Incite 5/26/2010: Funeral for a Friend
By Mike Rothman
I don’t like to think of myself as a sentimental guy. I have very few possessions that I really care about, and I don’t really fall into the nostalgia trap. But I was shaken this week by the demise of a close friend. We were estranged for a while, but about a year ago we got back in touch and now that’s gone.
I know it’s surprising, but I’m talking about my baseball glove, a Wilson A28XX, vintage mid-1980’s. You see, I got this glove from my Dad when I entered little league, some 30+ years ago. It was as big as most of my torso when I got it. The fat left-handed kid always played first base, so I had a kick-ass first baseman’s glove and it served me well. I stopped playing in middle school (something about being too slow as the bases extended to 90 feet), played a bit of intramural in college, and was on a few teams at work through the years.
A few of my buddies here in ATL are pretty serious softball players. They play in a couple leagues and seem to like it. So last year I started playing for my temple’s team in the Sunday morning league with lots of other old Jews. I dug my glove out of the trunk, and amazingly enough it was still very workable. It was broken in perfectly and fit my hand like a glove (pun intended). It was like a magnet – if the ball was within reach, that glove swallowed it and didn’t give it up.
But the glove was showing signs of age. I had replaced the laces in the webbing a few times over the years, and the edges of the leather were starting to fray. Over this weekend the glove had a “leather stroke”, when the webbing fell apart. I could have patched it up a bit and probably made it through the summer season, but I knew the glove was living on borrowed time.
So I made the tough call to put it down. Well, not exactly down, since the leather is already dead, but I went out and got a new glove. Like with a trophy wife, my new glove is very pretty. A black leather Mizuno. No scratches. No imperfections. It even has a sort-of new-car smell. I’ll be breaking it in all week and hopefully it’ll be ready for practice this weekend.
For an anti-nostalgia guy, this was actually hard, and it will be weird taking the field with a new rig. I’m sure I’ll adjust, but I won’t forget.
Photo credits: “Leather and Lace” originally uploaded by gfpeck
Incite 4 U
I want to personally thank Rich and the rest of the security bloggers for really kicking it into gear over the past week. Where my feed reader had been barren of substantial conversations and debate for (what seemed like) months, this week I saw way too much to highlight in the Incite. Let’s keep the momentum going. – Mike.
Focus on the problem, not the category – Stepping back from my marketing role has given me the ability to see how ridiculous most of security marketing is. And how we expect the vendors to lead us practitioners out of the woods, and blame them when they find another shiny object to chase. I’m referring to NAC (network access control), and was a bit chagrined by Joel Snyder’s and Shimmy’s attempts to point the finger at Cisco for single-handedly killing the NAC business. It’s a load of crap. To be clear, NAC struggled because it didn’t provide must-have capabilities for customers. Pure and simple. Now clearly Cisco did drive the hype curve for NAC, but amazingly enough end users don’t buy hype. They spend money to solve problems. It’s a cop-out to say that smaller vendors and VCs lost because Cisco didn’t deliver on the promise of NAC. If the technology solved a big enough problem, customers would have found these smaller vendors and Cisco would have had to respond with updated technology. – MR
I can haz your ERP crypto – Christopher Kois noted on his blog that he had ‘broken’ the encryption on Microsoft Dynamics GP, the accounting package in the Dynamics suite from the Great Plains acquisition. While encrypting data fields in the database, he noticed odd behavioral changes when altering encrypted data. What he witnessed was that if he changed a single character, only two bytes of encrypted data changed. With most block ciphers, if you change a single character in the plaintext, you get radically different output. Through trial and error he figured out the encryption used was a simple substitution cipher – and without too much trouble Kois was able to map the substitution keys. While Microsoft Dynamics does run on MS SQL Server, there are some components that still rely upon Pervasive SQL. Christopher’s discovery does not mean that MS SQL Server is secretly using the ancient Caesar Cipher, but rather that some remaining portion of Great Plains does. It does raise some interesting questions: how do you verify sensitive data has been removed from Pervasive? If the data remains in Pervasive, even under a weak cipher, will your data discovery tools find it? Does your discovery tool even recognize Pervasive SQL? – AL
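The tell Kois used is the absence of diffusion: a byte-for-byte substitution changes one ciphertext byte per plaintext byte changed, while a block cipher in a chaining mode changes the whole block and everything after it. The following added example (not Kois’s code and nothing from Dynamics GP or Pervasive) turns that observation into a reusable check you can point at any encrypt-only interface, and shows why the weak case offers no confidentiality once a chosen plaintext can be encrypted. Both ciphers inside it are constructed stand-ins: a seeded monoalphabetic table, and a SHA-256 Feistel network in CBC mode that only serves to exhibit proper diffusion.

```python
import hashlib
import random

# --- Constructed stand-in 1: a monoalphabetic (byte-for-byte) substitution cipher ---

def make_substitution_table(seed: int) -> bytes:
    """Constructed: a fixed permutation of the 256 byte values, used as the 'key'."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return bytes(table)

def substitution_encrypt(table: bytes, plaintext: bytes) -> bytes:
    """Each plaintext byte maps independently to one ciphertext byte: no diffusion."""
    return bytes(table[b] for b in plaintext)

# --- Constructed stand-in 2: a toy block cipher with real diffusion ---
# 4-round Feistel network over 16-byte blocks, SHA-256 as the round function, CBC mode.
# Not a production cipher; it exists only to show what a chaining-mode block cipher
# does when one input byte changes.
BLOCK = 16

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]

def _feistel_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, right, i)))
    return left + right

def block_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad  # PKCS#7 padding
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        # CBC: XOR with the previous ciphertext block, then encrypt
        prev = _feistel_block(key, bytes(a ^ b for a, b in zip(data[i : i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

# --- The check: how much ciphertext changes when one plaintext byte changes? ---

def changed_bytes(encrypt, plaintext: bytes, position: int) -> int:
    """Flip one bit of plaintext[position] and count differing ciphertext bytes."""
    c1 = encrypt(plaintext)
    flipped = bytearray(plaintext)
    flipped[position] ^= 0x01
    c2 = encrypt(bytes(flipped))
    return sum(1 for a, b in zip(c1, c2) if a != b) + abs(len(c1) - len(c2))

def looks_like_substitution(encrypt, plaintext: bytes) -> bool:
    """True when every single-byte change moves at most one ciphertext byte."""
    return all(changed_bytes(encrypt, plaintext, i) <= 1 for i in range(len(plaintext)))

def recover_table(encrypt) -> bytes:
    """Why the weak case is fatal: one chosen plaintext covering all 256 byte values
    returns the entire substitution table, so every stored record can be read."""
    return encrypt(bytes(range(256)))

if __name__ == "__main__":
    sample = b"invoice 12345"  # constructed sample field value
    table = make_substitution_table(seed=1)
    weak = lambda p: substitution_encrypt(table, p)
    strong = lambda p: block_encrypt(b"k" * 16, b"\x00" * 16, p)
    print("substitution:", changed_bytes(weak, sample, 3), "byte(s) changed")
    print("block cipher:", changed_bytes(strong, sample, 3), "byte(s) changed")
    print("weak looks like substitution:", looks_like_substitution(weak, sample))
    print("table recovered:", recover_table(weak) == table)
```

The same `changed_bytes` probe works against any system where you can submit a plaintext and read back the stored ciphertext (a database column, an export file); if the count stays at one or two bytes per edited character, as Kois saw, the data is not protected by a modern cipher, and discovery tooling should treat the column as effectively cleartext.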
Blame the addicts – When I was working at Gartner, nothing annoyed me more than those client calls where all they wanted me to do was read them the Magic Quadrant and confirm that yes, that vendor really is in the upper right corner. I could literally hear them checking their “talked to the analyst” box. An essential part of the due diligence process was making sure their vendor was a Leader, even if it was far from the best option for them. I guess no one gets fired for picking the upper right. Rocky DeStefano nails how people see the Magic Quadrant in his Tetragon of Prestidigitation post. Don’t blame the analyst for giving you what you demand – they are just giving you your fix, or you would go someplace else. – RM
Compliance and security: brothers in arms – It’s amazing to me that we are still gnashing our teeth over the fact that senior management budgets for compliance and doesn’t give a rat’s ass about security. Also nice to see Anton emerge from his time machine trip back to 2005, and realize that compliance doesn’t provide value. Continuing the riff on AndyITGuy’s rant about compliance vs. security, we have to eliminate that line of thinking. Compliance and security are not at odds. It’s not an either/or proposition. Smart practitioners buy solutions to security problems, which can be positioned and paid for out of the compliance budget. When pitching any security project to senior management, you’ve got no shot unless you can either show how it increases the top line (pretty much impossible), decreases spend (hard), or helps meet a compliance mandate. So stop thinking compliance is the enemy. It’s your friend – your rich friend who needs to pay for all your security stuff. – MR
Give me a Q and an A, and that spells FAIL? – They say it takes years to build credibility, and a minute to lose it. IBM is dealing with some of that in the security space after distributing infected USB sticks at a trade show. I don’t even know what to say. No one thought to actually test the batch of tchotchkes? Even if only to make sure the right content was there? But let’s not focus on the sheer idiocy of IBM here, but on what to do to protect yourself and your organization. First, turn off AutoRun – since that is how most USB stick malware will get executed. Second, don’t be a USB whore. Just because it’s shiny and has the logo of your favorite vendor doesn’t mean you should stick it in your machine. Have a little self-respect, will ya? Maybe the AV vendors (all of whom have detected this malware since 2008) can position themselves as the morning-after pill for promiscuous USB use. Or device control software can be positioned as a USB condom. Ah, the possibilities are endless. – MR
That’s not a bus – it’s a steamroller – I talked with a client this week, who was struggling to maintain security controls while adopting cloud computing. They are moving to a hosted email system, but in the process may lose their DLP solution. It’s a problem they could have planned around, but decisions were made without security involved at the right level. Another client had a similar issue where they traded off their DLP so they could switch to cloud-based web content security. DanO over at Techdulla raises some similar issues as he reminds us that no matter what we think, security folks will likely be held responsible, even if the data has been shipped to the cloud. Steamrollers and buses are easy to dodge, but only if you keep your eyes open and spot them early enough. – RM
Digging a grave for Brightmail? – We don’t publish a lot on anti-spam technologies, even though email and content security are core coverage areas for us. It is just not very interesting to discuss the meaningful differences between 99.2% and 99.6% effectiveness, or what it means when vendors swap positions from month to month depending upon the spam technique du jour. It is an unending cat-and-mouse game between spammers and new techniques to detect and block email spam, and things fluctuate very quickly. That said, every now and again we run across something interesting, such as Symantec Brightmail Gateway Decertified by ICSA labs, because they dropped below 97% effectiveness. It is actually big news when a major email security vendor “stops meeting one or more requirements, or is no longer in daily testing”. But as I have not seen an EOL announcement, it looks like this is a rather passive-aggressive way of notifying customers that they are moving away from supporting Brightmail anti-spam and moving forward with MessageLabs’ service based solution. Unless of course the Brightmail anti-spam team was on vacation this week, and they accidentally fell below 97% success, but I am betting this was at least half intentional. It’s still somewhat surprising, as I assumed there were still a handful of ASPs using the Brightmail engine. It will be interesting to see how Symantec covers this in press releases in the coming weeks. – AL
Roland Garros it ain’t: the IT certification racket – I’ve ranted about the value of certifications a lot. But I never miss the opportunity to poke fun at the entire certification value chain. Case in point: Etherealmind’s observation about the joke of CCIE certification. Most vendor certifications fall into the same category. It’s about passing the test so the VAR can say they have X% staff certified, or the IT shop can show proficiency with their key vendors. Unfortunately most of the training isn’t designed to actually teach anything; it’s designed to get students past the test. As Rich said about security awareness training, we need a “no security professional left behind” program to ensure folks doing things are actually competent. I know – details, details. But it won’t happen – as long as hiring managers focus on who has the paper rather than what they know, it’ll be the same old, same old. – MR
As the Product Manager for Symantec Brightmail Gateway, I would like to build on the comment by Jack Walsh from ICSA Labs:
- Symantec Brightmail Gateway has been one of the top-performing products in the ICSA Labs benchmark for effectiveness and accuracy. For the last six months, our product has been testing at well over 99% effectiveness in the ICSA Labs benchmark, and there was no drop in performance that led to our de-certification.
- Symantec chose not to renew its commercial testing contract with ICSA Labs in April 2010. The only reason for our de-certification was that, without a testing contract in place, Symantec Brightmail Gateway was no longer part of the daily testing required by ICSA Labs.
Interested parties can also view Symantec
By Angelos Kottas
Mike, I may have to get Joel to jump in here and call you criminal or something ;-) yes, standards come later and with NAC frankly I don’t think anyone gave a damn about NAC standards (not anyone buying it anyway). I think people did use that as an excuse not to buy, but that was just an excuse, the real reason was I guess they didn’t find it compelling enough. But that doesn’t stop me from bashing Cisco on NAC, it is just too ingrained in my Pavlovian psyche.
By Alan Shimel
Oh brother Alan. You give Cisco too much credit and customers too little. Again, if there was really a market for “NAC” then customers would have found solutions to their problem. From Cisco or not.
This is not like Intel or Microsoft, who did behind the scenes bundling and tying, which really was anti-competitive.
Standards don’t drive markets. Standards emerge after markets are well established. If you think that earlier industry-wide standardization of NAC would have made a difference, then you are still recovering from your own road rash—whether you admit it or not.
By Mike Rothman
Mike I just love it when I am on the other side of a disagreement with you and I have Joel Snyder on my side ! ;-) Hot dog! But that aside, what Cisco did was wrong. They spread FUD beyond the point of reasonableness, used their monopolistic network infrastructure position to lock others out and stonewalled industry wide efforts at standardization. The last time a company did that the Justice Department had them on anti-trust violations.
By Alan Shimel
@Jack - Thanks for the note! We saw your de-certification notice before seeing anything from Symantec.
By Adrian Lane
Number 7 in your list is probably there due to a note on the ICSA Labs website that I added yesterday. As the ICSA Labs Anti-Spam Program Manager, I added the note to say that the product was decertified. This is a true statement. The note generally explains that folks in the anti-spam testing program - in order to remain anti-spam certified - must continue both to meet all of the testing requirements and to be in daily testing. Not doing either or both of these things leads to decertification. That said, it would be untrue to say that Symantec’s product was ever less than 97% effective. In fact if you look at our spam data center page, you will see that they’ve done quite a lot better than that:
Let me know if you have any questions and take care,
Network IPS and Anti-Spam Program Manager
By Jack Walsh