To be fair, I don’t disagree with Richard as he describes the evolution of combining more and more functionality on one box.  It is hard to argue against the rise of both next gen firewalls and UTMs.  However, I am not sure that they are one and the same as Richard seems to claim. In Richard’s world view (which hasn’t seemed to change since he was at Fortinet) a UTM is what you make it. You can add anything to your firewall, put it anywhere and just keep piling on features. Eventually you wind up with what I call the GodBox. Richard would call it the ultimate UTM.  No matter what you call it, it doesn’t work.

I think if Richard is playing Hawking in his brief history of firewalls, I will play Leonard Susskind and postulate my own theory. Shimel’s theorem is that the more features and functions you add to one box, the more difficult it becomes to manage and actually use all of them. Eventually the GodBox sinks under the weight of its complexity.

Security vendors haven’t even mastered a good firewall management interface, let alone one that handles all that Richard would pile on the box. That is why vendors like Firemon have been so successful. What would wind up happening is people may buy GodBoxes for all that they can offer, but in practice would only use a small fraction of the what is advertised as being possible using the device.

This is much the same as in the move from IDS to IPS. While people were buying boxes labeled IPS, the overwhelming majority were using them primarily as IDS. They might have a rule or two turned on, but by and large they use these boxes as IDS still.

I would also caveat Richard’s view that switching and routing will be added to security devices so that deep packet inspection will take place at every network intersection. While doing so would be great, there is a price to be paid for all of that inspection, as well as a certain amount of redundancy in doing so. Most of all though I think Richard underestimates how hard it is to do switching/routing right.

Rather than security vendors matter-of-factly adding networking, it is more likely that vendors like Cisco, Juniper, Brocade add security to their existing network gear. Again though, Shimel’s Theorem applies; the more you pile on the box, the more complex, difficult it is to manage and the less likely that a meaningful percentage of the features will actually be used.

So while Richard has captured one path that firewalls have taken, I think to paraphrase Carl Sagan when it comes to the flavors and potential ways that firewall technology will be used in our networks, “there are billions and billions” of them. UTM is just one path in the Multiverse.

(PS-  I tried to post a comment on Richard’s blog, but I don’t think it is allowing comments. Its been a long time since I wrote a blog post disagreeing with Richard Stiennon. It feels like old times!)

PSS- my comment on Richard’s original post is now posted.

After seeing Wombat’s phishing Phil and Phyllis last time I checked in with them, I introduced my 12 year old son Landon to them. He did a science project based on phishing and educating his classmates (and their parents) about phishing and wound  up with a 3rd place county wide finish in his project.

I spoke to Joe Ferrara, CEO of Wombat about their new offerings. Moving beyond phishing the team now has training on smart phone use, social media and creating strong passwords and password security.  Of course they still have phishing and email security as well.  Also Joe and his expanded team have moved beyond some of the cartoon figures in phishing Phil to a bit more sophisticated look and feel.  You can sign up for free demos of the products on their web site.

Best of all for Joe and Wombat, the market is warming up to their" “making security training fun” approach. They recently announced that food giant Del Monte had chose Wombat for their security training program for employees. Joe is growing the team pretty quickly at Wombat. Between ramping up the sales team, as well as adding new modules and areas of training, Wombat is hopping right now.

It is good to see a security start up doing so well. Will keep watch on Wombat’s progress, but if you are in need of security training for your organization, you should give them a look.

This years meet up, our 6rh annual one promises to be our best ever.We of course have the 4th annual Social Security Blogger Awards (winners have already been voted and will be announced at the meet up), the first two Security Bloggers Hall of Fame members being announced, great entertainment and even more surprises in store. Of course the usual good food, drinks and camaraderie in a marketing free zone are still there.

Now we are working on another surprise for Security Blogger Meet up invitees.  Another invite to another exclusive event.  Can’t tell you more about that now, but will later.

So don’t wait a second longer. Go find your invite and RSVP now or don’t complain about not being able to attend. If you never received your invite and blog, write or podcast on security, write to Jennifer Leggio at mediaphyter@gmail.com to request yours. If you were silly enough to delete your invite without responding, shame you on you. You are SOL.  Well maybe if you write to Jennifer and tell the truth that you “accidently” deleted it, she may send you another one.

Anyway, don’t miss our best bloggers meet up yet.  Thanks to our great sponsors, this is one event you don’t want to miss!

When I first heard the story on Twitter and read the post they put up I have to say I was skeptical. Let me say right up front that RSA Conference sponsors the Security Bloggers Network and sponsors our Security Bloggers Meet up every year at RSA. On top of that I have found the conference team to be the most professional, on the ball group of folks to work with. They care about the security community and this just doesn’t sound like their style.

I reached out to a contact there to find out what the real story was behind this new B-Sides drama today. From what I can ascertain here are the facts:

RSA Conference has not denied a waiver to any sponsor that asked to sponsor B-sides also. In fact this is not the first year that RSA Conference has worked with B-Sides on this.

So I am not sure where this is all coming from. If the folks at B-sides have been told differently, I would like someone there to stand up and say so. Let’s have a great RSA Conference week. A week big enough for Security B-sides, Americas Growth Capital Conference, Cloud Security Alliance conference and all of the other great security stuff that takes place in San Fran that week!

In the bigger picture, B-sides is a great idea and I love watching it grow. But drama is not conducive to growing B-sides. I hope that this will not be a reoccurring pattern.

Continuing my series of podcasts on all things Risk, I have another great one in this episode.  I am joined by an all star panel of HD Moore, CSO of Rapid7 and founder of Metasploit, Ron Gula, CEO and CTO of Tenable Network Security and Jody Brazil, founder and President of Firemon. With that kind of talent, this is not just another Risk Podcast!

The four of us discuss some common mistakes people make in risk management.  How vulnerability and pen testing figure into the Risk equation. We even manage to discuss scenario based risk management as exemplified in the Firemon Risk Analyzer. 

Having smart people on the show makes my job easy and fun. This was a very easy and fun podcast. I hope you enjoy!

Here are the finalists as nominate by our judges, Kelly Jackson Higgins, Bill Brenner, Larry Walsh and Wendy Nather:

Best Corporate Security Blog:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast:

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

Exotic Liability http://www.exoticliability.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

You can also write in your podcast vote.

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

The Most Entertaining Security Blog:

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

The Blog That Best Represents The Security Industry:

Krebs On Security http://krebsonsecurity.com/

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

The Single Best Blog Post or Podcast Of The Year:

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

The First Two Members Of The Security Bloggers Hall Of Fame: (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Brian Krebs (Washington Post, Krebs on Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

Bruce Schneier, Schneier On Security

You can vote if you like, right now by clicking here. There is only a week left and most of the categories are very, very close.

Of course there are so many blogs and podcasts that inevitably some worthy ones don’t make the list. This year there has been some questioning of how we pick the finalists and questioning of why certain blog/podcasts were left out. I should say that it seems mostly centered in the podcast category.

As a result I have made a write in option available for qualified voters(more on that in a second) to write in their own selection for best podcast. So far I have a received a handful of write in votes.  That being said though, I wanted to go over how we pick the finalists and what the Social Security Bloggers Awards are all about.

First of all you should know that this year at RSA Conference we will be hosting the 6th annual Security Bloggers Meet up.  You can find out more about it at the RSA Conference blog for Bloggers Meet up, the Bloggers Meet up Facebook page and the Security Bloggers Network.

This is also the 4th year for the Social Security Bloggers Awards. Again you can read more about them on the links above. The idea behind the blogger awards was to recognize some of the leading bloggers in the security arena.  When I first came up with the idea I didn’t think people would get that excited about it.

In the first year of the awards we had judges nominate their choices for finalists (as we have every year since), then we let anyone who registered vote. Well it turned out like so many awards run by other organizations, nothing more than a popularity contest with some people trying to stuff the ballot box.  That was not the spirit that I envisioned with these awards.

The awards really grew out of the Security Bloggers Network which I started 6 or more years ago. While a blog or podcast does not have to be in the SBN to be considered or win an award, it was in that same sense of fostering a community among the security blogging space. 

So going forward I changed the voting for the awards. While our all star panel of judges still picked the finalists, voting was only open to security bloggers.  Each voter had to give their blog or podcast URL with their vote for us to verify. In this way it was an award “by the bloggers, for the bloggers”.  This of course drastically cut down the amount of votes cast, but made it a peer based award similar to the Screen Actor Guild SAG awards.  I thought that was pretty cool.

Each year I try to bring some fresh blood into the judges pool to get new views on what the best blogs and podcasts are.  I also refine and add new categories to hopefully better represent the market. But no matter what is done, there are always going to be some people who feel left out.

So for next year I am already thinking of how we can do this differently. I am open to suggestions. But I will reserve the right on behalf of myself and the bloggers meet up organizing committee to choose what we think is the best method. I want to keep the awards free from ballot box stuffing.

In the meantime I want you all to know that I and many others appreciate all of the great content that the security industry turns out in blogs and podcasts. Thanks to all of you for creating and consuming it. Being nominated or even winning an award is not the payback for why we do this, it is educating and joining in the conversation that keeps us doing it.  So please keep blogging and podcasting!

So before we get to our nominees, a word from our sponsors:

Actually a few other things to mention first as well:

1. Our judges - The nominees for the Social Security Blogger Awards are made by our blue ribbon panel of judges.  We did not announce their names before hand this year to limit the "lobbying" that they have been subjected to in the past. But now that the nominations are public, they are open to be influenced by food, liquor, baubles or other means.  Seriously a huge thank you to our judges:

Kelly Jackson Higgins

Bill Brenner

Larry Walsh

and special guest judge:

Wendy Nather

2. Eligibility - In years past anyone associated with organizing the bloggers meet up was DQ'ed from being nominated. Frankly that was silly. The fact is that Rich, Martin, Jen and Jeanne (my organizing committee fellow members), don't have a lot to do with the awards.  So the only one not eligible for any awards is me. It isn't fair to keep good blogs and people down.  Also judges could not nominate their own work, but other judges could nominate someone who is judging.  So for instance, Wendy Nather was nominated by another judge unbeknownst to her.

3. New Category - This year we are adding a new category for Security Bloggers Hall of Fame. I will be adding this to the Security Bloggers Network Site after RSA. This category is sort of a lifetime achievement award for security bloggers.  But it doesn't mean they are on their last leg.  This first year we are going to add two bloggers to the Hall of Fame.  In future years we will add one new blogger a year.

4. Who can vote - Again, I did not want to go through the ballot box stuffing that we had a few years back. So only security bloggers and podcasters can vote. If you write on security and have a URL to prove it, you can vote. Me and my election commission members will be going through each vote by hand, so please don't even bother trying to game this. Don't ruin a fun event with bad form.

OK with that out of the way, here are the nominations for the 2012 Social Security Bloggers Awards:

Best Corporate Security Blog:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast:

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

Exotic Liability http://www.exoticliability.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

The Most Entertaining Security Blog:

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

The Blog That Best Represents The Security Industry:

Krebs On Security http://krebsonsecurity.com/

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

The Single Best Blog Post or Podcast Of The Year:

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

The First Two Members Of The Security Bloggers Hall Of Fame: (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Brian Krebs (Washington Post, Krebs on Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

Bruce Schneier, Schneier On Security

OK, there you have it. Your 2012 Nominees for the Social Security Blogger Awards. You can vote if you like, right now by clicking here

Let me say from the outset that I don’t consider myself a B-sides insider and have only even attended a few B-sides events. The early ones were a bit too edgy for me. However, I have followed the growth of b-sides closely. I have been very proud of the way Mike, Jack Daniels and others have really taken these events up a notch.

Also from running the Security Bloggers Network and Bloggers Meet up and Awards at RSA these past years, I have a little experience with some of this type of stuff.

Rather than be constrained to 140 characters, I wanted to get my thoughts down here in long form. Call me old fashioned.

1. It is not easy setting up an organization as a non-profit, especially if you have never done it before. The smart thing is to hire a lawyer and accountant and let them deal with it, but that costs money too. It is especially harder if this is not your full time gig.

2. Running any organization including delegating responsibility and authority is also something that if you have not done it before is not easy.

3. Most sponsors for b-sides don’t sponsor because it is a non-profit. They sponsor to be associated and reach the attendees. Non-profit or not, they write off the sponsorship as marketing expense. I don’t think they take a tax write off as a charitable donation. In fact I have checked this with at least one sponsor of a b-sides event and the non-profit status was not an issue to them at all.

4. I know Jack Daniels and tend to believe him that the dollar amounts mentioned in the blog post are erroneous. I am waiting to see Mike Dahn’s response today and fully expect the facts around this to come out.

5. Running the bloggers meet up and awards we take in 20k to 30k a year for the party from sponsors. We don’t say we are a non-profit and we are not. However, we spend every cent every year on the party and awards(and sometimes poor Rich Mogul winds up with a tax liability). We are not transparent with the funding, but no one has ever asked frankly, including the sponsors. I would assume it is probably similar with B-sides.

6. I understand the echo chamber of Twitter, but 140 characters doesn’t give enough room for depth. Instead it shrieks loudly. Multiply that by the amount of people tweeting and it takes on a mob feel. Lets give pause and let Mike respond and let the facts come out.

7. I hope as a result of this B-sides will come out of it bigger and better than ever with a wider, deeper management team.

7. We have a great community in InfoSec, lets celebrate it at this time of year!

Happy Hanukah, Merry Christmas, Happy New Year and any other holiday you celebrate. Love your fellow man and give them the benefit of the doubt before rushing to judgement.

I am joined on this episode of the Security.Exe Podcast by some experts in risk.  I have Alex Hutton, formerly of Verizon and now a top risk officer at a top 25 financial institution, Ben Tomhave (@falconsview) of LockPath and finally last but not least, Jody Brazil of Firemon.

Of course as most of you know I have been looking at risk an awful lot lately as part of working with Jody and the Firemon guys around their Risk Analyzer product. But getting a few really smart people to talk about a concept is a great way to learn. I learned a lot listening to the folks on this episode. I think you will too!

I am thinking of expanding this discussion into perhaps a panel for a conference talk. Let me know what you think.

Enjoy!

https://365.rsaconference.com/blogs/security-blogger-meetup/2011/12/16/its-that-time-of-the-year

Christmas is just a week or so away, New Years is just around the corner.  You know what is next? Of course you do, it is RSA Conference Week and with that the 6th Annual Security Bloggers Meetup!   Can you believe it has been a whole year since we last gathered in San Francisco? More than that, can you believe this is the 6th annual Security Bloggers Meetup?  Of course the 4th annual Social Security Blogger Awards will be presented as well.

Our little get together has certainly grown since Martin McKeay, Rich Mogull and I talked about getting together with a few bloggers way back when. Of course it couldn't have gotten to where it is today without all of the hard work of Jennifer Leggio who does so much of the heavy lifting.  Add to the mix the tireless effort of Jeanne Friedman of RSA Conference and you have one hard working organizing committee.  We literally meet year round planning this event, lining up sponsors, entertainment, etc.

Speaking of sponsors, we are very proud to have a great mix of old and new sponsors for this years event.  Returning are RSA Conference, Qualys, Fortinet, Barracuda Networks and Core Trace.  Joining the mix this year are new sponsors Sourcefire and Akamai.  Thank you to each and everyone of them for allowing us to put this event on this year!

Well invites or more appropriately this year, registration requests are going out today. We are doing things a little differently this year. If you were on our list you will receive an event registration request. You need to follow the link and register for the event.  Let me warn you up front, you need to give your name, email address and blog URL.  Each registration will be reviewed by a live human (how quaint) and approved or disallowed. The usual no marketing/PR please rules apply.  Of course it is not that we don't love marketing/PR people, it is just that we built a tradition of a party by the bloggers, for the bloggers with the bloggers only.

If you think you should get a registration request but have not received one yet (check your spam folder, sometimes they get stuck there), please email Jennifer at mediaphyter@gmail.com. She will get one right out to you.

A couple of other things about this years event:

1. The Social Security Blogger Awards are back for their 4th year.  We will announce finalists for voting right after January 1. Our judges are already hard at work making their nominations.

2. Interesting entertainment and activities during the party

3. Hopefully same great food and drink

4. STILL THE BEST GROUP OF PEOPLE YOU WANT TO MINGLE WITH IN THE SECURITY INDUSTRY!

So don't wait, due to space we have to limit the number of people we can register to attend. If you got your invite, head on over and register now!

On behalf of Jennifer, Jeanne, Martin, Rich, myself and our sponsors, thanks and  can can't wait to see you!

https://365.rsaconference.com/blogs/security-blogger-meetup/2011/12/16/its-that-time-of-the-year

Christmas is just a week or so away, New Years is just around the corner.  You know what is next? Of course you do, it is RSA Conference Week and with that the 6th Annual Security Bloggers Meetup!   Can you believe it has been a whole year since we last gathered in San Francisco? More than that, can you believe this is the 6th annual Security Bloggers Meetup?  Of course the 4th annual Social Security Blogger Awards will be presented as well.

Our little get together has certainly grown since Martin McKeay, Rich Mogull and I talked about getting together with a few bloggers way back when. Of course it couldn't have gotten to where it is today without all of the hard work of Jennifer Leggio who does so much of the heavy lifting.  Add to the mix the tireless effort of Jeanne Friedman of RSA Conference and you have one hard working organizing committee.  We literally meet year round planning this event, lining up sponsors, entertainment, etc.

Speaking of sponsors, we are very proud to have a great mix of old and new sponsors for this years event.  Returning are RSA Conference, Qualys, Fortinet, Barracuda Networks and Core Trace.  Joining the mix this year are new sponsors Sourcefire and Akamai.  Thank you to each and everyone of them for allowing us to put this event on this year!

Well invites or more appropriately this year, registration requests are going out today. We are doing things a little differently this year. If you were on our list you will receive an event registration request. You need to follow the link and register for the event.  Let me warn you up front, you need to give your name, email address and blog URL.  Each registration will be reviewed by a live human (how quaint) and approved or disallowed. The usual no marketing/PR please rules apply.  Of course it is not that we don't love marketing/PR people, it is just that we built a tradition of a party by the bloggers, for the bloggers with the bloggers only.

If you think you should get a registration request but have not received one yet (check your spam folder, sometimes they get stuck there), please email Jennifer at mediaphyter@gmail.com. She will get one right out to you.

A couple of other things about this years event:

1. The Social Security Blogger Awards are back for their 4th year.  We will announce finalists for voting right after January 1. Our judges are already hard at work making their nominations.

2. Interesting entertainment and activities during the party

3. Hopefully same great food and drink

4. STILL THE BEST GROUP OF PEOPLE YOU WANT TO MINGLE WITH IN THE SECURITY INDUSTRY!

So don't wait, due to space we have to limit the number of people we can register to attend. If you got your invite, head on over and register now!

On behalf of Jennifer, Jeanne, Martin, Rich, myself and our sponsors, thanks and  can can't wait to see you!

It is Christmas time, so you know RSA Conference is not far away. If RSA is almost here, you know that is almost time for the annual Security Bloggers Meet up and Social Security Bloggers Awards. 

All of the plans have been made, the judges selected and the finalists will be announced after New Years.  As in years past all security bloggers are eligible to vote. But you will have to give your name, email and blog address.

Last years categories will return this year:

Best Corporate Security Blog

Best Security podcast

Most educational security blog

Most entertaining security blog

Security Blog that best represents the industry

The single best security blog post of the year

Additionally this year we will elect the first two members of the Security Bloggers Hall of Fame!

I will announce our judges and other information between Christmas and New Years.  This year all blogs are eligible except mine and the judges. Also be on the lookout for save the dates going out soon if you are on our list. If you are not on the list, send an email to info@securitybloggersnetwork.com or leave a comment requesting an invite. You must blog on security and no marketing/PR stuff please!

In my post yesterday I mentioned that one company that I thought is doing product  reviews right was NSS Labs.  Well Rick Moy of NSS Labs wrote me last night, having read my post.  The NSS Labs folks have had a look at what was publicly available.

Vik Phatak, CTO of NSS Labs has a blog post up on the subject here. More importantly Vik and team have put out a more complete analysis of problems they see with the way this study was conducted and some issues in Google’s behavior. You can read the analysis here.

It is a very interesting read and you should take a look for sure.  It certainly raises some questions about what went on with this browser study and calls into question some very questionable practices by Google. 

It just proves that product reviews are a dirty business and why any reader has to look at and weigh all factors in deciding how much faith to put in them.

Image via Wikipedia

My friend Bill Brenner has a post up on his Salted Hash blog today about a recent browser security study done by Accuvant LABS. The study shows that Google Chrome was the safest browser tested. Like Bill, I use Chrome too and agree with the Accuvant study.

The problem for Bill is that the study was sponsored by Google, the makers of Chrome. The fact that they paid for this study in Bill’s mind and in many other people’s minds calls the legitimacy of the entire study into question. Even if it is correct, it just doesn’t sit well with Bill.

Frankly I have the same problems with most product reviews, bake offs, analysis reports, etc. I have written about this before as well. In my mind it is a big reason why no one seems to pay attention to product reviews anymore.

It doesn’t make a difference if it is an “independent lab” doing the testing, a magazine’s testing department, industry awards or an analyst firm analyzing the market, the first thing I look at is who is paying for it. Sometimes finding out who is paying for it is not so easy or transparent either.

To be fair, some firms like Securosis for instance will say upfront that some research they are doing is being financed by a paying customer. Such was the case when Mike, Rich and Adrian did a dive on “fact based security security metrics”. The boys said upfront and at the bottom of the page that they thanked Red Seal for sponsoring the research.

Now does that mean that everything they wrote was for the benefit of Red Seal? I know Rich, Mike and Adrian too well to believe that. But it does give me pause when I read the report to remember that fact.

But I will say that over time I have come to soften my attitude on this issue (I must be getting old). For me it is a case of forewarned is forearmed and I take that disclosure in terms of evaluating how much weight to give the research. The same way a juror has to weigh the testimony of a witness depending on their believability.

In the case of Bill’s browser study, same thing. The chances that Google had a heavy hand in the study by Accuvant is pretty low, but it is something to consider. That is just the way it is.

But for Bill and the other doubting Thomas’s out there, what is the alternative?

One alternative is what Rick Moy and the guys at NSS Labs are doing. They have turned this equation on its head. They make their money from the end user, so the vendors being tested have little to no influence.

As Bill says just because Google paid for it doesn’t mean the study is wrong, but it does give you something else to consider. But since no one wants to do these tests or studies for free, someone has to pay and that is the truth of it.

Rich said “lets face it, the security blogger’s community isn’t what it used to be”. While I don’t disagree with Rich, I went back and looked at some of the numbers and some of the security blogs. While Rich is right, we don’t see as many as blog posts from the community as we used to, I think we all agree that Twitter probably plays a significant role in that. In fact the Tripwire 25 most influential people in security list seems pretty skewed towards twittter users. But that being said, there are still plenty of security blog posts being posted. The SBN feed is still fresh with lots of new posts every day.

One thing I do see is many of the posts come from corporate security blogs rather than individuals. Many of the corporate blogs don’t develop the personality that a good personal blog does. More importantly what has changed is another thing Rich brought up. We don’t comment anymore. We don’t blog back anymore.

People are blogging and putting their 2 cents into the conversation, but no one is repsonding. Oh, maybe they respond on twitter, on but it doesn’t make it into the blog. Blogging has always been and will always be a two way street. A blog should be a multi-party conversation with the blogger putting forth his ideas and others responding. They can agree, disagree, or concur, but they put their thoughts into the conversation.

One of the great things about reading a hot blog post was following the thread of comments, that was where the real action took place. Whether it was a Rothman post on Security Incite/Securosis or Tom Pcatek on Matasano, a good threat with 50 comments kept you reading for more.

Now maybe Twitter is where blog comments have gone and some of the discussion. Can we have a plug in that captures the real time of twitter comments and discussions back to the original blog post? Doesn’t sound too hard.

How about writing a blog post in response to another blog post? That is part of carrying on the conversation as well. Need something good to blog about? Go look at what your community is writing and join in.

Adam Shostack over on Emergent Chaos has a post up about Threat Modeling as a result of a conversation he had with Wendy Nather, who has her own good blog post about “what your analyst wishes you knew” (and she is not talking about your psychoanalyst either).

I am going over to both of those blogs and adding my voice to the conversation. I already tweeted Wendy’s post, but I realize that is not enough. If we are going to keep the Security blogging community strong and vibrant we have to add our voice on blogs.

What about you? Are you ready to rejoin the conversation?  If so, head over to your favorite security blog and join in.  Or better yet, write a blog in response to someone else’s blog.  It starts with you and you and you.

Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder. An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?

We have settled on a formula for risk being:

Risk (R)= Threat (T) x Vulnerability (V)

But is that the correct formula to use? Are there other factors that need to be considered?

I am joined on this podcast by Jody Brazil, President of Firemon and Gary Fish, CEO of Firemon to discuss these questions in light of Firemon's new Risk Analyzer product.

Risk Analyzer offers a new way to look at risk using risk based scenarios. Introducing concepts such as reachability, exposure and asset value into the equation, it gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks to make us more efficient.

As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. The folks at Firemon have taken a great engine that was developed at the MIT Lincoln Labs and developed some great front end features to make this a complete product. I am very excited by what it offers and I think you will be too.

Have a listen as I discuss this with Jody and Gary.

Also be advised that there was a clicking in the recording (which we obviously didn't know about when we recorded this). I have done my best using my not very considerable sound engineering skills to remove it. It is still there, but it is the best I can do and I thought the quality of the conversation was much more important than the quality of the sound.

Enjoy!

Also RSA Conference will be here before you know it and we are already planning on the next Security Bloggers Meet up and the Social Security Blogger Awards.  We will be announcing and sending out save the dates soon!

Reprinted from my Network World Blog

Security costs too much for many organizations, is open source security the answer?

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone.  One of them is that security is hard and seems to be getting harder. As a result security is also very expensive.  So expensive that only the largest of organizations who put a high value on securing their assets can afford it.  In fact some studies show that large organizations spend on average of about 3.5 million dollars a year on security.  Frankly, even that is not enough given the current state of cybersecurity.  But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live "below the security poverty line".  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She co-authored a report titled "Security Below the Poverty Line".  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right. 

I actually wrote a follow on to Wendy's report on Secure Cloud Review (another place I blog) titled, "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that like the real poor today, security poor organizations may make due on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty? 

Wendy and I discuss just this and what her research shows.  You can listen to our 15 minute discussion below.  But let me give you some insight even if you don't listen to the podcast.  The costs of security are not only the hardware and software of the security products.  The human costs of security are equally expensive.  Even deploying open source security projects will take experienced, qualified security know how. That costs money, more money than many organizations can afford.  So open source in and of itself is not going to be a panacea here. 

There are other potential ways to address this problem. Outsourcing security is one way that can spread the cost of security over time. Buying security a slice at a time instead of the whole pie at once.  But again even security as a service so to speak can be more than some companies will budget for security. 

This is an age old problem that those of us in the security space no well.  Every survey done always indicates that security is in the top two or three priorities for every CIO.  However, when it comes time to pony up the money often times their arms are too short to reach their pockets.

Wendy Nather is a great person to learn from, please take the time to listen in and hear more pearls of wisdom from her in our discussion. Also, here is to a speedy and full recovery to Wendy, who was nice enough to record this with me just a few days before having some medical procedures performed. Good thoughts and prayers to you my friend! The security world will not be the same until you are back up to full speed!

Finally many thanks to The 451 Group for making a copy of Wendy's report available for free from the link in this post, it was previously only available to paying customers of the 451 Group.

Here is the description from Trainer:

Does the concept of “Crazy Good Client Satisfaction” seem natural to you?  If so, we should talk! Ready to take a strong group of PR executives and accelerate its growth?  This may be the job for you!  Growing wicked fast, Trainer Communications, is a national award-winning high tech PR and marketing agency seeking a seeking a rock star Director of our Security Practice. The perfect person for this position knows the ins and outs of vulnerability management to zero-day threats and CAs to access management and malvertizing plus can manage up to five account teams: ensuring all metrics, deliverables and deadlines are met; and instinctively keeps pushing themselves to deliver the next greatest thing in PR and marketing.

The person we are looking for will have the chops to be considered a technology insider in the security market, can counsel clients “on the fly,” can speak to the big picture while minding the details, and be fanatical about client satisfaction.  This person enjoys building and managing a team, and can evaluate the many new client opportunities that come into Trainer on a monthly basis.  We won’t keep you chained to a desk; our directors forge new partnerships with marketing and international PR companies, attend training to facilitate career growth, and routinely share their knowledge with team members and support the agency in bringing on new clients.

Not satisfied with status quo? That’s great – we significantly invest in training and development to ensure our team continues to grow. In fact, 50 percent of our Trainer team has been promoted in the last 18 months!

All About You!

• Agency history of managing a group of at least four accounts at once with strong client satisfaction
• Can immediately get an audience with at least three prominent analysts or thought leaders
• Has a reputation for being easy to work with – and has built loyal teams that will verify how they enjoyed working with this leader
• Has committed to memory two or three personal facts about their top five “go-to” reporters and can score media results for clients very quickly
• Understands the process for creating websites, sales enablement collateral, and direct email campaigns
• Has current connections to deliver phenomenal lead gen results
• Understands lead gen options, and can guide "newbie" clients through the process
• Likes to compete and has a awards, trophies, and credentials to show for it
• Is equally effective sharing opinions in an email, one-on-one, or presenting to a group

Trainer Communications is located in the heart of Silicon Valley East (Pleasanton-based headquarters) conveniently located near BART.  Trainer offers a no-politics culture, competitive compensation and an excellent benefits package.

If this sounds like something that is perfect for you, contact Trainer

Trainer Communications
5000 Hopyard Road
Suite 125
Pleasanton, California 94588
925.271.8200

hr@trainercomm.com

I know you think they must have had a really poor security department, suffered a breach and so finally security got the attention it deserved.  You would be wrong.  How did Parrish accomplish this feat?  Easily, he “marketed security” internally to the board and stakeholders at his company.

This is a topic I have written about over the years before.  Too many times we hear security folks lament the fact that they just can’t get management to take the threats seriously. They just don’t care enough to approve the budget and resources needed to do security right.

Usually these same people will turn their nose up at marketing types. The marketing and sales people are as reptilian as Queen Anna was in the V series to these folks.  Whether it be security vendors or not, often times security admins will want to take a long hot shower after spending time with marketing and sales types.  What a mistake!

The point Parrish makes is that you need to market security. In the case of security admins you have to market to your own buyers. The decision makers and purse holders at your own company.

Parrish gives a great example of seeing that apps were being downloaded that were not approved and presented a security issue.  But these rogue apps also were driving help desk call numbers through the roof.  So instead of talking about the security threat of these rogue apps he talked about buying technology that would thwart the downloading of rogue apps which would drive help desk calls down by X% saving Y$ per year.  That is the kind of message the business managers understood and they gladly approved the budget.

If you are going to sell (and as I have said before we are all sales people in one way or another) you have to understand your customer. What is it that keeps him up at night, what are his buttons.  So start thinking of your stakeholders internally as your customers and you have to sell them. Before the sale, you have to market to them.  Think like a marketing person and you just might get the security budget you need to make your job fun again.

Image via Wikipedia

First of all let me wish my condolences and sympathies to the family, friends and colleagues of Steve Jobs.  To say he was a visionary with a profound effect on the technology world for years to come, somehow comes up short to truly describe the genius of the man.

While I was never a big Apple fan, you have to admire what he accomplished in two different stints at the company. You also have to admire his vision in buying Pixar from George Lucas and turning into yet another multi-billion dollar property.

While there are no shortage of tributes and homages to Jobs being written tonight. I wanted to go on a slightly different path. That path is to challenge the next Steve Jobs out there to go out and grab greatness.

That is right, there might be more than one next Steve Jobs out there, there are even a few not Steve Jobs out there. But take the lessons of Job’s life and his advice, go out and make it happen.

This country, this world, humanity needs more Steve Jobs. We need them to imagine, create and give us ideas and products which will make the world better. To advance the human experience in ways that make us all better.

With all of the heartfelt sympathy pouring out about Steve Jobs now, I hope it does inspire others to be the next Steve Jobs.

There is also another lesson in this all to early death of Steve Jobs. That is at the end of the day, death is the great equalizer. It makes no difference how much money you have, how much of a genius you are or even how much good you did for your fellow man.  We are all here at the grace of God. When he decides it is time to go, we have no say, we obey. That is at the end of the day the ultimate human condition that not even Steve Jobs could avoid.

As part of their relationship with the US Government, Fixmo offers mobile security solutions for free to government agencies.  Part of this is the Fixmo SafeZone. Fixmo SafeZone empowers the secure use of personal devices on a government networks by establishing a “secure container” on these devices. The organization controls the data and applications within the SafeZone, while employees control all their personal data and applications outside of this zone. This product was developed as a result of Fixmo’s CRADA with the NSA.

I am digging in trying to find out more about Fixmo, but for those who say innovation is not happening in security and that mobile needs to be more secure. Here is a new company that may be worth looking into!

Over the years I have always liked to watch at BlackHat/Defcon all of the lock picking stuff.  I wasn’t quite sure if it made sense for HackKid Con, but hey who am I to judge if people want their kids to learn to pick locks.

However, I just don’t see why we are seeing such large crowds around the lock picking table at the recent security shows I have attended.  I mean really. Is that what we as an industry should be putting our time and focus into?  At the same time we run around as Chicken Little about how hard and insurmountable our jobs are, we devote hours picking deadbolts and other locks?

Figuring that I am just an old crab (not a security curmudgeon mind you, that is reserved for old guys with long beards) I thought I would ask some folks what is with the locks? The variety of answers confirmed my thoughts.  Security people play with locks for the same reasons dogs lick themselves, that is because they can.

Here is a sample of some of the answers I heard:

1. Lock picking is sort of like security. It is about keeping people out from what you are trying to protect, so it is adjacent.

2. It keeps my kids interested in security and that is a good thing.  My kids need to know how these things work.

3. It is a great family fun activity

4. Security people love a good puzzle and picking locks is sort of like a good puzzle. It keeps us sharp

5. We fail so miserably at protecting our networks and data, it feels good to get a “win” when we pick a lock.

6. It is just a fetish and really has nothing to do with security at all (I respect the honesty)

So, as you can see the answers were a bit all over the map. This leads me to believe we are grasping at straws to justify our behavior.  So lets just say picking locks does not help us manage risk on our networks. But it feels good.

OK, now that we have that out of the way, why stop at locks?  Andrew Storm would like a Makers Fair at his security shows.  Misha Govshteyn would like a “foodie” table. Security shows are what we make of them.

This doom and gloom is contagious and becomes a self-fulfilling prophesy. I think while the challenges are certainly great, we should not forget where we came from.  I am reminded of a bit by the comedian Louis CK.

It is like the guy who complains about the WiFi not working on a plane.  Think about it. You are sitting on a huge hunk of metal, flying through the air at over 500 miles an hour at almost 40,000 feet altitude. The plane is directing an antenna at a satellite in space sending and receiving data at speeds that were unimaginable just 20 or 25 years ago even if you wired to a computer. Every once in a while it doesn’t work and you complain.  Hey guys we live in amazing times!

The same is true of IT in general. The speed of evolution (not revolution mind you) is staggering. Yes, the security industry has not been able to overtake the pace and is struggling to keep up, but we are running as fast as we can. 

Let us not forget that just 15 or 20 years ago there really wasn’t an information security industry to speak of. We have built and developed an awful lot in that time frame. I am not saying we need to rest on our laurels, but that half-empty glass is half-full too.

Another thing I hear at these shows is that the security industry is maturing and we crave better metrics to make better decisions and better strategies.  I agree with that, but for such a “mature” industry we are terribly self-centered. While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue.  Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small (3% to 4%) of their budget into security.  If something only is taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.

So lets be more positive about what we can do. Lets take our small wins and build on them instead of ridiculing them. We have come a long way and yes we have a long way to go. The rest of IT and the world will not wait for us, they will continue evolving at the breakneck pace they have been. 

But setting attainable goals, taking our wins when we can and trying to keep people positive about the mission is I think a better strategy then preaching doom and gloom that the sky is falling, even if maybe some days it seems like it is.