Friday Summary: June 11, 2010
This Monday’s FireStarter prompted a few interesting behind-the-scenes conversations with a handful of security vendors centering on product strategy in the face of the recent acquisitions in Database Activity Monitoring. The questions were mostly around the state of the database activity monitoring market, where it is going, and how the technology complements and competes with other security technologies. But what I consider a common misconception came up in all of these exchanges, having to do with the motivation behind Oracle & IBMs recent acquisitions. The basic premise went something like: “Of course IBM and Oracle made investments into DAM – they are database vendors. They needed this technology to secure databases and monitor transactions. Microsoft will be next to step up to the plate and acquire one of the remaining DAM vendors.” Hold on. Not so fast! Oracle did not make these investments simply as a database vendor looking to secure its database. IBM is a database vendor, but that is more coincidental to the Guardium acquisition than a direct driver for their investment. Security and compliance buyers are the target here. That is a different buying center than for database software, or just about any hardware or business software purchases. I offered the following parallel to one vendor: if these acquisitions are the database equivalent of SIEM monitoring and auditing the network, then that logic implies we should expect Cisco and Juniper to buy SIEM vendors, but they don’t. It’s more the operations and security management companies who make these investments. The customer of DAM technologies is the operations or security buyer. That’s not the same person who evaluates and purchases database and financial applications. And it’s certainly not a database admin! The DBA is only an evaluator of efficacy and ease of use during a proof of concept. People think that Oracle and IBM, who made splashes with Secerno and Guardium purchases, were the first big names in this market, but that is not the case. Database tools vendor Embarcadero and security vendor Symantec both launched and folded failed DAM products long ago. Netezza is a business intelligence and data warehousing firm. Fortinet describes themselves as a network security company. Quest (DB tools), McAfee (security) and EMC (data and data center management) have all kicked the tires at one time or another because their buyers have shown interest. None of these firms are database vendors, but their customers buy technologies to help reduce management costs, facilitate compliance, and secure infrastructure. I believe the Guardium and Secerno purchases were made for operations and security management. It made sense for IBM and Oracle to invest, but not because of their database offerings. These investments were logical because of their other products, because of their views of their role in the data center, and thanks to their respective visions for operations management. Ultimately that’s why I think McAfee and EMC need to invest in this technology, and Microsoft doesn’t. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s Dark Reading post: Massachusetts Data Privacy Standard: Comply Or Not? Rich quoted in Entrepreneur Magazine. Mike quoted in Information Security Magazine. Adrian quoted in Open Source Databases Pose Unique Security Challenges. Rich, Zach, and Martin on episode 200 of the Network Security Podcast. Favorite Securosis Posts Rich: Draft Data Security Survey for Review. It’s been a weird week over here, as all of our posts were nuts and bolts for various projects. I got some great feedback on this draft survey, with a few more comments I need to post, but it could also use more review if any of you have the time. Mike Rothman: FireStarter: Get Ready for Oracle’s New WAF. Oracle has a plan. But it’s a secret. Speculating about it is fun. David Mortman: FireStarter: Get Ready for Oracle’s New WAF. Welcome, Oracle, to the first WAFs club. Adrian Lane: One of our meatier Quant Posts: Configure. Other Securosis Posts Incite 6/9/2010: Creating Excitement. Draft Data Security Survey for Review. Friday Summary: June 4, 2010. Favorite Outside Posts Rich: Why sensible people reject the truth. While it isn’t security specific, this article from New Scientist discusses some of the fascinating reasons people frequently reject science and facts which conflict with their personal beliefs. As security professionals our challenges are often more about understaning people than technology. Mike Rothman: Not so much an “E” ticket. Magical ideas about how TSA can be more Mouse-like from Shrdlu. David Mortman: Google Changed Reputation and Privacy Forever. Adrian Lane: Raffael Marty wrote a really good post on Maturity Scale for Log Management and Analysis. Project Quant Posts DB Quant: Secure Metrics, Part 4, Shield. DB Quant: Secure Metrics, Part 3, Restrict Access. DB Quant: Secure Metrics, Part 2, Configure. DB Quant: Secure Metrics, Part 1, Patch. NSO Quant: Monitor Process Map. DB Quant: Discovery Metrics, Part 4, Access and Authorization. Research Reports and Presentations White Paper: Endpoint Security Fundamentals. Understanding and Selecting a Database Encryption or Tokenization Solution. Low Hanging Fruit: Quick Wins with Data Loss Prevention. Top News and Posts Microsoft, Apple Ship Security Updates via Brian Krebs. Mass SQL Injection Attack from our friends over at Threatpost. Good advice: Three things to harden OpenSSH on Linux. Is correlation killing the SIEM market?. Windows Help Centre Vuln and some commentary on disclosure. Digital River sues over data breach. IT lesson from BP disaster. AT&T leaked iPad Owner Data. This one correctly points out that it’s an AT&T breach, rather than pretending it was an Apple problem to scare up traffic. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. Usually when a comment starts with “This is a terrific idea …” it gets deleted as blog spam, but not this week, as the best comment goes to DMcElligott, in response to Rich’s Draft Data Security Survey for Review. This is a terrific idea. I am very curious about the results you see from this. My suggestions: In the regulation questions