Research

As I’ve been digesting all I saw and heard last week at the RSA show, the major topic of wireless security re-emerged with a vengeance. To be honest, wireless security had kind of fallen off my radar for a while. Between most of the independent folks being acquired (both on the wireless security and wireless infrastructure sides) and lots of other shiny objects, there just wasn’t that much to worry about. We all know retailers remained worried (thanks, Uncle TJX!) and we saw lots of folks looking to segregate guest access from their branch networks when offering wireless to customers or guests. But WEP was dead and buried (right?) and WPA2 seemed reasonably stable. What was left to worry about? As with everything else, at some point folks realized that managing all these overlay networks and maintaining security is a pain in the butt. So the vendors inevitably get around to collapsing the networks and providing better management – which is what we saw at RSA. Secure Wireless Cisco puffed its chest out a bit and announced its Security Without Borders strategy, which sounds like someone over there overdosed on some Jack Welch books (remember borderlessness?). Basically they are finally integrating their disparate security devices, pushing the IronPort and ASA boxes to talk to each other, and adding some stuff to the TrustSec architecture. In concept, being able to enable business users to access information from any device and any location with a high degree of ease and security sounds great. But the devil is in the details, which makes this feels a lot like the “self-defending network.” Great idea, not so hot on delivery. So if you have Cisco everywhere and can be patient, the pieces are there. But if you work in a heterogeneous world or have problems today, then this is more slideware from Cisco. Wireless Security On the other side of the coin, you have the UTM vendors expanding from their adjacent markets. Both Fortinet and Astaro made similar announcements about entering the wireless infrastructure market. Given existing strength in the retail market, it makes sense for UTM vendors to introduce thin access points, moving management intelligence to (you guessed it) their UTM gateways. Introducing and managing wireless security policy from an enterprise perspective is a no-brainer (rogue access points die die die), though there isn’t much new here. The wireless infrastructure folks have been doing this for a while (at a cost, of course). The real barrier to success here isn’t technology, it’s politics. Most network folks like to buy gear from network companies, so will it be the network team or the security team defining the next wave of wireless infrastructure roll-out? Who Wins? My bet is on the network team, which means “secure wireless” will prevail eventually. I suspect everyone understands security must be a fundamental part of networks, data centers, endpoints, and applications, but that’s not going to happen any time soon. Rugged or not. This provides an opening for companies like Fortinet and Astaro. But to be clear, they have to understand they are selling to different customers, where they have very little history or credibility. And since the security market still consists mostly of lemmings, I suspect you’ll see a bunch more wireless security activity over the next few months as competitors look to catch up with Cisco’s slideware. Share:

To stir the pot a bit before the RSA Conference, I did a FireStarter wondering out loud if social media would ever replace big industry conferences. Between the comments and my experiences last week, I’d say no. Though I can say social media provides the opportunity to make business acquaintances into friends and let loudmouths like Rich, Adrian and myself make a living having on an opinion (often 3 or 4 between us). So I figured this week, I’d do a Top 10 list of things I can’t do on Twitter, which will keep me going to the RSA Conference as long as they keep letting me in. This is your life – Where else can I see 3 CEOs who fired me in one room (the AGC conference)? Thankfully I left my ice pick in the hotel room that morning. Everybody knows your name – Walk into the W Hotel after 9pm, and if you’ve been in the business more than a week, odds are you’ll see plenty of people you know. Trend spotting – As we expected, there was lots of APT puffery at the show, but I also saw lots of activity on wireless security – that was mildly surprising. And group conversations provided additional unexpected perspectives. Can’t do that on Twitter. Evasive maneuvers – To save some coin, I don’t stay in the fancy hotels. But that means you have to run the panhandler gauntlet between the parties and the hotel. I was a bit out of practice, but escaped largely unscathed. Rennaissance security folks – It seems lots of security folks are pretty adept at some useful skills. Like procuring entire bottles of top shelf liquor at parties. Yes, very useful indeed. Seeing the sights – I know Shimmy doesn’t like booth babes, but that’s his problem. I thought I took a wrong turn when I got to the Barracuda party and ended up at the Gold Club, though I was happy I had a stack of $1s in my pocket. Making new friends – The fine folks at SafeNet held a book signing for The Pragmatic CSO at the show. I got to meet lots of folks