Research

We have written a lot about Oracle’s acquisition of Secerno: the key points of the acquisition, the Secerno technology, and some of the business benefits Oracle gets with the Secerno purchase. We did so mainly because Database Activity Monitoring (DAM) is a technology that Rich and I are intimately familiar with, and this acquisition shakes up the entire market. But we suspect there is more. Rich and I have a feeling that this purchase signals Oracle’s mid-term security strategy, and the Secerno platforms will comprise the key component. We don’t have any inside knowledge, but there are too many signals to go unnoticed so we are making a prediction, and our analysis goes something like this: Quick recap: Oracle acquired a Database Activity Monitoring vendor, and immediately marketed the product as a database firewall, rather than a Database Activity Monitoring product. What Oracle can do with this technology, in the short term, is: “White list” database queries. Provide “virtual patching” of the Oracle database. Monitor activity across most major relational database types. Tune policies based on monitored traffic. Block unwanted activity. Offer a method of analysis with few false positives. Does any of this sound familiar? What if I changed the phrase “white list queries” to “white list applications”? If I changed “Oracle database” to “Oracle applications”? What if I changed “block database threats” to “block application threats”? Does this sound like a Web Application Firewall (WAF) to you? Place Secerno in front of an application, add some capabilities to examine web app traffic, and it would not take much to create a Web Application Firewall to complement the “database firewall”. They can tackle SQL injection now, and provide very rudimentary IDS. It would be trivial for Oracle to add application white listing, HTML inspection, and XML/SOAP validation. Down the road you could throw in basic XSS protections and can call it WAF. Secerno DAM, plus WAF, plus the assessment capabilities already built into Oracle Management Packs, gives you a poor man’s version of Imperva. Dude, you’re getting a WAF! We won’t see much for a while yet, but when we do, it will likely begin with Oracle selling pre-tuned versions of Secerno for Oracle Applications. After a while we will see a couple new analysis options, and shortly thereafter we will be told this is not WAF, it’s better than WAF. How could these other vendors possibly know the applications as well as Oracle? How could they possibly protect them as accurately or efficiently? These WAF vendors don’t have access to the Oracle applications code, so how could they possibly deliver something as effective? We are not trying to be negative here, but we all know how Oracle markets, especially in security: Oracle is secure – you don’t need X. All vendors of X are irresponsible and beneath consideration. Oracle has purchased vendor Y in market X because Oracle cares about the security of its customers. Oracle is the leading provider of X. Buying anything other than Oracle’s X is irresponsible because other vendors use undocumented APIs and/or inferior techniques. Product X is now part of the new Oracle Suite and costs 50% more than before, but includes 100% more stuff that you don’t really need but we couldn’t sell stand-alone. OK, so we went negative. Send your hate mail to Rich. I’ll field the hate mail from the technologists out there who are screaming mad, knowing that there is a big difference between WAF policies and traffic analysis and what Secerno does. Yes and no, but it’s irrelevant from a marketing standpoint. For those who remember Dell’s “Dude” commercials from the early 2000s, they made buying a computer easy and approachable. Oracle will do the same thing with security, making the choice simple to understand, and covering all their Oracle assets. They’d be crazy not to. Market this as a full-featured WAF, blocking malicious threats with “zero false positives”, for everything from Siebel to 11G. True or not, that’s a powerful story, and it comes from the vendor who sold you half the stuff in your data center. It will win the hearts of the security “Check the box” crowd in the short term, and may win the minds of security professionals in the long term. Do you see it? Does it make sense? Tell me I am wrong! Share:

Hey everyone, As mentioned the other day, I’m currently putting together a big data security survey to better understand what data security technologies you are using, and how effective they are. I’ve gotten some excellent feedback in the comments (and a couple of emails), and have put together a draft survey for final review before we roll this out. A couple things to keep in mind if you have the time to take a look: I plan on trimming this down more, but I wanted to err on the side of including too many questions/options rather than too little. I could really use help figuring out what to cut. Everyone who contributes will be credited in the final report. After a brief bit of exclusivity (45 days) for our sponsor, all the anonymized raw data will be released to the community so you can perform your own analysis. This will be in spreadsheet format, just the same as I get it from SurveyMonkey. The draft survey is up at SurveyMonkey for review, because it is a bit too hard to replicate here on the site. To be honest, I almost feel like I’m cheating when I develop these on the site with all the public review, since the end result is way better than what I would have come up with on my own. Hopefully giving back the raw data is enough to compensate all of you for the effort. Share:

Endpoint Security is a pretty broad topic. Most folks associate it with traditional anti-virus or even the newfangled endpoint security suites. In our opinion, looking at the issue just from the perspective of the endpoint agent is myopic. To us, endpoint security is as much a program as anything else. In this paper we discuss endpoint security from a fundamental blocking and tackling perspective. We start with identifying the exposures and prioritizing remediation, then discuss specific security controls (both process and product), and also cover the compliance and incident response aspects. It’s a pretty comprehensive paper, which means it’s not short. But if you are trying to understand how to comprehensively protect your endpoint devices, this paper will provide a great perspective and allow you to put all your defenses into context. We assembled this document from the Endpoint Security Fundamentals series posted to the blog in early April, all compiled together, professionally edited, and prettified. Special thanks to Lumension Security for licensing the report. You can download the paper directly (PDF), or visit the landing page, where you can leave comments or criticism, and track revisions. Share:

They say the grass is always greener on the other side, and I guess for some folks it is. Most private companies (those which believe they have sustainable businesses, anyway) long for the day when they will be able to trade on the public markets. They know where the Ferrari deal is, and seem to dismiss the angst of Sarbanes-Oxley. On the other hand, most public companies would love the freedom of not having to deal with the quarterly spin cycle and those pesky shareholders who want growth now. Two examples in the security space show the pendulum in action this week. First is Tripwire’s IPO filing. I love S-1 filings because companies must bare their innards to sell shares to public investors. You get to see all sorts of good stuff, like the fact that Tripwire has grown their business 20-30% annually over the past few years. They’ve been cash flow positive for 6 years, and profitable for the last two (2008 & 2009), although they did show a small loss for Q1 2010. Given the very small number of security IPOs over the past few years, it’s nice to see a company with the right financial momentum to get an IPO done. But as everyone who’s worked for a public company knows, it’s really about growth – profitable growth. Does 20-30% growth on a fairly small revenue base ($74 million in 2009) make for a compelling growth story? And more importantly for company analysis, what is the catalyst to increase that growth rate? In the S-1, Tripwire talks about expanding product offerings, growing their customer base, selling more stuff to existing customers, international growth, government growth, and selective M&A as drivers to increase the top line. Ho-hum. From my standpoint, I don’t see anything that gets the company from 20% growth to 50% growth. But that’s just me, and I’m not a stock analyst. Being publicly listed will enable Tripwire to do deals. They did a small deal last year to acquire SIEM/Log Management technology, but in order to grow faster they need to make some bolder acquisitions. That’s been an issue with the other public security companies that are not Symantec and McAfee – they don’t do enough deals to goose growth enough to make the stock interesting. With Tripwire’s 5,400 customers, you’d figure they’ll make M&A and pumping more stuff into their existing base a key priority once they get the IPO done. On the other side of the fence, you have SonicWall, which is being taken private by Thoma Bravo Group and a Canadian pension fund. The price is $717 million, about a 28% premium. SonicWall has been public for a long time and has struggled of late. Momentum seems to be returning, but it’s not going to be a high flyer any time soon. So the idea of becoming private, where they only have to answer to their equity holders, is probably attractive. This is more important in light of SonicWall’s new push into the enterprise. They are putting a good deal of wood behind this Project SuperMassive technology architecture, but breaking into the enterprise isn’t a one-quarter project. It requires continual investment, and public company shareholders are notoriously impatient. SonicWall was subject to all sorts of acquisition rumors before this deal, so it wouldn’t be surprising to see Thoma Bravo start folding other security assets in with SonicWall to make a subsequent public offering, a few years down the line, more exciting. So the pendulum swings back and forth again. You don’t have to be Carnac the Magnificent to figure there will be more deals, with the big getting bigger via consolidation and technology acquisitions. You’ll also likely see some of the smaller public companies take the path of SafeNet, WatchGuard, Entrust, Aladdin, and now SonicWall, in being taken private. The only thing you won’t see is nothing. The investment bankers have to keep busy, don’t they? Share:

There’s nothing like a crisis to bring out the absolute stupidity in a person… especially if said individual works for a big company or government agency. This week alone we’ve had everything from the ongoing BP disaster (the one that really scares me) to the Israeli meltdown. And I’m sure Sarah Palin is in the mix there someplace. Crisis communications is an actual field of study, with many examples of how to manage your public image even in the midst of a major meltdown. Heck, I’ve been trained on it as part of my disaster response work. But it seems that everyone from BP to Gizmodo to Facebook is reading the same (wrong) book: Deny that there’s a problem. When the first pictures and videos show up, state that there was a minor incident and you value your customers/the environment/the law/supporters/babies. Quietly go to full lockdown and try to get government/law enforcement to keep people from finding out more. When your lockdown attempts fail, go public and deny there was ever a coverup. When pictures/video/news reports show everyone that this is a big fracking disaster, state that although the incident is larger than originally believed, everything is under control. Launch an advertising campaign with a lot of flowers, babies, old people, and kittens. And maybe some old black and white pictures with farms, garages, or ancestors who would be the first to string you up for those immoral acts. Get caught on tape or in an email/text blaming the kittens. Try to cover up all the documentation of failed audits and/or lies about security and/or safety controls. State that you are in full compliance with the law and take safety/security/fidelity/privacy/kittens very seriously. As the incident blows completely out of control, reassure people that you are fully in control. Get caught saying in private that you don’t understand what the big deal is. It isn’t as if people really need kittens. Blame the opposing party/environmentalists/puppies/you business partners. Lie about a bunch of crap that is really easy to catch. Deny lying, and ignore those pesky videos showing you are (still) lying. State that your statements were taken out of context. When asked about the context, lie. Apologize. Say it will never happen again, and that you would take full responsibility, except your lawyers told you not to. Repeat. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike Rothman on Tabnapping at SC Magazine. The Network Security Podcast, Episode 199. Rich presented on Data Breaches for whitehatworld.com; it should show up on their archive page soon. Favorite Securosis Posts Rich: NSO Quant: Monitor Process Map. These Quant projects keep getting bigger each time we do one, but it’s nice to do some real primary research. Adrian Lane: The Hidden Costs of Security. Mike Rothman: Understanding and Selecting SIEM/LM: Correlation and Alerting. We are working through the SIEM/Log Management research. Check it out and provide comments, whether you agree or disagree with our perspectives. Other Securosis Posts The Public/Private Pendulum Keeps Swinging. White Paper Released: Endpoint Security Fundamentals. Thoughts on Privacy and Security. Incite 6/2/2010: Smuggler’s Blues. On “Security engineering: broken promises”. FireStarter: In Search of… Solutions. Favorite Outside Posts Rich: Inside the heart of a QSA. As much as we complain about bad PCI assessors are, the good ones often find themselves struggling with organizations that only want a rubber stamp. The bad news is there are very few jobs that don’t end up being driven by rote over time. That’s why I like security – it is one of the few careers with options to refresh yourself every few years.. Pepper: Android rootkit is just a phone call away. It’s actually triggered by a call, not installed by one, but still very cool – in a bad way. Adrian Lane: Detecting malicious content in shell code. Mike Rothman: Windows, Mac, or Linux: It’s Not the OS, It’s the User The weakest link in the chain remains the user. But we can’t kill them, so we need to deal with them. Project Quant Posts DB Quant: Secure Metrics, Part 1, Patch. NSO Quant: Monitor Process Map. DB Quant: Discovery Metrics, Part 4, Access and Authorization. DB Quant: Discovery and Assessment Metrics, Part 3, Assess Vulnerabilities and Configuration. Research Reports and Presentations White Paper: Endpoint Security Fundamentals. Understanding and Selecting a Database Encryption or Tokenization Solution. Low Hanging Fruit: Quick Wins with Data Loss Prevention. Top News and Posts MS plans 10 new patches. Sharepoint and IE are the big ones. Cyber Thieves Rob Treasury Credit Union. Ukrainian arrested in India on TJX data-theft charges These incidents go on for years, rather than days or even months. iPhone PIN code worthless Rich published on this a long time ago, and while it was a known flaw, the automounting on Ubuntu is new and disturbing. Previously it looked like you had to jailbreak the iPhone first. Viral clickjacking ‘Like’ worm hits Facebook users. ATM Skimmers. Another installment from Brian Krebs on ATM Skimmers. 30 vs. 150,000 Adam teaches Applied Risk Assessment 101. Trojan targets Anti-Phish software. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Michael O’Keefe, in response to Code Re-engineering. Re-engineering can work, Spolsky inadvertently provides a great example of that, and proves himself wrong. I guess that’s the downside to blogs, and trying to paint things in a black or white manner. He had some good points, one was that when Netscape open sourced the code, it wasn’t working, so the project got off to a slow start. But the success of Mozilla (complete rewrite of Netscape) has since proved him wrong. Once Bill Gates realized the importance of the internet, and licensed the code from Spyglass (I think) for IE, MS started including it on every new release of Windows. In this typical fashion, they slowly whittled away at Netscape’s market share, so Netscape had to innovate. The existing code base was

Given the craziness of my schedule, I don’t see a lot of movies in the theater anymore. Hard to justify the cost of a babysitter for a movie, when we can sit in the house and watch movies (thanks, Uncle Netflix!). But the Boss does take the kids to the movies because it’s a good activity, burns up a couple hours (especially in the purgatory period between the end of school and beginning of camp), and most of the entertainment is pretty good. Though it does give me some angst to see two credit card receipts from every outing. The first is the tickets, and that’s OK. The movie studios pay lots to produce these fantasies, so I’m willing to pay for the content. It’s the second transaction, from the snack bar, that makes me nuts. My snack bar tab is usually as much as the tickets. Each kid needs a drink, and some kind of candy and possibly popcorn. All super-sized, of course. And it’s not even the fact that we want to get super sizes of anything. That’s the only option. You can pay $4 for a monstrous soda, which they call small. Or $4.25 for something even bigger. If you can part with $4.50, then you get enough pop to keep a village thirst-free for a month. And don’t get me started on the popcorn. First of all, I know it’s nutritionally terrible. They may use different oil now, but in the portions they sell, you could again feed a village. But don’t think the movie theaters aren’t looking out for you. If you get the super-duper size, you get free refills of both popcorn and soda. Of course, you’d need to be the size of an elephant to knock down more than two gallons of soda and a feedbag of popcorn, but at least they are giving something back. So we’re been trying something a bit different, born of necessity. The Boss can’t eat the movie popcorn due to some food allergies, so she smuggles in her own popcorn. And usually a bottle of water. You know what? It works. It’s not like the 14 year old ticket attendant is going to give me a hard time. I know, it’s smuggling, but I don’t feel guilty at all. I’d be surprised if the monstrous soda cost the theater more than a quarter, but they charge $4. So I’m not going to feel bad about sneaking in a small bag Raisinettes or Goobers with a Diet Coke. I’ll chalk it up to a healthy lifestyle. Reasonable portions and lighter on my wallet. Sounds like a win-win to me. – Mike. Photo credits: “Movie Night Party” originally uploaded by Kid’s Birthday Parties Incite 4 U Follow the dollar, not the SLA – Great post by Justin James discussing the reality of service level agreements (SLAs). I know I’ve advised many clients to dig in and get preferential SLAs to ensure they get what they contract for, but ultimately it may be cheaper for the service provider to violate the SLA (and pay the fine) than it is to meet the agreement. I remember telling the stories of HIPAA compliance, and the reality that some health care organizations faced millions of dollars of investment to get compliant. But the fines were five figures. Guess what they chose to do. Yes, Bob, the answer was roll the dice. Same goes for SLAs, so there are a couple lessons here. 1) Try to get teeth in your SLA. The service provider will follow the money, so if the fine costs them more, they’ll do the right thing. 2) Have a Plan B. Contingencies and containment plans are critical, and this is just another reason why. When considering services, you cannot make the assumption that the service provider will be acting in your best interest. Unless your best interest is aligned with their best interest. Which is the reality of ‘cloud’. – MR It just doesn’t matter – I’m always pretty skeptical of poorly sourced articles on the Internet, which is why the Financial Times report of Google ditching Microsoft Windows should be taken with a grain of salt. While I am sometimes critical of Google, I can’t imagine they would really be this stupid. First of all, at least some of the attacks they suffered from China were against old versions of Windows – as in Internet Explorer 6, which even isolated troops of Antarctic chimpanzees know not to touch. Then, unless you are running some of the more-obscure ultra-secure Unix variants, no version of OS X or Linux can stand up to a targeted attacker with the resources of a nation state. Now, if they want some diversity, that’s a different story, but the latest versions of Windows are far more hardened than most of the alternatives – even my little Cupertino-based favorite.– RM Hack yourself, even if it’s unpopular… – I’ve been talking about security assurance for years. Basically this is trying to break your own defenses and seeing where the exposures are, by any means necessary. That means using live exploits (with care) and/or leveraging social engineering tactics. But when I read stories like this one from Steve Stasiukonis where there are leaks, and the tests are compromised, or the employees actually initiate legal action against the company and pen tester, I can only shake my head. Just to reiterate” the bad guys don’t send message to the chairman saying “I IZ IN YER FILEZ, READIN YER STUFFS!” They don’t worry about whether their tactics are “illegal human experiments,” they just rob you blind and pwn your systems. Yes, it may take some political fandango to get the right folks on board with the tests, but the alternative is to clean up the mess later. – MR Walk the walk – A while back we were talking about getting started in security over at The Network Security Podcast, and one bit of consensus was that you should try

I was catching up on my reading today, and this post by Richard Bejtlich reminded me of the tension we sometimes see between security and privacy. Richard represents the perspective of a Fortune 5 security operator who is tasked with securing customer information and intellectual property, while facing a myriad of international privacy laws – some of which force us to reduce security for the sake of privacy (read the comments). I’ve always thought of privacy from a slightly different perspective. Privacy traditionally falls into two categories: The right to be left alone (just ask any teenage boy in the bathroom). The right to control what people know about you. According to the dictionary on my Mac, privacy is: the state or condition of being free from being observed or disturbed by other people : she returned to the privacy of her own home. My understanding is that it is only fairly recently that we’ve added personal information into the mix. We are also in the midst of a massive upheaval of social norms enabled by technology and the distribution and collection of information that changes the scope of “free from being observed.” Thus, in the information age, privacy is now becoming as much about controlling information about us as it is about physical privacy. Now let’s mix in security, which I consider a mechanism to enforce privacy – at least in this context. If we think about our interactions with everyone from businesses and governments to other individuals, privacy consists of three components: Intent: What I intend to do with the information you give me, whether it is the contents of a personal conversation or a business transaction. Communication: What I tell you I intend to do with said information. Capability: My ability to maintain and enforce the social (or written) contract defined by my intent and communications. Thus I see security as a mechanism of capability. The role of “security” is to maintain whatever degree of protection around personal information the organization intends and communicates through their privacy policy – which might be the best or worst in the world, but the role of security is to best enforce that policy, whatever it is. Companies tend to get into trouble either when they fail to meet their stated policies (due to business or technical/security reasons), or when their intent is incompatible with their legal requirements. This is how I define privacy on the collection side – but it has nothing to do with protecting or managing your own information, nor does it address the larger societal issues such as changing ownership of information, changing social mores, changes in personal comfort over time, or collection of information in non-contracted situations (e.g., public movement). The real question then emerges: is privacy even possible? As Adam Shostack noted, our perceptions of privacy change over time. What I deem acceptable to share today will change tomorrow. But once information is shared, it is nearly impossible to retract. Privacy decisions are permanent, no matter how we may feel about them later. There is no perfect security, but once private information becomes public, it is public forever. Isolated data will be aggregated and correlated. It used to require herculean efforts to research and collect public records on an individual. Now they are for sale. Cheap. Online. To anyone. We share information with everyone, from online retailers, to social networking sites, to the blogs we read. There is no way all of these disparate organizations can effectively protect all our information, even if we wanted them to. Privacy decisions and failures are sticky. I believe we are in the midst of a vast change in our how society values and defines privacy – one that will evolve over years. This doesn’t mean there’s no such thing as privacy, but does mean that today we do lack consistent mechanisms to control what others know about us. Without perfect security there cannot be complete privacy, and there is no such thing as perfect security. Privacy isn’t dead, but it is most definitely changing in ways we cannot fully predict. My personal strategy is to compartmentalize and use a diverse set of tools and services, limiting how much any single one collects on me. It’s probably little more than privacy theater, but it helps me get through the day as I stroll toward an uncertain future. Share:

Continuing our discussion of core SIEM and Log Management technology, we now move into event correlation. This capability was the holy grail that drove most investment in early SIEM products, and probably the security technology creating the most consistent disappointment amongst its users. But ultimately the ability to make sense of the wide variety of data streams, and use them to figure out what is under attack or compromised, is essential to any security practice. This means that despite the disappointments, there will continue to be plenty of interest in correlation moving forward. Correlation Defining correlation is akin to kicking a hornet’s nest. It immediately triggers agitated debates because there are several published definitions and every expert has their favorite. As usual, we need to revisit the definitions and level-set, not to create controversy (though that tends to happen), but to make things easy to understand. As we search for a pragmatic definition, we need to simplify concepts to make subjects understandable to a wider audience at the expense of precision. We understand our community is not a bunch of shrinking violets, so we welcome your comments and suggestions to make our research more relevant. Let’s get back to the end-user problem driving SIEM and log management. Ultimately the goal of this technology is to interpret security-related data to improve security, increase efficiency, and/or document security controls. If a single file contained all the information required for security analysis, we would not bother with the collection and association of events from multiple sources. The truth is that each log or event contains a piece of information, which forms part of the puzzle, but lacks context necessary to analyze the big picture. In order to make meaningful decisions about what is going on with our applications and within our network, we need to combine events from different sources. Which events we want, and what pieces of data from those events we need, vary based on the problem we are trying to solve. So what is correlation? Correlation is the act of linking multiple events together to detect strange behavior. It is the association of different but related events to provide broader context than a single event can provide. Keep in mind that we are using a broad definition of ‘event’ because as the breadth of analysis increases, data may expand beyond traditional events. Seems pretty simple, eh? Let’s look at an example of how correlation can help achieve one of our key use cases: increasing the efficiency of the security team. In this case an analyst gets events from multiple locations and device types (and/or applications), and is expected to figure out whether there is an issue. The attacker might first scan the perimeter and then target an externally facing web server with a series of known exploits. Upon successfully compromising the web server, the attacker sets up a new user account and start scanning internally to find more exploitable hosts. The data is available to catch this attack, but not in a single place. The firewalls see the initial scans. The IDS/IPS sees the series of exploits. And the user directory sees the new account on the compromised server. The objective of correlation is to see all these events come through and recognize that the server has been compromised and needs immediate attention. Easy in concept, very hard in practice. Historically, the ability to do near real time analysis and event correlation was one of the ways SIEM differed from log management, although the lines continue to blur. Most of the steps we have discussed so far (collecting data, then aggregating and normalizing it) help isolate the attributes that link events together to make correlation possible. Once data is in manageable form we apply rules to detect attacks and misuse. These rules are comprised of the granular criteria (e.g., specific router, user account, time, etc.), and determine if a series of events reaches a threshold requiring corrective action. But the devil is in the details. The technology implements correlation as a linear series of events. Each comparison may be a simple case of “if X=Y, then” do something else, but we may need to string several of these comparisons together. Second, note that correlation is built on rules for known attack patterns. This means we need some idea of what we are looking for to create the correlation rules. We have to understand attack patterns or elements of a compliance requirement in order to determine which device and event types should be linked. Third, we have to factor in the time factor, because events do not happen simultaneously, so there is a window of time within which events are likely to be related. Finally the effectiveness of correlation also depends on the quality of data collection, normalization, and tagging or indexing of information to feed the correlation rules. Development of rules takes time and understanding, as well as ongoing maintenance and tuning. Sure, your vendor will provide out-of-the-box policies to help get you started, but expect to invest significant time into tweaking existing rules for your environment, and writing new policies for security and compliance to keep pace with the very dynamic security environment. Further complicating matters: more rules and more potentially-linked events to consider increase computational load exponentially. There is a careful balancing act to be performed between the number of policies to implement, the accuracy of the results, and the throughput of the system. These topics may not immediately seem orthogonal, but generic rules detect more threats at a cost of more false positives. The more specific the rule, and the more precisely tailored to find specific threats, the less it will find new problems. This is the difficulty in getting correlation working effectively in most environments. As described in the Network Security Fundamentals series, it’s important to define clear goals for any correlation effort and stay focused on them. Trying to boil the ocean always yields disappointing results. Alerting Once events are correlated, analysis performed, and weirdness

A holy grail of technology marketing is to define a product category. Back in the olden days of 1998, it was all about establishing a new category with interesting technology and going public, usually on nothing more than a crapload of VC money and a few million eyeballs. Then everything changed. The bubble popped, money dried up, and all those companies selling new products in new categories went bust. IT shops became very risk averse – only spending money on established technologies. But that created a problem, in that analysts had to sell more tetragon reports, which requires new product categories. My annoyance with these product categories hit a fever pitch last week when LogLogic announced a price decrease on their SEM (security event management) technology. Huh? Seems they dusted off the SEM acronym after years on the shelf. I thought Gartner had decreed that it was SIEM (security information and event management) when it got too confusing between the folks who did SEM and SIM (security information management) – all really selling the same stuff. Furthermore, log management is now part of that deal. Do they dare argue with the great all-knowing oracles in Stamford? Not that this expanded category definition is controversial. We’ve even posted that log management or SIEM isn’t a stand-alone market – rather it’s the underlying storage platform for a number of applications for security and ops professionals. The lesson most of us forget is that end users don’t care what you call the technology, as long as you solve their problems. Maybe the project is compliance automation or incident investigation. SIEM/Log Management can be used for both. IT-GRC solutions can fit into the first bucket, while forensic toolkits fit into the latter. Which of course confuses the hell out of most end users. What do they buy? And don’t all the vendors say they do everything anyway? The security industry – along with the rest of technology – focuses on products, not solutions. It’s about the latest flashing light in the new version of the magic box. Sure, most of the enterprise companies send their folks to solution selling school. Most tech company websites have a “solution” area, but in reality it’s always an afterthought. Let’s consider the NAC (network access control) market as another example. Lots of folks think Cisco killed the NAC market by making big promises and not delivering. But ultimately, end users didn’t care about NAC – they cared about endpoint assessment and controlling guest access, and they solved those problems through other means. Again, end users need to solve problems. They want answers and solutions, but they get a steady diet of features and spiels on why one box is better than the competitors. They get answers to questions they don’t ask. No wonder most end users turn off their phones and don’t respond to email. Vendors spin their wheels talking about product category leadership. Who cares? Actually, Rich reminded me that the procurement people seem to care. We all know how hard it is to get a vendor in the wrong quadrant (or heaven forbid no quadrant at all) through the procurement gauntlet. Although the users are also to blame for accepting this behavior, and the dumb and lazy ones even like it. They wait for a vendor to come in and tell them what’s important, as opposed to figuring out what problem needs to be solved. From where I sit, the buying dynamic is borked, although it’s probably just as screwy in other sectors. So what to do? That’s a good question, and I’d love your opinion. Should vendors run the risk of not knowing where they fit by not identifying with a set of product categories – and instead focus on solutions and customer problems? Should users stop sending out RFPs for SIEM/Log Management, when what they are really buying is compliance automation? Can vendors stop reacting to competitive speeds and feeds? Can users actually think more strategically, rather than whether to embrace the latest shiny upgrade from the default vendor? I guess what I’m asking is whether it’s possible to change the buying dynamic. Or should I just quiet down, accept the way the game is played, and try to like it? Share:

Recently Michael Zalewski posted a rant about the state of security engineering in Security engineering: broken promises. I posted my initial response to this on Twitter: “Great explanation of the issue, zero thoughts on solutions. Bored now.” I still stand behind that response. As a manager, problems without potential solutions are useless to me. The solutions don’t need to be deep technical solutions – sometimes the solution is to monitor or audit. Sometimes the solution is to do nothing, accept the risk, and make a note of it in case it comes up in conversation or an audit. But as I’ve mulled over this post over the last two weeks, there is more going on here. There seems to be a prevalent attitude among security practitioners in general, and researchers in particular, that if they can break something it’s completely useless. There’s an old Yiddish saying that loosely translates to: “To a thief there is no lock.” We’re never going to have perfect security, so picking on something for being imperfect is just disingenuous and grandstanding. We need to be asking ourselves a pragmatic question: Does this technology or process make things better? Just about any researcher will tell you that Microsoft’s SDL has made their lives much harder, and they have to work a lot more to break stuff. Is it perfect? No, of course not! But is it a lot better then it used to be for all involved (except the researchers Microsoft created the SDL to impede)? You betcha. Are CWE and CVSS perfect? No! Were they intended to be? No! But again, they’re a lot better than what we had before. Can we improve them? Yes, CVSS continues to go through revisions and will get better. As will the Risk Management frameworks. So really, while bitching is fun and all, if you’re not offering improvements, you’re just making things worse. Share: