A couple days ago I was talking with the masters swim coach I’ve started working with (so I will, you know, drown less) and we got to that part of the relationship where I had to tell him what I do for a living.

Not that I’ve ever figured out a good answer to that questions, but I muddled through.

Once he found out I worked in infosec he started ranting, as most people do, about all the various spam and phishing he has to deal with. Aside from wondering why anyone would run those scams (easily answered with some numbers) he started in on how much of a pain in the ass it is to do anything online anymore.

The best anecdote was asking his wife why there were problems with their Bank of America account. She gently reminded him that the account is in her name, and the odds were pretty low that B of A would be emailing him instead of her.

When he asked what he should do I made sure he was on a Mac (or Windows 7), recommended some antispam filtering, and confirmed that he or his wife check their accounts daily.

I’ve joked in the past that you need the equivalent of a black belt to survive on the Internet today, but I’m starting to think it isn’t a joke. The majority of my non-technical friends and family have been infected, scammed, or suffered fraud at least once. This is just anecdote, which is dangerous to draw assumptions from, but the numbers are clearly higher than people being mugged or having their homes broken into. (Yeah, false analogy – get over it).

I think we only tolerate this for three reasons:

  1. Individual losses are still generally low – especially since credit cards losses to a consumer are so limited (low out of pocket).
  2. Having your computer invaded doesn’t feel as intrusive as knowing someone was rummaging through your underwear drawer.
  3. A lot of people don’t notice that someone is squatting on their computer… until the losses ring up.

I figure once things really get bad enough we’ll change. And to be honest, people are a heck of a lot more informed these days than five or ten years ago.

  • On another note we are excited to welcome Gunnar Peterson as our latest Contributing Analyst! Gunnar’s first post is the IAM entry in our week-long series on security commoditization, and it’s awesome to already have him participating in research meetings.
  • And on yet another note it seems my wife is more than a little pregnant. Odds are I’ll be disappearing for a few weeks at some random point between now and the first week of September, so don’t be offended if I’m slow to respond to email.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

  • Gunnar: Anton Chuvakin in depth SIEM Use Cases. Written from a hands on perspective, covers core SIEM workflows inlcuding Server user activity monitoring, Tracking user actions across systems, firewall monitoring (security + network), Malware protection, and Web server attack detection. The Use Cases show the basic flows and they are made more valuable by Anton’s closing comments which address how SIEM enables Incident Response activities.
  • Adrian Lane: FireStarter: Why You Care about Security Commoditization. Maybe no one else liked it, but I did.
  • Mike Rothman: The Yin and Yang of Security Commoditization. Love the concept of “covering” as a metaphor for vendors not solving customer problems, but trying to do just enough to beat competition. This was a great series.
  • Rich: Gunnar’s post on the lack of commoditization in IAM. A little backstory – I was presenting my commoditization thoughts on our internal research meeting, and Gunnar was the one who pointed out that some markets never seem to reach that point… which inspired this week’s series.

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to ken rutsky, in response to FireStarter: Why You Care about Security Commoditization.

Great post. I think that the other factor that plays into this dynamic is the rush to “best practices” as a proxy for security. IE, if a feature is perceived as a part of “best practices”, then vendors must add for all the reasons above. Having been on the vendor side for years, I would say that 1 and 3 are MUCH more prevalent than 2. Forcing upgrades is a result, not a goal in my experience.

What does happen, is that with major releases, the crunch of features driven by Moore’s law between releases allows the vendor to bundle and collapse markets. This is exactly what large vendors try to do to fight start ups. Palo Alto was a really interesting case (http://marketing-in-security.blogspot.com/2010/08/rose-by-any-other-name-is-still.html?spref=fb) because they came out with both a new feature and a collapse message all at once, I think this is why they got a good amount of traction in a market that in foresight, you would have said they would be crazy to enter…