and they even got to take home copies. Can’t do that on Twitter either. Splinter conferences – Given the centralization of people that go to RSA, a lot of alternative gatherings happen during RSA week. Whether it’s BSides, Cloud Security Alliance, Metricon, AGC, or others, most folks have alternatives to RSA Conference panel staples. Recovery Breakfast – Once again, we held our Disaster Recovery Breakfast and it was the place to be on Thursday morning. A who’s who of security royalty passed through to enjoy the coffee, bloody mary’s, and hot tasty breakfast. Thanks to Threatpost for co-sponsoring with us. Elfin underwear – Where else can your business partner pull down his pants in front of 500 people and not get put in the slammer? That’s right, RSA. Check it out – it was really funny. So in a nutshell, from an educational standpoint I’m not sure spending a week at the RSA Conference makes sense for most practitioners. But from a networking and fun perspective, it remains the best week of the year. And thankfully I have 12 months to dry out and rest my liver for next year’s show. – Mike Photo credit: “Frank Chu Bsides SF” originally uploaded by my pal St0rmz Incite 4 U Ah, digging out from under the RSA mayhem is always fun. There was lots to see, many meaningless announcements, and plenty of shiny objects. Here is a little smattering of stuff that happened at the show, as well as a few goodies not there. AP(ressure)T Explained – As Rich pointed out, APT was in full swing last week at RSA and Richard Bejtlich has been calling out folks with extreme malice for this kind of behavior – which we all think is awesome. But to really understand the idiocy, you need to relate it to something you can understand. Which is why I absolutely loved Richard’s analogy of how martial arts folks dealt with a new technique based on pressure points. Read this a post a few times and it will click. Folks either jump on the bandwagon or say the bandwagon is stupid. Not many realize something new and novel is happening and act accordingly. – MR Patch Tuesday, Exploit Monday – You have to feel for the guys in the Microsoft security center. They line up their latest patch set, and some bad guys blow it by attacking unpatched vulnerabilities before Microsoft can include them in the latest release. I’m a big fan of the Patch Tuesday cycle, but that means anything released on “Exploit Wednesday” or even close to Patch Tuesday potentially has a month to run before Microsoft can fix it. MS is pretty good at releasing out of band patches if something is being widely exploited, and they’re the ones providing the warning, but it makes me long for the days when an 0day was so rare as to be nearly mythical. This latest attack hits IE 6 and 7 on various platforms, and you can mitigate with a content filtering gateway or an alternative browser, or by following some suggestions in the linked article (setting IE security zone settings to High). – RM Creating the Insecurity Index – If we know that your A/V and anti-malware only catch 20% of malicious code, or your firewall only blocks 20%, and your WAF only blocks 60% of application flaws, and so on, can we create some meaningful metrics on application security FAIL? Kind of a Mean Time Between Failure analysis for IT? I got to thinking about this when talking to Kelly Jackson Higgins at RSA about her post on Dark Reading regarding application testing, which found that 60% of applications they tested remained vulnerable. To me this is not a surprise at all, given that most adopt a security model to surround applications with add-on services and appliances to protect the application from the nasty attackers and viruses rather than fix the code itself. For most large organizations the amount of work necessary to fix

It is better to stay silent and let people think you are an idiot than to open your mouth and remove all doubt. –Abraham Lincoln Although we expected APT to be the threat du jour at RSA, I have to admit even I was astounded at the outlandish displays of idiocy and outright deception among pundits and the vendor community. Now, let’s give credit where credit is due – only a minority of vendors hopped on the APT bandwagon. This post isn’t meant to be a diatribe against the entire product community, only those few who couldn’t help themselves in the race to the bottom. I’m not claiming to be an expert in APT, but at least I’ve worked with organizations struggling with the problem (starting a few years ago when I began to get data security calls related to the problems of China-related data loss). The vast majority of the real experts I’ve met on the topic (those with direct experience) can’t really talk about it in public, but as I’ve mentioned before I’d sure as heck read Richard Beijtlich if you have any interest in the topic. I also make a huge personal effort to validate what little I say with those experts. Most of the APT references I saw at RSA were ridiculously bad. Vendors spouting off on how their product would have blocked this or that malware version made public after the fact. Thus I assume any of them talking about APT were either deceptive, uninformed, or stupid. All this was summarized in my head by one marketing person who mentioned they were planning on talking about “preventing” APT (it wasn’t in their materials yet) because they could block a certain kind of outbound traffic. I explained that APT isn’t merely the “Aurora” attack and is sort of the concerted espionage efforts of an entire country, and they responded, “oh – well our CEO heard about it and thought it was the next big thing, so we should start marketing on it.” And that, my friends, is all you need to know about (certain) vendors and APT. Share:

On the eve of perhaps the biggest conference we security folks have (RSA Conference), we wanted to bait the echo chamber a bit, and wonder what the future of conferences is – especially given the amount and depth of information that is available via blogs and social media. Interestingly enough, we don’t necessarily have a consistent opinion here, but we want to hear what the community has to say. Hypothesis: Security conferences continue to decrease in importance because the events don’t really help customers do their jobs any better. The Bad and the Ugly Weak sessions: In general, most sessions at any big conference are weak. Either poor content, poor speaking skills, or the double whammy of both, make most sessions intolerable – unless you dig making fun of the speaker on Twitter throughout the entire session. Vendor Shiny Objects: The expo floors have degraded to a combination of booth babes and bandwagon-jumping exhibitors who are just trying to capitalize on whatever the buzzword or attack du jour happens to be. The Good Relationship building: All the folks I talk to continue to value the networking and relationship building opportunities that can only be accomplished in a face to face environment. These shows provide an opportunity to compare notes and figure out if you are missing something. Personally, this is the #1 reason I go to RSA and Black Hat and other conferences. Trend watching: Clearly the “hallway track”, the show floor, and the conversations after hours provide guys like me with a good idea of what is hot and happening. Not necessarily what is working in the real world, but tracking trends is important too – especially for end users trying to make sure they aren’t losing too much ground to the bad guys. Getting out of the office: With the number of directions the typical practitioner is pulled when they’re setting at their desk, sometimes they need to get out to have a chance to focus. Going to a nice locale is only part of this, but also the ability to do a lot of research in a short time. Social Media Impact So the real question is: can you replicate the relationship building and trend-spotting aspects of great conferences via social media? If you Twitter, can you build relationships and stay in tune with what is happening out there? The answer is yes, but not entirely. Personally, interacting with folks via Twitter allows me to stay in touch much more frequently and interact on a less superficial level than grabbing a beer at the W during RSA. And via blogs, online media, and forums, focused end users can do the kind of research typically possible only at a big show in the past, with a level of objective commentary which was simply not available before. So overall, social media certainly has the basis to largely supplant conferences over the next few years. But as Rich pointed out during his review of this post, in a lot of cases social media can add impact to a conference. There is nothing like actually meeting someone you interact with through the ether, but the electronic interactions eliminates a lot of the “getting to know you” phase, because through social media you can familiarize yourself with the folks in your networks. And as Adrian mentioned, social media brings us back to an another advantage of attendance – conversations amongst small groups of folks, which gets lost in a crowd of 10,000 of your closest friends. Not So Fast Before we start shoveling the dirt on big security conferences, we need to look at the dark side of social media. Adrian actually calls it “anti-social media”, and he’s right. It seems vendors are working hard to screw up social media and make it basically an always-on trade show. Unfortunately, without the booth babes to make it tolerable. For example, many bloggers got hammered with LinkedIn spam in the now-infamous Rapid7 incident a few weeks ago. My Twitter stream is polluted by PR types basically just linking to press releases and other press coverage notes. I won’t friend work contacts on Facebook (for the most part) because it’s hard enough keeping up with all the folks from high school I don’t want to hear from. Unless folks figure out how to increase the signal to noise ratio, many of the social media networks will become as fun and as well attended as CSI. Yeah, I know that’s a low blow. Conference 2.0 So what should the organizers be doing to change this trend? Here are a couple ideas, which may or may not be interesting. At least they should get the conversation going. Get Small(er) Kill Keynotes (will you miss the hot air?) Community-driven content (like B-sides) More pragmatism and tactics, less pontificating in sessions The good news (for RSAC anyway) is that the show organizers recognize some of these issues and are working to address them. RSA specifically has been very welcoming to blogger types, and is experimenting with programs like the ESPP and Innovation Sandbox to add value. Over the past few years, there has also been a focus on improving the sessions through greater reviews and more oversight of presentation materials. This includes sending speaker scores from previous conferences to selection committee members in an attempt to eliminate crappy speakers from subsequent shows. But is it enough? What do you think? At some point will you bypass the big cons for the warm confines of social media? Share:

Rich, Mike, and Adrian keep pretty busy schedules at RSA each year, so we are likely to be quiet on the blog this week. If you happen to be at the show, here are the speaking sessions and other appearances we’ll be doing throughout the week. Hopefully you’ll come up and say “Hi.” Rich and Adrian don’t bite. Speaking Sessions STAR-106: Security Groundhog Day – Third Time’s a Charm – Mike and Rich (Tuesday, March 2 @ 1pm) EXP-108: Winnovation – Security Zen through Disruptive Innovation and Cloud Computing – Rich and Chris Hoff (Tuesday, March 2 @ 3:40pm) END-203: How to Expedite Patching in the Enterprise? A View from the Trenches – Rich (Wednesday, March 3 @ 10:40 AM) P2P-304A: Security Posture: Wading Through the Hype… – Mike (Thursday, March 4 @ 1pm) DAS-403: Securing Enterprise Databases – Adrian (Friday, March 5 @ 11:20am) Other Events America’s Growth Capital Conference: Mike will be roaming around the AGC conference for portions of Monday. The event is taking place at the Westin San Francisco on Market Street. You need an invite to this one. RSA Conference Experienced Security Professionals Program: All of us will be at this event (you need to have pre-registered) at the Moscone on Monday as well. Security Blogger Meet Up: Securosis will be at the 3rd annual Security Blogger Meet Up at the classified location. You need to have a blog and be pre-registered to get in. Securosis and Threatpost Disaster Recovery Breakfast: Once again this year Securosis will be hosting the Disaster Recovery Breakfast on Thursday, March 4 between 8 and 11. RSVP and enjoy a nice quiet breakfast with plenty of food, coffee, recovery items (aspirin & Tums), and even the hair of the dog for those of you not quite ready to sober up. PechaKucha (PK) Happy Hour: Rich will be presenting at the PK Happy Hour on Thursday, March 4 between 5 and 6:30 pm in the Crypto Commons. See if he can get through 20 slides in about 6 1/2 minutes. Fat chance, but Rich is going to try. Share:

And this is it: the final piece of the Securosis Guide to the RSA Conference 2010. Yes, there will be a lot to see at the show, and we hope this guide has been helpful for those planning to be in San Francisco. For those of you not able to attend, we’d like to think getting a feel for the major trends in each of our coverage areas wasn’t a total waste of time. Anyhow, without further ado, let’s talk about another of the big 3 themes, and the topic you love to hate (until it allows you to fund a project): compliance. Compliance Compliance isn’t merely a major theme for the show, it’s also likely the biggest driver of your security spending. While there’s no such thing as a compliance solution, many security technologies play a major role in helping achieve and maintain compliance. What We Expect to See For compliance, we will see a mix of regulation-focused messages and compliance-specific technologies: New Regulations/Standards: Over the past year we’ve seen the passing or increased enforcement of a handful of new regulations with security implications – the HITECH act in healthcare, NERC-CIP for energy utilities, and the Massachusetts data protection law (201 CMR 17.00). Each of these adds either new requirements or greater penalties than previous regulations in their industries, which is sure to get the attention of senior management. While PCI is still the biggest driver in our industry, you’ll see a big push on these new requirements. If you are in one of the targeted verticals, we suggest you brush up on your specific requirements. Many of the vendors don’t really understand the specific industry details, and are pushing hard on the FUD factor. Ask which requirements they meet and how, then cut vendors who don’t get it. Your best bet is to talk with your auditor or assessor before the show to find out where you have deficiencies, and focus on addressing those issues. The ‘Easy’ Compliance Button: While it isn’t a new trend, we expect to see a continued push to either reduce the cost and complexity of compliance, or convince you that vendors can. Rapid deployment, checkbox rules sets, and built-in compliance reports will top feature lists. While these capabilties might help you get off to a good start, even checkbox regulations can’t always be satisfied with checkbox solutions. Instead of focusing on the marketing messaging, before you wander the floor have an idea of the areas where you either need to improve efficiency, or have an existing deficiency. Many of the reporting features really can reduce your overhead, but enforcement features are trickier. Also, turning on all those checkboxes (especially in tools with alerts) might actually increase the time the tool eats up. Ask to walk through the interface yourself rather than sticking with the canned demos – that will give you a much better sense of whether the product can help more than it hurts. Also check on licensing, and whether you have to pay more for each compliance feature or rule set. IT-GRC and Pretty Dashboards: Even though only a handful of large enterprises actually buy GRC (Governance, Risk, and Compliance) products, plan on seeing a lot of GRC tools and banners on the show floor. Most of you don’t need dedicated IT-GRC tools, but you do need good compliance reporting in your existing security tools. Dashboards are also great eye candy – and some can be quite useful – but many are more sales tools for internal use than serious efforts to improve the security of your environment. Dig in past the top layer of GRC tools and security dashboards. Are they really the sorts of things that will help you get your job done better or faster? If not, focus on obtaining good compliance reports using your existing tools. You can use these reports to keep assessors/auditors happy and reduce audit costs. Just in case you are getting to the party late, you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, Content Security, Virtualization/Cloud Security, and Security Management. Share:

Two business days and counting, so today and tomorrow we’ll be wrapping up our Securosis Guide to the RSA Conference 2010. This morning let’s hit what the industry calls “content security,” which is really email and web filtering. Rich just loves the term content security, so let’s see how many times we can say it. Email/Web (Content) Security In case you missed it, every email security vendor on the planet offers web content filtering within their portfolio of products and – for better or worse – the combination is now known as content security. No other security market has embraced the concept of ‘the cloud’ and SaaS offerings as enthusiastically as content security providers. In an effort to deal with increasing volumes of spam and malware without completely overhauling all your hardware, vendors offer outsourced content filtering as a cost effective way to add both capacity and capability. Almost all vendors offer traditional on-premise software or appliances, fortified with cloud services (most refer to this as a hybrid model) for additional screening of content. What We Expect to See There are three areas of interest at the show relative to content security: Fully Integrated Platforms: As you wander the show floor at Moscone Center, we expect every vendor to say that their web and email security platforms are completely integrated. What this usually means is that your reports are shared, but cloud and appliance consoles are separate, as is policy management. It’s funny how the vendors have such a flexible definition of ‘integrated.’ If you are looking at migrating to a combined solution, you need to dig in to see what is really integrated and what simply shares the same dashboard, how your user experience will change (for the better), and how effective & clean their results are – end users get grumpy if their favorite web sites are classified as unsafe or they get spam in their inboxes. Hybrid Cloud Services: We expect every vendor to offer a ‘cloud’ service in order to jump on the cloud bandwagon. This may be nothing more that an anti-spam or remote web filtering gateway deployed on shared infrastructure as a hosted service. The quality and diversity of cloud services varies greatly, as does the level of security provided by different cloud hosting companies. Once you get past the hype of certifications and technobabble, ask the vendors what types of audits and third party security certifications they will allow. Ask what sort of financial commitments they will make in the event that they fail to live up to their service level agreements, and what their SLAs with the cloud infrastructure providers look like. Those two questions usually halt the discussion, and will quickly distinguish hype mongers rom folks who have really thought through cloud deployment. DLP Lite: As we’ll see in the Data Security section, DLP is hot again. Thus we expect to see every content security vendor offering ‘DLP’ or ‘Data Loss Prevention’ within their products, but in reality most only offer regular expression checks of network content. Yes, they’ll be able to detect an account number or a social security number, but that is only a sliver of what DLP needs to be. Content discovery and more advanced forms of content inspection (heuristic, lexical, cyclic hash, etc.) will be noticeably absent. Again, we recommend you challenge the content security vendor to dig into their discovery and detection capabilities and prove it’s more than regular expressions. Keep in mind that a trade show demo is probably inadequate for you to sufficiently explore the advanced features, so your objective should be to identify 3-4 vendors for deep dives after the show. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, and Endpoint Security. Share:

Now that we are at the end of the major technology areas covered in the Securosis Guide to the RSA Conference 2010, let’s discuss one of the 3 big themes of the show: Virtualization and Cloud Security. Virtualization and Cloud Security The thing about virtualization and ‘cloud’ is that they really cut across pretty much every other coverage area. But given they’re new and shiny – which really means confusing and hype-ridden – we figured it was better to split out this topic, to provide proper context on what you’ll see, what to believe, and what is important. What We Expect to See For virtualization and cloud security there are four areas to focus on: Virtualization Security: The tools and techniques for locking down virtual machines and infrastructures. Most virtualization risk today is around improper management configuration and changes to networking, which may introduce new security issues or circumvent traditional network security controls. Focus on virtualization security management tools – especially configuration management that can handle the virtualization configuration, not just the operating system configuration and network security. Be careful when vendors over-promise on network security performance – you can’t simply move a physical appliance into a virtual appliance on shared hardware and expect the same performance. Security as a Service: A variety of new and existing security technologies can be delivered as services via the cloud. Early examples included cloud-based email filtering and DDoS protection, and we now have options for everything from web filtering, to log management, to vulnerability assessment, to configuration management. Many of these are hybrid models, which require some sort of point of presence server or appliance on your network. Security as a Service is especially interesting for mid-sized enterprises, since it’s often able to substantially reduce management and maintenance costs. Although many of these offerings don’t technically meet the definition of cloud computing, don’t tell the marketing departments. Cloud-Powered Security: Some vendors are leveraging cloud-based features to enhance their security product offerings. The product itself isn’t delivered from the cloud or aimed at securing the cloud, but uses the cloud to enhance its capabilities. For example, an anti-malware vendor that leverages cloud technologies to collect malware samples for signature generation. This is where we see the most abuse of the term ‘cloud’, and you should push the vendor on how the technology really works rather than relying on branding vapor. Cloud Security: The tools and techniques for securing cloud deployments. This is what most of us think of when we hear “cloud security”, but it’s what you’ll see the least of on the show floor. We suggest you attend the Cloud Security Alliance Summit on Monday (if you’re reading this before then) or Rich’s presentation with Chris Hoff on Tuesday at 3:40. You can also visit the Cloud Security Alliance in booth 2641. We guarantee your data center, application, and storage teams are looking hard at, or are already using, cloud and virtualization, so this is one area you’ll want to pay attention to despite the hype. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, and Content Security. Share:

I’m probably not supposed to do this, as I took the security marketer’s oath to get my first VP Marketing gig. But I’m going to pull the curtain back on some of the wacky stuff vendors do to sell their product/services. Today’s specific tactic is what I’ll dub retro buffoonery, which is when a vendor looks back in time, and states that they could have stopped attack X, Y and Z – if only their products were deployed before the attack. You see this stuff all the time. Whether it was TJX, Heartland, ZeuS, or now the APT, vendor after vendor builds a marketing program saying they could have stopped or detected the attack. They build very specific timelines and show how their product theoretically defended customers. Note I said ‘theoretically’, because I’ve yet to see a case where a vendor had an actual customer to say “I didn’t get hosed by [Attack X] because I was using [Product Y].” To illustrate my point, let’s take a look at McAfee’s recent post-mortem on Operation Aurora. Now I’m singling out McAfee here, but there is nothing personal. Every vendor does it. I’ve done it probably a hundred times. If you work for a vendor, you’ve done it too. Rees Johnson, the blogger, did his job and pieced together a somewhat plausible story about how a combination of McAfee products could have been assembled to defend against the Aurora attack. Basically, if you had all your traffic going through a SSL proxy, had reputation working on every single gateway seeing network traffic, had whitelisting on every single device running code, and a huge research arm that could tell you there was something going on – then you could have detected the attack. Yeah, that doesn’t sound like either an economically feasible or realistic user experience situation – but let’s not split hairs here. And we know plenty of folks were running McAfee, but they don’t seem to have any success stories of actual Aurora detection ahead of the fact to share. Now to be clear, retro buffoonery tells a good marketing story and allows sales people to make a compelling case to customers for a company’s technology. Even better, by referencing a real attack, it can create enough customer urgency to get a check written. Which is good because security sales reps have those monthly BMW payments to make. But please understand, this Tuesday Morning Quarterback exercise will not help you protect your environment any better for the next attack. In the 20 years I’ve been in this business, we have proven to be lousy at predicting the future. How many of you predicted that a 0-day attack against IE6 on XP would constitute 30+ huge and successful attacks over the past 3 months? Probably the same folks who predicted SQL Slammer, TJX-style wireless POS attacks, and Heartland-style network sniffers. Even better, there are always multiple vendors telling stories about how different classes of products stop these attacks. Yet the attacks still happen, so it always gets back to the same thing – in hindsight, you’re sure you could’ve caught the attack. In reality, not so much. Vendors hope we’ll forget that it’s more than just a signature or a product that actually protects us against these attacks. We also must remember process and people complete the picture. Maybe if you backed up the truck and implemented everything McAfee has to sell you, you could have stopped Aurora. But probably not, because most companies have at least one unsuspecting employee who would have clicked on the wrong thing from the wrong place, and given the attacker a foothold on your network. And remember what persistent means. These folks are targeting you, so they’ll find a way in, regardless of how many cents per share you contribute to the bottom line of your favorite security vendor. So sorry, Mr. Retro Buffoonery Tuesday Morning Quarterback Always Completing the Pass Because It’s Easy to See in the Rear View Mirror, I don’t buy it. There are too many other things that go wrong to believe a wacky marketing claim that any set of products would stop a determined, well-funded attacker specifically targeting your organization. But you’ll see plenty of this bravado at the RSA Conference next week. And hopefully you’ll do as I do, and just laugh. Share:

To end a fine day, let’s continue through the Securosis Guide to the RSA Conference 2010 and discuss something that has been plaguing most of us since we started in this business: security management. Security Management For the past 20 years, we’ve been buying technologies to implement security controls. Yet management of all this security tends to be considered only when things are horribly broken – and they are. What We Expect to See There are four areas of interest at the show relative to security management: Log Religion: Driven by our friends at the PCI Security Standards Council, the entire industry has gotten the need to aggregate log data and do some level of analysis. Thank you, Requirement 10! So at the show this year, we’ll find a log management infestation, with a new vendor poking out of every nook and cranny to espouse a new architecture, disruptive pricing, or some other eye candy. And yes, you do need to collect logs, so focus your efforts at the show on figuring out what is the best fit for your organization. Are you just collecting logs, or do you need to correlate and alert? What are your volume and scalability requirements? What kind of reporting do you need? What about integration with the rest of your infrastructure? The point here is not to make a decision but to establish a short list of 3-4 vendors to dig deeper into after the show. Platform Mentality: Since security management is supposed to make your life easier, you don’t need to be a genius to realize that having a management console for every device type in your network doesn’t make a lot of sense. So you’ll hear a lot about SIEM + Log Management + Configuration/Patch + Vulnerability + Network Flow = Nirvana. To be clear, management leverage is good. Getting it by adding even more complexity to your environment: not so much. So to the degree that you are ready to start integrating management disciplines, focus your discussions on migration. How do you get to the promised land? Which hopefully doesn’t involve a truckload of high-priced consultants to do the ‘customization’. Risk Mumbo Jumbo: Risk is likely to be a hot topic at RSA as well. The more mature security programs have figured out that ‘security’ means nothing to senior management, but C-level folks get ‘risk’. Unfortunately, there are no accepted mechanisms to define or quantify risk. So when a vendor starts talking about “risk scores” you should focus on the amount of effort to get a risk model set up and what’s required to keep it up to date. You can’t go down to Best Buy and get Risk Management in a box, so the question is how much effort you are willing to put in to show a graph – which may or may not reflect reality – to the CFO. Operational Efficiency: Finally, you’ll likely hear a lot about improving the operations of your environment. That was a major theme last year in the depths of the recession, but the issue hasn’t gone away. This plays into the themes around integration and platforms, but ultimately there will be a number of niche tools (like firewall policy managers) designed to make your operational teams more efficient, saving money. Depending on the size and/or maturity of your security program, some of these tools may yield value. But adding yet another widget isn’t a good thing unless you can redeploy resources onto other functions by taking advantage of automation. For those so inclined (or impatient), you can download the entire guide (PDF). Or check out the other posts in our RSAC Guide: Network Security, Data Security, Application Security, Endpoint Security, Content Security, and Virtualization/Cloud Security. Share: