Securosis

Research

Defining Failure

Given the hard time we have defining success in the security field, you’d think we must have at least a firm handle on failure. But that isn’t entirely the case. As both an entrepreneur and a security guy, I may have a different perspective on failure, which influences how I look at pretty much all our business activities. I read a lot of VC and entrepreneur blogs, not because I want to raise money – in fact I’d rather hook my soft targets to a car battery than take outside investment. But I need to learn about how folks are screwing things up and try not to do that. Don Dodge’s short post, Failure is just experience on the way to success resonated with me. He talks about failing fast and the idiocy of the failure is not an option mantra. Of course, if lives hang in the balance, I’m good with doing whatever is humanly possible to avoid failure. But for a business? Give me a break. It creates a culture of risk avoidance, always a recipe for failure over the long term. Look at pretty much all big companies – they have this in spades. Their size and inertia may offset their lack of innovation for years, but ultimately these companies hit the wall because they get too big to remain nimble. So what? How does this help you do security better? Well, there is one crystal-clear failure in security: the breach. That means something failed and data was compromised – simple. You try hard to respond effectively and move on. But let’s talk about another type of failure. That’s the failure of a tactic, control, or product. You do all sorts of things that aren’t working – in many cases you know it’s not working. Let’s just pick on SIEM for a few minutes. Some organizations get tremendous value from SIEM, but I’ve met with countless other companies which do not. Not many stand up, own the project failure, and move on to something else that might work better. Failure needs to be an option These folks believe failure is not an option. They see tremendous political capital locked up in the tactic they decided on, and won’t risk looking bad by admitting failure. They’d rather keep throwing good money after bad, and wasting major resources that could be better used elsewhere to save face in the political meat grinder. Most of the time they also fail agonizingly slowly. Many of these science projects require a significant amount of integration and professional services, further driving up the price and pushing out the timeline. I get that sometimes an initiative can have a happy ending even if things look pretty bleak during part of the process. But realistically, more often than not, it doesn’t get better. At least until you find your next gig. But this isn’t the real driver for this dysfunction. There is very little incentive for small cogs in big wheels to stick their necks out and declare failure before they are forced to. Best case, you draw down your credibility. Worst case, you cost yourself a job before you needed to. Do you really wonder why most folks just sit on failure until the rotten fish stench becomes un-ignorable? Or why it usually takes a regime change to address all the hidden turds that were studiously being ignored, at significant cost to the organization? Failing Gracefully What can you do about it? If you work in an organization where failure is frowned upon, keep making deposits in the credibility bank and hope you have enough credit, then make a careful decision exactly when to admit the failure. Hoping the project will recover is not a strategy for success. These ongoing train wrecks represent sunk costs, so focus on cleaning these messes up as quickly as possible while keeping your job. Looking forward, you can change things, and that’s what you need to focus on. You need to manage your projects a bit differently. See how you can break larger initiatives down into smaller ones, with defined exit points. Reduce financial and resource risk, and allow yourself some leeway to determine whether you are on the right path. Have a Plan B, if your best-laid plans end up being wrong. If you are interviewing for a new gig, understand how the organization handles failure. Ask for anecdotes and stories about projects that went south. Did anyone live to tell the tale? Or are they all urban legends because all the bodies are buried throughout the organization? Ask how success is defined, and whether a similar amount of effort is spent on defining failure. Go in with your eyes open, and don’t have what sales folks call happy ears when you don’t get answers you like. I do believe failure is your friend. Maybe that’s my own confirmation bias talking, because I have failed more than most. But regardless of your job role, you can embrace failure and do your job better for it. Really. Share:

Share:
Read Post

Cybersecurity’s RICO Suave: Assessing the Proposed Legislation

With some fanfare, the US executive branch (the White House) unveiled a proposal for cybersecurity legislation “focused on improving cybersecurity for the American people, our Nation’s critical infrastructure, and the Federal Government’s own networks and computers.” At first glance, it’s more of the same. Which is not much. A lot of it is voluntary, which means it won’t happen. Like government assistance to industry, states, and local governments when a breach happens. Sounds a lot like the scariest statement you can hear: “We’re from the Government, and we’re here to help.” I guess there is some value to understanding the process to engage the feds, especially if you plan to use APT in your PR spin. There are also some ideas on voluntary information sharing, which would be great. Again, if it happens, but there are many pesky details to figure out before you can actually share information safely, as I discussed in the Benchmarking series. The section on Protecting Federal Government Computers and Networks is also more of the same. Update FISMA. Yawn. Give DHS more flexibility to hire security folks in a competitive market. Good luck with that. They also want to give DHS purview over all the federal IPS devices protecting civilian computers. That’s great news for investors in IPS companies, as it means the feds will continue buying IPS forever. You thought it was hard to kill a technology in your shop? Imagine if you needed an act of Congress to change your architecture. (Note: I am aware there is some flexibility in what is called an ‘IPS’.) Guess the IPS lobbyists are better than the AV lobby, as they didn’t get mentioned specifically. The feds are also embracing the cloud and want to put some language in there to prevent specific states from mandating where a data center is built. Good luck getting that through Congress. The Fact Sheet also talks about privacy issues and consulting “privacy and civil liberties experts,” while requiring approval of the Attorney General to implement the cybersecurity program. This will ensure folks are doing the right thing, right? That makes me feel comfy, since the AG always has our best interests in mind (PATRIOT Act, anyone?). What could possibly go wrong? Not sure this is change we can believe in. With one exception. We all like the new National Data Breach Reporting requirement (it’s about time!), and the ability to use RICO to prosecute computer criminals. Accepting that a lot of computer crime is driven by organized crime factions, which are typically prosecuted through RICO, is progress. Treble damages are no fun, nor are 20+ year jail terms. If you believe in penalties as a deterrent for crime this is good news. And something I think they will have very little trouble getting passed. But let’s be clear about the reality. This is just a legislative proposal. Now the fun begins, where lobbyists, special interests, and all the other wackiness kicks in to water this down before it becomes a law, and to bolt about $10 billion worth of pork onto it. You’ve got to keep the locals happy, no? I know, I’m a little cynical. I’m glad Howard Schmidt is keeping busy with press releases, but this new proposal will have no short term and limited mid-term (2-3 year) impact. Like the changes resulting from the 2009 Cyberspace Policy Review. Right – there were none. In the computer security world, being two days behind the times is a killer. Legislation is 5 years behind on a good day. And that’s being kind. Unless you sell IPS – then you are probably pretty happy. Share:

Share:
Read Post

Thoma Bravo Trips the Wire Fantastic

With the global economy apparently warming and lots of IPOs hitting the Street, it was a bit surprising to see TripWire opt for a buyout by Thoma Bravo, as opposed to continuing with their IPO plans. But I found an article by the local Portland OR Business Journal which explained things a bit. Basically, TripWire is growing at 20%/year, but that does not create a lot of buzz on the Street compared to monster growth stories like Groupon. They also mismanaged expectations a bit last year when they issued the S-1, by talking about hitting $100MM in 2010 revenues, then missing their target (hitting $86MM on the top line). It’s ancient history, but ask SourceFire about not hitting investor expectations when going public. So the stock was likely to languish and that’s not good for anyone. Clearly their investors were tired (having been with the company since 1997), so something had to give. The private equity buyout by Thoma Bravo provided liquidity for the investors (and some founders/early employees) and the runway to continue building the company. Thoma Who? You probably haven’t heard of Thoma Bravo before. They are a buyout firm, specializing in tech companies. You may know a couple of the companies in their security/IT management portfolio: Attachmate (which just acquired Novell after swallowing NetIQ a few years ago), SonicWall, Entrust, LANDesk, and now TripWire. It’s a pretty broad portfolio of mature companies that aren’t really leaders in their respective spaces. That’s why they got bought out in the first place, but these mature companies generate significant revenue, which can be milked and perhaps used to buy other assets. You all know the game in private equity, right? They acquire assets (usually using a mix of equity and debt), clean things up either by fixing operations or merging with other companies to gain scale, and then take the asset public again or sell it to a strategic buyer. If it works out, they generate tremendous returns using the leverage of the equity/debt mix. If you buy an asset like Chrysler (as Cerberus did), that might not work out. But if you look at the Forbes 400 of really rich folks, quite a few specialize in buyouts. So evidently it can be a pretty good model. Thoma’s security portfolio is pretty comprehensive and they have the pieces to compete against some of the bigger players in the space. But only if the various companies are integrated to some degree. Thoma has not talked about any larger strategy in the security market but don’t assume they have one. Maybe they just see a couple companies that can operate more efficiently and at some point provide a decent return on the investment – we will see. Market Impact The fact that the deal was announced as a standalone may mean they plan to leave TripWire alone, especially since the Business Journal story reports that Thoma tends not to mess with its companies. If so there will be little to no impact on existing TripWire customers. Given the market opportunity in security this seems like a mistake to me. Moving forward, security is all about reducing the complexity of protecting a very complicated environment. Having 5 standalone security companies does not reduce complexity for customers, wasting any leverage TripWire could provide with Thoma. If you believed in TripWire as a long-term, sustainable standalone company, this approach is fine. Personally, I think there are only a handful of sustainable, standalone security companies, and TripWire isn’t one of them. So over time I hope they fold into a more comprehensive offering. For the time being, TripWire keeps doing their thing, looking for smaller tuck-in acquisitions and trying to grow to the next level. That just seems like a horrible waste of assets. Folks like McAfee and Symantec have spent years assembling large portfolios of products to package into solutions for customers. Thoma Bravo now controls a significant security portfolio, and with a few more strategic acquisitions (such as monitoring, endpoint protection, and professional services/integration) they could have enough to legitimately compete with Big Security. That assumes competing with Big Security is the end goal, and I’ve been around way too long to think I understand the strategy of any financial buyer. I know the motivation (generate return on investment), but there are plenty of ways to skin that cat. Share:

Share:
Read Post

Incite 5/11/2011: Generalists and Specialists

Looking back over 30+ years, I realize my athletic career peaked at 10. I played First Base on the Monsey Orioles (“Minor League”). Our team was stacked, and we won the championship. I kept playing baseball for a few more years but my teams never made it to the championship, and when the bases moved out to 90 feet my lead feet became the beginning of the end. But it’s okay – I was pretty good with computers and in chess club too. Yep, I was fitted for my tool belt pretty early. When I grew up, you played baseball in the spring. Maybe soccer or football in the fall (and yes, I know they are the same thing outside the US). Some kids also played basketball or hockey over the winter. But now the choices are endless. The new new thing is lacrosse. It seems very cool and is clearly competing with baseball for today’s kids. But the variety is endless. I live in the South, where you can play tennis 10 months a year, and many kids do. My girls dance. There are martial arts and gymnastics. Some kids pick up golf early too. The Boss and I have tough decisions to make every year, because the kids literally don’t have time to do even a fraction of what is available. But this begs the question: generalist or specialist. Some kids play travel baseball. They don’t have time to do much else, so they (or their parents) decide to specialize on one sport. The twins are 7, so we don’t have to push them one way or the other quite yet, but our 10-year-old seems to love dance. She had better, because two days a week and showcases cost a fortune, and don’t leave much time for her to do anything else (while still doing well in school). At some point the kids have to choose, don’t they? Maybe yes, maybe no. The genetic reality is that none of my offspring are likely to play professional sports. I can’t categorically rule it out, nor will I do anything to discourage their dreams. It’s cute to see the boy talk about being a football player when he’s big. But the realist in me says the odds are long. Aren’t they better off becoming well-rounded athletes, able to compete in multiple endeavors, rather than just focusing on one skill? To me it all comes down to passion. If the kids are so passionate about one activity that they have no interest in anything else, I’m good with that. On the other hand, if they can’t make up their minds, they can dabble. They are young. It’s fine. They’ll need to understand that dabbling won’t make them exceptional in any one activity – at least according to Malcolm ‘Outliers’ Gladwell – but that’s okay. As long as they learn the game(s), understand how to contribute to a team, be good sports, and grok the importance of practice, it’s all good. We don’t choose their paths. We just expose them to lots of different options, and see which appeal to them. Do you see where I’m going with this? Many folks feel they need to choose between being a generalist or a specialist in their careers. For us security folks, it means being a jack of all trades, or a master of one. Odds are, given the complexity of today’s IT environment, you can’t be both. There is no right or wrong answer. Sure it’s a generalization, but specialists tend to work in big companies or consulting firms. Generalists are more common in smaller companies, where everyone needs to wear many hats. The worst thing you can do (for your career and your happiness) is not choose. Don’t hate the job you just fell into, with no idea why you’re there or what’s wrong. If some of your tasks make you nuts, you should at least a) know why and b) have chosen that role and those tasks. But the only way to find the role for you is to try both ways. Like we’re doing with the kids – they can try lots of things and eventually they may choose one. Or not. Either way, they’ll each choose their own path, which is the point. Photo credits: “Blocway Paving Specialist Van” originally uploaded by Ruddington Photos Incite 4 U How many SkypeOut minutes can you buy for $8.5 billion? That’s right, sports fans, Microsoft is buying Skype for $8.5B (yes, billion). For a long time we security folks didn’t quite get Skype, so we tried to block it. Then it showed up on mobile devices, and that basically went out the window. The simple fact is that many companies harness cheap telecom to communicate more effectively throughout their far-flung empires. Given Skype’s inevitable integration into all things Microsoft, for those of you that haven’t figured out this VoIP thing the time is now. Like anything else, it’s about doing the work. You know: model the threats of letting certain folks use Skype. Understand the risk, and then make a decision. With a couple hundred million users, you’d think Skype was already mass market. But I suspect you ain’t seen nothing yet. So dust off that policy manual and figure out whether you want/need/can afford to enforce constrain Skype, and how. – MR Ask me nice: George Hulme’s recent post on Making An Application Security Program Succeed raised a couple good points, but reminded me of another angle as well. Rafael Los points out that secure code development is not part of the everyday development job, and developers trail IT management in preparedness and understanding. Gunnar reminds us that we need to keep expectations in check – SDLC is new to development organizations, and your best bet is to pick one or two simple goals to get things started. My point is that if you’re not a developer, you’re an outsider. An outsider telling developers how to do their job is doomed

Share:
Read Post

Incomplete Thought: Existential Identities (or: Who the F*** are You?)

Do you ever think about how you could just disappear? Or become someone else? Maybe only I do that after reading one too many Jason Bourne novels. Given anyone’s ability, with a keyboard and an Internet connection, to become anyone (even Abraham Lincoln is spewing quotes on Twitter now), what does ‘identity’ mean now? In the future? And is your ‘identity’ singular, or will it become identities moving forward? This interview on NetworkWorld with a guy who specializes in making folks disappear was fascinating. Mostly because the approach is totally counter-intuitive. You’d probably guess it’s about hiding your identity or taking someone else’s. But it’s not – at least according to this guy who helps folks hide for a living. It’s about making it hard (if not impossible) to find you through disinformation, using tactics like manufacturing online identities with the same name and sending anyone trying to find you on a wild goose chase. Unless you have someone very motivated to find you personally, this should work like a charm. Think about that for a second. Maybe even think about it from my perspective. There are already a bunch of Mike Rothmans out there. I went to college with one. Yes, a guy with my name – even down to our common middle initial – ended up in the same class at the same college. And that’s without even trying. What if a bunch of new Mike Rothmans showed up? How would you know which one(s) was really me? Maybe I’m not a great example due to my attention whoring disorder – I want you to find me, at least online. But less public folks could likely disappear with little fanfare, leaving a myriad of false trails. So as The Who sang years ago, “Who the F*** are you?” False identities are created every day, with severe ramifications. Think about all those crazy parents creating Facebook identities to spy on their kids or make their kids’ rivals look bad. In this age of social networking, citizen journalism, and Twitter, identity matters but is increasingly hard to define – and even harder to verify. Some folks have been able to get verified Twitter accounts, which could then be hacked. We talked about identity verification and non-repudiation as this ecommerce thing caught fire a few years ago, and we basically forget about it and forced the credit card companies to take on most of the liability from it. Then they forced the merchants to eat it. Risk transference for the win. And now the media seems to fall hook, line, and sinker every time a “citizen journalist” creates a meme, which turns out to be just a front for some big nameless company driving its own agenda. Folks take seriously what they read on all these myriad communication vehicles, regardless of source. And everyone engaging in social networking contributes. As long as they don’t exhibit trollish behavior, it looks like most of us have no issue linking to them and including them as part of the conversation, even though we don’t know who they are. I know I do, fairly frequently. I’ve been struggling with my position on anonymous folks for years. I get that some folks cannot divulge their real names because it could cost them their jobs. But do I continue giving these unverified folks any airtime? And what do I tell my kids? I constantly harp on honesty and honorable behavior. But I’m trying to show them that not everyone holds themselves to the same ethical standards. It’s important they do not believe everything they read or hear. They need to do the work, and figure out what is real and what is not. What they want to believe and what they want to reject. Given this lack of identity, the problem is going to get worse. Where is identity going? How will we verify who is who? Do we even need to? What’s the significance for how we do security? At this point I don’t have any answers. I’m not even sure I know the questions. I know Gunnar and Adrian have been thinking quite a bit about how identity evolves from here. I plan to pick Gunnar’s brain at Secure360 this week, and plenty of other big brains. If you have given some thought to this, please let me know what you think in the comments. Share:

Share:
Read Post

Sophos Wishes upon A-star-o

In the security industry successful companies need have breadth and scale. Security is and will remain an overhead function, so end users must strive to balance broad coverage against efficiency to control, and hopefully reduce, overhead. Scoff as you may, but integration at all levels of the stack does happen, and that favors bigger companies with broader product portfolios. That trend drove Sophos’s rather aggressive move this morning to acquire Astaro, a UTM vendor. I won’t speculate on deal size, but Astaro did about $60MM on the top line last year and was profitable. They also were owned by the management team (after a recent buy-out of the investors), so there was no economic driver forcing the deal. So you have to figure Sophos made a generous offer to get it done. And congrats to Sophos for not mentioning APT in the deal announcement – not even once. At least the Europeans can show some restraint. Deal Rationale Get big or get out. It’s pretty simple, and given the deep private equity pockets (APAX Partners) that acquired Sophos last year, it’s not surprising for them to start making aggressive moves to broaden the portfolio. We believe Astaro is a good partner, given the lack of overlap in product lines, general synergies in the target market, and ability to leverage each other’s strengths. Let’s hit each of these topics. First of all, Sophos has no network security products. There are only two must-have mass market security technologies: AV and firewalls. If Sophos is going to be a long term player in the space they need both. The only overlap is in the content security space, where Sophos has email and web security gateways. But Sophos’ products are hardly competitive in that market so moving customers to Astaro’s integrated platform makes sense. We also like the value Sophos’ research team can bring to Astaro. Clearly reputation and malware analysis is valuable at all levels of the security stack, and Astaro can make their network security products better immediately by integrating the content into the gateway. Astaro brings a lot of customer intelligence to the table. By that I mean Astaro’s real time link to each gateway in the field and granular knowledge of what each box is doing, where it’s deployed, and what it’s running. That kind of intelligence can add value to endpoints as well. Both companies have also largely targeted the mid-market – although they each point to some enterprise accounts, the reality is that they excel with smaller companies. They’ll be strong in EMEA and Asia, but have their work cut out for them in the US. The ability to field a broad product line should help bring additional channel partners onboard, perhaps at the expense of less nimble AV incumbents. There are also some good cultural synergies between the companies. Both European. Both known for strong technology, and not such strong marketing. Given that both endpoint and network security are replacement markets, it’s usually about sucking less than the incumbent, and we think the bigger Sophos should be able to grow share on that basis. Achilles Heel Keep in mind that Sophos did one other deal of this magnitude, Utimaco, a couple years back, which turned into a train wreck. The real issue in the success of this deal isn’t markets or synergies – it’s integration. If they didn’t learn anything from the Utimaco situation this won’t end well. But current indications that they will leave Astaro as a stand-alone entity for the time being, while looking for good opportunities for integration, which would be a logical plan. The key will be to make both product lines stronger quickly, with limited integration. Check Point never did much with their endpoint offering because it didn’t leverage the capabilities of the perimeter platform and vice-versa. Sophos can’t afford to make that same mistake. We also hope Sophos locked in Astaro’s management for a couple years and would look to leverage some of that talent in bigger roles within Sophos. Competitive Impact Having offerings on both the endpoint and network gives Sophos a differentiated position, with only McAfee (of the big players) having products in both spaces. Given the need for mid-market companies to alleviate the complexity of securing their stuff, having everything under one roof is key. Will Symantec or Trend now go and buy a network security thingy? Probably not in the short term (especially given the lack of compelling choices to buy), but in the long run big security companies need products in both categories. Overall, we like this deal. The devil is in the integration details, but this is the kind of decisive move that can make Sophos one of the long term survivors in the security space. Share:

Share:
Read Post

Earth to Symantec: AV doesn’t stop the APT

If you read saw the press release title Symantec Introduces New Security Solutions to Counter Advanced Persistent Threats, what would you expect? Perhaps a detailed security monitoring solution, or maybe they bought a full packet capture solution, or perhaps really innovated with something interesting? Now what if told you that it’s actually about the latest version of Symantec’s endpoint protection product, with a management console for AV and DLP? You’d probably crap your pants from laughing so hard. I know that’s what I did, and my laundromat is not going to be happy. It seems someone within Symantec believes that you can stop an APT attack with a little dose of centrally managed AV and threat intelligence. If the NFL was in season right now, Symantec would get a personal foul for ridiculous use of APT. And then maybe another 15 yards for misdirection and hyperbole. To continue my horrible NFL metaphor, Symantec’s owners (shareholders) should lock the folks responsible for this crap announcement out of any marketing meetings, pending appeals that should take at least 4-5 years. From a disclosure standpoint, we got a briefing last week on Big Yellow’s Symantec Protection Center, its answer to McAfee’s Enterprise Policy Orchestrator (ePO). Basically the product is where ePO was about 5 years ago. It doesn’t even gather information from all of Symantec’s products. But why would that stop them from making outlandish claims about countering APT? Rich tore them into little pieces, politely rubbishing, in a variety of ways, their absurd claims that endpoint protection is an answer to stopping persistent attackers. He did it nicely. He told them they would lose all credibility with anyone who actually understands what an APT really is. The folks from Symantec thanked us for the candid feedback. Then they promptly ignored it. Ultimately their need to jump on a bandwagon outweighed their desire to have a shred of truth or credibility in an announcement. Sigh. Symantec contends that its “community and cloud-based reputation technology” blocks new and unknown threats missed by other security solutions. You know, like the Excel file that pwned RSA/EMC. AV definitely would have caught that, because another company would have been infected using the exact same malware, so the reputation system would kick into gear. Oh! Uh-oh… It seems Symantec cannot tell mass attacks from targeted 0-day attacks. So let me be crystal clear. You cannot stop a persistent attacker with AV. Not gonna happen. I wonder if anyone who actually does security for a living looked at these claims. As my boys on ESPN Sunday Countdown say, “Come on, man!” I’m sure this won’t make me many friends within Big Yellow. But I’m not too worried about that. If I were looking for friends I’d get a dog. I can only hope some astute security marketing person will learn that using APT in this context doesn’t help you sell products – it makes you look like an ass. And that’s all I have to say about that. Share:

Share:
Read Post

Incite 5/4/2011: Free Agent Status Enabled

Last weekend was a little oasis in the NFL desert that has been this offseason. It looked like there would be court-ordered peace, now maybe not so much. The draft reminded me of the possibilities of the new season, at least for a little while. One of the casualties of this non-offseason has been free agency. You know, where guys who have put in their time shop their services to the highest bidder. It’s not a lot different in the workforce. What most folks don’t realize is that everyone is a free agent. At all times. My buddy Amrit has evidently been liberated from his Big Blue shackles. Our contributor Dave Lewis also made the break. Both announced “Free Agent Status Engaged.” But to be clear, no one forced either guy to go to work at their current employer each day. They were not restricted (unless a heavy non-compete was in play) from taking a call from a recruiter and working for someone else. That would be my definition of free agency, anyway. But that mentality doesn’t appear to be common. When I first met Dave Shackleford, he was working for a reseller here in ATL. Then he moved over to the Center for Internet Security and we worked together on a project for them. I was a consultant, but he made it clear that he viewed himself as a consultant as well. In fact, regardless of whether he’s working on a contract or a full-time employee, Dave always thinks of himself as a consultant. Which is frickin’ brilliant. Why? Because viewing yourself as a consultant removes any sense of entitlement. Period. Consultants always have to prove their value. Every project, every deliverable, every day. When things get tight, the consultants are the first to go. Fail to execute flawlessly and add sufficient value, and you won’t be asked back. That kind of mindset seems useful regardless of job classification, right? Consultants also tend to be good at building relationships and finding champions. They get face time and are always looking for the next project to sink their teeth into. They actively manage their careers because no one else is going to do that for them. Again, that seems like a pretty good approach even inside an organization. Either you are managing your career or it is managing you. Which do you prefer? As happy as I am for Amrit and Dave as they embark on the next step of their journeys, I wish more folks would consider themselves perpetual free agents and start acting that way. And it’s not necessarily about always looking for a bigger and better deal. It’s about being in a position to choose your path, not have it chosen for you. -Mike Incite 4 U This is effective? I saw a piece on being an “effective security buyer” by Andreas Antonopoulos and I figured it was about managing the buying process. Like my eBook (PDF) on the topic. But no, it’s basically what to buy, and I have some issues with his guidance. Starting from the first, “never buy a single-purpose tool.” Huh? Never? I say you get leverage where you can, but there are some situations where you have to solve a single problem, with a single control. To say otherwise is naive. Andreas also talks about standards, which may or may not be useful depending on the maturity of what you are buying. Early products, to solve emerging problems, don’t know dick about standards. There are no standards at that point. And even if there are, I’d rather get stuff that works than something that plays with some arbitrary standard. But that’s just me. To be fair, there is some decent stuff in here, but as always: don’t believe everything you read. – MR Game over, man! Sony is on track to win the award for most fscked-up breach response of 2011. Any time you have to take your entire customer network down for two weeks, it’s bad. Telling 77 million customers their data might be compromised? Even worse. And 10 million of them might have had their credit cards compromised? Oh, joy. But barely revealing any information, and saying things like “back soon”? Heh. Apparently it’s all due to SQL injection? Well, I sure hope for their sake it was more complex than xp_cmdshell. But let’s be honest: there are some cultural issues at play here, and a breach of this magnitude is no fun for anyone. – RM ePurse chaser: eWallets are the easy part of mobile payment security. The wallet is the encrypted container where we store credit cards, coupons, signatures, and other means of identification. The trouble is in authenticating who is accessing the wallet. Every wallet has some form of an API to authenticate requests, and then return requested wallet contents to requesting applications. What worries me with the coming ‘eWallet revolution’ (which, for the record, started in 1996) is not the wallets themselves, but how financial institutions want to use them: direct access to point of sale devices through WiFi, Bluetooth, proximity cards, and other near-field technologies. Effectively, your phone becomes your ATM card. But rather than you putting your card into an ATM, near-field terminals communicate with your phone whenever you are ‘near’. See any problems with that? Ever had to replace your credit card because the number was ‘hacked’? Ever have to change your password because it was ‘snooped’ at Starbucks? Every near-field communication medium becomes a new attack vector. Every device you come into contact with has the ability to probe for weakness. The scope of possible damage escalates when you load arbitrary billing and payment to the phone. And what happens when the cell is cloned and your passwords are discovered through a – possibly unrelated – breach? It’s not that we don’t want financial capabilities on the phone – it’s that users need a one-to-one relationship with the bank to reduce exposure. – AL Mac users: BOO! A new version of scareware

Share:
Read Post

Standards: Should You Care? (Probably Not)

I just wrote up my portions of tomorrow’s Incite, and talked a bit about the importance of standards in product selection. But it’s hard to treat cogently in 30 words, so let me dig into it a bit more here. Mostly because of prevailing opinion on the importance of standards, and to what degree standards support should be a key selection criteria. From the news angle, our pals at the Cloud Security Alliance are driving down the standards path, recently partnering with the ISO to get some standards halo on the CSA Guidance. Selfishly, I’m all for it, mostly because wide acceptance of the CSA Guidance means more demand for the CCSK certification. That means more demand for CCSK training, which Securosis is building. So from that perspective it’s all good. (Note: Our next CCSK training class will be June 8-9 in San Jose, taught by Rich and Adrian.) But if I can see through my own selfish economically driven haze, let’s take a step back to understand where standards matter and where they don’t. Just thinking out loud, here goes: Mature markets: Standards matter in mature markets and mature products. In these, you will likely need to support a heterogeneous environment, because buying criteria are more about price/TCO than functionality. So being able to deal with standard interfaces and protocols to facilitate interoperability is a good thing. Risk averse cultures: Yes, this goes hand in hand with mature markets. Most risk-averse organizations aren’t buying early market products (before standards have gelled), but when they do, if a product does support a “standard,” it reduces their perceived risk. This is what the CSA initiative is about. Folks want legitimacy, and for many people legitimacy = standards. I’m hard pressed to find other situations where standards matter. Did I miss one (or many)? Let me know in the comments. As I tried to describe, standards don’t matter when dealing with emerging threats, where people are still figuring out the best way to solve the problem. Standards also don’t matter if a company tends to buy everything from a single vendor – assuming the vendor actually integrates their stuff, which isn’t a safe assumption (ahem, Big Yellow, ahem. Cough. Barf.) And vendors tend to push their proprietary technology through a standards process for legitimacy. Obviously if the vendor can say their technology is in the process of being standardized, it reduces perceived risk. But the unfortunate truth is that by the time any technology works its way through the standards process, the game has already changed. Twice. So keep that in mind when you are preparing those fancy RFPs asking for all kinds of standards support. Are you asking because you need it, or to reduce your risk? Or maybe just to give the vendor a hard time, which I’m cool with. Share:

Share:
Read Post

Incite 4/27/2011: Just Write

All I wanted to do on Monday night was go to sleep. I had a flight in the morning and thought it would be a good idea to get some rest. So I sit down with the Boss and we catch up on the day, discuss some tactics to deal with issues the kids face, and I’m ready to hit the rack. Then I notice she’s watching a movie called One Week (Netflix streaming FTW) where basically a guy is given a week to live and sets off on a cross-Canada jaunt on a motorcycle to discover himself, meet some interesting people, and do stuff that happens in movies. Movie trap, awesome. 90 minutes later, we start discussing the movie and she asks me point blank, “what would you do?” Crap, hate that question. I start thinking about the right answer, and then unconsciously I blurt out, “I’d write. A lot.” Wow. I’m given a week (or whatever) to live and my first thought is to write. Not travel. Not do exciting things. But write. Huh. She then asks why. I respond that I’ve been to lots of places. I’ve done some fairly interesting things. So, I don’t have a great desire to see places or check items off some bucket list. Of course that doesn’t mean I don’t want to see more places and do more things. But if I had to really prioritize given a very limited amount of time, I’d focus on teaching – which for me means writing. I like to think I’ve learned a bunch of stuff (mostly by screwing it up), and I’d want to document that. I figure my road rash and stories would be useful to my kids. But maybe other folks too. Or maybe that’s just my arrogance talking. I’d write about the stuff I’ve screwed up. I’d write about the stuff I’ve done right. I’d write about the stuff I’d do differently (which wouldn’t be much, by the way). I’d focus on the importance of relationships, and the unimportance of collecting things. And I’d make sure the people I care about had something to remember me. I’ve got a face made for radio, so I’d write. Then I thought about how lucky I was. If I had a week to live, I’d write. Which, by the way, is pretty much what I do every day. I try to impart some wisdom through each week’s Incite. And our other research all strives to relay the perspectives we build through our travels, hoping it’s all useful to someone. The topics would be a bit different with a different sort of deadline – pun intended. But the tactics wouldn’t. Very interesting. Then something utterly profound happened. My wife said, “You know, you don’t have to wait to get a death sentence to write that kind of stuff.” Holy crap. She’s right. Sure, life gets in the way, but those are just excuses. Obviously I’ll need to work around my day job a bit, but what the hell am I waiting for? Just write. I think I will. It’s going to be an interesting summer. -Mike Photo credits: “Seven Days” originally uploaded by Laurie Pink Incite 4 U Security = Money (again): It appears that investor interest is swinging back to security. I guess that’s inevitable, if you wait long enough. A couple weeks ago Bit9 raised $12.5MM and Verdasys raised another $15MM. That kind of money, primarily from existing investors, typically means they think they’ll get good multiples on the investment. They invest much less when they are just trying to keep a company on life support. And it even seems the IPO market could be receptive to security deals. TrustWave filed an S1 with the SEC this week and you’d expect a couple of the other high profile start-ups or private equity buyouts from the last few years to test the waters at some point. The fundamentals for continued growth in security remain good. The question is whether smaller companies can sustain growth long enough to find an upstream partner, since that’s how this movie ends regardless of whether there is an IPO somewhere in there. Some will, most won’t, and the pendulum will swing back and forth. It always does. – MR Someone needs a carder’s union: I’m going to be pretty annoyed if there isn’t any NFL this fall, and I know Mike will too. I couldn’t give a crud about baseball, but I do enjoy my Sunday football. But I have to respect the rights of the player’s union, even if I don’t like their (or the owners’) tactics. I’m not the biggest fan of unions, but can admit that in certain industries we still need them. Take carders (the credit card fraudsters). One poor bloke plead guilty to fraud involving $36M in transactions. That’s a pretty good take, right? Well, he only earned somewhere around $150K, which is only .4%. That’s a downright crappy margin. He’d be better off opening a convenience store, where at least the margins are 2-5%. Plus he has to make reparations for at least some of the $36M lost to fraud. Seriously, dude – call the Teamsters. No way would they put up with .4%, and maybe they could get you some health and retirement benefits. – RM I see you: I was not surprised that MLB programming on Apple TV would not allow me to view certain games, but I was surprised that my location was not based on my registered address – instead it’s based upon the Apple TV’s uplink IP address (assigned by the ISP). Geolocation from IP and gateway has certainly been a hot feature for service providers over the last couple years, with vendors such as PayPal factoring location into fraud detection. This capability continues to evolve, with Northwestern University recently claiming they can pinpoint user locations within half a mile. Their methodology uses a combination of known locations/IP addresses of major landmarks and government buildings, then compares

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.