heartfelt lament from AndyIT Guy. It is titled “the tale of an unsatisfied security professional”.

I have corresponded with Andy over the years, but I don’t think I ever met him him in person. But it doesn’t make a difference. Reading Andy’s story it is the security everyman's story.  On the whole, security folks are a passionate, dedicated lot who really do want to make sure that nothing bad happens on our watch.  For the most part we know what needs to be done from a process, policy and technology perspective. The problem is getting the budget and support internally to make it happen.  For too many of us the auditor is our best friend.  They won’t listen to us, maybe they will listen to him – is the plan of attack.

Even at the CISO level where you supposedly speak the exec language, it doesn’t work that way.  So many CISO’s I have spoken to feel like they get a 6 month to a year honeymoon where management feels they have hired someone for big bucks and lets let him do what he has to.  A good CISO can put the policies, processes and technologies in place in that time frame.  Perhaps even turn it over to some lower level people to care take. But that is where the honeymoon usually ends. Management feels they have done enough to feed the security/compliance monster.  The CISO is a drain on expenses and he or she is always asking for the next shiny widget or saying you can’t do something that will make someone’s job easier and earn more revenue. 

From there the road is predictable. It is pretty much as Andy describes. So if someone were smart they would recognize this. Perhaps you are better off coming in as a CISO with a short term mandate to put the process, policies and technology in place and then handing it off to a caretaker and move on to the next gig. I have seen similar business models with CIOs for hire. If someone were smart a consulting type business built around that may in fact be just what the security doctor ordered.

I like to cook. I love to grill too.  Down here in Florida with the warm weather we grill year round. I probably grill 2 to 3 times a week when I am home.  For most of my adult life I have always had Weber grills.  Weber makes a fine product and on average my Weber grill lasts 6 or 7 years. In fact since moving to Florida I have only had one grill, a Weber.  Finally about 15 months ago my trusty old Weber gave up the ghost. I was sad, but knew it didn’t owe me any money, I had gotten more than my fair share out of it. 

I forgot what happened but I wound up in Lowes instead of Home Depot looking for my next grill. The sales person at Lowes did a masterful job of showing me the shiny new Char Broil commercial series grill.  All stainless steel, 4 burners and a side burner.  It was just a little over half the price of the Weber. The sales guy told me they were built to last and he had one himself.  You would think I know better than to listen to a sales guy.

Anyway here I am about 14 months later. The shiny stainless steel is still shiny. But the guts inside the grill, the burner, ignitions, heat shields, etc are all rotted and rusted hulks.  This in spite of the fact that I bought the custom grill cover and keep the grill covered whenever its not in use.

I called Char Broil to see if it paid to buy the replacement parts or better yet if they would do anything for me as a customer. After punching through a few dial 1 for this, 2 for thats, I was able to get a live person on the phone and she spoke English natively. I thought wow their customer service seems to be better than their products (I know a few companies like that). 

Unfortunately that is where the good story  ends.  The rep on the phone told me these are actually very high maintenance grills (now they tell me).  Every few months you are supposed to take apart the whole bowl of the grill and soak the parts in soapy water (are they kidding me?).  You need to put a coating on the heat shields to keep them from rusting out. Then she tells me that if you close the cover when grilling it causes carbon to build up on the interior parts which accelerate the rust.  Sorry, but the warranty is just 12 months, you are two months out of warranty and by the way to replace all of these parts would cost more than a new grill.  Thanks for using Char Broil!

Yeah right.  Char Broil grills suck and if any sales person tries to sell you one, run as fast and as far as you can!

I was a bit shocked to read several articles last week about Cisco’s apparent decision to stop adding new third party device support into Cisco MARS SEIM product. When I first read Ellen Messmer’s Network World story I thought perhaps Jerry Skurla over at Nitro was blowing smoke trying to stir up some FUD around the future of the Cisco product.  But it looks like other SIEM vendors have been hearing the same things. On top of that Cisco’s own spokesman came out with less then a ringing endorsement of MARS future. 

Usually in cases like this, where there is smoke there is fire.  Sounds like we could see MARS become a casualty of Cisco having too wide a focus. Between set top boxes, video conferencing, servers and virtualization, something has to give.  Could be some of the security stuff is what it is. It would be a shame though. I thought MARS was one of the better pieces of the Cisco security line up. It made their IPS so much more useable. 

I am not Richard Dawson and this ain’t the Family Feud. But I don’t quite get the results as reported by Bill Brenner on CSO online and his podcast. According to Bill the economic downturn has led to companies spending less on outsourced security and doing more in house. This seems to be counter-intuitive and against all of the evidence I have seen. In fact most analysis I have seen says that the economic turmoil has led to a greater use of security outsourcing. Companies cannot afford the resources in house, full time and instead are saving costs outsourcing security.

If indeed they are spending less on outsourced security I would hypothesize that they are not forgoing spending money on outsourced security by doing it in house, but are actually foregoing spending on security all together. Of course they don’t want to say that, so instead say they are taking it in house and having existing resources handle it.  If those resources could handle it to begin with they would not have outsourced to begin with! The realities of the security market strike again.

It could of course also be specific to the questions asked. Perhaps with the great firewall management tools recently introduced like Tufin Technologies larger enterprises are taking more firewall management in house. But for the majority of the market I don’t see taking security in house and actually doing it as a key driver of saving money.

One thing Bill does say though that is worth repeating is that whether you in house or outsource security, you do not abdicate your responsibility for your company’s security.

No matter what happens the NY Yankees are . .  The Yankees. New ballpark - new pitchers, recession-depression, boom or bust, the Yankees just keep winning. Congrats especially to the core 4 of Jeter, Pettite, Posada and of course the incomparable Mariano Rivera.

For me this is the first time since 1978/79 (I know many of you weren’t born then) that my Steelers and Yankees were world champs at the same time. Thinking back to those years (I was in college) brought back many sweet memories. I hope it is a good omen for good things to come!

Bradford Networks fresh off of winning a best buy award in a NAC group test from SC Magazine, yesterday announced an ambitious new line up of solutions based on what they are calling their Adaptive Network Security (ANS) platform.  Network Sentry is the new line and here is what Bradford says it is all about:

1. Protecting the network from unauthorized and at-risk users and devices;
2. Ensuring that confidential network resources are protected;
3. Eliminating endpoint vulnerability;
4. Ensuring that security policies are established and enforced;
5. Maximizing existing investments in security systems and network infrastructure;
6. Provisioning, securing and managing user, device and guest access;
7. Detecting and profiling managed and unmanaged devices; and
8. Automating security actions and policy enforcement to unburden IT staff.

What you don’t see there is NAC or network access control though.  Many of these functions were already accomplished by their NAC Director and guest access NAC products.  But they are clearly choosing to distance themselves from the word NAC.  Hey, who can blame them? 

What remains to be seen is if Bradford has the breath and girth in the market to make this comprehensive vision actually pan out.  They have a great base in the edu market and this could be just the thing to move them beyond that.

Also some of the traditional knocks on Bradford’s NAC product seem to have been addressed in the new release. GUI, set-up and reports all claim to have been upgraded.  I haven’t spoken to anyone yet who has used it to say for sure. 

In any event seems like another vendor trying to move away from NAC. The problem is that many of those who have tried have already spent too much time and effort and didn’t seem to have the fuel necessary to achieve escape velocity. But with Bradford building on what they already have, lets hope it turns out different for them.  Good luck to them and we will have to keep watching.

I have not blogged for a few weeks now. When last I left you all I was in NYC reminiscing about returning home to the city.  The following week I celebrated my birthday.  On reflection I realized that this was the beginning of the 9th year of my life that I had given to making StillSecure a success.  In this day in age, 8 or 9 years at the same job or company is almost unheard of. After much soul searching I came to the conclusion that for the next decade of my life it was time to do something different.  So after speaking with board members and Raj Bhargava, StillSecure CEO, I am leaving StillSecure effective today.

I have had the chance to meet lots of people, do lots of different things and really play a meaningful role in building this company. For that I am very grateful.  The experience, the friendships and the memories will last me a lifetime.  But all good things come to an end and it is time for me to find the next adventure in my life.  I wish all of my friends at StillSecure good bye and good luck as they continue to to make StillSecure a great company.

What am I going to do next?  I honestly don’t know.  I am going to take a few weeks to spend time with my wife and sons (whom I have been too often away from over all these years).  I am going to clear my head and see what opportunities are out there. 

In the meantime I will continue blogging as I have in the past. Now no one can accuse me of being a “vendor puke” and I hope I can be objective. I am going to change the name of the blog to “the ashimmy blog” and the domain http://www.ashimmy.com already should work.  I will be redesigning as well over the coming weeks.  I also want to spend more time making the security bloggers network site more of a destination and resource for the security blogging community.

You can reach me at ashimmy (at) hotmail. com if you would like or of course leave a comment.

I hope you will all continue to find the blog as entertaining and useful as you have in the past.

thanks

Alan

I am up in NY this week attending the 2nd annual SC Congress.  This second iteration of the show is much better I am sure in large part because of lessons learned from last years event.  Instead of being in the cavernous Javits Center this years event is in the Sheraton Towers Hotel. It has a much warmer and sharper feel.  The event is also better attended.  Most of all the people at the show are not wearing the usual blue jeans and t-shirts. This is a NY show and the people are dressed for business. Most people are in sports jackets or suits.  The Haymarket/SC Magazine crew have put a ton of time and effort into this years show and it has paid off.  I will write more about the show at a later date, but I actually wanted to write about something else today.

Coming home to NY is coming home for me. You can take the boy out of NY, but you can never take NY out of the boy. Walking from my hotel to the show, virtually every street I go down recalls a different memory. Today walking back before dinner I passed a store front on 57th street that looked familiar. I stopped and looked hard and it came rushing back. It was now a French restaurant but that didn’t fool me.  Twenty-four or so years ago this was called the NY Deli. It wasn’t one of the best delis in town, but it had a special memory.  On our second date I had taken Bonnie out in NYC (she lived in Staten Island, so with me driving from Long Island it was easy to hop into the city) after a night of partying (we really did party back then) I took her into the NY Deli for a late night snack before driving her home to Staten Island.  Looking into the window at the table we sat at I remembered what it was like those many years ago.  How exhilarating it was to be falling in love, how life seemed so endless and boundless.  So much living has gone on since that night all those years ago.  Mostly good, but some not. Dreams come true and others given up. Can it really be that long?   Spending a few moments in front of that window my life flashed before me. As someone once said life is a journey, not a destination, but for me the destination of NY holds so many of the way stations in my own personal journey. It is good to be home.

I have written before that to many the Ethernet switching market is a fairy tale of Cisco and the seven dwarfs, except that these dwarfs really aren’t so little. Companies like HP, Brocade, Nortel, 3Com, Enterasys, Juniper, Force 10 are constantly biting at the heels of the Cisco monolith.

Recently, some of these have actually made solid progress. HP’s ProCurve network gear division claims to be solidly in the 2nd place slot and closing.  Foundry’s merger with Brocade created a viable competitor to Cisco across storage and Ethernet switching. 3Com has actually shown some signs of life recently in the international market.

Today though three articles caught my attention that show that it is still a wide and wacky world in the switch business. First comes word that Ciena is offering $521m for the assets of bankrupt Nortel. Hard to believe that once might Nortel has fallen so far. Next Extreme Networks, which has always had the rep of having great technology was hammered by the markets yesterday after releasing guidance that they will badly miss this quarter. They blamed the shortfall on supply chain problems.  Listening to that you would think they had all of these orders they were unable to fulfill that as a result were pushed our or cancelled.  Maybe that is true, but it just doesn’t seem so to me. I think there might be other issues at play there. Finally, the latest rumors are that Brocade is now shopping themselves and likely buyers are HP or Oracle. A sale to HP would certainly make for a powerhouse. I am not sure what Oracle would do in this market though.  Here is my prediction; look for IBM to get into this market soon.

One thing for sure though is that the constant jockeying for position to take on the still undefeated Cisco will continue.

In our house we watch sports a lot. My two sons 10 and 8 have become real sports junkies and whether it is football or baseball, basketball or hockey; if it is sports we watch it.  For a long time I have worried about the impact that all of those prescription drug commercials would have on the kids. It used to be that they were too young to realize what Viagra time or Cialis daily or 36 hours meant. I thought the more than 4 hour go the hospital thing would raise questions, but they never asked. 

Tonight while watch the exciting baseball play off game between the Tigers and Twins there was a commercial for that drug that helps with enlarged prostrate problems. You know the one, it talks about the symptoms of enlarged prostrate and how the drug helps but if a woman touches it they could have birth defects if pregnant.  Frequent and painful urination. Lovely commercial for family time! After the commercial my oldest son says to his brother “I don’t think I have any prostrate problems, I only get up at night to go the bathroom about once a month”.  Do I need my 10 year old telling my 8 year old this. Do I have to now explain to them what the prostrate gland is and that at his age, he shouldn’t have to worry about it.  Next am I going to have to answer my 8 year old when he tells me he thinks he has an erection for more than 4 hours!

I would rather not see these drug commercials on during family time or prime time sports shows with so many kids watching them. Is their a way of them being less graphic.  I guess I would rather see my kids sold on tastes great, less filling alcohol products.  How about some good government commercials asking you to write for information to some address in Pueblo, Colorado (you have to be my age to remember them)?  Am I the only one who is uncomfortable with these commercials?

This is a special edition of the StillSecure, After all these years podcast. I am joined by John Curry, director of customer security at StillSecure to discuss the latest, greatest version of StillSecure's Safe Access NAC product code named Mirror Pond.  Mirror Pond has won rave reviews from customers, media and engineers alike.  John tells why and what you can do with Mirror Pond.

WARNING: Listening to this podcast could change your attitude on how, when and why you should use a NAC solution. Listen at your own risk.

If you have any questions about the podcast, please write to podcast@stillsecure.com. If you have any questions about Mirror Pond, NAC or other StillSecure products, check out the StillSecure web site.

Mirror Pond - The best Safe Access NAC release yet!

StillSecure, After All These Years Podcast

VeriSign in what may be the final move of breaking up the house that Stratton Sclavos built, announced that it has sold its security consulting practice to AT&T. AT&T hopes to leverage its existing managed security service in combination with the security consulting services that VeriSign delivered to generate a high margin cash generating business. Frankly there is no reason it shouldn’t as the VeriSign consulting practice was a great high end security practice. It had been rumored and speculated that this deal was going down for months.  It comes on the heels of VeriSign selling off its own managed security service to SecureWorks back in May.

Actually since Sclavos left the helm of VeriSign they had announced that they wanted to divest themselves of 13 business units to retrench to their core business of SSL certs and domain registration management.  This last deal just about completes that strategy. While still a cash cow,it represents a rapid deflation of one of the real giants of the Internet era.  I guess what goes up does come down.

Believe it or not, we are already thinking about next years RSA security bloggers meet up.  The event gets bigger every year, more fun, but also more work.  This year promises to be no different.  At last years event we introduced the Social Security Blogger Awards.  It was supposed to be a little tongue in cheek and chance for some of the great bloggers in the security arena to get some recognition.  Well we had never run an award before and it turned into a big learning experience for us all.

For this years get together we would like to do the Social Security Bloggers Awards again.  However with some different rules.  We will accept blogs in an open nomination process. I am thinking that a select group of judges will narrow down the finalists. The finalists will then be voted upon by the members of the security bloggers network. This way rather than a popularity contest with all of the issues around it, it will be more of an by the blogger, for the blogger award.  Sort of the like Screen Actors Guild (SAG) where only SAG members vote.  What do you think? Do you have any suggestions to do this better?  I have to report back to the organizing committee on this, so if you have an idea please comment and let me know.

You have to give some points to Greg Young over at Gartner for boldness. Perhaps not since Rich Stiennon’s IDS is dead has a Gartner analyst taken such a bold and controversial stand.  Greg has called out the whole so called “enterprise UTM” space and by inference Fortinet as the leader of that bunch in this blog on the myth of enterprise UTM.  Greg seeks to debunk the 4 myths surrounding so called enterprise class UTM.

Most of it has to do with defining the enterprise. Frankly I think Greg doesn’t go far enough in his definition of enterprise. He seems to say that 1,000 employees is the magic number for a true enterprise. I think up to 5,000 employees is mid-market.  I define SMB as up to 500 workers.  501 to 5000 mid-markets.  While I agree with Greg that true enterprises will not be satisfied with UTM boxes, I do think that shops of 1,000 to 1,500 people can use a UTM type box and it will fill the bill.  I don’t think the latency that Greg talks about is what it was a few years ago.

Forget what I say though. It should be interesting to see what the Xie brothers (Fortinet co-founders) and some of the other enterprise UTM vendors have to say about what Greg has laid out.

When I am not flying around the world on StillSecure business. one of my favorite things to do is be involved with sports with my boys.  Not just my sons either. Since my oldest son Landon was 4 (he is now 10) I have been coaching him and my younger son Bradley in baseball, soccer and flag football. One of the things I like most about bringing people into my personal office at our Ft Lauderdale office is my wall full of plaques from each team I have coached. Watching people take in all of the plaques is always a proud moment for me. I truly do love coaching the kids. If I could I would do it full time.  I love watching these children grow over the course of a  short sports season into better players and more important into better people. When I see these kids even after I am not their coach they still come over and say hi and tell me what they are up to in their life. It is a great feeling. It is both a great privilege and a great responsibility teaching these youngsters about sports, sportsmanship and life lessons.

