Securosis

Research

Balancing the Short & Long Term

Our pal Eddie Schwartz was named CSO of RSA earlier this week, presumably with a big role at the mothership (EMC) as well. The Tweeter exploded with congratulations, as well as cautions about the difficulty of the job, given the various shoes that will inevitably continue to drop resulting from the April breach. Believe you me, Lockheed and L-3 are the tip of the iceberg. Also think about Sony, which has been subjected to an ongoing hacker mauling the likes of which we had not seen before. The sad tale is being documented in real time at attrition.org. Crap, they even made owning Sony a verb (sownage). That’s never good. Sony recently named a fellow to fix it, and he faces the same challenge as Eddie. How do you drive consistent awareness and behavioral change to protect information in an organization of tens of thousands of people? You had better have a plan, and not a short-term one. There are no quick fixes for a situation like this. Why can’t Sony and EMC just write a few checks and fix it? Wouldn’t that be nice? But as my stepfather says, “If it’s a problem you can solve with money, it’s not a problem.” Guess what? This is a problem. Shrdlu’s recent missive really illuminates the difficulties in getting everyone to march to exactly the same drum. As she says, it takes a long time (think years, not months) to effect that level of change. As if that were the only issue facing these guys, the situation would be manageable. Sort of. Unfortunately it’s not that simple, because we live in a short-term world and both of them need to play find the turd, – I mean, perform a risk assessment, to understand where the other soft targets reside. Then they need to monitor those resources and watch carefully for signs of attack. Like sharks smelling blood, it won’t take long before the next wave of hungry attackers surround the wagons, as is happening now with Sony. That’s the short term plan. But we all know the short term has a funny way of consuming all the resources, forever. You know, life is a series of short-term fires which need to be dealt with. Long-term plans never mature (and often aren’t even made). This is what separates the organizations which recover from breaches from those which don’t. So the art is to pay attention to the short term without losing sight of long-term goals. Yeah, easier said than done. Sony, RSA/EMC, Epsilon, Lockheed, and all the other organizations showing up in the 24/7 media cycle have a great opportunity to capitalize on their short-term pain to implement long-term structural changes. Will they do it? I have no idea, but we’ll know soon enough by keeping an eye on the front pages. The media is good like that. Share:

Share:
Read Post

Incite 6/8/2011: Failure to Launch

Shipping anything is pretty easy nowadays. When someone buys the P-CSO, I head over to the USPS website, fill out a form, and print out a label. If it takes 5 minutes, I need more coffee. Shipping via UPS and FedEx is similarly easy. Go to the website, log in, fill out the form, print out a paper label, tape it to the package, and drop it off. I remember (quite painfully) the days of filling out airbills (in triplicate) and then waiting in line to make sure everything was in order. As many of you know, Rich and Adrian are teaching our CCSK course today and tomorrow. It’s two days of cloud security awesomesauce, including a ton of hands-on work. I did my part (which wasn’t much) by preparing the fancy Securosis-logo USB drives with the virtual images, as well as the instructor kits. I finished that up Sunday night, intending to shippthe package out to San Jose Monday morning. So I get onto FedEx’s site (because it absolutely positively has to be there on Tuesday) and fill out my shipping form. Normally I expect to print the label and be done with it. But now my only option is to have a mobile shipping confirmation sent to me. What the hell is a mobile shipping confirmation? Is there an app for that? I read up on it, and basically they send me a bar code via email that any FedEx location can scan to generate the label right there. Cool. New technology. Bar codes. What could go wrong? I take my trusty iPhone with my shiny barcode email to the local FedEx Office store first thing Monday morning. The guy at the counter does manage my expectations a little bit by telling me they haven’t used the mobile confirmation yet. Oh boy. Basically, FedEx did send a notice to each location, but they clearly did not do any real training about how the service works. The barcode is a URL, not a shipping number. The folks at the store didn’t know that and it took them about 10 minutes to figure it out. It was basically a goat rodeo. The FedEx Office people could not have been nicer, so the awkward experience of them calling a number of other stores, to see if anyone had done it successfully, wasn’t as painful as it could have been. But the real lesson here is what I’ll tactfully refer to as the elegant migration. Maybe think about supporting multiple ways of generating a shipping label next time. At least for a few weeks, while all the stores gain experience with the new service. Perhaps do a couple test runs for all the employees. Why not give folks a chance to be successful, rather than forcing them to be creative to find a solution to a poorly documented new process while a customer is standing there waiting. When we launch something new, basically Rich, Adrian, and I get on the phone and work it out. It’s a little different when you have to train thousands of employees at hundreds of locations on a new service. Maybe FedEx did the proper training. They may have asked folks to RTFM. Maybe the service has been available for months. Maybe I just happened to stumble across the 3 folks out of thousands who hadn’t done it before. But probably not. – Mike Photo credits: “RTFM – Read the F***ing Manual” originally uploaded by Latente Incite 4 U Better close those aaS holes: The winner of the word play award this week is none other than Fred Pinkett of Security Innovation. In his post Application Security in the Cloud – Dealing with aaS holes, Fred does a good job detailing a lot of the issues we’ll deal with. From engineering aaS holes (who aren’t trained to build secure code), to sales aaS holes who sell beyind their cloud’s capabilities, to marketing aaS holes (who avoid good security practices to add new features or shiny objects), to management aaS holes (folks who forget about good systems management practices, figuring it’s someone else’s problem), there are lots of holes we need to address when moving applications to the cloud. Fred’s points are well taken, and to be clear this is a big issue we address a bit in the CCSK curriculum. Folks don’t know what they don’t know yet, which means we’ll be trying to plug aaS holes for the foreseeable future. – MR Payment shuffle: Will interoperability and commerce finally push the adoption of smart cards in the US? Maybe, or at least the card vendors hope they will, with European travelers starting to have troubles with mag stripe cards. It’s not like this hasn’t been tried before. I remember reading about Chip and PIN (CAP) credit cards in 1997. I remember seeing the first US “Smart Card” advertised – I think by Citi – as a security advantage to consumers in 1999. That didn’t go over too well. Consumers don’t much care about security, but you already knew that. Europe adopted the technology a decade ago, but we have heard nothing in the US consumer market since. Why? Because we have PCI, which is the panacea for everything. Haven’t you heard that? Why improve security when you can pass the buck. Yup, it’s the American way. – AL Closing the window: Last night RSA released a new letter to their customers about their breach, and the attack on Lockheed and other defense contractors. Lockheed confirmed in a New York Times article that information stolen from RSA was used to attack them. Fortunately Lockheed managed to stop the attack. If I wasn’t out in California to teach the CCSK class this week I’d probably write a more detailed post because it’s definitely a big deal. There is now no doubt that customer seeds were stolen. And whoever stole them (IPs linked back to China) used the seeds to attack at least three major defense contractors simultaneously, less

