<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0" xml:base="http://securityincite.com">
<channel>
 <title>Security Incite Rants</title>
 <link>http://securityincite.com/blog/mike-rothman</link>
 <description>Security Incite Rants strives to inform, educate, and provide a unique (and at times controversial) perspective on the information security business.</description>
 <language>en</language>
<image><link>http://www.securityincite.com/blog</link><url>http://www.geronimollc.com/geronimo/SILogo144.gif</url><title>Security Incite Rants</title></image><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/SecurityInciteRants" type="application/rss+xml" /><feedburner:browserFriendly>This is an XML content feed. It is intended to be viewed in a newsreader or syndicated to another site, subject to copyright and fair use.</feedburner:browserFriendly><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
 <title>The Daily Incite - 7/7/09 - Life's Been Good</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/Neu4Nv_GxTc/the-daily-incite-7-7-09-lifes-been-good</link>
 <description>&lt;div style="text-align: center" id="topcontent"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" style="width: 448px; height: 107px" alt="Today's Daily Incite" /&gt;
&lt;/div&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
&lt;h2&gt;July 7, 2009 - Volume 4, #30 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
So over the holiday weekend I'm driving out to do some errands (since
what else are holiday weekends for but getting through the Honeydew
list) and Joe Walsh's Life's Been Good comes on the radio. Oh yeah. &amp;quot;&lt;span style="font-style: italic"&gt;My Maserati does 185, but I lost
my license - so now I don't drive.&lt;/span&gt;&amp;quot; Awesome. &lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/life-is-good.jpg" alt="No one cares about your problems..." style="border: 0px solid ; width: 240px; height: 183px; float: right" vspace="10" hspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
Then I look down and notice I'm wearing one of my various &amp;quot;Life is
Good&amp;quot; shirts. And since I don't much believe in coincidence, I figure
the fates are playing a trick on me and forcing me to take my foot off
the gas for a few minutes and reflect a bit. Of course, this happens on
Independence Day weekend in the US, so my first thoughts are how lucky
I am to live in a place where I can be judged based on my
accomplishments, not my dogma. 
&lt;/p&gt;
&lt;p&gt;
Then I proceed to go down the list. Family, friends, work,
home, stuff, etc. &amp;quot;&lt;span style="font-style: italic"&gt;I
have a mansion, forget the price - Ain't never been there, they tell me
it's nice.&lt;/span&gt;&amp;quot; Yep. Life's been good.
&lt;/p&gt;
&lt;p&gt;
Of course, I can focus on the stuff that's not so good and
unfortunately I spend a fair amount of time doing that. It's the way
I'm wired and 40 years of that bad, ulcer inducing habit is hard to
break. But I work every day at trying to appreciate what I have, not
what I don't. &amp;quot;&lt;span style="font-style: italic"&gt;I can't
complain, but sometimes I still do.&lt;/span&gt;&amp;quot; Right. Life's been
good. 
&lt;/p&gt;
&lt;p&gt;
As you dig into the week ahead and the week after that, and
you get kicked in the teeth a few hundred times. And you want to go
Postal on your entire organization. And your family makes you crazy.
And you gain 5 pounds. And you get a nasty case of indigestion. Just
remember, there will be good times and bad times. The deal is to handle
both with grace and style. 
&lt;/p&gt;
&lt;p&gt;
&amp;quot;&lt;i&gt;It's tough to handle this fortune and fame. Everybody's so
different, I haven't changed.&lt;/i&gt;&amp;quot; If that's the case, you're doing it
wrong. You are always changing - by definition. But YOU dictate the
terms of that change. Every day, with every action you take.
&lt;/p&gt;
Have a
great day. And thanks to Joe Walsh, whose words prove timeless over and
over again.&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Life
is Good&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/fornal/420469204/" target="_blank"&gt;Bob.Fornal&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" target="_blank" rel="tag"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" target="_blank" rel="tag"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" target="_blank" rel="tag"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" alt="The Pragmatic CSO" style="border: 0px solid ; width: 170px; height: 259px" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" target="_blank" style="font-weight: bold"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style="text-decoration: underline"&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src="http://www.pragmaticcso.com/Images/twitter-logo.jpg" style="width: 225px; height: 82px" alt="Twitter" /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I'm not sure where I'm going, but I'll get there in 140 characters - or
			less...&lt;span style="text-decoration: underline"&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.pragmaticcso.com/" target="_blank" style="font-weight: bold"&gt;&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Practice (or
	suffer the consequences)&lt;/span&gt; - Fascinating post here by &lt;a href="http://www.schwartz-pr.com/crossroads/2009/06/why_every_communications_profe.php" target="_blank"&gt;Schwartz's Marc McClellan pointing to an
	article about how the US military trains for every possible circumstance&lt;/a&gt;,
	even having to fight without a network. Obviously those in commercial
	land don't have the resources to literally practice for every possible
	combination, but you need to ensure your incident/crisis response
	capability is up to snuff. And that you practice regularly and
	seriously. Remember, the time to find out your IR plan sucks is not
	during an incident.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Key questions
	to getting started &lt;/span&gt;- Jack Danahy of Ounce Labs put
	together &lt;a href="http://www.ebizq.net/topics/data_security/features/11409.html" target="_blank"&gt;a decent byline for ebizQ on which questions
	to ask to &amp;quot;avoid security suffering.&amp;quot;&lt;/a&gt; That language has some
	Buddhist undertones, so I figured he'd be talking about being in the
	now and not worrying about what you can't control. But alas, it was
	just common sense stuff like making sure you know what you are trying
	to protect and why you are worried about securing it. Though I like to
	see common sense in print because in the day to day battles, we tend to
	forget that many of our issues could be addressed with a little dose of
	common sense. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;OWASP cloud
	survey &lt;/span&gt;- Boaz goes over &lt;a href="http://www.boazgelbord.com/2009/06/owasp-security-spending-benchmarks.html" target="_blank"&gt;some results from an OWASP survey about
	cloud computing&lt;/a&gt;. The results are predictable. Most
	organizations that say &amp;quot;cloud&amp;quot; are really talking about &amp;quot;SaaS.&amp;quot; There
	isn't any additional security budget for those doing computing in the
	cloud. Most troubling (though not at all surprising) is that most
	organizations are just rushing headlong into SaaS/cloud (yes, Hoff I
	use the terms interchangeably to piss you off) without really
	understanding the security ramifications. Until there is a high speed
	collision, it's not going to change. But again, as a practitioner you
	can at least ask the questions of your ops folks and make sure you are
	on record saying that it's important to think about security. Then you
	have ammo to present your case at your next set of job interviews.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;The enemy is
	us (or how to break in an intern - Shrdlu style)&lt;/span&gt; - I love
	fictionalized stories that are really grounded in the truth, but by
	fictionalizing them we can laugh. Instead of cry. &lt;a href="http://layer8.itsecuritygeek.com/layer8/bsofh-alls-fair-in-security-and-war" target="_blank"&gt;Shrdlu posts a masterpiece on how to &amp;quot;defeat
	management&amp;quot; by leveraging Sun Tzu and a Taser&lt;/a&gt;. Since most of
	us need a laugh or two a day to stay sane - make this one of
	them.  &lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Yes Scarlett,
	someday you'll be dead&lt;/span&gt; - Hopefully it's no time soon, but
	the &lt;a href="http://securosis.com/blog/things-to-do-in-encryption-when-youre-dead/" target="_blank"&gt;Mogull does a great job of making sure you
	know what to do in the unlikely event of your untimely demise&lt;/a&gt;.
	Especially given that you are a security person and probably encrypt
	all of your stuff. The rest of the non-paranoid world probably has it a
	bit easier in that their survivors just log into their computer, open
	Quicken and they are done. Everything is there. Us security folks
	wouldn't dream of making it that easy. But Rich makes the right points
	about storing everything in a secure password/notes vault (I use
	1Password for that) and sending that file, along with instructions on
	how to open it to your executor/lawyer. Now let's hope none of us have
	to use those instructions any time soon.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Digital
	security helps long term competitiveness?&lt;/span&gt; - Uh, most of
	the time I agree with Bejtlich. But I think he's a bit off the
	reservation with this post on &lt;a href="http://taosecurity.blogspot.com/2009/06/effective-digital-security-preserves.html" target="_blank"&gt;how digital security can help long term
	competitiveness&lt;/a&gt;. He riffs off a speech from GE's CEO about
	the need to continue investing in R&amp;amp;D to be a sustained winner
	in any market. And then wraps that back into a treatise on why securing
	intellectual property is important to maintaining that competitiveness.
	To be clear, if a competitor wants to steal your stuff and is willing
	to organize a coordinated effort, they are going to do it. In fact,
	Richard's entire team is dedicated to responding to that inevitability.
	But I think it's a stretch to align security and long term
	competitiveness. For the simple reason that you could be protecting the
	next Segway.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;h1&gt;Last week's Tweets of Note&lt;/h1&gt;
I enjoyed Tweeting during the Gartner show last week. Got to provide my
real time feedback to what the Big G was up to and got responses from
my peeps as well. So that was most of my Twitter action, though
yesterday I did pick out a few clips of note to highlight. &lt;br /&gt;
&lt;ul&gt;
	&lt;li&gt;Made it to #gartnersecurity. Will be tweeting interesting
	tidbits. Not good start. No carpet in hall for breakfast. Budget cuts,
	I guess.&lt;/li&gt;
	&lt;li&gt;Dilbert nails how vendors deal with the online lynch mobs. &lt;a href="http://bit.ly/VyBmD" target="_blank"&gt;http://bit.ly/VyBmD&lt;/a&gt; 
	#ihatemarketing&lt;/li&gt;
	&lt;li&gt;Big message from #GartnerSecurity keynote. Security folks
	have to change. Really! Does this really help practitioners fending
	off bad guys?&lt;/li&gt;
	&lt;li&gt;Now a panel of CIO, CISO, auditor and admin. Like watching a
	therapy session. Trying too hard to find a purpose. #gartnersecurity&lt;/li&gt;
	&lt;li&gt;Impedance mismatch at #gartnersecurity. These guys look
	5-10 YEARS out. Practitioners look out 5-10 minutes. #manageexpectations&lt;/li&gt;
	&lt;li&gt;Dept of redundancy dept. CISOs need &amp;quot;soft skills,&amp;quot; getting
	to yes. Comms skills. Business acumen. Should give out P-CSO.
	#gartnersecurity&lt;/li&gt;
	&lt;li&gt;@jasonmoliver same crap I've been talking about for years.
	Understand business. Communicate better. Accept that things will get
	worse.&lt;/li&gt;
	&lt;li&gt;According to king pescatore, new threats don't seem to be
	new at all. Which I kind of agree with. #gartnersecurity&lt;/li&gt;
	&lt;li&gt;Bot like things will be the main malware delivery vehicle
	for the next 2-3 years. Again I agree. #gartnersecurity
	#hateagreeingwithgartner&lt;/li&gt;
	&lt;li&gt;My conclusion on pescatore's nextgen threats? It's all
	about data security. But we'll focus on shiny widgets. Like always.
	#gartnersecurity&lt;/li&gt;
	&lt;li&gt;In the risk metrics and measurement at #gartnersecurity.
	Another content free session. Disappointing. Definitely not @arj (Andy
	Jaquith) level.&lt;/li&gt;
	&lt;li&gt;Metrics are hard. Would be much more interesting to hear
	what others are doing. Or of all horrors, a big end user profile.
	#gartnersecurity&lt;/li&gt;
	&lt;li&gt;Jeff Wheatman: &amp;quot;can't do a balanced scorecard for security&amp;quot;
	- challenges in the benefit line. #masteroftheobvious #gartnersecurity&lt;/li&gt;
	&lt;li&gt;Bad news is good for media business. Until the point of
	fatigue. &lt;a href="http://bit.ly/zqOKK" target="_blank"&gt;http://bit.ly/zqOKK&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;User session at #gartnersecurity is awesome. A real crisis
	story. Kudos to presenter for sharing. #informationsharingisgood4u&lt;/li&gt;
	&lt;li&gt;&amp;quot;Doing the right thing is good for you in the long run.&amp;quot;
	&amp;lt;- true dat. #instantgratificationisnotgratifying
	#gartnersecurity&lt;/li&gt;
	&lt;li&gt;MSSP selection session at #gartnersecurity one of most
	useful of the day. Specifics on how to frame rqmts and
	strngths/weakness of providers&lt;/li&gt;
	&lt;li&gt;Bad case @gartnersecurity fatigue. Flapping lips in
	cybercom panel not helping. Time to go home.&lt;/li&gt;
	&lt;li&gt;Epiphany alert. Security pros too busy resetting firewalls
	than learn sec101. So most sessions @ #gartnersecurity for
	interns-level folks.&lt;/li&gt;
	&lt;li&gt;Cisco session @ #gartnersecurity is insultingly basic.
	Olechowski should scream at someone for making him do this pitch.&lt;/li&gt;
	&lt;li&gt;OMG. Nicolett mentioned eIQ in his session at
	#gartnersecurity. Now I can die a happy man. &lt;/li&gt;
	&lt;li&gt;Total awesomeness: Sturgeon's law. 90% of anything is crap.
	I challenge you to find exceptions. &lt;a href="http://bit.ly/csuhu%27s_law" target="_blank"&gt;http://bit.ly/csuhu's_law&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Congrats to #LogMeIn, another successful tech IPO. Let the
	floodgates open! #1999liquidityisback-NOT! &lt;a href="http://is.gd/1p3Pm" target="_blank"&gt;http://is.gd/1p3Pm&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Scathing analysis of insider dealing on the Entrust private
	equity buy-out... #mgmttriestoscrewsshareholders &lt;a href="http://is.gd/1p3Zk" target="_blank"&gt;http://is.gd/1p3Zk&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;webroot is very focused on cloud. Though most of business
	is consumer. Again going after SYMC/MFE on their turf. GLWT &lt;a href="http://is.gd/1pb16" target="_blank"&gt;http://is.gd/1pb16&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;IDaaS is the new new thing. Skeptical that folks would send
	identity info to cloud, but I've been consistently wrong. &lt;a href="http://is.gd/1pbbP" target="_blank"&gt;http://is.gd/1pbbP&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Rasmussen makes Grumpy Pete and @stiennon look like low
	self-esteem poster boys. &lt;a href="http://is.gd/1pbiH" target="_blank"&gt;http://is.gd/1pbiH&lt;/a&gt;
	#selfimportancesyndrome-bigtime&lt;/li&gt;
	&lt;li&gt;Does anyone really believe Enterasys grew NAC revenues
	300%+? &lt;a href="http://is.gd/1pbAP" target="_blank"&gt;http://is.gd/1pbAP&lt;/a&gt;
	#getmesomeofthatfuzzymath&lt;/li&gt;
	&lt;li&gt;Quote from Fake Steve about Apple smart phone dominance:
	&amp;quot;The iPhone is our castle, but the App Store is our moat.&amp;quot; &lt;a href="http://is.gd/1pW5M" target="_blank"&gt;http://is.gd/1pW5M&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=Neu4Nv_GxTc:YmAXXE-pjNc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=Neu4Nv_GxTc:YmAXXE-pjNc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=Neu4Nv_GxTc:YmAXXE-pjNc:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SecurityInciteRants/~4/Neu4Nv_GxTc" height="1" width="1"/&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-7-7-09-lifes-been-good#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Tue, 07 Jul 2009 09:51:11 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1086 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-7-7-09-lifes-been-good</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 6/29/09 - Under Construction</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/9Wjch7_XEXM/the-daily-incite-6-29-09-under-construction</link>
 <description>&lt;div id="topcontent" style="text-align: center"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" /&gt;
&lt;/div&gt;
&lt;div id="leftcontent" style="font-size: 10pt; font-family: Arial"&gt;
&lt;h2&gt;June 29, 2009 - Volume 4, #29 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
It's my first day back from a week of R&amp;amp;R, so I thought I'd share
some random thoughts. The first has to do with a trip back to my old
stomping grounds in VA I took recently. It was like going to a high
school reunion and seeing that most of the folks there looked terrible.
The area was a mess with construction everywhere. &lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/under-construction.jpg" style="border: 0px solid ; width: 240px; height: 144px; float: right" alt="Be patient. It'll be great when we are done..." hspace="10" vspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
Given the congestion in the Northern Virginia area, any work they do is
both necessary and required, but the place was in tatters. You can
remember the good old days when the cheerleaders were cool and everyone
had their best days ahead. Or you can focus on the fact that as time
goes on, some areas (or people) wear better than others. 
&lt;/p&gt;
&lt;p&gt;
Or you could focus on the fact that in one way or another we
are all under construction. So you can appreciate what was, think about
what's to come and understand whatever it is is just fine for right
now. See, I told you - random stuff.
&lt;/p&gt;
&lt;p&gt;
The Boss was quite kind to me when we were away and let me
plow through a number of books. And no, I didn't read the latest
marketing manifestos. I wanted some diversionary drivel, and I got it.
First I read two of &lt;a href="http://danielsilvabooks.com/content/books.asp" target="_blank"&gt;Daniel Silva's books from the Gabriel Allon
series&lt;/a&gt; (The English Assassin and The Confessor). Good stuff.
Fast paced, good plot. Not enough graphic hand to hand combat, but the
plot complexities made up for it. 
&lt;/p&gt;
&lt;p&gt;
Next up, I read Raymond Khoury's &lt;a href="http://www.raymondkhoury.com/book/book_templar.asp" target="_blank"&gt;The Last Templar&lt;/a&gt;. This was
basically a Dan Brown rip-off, which they made into a mini-series. The
concept was intriguing, but the execution was a bit hollow and
far-fetched. I know all thriller novels are far-fetched, but the last few
action scenes in this one stretched my imagination. Finally I tackled &lt;a href="http://www.harlancoben.com/static/novels/db.htm" target="_blank"&gt;Harlan Coben's Deal Breaker&lt;/a&gt;, which
was a total change of pace and dealt with a sports-tinged plot of
intrigue. It was decent, a bit predictable, but Coben is pretty funny -
so it was a decent read. 
&lt;/p&gt;
We can also wish a freaky farewell to the King of Pop. Here is a
great article about &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/06/27/AR2009062701934.html" target="_blank"&gt;his early days at the world famous Apollo
Theater&lt;/a&gt;. I read in a number of places, and my own family spent a
bunch of time talking about the clear similarities between Michael
Jackson and Elvis. But being in that kind of burning spotlight for
decades definitely warps things, so I can only hope he finds the
Dancing Machine in the great beyond. Though many folks never can say
goodbye...&lt;br /&gt;
&lt;br /&gt;
Have a
great day.&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Under_Construction_Sign&lt;/span&gt;&amp;quot;
originally uploaded by &lt;a href="http://www.flickr.com/photos/uberbeam/3471419406/" target="_blank"&gt;uberbeam&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" rel="tag" target="_blank"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" rel="tag" target="_blank"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" rel="tag" target="_blank"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style="text-decoration: underline"&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src="http://www.pragmaticcso.com/Images/twitter-logo.jpg" alt="Twitter" style="width: 225px; height: 82px" /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I'm not sure where I'm going, but I'll get there in 140 characters - or
			less...&lt;span style="text-decoration: underline"&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank"&gt;&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
Only having time to cover maybe 4 or 5 interesting posts a week has
forced me to be pretty selective. Overall I think this is a good thing.
But I'm sure none of you are bashful and will let me know if it sucks.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Cybercom is
	da shizzle&lt;/span&gt; - No, I have no idea what a shizzle is, but it
	was interesting last week to get the formalization of the &lt;a href="http://www.nytimes.com/2009/06/24/technology/24cyber.html" target="_blank"&gt;US DoD's cyber-defense initiatives under a
	common banner&lt;/a&gt;. To be led by the head of the NSA, but not
	within the NSA. Uh-huh. Anyhow, I do think that leverage is good and
	setting a common policy is good. Can you truly centralize anything with
	15,000 separate networks and 7 million+ devices? No frackin' way. But
	at least setting a set of guidelines isn't a bad thing. Though it'll be
	interesting to see how cyber-com differs in reality from NIST.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;The real
	auditing Top 10 list &lt;/span&gt;- The man known only as Shack has a &lt;a href="http://daveshackleford.com/?p=211" target="_blank"&gt;wonderfully
	snarky analysis of the Top 10 things auditors aren't telling you&lt;/a&gt;,
	and it's dead on. Basically audit (and PCI assessment for that matter)
	is a very competitive business, which means it's all about cutting
	costs. So you'll see the bait and switch (#3) and also the auditor may
	likely back down if you yell loud enough. Unless you get the know it
	all (#9) or the one worried about being the next Arthur Andersen (#10)
	and then figure out how to go over the auditor's head. Of course, snark
	aside - there are cases where the audit can be productive and where you
	can treat the auditor as a peer, which is the Pragmatic way. Though to
	get to a productive place, you need to understand where the auditor is
	coming from. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Skeptics
	anonymous meeting at 10 &lt;/span&gt;- The Mogull has had too much
	time to think. And that's with a newborn. Maybe if there is a next go
	around, he (and the lovely Mrs. Mogull) can have twins so he doesn't
	have time to think all skeptical and stuff. But &lt;a href="http://securosis.com/blog/science-skepticism-and-security" target="_blank"&gt;his series on Skepticism in security&lt;/a&gt;
	rang very true to me because part of every job is to make decisions
	with less than perfect data and we have to be skeptical about stuff.
	But that results in the business thinking we security folks are just
	&amp;quot;Dr. No&amp;quot; and that isn't productive over time. So I'd love folks to be
	more skeptical and get all &lt;a href="http://www.amazon.com/New-School-Information-Security/dp/0321502787/" target="_blank"&gt;New School&lt;/a&gt; and share data and be
	more scientifically rigorous, but we need to tread carefully. Because
	any credibility we are building taking a &amp;quot;Yes, but&amp;quot; position (as
	opposed to a NO! position).&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;CISO = DoDo
	bird?&lt;/span&gt; - Funny, there are a lot of folks questioning the
	long term viability of the senior security staffer position. I've
	certainly been one of them for a long time. I'm here at the Gartner
	Security show this week (follow my updates via Twitter &lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;)
	and the first keynote is about how the CISO needs to evolve. And &lt;a href="http://layer8.itsecuritygeek.com/layer8/comments/whither-the-ciso/" target="_blank"&gt;Shrdlu has a good post about how to evolve
	as a CISO&lt;/a&gt;, especially given there are very few formal
	education programs for a senior security folk. Again, I have to default
	to being Pragmatic. We are BUSINESS PEOPLE and that means we need to
	learn more about the business. Maybe spend a week in a factory. Or in
	the field with sales folks. Or in the customer support group. We need
	to have a firm understanding of how the business works and then we'll
	better understand how to protect it. So don't expect anyone (not even
	the pirates from SANS) to provide a curriculum to gain skills. The
	answer is right in your own house, you just have to get out of your
	easy chair to get it.  &lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;h1&gt;Last week's Tweets of Note&lt;/h1&gt;
Since I was off last week, I didn't do a whole lot of tweeting. But
here is the stuff I pointed out. I'll be more active this week... &lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
	&lt;li&gt;Rothman (w/ @eiqnetworks hat on) does podcast with
	TechTarget's Andy Briney on SIM market. &lt;a href="http://is.gd/12CbQ" target="_blank"&gt;http://is.gd/12CbQ&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;If you are vendor, you must follow @crankypm. She speaks
	the truth about how the sausage is made. And it ain't pretty. &lt;a href="http://is.gd/12CgF" target="_blank"&gt;http://is.gd/12CgF&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Don't be too happy. It's politically incorrect (even with
	$36MM burning a hole in your pocket). Tom Peters rant: &lt;a href="http://is.gd/13qJ1" target="_blank"&gt;http://is.gd/13qJ1&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;CSO role changing? Techie to business exec. &lt;a href="http://is.gd/13rk2" target="_blank"&gt;http://is.gd/13rk2&lt;/a&gt;
	Remember Deming: It's not necessary to change. Survival is not
	mandatory.&lt;/li&gt;
	&lt;li&gt;No, you look great in that MooMoo. But if not, link from a
	TDI reader on a good eating plan from Texas Tech. &lt;a href="http://is.gd/13rwJ" target="_blank"&gt;http://is.gd/13rwJ&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;IM Logic deal was such a success, #SYMC needed to launch a
	new IM Security Service. Back to 2004! &lt;a href="http://is.gd/13rLS" target="_blank"&gt;http://is.gd/13rLS&lt;/a&gt; #lovetimemachine&lt;/li&gt;
	&lt;li&gt;Cisco launches Flip Video Sharing Service. &lt;a href="http://is.gd/13suI" target="_blank"&gt;http://is.gd/13suI&lt;/a&gt;
	#watchuglypeoplescrewing&lt;/li&gt;
	&lt;li&gt;Not much rumble about start-up Dasient. Seems like a
	feature to me. Other opinions? &lt;a href="http://bit.ly/acNnG" target="_blank"&gt;http://bit.ly/acNnG&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Off to do @andrewsmhay favorite SIEM panel with 5 other
	vendors. Should have had hemlock with lunch. &lt;a href="http://bit.ly/iyzEI" target="_blank"&gt;http://bit.ly/iyzEI&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Heartland picks Voltage to build end to end crypto thing.
	Hopes this will subdue class action vultures. Not so much. &lt;a href="http://bit.ly/rPnJi" target="_blank"&gt;http://bit.ly/rPnJi&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Been banging my head against wall for 90 minutes. Made a
	mess in conference room. #SIEMcast&lt;/li&gt;
	&lt;li&gt;Google &amp;quot;considers&amp;quot; tightening web app security. &lt;a href="http://is.gd/15nci" target="_blank"&gt;http://is.gd/15nci&lt;/a&gt;
	&amp;lt;- Quick response, but a grin fookng nonetheless.&lt;/li&gt;
	&lt;li&gt;RT @shrdlu: Checkpoint is advertising something called
	&amp;quot;WHALE pricing.&amp;quot; &amp;lt;- Maybe they can call it &amp;quot;SUCKER pricing&amp;quot;&lt;/li&gt;
	&lt;li&gt;I look at this post from @paperghost and I don't feel bad
	that idiots who fall for this crap get the pwning they deserve. &lt;a href="http://is.gd/15yhT" target="_blank"&gt;http://is.gd/15yhT&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;June Fortune Cookie Advice from Matthew Rosenquist (&lt;a href="http://is.gd/15zq2" target="_blank"&gt;http://is.gd/15zq2&lt;/a&gt;):
	Think strategic. Act competitive. Be secure. &amp;lt;- Kumbaya.&lt;/li&gt;
	&lt;li&gt;Bad career advice from @mmurray @ljkush? Not Machiavellian
	enough. Feed boss hemlock and step over body on way to top! &lt;a href="http://is.gd/15A52" target="_blank"&gt;http://is.gd/15A52&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;The real Grumpy Pete tries to take on Bejtlich relative to
	ROSI. This does not end well. &lt;a href="http://is.gd/15FcX" target="_blank"&gt;http://is.gd/15FcX&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Mastercard initiates QSA stimulus package (on-site for L2
	merchants). Methinks they'll all be qualified. (via @mckeay) &lt;a href="http://is.gd/15Ftv" target="_blank"&gt;http://is.gd/15Ftv&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;My Father's Day present is the realization that my kids will
	be able to work it out in therapy.&lt;/li&gt;
	&lt;li&gt;Schneier shows the precursor of the great Internet
	commerce backlash. If fraud is this prevalent folks will just stop. &lt;a href="http://is.gd/19Cc5" target="_blank"&gt;http://is.gd/19Cc5&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-29-09-under-construction#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 29 Jun 2009 07:51:39 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1085 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-29-09-under-construction</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 6/15/09 - RIP DDL</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/UZbIDYCYZwU/the-daily-incite-6-15-09-rip-ddl</link>
 <description>&lt;div style="text-align: center" id="topcontent"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" style="width: 448px; height: 107px" alt="Today's Daily Incite" /&gt;
&lt;/div&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
&lt;h2&gt;June 15, 2009 - Volume 4, #28 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
I have to admit that when I read earlier this month that &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/05/05/AR2009050501789.html" target="_blank"&gt;Dom DeLuise had passed away&lt;/a&gt;, I was
a bit saddened. Of course, I didn't know him - but I certainly remember
the laughter he brought to me during my childhood years. You had to
love him in Cannonball Run and the Mel Brooks classics Blazing Saddles
and History of the World: Part 1. He always seemed like he had a love
of life. Maybe that was his persona, but I chose to believe it back
then.&lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/Dom_Deluise_stationary.jpg" alt="Wonder if he got that on Moo.com" style="border: 0px solid ; width: 240px; height: 160px; float: right" hspace="10" vspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
I also remember his role in the movie &lt;a href="http://www.imdb.com/title/tt0080724/" target="_blank"&gt;Fatso&lt;/a&gt;.
That one was hard for me to watch back in 1980 because well, um, I was
fat. When he went through the binge scene and his inability to get a
handle on it, I understood. All too well.
&lt;/p&gt;
&lt;p&gt;
Of course, the movie has a happy ending and Dom's character
gets the girl and realizes that it's all about love and that his love
for someone else can fill the place of his love of food. Most of the
time characters in movies aren't like you. As much as I like to think
I'm just like Indiana Jones or Captain Kirk or Tyler Durden, I'm
not. 
&lt;/p&gt;
&lt;p&gt;
But I was the Fatso character, and seeing that movie gave me
hope. Until I cracked open that bag of semi-sweet chocolate morsels
anyway. 
&lt;/p&gt;
I've been working to address those lifelong demons for the past few
years. I'm happy to say I'm making progress. It's a battle every single
day, but as I realize what's important and what makes me happy and try
my best to do that every day - I find the need to mow through a pizza
or bag of chips diminishes.&lt;br /&gt;
&lt;br /&gt;
It's also why I totally got into the &lt;a href="http://www.biggestloser.com/" target="_blank"&gt;Biggest
Loser&lt;/a&gt; show on TV this past season. The Boss and I used to
watch the last few episodes of each season, but this year we saw every
single one (thanks to the wonders of DVR). It was amazing to see the
transformation of the contestants. Not just on the outside (which was
unbelievable), but also on the inside. These are different folks after
6 months. You can only hope they've addressed their demons and can
sustain the change.&lt;br /&gt;
&lt;br /&gt;
Maybe it's wrong, but we also let the kids watch the show. Genetically,
it's pretty likely they'll all have to be careful with their nutrition.
But we've decided the messages shown prominently on the show about
eating (you have to eat enough, but the right stuff - starving doesn't
get it done) and exercise (you have to do it, and a lot of it) are
important for them to learn at as early an age as possible. Obviously
you don't want to go overboard and make them crazy, but you also can't
expect them to get good habits by hoping.&lt;br /&gt;
&lt;br /&gt;
So with that, have a
great day. And I can only hope Dom D is enjoying his 20 course meal in
the great cafe in the sky...&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Dom
DeLuise's Stationary&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/activitystory/76103574/" target="_blank"&gt;activitystory&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" target="_blank" rel="tag"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" target="_blank" rel="tag"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" target="_blank" rel="tag"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" alt="The Pragmatic CSO" style="border: 0px solid ; width: 170px; height: 259px" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" target="_blank" style="font-weight: bold"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;&lt;big&gt;&lt;big&gt;&lt;big&gt;Follow
			me on Twitter:&lt;span style="text-decoration: underline"&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;/span&gt;&lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;&lt;/big&gt;&lt;/big&gt;&lt;/big&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;img src="http://www.pragmaticcso.com/Images/twitter-logo.jpg" style="width: 225px; height: 82px" alt="Twitter" /&gt;&lt;br /&gt;
			&lt;br /&gt;
			I'm not sure where I'm going, but I'll get there in 140 characters - or
			less...&lt;span style="text-decoration: underline"&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.pragmaticcso.com/" target="_blank" style="font-weight: bold"&gt;&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
It's actually been kind of hard to choose what to highlight in the now
&amp;quot;weekly&amp;quot; Incite. So I go to some old favorites and some of the guys
that actually do some thinking in this business. Certainly not vendor
hacks like me. Enjoy.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Understanding
	the &amp;quot;Phases of Compromise&amp;quot;&lt;/span&gt; - Bejtlich is at it again.
	Pushing us all forward with a series on how to not just understand, but
	communicate the specifics around incidents. Since he works for BFC (big
	freakin' company) now, communicating severity of incidents up the food
	chain is critical. So Richard first &lt;a href="http://taosecurity.blogspot.com/2009/05/information-security-incident-rating.html" target="_blank"&gt;discusses a rating system&lt;/a&gt;, then
	rethinks this as &lt;a href="http://taosecurity.blogspot.com/2009/05/information-security-incident-rating.html" target="_blank"&gt;it's more of a &amp;quot;classification&amp;quot; concept&lt;/a&gt;,
	and finally distills this into a discussion of the &lt;a href="http://taosecurity.blogspot.com/2009/06/incident-phases-of-compromise.html" target="_blank"&gt;phases of compromise&lt;/a&gt;. We can
	noodle over the specifics of one classification vs. another, but in
	reality whatever tags you use are fine. Just use them and communicate
	what they mean, and be consistent. And feel lucky that a guy like
	Richard continues to share his perspectives for a great price.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Strategic
	customer is a two way street &lt;/span&gt;- I'm fascinated by the
	continued attempts of folks to want to feel special. This &lt;a href="http://www.networkworld.com/news/2009/042709-burning-security-stategic-best-in-breed.html" target="_blank"&gt;NetworkWorld article discusses whether it
	makes sense to look for a &amp;quot;strategic&amp;quot; security provider or focus on
	best-in-breed offerings&lt;/a&gt;? First of all, I don't know what
	best-in-breed means. But there's a bigger issue. Unless you work for
	BFC (big freakin' company) and you have a pipe to the vendor's CEO, you
	are not a STRATEGIC customer for the vendor. Thus, you shouldn't
	consider the vendor a strategic partner of yours. Sure, you can look to
	simplify your environment by using products from a select few vendors.
	But don't delude yourself about how &amp;quot;strategic&amp;quot; you are to the vendor.
	For the most part, they care about the next PO you generate, not much
	more. (Salesman nasty grams can be directed to feedback@screwoff.com) &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Fight battles
	you can win &lt;/span&gt;- This post from &lt;a href="http://1raindrop.typepad.com/1_raindrop/2009/06/still-waiting-to-meet-a-developer-who-wants-to-write-insecure-code.html" target="_blank"&gt;Gunnar vents a bit about secure coding
	defeatism&lt;/a&gt;, and he's right but more than a little idealistic.
	We have to continue fighting to get developers to do the right stuff or
	life will NEVER get better. That being said, you are not going to get
	everyone on board in one fell swoop. Even if you have a senior mandate
	(unless you are MSFT). So look for &amp;quot;poster children,&amp;quot; those developers
	that get it and want to do the right thing and are willing to stand up
	and say so. Make them successful, highlight their successes as an
	example (quick win) to the other developers. And be realistic about how
	long it will take to change. Inertia is a really hard thing to combat...&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Letting the
	&amp;quot;market&amp;quot; give PCI some teeth&lt;/span&gt; - Le Mogull &lt;a href="http://securosis.com/blog/how-market-forces-can-fix-pci/" target="_blank"&gt;vents a bit here about making PCI better&lt;/a&gt;.
	I agree that PCI has been a good thing all things considered, but as
	we've all discussed, there needs to be real teeth and real
	accountability for these jokers that do the QSA assessments. Of Rich's ideas, the
	one requiring merchants to publicly disclose when they change assessors
	is the most interesting. Clearly QSA work is a competitive business
	and that means unsavory folks will say what the merchant wants them to
	say and say it for a low price. If you hold them accountable for such
	shenanigans, then we have a fighting chance of making PCI better. And
	that involves pulling back the cloak of secrecy on failed assessments
	and changing assessors. &lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;h1&gt;Last week's Tweets of Note&lt;/h1&gt;
I'm still trying to figure out how to most effectively do this Twitter
thang, but thus far it's been a mix of conversation, banter and some
interesting links. I suspect most of you are not interested in the
banter or conversation, so I'll just highlight the links I thought were
interesting. Please note the links are shortened and if you click on
them, it's on you. But that's the way Twitter rolls. &lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;
	&lt;li&gt;Today's Dilbert nails it (AGAIN). @arj this is the hamster
	wheel of CEO wealth. &lt;a href="http://dilbert.com/strips/" target="_blank"&gt;http://dilbert.com/strips/&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Must check this out from Daily Show. Especially if you have
	g-parents in FLA. Watch the whole thing. &lt;a href="http://is.gd/1023o" target="_blank"&gt;http://is.gd/1023o&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Palo Alto to offer traffic shaping. Awesome, that worked
	pretty well for Check Point 10 years ago. &lt;a href="http://is.gd/102P5" target="_blank"&gt;http://is.gd/102P5&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;For anyone in a VC funded co: &lt;a href="http://is.gd/10356" target="_blank"&gt;http://is.gd/10356&lt;/a&gt;
	(via @avc)&lt;/li&gt;
	&lt;li&gt;Confidential snooping on the rise, says Cyber-Ark. The
	answer: more cyber-ark product - OF COURSE. &lt;a href="http://is.gd/103hm" target="_blank"&gt;http://is.gd/103hm&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Awesome post by the Mogull. Very pragmatic. &amp;quot;All patients
	die...eventually.&amp;quot; No one outruns the Grim Reaper. &lt;a href="http://bit.ly/13mRFL" target="_blank"&gt;http://bit.ly/13mRFL&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Freeware AV taking share, but not because of price? Yeah
	right. &lt;a href="http://bit.ly/qZtur" target="_blank"&gt;http://bit.ly/qZtur&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;While everyone focuses on iPhone 3GS, I'm most excited
	about Snow Leopard. Finally will kill Entourage. All for $29. &lt;a href="http://bit.ly/64ko5" target="_blank"&gt;http://bit.ly/64ko5&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Great video for all those dim marketers you deal with
	daily, including me. &lt;a href="http://bit.ly/GCnRx" target="_blank"&gt;http://bit.ly/GCnRx&lt;/a&gt;  (via
	@crankypm)&lt;/li&gt;
	&lt;li&gt;This is why location scares the crap out of me. No out of
	office messages. And I don't tell you where I am. &lt;a href="http://bit.ly/Y5Z6e" target="_blank"&gt;http://bit.ly/Y5Z6e&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;This is one school superintendent you shouldn't mess with.
	Wonder if he used a @Beaker or @jeremiahg armbar? &lt;a href="http://bit.ly/RWhLN" target="_blank"&gt;http://bit.ly/RWhLN&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;MFE trying to get back in the net security game. Just say
	&amp;quot;next generation&amp;quot; and &amp;quot;lower ops costs.&amp;quot; That's the ticket. &lt;a href="http://bit.ly/BcDie" target="_blank"&gt;http://bit.ly/BcDie&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Interesting backstory on Symantec/Brightmail. Enrique talks
	about planning the IPO, while working a Big Yellow Check. &lt;a href="http://bit.ly/17jAbE" target="_blank"&gt;http://bit.ly/17jAbE&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Steve Riley on proof of work systems to change spam
	economics. Until stupid people stop buying from spam, nothing changes. &lt;a href="http://bit.ly/dVbtx" target="_blank"&gt;http://bit.ly/dVbtx&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Security spend survey (MetroSITE Group, March 2009). Most see security
	budgets coming down. Compliance main driver. Shocker! &lt;a href="http://is.gd/Ybd6" target="_blank"&gt;http://is.gd/Ybd6&lt;/a&gt;
	(pdf)&lt;/li&gt;
	&lt;li&gt;Oh nos, now it's MSFT free AV going to take down SYMC and
	MFE. Again. Guess it must be a slow news week. &lt;a href="http://is.gd/YQ9s" target="_blank"&gt;http://is.gd/YQ9s&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;June issue of InfoSec Mag posted. Lead story on SIMs. &lt;a href="http://is.gd/YQXg" target="_blank"&gt;http://is.gd/YQXg&lt;/a&gt;
	- Anyone else miss the hardcopy version? PDF just not the same...&lt;/li&gt;
	&lt;li&gt;RSA's new term: hyperextended enterprise. Sounds really
	painful. Results from @beaker armbar - &lt;a href="http://is.gd/Z0YL" target="_blank"&gt;http://is.gd/Z0YL&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Move to DC: cost $$. Leave fancy job: $$$ Take
	cyber-security czar job: Not enough $$$ in world. @DennisF speculates. &lt;a href="http://bit.ly/o3Fmf" target="_blank"&gt;http://bit.ly/o3Fmf&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Pr0n sites targeted by malware. Crap. Guess it's time for
	Mac AV. &lt;a href="http://bit.ly/JQTgO" target="_blank"&gt;http://bit.ly/JQTgO&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Long lost Rob Newby on crack. Encryption no closer now than
	before. #toodamnhardnotworthmoney &lt;a href="http://bit.ly/P2BQB" target="_blank"&gt;http://bit.ly/P2BQB&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-15-09-rip-ddl#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 15 Jun 2009 09:08:37 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1084 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-15-09-rip-ddl</feedburner:origLink></item>
<item>
 <title>Into Twitter Hell</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/k_He0VnjksE/into-twitter-hell</link>
 <description>&lt;p&gt;
As I mentioned yesterday, I've taken the plunge and decided to start Tweeting (&lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;). Whatever that means. Basically there were a number of things that contributed to me being &amp;quot;late to the party,&amp;quot; as a number of security twits (yes, that's what they like to be called) reminded me.&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://www.pragmaticcso.com/Images/twitter-down.jpg" align="right" vspace="10" width="240" height="180" hspace="10" /&gt;First, I'm always late. For those that associate with me personally, there is &amp;quot;Rothman time,&amp;quot; which is usually 10-15 minutes behind everyone else. I've been working on that, but it's a struggle. And the Boss is worse. &amp;quot;Boss time&amp;quot; is usually 15 minutes behind me.&lt;br /&gt;
&lt;br /&gt;
Second, I was scarred as a young boy when my Mom dropped me off at a birthday party 2 hours early. She had to work - the nerve of her. It was a surprise party, so not only wasn't the birthday boy there, no one was there. I had to hang out with the kid's Mom for 2 hours. It was gruesome and painful and to this day, I'll drive around the block 50 times rather than show up 5 minutes early.&lt;br /&gt;
&lt;br /&gt;
Third, I was never an early adopter. My house was the last house to get cable TV in the early 80s. By the time I got Atari, my friends all had Intellivision. Right, I got the Commodore 64 after everyone had an Apple IIc. We didn't have a lot of money, so I didn't get all the cool toys, and I realized it's not so bad - given 95% of shiny objects end up in the trash bin within a week. And with today's multi-tasking, ADD ridden, texting, Ritalin taking kids, it's getting even worse.&lt;br /&gt;
&lt;br /&gt;
So I don't have a Wii. And my oldest just got a DS. Bah humbug. I tell them to go read books or play in traffic. I didn't have no stinkin' DS. Or even the ticker on CNN to keep my attention for hours at a time.&lt;br /&gt;
&lt;br /&gt;
Practically (dare I say Pragmatically), it's very hard for me to do full Daily Incites more than once per week. So I'm figuring when I see interesting articles, then I can tweet about them and keep my analysis/commentary to 140 characters. I know many of you will appreciate that.&lt;br /&gt;
&lt;br /&gt;
140 characters is good for me. That's kind of scary. Not much real estate. My first boss in research, a wild man named Joaquin Gonzalez, would thump me like a drum when I went into &amp;quot;flowery prose&amp;quot; mode. The worst insult he had for someone (OK, maybe not the worst, but close) was to say they wrote like a consultant. He told me good writing is dry, &amp;quot;dry like a martini.&amp;quot; Why say it in 5000 words, when you can say it in 1000? Now I need to make the point in 140 characters. That is a good exercise for the verbose.&lt;br /&gt;
&lt;br /&gt;
For those of you still resistant to Twitter, congrats. You are a later adopter than me, and that is pretty impressive. I'll highlight my Tweets in at least one post per week, so you'll know what I'm thinking - though not in real time. &lt;br /&gt;
&lt;br /&gt;
So I'll see many of you in the Twittersphere, which is as stupid a word as blogosphere. You can find me at &lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;http://www.twitter.com/securityincite&lt;/a&gt; or &lt;a href="http://www.twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt; for you twits out there.&lt;br /&gt;
&lt;br /&gt;
Calling myself a twit. I'm sure my Mom is tickled. Probably as tickled as me telling the surprise birthday party story (for the zillionth time). 
&lt;/p&gt;
&lt;p&gt;
Photo credit: &amp;quot;&lt;i&gt;Twitter is down (the street.)&lt;/i&gt;&amp;quot; Originally uploaded by &lt;a href="http://www.flickr.com/photos/monstro/2718187284/" target="_blank"&gt;monstro&lt;/a&gt;. 
&lt;/p&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/into-twitter-hell#comments</comments>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <category domain="http://securityincite.com/security-incite-rants/twitter">Twitter</category>
 <pubDate>Tue, 09 Jun 2009 10:02:38 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1083 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/into-twitter-hell</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 6/8/09 - Truth or Dare</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/I1V8AJ6XFMI/the-daily-incite-6-8-09-truth-or-dare</link>
 <description>&lt;div id="topcontent" style="text-align: center"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" /&gt;
&lt;/div&gt;
&lt;div id="leftcontent" style="font-size: 10pt; font-family: Arial"&gt;
&lt;h2&gt;June 8, 2009 - Volume 4, #27 &lt;/h2&gt;
&lt;p&gt;
Good Day, y'all: &lt;br /&gt;
The Boss was having a GNO (girls' night out) yesterday, so being the
lazy slug that I am - I decided to take the kids out for dinner. That
went fine, especially since I didn't force the boy to eat anything
besides french fries. Some (I mean most) days it's just easier to give
in than to dig in and cause many tears and heartbreak for those unlucky
enough to sit by us. I'm waiting for social services to drop by any day
now, especially when I force the kid to eat chicken nuggets or a
different brand of cheese stick (he's partial to the Shrek cheese
sticks).&lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/truth-or-dare.jpg" style="border: 0px solid ; width: 230px; height: 240px; float: right" alt="Nothing good can come from this game...." vspace="10" hspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
Seriously. But this kid has the constitution of Gandhi, so I have no
doubt he'd go on a hunger strike if we don't make the 20 minute drive
to the one Super Wal-Mart in the metro Atlanta area that actually
carries those damn cheese sticks. I'm all for the hunger strike because
we could certainly do with the extra $5 or $6 of groceries the kid
actually consumes each week. Yet the Boss isn't there yet, so we
continue to negotiate.
&lt;/p&gt;
&lt;p&gt;
But that's not even what I wanted to talk about. On the ride
home the girls are bantering about some nonsense or other, and all of a
sudden my oldest blurts out &amp;quot;Truth or Dare.&amp;quot; I almost drove the van off
the road I was laughing so hard. &lt;br /&gt;
&lt;br /&gt;
Clearly the kids are growing up way too fast. I remember back to my
high school days and &amp;quot;Truth or Dare&amp;quot; certainly had a less than innocent
connotation. Of course, I had to live vicariously through my friends
because I had no rap and I wasn't invited to play in those cool
games. 
&lt;/p&gt;
But the last thing I expected to hear was my 8 year old wanting to play
this game. Where did she learn about the game? And obviously she didn't
know about the &amp;quot;less than innocent part,&amp;quot; at least I hope so. Yes, I'm
coming to grips with the reality that I will be the Dad that is
cleaning the shotgun when the first few suitors come to visit my girls.
Hopefully word will spread and I can return the shotgun to Wal-Mart.&lt;br /&gt;
&lt;br /&gt;
And while I'm there, I may as well pick up some of those Shrek cheese
sticks. A boy can't exist on chicken nuggets and Oreo cookie yogurt
alone, now can he?&lt;br /&gt;
&lt;br /&gt;
Have a
great day.&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Let's
Play Truth or Dare&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/loser/17448325/" target="_blank"&gt;loser&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" rel="tag" target="_blank"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" rel="tag" target="_blank"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" rel="tag" target="_blank"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
It's a cold day in hell. That's right, I just opened up a Twitter
account. I suspect this isn't the first time someone will call me a
twit, but at least now it's legit. I'll explain why (after 18 months of
being VERY resistant to the idea) in more detail tomorrow, but in the
meantime you can follow me &lt;a href="http://twitter.com/securityincite" target="_blank"&gt;@securityincite&lt;/a&gt;.
I'm still trying to figure out how the damn thing works, but I'll
likely be doing daily updates there, so check it out. I'll start in
earnest tomorrow. And without further ado, here is some Incite.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;That's right,
	one hell of a job&lt;/span&gt; - One of the great things about being at
	META back in the day was the battles we'd have about our research
	positions. Though it's not the same, seeing &lt;a href="http://www.bloginfosec.com/2009/06/01/an-open-letter-to-warren-axelrod-yes-infosec-youre-a-heck-of-a-job/" target="_blank"&gt;the debate on BlogInfoSec&lt;/a&gt; about
	whether security is the worst it's ever been (and whether we
	practitioners categorically are delusional about the job we are doing)
	kind of reminds me of those research meeting battles. I have to side
	with Sam DeKay here since the times are different now and comparing
	what we accomplish now (for a given investment) with what we
	accomplished back in the days before firewalls is a bit of an apples to
	rutabaga type of comparison. That being said, we have a lot of work to
	do, but it's not necessarily work on protecting things - it's work on
	the perception of security's value to the muckety-mucks.&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Fighting off
	the Botnets &lt;/span&gt;- Interesting article on &lt;a href="http://www.networkworld.com/community/node/42289" target="_blank"&gt;NetworkWorld about defending against
	botnet-based denial of service attacks&lt;/a&gt;. There are a few
	options, including some services that you can buy and some other
	techniques that you can do on your own network. The most interesting
	(to me anyway) is the idea of using Cisco's reputation filters. Back
	from my anti-spam days I saw the value of reputation and as it gets
	embedded in the network it will be a good thing. But the reputation is
	only as good as the data used to determine someone's reputation. The
	fact that you saw an IP address scrawled on the stall at a concert
	probably should automatically disqualify someone from sending you an
	email. Though it's probably not an insignificant data point. It would
	be interesting for Cisco (and the other reputation providers) to be
	transparent about how these reputations are determined. But there is a
	fat chance of that happening. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Defining your
	priorities &lt;/span&gt;- Gunnar is right on the money in discussing
	(and expanding on &lt;a href="http://duckdown.blogspot.com/2009/06/gunnar-peterson-wrote-thoughtful-blog.html" target="_blank"&gt;James McGovern's expansion&lt;/a&gt; of &lt;a href="http://1raindrop.typepad.com/1_raindrop/2009/05/information-security-focus.html" target="_blank"&gt;Gunnar's information security focus&lt;/a&gt;
	post) &lt;a href="http://1raindrop.typepad.com/1_raindrop/2009/06/enterprise-security-priorities.html" target="_blank"&gt;enterprise security priorities&lt;/a&gt;. He
	takes James' principles and does a good job of explaining and
	clarifying. Though I do want to make the point that ARCHITECTURAL
	priorities are much different than OPERATIONAL priorities. There is no
	doubt that auditors drive a lot of architecture and some tactical
	projects. But we as practitioners also have to pay attention to how we
	prioritize our operational responsibilities. You have a list; what
	needs to get done each day? That is one of the most important decisions
	you will make. I'm good with and appreciate high level thinking, but we
	can't forget the tactical ways we decide what to focus on. In many
	cases, a broken operational prioritization is much more damaging than a
	broken architectural prioritization.&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Why the SDL
	is like Seinfeld&lt;/span&gt; - I'm a big fan of quick wins. In fact,
	with today's CNN-based ticker at the bottom, multi-tasking, ADD ridden
	society, if you can't get a quick win, you usually don't get to keep
	playing. The guy who runs NBC said that Seinfeld wouldn't have been
	given the time to develop if it had been introduced in 2007, as opposed
	to 1989. Sad, but true. So &lt;a href="http://jeremiahgrossman.blogspot.com/2009/03/quick-wins-and-web-application-security.html" target="_blank"&gt;Jeremiah talks a bit about how to get a
	quick win&lt;/a&gt;, and amazingly enough it has to do with
	vulnerability assessment + WAF (which is one of Big J's specialties, or
	that of his company anyway). Interestingly enough, there is a
	disincentive to do the right thing, which is to build software
	correctly in the first place. The SDL doesn't show value quickly
	enough, and therefore it's a risk for CISOs to push for it. As they are
	casting for the SDL-Seinfeld web show, you've got to love Shostack to
	play Kramer. A little hair gel and the likeness is uncanny.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=I1V8AJ6XFMI:fO6YI8KWmqc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=I1V8AJ6XFMI:fO6YI8KWmqc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=I1V8AJ6XFMI:fO6YI8KWmqc:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SecurityInciteRants/~4/I1V8AJ6XFMI" height="1" width="1"/&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-8-09-truth-or-dare#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 08 Jun 2009 16:08:01 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1082 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-8-09-truth-or-dare</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 6/1/09 - The GriM Reaper</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/EERNN2xt49o/the-daily-incite-6-1-09-the-grim-reaper</link>
 <description>&lt;div style="text-align: center" id="topcontent"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" style="width: 448px; height: 107px" alt="Today's Daily Incite" /&gt;
&lt;/div&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
&lt;h2&gt;June 1, 2009 - Volume 4, #26 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
They say the Grim Reaper gets us all. Today &lt;a href="http://news.yahoo.com/s/ap/us_automakers" rel="tag"&gt;Dr.
Death visited our pals at GM in Detroit&lt;/a&gt;. OK, not really Dr.
Death, but his main henchman for business - Captain Bankruptcy. It's
not like this wasn't expected, and (in my opinion) it will be healthy
for the longer term viability for GM. It's hard to be competitive
when a multi-thousand-dollar entitlement albatross was weighing down
every car GM sold.&lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/GM-plant-demo.jpg" alt="Not the kind of demo you want to see..." style="border: 0px solid ; width: 240px; height: 159px; float: right" hspace="10" vspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
The idea is that bankruptcy will allow GM to sell assets, rewrite
contracts (especially with the unions) and restructure to be
competitive. As a guy who drives GM cars when I rent, but wouldn't buy
one myself - I think the economic situation was one piece of it. They
also need to be more nimble and build products that folks want to buy.
&lt;/p&gt;
&lt;p&gt;
But the bigger issue here is the concept of periodic renewal.
If you remember back to the mid-80's, the concept that GM would go
bankrupt was absurd. But then foreign automakers came in and built a
better product more efficiently. And 20 years later, GM is on the verge
of going away, if they can't change things very quickly. Basically
every company must fight to not get stale and doing the same things
year after year breeds mildew.&lt;br /&gt;
&lt;br /&gt;
It reminds me of when I was doing an internship at Mobil Oil (when
Mobil still existed) back in college. I was living at home and taking a
bus to a train into New York City. The commute took me about 90 minutes
a day and amazingly enough some of the folks doing that same commute
did so for 30+ years. 
&lt;/p&gt;
These folks were tired and most seemed pretty beaten down to me. It's
not hard to imagine that after 30 years of commuting 90 minutes each
way, you'd be a bit stale. Now there are a lot of reasons that folks do
the same stuff every day, but no one has a reason to let themselves get
stale. In our business, where I can tell you the bad guys are anything
but stale, complacency and losing vigilance will kill you.&lt;br /&gt;
&lt;br /&gt;
So we can take a message from our friends in Detroit. If we aren't
undertaking a process of constant renewal, things will get ugly and
most of us don't have the option of a Government bail-out.&lt;br /&gt;
&lt;br /&gt;
Have a
great day.&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Demolition
means progress&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/churl/258007155/" target="_blank"&gt;churl&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" target="_blank" rel="tag"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" target="_blank" rel="tag"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" target="_blank" rel="tag"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" alt="The Pragmatic CSO" style="border: 0px solid ; width: 170px; height: 259px" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" target="_blank" style="font-weight: bold"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
Better and better every day, every week. Imagine that, an Incite for
two weeks in a row and I'll be starting to embrace &amp;quot;social media&amp;quot; more
effectively this week, that I think will be a good thing. Stay tuned
for that.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Obama says
	cyber-security is important&lt;/span&gt; - The big news on Friday was
	the publishing of the 60 day cyber-security review that took 120 days
	to complete. I know that counting is hard in Washington DC. But the
	message was a good one. &lt;a href="http://lastwatchdog.com/obama-inserts-white-house-leadership-role-secure-internet/" target="_blank"&gt;Byron Acohido did a nice job of summarizing
	the key points&lt;/a&gt;, though every tech book and most of the
	blogging community wrote something about it. But there is a big
	difference between words and action. Over the next 120 days, in order
	to maintain any kind of momentum, there needs to be a clear and defined
	action plan for how we achieve the President's 5-point plan.
	It's not going to happen by itself, or just because Obama says so. We
	should all be cautiously optimistic and also prepare a set of talking
	points for senior management to understand if/how the new initiatives
	will impact your organization.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Metrics on
	the brain &lt;/span&gt;- When times get tough, the tough get counting.
	Isn't that how the saying goes? In security, counting has always been
	hard (as I've written about a million times), but we are making steady
	progress towards understanding what to count and then counting it. &lt;a href="http://www.darkreading.com/security/management/showArticle.jhtml?articleID=217600527" target="_blank"&gt;Dark Reading covers both&lt;/a&gt; how the
	fine folks at the &lt;a href="http://www.cisecurity.org/metrics" target="_blank"&gt;Center for Internet Security have published
	their initial consensus-based security metrics&lt;/a&gt; work, as well
	as &lt;a href="http://securosis.com/projectquant" target="_blank"&gt;Project Quant&lt;/a&gt; - which is being
	driven by the Mogull. CIS puts forth 20 interesting metrics (well
	mostly metrics, some are a bit hard to really quantify) and it's a good
	start. Remember, some metrics will be operational in nature and some
	more focused on quantifying our value up the stack. The more
	substantiation we can have for the security team, the more likely we'll
	be able to stay around, especially if things remain economically tough.
	&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Should we
	call them VeriSell now? &lt;/span&gt;- VeriSign continues to dismantle
	the house that Stratton built, now &lt;a href="http://finance.yahoo.com/news/VeriSign-sells-security-apf-15345934.html?.v=1" target="_blank"&gt;selling the MSS business to SecureWorks&lt;/a&gt;.
	Given VeriSign's focus on seemingly selling renewable low-value thingys
	to mostly smaller companies (like domain names and SSL certs), selling
	the MSS business makes sense - even if they had to take a $100+MM bath
	on the transaction. This also gives SecureWorks the leg up as the
	biggest of the independent MSS providers and they did it for a
	reasonable price. Of course, now the fun work begins of moving the
	existing VeriSign business to its MSS platform to gain the economies
	of scale, but if you aren't getting bigger in this business - you are
	getting smaller. &lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Predict this
	Dave...&lt;/span&gt; - It's never too late to poke fun at vendor
	mumbo-jumbo. Back at RSA, &lt;a href="http://investor.mcafee.com/releasedetail.cfm?ReleaseID=379213" target="_blank"&gt;McAfee's Dave DeWalt unveiled a vision
	called &amp;quot;predictive security,&amp;quot;&lt;/a&gt; which probably resides in the
	same bunker as the Holy Grail. I know, I know - I'm objecting to the
	words again as opposed to the concept of evaluating a crap load of data
	to figure out what is actually happening out there. But as my Dad the
	lawyer always tells me, the words are important. Mining data you are
	gathering from the field is NOT predictive. It's reactive. The concept
	is that by having this data, you can see patterns emerging and draw
	conclusions FASTER. But that is not PREDICTING anything, is it? And the
	astronomy and meteorology analogies are interesting because I wouldn't
	say weathermen have a great track record of really getting it right.
	Though I guess &amp;quot;faster reactive security&amp;quot; isn't really a catchy
	marketing term.&lt;br /&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Picking that
	QSA&lt;/span&gt; - Chris Hayes provides a good structure &lt;a href="http://risktical.com/2009/05/28/qsa-vendor-selection-%E2%80%93-points-of-consideration/" target="_blank"&gt;to evaluate a QSA in this post&lt;/a&gt;.
	Too many folks don't realize that picking a QSA is just like picking
	any other kind of service provider, and given the number of these folks
	that are popping up, it's a very competitive market on the verge of
	commoditizing. Of course, that means buyer beware must prevail to make
	sure you are getting adequate value, while minimizing cost. Also make
	sure anyone you talk to is well aware of the &lt;a href="https://www.pcisecuritystandards.org/pdfs/pr_081117_qa_program.pdf" target="_blank"&gt;PCI Council's quality initiative&lt;/a&gt;
	(pdf) and challenge them on it. Some folks want a PCI assessor to just
	give them the rubber stamp, but that is being pretty short sighted.
	They can and should point out issues that need to be addressed, before
	the bad guys force the issue.&lt;br /&gt;
	&lt;br /&gt;
	&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=EERNN2xt49o:jTODPdIbzik:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=EERNN2xt49o:jTODPdIbzik:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=EERNN2xt49o:jTODPdIbzik:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SecurityInciteRants/~4/EERNN2xt49o" height="1" width="1"/&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-1-09-the-grim-reaper#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Mon, 01 Jun 2009 11:25:50 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1081 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-6-1-09-the-grim-reaper</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 5/28/09 - Swine Paranoia</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/u_d1dtN5nd0/the-daily-incite-5-28-09-swine-paranoia</link>
 <description>&lt;div id="topcontent" style="text-align: center"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" /&gt;
&lt;/div&gt;
&lt;div id="leftcontent" style="font-size: 10pt; font-family: Arial"&gt;
&lt;h2&gt;May 28, 2009 - Volume 4, #25 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
So I'm on a flight a couple of weeks ago, and the guy next to me starts
coughing. No, not a &amp;quot;cough cough.&amp;quot; It was like he was hacking up a
friggin' lung. Thankfully there was the air sickness bag to catch the
nastiness. Normally, I don't think twice about that, besides to check
my sleeves and make sure nothing escaped the dude's tissues. But with
the Swine Flu going around, of course, that's the first thought I have.
&lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/zomg-swineflu.jpg" style="border: 0px solid ; width: 180px; height: 240px; float: right" alt="Masks iz ded sexy..." vspace="10" hspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
So I start calculating the numbers. There have been a couple of hundred
cases of the flu in the States. That makes the chance that I'd be
sitting next to a carrier roughly... .0000001%. Some days I'm thankful
for the mathematician in me that runs numbers and probabilities and
uses those rationalizations to continue to function.
&lt;/p&gt;
&lt;p&gt;
Now that threat is averted, I bury myself in another 50 games
of Flood-It, perhaps one of the most addictive iPhone games. I really
need to stop downloading these games. I probably should be writing TDI
posts instead, but what fun is that?&lt;br /&gt;
&lt;br /&gt;
Right when I'm lulled into a sense of Coke Zero complacency, the guy in
front of me starts coughing that same cough from the guy next to me.
Could it be? Could it be spreading that quickly? Then I feel that
little tickle in my throat. Oh crap, I have it too?
&lt;/p&gt;
Not even the mathematician can help now. I break out Word and start
working on my will. I figure I'll stop by the hospital on the way home
and see how bad the damage is. I play this game for another 15 minutes.
Then I realize, all of this stuff is in my head. So I think about being
in the wilderness and taking deep breaths. The air is clean and crisp.
There are no bubonic plague carriers in breathing distance. It's all
good.&lt;br /&gt;
&lt;br /&gt;
Until the guy behind me goes into a coughing rage... Basically, I'm
screwed. Have a
great day.&lt;br /&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;ZOMG!!!
Swine Flu!!!!&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/auraemma/3495754080/" target="_blank"&gt;Amanda-Ruth&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" rel="tag" target="_blank"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" rel="tag" target="_blank"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" rel="tag" target="_blank"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
I know. I suck. The best laid plans seem to get derailed by, well...
life. Between sales meetings, day job responsibilities, and all the
other crap that piles up on my plate, TDI has taken it in the
shorts. So next week I'm going to recalibrate a bit and try to take a
different perspective on it. I appreciate your patience.&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;You can't
	boil the ocean&lt;/span&gt; - Though the Incite lawyers are hard at work
	on the cease and desist order for Rich to stop using the term
	&amp;quot;Pragmatic&amp;quot; anything, he makes a really good point in discussing &lt;a href="http://securosis.com/blog/the-pragmatic-data-information-centric-security-cycle/" target="_blank"&gt;the Pragmatic Data Security Cycle&lt;/a&gt;.
	Most things security fail miserably when we try to cover everything.
	There is just too much, so part of success is knowing where and how to
	bound all of these key initiatives. Hopefully Rich (and Adrian) will be
	fleshing out how to actually do this in subsequent research because
	it's like learning Mandarin for lots of folks. We know we should do it,
	but it's really hard. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;SMARTS gets
	smart about ConfigureSoft &lt;/span&gt;- The deals keep coming fast
	and furious. Yesterday, EMC announced &lt;a href="http://www.emc.com/about/news/press/2009/20090527-01.htm" target="_blank"&gt;the acquisition of ConfigureSoft for an
	undisclosed sum&lt;/a&gt;, though I'd be surprised if it was more than
	2.5-3x trailing revenues. Most interesting to me is that it was EMC's
	Resource Management Group (which is built around the SMARTS system
	management technology) that did the deal, not RSA. Configuration
	management is more about operations than security - always has been. So
	having the EMC mother ship drive this deal is an indication of that. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Finding the
	next gig &lt;/span&gt;- Great post on the Security Catalyst site by
	Bill Pennington about &lt;a href="http://www.securitycatalyst.com/career-advice-for-security-geeks-part-2/" target="_blank"&gt;how to stand out from the crowd during a job
	search&lt;/a&gt;. Getting an audience is the first step and Bill
	outlines the way he likes to be approached, which is great advice and
	probably very similar to many hiring managers out there. I
	very rarely use headhunters because I don't have to. I usually know the
	folks I like for a position, and if not, then the interesting ones
	tend to figure out how to find me. Though this is only the front end of
	the battle, and there are also some good pointers about how to research
	a company you are interviewing with. If you don't have a crisp idea on
	how you are going to help, forget it. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;The future's
	so bright, you don't need shades&lt;/span&gt; - Is there a longer term
	future for the CISO? Or does the position go the way of the dodo bird? &lt;a href="http://www.boazgelbord.com/2009/05/do-companies-need-ciso.html" target="_blank"&gt;Boaz wonders how many larger organizations
	really need one?&lt;/a&gt; I'd posit that big companies NEED a CISO,
	but the CISO doesn't need to have an organization. I still believe
	someone needs to be the &amp;quot;conscience&amp;quot; of the organization, to evangelize
	and persuade the operational teams and business units that security is
	important. This person needs to own the &amp;quot;program&amp;quot; and set the standards
	for what is acceptable and what isn't. What they don't need is an
	empire. There is no reason that firewall changes shouldn't be owned by
	the network team, and database security shouldn't be owned by the data
	center team (or DBA team if you have one of those). &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Security
	budgets take a hit? No kidding...&lt;/span&gt; - I think the security
	industry for the most part has a bad case of happy ears. For the past
	few months (even though I haven't been writing, I've been reading), a
	lot of folks continue to maintain that budgets will be stable, maybe
	even increasing a bit. Sorry, that's a load of crap and I've been
	saying that for a while. Everything is being scrutinized by big
	companies, and that includes security. &lt;a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356714,00.html" target="_blank"&gt;The Deloitte folks did a survey finally
	proving that&lt;/a&gt;. It was restricted to media, telecom and tech
	companies, but I'd be willing to bet it's pretty consistent across the
	other verticals as well (besides maybe the Fed space). I do think
	security will recover first, when things start really getting better -
	but to think there would be no budget impact of the financial implosion
	and recession is just silly.&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Heartland
	regains PCI Compliance&lt;/span&gt; - Hurray for Heartland, who is &lt;a href="http://www.articleslash.net/Business/529495__Heartland-Regains-PCI-Compliance-Status.html" target="_blank"&gt;once again PCI compliant&lt;/a&gt;. Until
	they aren't. To these guys' credit, they acted decisively and addressed
	the shorter term issues that allowed the data breach. But to be clear,
	this doesn't mean they are secure. It just means they have done the
	bare minimum, until the Standards Council decides to either re-write
	the rules or get into the time machine and change things. It's easy to
	always be right when you have a time machine at your disposal.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-5-28-09-swine-paranoia#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Thu, 28 May 2009 11:32:40 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1080 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-5-28-09-swine-paranoia</feedburner:origLink></item>
<item>
 <title>Later than Hay: Incite's RSA 2009 Wrap-Up</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/3oSOK_oLGEw/later-than-hay-incites-rsa-2009-wrap-up</link>
 <description>&lt;p&gt;
Andrew Hay thought he'd be &lt;a href="http://www.andrewhay.ca/archives/820" target="_blank"&gt;the last to post a wrap-up of RSA&lt;/a&gt;. How wrong you are, my friend. There is no boundary to the lameness originating at Incite HQ nowadays. But enough of the self-inflicted beatdowns. Personally, RSA was great this year. It's always great to see so many old friends, make some new ones and basically plug back into the security collective after spending lots of time in the wilderness over the past 6 months. 
&lt;/p&gt;
&lt;p&gt;
But that isn't really the right point to make. What were my general impressions of the big show this year? It gets back to the point that perception is reality. Always has been, always will be.&lt;br /&gt;
&lt;br /&gt;
It's been entertaining to see what the pundits
have been saying about this year's RSA. Ahead of the show I made a
statement about the show being indicative of the strength of the
industry (&lt;a href="/blog/mike-rothman/rsa-2009-the-acid-test" target="_blank"&gt;link&lt;/a&gt;). Well I don't have much more clarity 3 weeks later, which is pretty indicative of the state of the industry. A few guys
like &lt;a href="http://news.cnet.com/8301-1009_3-10226997-83.html" target="_blank"&gt;Oltsik&lt;/a&gt; were largely pretty negative. &lt;a href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1354426,00.html" target="_blank"&gt;Ogren&lt;/a&gt; and &lt;a href="http://threatchaos.com/2009/04/rsa-2009/" target="_blank"&gt;Stiennon&lt;/a&gt; were positive. And Pescatore (&lt;a href="http://blogs.gartner.com/john_pescatore/2009/04/22/rsa-conference-day-1/" target="_blank"&gt;Post 1&lt;/a&gt;, &lt;a href="http://blogs.gartner.com/john_pescatore/2009/04/23/last-day-at-rsa/" target="_blank"&gt;Post 2&lt;/a&gt;) was right in the middle.&lt;br /&gt;
&lt;br /&gt;
Me? I'm not as dour as Oltsik, but less optimistic than Pescatore. And
Stiennon enjoyed too much of that vendor happy juice. Way too much. He's as excited as a 15 year old girl at a Jonas Brothers concert, which is horrifying.
&lt;/p&gt;
&lt;p&gt;
Here were a few things of note that I noticed:&lt;br /&gt;
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;
	&lt;i&gt;Since when is authentication cool?&lt;/i&gt; There were a lot of new vendors
	showing multi-factor authentication. I kind of figured I stepped into a
	time machine.&lt;/li&gt;
	&lt;li&gt;
	&lt;i&gt;Less attendance is not a good thing.&lt;/i&gt; I saw a bunch of folks
	rationalizing the crappy attendance by saying there were fewer t-shirt
	hunters and more &amp;quot;buyers&amp;quot;. Meh. We had our share of decent
	conversations, and our booth was packed for most of the show. But it's not like in past years, no amount of happy juice can get you there.&lt;/li&gt;
	&lt;li&gt;&lt;i&gt;Compliance is just there.&lt;/i&gt; In past years, we saw everyone talking up their compliance capabilities. I didn't get the impression that was a key theme this year. It probably has to do with the fact that EVERYONE says it, so it's as good as no one saying it. &lt;/li&gt;
	&lt;li&gt;&lt;i&gt;The death of TLA.&lt;/i&gt; That's right, the three-letter acronym seems to be dead. Very little about DLP and NAC. Not too much on GRC either (since no one knows what the hell it means, it's a good thing). PKI? Nowhere to be found. Thankfully SIEM is a four-letter acronym, eh? &lt;/li&gt;
	&lt;li&gt;
	&lt;i&gt;New UTM vendors. WHAT?&lt;/i&gt; I saw a few new companies hawking UTM like devices. Wow. Good luck with that.&lt;/li&gt;
	&lt;li&gt;&lt;i&gt;Everything as a service.&lt;/i&gt; Yes, much of the conversation was around
	SaaS and the nebulous cloud. I have a lot to say about that, but it'll
	wait until later this week.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
But most of all, I heard data points on both sides of the industry
health discussion. If you wanted to hear happy thoughts, someone would
tell you a happy thought. If you wanted to hear about the end of
civilization, more than a few Chicken Littles were in the house.&lt;br /&gt;
&lt;br /&gt;
The thing that I was most aware of was the &lt;b&gt;underlying fear&lt;/b&gt;. Most of the
folks I talked to thought things were getting better. But they weren't
really sure. It was kind of like they were trying to convince
themselves things were getting better. And if they clicked their heels together 3 times, they'd be taken back home. I've long said that optimism is good, but that doesn't mean it's justified or real.
&lt;/p&gt;
&lt;p&gt;
Folks on the user side weren't sure if their projects were going to be funded, or if they'd even have a job when they got back. Not all of them, but a lot of them still were operating under a cloud of uncertainty. The vendors put on their happy faces and talked about how the 2nd half of the year looked strong. Of course, looking strong and being strong are totally different things, now aren't they? 
&lt;/p&gt;
&lt;p&gt;
Personally, I think the strong will be stronger and the ones that suck will suck more. Darwin is at work here. Some companies are announcing strong results and clearly taking share (see McAfee). Others, not so much (see SonicWall). The business environment is clearly accelerating the strengthening and weakening of many companies. 
&lt;/p&gt;
&lt;p&gt;
Even if we've hit the bottom from a macro standpoint (which a lot of folks are saying now), it makes me think we've still got some bumpiness ahead. For whatever that's worth.
&lt;/p&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/later-than-hay-incites-rsa-2009-wrap-up#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/incites/observations">Incites/Observations</category>
 <pubDate>Wed, 06 May 2009 11:08:30 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1079 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/later-than-hay-incites-rsa-2009-wrap-up</feedburner:origLink></item>
<item>
 <title>Most Entertaining Acceptance Speech</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/-S8C_4jVNHg/most-entertaining-acceptance-speech</link>
 <description>&lt;p&gt;
I'm honored, flattered and totally undeserving of winning the &amp;quot;Most Entertaining&amp;quot; blog award at the &lt;a href="http://www.mckeay.net/2009/04/23/security-bloggers-meetup-2009/" target="_blank"&gt;Social Security Awards at RSA&lt;/a&gt; this year. Given I was late to the event (and Rich had to spoil the surprise by sending me a 911 text to get my behind to the Blogger meet-up), and Alan got a bit long in the tooth in giving out the awards, and my total shock at winning much of anything - I was a little at a loss for words. Which is the first time I can remember that happened. 
&lt;/p&gt;
&lt;p&gt;
And even if I was my usual loudmouth self, the looks from the folks at the party made it clear I was the only thing standing between them and another cocktail. That's a bad place to be, so I kept my comments intentionally short.&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://www.pragmaticcso.com/Images/blogger-award-2009.jpg" align="right" vspace="10" width="200" height="123" hspace="10" /&gt;I didn't get a chance to say thanks to a lot of folks that made this possible. However undeserving I am, the people around me enable this. So let me send thanks to:&lt;br /&gt;
&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;The Boss - Yes, without the Boss to keep me honest and focused, none of this happens. She takes care of many things, so I can do what I do. And she supports me and loves me, even when I make that hard to do. &lt;i&gt;I also know that she'll kick my ass if I don't thank her first. &lt;/i&gt;Every time someone gets up at an awards show and forgets to thank their spouse, she goes on a tirade. I won't make that mistake.&lt;/li&gt;
	&lt;li&gt;The munchkins - Though I don't view what I do as very entertaining, my kids sure are. So thanks to Leah, Lindsay and Sam - who give me an infinite amount of material to write about. They also teach me something new every day. It's great to see things from their perspective, which keeps me young (even though I look old).&lt;/li&gt;
	&lt;li&gt;My blogging peeps - Yes, the blogging community is integral to the success of all of us. There are too many to thank individually, so I'll just say thanks to everyone. We challenge each other, give each other a hard time, and make the end product much better. Incite is written by me, but it's clearly a joint production.&lt;/li&gt;
	&lt;li&gt;The bad guys - Everything is relative. Without dark, there is no light. Without bad guys, we don't understand what is good. So we can't do what we do unless they are doing what they do - as objectionable as that is. So we can get mad at &amp;quot;the bad&amp;quot; or we can be thankful that they keep us employed, keep raising the bar and ultimately give us a lot to talk about.&lt;/li&gt;
	&lt;li&gt;You - I've always said that I write for myself and I'm just lucky that other people find (entertainment) value in it. That was true at one time, but not anymore. Many people came to my panels or the booth specifically to tell me they enjoy the Incite. Many also said they wish I had time to write more. Wow. It's a humbling experience and I couldn't thank those folks enough.&lt;/li&gt;
&lt;/ol&gt;
You can probably see why I kept my comments at the Blogger meet-up short. I suspect someone would have bounced a cue ball off my head if I rambled on like this at the event.&lt;br /&gt;
&lt;br /&gt;
I wasn't quite sure what this blogging thing was about 3 years ago, but I ended up making a whole bunch of very good friends, building a business, and progressing along the road to happiness. After a brief detour, I recognize that continuing to write is very important to me. &lt;br /&gt;
&lt;br /&gt;
So that's what I'll do.</description>
 <comments>http://securityincite.com/blog/mike-rothman/most-entertaining-acceptance-speech#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/incites/observations">Incites/Observations</category>
 <pubDate>Fri, 24 Apr 2009 14:31:46 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1078 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/most-entertaining-acceptance-speech</feedburner:origLink></item>
<item>
 <title>RSA 2009: Art says Kumbaya</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/nnVl0J_ezKE/rsa-2009-art-says-kumbaya</link>
 <description>&lt;p&gt;
After getting out of the first two keynote speeches here at RSA, I have a few quick observations. First, I'm glad no one is allowed to smoke in the keynote hall. RSA's Art Coviello and Symantec's Enrique Salem were so wooden reading off the teleprompters during their keynotes, even the slightest spark would have set them and the entire building ablaze. And neither of them announced anything of substance. Nothing really on new products, just some horse crap about the need to operationalize things and build an eco-system.
&lt;/p&gt;
&lt;p&gt;
It seems the theme of Big Security at this year's RSA show is Kumbaya.&lt;br /&gt;
&lt;br /&gt;
That's the message from Art and Enrique today. To combat the threat of the bad guys and &amp;quot;win,&amp;quot; the industry needs to collaborate and organize. Personally I think this is a veiled response to the success of McAfee's SIA program. Neither announced a formal partnering program, but it's just a matter of time. If you can't beat them, copy them. That's the way of Big Security. 
&lt;/p&gt;
&lt;p&gt;
Here's the thing about &amp;quot;collaboration.&amp;quot; End users don't care about whether the vendors work together. They just want their problem to be solved. They are frustrated that they aren't any more secure today (and probably less secure) than they were 6 years ago. And with the economic collapse, customers don't have the ability anymore to throw money at the problem and deploy technologies that have limited success and go thru the motions to put another widget in place. That game is over.&lt;br /&gt;
&lt;br /&gt;
So all this stuff about collaboration is noise. It's to distract everyone that Big Security isn't getting it done. They aren't solving the problem. Basically the answer is what I've been saying for a long time (yes, before I went out and got a day job). You aren't going to get ahead of the threat. You need to react faster and contain the damage when you get hit (and you will).&lt;br /&gt;
&lt;br /&gt;
I'm not saying we need to give up. Or stop trying to do the right thing. I'm saying we need to be realistic. Implementing a policy management environment to encompass the entire technology stack, as Art suggests, isn't realistic. Sorry to burst Art's bubble, but customers don't have enough breadth or visibility to even dream about protecting the entire ball of wax.&lt;br /&gt;
&lt;br /&gt;
It's good keynote fodder, but for the most part it's just more hot air.
&lt;/p&gt;
&lt;p&gt;
PS: I posted a piece on the eIQ blog this AM about whether we should even bother to try to &amp;quot;win&amp;quot; the battle against the bad guys: &lt;a href="http://blog.eiqnetworks.com/2009/04/21/can-we-win/" target="_blank"&gt;http://blog.eiqnetworks.com/2009/04/21/can-we-win/&lt;/a&gt;
&lt;/p&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/rsa-2009-art-says-kumbaya#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/incites/observations">Incites/Observations</category>
 <pubDate>Tue, 21 Apr 2009 12:12:51 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1077 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/rsa-2009-art-says-kumbaya</feedburner:origLink></item>
<item>
 <title>RSA 2009: The Acid Test</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/3biGf0qPAJw/rsa-2009-the-acid-test</link>
 <description>&lt;p&gt;
For the first time in a long time, I'm not sure what to expect from this year's RSA conference. The early anecdotes indicated it may be a pretty weak showing this year. Then lately I'm hearing north of 15,000 people will attend. Perhaps they are including everyone in a 5 block radius of the Moscone Center in SFO, but that's neither here nor there.
&lt;/p&gt;
&lt;p&gt;
To me, the health of the security industry will be gauged this week. Of course, everyone puts on their happy faces and basically lies their respective asses off. &amp;quot;Sure, business is great.&amp;quot; &amp;quot;Scaling is our big problem.&amp;quot; Blah blah blah. In this kind of economy, every company has issues. The question is how big the issues are.
&lt;/p&gt;
&lt;p&gt;
So why did I think the conference was going to be weak? Basically because every other event I've been to since the economic meltdown has been mediocre at best, a total cluster-F at worst. End users have largely been keeping their heads down, not taking time to mingle at conferences. Basically, we've been trying to survive. RSA is the biggest dog in the security conference field, but will folks still get on a plane to see the sights?
&lt;/p&gt;
&lt;p&gt;
Then I got the speaker notifications. I'm doing four panels and a peer to peer session. Now, I've certainly got an inflated opinion of my speaking abilities. And I've done sessions at the last 5 or so conferences that have gotten decent reviews. But to get 4 panels? Definitely means the gene pool of presenters is a bit thin this year.
&lt;/p&gt;
&lt;p&gt;
On the other hand, lots of companies have been announcing decent earnings. Some have thrown in the towel (like Entrust), but quite a few are holding their own. It'll be interesting to see the tone at the AGC (America's Growth Capital) conference on Monday to get a feel for the market. 
&lt;/p&gt;
&lt;p&gt;
I'll be at the conference all week, though as you can imagine, my schedule is pretty jam-packed with day job responsibilities, speaking gigs, and the like. If you can attend the sessions, my speaking gigs are:
&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Tuesday @ 1:30 PM: STAR-105: Is SaaS the Future of Enterprise Security? &lt;/li&gt;
	&lt;li&gt;Tuesday @ 4:10 PM: BUS-107: Security Groundhog Day (this was the best panel last year - don't miss it)&lt;/li&gt;
	&lt;li&gt;Wednesday @ 9:10 AM: NET-202: Using SaaS to Solve the Network Management and Security Challenge&lt;/li&gt;
	&lt;li&gt;Wednesday @ 10:40 AM: P2P-203A: More Security with Less Money and Fewer Resources (peer to peer session)&lt;/li&gt;
	&lt;li&gt;Thursday @ 9:10 AM: BUS-302: Which Security Tools take Priority in a Challenging Economic Environment&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;
So as you can see, I've got a full speaking plate. And my sessions indicate what are clearly the two major themes of this year's show: SaaS and navigating the turbulent economy. Both are kind of related, but as in years past when you heard about NAC or GRC or DLP, you'll hear about the conference theme until your ears bleed. This year, SaaS will be the most hated term by Thursday.&lt;br /&gt;
&lt;br /&gt;
Hope to see you at the show, if you are here. Check out one of my sessions or swing by eIQ's booth (#2058) and pick up a &amp;quot;Log Data is Not Enough&amp;quot; t-shirt or hat. You'll also be able to see the 2nd half of the &amp;quot;Don't be like Dick&amp;quot; video.
&lt;/p&gt;
</description>
 <comments>http://securityincite.com/blog/mike-rothman/rsa-2009-the-acid-test#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/incites/observations">Incites/Observations</category>
 <pubDate>Mon, 20 Apr 2009 08:59:45 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1076 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/rsa-2009-the-acid-test</feedburner:origLink></item>
<item>
 <title>Log Data is Not Enough [Gratuitous Promotion]</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/bKOMkTnASNA/log-data-is-not-enough-gratuitous-promotion</link>
 <description>&lt;p&gt;
&amp;lt;Gratuitous Promotion&amp;gt;&lt;br /&gt;
&lt;img src="http://www.pragmaticcso.com/Images/logdataisnotenough.jpg" align="right" vspace="10" width="345" height="295" hspace="10" /&gt;As much as my evaluating priorities has been taking up a lot of my time, I have been pretty busy doing my day job at eIQ. Today we relaunched our web site (&lt;a href="http://www.eiqnetworks.com" target="_blank"&gt;http://www.eiqnetworks.com&lt;/a&gt;), with the objective to explain what we do and how we do it a lot more effectively. Candidly, I got tired of hearing the same feedback from friends and colleagues: eIQ looks cool, but what do you guys do again?
&lt;/p&gt;
&lt;p&gt;
The hope is that our new site explains that more crisply.
&lt;/p&gt;
&lt;p&gt;
Additionally, we launched a new project we've been working on called Log Data is Not Enough. We've got a website (&lt;a href="http://www.logdataisnotenough.com/" target="_blank"&gt;http://www.logdataisnotenough.com&lt;/a&gt;) which shows a funny video about a data breach and its impact on the organization, as well as a number of other tips to make sure you are not like Dick. The first portion of the video is posted now and next week at RSA, we'll be previewing the second half, as well as an additional set of videos featuring someone you know pretty well, in character of course. 
&lt;/p&gt;
&lt;p&gt;
So check out &lt;a href="http://www.eiqnetworks.com" target="_blank"&gt;http://www.eiqnetworks.com&lt;/a&gt; and &lt;a href="http://www.logdataisnotenough.com/" target="_blank"&gt;http://www.logdataisnotenough.com&lt;/a&gt;. 
&lt;/p&gt;
&lt;p&gt;
&amp;lt;/Gratuitous Promotion&amp;gt; 
&lt;/p&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/log-data-is-not-enough-gratuitous-promotion#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/eiq">eIQ</category>
 <pubDate>Wed, 15 Apr 2009 11:58:30 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1075 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/log-data-is-not-enough-gratuitous-promotion</feedburner:origLink></item>
<item>
 <title>Evaluating Priorities</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/TFwXUovp2dE/evaluating-priorities</link>
 <description>&lt;p&gt;
&lt;br /&gt;
First off, I want to thank the many of you that sent me notes wondering if I'm OK. Of course, there is always Shimmy, who constantly shows his Photoshopping skilz. I'm just fine, actually I'm great. And that's what I want to talk about today.&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://www.stillsecureafteralltheseyears.com/.a/6a00d83451e4d369e201156f228b26970c-pi" align="right" vspace="10" width="265" height="320" hspace="10" /&gt;For a long time, I've been counseling readers, friends and clients about the need to constantly evaluate your priorities, pretty much every day. If you are in a security role, you understand how important this is. There are always new attacks, new devices, new applications, and users that do stupid things to keep us busy. &lt;br /&gt;
&lt;br /&gt;
If you don't make sure you are working on the highest priorities, you are wasting time and not providing value to your organization. And in this kind of economy, none of us can afford that.&lt;br /&gt;
&lt;br /&gt;
So basically I'm eating my own dog food and about a month ago decided to evaluate my personal priorities. I only have 24 hours a day and I wanted to make sure I was spending it in the most effective way. Turns out, I drew the conclusion that I needed to focus - for the first time, in a long time - on myself. &lt;br /&gt;
&lt;br /&gt;
I've started spending 1-2 hours a day on personal development. That could mean a lot of things and I'm not necessarily going to go into great depth. Suffice it to say I'm focusing on improving myself, both on the outside and the inside.&lt;br /&gt;
&lt;br /&gt;
Alas that means I don't have as much time as I used to for the Daily Incite. As I get into a better rhythm of juggling my personal, family and job priorities, I hope to return to a 2-3 times a week frequency on the blog.&lt;br /&gt;
&lt;br /&gt;
In the meantime, I'll be looking into doing a little bit of link publishing through a service like del.icio.us or something similar. Basically I'll be able to post some interesting content, add a quick comment (in Incite style) and have it automagically published to the blog and posted to the email list.&lt;br /&gt;
&lt;br /&gt;
Thanks for your patience.
&lt;/p&gt;
&lt;p&gt;
Photo credit: &lt;a target="_blank" href="http://www.stillsecureafteralltheseyears.com/ashimmy/2009/04/have-you-seen-this-man.html"&gt;Alan Shimel &lt;/a&gt;
&lt;/p&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/evaluating-priorities#comments</comments>
 <category domain="http://securityincite.com/news/si-announcements">SI Announcements</category>
 <pubDate>Tue, 14 Apr 2009 09:48:57 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1074 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/evaluating-priorities</feedburner:origLink></item>
<item>
 <title>Application Security is a Journey, Not a Destination</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/AHeEuteH0No/application-security-is-a-journey-not-a-destination</link>
 <description>&lt;div id="topcontent" style="text-align: center"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" /&gt;
&lt;/div&gt;
&lt;div id="leftcontent" style="font-size: 10pt; font-family: Arial"&gt;
&lt;h2&gt;March 11, 2009 - Volume 4, #24 &lt;/h2&gt;
&lt;h1&gt;Application Security is a Journey, Not a Destination&lt;/h1&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
Long time readers of my ramblings can remember the seemingly zillions
of times I've mentioned the importance of application security. Not
only are your applications the path of least resistance for the bad
guys, we also suffer from a distinct lack of visibility in terms of
what's actually happening within the application.&lt;br /&gt;
&lt;br /&gt;
&lt;img src="http://www.pragmaticcso.com/Images/app-security_journey_destination.jpg" style="width: 280px; height: 232px; float: right" alt="You are never finished with application security" vspace="10" hspace="10" /&gt;Limited
visibility is quite a problem, since a big part of my security
philosophy revolves around REACT FASTER, which is basically
understanding what's happening in your environment and knowing quickly
when something is funky (like an attack or compromise). Well, it's hard
to do that when we don't really have any instrumentation in the
application to tell us.
&lt;/p&gt;
So, for a change, we security folks are flying blind. Right, that
doesn't end well.&lt;br /&gt;
&lt;br /&gt;
The answer for application security is two-fold. There is a somewhat
tactical path, which involves a penetration test to figure out what is
obviously broken. This is the &amp;quot;fingers in the dam&amp;quot; approach, because
odds are there will be a number of problems that can't be fixed, and
every time you change the application you introduce more
issues.&lt;br /&gt;
&lt;br /&gt;
Another tactical measure is something like a web application firewall
(WAF). Of course, WAF vendor hyperbole would lead you
to believe a WAF will block today's attacks and tomorrow's, and is really
a strategic answer. Let's be clear - it's not. Not because a WAF isn't
important, especially for common attacks like SQL injection, which can
ruin your day. But there are always logic flaws in your applications,
which look like perfectly legitimate requests to a WAF, and it seems the
bad guys have a real knack for finding them.&lt;br /&gt;
&lt;br /&gt;
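The WAF point, and the earlier point about instrumentation, in working code. This is an added example, not code from this post or from any WAF vendor: the injection signature, the product table and the order are all constructed for illustration, and the SECURITY_EVENTS list stands in for whatever log pipeline the application actually feeds.&lt;br /&gt;

```python
"""Added example (not from the post): why a WAF signature stops SQL injection
but not a business-logic flaw, and what application instrumentation adds."""
import operator
import re
import sqlite3

# Constructed, deliberately crude signature in the spirit of a WAF rule.
# An assumption for illustration only, not any vendor's real rule set.
SQLI_SIGNATURE = re.compile(r"'|--|;|\bOR\b|\bUNION\b", re.IGNORECASE)

# Stand-in for the application's security log (assumption: a real app
# would ship these events to a SIEM or log pipeline).
SECURITY_EVENTS = []


def waf_blocks(value):
    """True if a request value trips the injection signature."""
    return bool(SQLI_SIGNATURE.search(str(value)))


def setup_db():
    """In-memory product table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("WIDGET", 1000), ("GADGET", 2500)])
    return conn


def price_vulnerable(conn, sku):
    """String-concatenated query: the classic injectable form."""
    sql = "SELECT sku, price_cents FROM products WHERE sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def price_parameterized(conn, sku):
    """Same query with a bound parameter: input is never parsed as SQL."""
    sql = "SELECT sku, price_cents FROM products WHERE sku = ?"
    return conn.execute(sql, (sku,)).fetchall()


def order_total_flawed(conn, items):
    """Business logic that trusts the quantity field. Nothing in the
    request looks like an attack, yet a negative quantity becomes a discount."""
    total = 0
    for sku, qty in items:
        rows = price_parameterized(conn, sku)
        if rows:
            total += rows[0][1] * qty
    return total


def order_total_checked(conn, items):
    """Hardened version: reject quantities below one and emit an event the
    security team can actually react to."""
    total = 0
    for sku, qty in items:
        if operator.lt(qty, 1):  # quantity is below the minimum of 1
            SECURITY_EVENTS.append(
                {"event": "invalid_quantity", "sku": sku, "qty": qty})
            raise ValueError("rejected quantity %d for %s" % (qty, sku))
        rows = price_parameterized(conn, sku)
        if rows:
            total += rows[0][1] * qty
    return total


def order_passes_waf(items):
    """True if no field of the order trips the signature."""
    return not any(waf_blocks(sku) or waf_blocks(qty) for sku, qty in items)


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"   # constructed injection payload
    print("WAF blocks payload:", waf_blocks(payload))
    print("vulnerable query leaks:", price_vulnerable(conn, payload))
    print("parameterized query returns:", price_parameterized(conn, payload))
    order = [("WIDGET", 1), ("GADGET", -1)]   # constructed logic-flaw order
    print("WAF passes the order:", order_passes_waf(order))
    print("flawed total (cents):", order_total_flawed(conn, order))
    try:
        order_total_checked(conn, order)
    except ValueError as err:
        print("checked version:", err, "event:", SECURITY_EVENTS[-1])
```

The signature stops the injection payload cold, and the parameterized query would have been safe even without it. The negative-quantity order contains nothing a signature can key on, so only a check in the application's own logic catches it, and only an event emitted by that check gives the security team something to react to.&lt;br /&gt;
&lt;br /&gt;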
So what's the strategic answer? You've got to build security into the
application. FROM DAY ONE. That's right, as I referred to &lt;a href="http://securityincite.com/TDI-2009-03-10" target="_blank"&gt;yesterday&lt;/a&gt;,
this is mostly a process problem and a people issue. Technology is kind
of beside the point. But how? I talk to very few folks who don't want
to build secure software. They just don't know how, and they can't
really quantify the impact of doing so.&lt;br /&gt;
&lt;br /&gt;
But that is gradually changing. A few friends of mine (Brian Chess of
Fortify, Gary McGraw and Sammy Migues of Cigital) have &lt;a href="http://bsi-mm.com/" target="_blank"&gt;published a
guide&lt;/a&gt;
called the BSIMM (Building Security In Maturity Model) that's
based upon (are you sitting down?) the actual experiences of some large
companies that have been doing this strategically for a while.
Companies you may have heard of, like Microsoft, Adobe, EMC and Google.&lt;br /&gt;
&lt;br /&gt;
The concepts are presented within a &amp;quot;maturity model&amp;quot; for software
security, which describes the kinds of processes used to build code and
make sure it's not a steaming pile of FAIL. There are twelve practices,
each broken down into multiple activities arranged by maturity level.
And this isn't going to happen overnight. In fact, the entire thing may
never happen in its entirety. But the document gives you the
perspective to understand how the process can work.&lt;br /&gt;
&lt;br /&gt;
Like any other methodology, you have to figure out what parts are
applicable to your organization, both technically and politically.
Application security is a collaborative process and requires
significant buy-in and sponsorship from an executive with enough mojo
to push the agenda and enforce the process changes. Doing
this right requires organizational commitment, reorganization and
incentives to encourage the right behavior. These are hard pills to
swallow for many organizations, which is why software security is such
a mess.&lt;br /&gt;
&lt;br /&gt;
Personally, I have high hopes for this research. Most organizations
remain skeptical and reluctant about implementing a secure software
process because they don't really understand the benefits, nor the long
term impact of shipping secure code. Following these organizations
over time and benchmarking their results gives evangelists and
big thinkers some data to prove the value of building security in.&lt;br /&gt;
&lt;br /&gt;
And we all know that the only thing that really shuts up a skeptic is
data.
&lt;p&gt;
Have a
great day.
&lt;/p&gt;
&lt;p&gt;
&lt;small&gt;Photo credits: “&lt;span style="font-style: italic"&gt;365/25&lt;/span&gt;”
originally
uploaded by &lt;a href="http://www.flickr.com/photos/teachingsagittarian/3225013302/" target="_blank"&gt;teachingsagittarian&lt;/a&gt;&lt;/small&gt; 
&lt;/p&gt;
&lt;p&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" rel="tag" target="_blank"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" rel="tag" target="_blank"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" rel="tag" target="_blank"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2"&gt;
	&lt;tbody&gt;
		&lt;tr&gt;
			&lt;td style="text-align: center; width: 208px"&gt;&lt;a href="http://www.pragmaticcso.com"&gt;&lt;img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /&gt;&lt;/a&gt;&lt;br /&gt;
			&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;br /&gt;
			&lt;span style="font-family: Arial"&gt;&lt;/span&gt;&lt;/td&gt;
			&lt;td style="text-align: center"&gt;&lt;span style="font-weight: bold"&gt;The
			Pragmatic CSO: &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Available Now! &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;Read the Intro and
			Get &lt;/span&gt;&lt;br style="font-weight: bold" /&gt;
			&lt;span style="font-weight: bold"&gt;&amp;quot;5 Tips to be a
			Better CSO&amp;quot;&lt;/span&gt;&lt;br /&gt;
			&lt;br /&gt;
			&lt;a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank"&gt;www.pragmaticcso.com&lt;/a&gt;&lt;/td&gt;
		&lt;/tr&gt;
	&lt;/tbody&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=AHeEuteH0No:xs84LlA3QsE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=AHeEuteH0No:xs84LlA3QsE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=AHeEuteH0No:xs84LlA3QsE:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SecurityInciteRants/~4/AHeEuteH0No" height="1" width="1"/&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/application-security-is-a-journey-not-a-destination#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/application-security">Application Security</category>
 <pubDate>Wed, 11 Mar 2009 13:45:24 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1073 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/application-security-is-a-journey-not-a-destination</feedburner:origLink></item>
<item>
 <title>The Daily Incite - 3/10/09 - Crayon Appreciation Day</title>
 <link>http://feedproxy.google.com/~r/SecurityInciteRants/~3/fI6yITpN_68/the-daily-incite-3-10-09-crayon-appreciation-day</link>
 <description>&lt;div style="text-align: center" id="topcontent"&gt;
&lt;img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" style="width: 448px; height: 107px" alt="Today's Daily Incite" /&gt;
&lt;/div&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
&lt;h2&gt;March 10, 2009 - Volume 4, #23 &lt;/h2&gt;
&lt;p&gt;
Good Morning: &lt;br /&gt;
For all the toys, gadgets and gizmos we've gotten for the kids, it's
usually the simple mundane and classic stuff that they really gravitate
to. For example, we have a room full of assorted toys, games and the
like. The kid's stuff used to be all over the house, but we've made a
concerted effort to contain it to one or two rooms as they've gotten
older. So what do they play with? &lt;br /&gt;
&lt;a href="http://www.iphonesavior.com/images/2008/07/18/iphone_app_store_addiction.jpg"&gt;&lt;img src="http://www.pragmaticcso.com/Images/crayons.jpg" alt="They taste good on a sandwich..." style="border: 0px solid ; width: 240px; height: 180px; float: right" vspace="10" hspace="10" /&gt;&lt;/a&gt;&lt;br /&gt;
Crayons. That's right, good old fashioned Crayolas. We've been
tightening the belt a bit at Chez Incite, so when the Boss brought home
a little carousel with a couple hundred crayons in it and a bunch of 11
x 17 coloring books, I was a bit steamed. Sure it wasn't a lot of
money, but the kids have a bunch of stuff they don't play with - why
buy them more?
&lt;/p&gt;
&lt;p&gt;
The fact is, I had a point. We are very careful, but I still
get the feeling that my kids are spoiled and don't appreciate how good
they have it. They want for nothing. If they need it, they get it. Even
if they don't need it, a lot of the time they get it. And don't get me
started on controlling the grandparents, who believe they have a
license to spoil.&lt;br /&gt;
&lt;br /&gt;
But after a weekend with the new crayons and coloring books, I have to
admit that the Boss made a good purchase. My boy especially loves to
color. The focus and intensity he brings to the task is amazing. He
painstakingly colors every square millimeter on these 11x17 pictures.
It doesn't hurt that the coloring books are from Star Wars and the
Incredibles (two of his favorite movies). He can sit and color for
hours at a time.
&lt;/p&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
And then I remembered, part of the issue with many kids (mine included)
is that they multi-task too much. They don't learn the discipline of
focus. Getting them to sit down and finish the 11x17 drawing forces
them to pay attention and be diligent about their craft. There are lots
of lessons we try to teach our kids, and I forgot that crayons can help
teach those lessons.
&lt;/div&gt;
&lt;div style="font-size: 10pt; font-family: Arial" id="leftcontent"&gt;
So I dub today &amp;quot;crayon appreciation day.&amp;quot; Have a
great day.&lt;br /&gt;
&lt;/div&gt;
&lt;p&gt;
&lt;br /&gt;
&lt;small&gt;Photo: &amp;quot;&lt;span style="font-style: italic"&gt;Crayon
Fence&lt;/span&gt;&amp;quot; originally uploaded by &lt;a href="http://www.flickr.com/photos/laffy4k/404319562/" target="_blank"&gt;laffy4k&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;small&gt;Technorati: &lt;a href="http://technorati.com/tag/information%20security" target="_blank" rel="tag"&gt;Information
Security&lt;/a&gt;, &lt;a href="http://technorati.com/tag/CSO" rel="tag"&gt;CSO&lt;/a&gt;&lt;/small&gt;,
&lt;small&gt;&lt;a href="http://www.technorati.com/tag/Security%20Mike" target="_blank" rel="tag"&gt;Security
Mike&lt;/a&gt;, &lt;a href="http://www.technorati.com/tag/Internet%20Security" target="_blank" rel="tag"&gt;Internet
Security&lt;/a&gt;&lt;/small&gt;&lt;br /&gt;
&lt;/p&gt;
&lt;br /&gt;
&lt;h1&gt;Incite 4 U&lt;/h1&gt;
&lt;br /&gt;
&lt;ol&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;#3 on the
	jobs you don't want to have list...&lt;/span&gt; - Clearly that would
	be Federal Cybersecurity czar. Probably right behind athletic cup
	tester and right in front of grease trap cleaner. Thanks to Adrian, who
	posted a &lt;a href="http://securosis.com/2009/03/06/director-of-national-cyber-security-center-resigns/" target="_blank"&gt;quick update over the weekend&lt;/a&gt;,
	Beckstrom resigned after about a year on the job. It seems the NSA got
	in the way of almost everything he tried to do. &lt;a href="http://lastwatchdog.com/cybersecurity-official-resigns-smothering-nsa/" target="_blank"&gt;Byron Acohido does a great interview with
	Beckstrom here&lt;/a&gt; as well on his new-ish blog. The take-aways
	here? The idea of coming up with a coordinated Federal cybersecurity
	process is pretty much a non-starter. These folks are professional
	bureaucrats, and you think they are going to let some entrepreneurial
	soul get in the way of their 3 hour lunches? So we'll continue to get
	&amp;quot;guidance&amp;quot; from NIST, and each agency will continue to blaze its own
	trail. Which, given the scope of the US Government and the different
	requirements of the different agencies, may not be an entirely bad
	thing. As opposed to trying to coordinate everything, maybe it's time
	to decentralize a bit and then give FISMA (or something like it) more
	teeth. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Technology is
	only the third stool &lt;/span&gt;- It's been said security is about
	people, process and technology. Though we in the industry seem to
	continue searching for magic bullets, potions or anything else that
	will give us a leg up on the bad guys. Yet, that mentality hasn't
	worked for the past 10 years and it's not going to work moving forward.
	&lt;a href="http://blogs.gartner.com/neil_macdonald/2009/03/07/application-security-a-tool-cannot-solve-what-fundamentally-is-a-process-problem/" target="_blank"&gt;Neil MacDonald over at Gartner makes that
	point on his blog&lt;/a&gt;, talking specifically about application
	security. He's right. Tools can help, but fundamentally it's a process
	and a people issue. And until we figure that out as an industry, things
	aren't going to get much better. I'll have more to say on that tomorrow.&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;PCI +
	Virtualization = ??? &lt;/span&gt;- Clearly given the drive towards
	virtualizing everything, there is a big hole in the PCI-DSS regarding
	what you can and can't do relative to virtualization. So &lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1349685,00.html" target="_blank"&gt;the PCI Standards Council spun up a
	virtualization working group to figure it out&lt;/a&gt;. This is a good
	move, but the proof is always in the pudding. Will they put some real
	controls in place? Or will it just be more of the same? Of course, a
	bunch of vendors are praying they do a 6.6 redux and mandate a
	virtualization security widget. That's not likely, but these folks can
	hope, no? And more importantly, when will they force adoption of these
	guidelines? Virtualization is happening today and I suspect many
	organizations aren't doing it in the most &amp;quot;secure&amp;quot; fashion, whatever
	that means. Which will entail a retro-fit of the infrastructure.
	Retailers and banks don't like retro-fitting much of anything,
	especially in a global recession. So we'll see what kind of tight rope
	Russo &amp;amp; Co will walk on this one. &lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Cisco jumps
	on the email security SaaS bandwagon&lt;/span&gt; - I guess when you
	are Cisco, you don't need to be on the cutting edge. At least when it
	comes to mature markets and technology. About 3 years after everyone
	else, &lt;a href="http://ironport.com/company/ironport_pr_2009-03-03.html" target="_blank"&gt;Cisco's IronPort group finally announces a
	hybrid offering encompassing appliances and services for email security&lt;/a&gt;.
	To be clear, most of the time trying to sell both appliances and
	services is a recipe for failure. Some companies do boxes well and some
	do services well. Not many do both well. But that's neither here nor
	there, the point is that customers will choose the right deployment
	model for their operational requirements. And the vendors need to
	figure out how to do both well, but only if they want to address the
	entire market.&lt;/li&gt;
	&lt;li&gt;&lt;span style="font-weight: bold"&gt;Dumping on
	the CAG&lt;/span&gt; - Standards are tough, especially when there are
	no teeth there. It seems the industry has looked at the CAG (Consensus
	Audit Guidelines) and decided consensus sucks. That's because it
	usually does. &lt;a href="http://www.guerilla-ciso.com/archives/754" target="_blank"&gt;Dan Philpott at the Guerrilla CISO blog
	talks a bit about why the CAG has become the Hindenburg of security
	guidance&lt;/a&gt;. But to be clear, anyone trying to develop the
	Rosetta Stone for security is going to have similar problems. I think
	everybody acknowledges that FISMA needs to be improved, and give some
	credit to the folks behind CAG (Gilligan and Paller) for getting some
	discussion going. But ultimately publishing a white paper and a set of
	slides doesn't not accountability make. Without teeth, a standard is
	pretty much useless. &lt;span style="font-weight: bold"&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=fI6yITpN_68:xkpEczqOp-I:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=fI6yITpN_68:xkpEczqOp-I:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/SecurityInciteRants?a=fI6yITpN_68:xkpEczqOp-I:dnMXMwOfBR0"&gt;&lt;img src="http://feeds.feedburner.com/~ff/SecurityInciteRants?d=dnMXMwOfBR0" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/SecurityInciteRants/~4/fI6yITpN_68" height="1" width="1"/&gt;</description>
 <comments>http://securityincite.com/blog/mike-rothman/the-daily-incite-3-10-09-crayon-appreciation-day#comments</comments>
 <category domain="http://securityincite.com/security-incite-rants/daily-incite">Daily Incite</category>
 <pubDate>Tue, 10 Mar 2009 08:27:47 -0500</pubDate>
 <dc:creator>Mike Rothman</dc:creator>
 <guid isPermaLink="false">1072 at http://securityincite.com</guid>
<feedburner:origLink>http://securityincite.com/blog/mike-rothman/the-daily-incite-3-10-09-crayon-appreciation-day</feedburner:origLink></item>
</channel>
</rss>