Tonight was one of those lesson times. My younger son Bradley’s flag football team the Mighty Giants (6 and 7 year olds), is really a special team.  From their first practice this team has just been a great mix of special kids who are eager to learn and play. We have spent many hours practicing and in all of our scrimmages and games we have won every encounter handedly, not even giving up any scores. There is nothing like building confidence, false or otherwise when your team blows out the other team every time you play.  This team really took on a swagger and it was fun to watch and see.  Tonight we played the other undefeated team in our league, the Jets.  I knew it was going to be a tough game. The coaches on the Jets besides being on the board of directors of our league, have also won the championship last year. The Jets play a tough brand of flag football and they beat our kids up pretty bad. Almost every boy on the team was crying at one time or another this game, having been hit, called names, kicked, etc.  The refs really missed some obvious calls, but that is no excuse, the other team was tougher than us. We won’t play the Jets again until the playoffs and then hopefully in the league Super Bowl. We have time to train the kids and hopefully have them better prepared.

After the game I gathered the kids together and told them all the right things a coach tells the kids.  Win or lose I was proud of them. We learn more from our losses than our wins and it makes us stronger. That the wheel turns and our turn will come.  Watching their bright little faces, wiping away their tears, telling them that the Sun is going to come up tomorrow and we will move on and get better, I could see their confidence returning. These kids learned a tough lesson today. You can’t win every game. There are people out there who can beat you. What I saw though that really got me excited was that rather than just resigning themselves to losing, they want to know what do we do to make sure we win next time. They are ready to practice and get better to make sure the next time we play that team the outcome is different. They aren’t going to quit and will do what they have to do to succeed.  That is exactly what I expect of these little men and their coach couldn’t be more proud of them!

Image of RSA Blog MeetUp 2009

I have not written lately about the Security Bloggers Network. The network continues to chug along adding new security blogs from around the world.  The feed is deep and rich with lots of great content on a daily basis.  We still have much work to do to make the site more valuable to both SBN members and readers, but there are never enough hours in the day. Anyway a couple of updates regarding the SBN:

1. The SC World Congress is about 3 weeks away. Both SBN bloggers and readers are eligible for special discounts to attend this show in NYC.  You can get all of the details in this earlier blog post I did on it.

2. Security Bloggers meet up for RSA Europe.  Our security bloggers meet up at RSA in San Francisco has become quite the event. Now for the second year a bunch of bloggers are organizing a European version of the meet up. If you are attending the European RSA show and would like to meet up with other bloggers email bloggermeetup@infosecramblings.com for details. Space is limited to just 50 bloggers, so please do so promptly if you want to be sure to attend.

3. Lijit search widget – Lijit is supporting the SBN website and feed. Their vision is that the Lijit search engine will power SBN wide searches. it is a valuable tool for all SBN members. If you are an SBN member you can get the widget at http://www.lijit.com/external/network_signup/sbn.

4. Social Security Bloggers Awards -  Believe it or not, we are already starting to plan next years RSA security bloggers meet up. I think we are going to take another try at the Social Security Blogger awards. This year we are thinking that voting for the awards will be open to SBN members. Making it sort of a an award by bloggers for bloggers, along the lines of the Screen Actors Guild (SAG) awards.  I would be interested in thoughts on that, so feel free to leave a comment with what you think on it.

Thats all for now, but stay tuned for more SBN news soon!

Some great info about how the threat landscape has shifted from OS based attack vectors to application based vectors in the new report from SANS, TippingPoint and Qualys. It was good to see Microsoft getting some credit finally for the work they have done around shoring up Windows and that the OS is no longer the primary focus of hackers.

Of course the report would not have been possible without the voluminous data provided by TippingPoint and Qualys. TippingPoint provided attack data from over 6,000 organizations they protect. Qualys provided vulnerability data from over 9 million customers computers.  Staggering numbers for sure.

Here is my question: How much does Qualys and TippingPoint really know about your network?  Does Qualys know which computers on your network have which vulnerabilities? How did they find out? I thought your vulnerability data, stored on their systems is encrypted and not even there own employees have access to it. Can you imagine if that data got into the wrong hands? Someone who had a list of which devices had which vulnerabilities on your network would certainly make it a bit easier to wreak havoc on your system, no?  I would hope that the data was collected with the permission and knowledge of their customers. But the fact that they know the vulnerability status of 9 million computers is a bit disconcerting. It is just too tempting. 

The lesson is make sure that not even your security vendor has this type of information which could give someone the keys to kingdom unless you are comfortable with that.