Share:
Read Post

Security: the Cloud Bogeyman

I clearly remember being a kid and scared there was a monster in my closet. I was pretty young, and all it took was my Mom wrapping a can of Right Guard in a “Monster Spray” label to allay my fears. My kids tend to get scared by stuff they can’t see as well, and movies like Monsters, Inc. haven’t done much to dispel the fear in today’s generation. When I went to sleepover camp, there were the stories of Cropsey to terrorize new campers, and the chain goes on and on. We continue to be scared by the stuff we don’t understand. It looks like the cloud falls into the same boat, as shown by the latest survey by Kelton Research sponsored by Avanade. No, I hadn’t heard of either of these shops either. But all the same, 25% say they’ve had a security breach with a cloud service and 20% are moving back to traditional on-premise apps. There, my friends, is the bogeyman, in full effect. Since we built the CCSK curriculum, your friends at Securosis have become immersed in many things relating to securing cloud infrastructure. In fact, Rich and Adrian will be teaching the course this week in San Jose to a packed house. We are also training the first set of instructors for the course, so expect to see it offered near you very soon. Which is a great thing, given our collective fear of the unknown. So here is the dark little secret of cloud security. It’s different, but not that different from securing your traditional environment. The reality is that most folks suck at security, and moving applications & infrastructure to the cloud is not going miraculously make them any better at it. If you are good at security on-premise, you’ll likely be pretty good when you move stuff to the cloud. That doesn’t mean you will automagically understand how all the pieces fit together, but the fundamentals are largely the same. There really are additional moving pieces, of course, and depending on where in the SPI stack you stake your cloud tent, you’ll need to think about more heavily instrumenting your applications for security and logging/monitoring. Identity changes a bit as well. And never forget that the entire environment (especially private cloud) remains immature and overly complicated. But since FUD (especially the Fear) is such a powerful motivator for buying security widgets you may or may not need, we’ll see lots of questions about how secure the cloud is. We’ll see plenty of Chicken Little behavior to convince you the cloud is not safe – unless you use this cloud security widget, of course. But – just as I tell my kids– if you are scared of something you need to understand it. It very well may warrant fear or terror. But until you understand what you are talking about your fear is not justified. So get educated on cloud stuff. Go take the course. Ask questions, focus on educating yourself and your organization, and then figure out how and how much cloud computing makes sense for you. Just don’t give into the fear of the unknown that will plague this technology for the next few years. It’s not that scary. Promise. Photo credit: “bogeymen everywhere 1” originally uploaded by Voyager10 Share:

Share:
Read Post

Incite 6/1/2011: Cherries vs. M&Ms

Queue up the Alice Cooper and get ready. Last Friday was the last day of school for the kids. That means school’s out for summer, and it’s time to get ready for the heat in all its glory. Rich and Adrian live in the desert (literally), so I’m not going to complain about temperatures in the 90s, but thankfully there is no lack of air conditioning and pools to dissipate this global warming thing. There are plenty of things about summer I enjoy, but probably best of all is being able to let my kids be kids. During the school year there is always a homework assignment to finish, skills to drill, and activities to get to. We are always in a rush to get somewhere to do something. But over the summer they can just enjoy the time without the pressure of deadlines. They spend days at camp, then head to the pool, and finish up with a cook-out and/or sleep-over. Wash, rinse, repeat. It’s not a bad gig, especially when you factor in the various trips we take over the summer. Not a bad gig at all. But enough about them – one of my favorite aspects of summer is the fruit. I know that sounds strange, but there is nothing like a fresh, cheap melon to nosh on. Or my favorite desert, cherries. Most of the year, the cherries are crap. Not only are they expensive (they need to fly them in from Chile or somewhere like that) – they just don’t taste great. Over the 3-4 months of summer, I can get cherries cheap and tasty. There is nothing like sinking my teeth into a bowl of cherries at the end of a long, sweaty day. Nom. It’s been said that life is like a bowl of cherries. I’ve certainly found that to be the case, and not because some days are the pits. It’s also that some folks always chase the easy path. You know, getting pre-pitted cherries. Or buying one of those pitting devices to remove the pits. In my opinion that basically defeats the purpose. Over the summer I enjoy moving a little more slowly (though not too slowly, Rich, settle down). And that means I like to enjoy my dessert. It’s not like grabbing a handful of M&Ms and inhaling them as quickly as possible to get to the next thing. It’s about taking my time, without anywhere specific to go. Really just taking a step back and enjoying my cherries. Hmmm. If I think a little broader, that’s a pretty good metaphor for everything. We spend most of our lives snacking on M&Ms. Yes, they are sweet and tasty, but ultimately unsatisfying. Unless you are very disciplined, you eat a whole bag quickly with nothing to show for it. Except a few more pounds on your ass. But I’d rather my life be more like a bowl of cherries. I have to work a little harder to get it done and I’ve learned to enjoy each pit for making me slow down. Although in the summer, my dessert takes a bit longer, in the end I can savor each moment. Not a bad gig at all. There is some food for thought. – Mike Photo credits: “Cherry Abduction” originally uploaded by The Rocketeer Incite 4 U Thinking about what “cyberwar” really means: Professor Gene Spafford wrote a pretty compelling and intriguing thought piece over the weekend about cyber war, whatever that means. One of his main points is that our definition is very fuzzy, and we are looking at it from the rear view mirror rather than through the windshield. Many folks joke about the security industry “solving yesterday’s problems tomorrow,” but Gene makes a pretty compelling point that these issues can impact the global standing of the US within a generation. One of Gene’s answers is to start sharing data about every intrusion right now, and I know that would make lots of us data monkeys very happy. There is a lot in this piece to chew on. I suggest you belly up to the table and start chewing. We all have a lot to think about. – MR Battle for the cloud: So you’ve heard of OpenStack, right? That amazing open source cloud alternative that’s going to kick VMware’s ass and finally bring us some portability and interoperability? Well I’ve spent a few weeks working with it, and have to say it’s a loooonnnnng way from being enterprise ready (long in Internet years, which might be a couple weeks for all I know). It’s rough around the edges, relies too much on VLANs for my taste, and the documentation is crap. On the other hand… it’s insanely cool once you get it working, and the base architecture looks solid. And heck, Citrix is going to use it for their cloud offering, and has already contributed code to support VMware’s hypervisor. Kyle Hilgendorf has a good post over on his Gartner blog about the battle for enterprise cloud dominance. Like Kyle, I’m “optimistically skeptical”, but I do think Citrix has way too much at stake to not offer a viable and compatible alternative to VMWare. – RM Payment pirates: A popular refrain from CEOs I have worked for was they did not want to spend money on training because employees would just leave and take new knowledge with them. They know they don’t own what’s in their employee’s brains, so they view educational investment as risky. Gunnar Peterson pointed out last week that it could be worse – you could not train employees, and have them stay! There is no loyalty between businesses and their employees. Companies replace employees like they were changing a car’s oil filter, paying for new skill sets because they prefer to or because they can’t retain good people. Employees are always looking for a better opportunity, taking their skills to another firm when they feel they can do better. That’s the modern reality. Last time

Share:
Read Post

Sowing the Seeds of Token Panic

It was just a matter of time. After the EMC/RSA breach in March, the clock started ticking relative to the seeds being used to gain access to something important. According to Bob Cringely, that has now happened with a very large US defense contractor having their remote access network compromised. Since it had been a pretty slow news week (how long can we talk about the LinkedIn IPO?), now every beat reporter will write 10 articles on the impact of this new attack. It’s just a matter of time before we see picketing at RSA HQ, demanding new tokens for all. We’ll see the old timers talk about the good old days to time sharing. Security folks will be called before the executive team to discuss the exposure and whether the tokens are still worth a damn. Wash, rinse, repeat. We’ve seen this movie before. Now I don’t have any inside information about this new attack. But the reality of two factor authentication means you need both something you have and something you know. If 2FA is based on an RSA token (and the seeds were stolen), then the attackers have the token. But they don’t have the code (something you have) required to gain access. Unless the device was compromised separately using a different attack, mostly likely a key logger to capture the passcode. The loss of the seed does not compromise your network. But the loss of the seed and the passcode will. That’s an important distinction. Is the inevitable panic justified? Of course not. We are presumably dealing with APT, which means they will get into a network by whatever means necessary. Advanced or not. They got the seeds, and then compromised a device with remote access. Game over. They are in. Let’s just say a company tossed all their RSA tokens and brought in someone else. Guess what? Then the attackers would compromise a device already on the network, taking the 2FA out of play. And that’s really the point. Remember the words by any means necessary. Sure, RSA will likely have to stamp out millions of new tokens. Customers will demand no less. Yes, it will cost them money, but it’s a drop in the bucket for a company like EMC. Yes, issuing new tokens will stop this specific attack vector. But it will not stop this specific attacker. So panic all you want. They are still going to get in. Which underlines the key point in Cringely’s article. “The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.” We’ve been talking about reacting faster and better for years. Significant network and system monitoring, and if you are specifically a targeted organization, network full packet captures are not options anymore. What should you do? Use the panic to your advantage. These are some pretty good data points to push through the funding for that full packet capture gear or a new network/systems monitoring service, eh? Or maybe the application white listing technology for those devices with access to critical stuff. Whatever the specific controls you need to add, strike while panic is cresting. Now that’s what I call making lemonade out of a bunch of lemons. Photo credits: “Panic!” originally uploaded by Memphis CVB Share:

Share:
Read Post

Incite 5/25/2011: Rapturing the Middle Ground

The sun rose today. As it has every day for a couple billion years. Though plenty of people thought they would not be around on Sunday for the sunrise. Yes, I’m talking about the Rapture. Either it didn’t happen or we all got left behind, which is fine by me – I still have stuff to do. You may think the whole concept is wacky, but I’m the last guy to criticize someone else’s beliefs. What you believe is your business. I’m certainly not going to try to convince you I’m right. Especially about matters of faith. But the Rapture preacher didn’t consider that he could be wrong. He dug in and didn’t leave any wiggle room. That didn’t work out very well. His followers awoke Sunday, confused and flabbergasted. Some haven’t paid their bills. Others took fancy vacations with money they didn’t have, figuring it would be the bank’s problem and they’d be laughing from heaven. These folks didn’t have a contingency plan. But you have to hand it to the preacher. He’s a true believer with a flexible and robust calendar. Some may snicker about the lunacy of the whole thing, but that misses the point. The real lesson is that even if you are a true believer you need to leave your options open. Even if you know you are right, it’s probably a good idea to think through the unfathomable scenario that you could be wrong. I know, it’s hard. None of us want to believe we are wrong, especially folks of conviction and passion. But in the face of overwhelming evidence (like waking up on Sunday) that you are indeed wrong, you need to be able to move forward. This remains a challenge for me too, by the way. I think in a pretty binary fashion. Right and wrong. Good and evil. Black and white, with very little gray. Though the gray area is increasing, which is kind of predictable. When you are young, you haven’t screwed up enough things to believe you could be wrong. Over time, you gradually realize not only your own limitations, but also that right/wrong is an interpretation. Now do a little homework to start using this lesson in practice. Look back to your last 2-3 arguments. Did you leave yourself an out? Did you respond poorly because you had no choice but to defend your position to the bitter end? Did you need to fall on your sword to save face? I’m all for taking a position and defending it passionately, but 20+ years in the salt mines have taught me to find the middle ground. Because most likely the sun will rise tomorrow, and you need to move forward. – Mike Photo credits: “Caught up in the rapture” originally uploaded by Analogick Incite 4 U Target Practice: Life is about relationships. Pretty deep but true. Whether you are talking about family, friends, colleagues, even people you don’t like, your reality is based upon the relationships you have with these folks. That’s true in security as well, as Chris Hayes points out. There is a good quote here: “IT and business executives are craving value-add from information risk management functions.” Which is true, so how can you add this value? By defining success and then delivering it. It’s not your definition of success – you need to agree with other folks on what security can do to further business objectives. Find the target. Hit the target. Then tell folks you hit the target. Easy as pie. – MR Hostage Situation: A Venafi study finds admins could hold data hostage from their employers if they chose to withhold encryption keys and passwords. To which I have to say “Well, duh!” Not everyone in an organization will have control over pieces of critical infrastructure, but you have to trust someone, so place control in the hands of a select few. This variety of insider threat rarely materializes, but is especially damaging when companies over-leverage key management solutions (so, for example, every key in the organization is stored in a single key server) or fail to implement separations of duties for key management. If you are worried about this type of scenario there are several things you can do: keep a master key stored off-premises so you can regenerate and rotate the working keys if an admin goes rogue. Think about separating duties for key management, so no single admin can take control of the key manager functions. Use different key servers for different applications or functions, minimizing the scope of potential damage. Do better background checks on your admins prior to employment, and have better employee departure processes to make sure all credentials and access points are changed as part of the termination process. Or maybe treat your employees better so they don’t get too pissed off – yeah, that last one’s probably not going to happen. – AL There is no control for stupid: A fact that is mostly glossed over by security folks is that all the technical controls in the world can’t protect a stupid user with access. That’s the point of George Hulme’s story, and it’s a good one. Yes, we have to make it hard for user stupidity to bring down valuable systems – hat’s what technical controls are for. But we also need to anticipate some number of self-inflicted wounds, and be able to quickly respond and recover. That’s what Reacting Faster and Better is all about. So whether it’s a human FAIL, technical FAIL, or an attacker that kicks your butt, it’s all the same in the end. You need to handle the issue. – MR Unless you are the lead dog, the scenery never changes: I love that concept. Most folks spend their life looking at someone else’s backside. Which is fine – not everyone can lead. But what does it mean? We all have our own ideas, but Bejtlich’s post defining Five Qualities of Real Leadership clarified a lot of the stuff

Share:
Read Post

End Users, Fill out Our Security Marketing Content Survey

We got great response to our Categorizing FUD post. Obviously many of you are as frustrated with marketing idiocy as we are. So let’s band together to prove to the vendor community that some of their security marketing tactics hurt them more than they help. We put together a little survey to get your opinions on the value of a number of different kinds of marketing content, to help understand how you use these tools and whether these tactics negatively impact your perception of the vendors using them. With this analysis, we can go back to the vendors and poke them in the eye about the stupid stuff they do. If you want your opinion heard, and are an end user, please head over the survey and fill it out. It should take less than 10 minutes. Although we have no way to enforce this, we’d prefer only folks directly involved in buying security products for end user organizations respond to the survey. The questions are structured to help understand how these different content types impact perception of vendors, which is why the survey is more appropriate for end users. Direct link: http://www.surveymonkey.com/s/SecurityMarketingContent Thanks for your help. Share:

Share:
Read Post

Planning vs. Acting

I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion. I’m also all for action. As a CEO I worked for once told me, “Nothing gets done until someone sells something to someone.” In security that means at some point the controls have to be implemented, the flanks monitored, and the attacks defended. Dave Shackleford gets things done. Quickly. He thinks fast. He talks fast. He’s always moving. He’s like the Tasmanian Devil. These two got into a Tweet ‘fight’ (whatever that means) last week over Josh’s CSO article The Rise of the Chaotic Actor, Understanding Anonymous and Ourselves. Dave sat down long enough to bang out a response, Less Talk, More Action. I had nothing better to do on a flight home, so why don’t we investigate the gray area between them. Some aspects of both their positions make sense to me. And some don’t – depending on agenda and perspective. Josh is an analyst. He’s not hands-on anymore. If he hacks anything, it’s in his spare time, which I know is limited. We analysts cannot spend 60% of our time fixing things like Dave. There is too much pontificating to do. We have to influence behavior by writing thought provoking pieces to shake folks out of their day-to-day misery, into thinking a bit more strategically and broadly. That’s what Josh’s piece was about. He makes the case that, once again, our adversaries’ motives are changing – to defend against them we need to understand the new reality. But Dave has a good point too. Time spent obsessing about how to defend against a collective like Anonymous is time not spent on more active work, such as patching systems, training users, and implementing new controls. Shack points out that if we could spend 10% more time doing things, we probably wouldn’t be quite so screwed. And we are screwed, as the fine folks at Verizon Business point out every year in their DBIR. As usual, the truth is somewhere in the middle, depending on who you are and what you are responsible for. You don’t always think strategically, and you can’t always be doing things. Dave did toss that into his post. Security architects need to understand the current threats and how to evolve defenses. Those folks need to pay attention to Josh. For them, the chaotic actor is important. But there are many more practitioners doing poor jobs on fundamentals. A lot more. No matter the size of their company, these folks suck at security. They can’t even walk, so asking them to ponder the dynamics of running a world class 200m race is stupid. That’s Dave’s point. These folks need to fix the steaming piles of their security programs before they worry about Anonymous, or anyone else for that matter. A script kiddie can take them down, so a nation state is off the radar. As usual, when you push a targeted message like Josh’s widely – such as through CSO Magazine – you are bound to annoy people. When Dave gets annoyed he tends to fire with both barrels, which I certainly appreciate. I know someone like that. To be clear, most folks working on security should spend more time letting Dave teach them the fundamentals, rather than having Josh expand their viewpoints. I think that was Dave’s point. My point is that it’s up to you to understand whether you should be thinking strategically or tactically at any given moment. There are times and places for both. Fail to recognize your situation and choose the right response, and you will become just another statistic on Kushner and Murray’s survey. You know, the one tracking the average tenure of security folks. Share:

