Securosis

Consumer Protection and Software

CNET is reporting that last week the European Commission proposed that consumer protection laws be applied to software. Mentioning specifically anti-virus and video game software, commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software, in an effort to protect customers and on the implied premise that consumers would use more and buy more if the software were better. The commissioners’ agenda calls for “extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games, or other licensed content.” “Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions.” In reality I am guessing some politician took notice that few in the voting public are for crappy software. Or perhaps they took notice that anti-virus software does not really stop malware, spyware, phishing and viruses as advertised? Or perhaps they still harbor resentment for “ET: The Game”? Who knows. I had to laugh at Business Software Alliance Director Francisco Mingorance’s comment that “Digital Content is not a tangible good and should not be subject to the same liability as toasters.” He’s right. If your toaster is mis-wired it could kill you. Or if you used it in the bathtub, for that matter. If people are not happy with a $45.00 piece of software, and no one died from its use, do you think anyone is going to prosecute? Sure, Alvin & the Chipmunks really sucked; caveat emptor! Even if you should find a zealous prosecutor, if something should go wrong with the software, who will get the blame? The vendor for producing the code? The customer for the way they deployed, configured, and modified it? How would this work on an application stack or in one of the cloud models?
What if the software was fully functional against its specification at the time, but later changes in the surrounding environment created a vulnerable condition? If anti-virus stops one virus but not another, should it be deemed defective? There is not enough time, money or interest to address these questions, so the legislative effort is meaningless. I appreciate the EC’s frustration and admire them for wanting to do something about software quality and ‘efficacy’, but the proposal is not viable. Granted, there are the few software developers who look upon their craft to build the best possible software, but most companies will continue to sell us the crappiest product that we will still buy. The only people who will benefit are the lawyers who will be needed to protect their clients from liability; if you think EULAs are bad now, you have seen nothing yet! Do not be surprised if you see the software quality bandwagon rumble through Washington D.C. as well, but it will not make security software better because you cannot effectively legislate software quality. Meaningful change will come when customers vote with their dollars.


Data Harvesting and Privacy

Someone has finally captured my vision of what a data-centric society without privacy rights looks like. This video is really funny … and scary. Law enforcement and drug companies have been doing this for years. And even if it is not public knowledge, many insurance companies are doing this as well. Orwell had no idea how deep the rabbit hole goes.


Friday Summary – May 8, 2009

A lot of security related news this week in the mainstream press. What with Nuclear Secrets being a fringe benefit to eBay shopping. Other big names like McAfee exposing users to a CSRF and MI-6’s operations nixed on a missing memory stick. With security this bad, who needs Chinese hackers? What gets me is the simple stuff that gets missed. Unencrypted hard drives and memory sticks. WTF? Fighter jet plans and power grid control systems on networks, directly or indirectly attached to the Internet? Whoever thought that was a good idea needs to be discovered and fired. Anyway, enough negativity, and you don’t need to read my rants when there are this many good articles to read this week. The funniest thing I saw all week was from last night: Rich and I were having dinner, waiting for the 10:00 PM premiere of the new Star Trek movie, when Rich decided he was going to have some fun and do some ‘live #startrek’ tweets. Not real, but live. Rich was on a roll as we started to joke about plot lines and just making up character twists and throwing BS on Twitter. I must say, he has Trekkie cred, because he knows a heck of a lot more than I do about the entire genre. We were having a great time just making $%(# up. After dinner we went to the theater and got dead center seats! We were not 5 minutes into the movie when one of Rich’s tweets came alarmingly close to the real thing. Another 5 minutes, and Rich nailed another plot line. I am not going to say which ones, you will just have to go see the movie. Oh, and we both really liked it! A must-see for Star Trek fans. But for a little amusement, before you go to the movie, check Rich’s tweets. I know Rich said it last week, but I wanted to mention it again – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest, which goes out every night. 
And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences
Martin and Rich on the weekly Network Security Podcast.
I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (each about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials.

Favorite Securosis Posts
Rich: Adrian’s post on Oracle’s acquisition of Sun. I haven’t seen anyone else take this perspective!
Adrian: Rich’s post on There are no Trusted Sites: the Security Edition. Poignant as always.

Favorite Outside Posts
Adrian: With all that free time on his hands, Chris has been turning out some good stuff. His post on Cloud Security Will NOT Supplant Patching is dead on the mark.
Rich: Rsnake’s Silver Bullet Metric post.

Top News and Posts
Big news this week was the Torpig Hijack. The paper is long but filled with interesting details.
Interesting developments between AdBlock creator Wladimir Palant and NoScript creator Giorgio Maone.
Yeah, but so what? We know it is possible, and we know someone will be motivated by fame or fortune and do it again. The problem is someone will eventually do it well.
Ryan Naraine’s coverage of the Google Chrome Security Flaws.
Ron Gula of Tenable on understanding Vulnerability Assessment Results.
I don’t know what the availability of this device is, but MiFi looks pretty cool!
Handy tip on disk wiping.
The Marriage of Figaro, oddly sans frogs.
New NERC standards.
Naraine and Dancho on PowerPoint ZeroDay.

Blog Comment of the Week
This week’s best comment was from Nick in response to Spam Levels and Anti-Spam:

Since the McColo shutdown we have seen a gradual rise in spam, only returning to pre-McColo levels about a month ago. We are a small fish and only deal with about 20,000 emails per day including spam. But I have not been able to recognize the “return to normal” that everyone was talking about several months ago. I would actually estimate that after the shutdown, we have been sitting about 20% lower than usual, until this past month. Not including the first period of time after McColo.


Get the iPhone or Not?

It’s kind of Apple Day here. Rich has been stuck in a ‘Genius Bar’ time warp all morning with a handful of dead Mac minis (probably died from processor envy when the new Mac Pro arrived). Despite the recession, if you lose your appointment slot, you are going to be waiting a long time, as the AZ Apple stores are always packed. I would gladly have switched places with him, as I have spent all morning trying to decipher the alien runes of AT&T iPhone pricing plans. My cell phone provider, Qwest, is dropping all its cellular services and I now need two new phones. I thought this would be an easy decision as everyone I know seems to have an iPhone. Most people I know in the security profession have had their iPhones for a year or more and they love them. They really like to show off their eye-candy apps and what a powerful mobile computer the iPhone really is. But if 95% of your use is going to be phone calls, is it worth it? As bad as the AT&T pricing is, the real issue is service. AT&T coverage and clarity sucks, or SUCKS, depending upon where in the country you live. I get phone calls from friends and associates, usually someone I know who has some comment about how my recent blog post demonstrated a complete lack of knowledge, and I should really have done my homework prior to posting. And that person is really smart and is probably making really compelling arguments, but it comes across as a small child making motorboat noises while facing away from the phone. I can’t help myself and laugh out loud. My laughter and saying “Dude!” really pisses them off, but it is really hard to hear! And this is just the Securosis side of things. My wife and I drive lots of places where a clear connection is critical, and might have a life-threatening need to reach out and speak to someone who can help. In cases like this, a cool gadget loses every time to a reliable call. I love all the Apple products I have purchased and will seriously consider the iPhone.
But AT&T is not Apple, and when it comes down to it, service is the bulk of what I am paying for. I was really hoping the rumored Verizon-branded iPhone Nano would happen, as I could get the Apple product and have good coverage. I have been cruising Mac Rumors every day to see what’s new. We’ll see. There is a rumor that AT&T is dropping prices, which is nice, but Verizon is running a 2 for 1 sale on Blackberrys, which is even more compelling. I have another month or two of service before I have to make a decision, by which time the new iPhones should be out.


Spam Levels and Anti-Spam SaaS

I was reading the Network World coverage last night of the McAfee Spam Report stating spam rates were down 20%. While McAfee’s numbers are probably accurate, my initial reaction was “Bull$#(&”, because I personally am not seeing a drop in spam. If the McAfee report, as well as Brian Krebs’ posts, show the totals are down, why am I getting a lot more spam, increasing weekly to the point where I am becoming actively annoyed again? I was wondering how much was due to the launch of the new Securosis web site, how much was the ‘cat and mouse’ cyclical changing of spam techniques, and how much was an anti-spam provider not keeping up. I spent a couple of hours last night combing through Postini alerts, my internal junk folder, and the deleted spam that had made it to my inbox. What I found was a linear progression from the time we started with Postini until now, with increasing rates getting caught by my internal spam filter, and a corresponding linear increase getting into the Inbox. Not sure why I allowed this to capture my efforts on Cinco de Mayo, especially considering I have developed a really good margarita recipe that deserved some focused appreciation, but hey, I have no life, and the article grabbed my interest enough to go exploring. Anyway, I think that Postini is just falling behind the curve. We switched over in September 2008. My email address was broadcast when I joined Rich last July and I was surprised that there was not more spam. When we added the Postini service, no spam was getting through for a while, and every evening I would get my Postini status digest of the one or two spam messages it had intercepted. I still get these, and the digest always shows 1-2 emails captured. However, I am getting several dozen in my internal spam folder and another 15-20 in my inbox. And it is the old school blatant “Bank of Nigeria” and “Lottery Winner” stuff that is sneaking in.
Even the halfway well-executed Citibank/Chase/BofA Security alert phishing attempts are getting caught by my personal filters, so how in the world is this stuff getting through Postini? This is not the 97-99% blockage that I talked about in the past, and that customers have reported to me. I just did a survey 9 months ago and it may already be out of date. It’s time to make a change. The beauty of spam filtering as SaaS is that we can change without pain. I am on the lookout for a 10 seat SaaS anti-spam plan. Got recommendations? I would love to hear them. Share your advice and I will share my margarita recipe.


Comments on Oracle’s Acquisition of Sun

On Monday at the RSA conference I learned that Oracle is purchasing Sun Microsystems. I was so busy/exhausted from the conference that I forgot about it until this week. This is pretty exciting! Whether it’s really a good or a bad thing depends upon your perspective. Technology-wise it’s a good match, but the corporate cultures are very dissimilar. I have spoken with a few current Sun employees who are really worried about what life will be like at the Big-O. However, I heard very much the same concern from many PeopleSoft employees, and the catastrophic fallout anticipated as part of that merger never happened; with the current economic situation, it probably won’t happen this time either. I also have to say this is a much better fit, with Oracle being the acquirer, than it would have been with IBM or HP. The product lines are more complementary than IBM’s or HP’s, and I suspect there will be fewer layoffs than if either of those companies had made the acquisition. Sun’s people may not like the culture, but I have been hearing complaints from current and ex-Sun employees for years that they were unable to win market share despite having really innovative technologies, and there will be a sense of pride in having the products you worked on effectively marketed and sold. When I worked at Oracle way back when, it was amazing to watch the sales dynamic that was going on. If the customer was making a $20M purchase of hardware and software, let’s say $17M of that was for the hardware. However, the customer’s motivation for the purchase was that they needed a solid database platform. That meant the $3M Oracle purchase is what mattered to the customer, and how well Oracle performed on the hardware was the deciding factor in the purchase. This meant the smaller database software company held sway over the larger hardware vendors. For years Oracle has used this incredible leverage over their hardware partners and ‘squeezed’ them on pricing.
Now Oracle is the huge company with great margins, but the market dynamic is really changing, and commoditization is moving right up the stack and squeezing their core business as well. It’s not just about the database any longer. Look no further than Cisco getting into the Server/Switch business and offering a unique take on virtualization and provisioning. Several people I spoke with at the RSA conference all said the same thing: Oracle needs to own more of the data center in the coming years if they want to continue their growth curve. I believe Mr. Ellison meant “We’ll engineer the Oracle database and Solaris operating system together. With Sun we can make all components of the IT stack integrated and work well.” quite literally, and it reflects Oracle’s long-term growth strategy. Bundling Solaris with whatever virtualization technologies are at their disposal, InfiniBand Switches, and a full array of servers, gives Oracle a chip-to-web-app presence in the data center that makes the LAMP stack look like a child’s toy. From a security perspective, Oracle now has some really compelling technologies at their disposal. Trusted Solaris is the most secure general purpose OS in the world. Sun’s data encryption and authentication/key management may not be best of breed, but they are solid products that could generate considerable revenue in the hands of Oracle’s professional service arm. And while it is really difficult to secure a JVM properly, it can be done, and the beauty of the Java programming language is that it flat out has the best object model I have ever used. I can properly encapsulate and protect objects, and the language syntax is far easier to read and analyze for coding and security flaws than C++ or other commonly used environments. If Oracle decides to knit these components together within their Data Vault variant of the Oracle database, you will have all of the elements for a very secure development environment. 
One of the rumors that I was hearing was that Oracle would kill off MySQL. This has been covered in some of the blogs as well. I personally think this is nonsense. MySQL is a very well-designed database. It is modular, and rather than only being tuned like an Oracle database, it is configured more like a Linux kernel to meet the user’s specific needs. MySQL has a rabid following and what I estimate at around 15 million installations around the world. When you couple this with the BEA pieces in place and the Java programming language and associated tools/platforms Sun has, you have a really phenomenal web application development suite. Oracle no longer has to ‘compete’ with MySQL – now they have a real answer to PostgreSQL (No, Oracle Lite fans, that was not the answer) without undermining their core database business. What Oracle really needs to do is provide a PL/SQL parser/pre-processor for MySQL, thus providing developers not only the option to use existing SQL/PSM, but the Oracle-specific procedural language most DBAs are familiar with. This would keep the existing MySQL users happy, and offer a migration path into the core Oracle database platform should they outgrow MySQL’s capabilities. Also keep in mind that Oracle purchased Innobase, maker of InnoDB, which is not really a database, but rather an underlying storage engine that is commonly used by MySQL. One of the cool things about MySQL is that you can configure it with different storage backends, such as clustering or ISAM. So Oracle owns MySQL and one of the commonly used storage technologies for it, and that platform has strong user affinity – now they just need to find a way to leverage that and make money from it. Letting that community wither and die just does not make sense. To me this looks like a very complementary acquisition.


LogLogic acquires Exaprotect

Another interesting news item during the RSA show that I am just getting time to comment on is LogLogic’s announcement that they have acquired Exaprotect. When LogLogic announced a partnership with Exaprotect a few months back, my initial reaction was “Who?” Actually, I had heard of the company, but knew very little about the technology. I had not heard any of the companies I speak with on a regular basis mention them, so I had not been paying very close attention to this small firm. When I went to Exaprotect’s website to see what products they offered, I really was unable to tell. It looked like a carbon copy of the LogLogic product benefits summary! It is amazingly difficult to understand what differentiates one product from another on corporate web sites when they are all attempting to cover the current market drivers, and do so at the expense of explaining what they actually do. The company is not very well known by those of you who do not follow this space closely, but they do offer a security event management product, along with a couple of other interesting pieces in the areas of configuration management and policy management. The reason this acquisition is important is twofold. First, this is the removal of the last line of distinction between log management vendors and SEM vendors. ArcSight, LogLogic, eIQ Networks, Q1Labs, LogRhythm, NitroSecurity, and so on are all covering log management and security analysis. Granted, the degree to which each vendor provides the respective capability varies, and each has its own strengths. All in all, these systems collect disparate events, analyze the events in relation to some policy, and provide storage and reporting. The difference was the type of events collected, the speed with which the analysis was conducted, and the audience for the results. These distinctions were usually split down the middle: either near-real-time security response or forensic analysis and event correlation.
What we will see in the coming quarters is adjustment of vendor architectures so these offerings can be efficiently merged into seamless products, continuing to provide evolutionary updates to the near-real-time and forensic capabilities, and looking for ways to differentiate from their competitors. The second reason is that it spotlights the technical and value path this market segment is (and needs to be) headed down. The tough question, now that the vendors collect just about every relevant piece of security and operational data available, is what do you do with that data? How do you differentiate yourself? How do you provide the customer more value? Sure, we are going to see new features appended to the core offerings, à la database protection, but the more important features/functions will have to do with configuration management, business process verification, and policy management/enforcement. Configuration management provides the vendors with a big missing piece: preventative control and baselining of systems, which are critical for most compliance efforts. It’s not that difficult to implement, fits nicely within a log management architecture, and offers value to several buying centers. Policy management, provided the vendors actually can take a business policy and automatically map that to the underlying data streams available, will also provide a huge leap in value to customers and speak to non-technical audiences. The final piece of the puzzle is a flexible analytics engine, so policy verification can be performed in an appropriate time frame in the specific customer environment, in order to verify business continuity and efficacy. I use the word ‘verification’ because enforcement is not really the customer requirement, and more importantly blocking is not typically the appropriate way to remediate problems – the solution is often more complex.
All three of these offerings show SEM moving up the stack and making sense of business processing and compliance in the business context. I look at the LogLogic acquisition as a step necessary to compete, not just in the basic SEM infrastructure of near-real-time event processing, but in all three of the evolutionary ways security event management is heading. That’s not an endorsement of the Exaprotect technology – I have not gotten my hands on it and could not tell you how well it works – but it does encapsulate the segment trends. I intend to delve into each of these trends in more depth.
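To make the description above concrete, here is a small added example (my own code, not LogLogic’s or Exaprotect’s) of the three functions a SEM/log management system combines: collecting disparate events into one normalized form, verifying them against a policy in near-real-time, and answering forensic queries over the stored set. It also carries a configuration baseline check of the kind the post argues these products need to add. The sshd log lines and the comma-separated configuration-agent records are constructed for the example, the agent format is hypothetical, and the policies simply report findings rather than block anything, matching the ‘verification, not enforcement’ point.

```python
"""Toy SEM pipeline: collect, normalize, verify against policy, query forensically."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    ts: datetime
    source: str   # which collector produced the record
    host: str
    user: str
    action: str   # "login_ok" | "login_fail" | "config_change"
    detail: str   # source IP for logins, "key=value" for config changes


# sshd syslog lines (ISO timestamp prefix is a constructed simplification)
SYSLOG_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) password for (?:invalid user )?(\S+) from (\S+)"
)


def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, outcome, user, src = m.groups()
    action = "login_ok" if outcome == "Accepted" else "login_fail"
    return Event(datetime.fromisoformat(ts), "sshd", host, user, action, src)


def parse_agent(line: str) -> Optional[Event]:
    """Hypothetical config-agent record: ts,host,user,action,detail."""
    parts = line.split(",", 4)
    if len(parts) != 5:
        return None
    ts, host, user, action, detail = parts
    return Event(datetime.fromisoformat(ts), "cm-agent", host, user, action, detail)


def collect(lines: List[str]) -> List[Event]:
    """Normalize records from every source into one time-ordered event store."""
    events = []
    for line in lines:
        ev = parse_syslog(line) or parse_agent(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def brute_force_then_success(events, fails=3, window=timedelta(minutes=5)):
    """Near-real-time policy: N failed logins followed by a success from the same source."""
    alerts = []
    recent = defaultdict(deque)          # (host, source IP) -> failure timestamps
    for ev in events:
        if ev.action not in ("login_fail", "login_ok"):
            continue
        q = recent[(ev.host, ev.detail)]
        while q and ev.ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev.action == "login_fail":
            q.append(ev.ts)
        elif len(q) >= fails:
            alerts.append((ev.ts, ev.host, ev.user, ev.detail, len(q)))
            q.clear()
    return alerts


# Constructed baseline: the settings each host is expected to keep
BASELINE = {"web01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"}}


def baseline_drift(events):
    """Configuration policy: report changes that move a host away from its baseline."""
    findings = []
    for ev in events:
        if ev.action != "config_change":
            continue
        key, _, value = ev.detail.partition("=")
        expected = BASELINE.get(ev.host, {}).get(key)
        if expected is not None and value != expected:
            findings.append((ev.ts, ev.host, key, value, expected))
    return findings


def logins_by_user(events, user):
    """Forensic query over the stored events: where did this user log in successfully?"""
    return [ev for ev in events if ev.user == user and ev.action == "login_ok"]


# Constructed sample input from two sources (RFC 5737 documentation addresses)
SAMPLE = [
    "2009-05-04T10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2",
    "2009-05-04T10:00:07 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51123 ssh2",
    "2009-05-04T10:00:15 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2",
    "2009-05-04T10:00:40 web01 sshd[2218]: Accepted password for deploy from 203.0.113.9 port 51125 ssh2",
    "2009-05-04T10:02:00,web01,deploy,config_change,sshd.PermitRootLogin=yes",
    "2009-05-04T11:30:00 web01 sshd[3001]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    store = collect(SAMPLE)
    print("alerts:", brute_force_then_success(store))
    print("drift:", baseline_drift(store))
    print("deploy logins:", logins_by_user(store, "deploy"))
```

The near-real-time rule and the forensic query run over the same normalized store, which is the point the post makes about the two product categories converging; the only difference is whether a rule is evaluated as events arrive or a question is asked after the fact.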


RSA Recap

Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week. The weather was awesome. Warm. Actually, very warm. For those of you who don’t get to San Francisco too often, it was about 20 degrees hotter than it was supposed to be Sunday through Wednesday. Rich and I usually stay at a funky little hotel that is close to Moscone; it’s cheap and we are never in the rooms for very long. However, the older hotels lack air conditioning. In fact, if you want to get cool air, you open the window. Sleeping in a 90 degree room with big city traffic outside your window does not make for a restful visit. When you combine 15 meetings a day with four hours of sleep, things begin to blur together. But both Rich and I had an awesome time, and spent the entire weekend recovering from sleep deprivation. Best Food: The Venrock party was held at ‘Two’, which is a nice little restaurant off Howard and somewhat hard to spot. The food was simple ‘Cowboy’ fare: barbequed tri-tip, carnitas-like shredded pork and roasted chicken, but simply amazing. We were planning on going out to dinner but our plans were promptly discarded when we tasted the food. We ate until they took the trays away. I am going to have to go back there for dinner! Best Party: The Security Bloggers event, if for no other reason than that there were so many interesting people there that I talked until my voice gave out. Good friends, good food, good drink, and good fun! Best Presentation: I am probably disqualified from this category, but I am putting out my nomination anyway.
I was only able to attend a half dozen presentations, and I knew both the people on stage for my favorite; however, there was one clear winner from what I saw. Rich Mogull and Chris Hoff on Disruptive Innovation simply rocked. Biased? Sure. Small sample size? Sure. But on a Friday morning, to fill a conference room and have no one leave is pretty amazing. To cover 160 slides in 50 minutes and make sense is astounding. When it becomes available on the RSA site, you tell me if it was not the best preso! Special mention goes to Brian Chess and Gary McGraw for another interesting Friday talk on secure coding and the release of the Building Security In Maturity Model. http://www.bsi-mm.com/ Attendance: Officially I was told that the numbers were off about 22%. Lots of the vendors along the edges of the exhibitor hall were complaining that they were not getting anyone by their booths, but I have seen that first hand in past years as well. What I did not see were the people with shopping bags loaded with tchotchkes and stuff – instead I saw people legitimately there to see what the vendors offered. Seemed like the people who had company budget to show up were there to learn from the sessions, visit a couple of vendors they were interested in speaking with, and that was about it. Not many people were looking for innovation; instead they wanted their existing vendors to get better at what they do, or in some cases, at what they are supposed to do. Biggest Surprise: How many of you knew Webroot has a complete email and web security service offering? I cover the space and I did not even know until this week. Kind of a strange time to start, but service-based offerings make switching very easy to do. And if Postini’s ability to filter spam continues to slide, I think Rich and I will begin looking at other vendors. If we are, I will bet others would consider this as well.
Favorite Event: The first annual Securosis Recovery Breakfast (which will be named The Disaster Recovery Breakfast in the future, thanks Mary Catherine) was a big hit. Jillian’s was really nice to us and gave us the entire restaurant. We had about 70 people show up. No screaming over the noise, no elbow-to-elbow crowds, lots of chairs and good food. It was different than anything I have been to at RSA, and I am glad Rich had the idea. Relaxing fun, so we will definitely do it again next year. Theme: Security. This may seem obvious to some of you, but it should not be. We have gone through previous years where every vendor was a one-stop shop for solving your compliance problems, and we have seen every gadget and appliance marketed to us as the one and only solution for Governance, Risk and Compliance. I expected to see 500 vendors telling me how they could secure the cloud, but I only saw a smattering of that. While I know a very large percentage of revenue is derived from compliance spending, the message was back to security, and I think that is a good thing! The buyers are beginning to see that operational controls, compliance, and security are closely linked needs. Saddest Scene: It’s a security conference. We are security professionals. We read about how easy it is to hack wireless end points, and that man-in-the-middle attacks are sometimes trivial for a skilled hacker, but common traffic sniffing is usually sufficient to gather user accounts and passwords. This is not a big secret. Yet there was always a group of people clustered around the wireless access points, gathering their email and checking their eBay bids. Are you freakin’ nuts? RSA needs its own “Wall of


Friday Summary – April 17 2009

The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there as we have been getting numerous tweets and email on the subject, and well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft’s Port 25 blog as well! There won’t be a lot of content pushed out next week as we are crazy-busy next week, but this will be a full time effort come May. On the personal side, I got a couple phone calls again this week. You know, the “My computer is doing FOO, and it stopped working” phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend who has their machine infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker. The next question of course is “How do I fix it?” and my response is “stop doing what you did to get it infected in the first place!” The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. 
Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don’t get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process. There are a lot of commonalities across this group: They use IE 6.x on Windows. They do not make backups. They do not keep the original software media or software licenses. They use their machines for their business. Their machines run very slowly, and have for a long time. They browse -everywhere-. They have never met an email link they would not click. They download lots of applications and music. They install a lot of free Internet applications just to see what they are. They have never uninstalled a program. They do not run disk cleanup. They have Norton or McAfee. They have malware and adware on the machine. They do online banking. There is no password on the machine. The machine is multi-use by/for all family members. They have never looked at IE settings. They are unaware that there are other browsers. I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day’s work … spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! “Where are my bookmarks?” “Why does the computer do this?” “I can’t print!” “Why is this over here when it used to be over there?” Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. 
I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought “Security Mike’s Guide to Internet Security” when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build.

And now for the week in review:

Webcasts, Podcasts, Outside Writing, and Conferences:
  • Martin and Rich on the weekly Network Security Podcast.
  • Rich joined Amrit Williams of BigFix on the Beyond the Perimeter podcast.

Favorite Securosis Posts:
  • Rich: Our guest post from Marker Advisors on A Financial Analyst’s Perspective.
  • Adrian: The Pin Crackers post, raising some discussion points to Kim Zetter on the Wired Threat Level site in regards to “PIN cracking”.

Favorite Outside Posts:
  • Adrian: I liked Ronald McCarthy’s down-to-earth discussion of Ubuntu Security.
  • Rich: Alex’s comments on Project Quant. Don’t worry Alex, we are all armed with ‘Multitools’ and chewing gum!

Top News and Posts:
  • An Examination of the Twitter Worm.
  • The Verizon Data Breach report is out. It’s good. Read it when you get the chance, but some of the editorial posts are advised as well,


Marshal8e6 Buys Avinti

eWeek is reporting that Avinti is being acquired by Marshal8e6 this week. There has not been a lot of news in this sector of late, but this one is a little different, so what exactly do we have here? A web security appliance vendor merged with an email security software vendor, buying another vendor who leverages virtual environments to isolate code behavior. Marshal8e6 is the recent merger of the Mail Marshal email security guys with 8e6, the web security firm. Avinti provides a sort of application Habitrail to monitor code in its natural habitat, watch how it works and (since I am already running with this analogy) spot the evil hamster at play. From Avinti CEO William Kilmer: “Essentially we have a network-based device that would run a series of virtual images that can actually mimic the user’s desktop environment,” Kilmer said in an interview with eWEEK. “We’ll open it up, actually run it, and look for process or look for different signals that would indicate that it’s a virus.” While this is an odd mixture of technologies, the trifecta makes sense for them. Most vendors offer a combined email security and web security offering, and customers expect as much. But with signature based detection of spam and malicious code nearing the end of its useful lifespan, alternative methods of detection are needed and being used. I think in the short term Avinti’s behavior based inspection provides Marshal8e6 a very minor competitive advantage amongst some of their mid-tier competitors, but in the long run the Avinti approach is what is more interesting: providing a flexible ‘playground’ to test or deploy multiple inspection techniques, and I imagine allowing the customer to cascade multiple methods at once. It also allows them to scale services on the back end on an as-needed basis with cloud or virtual computing, so if the customer wants to run appliances (software or virtual) they will have the option.
Marshal8e6 of course faces the challenge of implementing a unified system and policy management interface for the combined product; all three products needed a refresh regardless, but this will be critical for both keeping existing customers happy and also making the product easy to use. Smaller email/web security firms are in a very tough position given competition from the top vendors, but if they can provide enough breadth of functionality to meet expectations while continuing to innovate, they have a good chance to survive this market.


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.