This week, our question is courtesy of Allen:

… As a long time Mac user and an inspiring security professional (i am in the process of completing my CISSP certification), I found this article on Macworld’s web site to be very fascinating. If you could please comment on this on your web site and/or on your podcast would be very grateful.

The article in question, located here, is a very odd interview with Michael Barrett, PayPal’s chief information security officer.

Michael argues that the main reason Safari is less secure is its lack of anti-phishing features or support for Extended Validation SSL certificates. For you non-geeks, those are extra, higher cost, digital certificates that highly trusted websites can buy to prove they are who they say they are. A few snippets:

“Apple, unfortunately, is lagging behind what they need to do, to protect their customers,” Barrett said in an interview. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”
…
Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.

When it comes to fighting phishing, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” he said.
…
Still, Barrett says data compiled on PayPal’s Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal’s Web site than users who don’t have EV certificate technology, presumably because they’re confident that they’re visiting a legitimate site.

Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. “It’s a several percentage-point drop in abandonment rates,” he said. “That number is… measurably lower for IE 7 users.”

This is complete and utter bunk. I’d like to reference an article at Dark Reading, on anti-phishing, and this one about a Harvard/MIT study:

APRIL 13, 2007 | The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified.

And still, more than half of them entered a password and tried to log in.

That’s the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.

PayPal is completely off base- I highly doubt the lack of anti-phishing features correlates in any material way to Safari users dropping out of the sign in process. The level of assumptions in those statements is ridiculous.

Now, let’s look at Safari. The truth is, based on talking with security researchers. that IE7 on Vista is more fundamentally secure than Safari. I’m not sure about Firefox, but suspect it is also probably more fundamentally secure. But that almost doesn’t matter- the real world risk, today, of using Safari is extremely low. That could change instantly, at any given time, and probably will, but until then I feel comfortable using it for most of my browsing needs.

A bigger hole with Mac (or PC) browsing is QuickTime, which is in the midst of some rough times from a security perspective. But QuickTime runs in any browser, not just Safari.

My overall take? Most users don’t understand or care about anti-phishing notifications built into their browsers. Safari does lack security features available in competitors, and has had a few vulnerabilities this year, but real-world risk is low for now. Support for extended validation certificates is a nice to have feature, but probably won’t improve Safari security for the average user in any material way.

Not that we shouldn’t keep the pressure on Apple to keep strengthening the OS and browser, but I’d prefer they put more effort into sandboxing and other anti-exploitation defenses than little green borders when I visit someone willing to cough up an insane amount of cash to Verisign.

Technorati Tags: Apple, Mac, PayPal, Phishing, Security

It seems that every time I write the next part of this multipart series I find myself apologizing for taking too long between posts. I swear I have a good excuse this time- with the whole doctor sticking cameras into my shoulder, shaving out bits, cutting tendons and tying them to new places, putting in plastic anchors, and sewing torn parts of muscles together thing. I’m 11 days into my recovery and while the days are fine, despite learning not to use my arm for the next three months, the nights… let’s just say I fear the nights. I think I’m getting closer to figuring out the right combination of drugs, body position, and pillows that will let me get a little closer to some functional sleep.

But business is good, I’m gaining a little more productivity every day, and… enough about me.

In today’s post we’re going to delve deeper into Database Activity Monitoring. We’re going to talk about alerting, workflow, and reporting.

In my previous post we discussed central management, including policy creation. One of the key advantages of DAM over passive auditing and logging solutions is the ability to define policies for active alerts and manage remediation. While policies are mostly deployed in a passive mode (alerting only) some products also support active blocking, which we will cover in a future post.

I’m really not a fan of relying on passive auditing for security; it’s often important, but with the tools we have today we can generate immediate alerts allowing us to contain security incidents before they spread, or even stop a multi-stage attack before completion. This is one key characteristic separating proactive security tools from simple monitoring/logging tools.

Alerts

Your DAM tools should support both active alerting and an incident handling queue, similar to DLP. These alerts take a few different forms, from email integration, to self-contained events, to communications with outside security tools (like SIEM) using anything from SNMP to syslog to proprietary integration.

Policies should support granular alerting based on conditions, such as thresholds. For example, detection of a single errant query might trigger a low level incident within the included incident handling system, while an incident involving an administrator or high count of credit cards is emailed to a security admin and dropped into the SIEM tool as a high alert.

Not to say you should rely on a SIEM or other external tool to manage your incidents; those tools will never contain the full context and investigative abilities of the dedicated DAM workflow. External alerts play a valuable role in escalating incidents and correlating with external factors, but the primary handling will tend to be managed within the DAM tool itself. Databases are complex beasts, and full understanding of what’s going on internally requires a dedicated tool.

Policy based alerts tend to fall into two or three interrelated categories which often overlap:

1. User activity: Incidents when a user takes an action that violates policy. It could be a user running a query on sensitive data, updating an existing financial transaction outside of an application, or an application running a query never seen before.
2. Attack activity/signatures: Some DLP solutions include pre-built detection for certain attack activity. This may be linked to vulnerability analysis, signature based, or heuristic (I’m sure some vendors will chime in with even more options).
3. System and administrative activity: Incidents involving administrative or internal system activity. E.g. new account creation, privilege escalation, DML/DDL changes, system updates. stored procedures, or other configuration changes. Think of these alerts as being focused on SQL (and non-SQL) outside of simple SELECT, INSERT, UPDATE, DELETE queries.

Workflow

Once an incident is created and any external alerts sent out, it should appear in an incident handling queue for management. This is similar to what we see in DLP and many other security tools, but optimized for database activity.

The queue should be visually well-designed to make critical information easier to find, and allow customization for different work styles and interests. Unlike DLP, it’s less important that the queue appeal to non-technical handlers since it’s far less likely that anyone without database and security knowledge will work directly within the system. For DAM, we tend to rely more on reports for the auditors, risk managers, and other non-security types.

Incidents should be easy to sort and include color coding for sensitivity and criticality. When you click on an incident, it should let you drill down into more details to assist the investigative process. Handlers should be able to assign, share, and route incidents to different users within the system. I’m a big fan of having a drop down field to change incident status right on the incident row. The system should also support role based administration, allowing you to assign specific handlers/administrators based on the policy violated, database affected, or other factors.

The basic workflow must allow for quick sorting, analysis, and investigation of incidents. Once an incident is detected, the handler can close it, add supporting investigative material, change the priority, assign it to someone else, or escalate it. To support investigations you should be able to correlate the current incident with other activity in that database by that user, violations of that policy across different systems, and other factors to help determine what’s going on. Since incident handlers may come from either a database or a security background, look for a tool that appeals to both audiences and supplies each with the information they need to understand the incidents and investigate appropriately.

My description has so far focused on database-only incidents, but some systems are now expanding into platform activity on the database host, or application activity.

Reports

As with nearly any security tool you’ll want flexible reporting options, but pay particular attention to compliance and auditing reports to support compliance needs. Aside from all the security advantages we’ve been talking about, many organizations initially deploy DAM to meet their database audit and compliance requirements. Pre-built report templates can save valuable time, and some vendors have worked with auditors from the major firms to help design their reports for specific regulations, like SOX.

Reports should fall into at least three broad categories: compliance and non-technical reports, security reports (incidents), and general technical reports.

That’s about it for alerts, workflow, and reporting. These features are pretty straightforward and similar to other security tools, yet dedicated specifically for databases. In our next post we’ll start talking about advanced features, like connection pooling, blocking, and change management.

Technorati Tags: Database Activity Monitoring, Tools

Today, Mark Curphey posted about Tenets of Effective BPM. He lays out five high level principles for doing business process management. This is really great stuff. It’s so good, in fact, that I’m going to quote a huge chunk of his post here:

1. Understand and Documenting the Process

Effect: Implement a Structured and Effective Information Security Program

2. Understand Metrics and Objectives

Effect: Understand Success Criteria and Track Effectiveness

3. Model and Automate Process

Effect: Improve Efficiency and Reduce Cost

4. Understand Operations and Implement Controls

Effect: Improve Efficiency and Reduce Cost

Effect: Fast and Accurate Compliance and Audit Data (Visibility)

5. Optimise and Improvement

Effect: Do More With Less

Effect: Reduce Cost

Notice that none of the above is specific to security, but if you apply them you do get security and compliance benefits. Also, you recover cash for use with other projects without having to ask for more cash, which always makes you more popular with the CIO and CFO. Perhaps most importantly, this type of behavior enables you to demonstrate that IT Security is taking on a business oriented focus, which is good for your career and for raising the exposure of InfoSec at the executive level. It’s like the old maxim, dress for the job you want to have; you have to act like the executive you want to be treated as.

Securosis is *very* pleased to announce that Debix is providing a year of free credit protection to three lucky readers.

Those of you who read this site and listen to the Network Security Podcast know that I’m a big fan of preventative credit protection instead of just passive monitoring. I’ve been using Debix for a few months now and am extremely pleased with the service. Normally I never pick one vendor over the other, but there are only two providers in this market, and LifeLock has a sordid history.

Debix works by placing a fraud alert on your credit report with all three agencies. They automatically renew these every three months, and instead of listing your personal information all calls to open new credit on your account are routed to the Debix call center, which then tracks you down on different contact numbers. Any time someone contacts a credit agency to try to open an account in your name, you get a phone call to authorize it. It’s anti-exploitation for your credit history. To back this up, you get $25,000 of identity theft coverage and recovery services.

They also add you to the national Do Not Call list and opt you out of pre-screened credit offers.

Here’s how the contest will work-

1. In the comments, tell us a story of how you’ve been a victim of fraud. Real stories only, and you have to use an email address you check, even if it’s just an anonymous Gmail account.
2. It can be any type of fraud, humorous or serious, from card skimming to identity theft.
3. The Securosis staff (Dave, myself, and Chris, even though he doesn’t know it yet) will pick the three winners, announce them on the site, and privately connect you with our contact at Debix to get your account started.
4. Our families are excluded, as are those of my friends who are essentially family (sorry, have to be fair). Tom is excluded since he made fun of the blog today and called me a slacker (okay, you can submit under a random email as long as I can’t figure out it’s you).
5. This is limited to the US, since that’s the only place it works.

I’m really excited about this opportunity and we’ve been working on it for a couple of months. Debix is a great service and cheaper than most of the credit monitoring out there.

So get running in the comments. We’re looking for real examples of how fraud has hurt you in your past.

(Full disclosure- Debix is providing the award but is not otherwise sponsoring this contest. I currently have a free Debix trial that was provided before we came up with the contest, but have no business relationship with them).

Technorati Tags: Debix, Fraud, Identity Theft, Contest

Boy- never get shoulder surgery if you can avoid it. Although I can type, the pain, lack of sleep, and other restrictions probably have me down to 50% productivity. No fun when you work for yourself. Trying to not use my right arm for any lifting, pulling, pushing, or reaching for the next 3 month swill be an interesting prospect.

This week on the podcast Martin and I get caught up and cover a wide range of news items- from the encryption news last week, to the CLEAR airport security scam.

As always, the episode is available at netsecpodcast.com.

Technorati Tags: Network Security Podcast

Even in my drug-addled state last week it was hard to miss the cold boot encryption attack released by Ed Felten and the Princeton Center for Information Technology Policy. This is some seriously impressive work with major implications, but despite all the articles I’ve seen there has been little information on how to evaluate and mitigate your personal or organizational risk.

That’s where I come in.

I’m not going to assume you know a lot about file and media encryption, so we’ll start with en explanation of how, and why, the attack works. Then we’ll evaluate the risk and discuss mitigation strategies. I’ll close with some suggestions for vendors to close out this vulnerability. And yes, this works on a Mac with FileVault.

What is the cold boot attack and how does it work?

All encryption systems need access to a key to encrypt and decrypt data. It doesn’t matter what you’re encrypting- a hard drive, file, database, or whatever, you need a key. When encrypting and decrypting data, because of how computer systems are designed, the key always passes through memory at some point. For smaller content this is a transient process and the key is only in memory for a short time (assuming the software is designed properly), but when you need constant access to data the key is kept in memory. This is nearly ubiquitous for full-disk encryption or file encryption systems that leave files open for read/write operations. It’s not something we worried about, because when you turn a computer off the RAM (memory for the non geeks) loses power and anything stored is lost. Thus we would password protect our encrypted systems so that even if they wake up from sleep mode, an attacker would have to reboot the system unless they had the key, confident this process would erase the key from memory and keep the data secure.

What the Princeton researchers demonstrated is that modern RAM doesn’t degrade immediately after power is removed. The contents of memory can persist from seconds to minutes, and that time extends when cold is applied to the memory. An easy way to do this is to just use a can of dust off spray.

That’s the first part of the attack- keeping the contents in memory after the system is shut down.

For the second part of the attack they use a special tool, which they haven’t made public, to recover memory contents from RAM. In the demo this tool is on a bootable USB drive, so merely rebooting the computer from this USB stick, ignoring the host operating system of the computer, allows them to scan memory and recover the encryption key. Additional work allowed them to recover a full key even if a few bits were lost as the memory degraded.

To execute the attack, the attacker opens the computer, sprays the memory with an upside-down can of dust off to cool it, then reboots off the USB device with their software for key recovery on it, thus recovering the keys and gaining access to the data.

If you use a boot password or something similar they perform the same attack, but remove the memory and place it into a different system for key recovery. Thanks to the cold spray you have more than enough time to pull this off.

Evaluating the Risk

There are no public tools for this attack but it’s only a matter of time. Your immediate risk is low, but don’t be surprised if tools appear reasonably soon. This is a serious vulnerability, with a probability of attack that only increases over time.

In other words, don’t panic, but keep your eyes open. Once a public tool appears it’s time to be more concerned.

The researchers outline how most current protection techniques only partially, if at all, mitigate this flaw. Since memory can be removed, BIOS locks and other restrictions are ineffective.

You are only at risk when your computer is powered on or in sleep mode and you lose physical control of it. Powering off your system begins the memory degradation process and you are safe within a few minutes.

Reducing Your Risk

The most effective method is to power off your system completely (not sleep or hibernate mode) when it’s at risk of physical loss. This is inconvenient, but I’m going to start powering off when I’m in higher risk areas (like airport security) and can’t maintain physical control of the system.

Which brings recommendation number 2- don’t let someone steal your computer. I personally maintain physical control over my system nearly all the time when it’s out of my home (and I have a pretty good security system there). At hotels is the greatest risk, and I do tend to power off when I’m out of the room. You sales guys should start getting into the habit of not using sleep mode when you leave your computer locked in a rental car. At least until the encryption and laptop vendors come up with alternative protections.

For those of you with very sensitive information, combine file and folder encryption for sensitive files with your whole disk encryption. A few vendors offer this (feel free to brag in the comments guys). Just close those sensitive files or images before entering sleep mode, and make sure they are password protected and not linked to your normal login credentials.

Also consider an encryption system that supports storing the keys on a smart card (not in memory). I don’t believe there are many practical options today, but expect to see them crop up thanks to this paper.

Finally, ask your vendor their plans to manage this risk. Today it’s not a big deal, but we don’t know if it will be 2 weeks, 2 months, or two years before public tools appear (and it’s safe to assume some governments have this by now — or more accurately, it would be unsafe and foolish to assume any government does note have this capability by now).

Thus, your overall risk is currently low but growing. You can reduce that risk through good habits and some additional software.

What Vendors Can Do

I don’t know to what degree this technique works on commercial encryption products, but vendors should evaluate the risk to their products and keep customers updated. Saying it isn’t a problem or the risk is low isn’t the right answer- you’ll lose customers that way. If you are working on a solution, let them know since the risk really is low for now.

I suspect we’ll see a couple of different approaches. Over time, this is something that will migrate into hardware- even just a small bit of RAM soldered to the board, probably integrated with some future, mythical, TPM. On the software side I have to believe there are ways we can reduce the risk- for example, flushing the active key from memory during sleep (while turning off hibernate, which writes memory to disk and is always bad anyway) and transitioning to a password protected temp key to access the primary key.

Hardware tokens/smart cards are another great option, assuming we can control active access to the key and you remember to unplug it. There are a lot of really smart engineers out there who will probably come up with fixes, at least for third party encryption tools, before this attack becomes widespread.

Conclusion

This is an impressive and serious attack we all need to take extremely seriously. You are at risk if you lose physical control of an encrypted system that is either powered on or in sleep or hibernate mode.

Turning off your system when it’s at greatest risk of loss or theft is a very effective mitigation, but it will be difficult to train average users to stop using sleep mode due to the convenience.

Using file encryption for sensitive content in combination with whole disk may also reduce the risk when done properly.

Talk to your vendor, and make sure they are REALLY not susceptible or have a roadmap to eliminate this method of attack. If they offer the protection, understand and implement the necessary configuration profile, which may not be the default.

Vendors: talk to your customers and get working on the problem if you are vulnerable. Recognize that hardware solutions are always longer term and you should really see if there is a way to offer protection within the software.

Me? I’m not too worried, but I have extremely good habits around the physical control of my laptop, and will now shut down more under certain circumstances. Since I have a fast Mac, rebooting isn’t all that bad anyway…

Technorati Tags: Cold Boot, Encryption, Key Management, Laptop Encryption, Vulnerability

I really don’t see the appeal of the whole drug thing. I’ve never been into recreational drugs other than alcohol, and even that I prefer in moderation. By “never been into” I mean never tried. Nope- didn’t hold it, didn’t inhale.

Last week after my shoulder surgery I was on reasonably heavy pain meds. I couldn’t think, couldn’t focus, couldn’t even read or watch a full length movie. I still had plenty of pain, barely slept, and definitely didn’t notice much happy in the little pills. Friday, after a client mentioned her husband bailed on the meds the first week, I went cold turkey during the days and almost immediately felt better. I still need a little at night to sleep, but boy am I glad to be off that stuff.

I’d like to say I’m tanned, rested, and ready for action, but I’m really pale (as always), tired, and gimpy. That said, it’s great to be back at work; one of the advantages of having a job you love.

Another advantage, for some of us at least, is that articles we write weeks or months earlier still get published even if we’re out of action. This month I wrote the DLP feature for Information Security Magazine. It’s all new content, although some of it will look familiar to any of you who read my DLP manifesto. On Wednesday I’ll be giving a companion webcast over at SearchSecurity.

Hopefully it looks good in print, I still don’t have a copy myself. Anyone have a copy to send to my mom?

Thanks again to everyone who supported (and continues to support) me through this surgery.

Just a quick update to say all is well, if a bit painful.

On Monday I had shoulder surgery to repair a moderate tear to my cartilage in the shoulder (the superior labrum, to be specific). Turns out the tear was a series of tears and I also managed to injure my rotator cuff. The 20 minute procedure took about an hour (still minor in the scheme of things) and my recovery will take a little longer than expected. The worst part is this week as I get past the initial pain, after that everything should be on track.

I want to thank Chris Pepper (who starts a new job in a couple of days) and Dave Mortman for keeping an eye on the blog and contributing new content. Hopefully I’ll be able to convince Dave to keep contributing after I’m back full time. Dave is one of those rare individuals who can combine the practical and the theoretical in security, and has held the management positions to actually execute his theories.

I’ll be taking it easy for another couple of days, but I’m past the hump and have a full schedule next week. Thanks for all the support, and we’ll be back to encryption, DAM, and all your favorite acronyms before you can say “Vicodin”.

It’s Wednesday, and if my doctor’s predictions are correct I might be in front of the keyboard for an hour at a time today. Odds are I’m now in a recliner, watching bad TV, staring wistfully at my Guitar Hero Les Paul leaning against the entertainment center. You may think you’ve won Slash, but once my recovery is complete I’ll be more powerful than you can possibly imagine.

And I’m not even on the meds yet.

Yesterday Mike and I talked about his 2008 predictions around network security. Today we’ll talk about my favorite area, information-centric security, and educating consumers.

This brings us to another step-child of the security world, Data Loss Prevention (DLP). You’re predicting a stall, although I’d argue it’s been stalled for years with only about $70M in revenue in 2007. What’s your unvarnished opinion of DLP- do you think it provides value other than preventing those accidental emails? What if we include content discovery?

You could probably make a case that the DLP business never even got started. The fact is it had the law of small numbers working in its favor. The entire market could grow at 80-100% when it was small. Now it’s a bit bigger and it’ll be a lot harder to show accelerating growth. Also combine that with the number of deals we saw last year and the fact that it does take time for small nimble start-ups to find their sea legs in the morass of a big security or storage player, and things look pretty dark for DLP in 2008.

Your second question is a bit more interesting. I do believe that there is value in the promise of DLP. We need to start thinking about the data and how it’s used and where it goes. I just don’t think the current deployment models really reflect the answer to the customer problem. Sure, if you are worried about an account number or a SS# being sent out, the existing products work fine. But they don’t give you persistent control of your data assets, and I think that’s really the problem that customers need to address. Unfortunately this may be the biggest problem in all of IT. There are no simple answers to solve that one.

DLP is one of the few tools that focus on data security, or “information-centric” security, depending on who you talk to. You do predict greater focus on database security in 2008, but what’s your opinion for the long haul? Will we migrate away from networks and hosts as the focus of security? Or is there too much momentum with too many big companies tied to our current model to expect changes anytime within the next 3-5 years?

Database security is a feature. If the databases weren’t so security tone-deaf, there wouldn’t be a need for this technology at all. But they are, so there is. Over time, a portion of the functions get subsumed into the DBMS, a portion into the security management platform (log analysis and monitoring) and some into the network (intelligently blocking direct database attacks). Though that is truly a long term vision. 5-7 years, best case. The existing database security market has a lot of running room as these other things fall into place.

I don’t think we’ll ever be able to neglect network and host security. A layered security model is really the only way to protect yourself from attacks we can’t even envision. That being said, we need to do a lot better job securing the data. The fundamental element of data, in terms of how it’s used and where it goes. As I mentioned before, that is a really big problem. Looking at the database traffic is a start. It’s not the long term answer, but it adds another layer of protection.

Last year you published the Pragmatic CSO. I think one thing that’s always made you stand out as an analyst is this focus on practicalities. I find myself recommending the book to someone almost weekly since there are so few just-get-it-done approaches to security. Why do you think we make our lives so much more complicated than they need to be, and what inspired you to finally write the P-CSO?

I wrote the P-CSO because I was frustrated. Security folks just don’t understand basic business realities and practices and it is hurting them. They can’t relay the value of what security does and they don’t understand how to play the game to get things done. If anything, I’ve screwed up a lot of things in business and I thought I could provide some perspective that someone who spent their entire career managing firewall rules could appreciate. Especially as they are about to get in front of the Board of Directors and tell them why they aren’t going to be the next TJX.

That’s the thing about the P-CSO. It’s not a technology book. It’s a philosophy book. How security professionals need to think about the business of security moving forward. I really believe it’s the difference between success and failure.

You’re trying to do something similar for consumers with Security Mike; how’s that project going?

Security Mike is going well, but I haven’t put the cycles behind it that it deserves. I’ll be spending a lot more time with that project throughout this year. Security Mike is a big idea. If we can train the consumers out there to protect themselves more effectively, we cut off the oxygen that the hackers breathe. Yes, that’s a long term goal, but you have to start somewhere. The first hundred, then the next thousand, then ten thousand. If we can remove the low hanging fruit, the economic model of Internet fraud changes. The bad guys need to work a lot harder to make the same income. That’s the vision.

Thanks a lot for your time today. One last question, is it true someone sent you a holiday card addressed to “Mike Rothman and The Boss”? How did THAT go over?

She loved it. The Boss has a great sense of humor. How else do you think she could live with a jackass like me?

Technorati Tags: Mike Rothman

Right now I’m probably lying in bed with some weird motorized ice pack strapped to my shoulder, and (hopefully) some pain meds running amok in my system.

I suspect most of you are a little more comfortable at the moment, but hopefully on fewer drugs.

Before diving under the knife, Mike Rothman agreed to an email interview. I’ve known Mike for something like 5-6 years now (I think). If you read this blog, the odds are pretty darn high you also read Mike’s Security Incite. It’s the best nearly-daily analysis of what’s going on in the security world. Rather than providing a simple list of links, Mike includes his own analysis on 3-4 news stories and 3-4 blog entries a day. Mike is also author of the Pragmatic CSO- a must-read for every aspiring security manager.

He’s also the crazy SOB that convinced me you can make it as an independent, so I might be a little biased in his favor.

Here’s the first half of the interview, and we’ll finish it off tomorrow…

Thanks for joining me today, Mike, especially since it’s actually a week before today, and right now I’m probably drugged up with my arm in a sling, sitting on the couch watching Knight Rider.

Who knew that the Rich Mogull has a time machine? If you patented that you really would be a Mogull. Anyhow, I hope you are feeling better and on your way to a speedy recovery.

[It seems Mike doesn't realize Knight Rider is coming back. What's old is new, Mike.]

Rather than having you talk about your past, I’d rather use this time to talk about some of your predictions for the future. Every year you publish your “Security Incites”, a mixed bag of predictions for the coming year. Some of them seem very specific and measurable, while others are, shall we say, a little fluffier. Is there a method to the madness?

In fact there is. I’m constantly synthesizing information. From everything I read, every question I get, every conversation I have. Through the year I am assessing and re-assessing my positions. I go back and revisit the Incites in July and December, and by February I have a pretty good idea how they should evolve for the next year. Then I sit in a dark room, meditate for a while, and the Incites just come to me.

The reality is that some of the Incites lend themselves to firm, quantifiable predictions and others not so much. Some I use to make a specific point that I think is important.

Let’s talk about a few of the predictions that really stand out (for me at least). You’re predicting that 2008 will be the year network security crosses the line and finally becomes just part of the network fabric. A lot of pundits have been predicting this one for years now- what’s going to make 2008 so special?

I believe that customers are voting with their dollars. They don’t want overlay solutions for network security anymore. They want their networking provider to get it right, and with the macro-economic headwinds a lot of folks expect, these customers are in no rush to roll out the technology. They have been willing to wait thus far and sooner or later the products from Big Networkers won’t totally suck. If anything, those folks are persistent and they throw a ton of money at it. They will get it right and I think 2008 is the year the security capabilities built into switches are good enough to meet most of the customer requirement.

In that same prediction you bring up Network Access Control, the red headed step-child of network security. You’ve been one of the more lukewarm voices on NAC; is it a failure of the technology? Or just the market reality that big vendors see this as a way for greater lock in?

To be clear, I don’t have anything against red-heads. :-) NAC’s issues in the market stem from two issues. First, it doesn’t solve a problem that customers think is important or urgent enough to solve. The big NAC vendors are talking about having maybe 1500 customers or something like that. And they are probably lying about that. Let’s take a market like anti-spam - which was a REAL problem - Barracuda sold to 30,000 companies in two years. If it was that big of a problem, more customers would be buying the solutions. It’s as simple as that.

The second issue has to do with expectations. The NAC vendors did themselves a huge disservice by promising the world to customers. They set an expectation they couldn’t possibly meet and now you’ve got customers that are disappointed and they are telling their friends to hold off until the technology matures. Who knows when that is going to happen?

So, will any NAC vendors survive on their own over the next, say, 3 years?

The NAC business will suffer a severe shake-out. Quite a few will get bought, with maybe the first 1 or 2 selling for a big multiple. And no, I don’t know which 1 or 2 that will be. We will see a lot more like Caymas, just going away. Or Vernier, which got out of the NAC business altogether. That’s life in the big city.

Come back tomorrow to hear Mike’s views on DLP, consumer security, and holiday card pranks.