Share:
Read Post

Incite 5/18/2011: Trophies

As mentioned last week, I’ve been mired in the twins’ baseball/softball playoffs the past 2 weeks. That ended Saturday, with the Rothman clan going 1-1 in championship games. XX2’s team lost a close game and took the runner-up trophy. The Boy’s team eked out a win after dominating the league most of the year to take home the victory. It’s funny, you’d think there would be angst and disappointment coming from the girl, and happiness emanating from the boy. But that wasn’t exactly the case. Both reacted pretty similarly: they loved their trophies and were a little disappointed the season was over, so they won’t be playing any more. I get that they are only 7, and the very American need to win hasn’t yet taken root. And I hope it never does. Both teams made it to the championship game, so they got extra trophies. The Boy’s championship trophy had maybe 3 inches on the runner-up trophy. But they were both very proud to get the extra hardware, and so were we. It’s funny – both games went down to the wire. Both were somewhat impacted by poor officiating. And both games had parents or coaches (or both) in an uproar about mistakes made by 14-15 year-old kids making about $15 per game to umpire. The kids couldn’t care less. Sure they had a little trouble understanding why they were called out or why a run was allowed to score when it didn’t make sense. But they got over it within seconds. Some parents were still stewing two innings later. Part of me feels like I’m getting soft, and that focusing on just doing well, as opposed to winning and beating the competition, will hurt my kids later on. Plenty of kids are being trained by their folks to step on the throat. Maybe those kids will win the game of life, whatever that means. I just know how unsatisfied my quest for victory left me. And it wasn’t like my parents pushed me to win at all costs. I was born with that drive and have had to spend years slowly retraining myself to focus less on winning and more on doing what I love, which will likely always be a work in progress. So far it seems my kids are happy to focus on the trophy and not the win. Maybe that will change and then I’ll have a decision to make. Do I discourage that behavior? I’m not sure, but I doubt I would actively interfere with their desire to win. I had to learn the lesson myself the hard way, and I suspect my kids will likewise need to figure it out themselves. I am not bashful about sharing my experiences, so when they ask I’ll provide my opinion. But ultimately they’ve got to figure out whether the trophy will be enough. Photo credits: “Trophies” originally uploaded by TexKap Incite 4 U Are devices or (lack of) performance killing AV? I’ll preface this entire discussion with the disclaimer that the rumors of AV’s demise are wildly premature. But we in the know all understand that AV isn’t the way to deal with today’s threats. Which is why I chuckled when I read about how Google’s Chromebook may finally kill AV. Ha! Unless some smart Google engineer has figured out how to stop corporate inertia in their 20% unstructured time, or to remove AV from all the compliance mandates, I don’t see Chromebooks killing off AV. To be clear the Chromebook is more a mobile device than a conventional computer. And if they allow plug-ins or other persistent software to run (and I don’t know how they could avoid it), malicious code will still threaten to them. But like iOS devices and even Android (to a point), it’s tough to do this in a weaponized, self-propagating fashion. So it gets back to a point we have been making for quite a while. The issues arising from the increasing mobility and consumerization of the workforce are more system and device management issues than security issues. – MR Lasso the SaaSo: Many organizations want to move various operations to SaaS providers, but balk both at the complexity of managing users and at giving up control of their data. We see two types of solutions appear. Some help manage user credentials and integrate accounts with internal directories, and others are inline proxies to encrypt/tokenize data or limit functionality. Hoff talks a bit about VMware’s move into this area. I suspect the money is on the user management side, and have very mixed feelings on the data protection/encryption products. Sure, you can encrypt customer info and store the token or encrypted value in Salesforce.com, but the more data you block Salesforce.com from processing the less useful it is. And these things are inline proxies which reduce mobility. Back to the VPN, everyone! Seems like the sort of thing people will buy and discard. – RM Compliance Rolling: I got a kick out of Dejan Kosutic’s Management’s view of information security – he captures the essence of the issue. It’s just that his clean prose presents a politically correct version that misses the semi-hostile management displeasure for anything security. Kinda like your defeated resolve when finding you have an incurable disease. In management discussions, I find “Is it really necessary?” really means something more like “Are you sure legal said there was no loophole?” I translate “Does it fit into our company strategy?” to “If we can’t get rid of it, then let’s market it as an advantage.” And I hear “How can we decrease costs?” as “Where can we cut corners and still be compliant?” He’s right that management does not want to invest in security, and Dejan has the right discussion points, but the language is never this civil. It’s more like wrestling with a hostile adversary. – AL There is no answer (singular): I sat in on my friend Ron Woerner’s leadership presentation at Secure360 last week, and

