Security Incite Rants
http://securityincite.com/blog/mike-rothman
Security Incite Rants strives to inform, educate, and provide a unique (and at times controversial) perspective on the information security business.
The Daily Incite - 10/7/08 - Deal: Symantec buys MessageLabs
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/416803138/the-daily-incite-10-7-08-deal-symantec-buys-messagelabs
<div id="topcontent" style="text-align: center">
<img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" />
</div>
<div id="leftcontent">
<h2>October 10, 2008 - Volume 3, #81 </h2>
<p>
Good Morning: <br />
The Big Yellow is at it again and this time they better bring a Big
Yellow Teapot. On Wednesday, they announced a <a href="http://biz.yahoo.com/iw/081008/0441201.html" target="_blank">$695 million deal to acquire MessageLabs</a>
and go "all in" on the email and web SaaS space. It's kind of an
interesting deal and there are a lot of nuances, but overall it's very
reflective of Symantec's acquisition strategy. Here are some initial
thoughts on the deal.<img src="http://www.pragmaticcso.com/Images/big-yellow-teapot.jpg" style="border: 0px solid ; width: 240px; height: 180px; float: right" alt="High tea in Symantec-land" vspace="10" hspace="10" /><br />
</p>
<ol>
<li>This deal is not a surprise to me (<a href="http://securosis.com/2008/10/08/symantec-buys-messagelabs/" target="_blank">as it was to Adrian</a>). MessageLabs
has been shopped around pretty much since the Google/Postini deal hit a
while back. It was never a matter of if, it was when and who.<br />
</li>
<li>Symantec's M&A strategy seems to be to spend a lot
of money and get the perceived "leader" in the space. This deal is
EXPENSIVE. Paying 5x revenue for a 20% growth rate company is a big
number. I'm sure MessageLabs wasn't about to settle for a smaller
number than Postini and there may have been other bidders to raise the
stakes. But by any measure (especially in this economy), it's an
expensive deal.<br />
</li>
<li>Symantec needed a better services strategy, so there are a
lot of go-to-market synergies. And MessageLabs used a lot of Brightmail
technology under the covers, so there is some technical synergy as
well. <br />
</li>
<li>If a company wants to be a real, long term player in
security, they need to have the ability to offer their stuff as a SaaS
offering. McAfee is pretty weak in this respect and the MessageLabs
deal makes SYMC rather strong. Of course, whether the field figures out
how to position the gateway product vs. the service remains to be seen,
but customers are demanding flexibility in how they deploy and Big
Security must deliver.<br />
</li>
<li>Clearly Symantec didn't think they could build it
themselves and grow it fast enough to make a difference, or they would
have bought a much smaller player and driven it through the global
channels. John Thompson has deep pockets and is going to flex them.
Which is good for all those security vendors that have grown too "big"
to get a deal done easily. </li>
</ol>
<p>
Overall, I think it's a decent deal, but at that price they
need to execute well. Of course, M&A execution isn't exactly
Symantec's strong suit. But ultimately, the Big Yellow needed to have a
story for SaaS and MessageLabs gives them a lot to build on. And the
rest of the independent email security players should be a bit
concerned. The number of legitimate exits is decreasing by the day.<br />
<br />
The last one standing is not a good place to be. Have a great
weekend. <br />
<br />
<small>Photo: "<span style="font-style: italic">Big
Yellow Teapot</span>"
originally uploaded
by <a href="http://www.flickr.com/photos/unloveable/2388661262/" target="_blank">unlovable</a></small><br />
</p>
<table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2">
<tbody>
<tr>
<td style="text-align: center; width: 208px"><a href="http://www.pragmaticcso.com"><img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /></a><br />
</td>
<td style="text-align: center"><span style="font-weight: bold">The
Pragmatic CSO: </span><br style="font-weight: bold" />
<span style="font-weight: bold">Available Now! </span><br style="font-weight: bold" />
<br style="font-weight: bold" />
<span style="font-weight: bold">Read the Intro and
Get </span><br style="font-weight: bold" />
<span style="font-weight: bold">"5 Tips to be a
Better CSO"</span><br />
<br />
<a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank">www.pragmaticcso.com</a></td>
</tr>
</tbody>
</table>
<br />
<h1>Incite 4U</h1>
<p>
Please be patient as I evolve the format of TDI to something
that
will work, given I can spend a lot less time on it during the week.
Having a day job kind of puts a crimp on these fun, little hobbies.
Today I'm going to try a hybrid format. Let me know if you think it
sucks.<br />
</p>
<div style="margin-left: 40px">
<ol>
<li>Got NoScript? You better, since <a href="http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html" target="_blank">Jeremiah and RSnake's click-jacking vector
is now documented by Big J himself</a>. The reality is, this is
just another way to pwn your stuff. It's novel, but we are going to see
a lot more novel stuff. The world is going to get a lot harder for a
security person before it gets easier, and that puts a premium on
making sure you can recover from incidents quickly and effectively.<br />
</li>
<li>Enterprises overpay for AV? <a href="http://www.networkworld.com/news/2008/092908-enterprises-overpay-for-antivirus-software.html" target="_blank">Say it ain't so, Gartner</a>.
Evidently they think so, but the reality is more about bundling than
anything else. Today's suites are not your grandfather's AV suite.
There is a bunch of crap (that you probably don't need). It's more like
an Office suite than anything else. Add more crap to maintain the price
points, even if customers don't need the extra crap. So yes, negotiate
hard and maybe even move to a <a href="http://www.apple.com" target="_blank">real computing platform</a>, but at
the end of the day you'll pay with a smile. Because it costs too much
to not have it, even though it's not perfect.<br />
</li>
<li>Mitnick talks about protecting his own data, just in case
someone <a href="http://www.networkworld.com/community/node/33470" target="_blank">realizes you are a convict and a hacker and
wants to give you a hard time in airport security</a>. These
aren't bad tips, especially the idea of having all your relevant data
replicated somewhere else (I prefer to replicate to various machines on
my own network and a backup service in the cloud), and yes, you should
be encrypting your hard drive.<br />
</li>
<li>Let's go over this again. COMPLIANCE &lt;&gt;
SECURITY. And bogus compliance definitely does not equal security. <a href="http://www.scmagazineus.com/Was-Forever-21-wrongly-certified-PCI-compliant/article/118739">Forever
21 may have been wrongly granted the PCI rubber stamp</a>, but
ultimately it doesn't matter. Even compliant organizations will get
nailed. Hopefully they'll be able to figure it out quickly and notify
me even faster, so I can contain my own damage. Though I do think this
is another data point to how important it is for the PCI poobahs to get
that quality program in place and to start holding QSAs accountable
when they blatantly screw up.<br />
</li>
<li>Pay-per-use investigations? Hmmm. <a href="http://biz.yahoo.com/bw/081006/20081006005643.html?.v=1" target="_blank">Verizon is using EnCase on a pay-per-use
basis</a> and I guess Guidance is being creative in getting their
software sold. You'd think a company as big as VZ would be doing
investigations all the time, and they'd be able to use EnCase as a key
part of their investigations team, so bounding its use wouldn't make
sense. But I guess Guidance will take what they can get.<br />
</li>
<li>Qualys adds <a href="http://www.qualys.com/company/newsroom/newsreleases/usa/?view=20081001" target="_blank">web app scanning to their PCI "compliance"
offering</a>. It's about time, but the real question is how
functional is the app scanner. Is it ScanAlert (meaning a joke) or is
it AppScan. And ultimately, a bunch of the apps are compromised using
good old human ingenuity, so does this really make a difference? I'd
say yes because even low hanging fruit tastes good to hungry attackers.<br />
</li>
<li>Websense <a href="http://biz.yahoo.com/iw/081002/0439783.html" target="_blank">finally releases a DLP endpoint agent</a>.
Right on time. They also integrate the DLP and web security gateway
about 2 1/2 years after acquiring Port Authority. At least there is
some urgency over there to maintain technical innovation.<br />
</li>
<li>This is a pretty old post on the VZ Security blog (yes, the
former TruSecure/CyberTrust guys), but it's rock solid. It's about <a href="http://securityblog.verizonbusiness.com/2008/09/26/security-roi-time-to-think-differently/" target="_blank">how to justify security ROI</a> and
acceptance of the reality that it is a big cow patty. The point is
summarized here: "You need to revalue your environment and show how,
without these components, the risk you’re presented with
outweighs the cost of bringing it up to snuff." Amen. Though you are
still making up your numbers to figure out the economic impact of the
risk, at least this post positions the right way to think about it.<br />
</li>
<li>Stuart King talks about the need to <a href="http://www.computerweekly.com/blogs/stuart_king/2008/10/itsecurityisdead.html" target="_blank">think about security within the context of
business</a>. And the reality that not all controls need to be
expensive. He's absolutely right and reflects the reality that many
folks are still stuck in 1990s thinking (throw a product at it and the
problem goes away) and even more recent thinking (check the compliance
box and the problem goes away). But the problem is not going away
because it's a fundamental business problem.<br />
</li>
</ol>
</div>
<br />
</div>
http://securityincite.com/blog/mike-rothman/the-daily-incite-10-7-08-deal-symantec-buys-messagelabs#comments
Daily Incite
Fri, 10 Oct 2008 08:17:35 -0500
Mike Rothman
1031 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/the-daily-incite-10-7-08-deal-symantec-buys-messagelabs
Career Advice from the POPE
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/414799985/career-advice-from-the-pope
<p>
As I mentioned Monday, I'm now <a href="http://feeds.feedburner.com//blog/mike-rothman/holy-crap-i-took-a-job" target="_blank">another vendor puke</a> - working for <a href="http://www.eiqnetworks.com">eIQnetworks</a> to help security professionals do their stuff better. Given the flexibility, limited stress, and very comfortable economic prospects of continuing Security Incite, why on earth would I take a job?<br />
<br />
<img src="http://www.pragmaticcso.com/Images/pope-room.jpg" align="right" vspace="10" width="240" height="180" hspace="10" />Basically, a number of things came together - the first being my own restless soul. As I look back through my career, about every 2-3 years I've decided to do something else. Not always with another company, but I've changed my job responsibilities on a fairly regular cycle. It's been about 3 years since I left my last "job" and I was definitely looking to do something else.<br />
<br />
Not a job, mind you. But to pretty radically change what Security Incite did and what it offered.<br />
<br />
Then I got a call from an old friend and mentor, who asked me to come in and do some consulting in his new shop. So I did, and I guess the rest is history.<br />
<br />
But I didn't take the decision lightly; I actually agonized about this more than I have any other career decision in my life. After I took a step back, I built a set of attributes on which I'd evaluate the job and the decision. Basically I went to visit the P.O.P.E.
</p>
<p>
No, I didn't really go see clergy to help me make the decision. Not that there's anything wrong with that, but it's not me. I tend to listen to my gut about big decisions and the following 4 buckets really helped my gut get some clarity. Perhaps these 4 topics will help you out in your next job search.<br />
<br />
<i><b>People</b></i><br />
<br />
Ultimately working for a company is all about the people. You spend an awful lot of time with these folks, so you better enjoy hanging out with them. Additionally, they better be good folks and able to do their job. The key question is can these folks get it done? Besides Jim Geary, eIQ has a number of other top notch folks. If the people weren't up to the task, there is no way I'd have joined the company.<br />
<br />
<i><b>Opportunity</b></i><br />
<br />
Without a market, it doesn't matter how good the people are. I've been there and done that. So the fact that I'd done more work on security management than probably any other topic was very helpful. I understood the customer problems, the issues with the existing products in the market and the fact that the space already supports at least two $100 million+ players, so there is a real opportunity there. <br />
<br />
<i><b>Product</b></i><br />
<br />
If the product sucks, it doesn't matter how good the people are, or how large the opportunity is. You aren't going to get there. So I took a detailed look at SecureVue, eIQ's enterprise-class security and compliance management product. It's been in the space for about 18 months, and is in use in quite a few large, enterprise class customers. These accounts are happy and eIQ is winning head to head deals against the biggest players in the space.<br />
<br />
More importantly, in my strategy role, I'll have a hand in pushing the product forward and making sure it continues to meet the needs of the largest customers and government agencies out there.
</p>
<p>
<i><b>Exit</b></i><br />
<br />
Finally, if there are limited potential exits for the company, the capabilities of the people or the market or the product just don't matter. The good news is that there are still quite a few large IT vendors that do security and compliance management pretty poorly. Of course, we have a lot of work to do to add enough value to make a difference, but at some point many of the "Big Security" players will realize that their offerings are lame and need to bring on something better.<br />
<br />
eIQ has a lot of flexibility in looking at these strategic options a few years down the line. The company is entirely self-funded, thus far, so there aren't a bunch of pissy investors who have had their money tied up for 7 years and have little opportunity for liquidity any time soon.<br />
<br />
Of course, companies are not sold, they are bought. So we need to just keep executing on our plans and at some point down the road, we're confident a partner will come find us. But without that flexibility and the prospect of a liquidity event somewhere down the road, the opportunity at eIQ would be far less interesting.<br />
<br />
<b>Final thoughts</b><br />
<br />
I wasn't kidding when I said I agonized over this decision. I was really happy as a one-man band and doing quite well. But ultimately I fancy myself to be a builder and eIQ gives me the opportunity to build a strong strategy and marketing function. I'll be able to add a lot of value, almost immediately, and be able to work with some folks I really respect in a market space that I like.<br />
<br />
So from that standpoint, it's all good. But one final parting thought is that my three years doing Security Incite has liberated me from worry. I started with nothing and built something and was able to support my family. If need be, I can do it again. So I'm not scared anymore about being able to pay the bills.<br />
<br />
That confidence gives me the ability to take risks because even if it doesn't work out, I know I'll figure something out. Which is a good place to be.
</p>
<p>
<small>Photo: "<i>Pope's Blessing</i>" originally uploaded by <a href="http://www.flickr.com/photos/alykat/7317621/" target="_blank">alykat</a> </small>
</p>
http://securityincite.com/blog/mike-rothman/career-advice-from-the-pope#comments
Career
Incites/Observations
Wed, 08 Oct 2008 07:59:37 -0500
Mike Rothman
1030 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/career-advice-from-the-pope
The Daily Incite - October 7, 2008
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/413871619/the-daily-incite-october-7-2008
<div style="text-align: center" id="topcontent">
<img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" style="width: 448px; height: 107px" alt="Today's Daily Incite" />
</div>
<div id="leftcontent">
<h2>October 7, 2008 - Volume 3, #80 </h2>
<p>
Good Morning: <br />
It's 5 AM as I sit down to write this, and the house is very quiet. I
like the quiet. It gives me time to think. To contemplate life, love
and happiness. You see, on my birthday, I try to take a step back and
think about the bigger picture. That's right, today I turn 40.
Actually, it doesn't feel a lot different than 39. And even scarier, I
can't really remember how I felt when I turned 30 or what we did.<br />
<img src="http://www.pragmaticcso.com/Images/happy-40-michael.jpg" alt="Happy B-Day to me..." style="border: 0px solid ; width: 240px; height: 180px; float: left" vspace="10" hspace="10" /><br />
Around the Jewish holidays I always revisit my goals. That will happen
on Thursday. I start with the big things I think I should accomplish
over a long period (say 10 years, for argument's sake), then I break
them down into a series of mid-term milestones and then an annual set
of tactics that will get me there.<br />
<br />
But that's not today. My birthday is about forcing me to take an honest
view of where I am and who I am. In the past, this was largely a
negative endeavor. I focused on who I WASN'T, not who I was. I focused
on what I DIDN'T have, not what I had. I was brutally honest about what
needed to change.<br />
<br />
It made me tired. And grumpy. So I'm not going to do that anymore. <br />
<br />
I've got it pretty good. Check that, I've got it very good. The Boss
loves me and so do my kids. I live a pretty nice lifestyle. Not
opulent, but comfortable. I enjoy what I do, so it doesn't really feel
like work (most days). <br />
<br />
We all have problems. Mine are manageable and that makes me pretty
lucky. Check that, very lucky.<br />
<br />
So it's a good day. I feel very optimistic about the next 10 years.
There will be bumps, bruises and unforeseen curves. But entering my
fifth decade, I'm pretty sure I'll be able to ride through the storms
and enjoy the sunshine. It's hard, since it's not my natural
perspective, but I'm trying to be a half-full type of guy. And on my
birthday, as I take a step back, I realize my cup runneth over. And for
that I'm grateful.<br />
<br />
Have a great day. I'm certainly going to. <br />
<br />
<small>Photo: "<span style="font-style: italic">Knitting
Themed Birthday Cake!</span>"
originally uploaded
by <a href="http://www.flickr.com/photos/mikewade/1696989447/" target="_blank">mikewade</a></small>
<small>(As you can see, I'm quite a knitter!)</small><br />
</p>
<h1>Incite 4U</h1>
<p>
Please be patient as I evolve the format of TDI to something
that will work, given I can spend a lot less time on it during the
week. Having a day job kind of puts a crimp on these fun, little
hobbies. Today I'm going to try a hybrid format. Let me know if you
think it sucks.<br />
</p>
<div style="margin-left: 40px">
<ol>
<li>Adrian Lane of Securosis is starting to look into the
SIM/SEM market and flex his "expert" muscles on SearchSecurity. <a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1327864_tax312277,00.html" target="_blank">This piece</a> gives you some tips on
how to think about SIM, but keep in mind that you've got to know what
the "right" data is and that may change. So better to capture more data
than less up front and stay focused on how the tool will help you do
your job better.<br />
</li>
<li>Will IPS ever hit the tipping point? Sorry, bad pun. <a href="http://www.networkworld.com/news/2008/092308-ips-survey.html" target="_blank">NetworkWorld covers some Infonetics data on
IPS usage in enterprises.</a> Most only block a small amount and
monitor the rest. Who cares? It seems like a dead argument to me. It's
still all about REACTING FASTER, which means getting intelligence from
the monitoring is far more important than actually blocking the 15% of
crap you know is bad. IPS is another data source, and as long as you
keep things in context, it's all good.<br />
</li>
<li>Fonzie, you know Henry Winkler, <a href="http://booksaio.net/ebooks/categories/syngress-zen-and-the-art-of-information-security/" target="_blank">gives away a download</a> of his
latest Zen book on Information Security (file is a .rar). Oh, it's Ira
Winkler? Got it. That's OK, he's jumped the shark too.<br />
</li>
<li>Stiennon calls Nokia getting out of the security appliance
business as <a href="http://www.networkworld.com/community/node/33336" target="_blank">"the end of an era."</a> I say it's
just market reality. They hadn't invested in the business, let everyone
else take their market share and now they'll be lucky to get a song and
a dance for the operation. That's what happens when you stop minding
the store.</li>
<li>To quote that old Clapton song - It's in the way that you
use it. <a href="http://riskmanagementinsight.com/riskanalysis/?p=447" target="_blank">Alex fights back against risk management
skeptics</a>, but ultimately all of these efforts are about
trying to figure out what to focus on. Some do it scientifically, some
do it by gut. And in the end we are all dead. So how about that? I
don't care what temple you pray at, just make sure you can answer the
question about what you are focusing on now, and why...</li>
<li>Blame will get you nowhere. Some researchers prove most
users are dimwits. <a href="http://www.emergentchaos.com/archives/2008/09/blaming_the_victim_yet_ag.html" target="_blank">Shostack says it's because the developers
aren't doing their job.</a> Everyone is right. But we are still
dead in the end. The real question is how do we defend ourselves given
1) users are dimwits and 2) developers aren't doing their job.</li>
<li>Tell Rich I'll sell his crystal ball back to him for $10.
Given <a href="http://securosis.com/2008/09/29/impact-of-the-economic-crisis-on-security/" target="_blank">his projections of the impact of the
financial crisis</a> are right on the money, he doesn't need it
and therefore there isn't much value. Personally, I think the crisis is
only going to accelerate the underlying market dynamics. All of these
things were well underway for a long time. And the Travelocity gnome is
a cool dude. He's showing up at my party this weekend and bringing the
40 year old scotch.</li>
<li>Kick them when they are down, according to my favorite
Taoist. <a href="http://taosecurity.blogspot.com/2008/09/is-experience-only-teacher-in-security.html" target="_blank">The idea of having plans in the can and then
pulling them out after an incident</a> (when the manager will be
more receptive) seems a bit disingenuous to me. Of course, that's how
it works in the real world. You won't get funding until there is some
urgency. But to not evangelize and talk about why something is
important (even if you know the likelihood of success is small) is the
wrong approach. If you are already on record saying the organization
needs to do something, and then an incident happens to create the
urgency, then you are in a good position. Not to say "I told you so,"
but to act as the cavalry to get things fixed up.</li>
</ol>
</div>
<br />
</div>
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-7-2008#comments
Daily Incite
Tue, 07 Oct 2008 09:48:25 -0500
Mike Rothman
1029 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-7-2008
Holy Crap! I took a job...
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/412751632/holy-crap-i-took-a-job
I'm constantly amazed by life's little surprises. If you would have told me I'd take a job before the end of 2008, I'd have laughed. But only after calling you a number of things I wouldn't say to my kids.<br />
<br />
<img src="http://www.pragmaticcso.com/Images/old-time-clock.jpg" align="right" vspace="10" width="240" height="192" hspace="10" />It's true. <a href="http://www.eiqnetworks.com/news/eIQ_Geary_and_Rothman.shtml" target="_blank">I've been named Senior Vice President of Strategy and Chief Marketing Officer of eIQnetworks</a>. I've rejoined forces with Jim Geary, one of the co-founders of SHYM to work with the existing team and take eIQ to the next level. <br />
<br />
No, I wasn't expecting this. No, I wasn't looking for a job. No, I didn't "need" to. Yes, I'm probably nuts for taking another vendor job. But a number of pretty cool things came together and compelled me to make this move.<br />
<br />
I should always remember that "never" is a very long time. Given my short attention span, the idea of "never" doing anything again is pretty silly.<br />
<br />
First things first, you may not have heard of <a href="http://www.eiqnetworks.com" target="_blank">eIQ</a>. We (wow, it's weird to refer to a vendor as "we") provide a security management platform that transforms the way security, audit and compliance professionals do their jobs. Our product set fits very cleanly into my world view of how security management needs to evolve and what the products in the space need to do.<br />
<br />
Yep, I've pretty easily slipped my slick marketing hat back on, eh?<br />
<br />
<b>Security Incite will live on!</b><br />
<br />
Obviously, I can't continue to parade around as an "independent" analyst. So as of today I'm no longer President and Principal Analyst of Security Incite. I think I'll just call myself Chief Blogger. That's right, I'll still blog right here and do my usual "no bull" analysis of what's happening in the security space.<br />
<br />
I'm also going to evolve the Daily Incite to a more reasonable format for a part time "hobby." No it won't be daily (but I'm too lazy to change the logo), but that shouldn't be a surprise because it hasn't happened daily in about two years. I'll probably do 2-4 snippets twice a week or so. I'll also continue to do at least one detailed post a week based upon what I'm seeing in my travels and working with customers.<br />
<br />
I'm not going to talk (much) about eIQ on the Security Incite blog, though tomorrow I will dig a bit deeper into my rationale for making this move. Obviously I'll disclose when any of my posts would/could be influenced by my employer or slam my competition. Surprisingly enough, we're launching <a href="http://eiqviews.wordpress.com/" target="_blank">a blog at eIQ</a>, so add that to your <a href="http://feeds.feedburner.com/eIQviews" target="_blank">feed reader</a>. A few of my colleagues and I will be blogging about security and compliance management over there.<br />
<br />
Part of my job as SVP, Strategy is to be very visible in the community. So I'll be doing a lot of speaking engagements, trade show appearances, and meeting with enterprise customers. If you are interested in having me come speak to your group, I'm game - just drop me a note. I'll even bring a few Pragmatic CSO books to raffle off.<br />
<br />
I'm humbled and grateful that all of you have joined me on this journey for the past few years. You've challenged my positions, told me about what is really happening out there, and become good friends. As I move into this new role, I hope you'll stick with me as I continue to poke fun at idiocy, fight mediocrity, and try to make a difference in how security professionals do their jobs.<br />
<br />
At some point, I expect to open shop again as an analyst because I really do love the role. But until then, I hope you are still able to enjoy the Incite of yet another vendor puke. <br />
<br />
<small>Photo credit: "<i>old time clock</i>" originally uploaded by <a href="http://www.flickr.com/photos/mbtrama/2456237870/" target="_blank">mbtrama</a></small>
http://securityincite.com/blog/mike-rothman/holy-crap-i-took-a-job#comments
eIQnetworks
SI Announcements
Mon, 06 Oct 2008 07:19:25 -0500
Mike Rothman
1028 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/holy-crap-i-took-a-job
Crazy Consolidation Will Continue
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/408561528/crazy-consolidation-will-continue
<p>
They say it's very healthy to laugh a good, hearty laugh every single day. I try to do that, and thankfully we all have Stiennon to give us fodder at least once a week. <a href="http://www.networkworld.com/community/node/33391" target="_blank">His latest missive had me howling</a>. Though I'm sure he didn't mean it to be so funny, his piece on the McAfee/Secure Computing deal was exactly that.
</p>
<p>
You see, Stiennon fancies himself as a contrarian. Yet, most of the time he seems to be a contrarian just to be a contrarian. Clearly the "IDS is dead" call has been totally merged into his DNA and he's not capable of viewing anything through any other prism. In fact, it seems Stiennon's MO now is to not say anything unless he has something contrarian to say.
</p>
<p>
Listen, if I made a ballsy call like IDS is dead, then I'd probably be wanting to relive it every working day for the rest of my career. 5 years later we are still talking about it. Or at least Richard is. Indulge me for a second and let's visualize a phone call to Richard's office.
</p>
<p>
<img src="http://www.pragmaticcso.com/Images/tull-living-in-the-past.jpg" align="left" vspace="10" width="200" height="197" hspace="10" />(ring, ring)<br />
Stiennon: Hello, this is Stiennon. Did you know that IDS is still dead? What can I do for you? How about a keynote speech?
</p>
<p>
Caller: Hi Richard. This is 2008 calling.
</p>
<p>
Stiennon: Huh? What do you mean you are 2008?
</p>
<p>
Caller: I'm 2008. The year. And I was calling to tell you that maybe you should think about living in the now. I'm not feeling any love from you. I just got off the phone with 2003 and he's pretty pissed that you won't let him rest. He wants to fade off into the sunset, and you won't let it go. Maybe read some Eckhart Tolle or something.
</p>
<p>
Stiennon: Yeah, I'll get right on that. How about I speak at your New Year's Eve party? Or do I need to talk to 2009 about that? I can talk about the cyber-threat of upper Bolivia...
</p>
<p>
Of course, I'm kidding here. It's easy to poke fun at Richard. Probably as easy as it is to poke fun at me. Richard also seems to want to take credit for telling McAfee to go buy some stuff way back when. I wonder if he told them to run the Entercept technology into the ground? It sounds like some of the stuff we hear from Presidential candidates. Remember that Gore invented the Internet and McCain was behind the Blackberry?
</p>
<p>
Though he does make some decent points about the fact that McAfee has been a bit schizo about the network security business. But as I mentioned <a href="http://feeds.feedburner.com//blog/mike-rothman/deal-mcafee-gets-more-secure" target="_blank">in my post on the deal</a>: times are different now and these times call for a different set of offerings to bring to the market. And the price was right.
</p>
<p>
If you used Richard's yardsticks of a good deal: Growth companies with little overlap, or a large channel engine buying technology to feed the beast - you'd miss a key strategy that works when the markets are either plateauing or maybe even contracting. That's the market consolidation strategy. Of course, Richard is very vocal about how stupid consolidation is, but it's a fact of life.
</p>
<p>
There is no doubt that Secure bungled the CyberGuard deal. In fact, it ended up killing the company. They didn't really execute crisply on the CipherTrust deal either and you end up having to sell to McAfee for a song and a dance when you screw up. But that doesn't mean that someone else can't make sense of it and make the deal work.
</p>
<p>
Fact is, we are going to see a lot of deals over the next 18 months. There are no IPOs and there won't be anytime soon. There will be a few good, high multiple deals, but not many. And there will be a LOT of deals that don't hit either of Richard's deal qualifiers. But they'll be cheap and not paying a lot can make even a bad deal on paper into a good deal for shareholders.
</p>
<p>
<img src="http://www.pragmaticcso.com/Images/no-exit.jpg" align="right" vspace="10" width="240" height="161" hspace="10" />And the reality is things are likely going to get a lot tighter on the VC front, so many of those companies still trying to find their markets are going to die on the vine. With limited exit possibilities, the VCs are going to be very selective about who they allow to continue living.
</p>
<p>
Actually, Richard's strong grasp of history (at least the history he wrote) will come in handy. I suspect 2009 will look a lot more like 2001 than anything else. Very little funding, tight budgets, and a big hangover resulting from some investment bankers partying like it's 1999.
</p>
<p>
<small>Bottom photo credit: "<i>No Exit</i>" originally uploaded by <a href="http://www.flickr.com/photos/braheem/2143069796/" target="_blank">braheem</a></small>
</p>
http://securityincite.com/blog/mike-rothman/crazy-consolidation-will-continue#comments
Incites/Observations
Wed, 01 Oct 2008 14:52:19 -0500
Mike Rothman
1025 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/crazy-consolidation-will-continue
The Daily Incite - September 29, 2008
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/406225450/the-daily-incite-september-29-2008
<div id="topcontent" style="text-align: center">
<img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" />
</div>
<div id="leftcontent">
<h2>September 29, 2008 - Volume 3, #79 </h2>
<p>
Good Morning: <br />
It doesn't seem to be common knowledge, but we are in the midst of a
gas shortage in northern ATL. I suspect it's all over the metro Atlanta
area, but I can only speak for the 10 mile radius I scoured on Friday
trying to get gas for my car. I must have passed 15 different stations
that had no gas before I got lucky. A friend called with a tip on a
station that just got a delivery and had gas. So I dutifully waited in
line for about 40 minutes and filled up. Thanks to the iPhone, I could
still be reasonably productive - but still, that's 40 minutes I'll
never get back.<br />
<img src="http://www.pragmaticcso.com/Images/no-gas.jpg" style="border: 0px solid ; width: 240px; height: 160px; float: left" alt="No Gas for U" vspace="10" hspace="10" /><br />
We also got lucky last week when the Boss went to go fill up the van.
She dropped the kids off at school and only had to wait 10 minutes at a
local shop. I just drove by that specific station and the line is
around the corner to get into both entrances. It's basically a mess.<br />
<br />
Of course, it's great when the government is very supportive of the
plight of the citizens. Our own esteemed Gov. Perdue thinks the
shortage is "<a href="http://www.ajc.com/metro/content/business/stories/2008/09/25/gasgov.html" target="_blank">self-induced</a>."
Evidently he hasn't
tried to fill up recently. It doesn't seem easy to govern with your
head up your ass, but I guess he's trying.<br />
<br />
I was talking to my Mom over the weekend and we talked about the 1973
gas crisis. Obviously I was very young, but I still remember Mom
loading my brother and me into the Volvo station wagon at 5 AM to go
wait in line to fill up. I guess those were scary times, but 5-year-olds
don't really understand that. I guess what goes around, comes
around and here in the ATL it's coming around. <br />
<br />
Tight supplies are being caused by the fallout from Hurricane Ike.
Evidently a significant portion of refining capacity is still offline
or ramping back up slowly. It reminds me that we are still very very
dependent on fossil fuels to drive the economy. And as those fuels wane
or become more expensive or are increasingly controlled by unfriendly
parties - our economy is at risk. Sure we've got to work through this
mortgage mess on Wall Street. But energy is clearly the biggest issue
we (as a global community) face over the next 10 years.<br />
<br />
We are doing our part by not doing unnecessary driving this week until
supplies loosen up. Even though I don't need a new car, I'm seriously
thinking about putting my name on a waiting list for a hybrid. Maybe
this time I'll actually do it. And as soon as they come out with a
hybrid van, we are there. Sure it's a bit more money up front and the
direct payback in terms of dollars is a bit suspect. But it's hard to
put a price on the heartburn we suffer from driving around on E, hoping
the next service station has fuel (and you won't have to wait in line
for a
couple of hours) before we run out of gas and have to walk home.<br />
<br />
And before I forget, Happy Birthday to my kid brother. His birthday was
over the weekend. We had a lot of fun hanging out with the kids running
around and creating havoc. As tough as things are, you've got to take
the time to celebrate the good times. And to step back and enjoy the
ride a bit. Sometimes it's hard, but you need to make a specific focus
to make it happen.<br />
<br />
Have a great day and I should be back on Wednesday, since tomorrow is a
holiday for me. L'Shana Tova to all observing tomorrow. <br />
<br />
<small>Photo: "<span style="font-style: italic">No
Gasoline</span>"
originally uploaded
by <a href="http://www.flickr.com/photos/eschipul/2853415571/sizes/s/" target="_blank">eschipul</a></small><br />
<br />
</p>
<table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2">
<tbody>
<tr>
<td style="text-align: center; width: 208px"><a href="http://www.pragmaticcso.com"><img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /></a><br />
<span style="font-weight: bold"></span><span style="font-weight: bold">The
Pragmatic CSO: </span><br style="font-weight: bold" />
<span style="font-weight: bold">Available Now! </span><br style="font-weight: bold" />
<br style="font-weight: bold" />
<span style="font-weight: bold">Read the Intro and
Get </span><br style="font-weight: bold" />
<span style="font-weight: bold">"5 Tips to be a
Better CSO"</span><br />
<br />
<a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank">www.pragmaticcso.com</a><br />
<span style="font-family: Arial"></span></td>
<td style="text-align: center"><span style="font-weight: bold">Get Your Special Report: <br />
<big style="font-style: italic">6 Easy
Steps to Protect Your Identity</big><br />
and<br />
get access to Security Mike's Portal today<br />
<br />
<a href="http://tdi.securitymike.com">www.securitymike.com<br />
</a><br />
<a href="http://tdi.securitymike.com"><img src="http://www.securitymike.com/Images/Book-3D-smaller.jpg" alt="Security Mike's Guide to Internet Security" style="border: 0px solid ; width: 178px; height: 236px" /></a><br />
</span></td>
</tr>
</tbody>
</table>
<br />
<h1>Top
Security News</h1>
<p>
<span style="font-weight: bold"><a title="TSN1" name="TSN1" id="TSN1"></a>And in this corner the white list...</span><br />
<span style="font-style: italic">So what? </span>-
Larry Seltzer takes in a <a href="http://www.eweek.com/c/a/Security/Mark-Russinovich-On-The-Future-Of-Security" target="_blank">video
interview of Mark Russinovich</a>
(yes, the Sony rootkit guy and one of the big brains pushing
Microsoft's security strategy) and questions the viability of white
lists. To paraphrase Larry, white lists are cool if you can shove a
policy down a user's throat (like most corporates can), but they are
useless for consumers. To be fair, Larry does say he hopes he's wrong
because he buys into the concept of executing only authorized
applications. Amazingly enough (especially if you ask the Boss), this
situation isn't black and white. The reality is there is a continuum
and we need to understand that. Even in the corporate world, there need
to be gradations of lock-down, which treat different groups
differently. Since the finance team is dealing with very important
data, their devices should be locked down tighter than some other
group. Same goes for consumers. They should have options to
incrementally enforce greater levels of lockdown. You can sort of do
that through different browser configurations and parental controls, but
it's hard and requires a lot of pieces, and any savvy kid is going to
be able to get around it. There is definitely a place for white lists
in your security arsenal, but you need to make a choice as to how
strictly you enforce them (and subsequently how much clean up you are
willing to do).<br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-29#TSN1">this</a></small><br />
<br />
<a title="TSN2" name="TSN2" id="TSN2"></a><span style="font-weight: bold">Who are you? What are you doing
in my house?</span><br />
<span style="font-style: italic">So what? -</span>
I love those movies where the main character wakes up and is in a
totally strange place, surrounded by "family" that he doesn't even
know. Lots of silliness tends to ensue and then the person wakes up and
realizes it's been a dream. They learn some heavy lesson and become a
better person. You wonder if the folks at IBM look around what's left
of ISS and wonder what the hell happened? Most of my contacts at ISS
are gone. That's actually to be expected, since it takes a different
kind of person to survive and thrive in a Big Blue culture. But what's
more interesting is how two years after the deal, the ISS group is
trying to become relevant again. <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1332042,00.html" target="_blank">Now
they are making product announcements
and talking about how security fits into IBM's overall strategy</a>.
Time flies when you are having fun, no? But two years of fun?!? That's
what makes me chuckle about these big deals. How can any semblance of
integration, which takes two years, be something to cheer about? IBM
dropped $1.3 billion on the deal and as a result ISS has all but
dropped off the radar. Of course, I'm sure they show up in a lot of
deals that just go to IBM (and wouldn't be seen by a guy like me), but
still. $1.3 Big is a lot to spend to wait around for a couple of years
to figure out which end is up. <br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-29#TSN2">this</a></small><small><br />
</small><span style="font-weight: bold"><br />
</span><a title="TSN3" name="TSN3" id="TSN3"></a><span style="font-weight: bold">Microsoft rides a paper surfboard
to the top of the Wave</span><br />
<span style="font-style: italic">So what? -</span>
The Forresters checked out a bunch of data sheets and decided Microsoft
was "top of the NAC heap." Not sure if they used those words, but
that's what <a href="http://www.networkworld.com/newsletters/vpn/2008/091508nac1.html" target="_blank">Tim
Greene says were the results of
Forrester's NAC wave</a>. That kind of finding is pretty
laughable. There is no question that Microsoft will be a player and
they will absolutely own the agent that checks desktop device
integrity. But to think they've got something that is enterprise-ready
is a bit strange to hear. Even better, they put in a disclaimer saying
the study isn't based on "units sold or performance tests," but how
well the products will "meet the challenges of a set of real-world
deployment situations." At least Gartner's ability to execute rating is
based largely on company revenues and product sales. So basically this
was an RFP process. And Microsoft prepared the best response. Great.
People that really buy products understand that a good RFP response
gets you into the bake-off. That's when things like "performance tests"
start to matter. That's why I find it ridiculous that vendors get
judged on this qualitative crap. Ultimately customers only care about
whether a product can solve their problem, not whether the vendor gives
GOOD RFP. Smart customers understand these types of reports can maybe
provide a little perspective on identifying the long list of vendors to
chat with. But to base a buying decision on it is irresponsible.<br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-29#TSN3">this</a></small><small><br />
</small><br />
<span style="font-weight: bold"><br />
</span><span style="font-weight: bold">The Laundry
List</span>
</p>
<div style="margin-left: 40px">
<ol>
<li>Security budgets are still all over the map. Jim Reavis
does a seriously unscientific poll and finds predicting budget impact
to be a shot in the dark. I'm still standing by my thinking that the
next 18 months will be bumpy - even for security folks. - <a href="http://www.riskbloggers.com/jimreavis/2008/09/security-budgets/" target="_blank">Risk
Bloggers</a></li>
<li>I'd say Fortinet breaks out the wallet again, but it's
likely a change purse. They acquire Secure Elements and become firmly
established as the first guys to call in a fire sale. - <a href="http://www.secure-elements.com/news/SE_Fortinet_Announcement.htm" target="_blank">Secure
Elements release</a></li>
<li>Astaro tries to out-barracuda Barracuda with a $499 email
security appliance, which includes encryption. Keep a lookout for their
new billboard and radio campaigns. Maybe they can get Astro from the
Jetsons to be their corporate spokes-dog. - <a href="http://www.astaro.com/newsroom/press_releases/astaro_enters_dedicated_mail_security_market" target="_blank">Astaro
release</a></li>
<li>John Sawyer reminds us that Fort Knox isn't secure, if you
leave the door open through a faulty configuration. Same goes for
firewalls.
- <a href="http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=164564" target="_blank">Dark
Reading blog</a></li>
</ol>
</div>
<h1>Top
Blog Postings </h1>
<p>
<span style="font-weight: bold"><a title="TBP1" name="TBP1" id="TBP1"></a>Vulnerability &lt;&gt; Risk</span><br />
Let's focus on PCI a bit, since within a week DSS 1.2 will be "live"
and of course, anyone that wants to do credit card business must comply.
Rich talks a bit here about what's required to perform a real "scan"
that the auditors will accept. Many IPS devices will actually block a
number of the scan techniques, which may force the customer to open
ports and/or turn off their IPS to let the scan run. Let's get back to
the idiocy of counting vulnerabilities. A vulnerability is only
important IF it can be EXPLOITED. If the IPS is going to block it, then
who cares? What am I missing here? Let's say the vuln could be
exploited by launching the attack from inside the network (and then
presumably avoiding the IPS). Great, then the scanner should be able to
run from the inside of the network to mimic real-life attack vectors.
What is so hard about this? Turning off your defenses to complete a
test and check a box for an audit is just plain dumb. And an assessor
that pushes a customer to do this is bordering on negligent. Hopefully
the PCI group's emerging quality assurance efforts will make sure this
kind of stuff doesn't happen. <br />
<a href="http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/" style="font-weight: bold" target="_blank">http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-29#TBP1">this</a></small><br />
<br />
<a title="TBP2" name="TBP2" id="TBP2"></a><span style="font-weight: bold">Do as I say or do as I want?</span><br />
Remaining on the PCI topic, Anton brings up a great point about how
prescriptive something like PCI (and every other regulation) can/should
be. Ultimately the choice is between telling someone exactly what to
do, even though that may not be relevant for their environment (like AV
on Linux), or saying you need to "protect private data" but not offering
specifics as to what that means and leaving it up to the customer to
screw it up. It's a tough call, but over the past 10 years we've shown
that just focusing on the outcome desired (as HIPAA, GLBA, and SOX do)
is not a recipe for success. Not by a long shot. Of course, PCI is a
bit overbearing and it's getting more so every time they have a
meeting,
but I'd have to say on balance - having more detailed guidance has been
much more useful than not. At least folks know which boxes they should
be checking. <br />
<a href="http://chuvakin.blogspot.com/2008/09/is-pci-dss-prescriptive.html" target="_blank" style="font-weight: bold">http://chuvakin.blogspot.com/2008/09/is-pci-dss-prescriptive.html</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-29#TBP2">this</a></small><small><br />
</small><br />
<a title="TBP3" name="TBP3" id="TBP3"></a><span style="font-weight: bold">That's right, no one wants to buy
encryption</span><br />
I'm not sure what they are saying most of the time, but the Voltage
blog certainly does post a lot of stuff. Yet this post resonated with
me because it's reflecting a lot of the anecdotal evidence I've been
tracking for a while. No one cares about encryption. It's not that they
don't want to protect their data - they do. But they don't really want
to delve into the details of how it happens. They want it "built-in."
If they look at a SaaS offering, they want it to be secure, their data
encrypted and they don't want to worry about it. When they buy
applications or have an integrator build them, security should be a
feature. Maybe it's encryption, maybe it's not. The customer shouldn't
really care. If full disk encryption is important for mobile employees
(and it is), they want it built into the endpoint suite. Again, they
don't want to worry about it or manage it. Looks like Jim Bidzos had it
right all those years ago. Encryption is a tool kit, design-win type of
business. The success is based upon having more folks build the
encryption into their solutions, rather than getting customers to bolt it on
after the fact. Transparency is still in vogue, especially when
thinking about encryption. <br />
<a href="http://superconductor.voltage.com/2008/09/whats-going-on.html" target="_blank" style="font-weight: bold">http://superconductor.voltage.com/2008/09/whats-going-on.html</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-29#TBP3">this</a></small><small><br />
</small><br />
</p>
</div>
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-29-2008#comments
Daily Incite
Mon, 29 Sep 2008 07:24:25 -0500
Mike Rothman
1024 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-29-2008
Pragmatic CSO Podcast #23 - Picking the Right Product
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/402827805/pragmatic-cso-podcast-23-picking-the-right-product
<p>
<img src="http://www.pragmaticcso.com/Images/troll-nose-pick.jpg" style="border: 0px solid ; width: 110px; height: 240px; float: right" alt="I guess picking noses is like picking products." vspace="10" hspace="10" />
</p>
<p>
This week we'll focus on the 2nd half of Step 6: Buying
Security Products, which gets down and dirty in picking the product.
We've already engaged with a long list of potential vendors (we
discussed that last week) and now it's time to figure out what will
work for you.
</p>
<p>
Next we do a bake-off and actually test the products under
real world conditions. Then we develop our short list (based on
products that can meet the need), then we get to negotiate. Get out
your bat because that's what you'll be using. Finally the selection
should be obvious if you've done the other steps correctly.
</p>
<p>
If you didn't get the <a href="http://securityincite.com/BSP-teaser" target="_blank">Buying
Security Products ebook</a>,
you can sign up for the Daily Incite email newsletter. If you read TDI
via a blog feed, just send me an email and I'll forward the guide over
to you. <br />
</p>
<p>
Running time: 6:56<br />
<br />
Intro music is Jungle and to close the show I bust out a classic from
the Pure Funk age called "Pick Up The Pieces" from the Average White
Band. Yes, you remember it. Yes, you love it. Get funky! <br />
</p>
<p>
Direct Download: <a href="http://media.libsyn.com/media/pragmaticcso/23_Pragmatic_CSO_Podcast_23.mp3" target="_blank">23_Pragmatic_CSO_Podcast_23.mp3</a><br />
<br />
<img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" style="width: 32px; height: 32px" alt="Subscribe" /><a href="http://feeds.feedburner.com/P-CSO-Podcast" target="_blank">Subscribe
in a reader</a><br />
<br />
Photo Credit: <a href="http://www.flickr.com/photos/62348225@N00/188679191/">haledavid1@msn.com</a>
</p>
http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-23-picking-the-right-product#comments
P-CSO Podcast
Thu, 25 Sep 2008 09:06:52 -0500
Mike Rothman
1023 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-23-picking-the-right-product
The Daily Incite - September 24, 2008
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/401819418/the-daily-incite-september-24-2008
<div id="topcontent" style="text-align: center">
<img src="http://www.geronimollc.com/Geronimo/DailyInciteTopBanner2.jpg" alt="Today's Daily Incite" style="width: 448px; height: 107px" />
</div>
<div id="leftcontent">
<h2>September 24, 2008 - Volume 3, #78 </h2>
<p>
Good Morning: <br />
I remember when I was a kid, one of the "crazy" things we used to do
was crank calls. You know, call someone up and call them a name. Or
dial the phone at 2 AM and just let it ring. Or call them and say the
pizza will be delivered in 15 minutes, thanks for the order. Silly
stuff like that. We even took advantage of three way calling phones to
put together some ad hoc conference calls. We'd call the really cute
girl and then connect her to the not so cool guy. They didn't have a
lot to say to each other. Those were a lot of
laughs. <br />
<img src="http://www.pragmaticcso.com/Images/monkey-talk.jpg" style="border: 0px solid ; width: 240px; height: 160px; float: left" alt="Hello. I'm monkey. Your pizza is ready." vspace="10" hspace="10" /><br />
And then caller ID became available. And the *69 service to ring back a
number that just called. I'm sure it was quite a surprise to the first
few crank callers that got a call back from an irate parent about a
call at 2 AM. OK, that gig is done. A casualty of technical innovation.<br />
<br />
Now it seems that simple hacks are also done. Since they have allegedly
identified the Gov. Palin email attacker through, of all things, a
proxy log, it's a lot more dangerous to do simple pranks nowadays. Of
course, hacking into the email account of a vice presidential candidate
is more than just a simple prank, but the outcome is the same.<br />
<br />
You can run, but you can't hide. Unless you live in Estonia, that is.
Script kiddies be warned, unless you fancy a visit from the FBI at an
inopportune time (is there an opportune time for a visit from the
FBI?), you better improve your obfuscation techniques. Attackers always
leave a trail; the question is whether the trail leads to your dorm room,
or somewhere it would be very hard to track. Like Estonia. <br />
<br />
But that's not even the point. They'll make an example out of this
Palin email attacker, and they should. It'll be a deterrent for all of
the novices who realize they are out of their league. Not at
attacking, almost anyone can do that. At not getting caught. <br />
<br />
Will something like this public execution deter the general increase in
Internet fraud that we've seen? I say nope, not by a long shot. The
reality is the risk-reward equation is still heavily weighted in favor
of the bad guys. Especially in Estonia. It's prohibitively expensive to
prosecute them and it's incredibly lucrative for them to continue
stealing. How do you think that ends?<br />
<br />
Right, don't leave anything to chance. Monitor your bank accounts and
credit cards almost daily. Use
strong passwords (and probably a password manager) on the accounts that
matter, like your financial accounts, web mail, and ecommerce sites.
Teach your friends and family to do the same types of things. Apply the
REACT FASTER doctrine to your own personal life. They'll catch some of
the bad guys (especially if they live in the US), but there are always
another 10 waiting to fill the wake of the last one.<br />
<br />
That's just the way it goes. <br />
<br />
Have a great day. <br />
<br />
<small>Photo: "<span style="font-style: italic">0898
Hot Monkey Talk</span>"
originally uploaded
by <a href="http://www.flickr.com/photos/lemur/742218355/" target="_blank">lemur</a></small><br />
<br />
<small>Technorati: <a href="http://technorati.com/tag/information%20security" rel="tag" target="_blank">Information
Security</a>, <a href="http://technorati.com/tag/CSO" rel="tag">CSO</a></small>,
<small><a href="http://www.technorati.com/tag/Security%20Mike" rel="tag" target="_blank">Security
Mike</a>, <a href="http://www.technorati.com/tag/Internet%20Security" rel="tag" target="_blank">Internet
Security</a></small><br />
</p>
<table style="width: 481px; height: 276px; text-align: left; margin-left: auto; margin-right: auto" border="0" cellpadding="5" cellspacing="2">
<tbody>
<tr>
<td style="text-align: center; width: 208px"><a href="http://www.pragmaticcso.com"><img src="http://www.pragmaticcso.com/Images/P-CSO-Cover-170w.jpg" style="border: 0px solid ; width: 170px; height: 259px" alt="The Pragmatic CSO" /></a><br />
<span style="font-weight: bold"></span><span style="font-weight: bold">The
Pragmatic CSO: </span><br style="font-weight: bold" />
<span style="font-weight: bold">Available Now! </span><br style="font-weight: bold" />
<br style="font-weight: bold" />
<span style="font-weight: bold">Read the Intro and
Get </span><br style="font-weight: bold" />
<span style="font-weight: bold">"5 Tips to be a
Better CSO"</span><br />
<br />
<a href="http://www.pragmaticcso.com/" style="font-weight: bold" target="_blank">www.pragmaticcso.com</a><br />
<span style="font-family: Arial"></span></td>
<td style="text-align: center"><span style="font-weight: bold">Get Your Special Report: <br />
<big style="font-style: italic">6 Easy
Steps to Protect Your Identity</big><br />
and<br />
get access to Security Mike's Portal today<br />
<br />
<a href="http://tdi.securitymike.com">www.securitymike.com<br />
</a><br />
<a href="http://tdi.securitymike.com"><img src="http://www.securitymike.com/Images/Book-3D-smaller.jpg" alt="Security Mike's Guide to Internet Security" style="border: 0px solid ; width: 178px; height: 236px" /></a><br />
</span></td>
</tr>
</tbody>
</table>
<br />
<h1>Top
Security News</h1>
<p>
<span style="font-weight: bold"><a title="TSN1" name="TSN1" id="TSN1"></a>Truth? Who needs that...</span><br />
<span style="font-style: italic">So what? </span>-
For liars, the lies aren't really lies. They are "spin." We are seeing
a lot of that type of crap emanating from the Presidential election (on
both sides) and it seems we still see it in our own little technology
world. <a href="http://www.networkworld.com/community/node/32651" target="_blank">Susan Hanley rails against this kind of crap
on her NetworkWorld blog.</a> Sometimes I'd like to have a
conversation like I have with my kids. The reality is kids don't think
you are any smarter than them. They can't really because the idea of
smarter or dumber is an abstract concept. So they figure they can just
pull the wool over your eyes and you'll smile and be happy. Of course,
they don't realize I pulled the same stunts when I was a kid. But at
some point, you grow out of that. At some point you realize that the
person on the other side of the conversation isn't dumb and by
"spinning" a version of the "truth" that may not be so truthful, you
not only alienate them - you piss them off. But it's like the old
Cabletron pricing model (why are you three times more expensive?
Because 10% of the customers just pay it and we discount for everyone
else), they figure a certain percentage of customers won't know the
difference and they'll just accept the spin as fact. Personally, I find
that perspective appalling and do my best to call it out, with great
vengeance and furious anger, upon those who would attempt to poison and
destroy my brothers. <br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-24#TSN1">this</a></small><br />
<br />
<a title="TSN2" name="TSN2" id="TSN2"></a><span style="font-weight: bold">Premature chasmuluation</span><br />
<span style="font-style: italic">So what? -</span>
Great observations here from <a href="http://www.darkreading.com/blog.asp?blog_sectionid=327&doc_id=164144" target="_blank">Tim Wilson on the dichotomy between what
problems customers need to solve today vs. what problems much of the
vendor world is talking about</a>. To use yet another political
analogy, the house is burning down and all we talk about is lipstick on
pigs. He's exactly right and in a lot of cases the media is responsible
for this. Fact is, the media gets paid based on page views now. Most of
the technology magazines are thin and many others have just gone away.
Everything is online nowadays and that means it requires page views to
monetize. No one wants to hear about the burning house because everyone
knows it's burning. It's not interesting anymore. So the media covers
the stuff that is new, maybe sexy, and certainly interesting (like
virtualization security) REGARDLESS of the fact that very very few
people actually have the problem. You also have another dynamic here
which is technology M&A. Emerging vendors need to make their
products interesting, and deceive the buyers (acquirers, not
enterprises) into thinking there is a market for the product. Then they
can get a big valuation and make market development into the acquirer's
problem. And the final factor, most of the folks truly in the trenches
don't listen to a lot of the vendor babble. They are too busy getting
their ass handed to them every day. <br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-24#TSN2">this</a></small><small><br />
</small><span style="font-weight: bold"><br />
</span><a title="TSN3" name="TSN3" id="TSN3"></a><span style="font-weight: bold">Finally, they got the memo - make
endpoint security invisible</span><br />
<span style="font-style: italic">So what? -</span>
It's the fall, so that means many of the AV vendors update their
endpoint security suites. You know, they need to put a new box out and
increment the year to justify the extra $50-75 per desktop they need to
collect to keep themselves fat, dumb and happy. Of course, the past few
years have been problematic because most customers have started to
notice that their PCs are increasingly sluggish and that makes them
unhappy. They don't want to know the AV is working, they don't want to
know it's there, and they certainly don't want their machine to bog
down every time they open an application. Moreover, they don't want to
be interrupted when they are doing something and they don't want to
approve everything they are trying to do. Basically they want
transparency. Until they don't (which is when they are under attack).
Finally it seems the Big Yellow was listening, <a href="http://ptech.allthingsd.com/20080917/symantec-rewrites-its-security-suite-to-curb-nuisances/" target="_blank">according to Walt Mossberg anyway</a>.
And I tend to believe Walt because he's NOT a security guy. He's a tech
user and he's much more interested in user experience. This is good
news for Symantec, since reducing the nuisance factor will become a big
differentiator - absolutely in the consumer space and I also suspect
for business users as well.<br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-24#TSN3">this</a></small><small><br />
</small><br />
<span style="font-weight: bold"><br />
</span><span style="font-weight: bold">The Laundry
List</span>
</p>
<div style="margin-left: 40px">
<ol>
<li>This is why Cisco has such market share. They've got their
own fanboys that save their shekels to buy equipment for a lab to get
more Cisco certifications. - <a href="http://www.networkworld.com/community/node/32901" target="_blank">Cisco
Subnet blog (on NetworkWorld)</a></li>
<li>Words you live to regret. Evidently Websense sees the
economy as a "non-recession." Help me understand the upside of that
kind of statement. Especially after the class action attorneys go after
them when they miss. - <a href="http://finance.yahoo.com/tech-ticker/article/67545/What-Financial-Crisis%3F%3A-Websense-Safe-Behind-Techs-Teflon-Curtain%2C-Says-CEO" target="_blank">Tech Ticker</a></li>
<li>Imprivata gets two patents on biometrics, maybe they are
looking at a Tumbleweed-esque go to market strategy. Except no one
really cares about biometrics. - <a href="http://biz.yahoo.com/bw/080922/20080922005118.html?.v=1" target="_blank">Imprivata
release</a></li>
<li>Oracle updates their GRC offering, but forgets to mention
what the thing does (at least in the release). It's Oracle, just trust
them.
- <a href="http://biz.yahoo.com/prnews/080922/aqm090.html?.v=54" target="_blank">Oracle
release</a></li>
</ol>
</div>
<h1>Top
Blog Postings </h1>
<p>
<span style="font-weight: bold"><a title="TBP1" name="TBP1" id="TBP1"></a>Incident response SCRUM</span><br />
No, this isn't some new game coming from down under. This is a very
interesting idea from Cutaway regarding building incident response and
disaster recovery plans using a structured development process. I'm a
huge proponent of making sure the incident response plan is documented
and practiced (Chapter 8 of the P-CSO), but it's the documented part
that is a challenge for most security professionals - especially given
the number of other fastballs flying at their heads at all times. Don's
idea is to use a system development lifecycle to identify the right
folks, get their requirements, and then figure out the best way to
achieve those requirements. It seems pretty straightforward, and in
concept it is. But doing it in practice is a lot harder. But not as
hard as cleaning up the mess after you've bungled the incident
response. <br />
<a href="http://www.cutawaysecurity.com/blog/archives/320" style="font-weight: bold" target="_blank">http://www.cutawaysecurity.com/blog/archives/320</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-24#TBP1">this</a></small><br />
<br />
<a title="TBP2" name="TBP2" id="TBP2"></a><span style="font-weight: bold">Think like a billionaire!</span><br />
Adam doesn't like that many folks recommend that good guys think like
bad guys. It's too hard. We don't know what the bad guys are thinking.
Adam suggests they try to think like a professional chef to get a feel
for the futility of that kind of approach. How about we think like a
billionaire, which is similarly remote? He makes a good point, but it's
really a play on words. The concept of thinking like an attacker isn't
so much to try to get into their dysfunctional heads, it's to USE THEIR
TECHNIQUES. So you need to understand the tools they use and learn how
they use them, and then you have a chance to defend yourself. Not to
put words in Adam's mouth, but it sounds like what he is really asking for
is better educational tools to train the next generation of security
professionals. Foodies have the Food Network, where if they watch long
enough, they can kind of get an idea of how to "think like a
professional chef." We don't have the Security Channel, so we've got to
do something else to more effectively train personnel. <br />
<a href="http://www.emergentchaos.com/archives/2008/09/think_like_an_attacker.html" target="_blank" style="font-weight: bold">http://www.emergentchaos.com/archives/2008/09/think_like_an_attacker.html</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-24#TBP2">this</a></small><small><br />
</small><br />
<a title="TBP3" name="TBP3" id="TBP3"></a><span style="font-weight: bold">Rich needs to read the Black Swan
(and so do you)</span><br />
The Mogull condemns most risk quantification in this post, mostly
because the Financials can't figure out how to do it (and they have a lot
more at "risk" than us security pukes), so therefore it can't be done.
Rich is right on a lot of these points, but ultimately a lot of the
issue has more to do with the reality that we CANNOT predict outliers.
Every security professional should read <a href="http://www.amazon.com/Black-Swan-Impact-Highly-Improbable/dp/1400063515" target="_blank">The Black Swan</a>. Yes, it's hard to
get through. Yes, your eyes will bleed at times. But it really
solidified in my mind the reality that we cannot predict the next
successful, widespread attack, so you have to plan for that. The sin
of the Financials is that they didn't foresee a total meltdown of the
sub-prime business. It was an outlier and they didn't plan for it and
now the US taxpayer will be footing the bill. You couldn't assign a
probability to this kind of occurrence, but it did happen, which makes
Rich question the ultimate value of trying to quantify risk. The
Black Swan approach assumes nothing and forces you to know how to react
when an unknown happens. And that's how we live to fight another day.
<br />
<a href="http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/" target="_blank" style="font-weight: bold">http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-24#TBP3">this</a></small><small><br />
</small><br />
</p>
</div>
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-24-2008#comments
Daily Incite
Wed, 24 Sep 2008 08:58:11 -0500
Mike Rothman
1022 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-24-2008
Deal: McAfee gets more "Secure"
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/400009169/deal-mcafee-gets-more-secure
<p>
McAfee is proving itself to be the most astute buyer out there in security land. For less than $500 million, <a href="http://biz.yahoo.com/prnews/080922/aqm127a.html?.v=1" target="_blank">they acquired Secure Computing this morning</a> and are now back in the network security business. Pete Lindstrom goes through the <a href="http://spiresecurity.typepad.com/spire_security_viewpoint/2008/09/what-goes-around-comes-around.html" target="_blank">weird chronology</a> and I'm thankful that there are other guys who have been in this space as long as I have - so I don't have to remember everything.<br />
<br />
<img src="http://www.pragmaticcso.com/Images/fish-eat-fish.jpg" alt="Fish eat fish" align="left" vspace="10" width="240" height="180" hspace="10" />Secure Computing has been struggling. You only need to look at the stock chart over the past year to see that. They were caught in no-man's land. Not big enough to do real deals (Securify is not a real deal), but too big to be nimble or easily acquired. Not at close to a billion dollar valuation (which is where they were only a few months ago) anyway. But at half a billion, a deal becomes just a matter of time.<br />
<br />
<a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/09/mcafee-takes-se.html" target="_blank">Alan points out</a> that things started to turn to the negative for Secure once they bungled the CyberGuard acquisition. And before that deal was even through the alimentary canal, they totally over-leveraged themselves with the CipherTrust deal. McNulty got tossed and Dan Ryan (the new CEO) was faced with rebuilding. The stock got hammered and basically it was going to be a long steep climb back up.<br />
<br />
Then McAfee came a knocking, and getting out is probably exactly what the board and the executive team saw as the only feasible option. It seems Dan Ryan is going to stick around and "run" the network security business, and we'll see how much (and who) else decides to stick around.<br />
<br />
What's in it for McAfee? Well besides buying more revenue at a good value, they are also filling out the product line. Apart from IntruVert (the enterprise IPS product), McAfee had very little exposure to the network security market, so there is very little overlap. Secure brings a bunch of firewalls/UTM devices and the email security gateway (CipherTrust's IronMail).<br />
<br />
But the real gem here is Webwasher. McAfee's product in the web gateway space was poor and Secure's is a market leader, and this market continues to grow at a decent clip. McAfee will also try to make a big deal about TrustedSource (Secure's content reputation service), but it's not that novel anymore. Everyone has a reputation service nowadays.<br />
<br />
For a long time, UTM and other network security words were counter to McAfee's positioning. But ultimately how can you say you are a legitimate enterprise security provider without having competitive offerings for securing the network? I could make the same case for Symantec (after they moved their gateway business over to Juniper a few years back). Basically you can't, so the pendulum will keep swinging back and forth, as technologies get spun out and subsumed again.<br />
<br />
The channel synergy will be pretty good as well. Secure was having a hard time keeping enterprise-class sales folks, so having a lot more to sell and being more competitive will certainly help both retain and recruit better folks in the field. McAfee may also be able to revive the CyberGuard business, given its mid-market distribution engine. Existing McAfee reps and channels get access to new product lines that can only broaden the value they offer for customers.<br />
<br />
And let's not forget the US Feds. They are spending money like it's going out of style, or had been anyway before the Treasury wrote a trillion dollar check over the weekend. Secure had a good position in the Government market and McAfee is pretty strong there too. Definitely synergies in one of security's growth markets.<br />
<br />
Of course, synergy on paper doesn't mean a lot until integration and execution happens. Secure Computing proved that many times, so the jury is really out on this deal, but given the price and lack of product overlap - it looks pretty good at first blush.
</p>
<p>
<small>Photo: "Fish eat fish" originally uploaded by <a href="http://www.flickr.com/photos/clara/17335055/" target="_blank">clara </a></small>
</p>
http://securityincite.com/blog/mike-rothman/deal-mcafee-gets-more-secure#comments
Deals
McAfee
Secure Computing
Mon, 22 Sep 2008 12:57:35 -0500
Mike Rothman
1021 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/deal-mcafee-gets-more-secure
Pragmatic CSO Podcast #22 - Homework for Buying Security Products
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/395190337/pragmatic-cso-podcast-22-homework-for-buying-security-products
<p><a href="http://www.cafepress.com/cp/moredetails.aspx?productNo=3318604&pr=F&showbleed=false&colorNo=-1&tab=1"><img src="http://www.pragmaticcso.com/Images/dog-ate-homework.jpg" hspace="10" vspace="10" alt="The dog ate my homework. I swear." style="border-color: initial; width: 180px; height: 240px; float: right; border-width: 0px; border-style: solid" /></a></p><p>As we jump into Step 6: Buying Security Products, it makes sense to understand what kind of homework we are going to have to do to prepare for the process. This is homework you need to do, so I don't want to hear any excuses about the dog eating your homework. Remember, it's easy to buy something, it's hard to buy the right thing at the right time for the right price.</p><p>So this week we discuss the first 4 steps of the Buying Security Products process I published back in 2006. The first step is to understand the business drivers for your project, then you assemble the team, then you educate YOURSELF on the market (don't let the vendors educate you), and only then are you ready to engage with a long list of vendors that can potentially meet the need.</p><p>If you want to check out the <a href="http://securityincite.com/BSP-teaser" target="_blank">Buying Security Products ebook</a>, you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you. <br /></p><p>Running time: 7:14<br /><br />Intro music is Jungle and I finish it up with the Beatles' "Can't Buy Me Love" because at the end of the day that little statement should keep everything in context. 
<br /></p><p>Direct Download: <a href="http://media.libsyn.com/media/pragmaticcso/22_Pragmatic_CSO_Podcast_22.mp3" target="_blank">22_Pragmatic_CSO_Podcast_22.mp3</a><br /><br /><img src="http://www.feedburner.com/fb/images/pub/feed-icon32x32.png" alt="Subscribe" style="width: 32px; height: 32px" /><a href="http://feeds.feedburner.com/P-CSO-Podcast" target="_blank">Subscribe in a reader</a><br /><br />Photo Credit: <a href="http://www.flickr.com/photos/iirraa/198311258/">iirraa</a></p>
http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-22-homework-for-buying-security-products#comments
P-CSO Podcast
Wed, 17 Sep 2008 08:22:49 -0500
Mike Rothman
1020 at http://securityincite.com
http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-22-homework-for-buying-security-products
The Daily Incite - September 16, 2008
http://feeds.feedburner.com/~r/SecurityInciteRants/~3/394241445/the-daily-incite-september-16-2008
<div id="leftcontent">
<h2>September 16, 2008 - Volume 3, #77 </h2>
<p>
Good Morning: <br />
I have to admit, the fall is my favorite part of the year. It wasn't
always that way, but in Atlanta - the fall is just awesome. Of course,
it's mid-September and it's still 80+ degrees. So fall doesn't really
start for another month. But the weather is temperate (as opposed to
the summer), the kids are back in school and their routine, and of
course, it's football season. <br />
<img src="http://www.pragmaticcso.com/Images/golf-ball-submerged.jpg" alt="How'd the golf ball get there?" style="border: 0px solid ; width: 240px; height: 180px; float: left" vspace="10" hspace="10" /><br />
Have I mentioned that I love football? Of course, when the Giants start
2-0, it's a great start. But seeing Dallas and Philly pound each other
into submission last night, I realize how difficult the NFC East is
going to be this year. Dallas was lucky to pull that one out. I had no
intention of watching the game, I had a
lot to do - but I was fixated on seeing each team decimate the other's
defense. It's what pro football is all about.<br />
<br />
September also brings my annual golf trip, which is the end of this
week (so I may not post on Thursday). Which is kind of a joke because
I'm not really a golfer. I chase
the ball around for 4 days, competing in the high handicap group and
basically waiting for the beer cart to swing by. Once we are mercifully
done with the round, then we get to drink some more. Sometimes I just
like to make sure my liver knows I'm still here.<br />
<br />
Last year, everyone was great in giving me all sorts of tips for folks
that don't golf too much. Take a shorter backswing, keep your head
down, don't leave that double bogey putt short, I heard lots of stuff.
Thanks for that, but ultimately it doesn't really help. I just hope my
game stays together long enough to win a couple holes for my team.<br />
Unfortunately, I'll contribute a bunch of golf balls to the rewash
foundation. Those are the balls that end up in the drink, like the
picture above shows. The club hires some divers to collect the balls
from the water hazards and then they sell your own balls back to you at
half price. It's kind of like being married. <br />
<br />
Though this year I did decide to buy a new set of clubs. I've been
playing my old Hogan Magnums for about 20 years. No joke, I got them in
college. So I went down to Costco and bought the Nicklaus club package.
13 clubs, a bag, and a bunch of head covers for $249, and they make my
old clubs (which were top of the line in 1988) look like hickory
sticks.
Evidently Moore's Law has come to golf clubs as well. I can get a
decent set for 25% of the price of just my irons years ago.<br />
<br />
Of course, I could have spent thousands on a new set of sticks. Between
the $500 drivers and the fancy irons, you can really splurge if that's
your thing. And I know a bunch of guys that do that. But for me, it's
all about good enough. Amazingly enough, I actually live a lot of the
crap I spew every day. I went to hit some balls at the range over the
weekend, and my new clubs are good enough. They are a lot more
forgiving than my old sticks and I suspect it's going to make my trip a
lot more enjoyable.<br />
<br />
And if not, there is always the drink cart. <br />
<br />
Have a great day. <br />
<br />
<small>Photo: "<span style="font-style: italic">Golf
in the deep...</span>"
originally uploaded
by <a href="http://www.flickr.com/photos/xoto/46833786/" target="_blank">asbjorn.hansen</a></small><br />
<br />
<small>Technorati: <a href="http://technorati.com/tag/information%20security" target="_blank" rel="tag">Information
Security</a>, <a href="http://technorati.com/tag/CSO" rel="tag">CSO</a></small>,
<small><a href="http://www.technorati.com/tag/Security%20Mike" target="_blank" rel="tag">Security
Mike</a>, <a href="http://www.technorati.com/tag/Internet%20Security" target="_blank" rel="tag">Internet
Security</a></small><br />
</p>
<br />
<h1>Top
Security News</h1>
<p>
<span style="font-weight: bold"><a title="TSN1" id="TSN1" name="TSN1"></a>Freedom for unsolicited emailer -
shocker!</span><br />
<span style="font-style: italic">So what? </span>-
I'm not sure what Jeremy Jaynes paid his lawyers, but it's not enough. <a href="http://blogs.computerworld.com/extra_big_time_spammer_freed_on_appeal" target="_blank">Those guys got the VA Supreme Court to
overturn the state's spam law and thus overturn his conviction for
being a scummy email profiteer.</a> Whatever. Since I haven't
been in the email security business for a few years, I'm pretty
sanguine about the entire battle. Basically, people still click on
links, thus they are getting pwned, thus there is still a huge economic
benefit to sending unsolicited email. And until the economic benefit
abates, there will be no progress. Sure the good guys will continue
fighting the good fight and the bad guys will continue innovating and
finding new ways to compromise the respective inboxes of your
employees. Many of the bad guys now reside in places that are really
beyond the reach of global law enforcement, but now it's not even clear
there is a basis for law enforcement. Guess it's back to the same old
same old. <br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-16#TSN1">this</a></small><br />
<br />
<a title="TSN2" id="TSN2" name="TSN2"></a><span style="font-weight: bold">Yes, we need to keep fighting</span><br />
<span style="font-style: italic">So what? -</span>
Everyone has good days, where they think they can conquer the world (or
at least make a dent in their to-do list) and not so good days, where
you wonder why you even bother. Since I'm assuming you are human, then
this kind of thing is going to happen. The other inevitability of being
a security professional is that you are going to have to deal with
incidents. Yes, it will happen to you. <a href="http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=163675" target="_blank">It's a point that John Sawyer makes on his
Dark Reading blog.</a> We still have to protect the flanks,
educate the users, and do the best we can with the (limited) time and
resources we are given. BUT we also have to plan for the incident and
ensure we effectively and quickly contain the damage. Our job is to try
our best to prevent the incident, but it's also to make sure a small
incident doesn't become a major catastrophe. This is a hallmark of the
Pragmatic approach to security, and it's important. So make sure your
incident response plan is up to date and maybe schedule another
run-through of your process. Remember, you don't want to find a gaping
hole in the recovery process in the middle of an incident. <br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-16#TSN2">this</a></small><small><br />
</small><span style="font-weight: bold"><br />
</span><a title="TSN3" id="TSN3" name="TSN3"></a><span style="font-weight: bold">Getting back to poor man's DLP</span><br />
<span style="font-style: italic">So what? -</span>
OK, this is a <a href="http://www.networkworld.com/columnists/2008/090808insider.html">thinly
veiled vendor byline published in Network World (by Blue Coat's Tom
Clare)</a>, but it makes a couple of interesting points. I got an
earful from folks in the DLP space about my thoughts on "poor man's
DLP," basically the capabilities that come with your email and web
gateways that can check for very simple regular expressions and other
content matching algorithms. I maintain that for a lot of customers,
this is good enough to meet the spirit of the regulations and also to
address the most common data leakages. No, this probably won't wash for
a Fortune 50 class mega-enterprise. But Joey-bag-of-donuts and his PCI
requirements? Most likely. Now, if budget and time allow a more
comprehensive approach to DLP, then I'm all for it. But if you are like
most of the unfortunate 5 million companies out there with no time and
no budget, then looking at a poor man's DLP may be a decent stop-gap
until you can be a bit more strategic, or the gateway vendors buy some
DLP technology and integrate it.<br />
<small>Link to <a href="http://securityincite.com/TDI-2008-09-16#TSN3">this</a></small><small><br />
</small><br />
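What a gateway's "poor man's DLP" rule actually does, as an added example in Python (not code from the post or from any vendor's product): a regular expression finds candidate card numbers in outbound text and a Luhn checksum weeds out order numbers and other digit runs. The sample messages, the separator handling and the 13 to 19 digit window are constructed assumptions; the last sample shows the kind of formatting a simple pattern misses.

```python
import re

# Constructed outbound messages for illustration (not from the original post).
SAMPLE_MESSAGES = {
    "invoice": "Hi Bob, the card on file is 4111 1111 1111 1111, exp 12/09.",
    "order_id": "Your order number is 1234 5678 9012 3456 and ships today.",
    "clean": "Lunch at noon? Bring the Q3 slides.",
    "dotted": "Card 4111.1111.1111.1111 on file.",  # assumed format the simple rule misses
}

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs (order and phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalized digit strings that look like real card numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def gateway_verdict(text: str) -> str:
    """Mimic a gateway content rule: block when a Luhn-valid PAN is present."""
    return "BLOCK" if find_pans(text) else "ALLOW"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:9s} {gateway_verdict(body)} {find_pans(body)}")
```

The regex alone would flag the order number; the checksum is what keeps a rule like this usable on real mail traffic, while the dotted sample shows why it is a stop-gap rather than a full DLP program.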
<span style="font-weight: bold"><br />
</span><span style="font-weight: bold">The Laundry
List</span>
</p>
<div style="margin-left: 40px">
<ol>
<li>Have distribution channel, will travel. Cisco takes market
share lead in content security gateways, according to box counters at
Infonetics anyway. Though I'm surprised Symantec is still listed. When
was the last time you heard anything about Brightmail?
- <a href="http://www.networkworld.com/community/node/32519" target="_blank">Cisco
Subnet blog (on NetworkWorld)</a></li>
<li>Deal: Hat tip to Ferris for catching the sly Quest/Akonix
deal. Seems <a href="http://www.gartner.com/DisplayDocument?ref=g_search&id=750113" target="_blank">Gartner also caught it</a> at the
beginning of the month. Let's just say if it didn't even warrant a
press release from Quest (or investor disclosure), they put Akonix out
of its misery. It's about time; at least not all of the laws of
economics have been repealed by dumb VC money. - <a href="http://www.ferris.com/2008/09/15/quest-quietly-purchases-akonix/" target="_blank">Ferris
Research</a></li>
<li>Everyone jumps on the "intelligence in the cloud"
bandwagon. Now Blue Coat is talking about their service that looks at
150 million requests a day. Is that a lot? Does it matter? - <a href="http://biz.yahoo.com/bw/080915/20080915005046.html?.v=1" target="_blank">Blue Coat release</a></li>
<li>Not dead yet, Borderware announces the new new thing in
their security platform. Ready? It's DLP across email and web traffic.
Yup, poor man's DLP coming to a gateway near you.
- <a href="http://www.borderware.com/press/releases.php?action=v&id=212" target="_blank">Borderware
release</a></li>
</ol>
</div>
<h1>Top
Blog Postings </h1>
<p>
<span style="font-weight: bold"><a title="TBP1" id="TBP1" name="TBP1"></a>Yes, it's about influence</span><br />
Sometimes I wonder if I'm talking to myself. I know I'm not, but
on those days when you are hibernating to finish a few writing projects
and the most insightful conversation you have is with the Starbucks
barista, it's nice to see something totally consistent with my
thinking. Stuart King says in one sentence what takes me an entire
book to discuss. "<span style="font-style: italic">the
fact that organisations are beginning to see influencing and
negotiation skills as being just as, or more important, than the
technical knowledge that got most of us into security as a career in
the first place.</span>" Amen. Now to be clear, there
is still a real need for technical competence and the ability to
actually do things. But those folks don't have the senior security
professional title. It's all about persuasion and evangelism. You need
to be able to get the rest of the senior team on board with the
security program and to think a bit before they do. It's a constant
battle and done more over a 3 martini lunch than a keyboard, but that's
the way we security folks need to roll. <a href="http://www.amazon.com/How-Win-Friends-Influence-People/dp/0671723650" target="_blank">Dale Carnegie</a> here we come.<br />
<a href="http://www.computerweekly.com/blogs/stuart_king/2008/09/success-through-influence.html" target="_blank" style="font-weight: bold">http://www.computerweekly.com/blogs/stuart_king/2008/09/success-through-influence.html</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-16#TBP1">this</a></small><br />
<br />
<a title="TBP2" id="TBP2" name="TBP2"></a><span style="font-weight: bold">Looking out for #1</span><br />
Dre takes Jeremiah to task for spreading FUD and perhaps overstating
the value of application testing, as opposed to building applications
securely in the first place. Though Dre is well spoken and makes a lot
of points, there are truths to both sides of the argument. The reality
is there is NO PANACEA. Yes, the bad guys are scary, yes we are writing
a lot of new code - most of which will never be tested, and yes, that
means a lot of folks will be exposed. Dre is right that we can do a lot
of great work to fix our applications and it shouldn't take
years. But remember, as charitable as you are, you shouldn't
spend a lot of time worrying about them. Spend 99% of your time
worrying about YOU. If you do some application testing and if you even
make an initial lame attempt at secure applications, you'll be ahead of
a vast majority of the other folks out there. Remember, a skilled
attacker can beat you. Every single time. But most of the folks out
there are pretty lazy, so they are going to go after the paths of least
resistance. As long as you make it a bit difficult, the bad guys will
move on to the next target. Unless, of course, you work at a high
profile web property, then you are basically screwed and all bets are
off. Have I mentioned the importance of reacting faster lately?<br />
<a href="http://www.tssci-security.com/archives/2008/09/11/web-application-security-tomorrow/" style="font-weight: bold" target="_blank">http://www.tssci-security.com/archives/2008/09/11/web-application-security-tomorrow/</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-16#TBP2">this</a></small><small><br />
</small><br />
<a title="TBP3" id="TBP3" name="TBP3"></a><span style="font-weight: bold">Breaking into the security
business</span><br />
I have to say one of the most frequent questions I get from visitors to
securityincite.com is how to get into the business. That also goes for
my work with SearchSecurity as well. On one hand, given the skills
shortage we face in the security business, it's perplexing to me that
folks are having a hard time breaking in. But then I remember that most
HR departments don't think, they just do keyword searches to find lame
candidates on Monster. Let me point you to a new blog called Security
Wannabe, which goes into some of these career management issues. If you
don't have any relevant experience, then get some. Start volunteering
with local organizations that need help configuring their security. Do
some pen tests on your friends. Learn the vernacular, maybe take a few
courses and get a certification. And if you want to specialize, learn a
bit about application security. That's the future of this business and
we need all the hands we can get. <br />
<a href="http://securitywannabe.com/blog/2008/03/13/breaking-into-the-it-security-industry-for-fun-and-profit/" style="font-weight: bold" target="_blank">http://securitywannabe.com/blog/2008/03/13/breaking-into-the-it-security-industry-for-fun-and-profit/</a><br />
<small>Link
to <a href="http://securityincite.com/TDI-2008-09-16#TBP3">this</a></small><small><br />
</small><br />
</p>
</div><div class="feedflare">
<a href="http://feeds.feedburner.com/~f/SecurityInciteRants?a=iBeUL"><img src="http://feeds.feedburner.com/~f/SecurityInciteRants?i=iBeUL" border="0"></img></a> <a href="http://feeds.feedburner.com/~f/SecurityInciteRants | |