Share:
Read Post

VMWare Buys Shavlik: One Stop Shop for Virtual Infrastructure?

The M&A train gathers steam in the security space. With Lumigent’s assets off the table, the TripWire buy, Sophos/Astaro, and RSA/NetWitness, it seems the busiest guys in town are the investment bankers. VMware has joined the parade by buying configuration management player Shavlik, ostensibly to facilitate the adoption of virtualization in the SMB market segment, though we believe that oversimplifies VMware’s ambition to be a one-stop shop for all things virtual infrastructure. This is actually an interesting deal, particularly considering GigaOm’s excellent VMware is the New Microsoft, Just Without an OS. Think about that for a second. As Microsoft started attacking the enterprise with LAN Manager and then more specifically Windows 2K, their success was accelerated by offering seamless management of the server(s). Enterprise customers scoffed at Microsoft System Manager because it wasn’t OpenView or UniCenter, but it provided small customers with what they needed to lay down a foundation of Microsoft servers. In the small business segment, seamless management is critical thanks to the limited IT resources. And that will be a gating factor to adoption of virtualization in small companies as well. So decisively taking that issue off the table is a smart move for VMware. The ability to claim some security goodness is a bonus. You have to tip your hat to Mark and the rest of the team at Shavlik. They built the company without outside investment by focusing on a core market and not straying from it, even as Shavlik’s more enterprise-focused competitors, such as BigFix (IBM) and ConfigureSoft (EMC), were taken out by big IT players. Shavlik stayed focused on Windows environments, adding anti-virus and power management to the mix within the same management construct. They also invested heavily in spinning a SaaS management service to appeal to small companies (under 100 employees). If you look at Shavlik from an enterprise standpoint, as many of us are guilty of, they don’t measure up. But as VMware looks to go downmarket with virtualization Shavlik is a great fit. But we still need to assess the technology within the context of the entire virtual infrastructure. On one side they might be planning on adding it to VShield Endpoint to enhance VM configuration and tracking – little things like making sure the instance you spin up was patched while in storage, and updates weren’t just applied to VMs running at the time. Or maybe they will skew this more towards managing virtual desktops. Or both. To assume they will only use Shavlik as a lever to get into SMB would be to downplay VMware’s grand ambition. With some R&D investment Shavlik’s technology could be extended to other platforms. And probably needs to be, because a technology like configuration management is core to managing this next wave of hybrid virtual/cloud data centers. VMware has plenty of options for integrating Shavlik, and most inevitably lead to impinging on the territory of its partners. Initially they won’t risk alienating HP, IBM, or EMC, who are significant partners for VMware. But at the end of the day all the Big IT players are competing to control the virtualization/cloud platform and infrastructure. VMware is clearly building itself out as a one-stop virtual infrastructure shop. It’s too early to see how it will fully play out, and a lot of organizations are using multiple virtualization and cloud providers to tackle different parts of the problem (servers, desktops, big iron, etc.). But ultimately, in most market segments, the player that provides the most effective platform will gain the largest market share. And that means they all need to field complete product lines. Which they will, keeping the investment bankers busy. Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.