Research

If you’ve been following this series, we’ve highlighted some of the breaches of trusted sites that were, or could have been, used to attack visitors. There’s nothing like hitting a major media or financial site and using it to hack anyone who wanders by that day. This week we’re breaking it down security style, thanks to multiple vulnerabilities at McAfee. McAfee suffered multiple XSS and CSRF vulnerabilities in different areas, including a simple CSRF in their vulnerability scanning service (ironic, eh?). If you don’t know, Cross Site Request Forgery allows an attacker to “influence” your session if you are logged into a service. If you are logged into your bank in one window, they can use malicious code from the evil site under their control to transfer funds and such. I know a lot of exceptional security types over at McAfee so I don’t want to slam them too hard. This shows that in any large organization, web application security is a tough issue. Hopefully they will respond publicly, openly, and aggressively, which is really the best approach when you’ve been exposed like this. Just a friendly reminder that you can’t trust anyone or anything on the Internet. Except us, of course. Share:

On Monday at the RSA conference I learned that Oracle is purchasing Sun Microsystems. I was so busy/exhausted from the conference that I forgot about it until this week. This is pretty exciting! Whether it’s really a good or a bad thing depends upon your perspective. Technology-wise it’s a good match, but the corporate cultures are very dissimilar. I have spoken with a few current Sun employees who are really worried about what life will be like at the Big-O. However I heard very much the same concern from many PeopleSoft employees, and the catastrophic fallout anticipated as part of that merger never happened; with the current economic situation, it probably won’t happen this time either. I also have to say this is a much better fit, with Oracle being the acquirer, than it would have been with IBM or HP. The product lines are more complimentary than IBM’s or HP’s, and I suspect there will be fewer layoffs than if either of those companies had made the acquisition. Sun’s people may not like the culture, but I have been hearing complaints from current and ex-Sun employees for years that they were unable to win market share despite having really innovative technologies, and there will be a sense of pride in having the products you worked on effectively marketed and sold. When I worked at Oracle way back when, it was amazing to watch the sales dynamic that was going on. If the customer was making a $20M purchase of hardware and software, let’s say $17M of that was for the hardware. However, the customer’s motivation for the purchase was they needed a solid database platform. That meant the $3M Oracle purchase is what mattered to the customer, and how well Oracle performed on the hardware was the deciding factor in the purchase. This meant the smaller database software company held sway over the larger hardware vendors. For years Oracle has used this incredible leverage over their hardware partners and ‘squeezed’ them on pricing. Now Oracle is the huge company with great margins, but the market dynamic is really changing, and commoditization is moving right up the stack and squeezing their core business as well. It’s not just about the database any longer. Look no further than Cisco getting into the Server/Switch business and offering a unique take on virtualization and provisioning. Several people I spoke with at the RSA conference all said the same thing: Oracle needs to own more of the data center in the coming years if they want to continue their growth curve. I believe Mr. Ellison meant “We’ll engineer the Oracle database and Solaris operating system together. With Sun we can make all components of the IT stack integrated and work well.” quite literally, and it reflects Oracle’s long-term growth strategy. Bundling Solaris with whatever virtualization technologies are at their disposal, InfiniBand Switches, and a full array of servers, gives Oracle a chip-to-web-app presence in the data center that makes the LAMP stack look like a child’s toy. From a security perspective, Oracle now has some really compelling technologies at their disposal. Trusted Solaris is the most secure general purpose OS in the world. Sun’s data encryption and authentication/key management may not be best of breed, but they are solid products that could generate considerable revenue in the hands of Oracle’s professional service arm. And while it is really difficult to secure a JVM properly, it can be done, and the beauty of the Java programming language is that it flat out has the best object model I have ever used. I can properly encapsulate and protect objects, and the language syntax is far easier to read and analyze for coding and security flaws than C++ or other commonly used environments. If Oracle decides to knit these components together within their Data Vault variant of the Oracle database, you will have all of the elements for a very secure development environment. One of the rumors that I was hearing was that Oracle would kill off MySQL. This has been covered in some of the blogs as well. I personally think this is nonsense. MySQL is a very well-designed database. It is modular and cannot only be tuned like an Oracle database, but is instead configured more like a Linux kernel to meet the user’s specific needs. MySQL has a rabid following and what I am estimate at around 15 million installations around the world. When you couple this with the BEA pieces in place and the Java programming language and associated tools/platforms Sun has, you have a really phenomenal web application development suite. Oracle no longer has to ‘compete’ with MySQL – now they have a real answer to PostgreSQL (No, Oracle Lite fans, that was not the answer) without undermining their core database business. What Oracle really needs to do is provide a PL/SQL parser/pre-processor for MySQL, thus providing developers not only the option to use existing SQL/PSM, but the Oracle-specific procedural language most DBAs are familiar with. This would keep the existing MySQL users happy, and offer a migration path into the core Oracle database platform should they outgrow MySQL’s capabilities. Also keep in mind that Oracle purchased Innobase InnoDB, which is not really a database, but rather an underlying storage engine that is commonly used by MySQL. One of the cool things about MySQL is that you can configure it with different storage backends, such as clustering or ISAM. So Oracle owns MySQL and one of the commonly used storage technologies for it, and that platform has strong user affinity – now they just need to find a way to leverage that and make money from it. Letting that community wither and die just does not make sense. To me this looks like a very complimentary acquisition. Share:

On Thursday at the RSA Conference, I had the opportunity to attend a lunch with the conference advisory board: Benjamin Jun of Cryptography Research, Tim Mather of RSA, Ari Juels of RSA Laboratories, and Asheem Chandna of Greylock Partners. It was an interesting event, and Alex Howard of TechTarget did a good job of covering the discussion in a recent article. As with many things associated with the RSA Conference, it took me a bit of time to digest and distill all the various bits of information crammed into my sleep-deprived brain. I find that these big events are an excellent opportunity to smash my consciousness with far more data than it can possibly process, and eventually a few trends emerge. No, not this year’s “hot technology”, but macro themes that seem to interweave the disparate corners of our practice and industry. It might run contrary to many of the articles I read, or conversations I’ve had, but I think this year’s subtext was “innovation”. (And not because I presented on it with Hoff). Every year when I run into people on the show floor, the first question they tend to ask is “see anything new and interesting?” Finding something new I care about is pretty rare these days for two reasons. First, if it’s in my coverage area I sure as heck had better know about it before RSA. Second, most of the advances we see these days are evolutionary, and earth-shattering new products are few and far between. That doesn’t mean I don’t think we’re innovating, but that innovation is more pervasive throughout the year and less tied to any single show floor. One really interesting bit that popped out (from Asheem) was that the Innovation Station had only 14 applicants last year, and over 50 this year. I think in these days of tight marketing budgets for startups, a floor booth is hard to justify, and perhaps some of the total crap was weeded out, but security startups are far from dead (just look at my Inbox). But more interesting than innovation in startups is innovation from established players. For the first time in a very long time I’m seeing early tendrils of real innovation leaking from some of the big vendors again. We talked about it for a few minutes at the lunch, but it’s obvious that the security industry was able to coast for a few years on its core approaches. Customers were more focused on performance and throughput than new technologies, thus there was little motivation for big innovation. The limited market demand pushed innovation into the realm of startups, where new technologies could incubate until the big companies would snatch them up. Our financial friends at Marker Advisors even talked about this trend in a recent guest post, and how “traditional” buying cycles are now disrupted by technology turnover and changing client requirements. It all ties in perfectly to Hoff’s Hamster Sign Wave of Pain. On the other side, we’re seeing some of the most dramatic attack innovation since the discovery of the buffer overflow. And for the first time, these attacks are causing consistent, real, measurable, and widespread losses. We’ve seen major financial institutions breached, the plans for the Joint Strike Fighter stolen (‘leaked’ doesn’t nearly convey the seriousness), and malware hitting the major news outlets (with often crappy reporting). There is evidence that all aspects of our information society are deeply penetrated and fallible. Not that the world is coming to an end, but we can’t pretend we don’t have problems. This combination of buying cycles, threat innovation, growing general awareness, and product and practice innovation creates what may be the most interesting time in history to work in security. We’ve never before had such a high profile, faced such daunting challenges, and seen such open opportunities. Merely building on what we’ve done before doesn’t have a chance of restoring the risk balance, and there’s never been better motivation for big financials, the government, and big manufacturing (you know, the guys with all the money) to invest in new approaches. I’d call it a “Perfect Storm” if that phrase wasn’t banned by the Securosis Guide of Crappy Phrases, Marketing Hyperbole, and Silly, Meaningless Words (after “holistic” and before “synergy”). Frankly, we don’t have any choice but to innovate. When market forces like this align the outcome is inevitable. Tim Mather referred to the National Cyber Leap Year, a program by the government to engage industry and push for game-changing security advancements. Not that the Leap Year program itself will necessarily succeed, but there is clear recognition that innovation is essential to our survival. We can’t keep layering the same old crap onto hot newness and expect a good result. Those of you who hate change are going to be seriously unhappy. Those who revel in challenges are in for a wild ride. The good news is there’s no way we can lose – it isn’t like society will let itself break down completely and go all Road Warrior. Especially since Mel turned into an anti-semitic whack job. (Image courtesy www.pdrater.com). Share:

Last week I posted an outline for a patch management cycle to base Project Quant metrics on. Based on some feedback, I think we need to hear from those of you who actually do this for a living (you really don’t want to know the crappy process we used back in my sysadmin days). If you have a moment, please pop over to the forums and let us know what you are using for your process. (If you want to leave anonymous feedback, instead of the forums you can leave it as a comment on the main post; this is a weird limitation of our platform). Thanks Share:

Another interesting news item during the RSA show that I am just getting time to comment on is LogLogic’s announcement they have acquired Exaprotect. When LogLogic announced a partnership with Exaprotect a few months back, my initial reaction was “Who”? Actually, I had heard of the company, but knew very little about the technology. I had not heard any of the companies I speak with on a regular basis mention them, so I had not been paying very close attention to this small firm. When I went to Exaprotect’s website to see what products they offered, I really was unable to tell. It looked like a carbon copy of the LogLogic product benefits summary! It is amazingly difficult to understand what differentiates one product from another on corporate web sites when they are all attempting to cover the current market drivers, and do so at the expense of explaining what they actually do. The company is not very well known by those of you who do not follow this space closely, but they do offer a security event management product, along with a couple of other interesting pieces in the areas of configuration management and policy management. The reason this acquisition is important is two-fold. First, this is the removal of the last line of distinction between log management vendors and SEM vendors. ArcSight, LogLogic, eIQ Networks, Q1Labs, LogRhythm, NitroSecurity, and so on are all covering log management and security analysis. Granted, the degree to which each vendor provides the respective capability varies, and each has its own strengths. All in all, these systems collect disparate events, analyze the events in relation to some policy, and provide storage and reporting. The difference was the type of events collected, the speed with which the analysis was conducted, and the audience for the results. These distinctions were usually split down the middle, either near-real-time security response or a forensic analysis and event correlation. What we will see in the coming quarters is adjustment in vendor architectures for these offerings to be efficiently merged into seamless offerings, continuing to provide evolutionary updates to near-real-time and forensic offerings, and looking for ways to differentiate from their competitors. The second reason is that it spotlights the technical and value path this market segment is (and needs to be) headed down. The tough question, now that the vendors collect just about every relevant piece of security & operational data available, is what do you do with that data? How do you differentiate yourself? How do you provide the customer more value? Sure we are going to see new features appended to the core offerings, a la database protection, but the more important feature/functions will have to do with configuration management, business process verification, and policy management/enforcement. Configuration management provides the vendors with a big missing piece of preventative control and baselining of systems that are critical for most compliance efforts. It’s not that difficult to implement, fits nicely within a log management architecture, and offers value to several buying centers. Policy management, provided the vendors actually can take a business policy and automatically map that to the underlying data streams available, will also provide a huge leap in value to customers and speak to non-technical audiences. The final piece of the puzzle is a flexible analytics engine, so policy verification can be performed in an appropriate time-frame in the specific customer environment, in order to verify business continuity and efficacy. I use the word ‘verification’ because enforcement is not really the customer requirement, and more importantly blocking is not typically the appropriate way to remediate problems – the solution is often more complex. All three of these offerings show SEM moving up the stack and making sense of business processing and compliance in the business context. I look at the LogLogic acquisition as a step necessary to compete, not just the in basic SEM infrastructure of near-real-time event processing, but in all three of the evolutionary ways security event management is heading. That’s not an endorsement of the Exaprotect technology – I have not gotten my hands on it and could not tell you how well it works – but it does encapsulate the segment trends. I intend to delve into each of these trends in more depth. Share:

Sometimes the most energizing thing you can do is absolutely nothing. Last week at RSA was absolutely insane, in a good way. It’s kind of like being a kid and going to summer camp. You get to see all the friends who live in other towns, you all go nuts for a week with minimal supervision, and then everyone staggers home all excited. Between the Recovery Breakfast, 4 official RSA panels, a Jericho panel, my 160+ slide Friday morning session with Chris Hoff, and the nonstop speed-dating during the day, and parties at night, I should really be in much worse shape. But I found this year’s RSA to be incredibly motivating on multiple levels. First, I think this is absolutely one of the best times to be in information security. Yes, major crap is hitting the fan all over the place, including massive national security, financial, and infrastructure breaches, but security is also hitting the front pages and reaching into the common consciousness. This is exactly the kind of environment true security professionals thrive on – with challenges and opportunities on all sides. As someone who loves the practice and theory of security, I find these challenges to be absolutely energizing and I wouldn’t want to be doing anything else. Well, except for maybe being an astronaut. Next, RSA was extremely motivating from a corporate standpoint. I won’t say much, but it validated what we’re trying to do, and how we are positioning ourselves. Finally, it was a very motivating week on a personal level. I used to have friends at work, and acquaintances in the industry. But these days I find some of my closest friends are scattered throughout the world in different jobs. I realized I spend more time interacting with many of you than I do with my local ‘meatspace’ friends outside of the industry. I especially appreciated the group that took me out for my birthday on Monday night – it really eased the pain of spending yet another family event away from my wife and (new) daughter. After RSA I took 4 days off, and the combination of intensity followed by relaxation was a major recharge, but didn’t leave me much content for this week’s summary. Except stay away from, like, every Adobe product on the planet since they are all full of 0days. One reminder – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest (it goes out every night). We’re also thinking of creating a Friday Summary-only version, so let us know if that would be of interest. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences Martin and Rich on the weekly Network Security Podcast. I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (all about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials. I show up in the Sydney Morning Herald, based on some TidBITS/Mac writing. Speaking of TidBITS, I wrote up some thoughts on how to read Mac security articles. I was quoted in a TechTarget article on cloud computing, based on my involvement in the Jericho panel. Favorite Securosis Posts Rich: The latest Project Quant post – we really need your feedback on the patch management cycle! Adrian: Rich’s post on the Security Industry Anti-Disambiguation Movement. Having watched this first-hand at a couple of startups, I know how well the mere mention of a competing technology by one of the major competitors could halt your POC process in an instant. Favorite Outside Posts Adrian: Favorite external was Greg Young’s comment on Becoming the Threat … An excellent analysis of something we see in society, and certainly something that is a problem here in Phoenix. Oddly, this is something I do NOT see with most corporate IT. Why is that? Rich: Chris Eng’s Decoding the Verizon DBIR 2009 Cover. Very cool. Top News and Posts Joint Strike fighter plans nicked. Will someone in charge WAKE THE FUCK UP! Good: Microsoft removes ‘AutoRun’ option for Memory sticks. Bad: Pushing 8 out through auto-update? What if I don’t want it? Targetted worms and banking scams. Adobe is having a seriously bad run. More 0days. Interesting take on WAF+VA. The Black Hat call for papers is extended. Blog Comment of the Week This week’s best comment was from Ant in response to Rich’s post on Security Industry Disambiguation Movement. Well I mint not have chosen those terms, but I personally* fully endorse the sentiment! A different problem arises where a perfectly serviceable term is pressed into use in several different but not wholly dissimilar markets, leading to ambiguity and confusion – e.g., identity management, policy management. So… it’s not strictly anti-disambiguation, but it some vendors are guilty of disingenuously using a term which doesn’t apply to them in their market. – Ant * i.e., this is not (necessar Share:

While we don’t plan on posting every Project Quant update here on the main blog, we will be cross-posting some of the more significant project updates, as well as other content we relevant to our broader readership. (For these posts we will turn off comments to consolidate them all in the Project Quant area.) So here is our first pass at defining a patch management process for the project: Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Jeff and I realized that we haven’t even defined a standard patch management cycle yet to start from. DS, Dutch, and a few others have started posting some metrics/variables, but we didn’t have a process to fit them into. I’ve been researching other patch management cycles, and here’s my first stab at one for the project. You’ll notice it’s a little more granular than most of the other ones out there – I think we need to break out phases in more detail to both match the different processes used by different organizations, and to give us cleaner buckets for our metrics. Here’s a quick outline of the steps: Monitor for Release/Advisory: Anything associated with tracking patch releases, since all vendors follow different processes. Acquire: Get the patch. Evaluate: Initial evaluation of the patch. What’s it for? Is it security-sensitive? Do we use that software? Is the issue relevant in our environment? Are there workarounds or dependencies? Prioritize/Schedule: Prioritize based on the nature of the patch itself, and your infrastructure/assets. Then build out a deployment schedule, based on your prioritization. Test and Certify/Accredit: Perform any required testing, and certify the patch for release. This could include any C&A requirements for you government types, compliance requirements, or internal policy requirements. Create Deployment Package: Prepare the patch for deployment. Deploy. Confirm Deployment: Verify that patches were properly deployed. This might include use of configuration management or vulnerability assessment tools. Clean up: Clean up any bad deployments, remnants of the patch application procedure, or other associated cruft/detritus. Document and Update Configuration Standards: Document the patch deployment, which may be required for regulatory compliance, and update any associated configuration standards/guidelines/requirements. This is a quick and dirty pass and meant to capture the macro-level steps in the process. I know not all organizations follow, or need to follow, a process like this, but it will help us organize our metrics. Let me know what you think – I’m sure I’m missing something… To comment on this post, please see the original over in the Project Quant area. Share:

With all the recent talk about cloud security, I’ve really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word “cloud” for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But ‘cloud’ is only the latest example – from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators. We don’t just see this in security; calling yourself “green” is an instantly classic example (hello “green” bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution “green”, but it isn’t like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement). And what I’m focusing on today isn’t mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences. Here’s how it works – when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we’ll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don’t get to use it anymore). Let’s start with the methods (I’d apologize for the language, but you should be used to it by now): The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the “official” solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn’t close to competitive. Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that’s still debatable), but that didn’t even slow down their marketing efforts and interoperability announcements. The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into. Example: AV vendors and antispyware. Malicious Confusion: Vendors know they don’t have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn’t to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today’s cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation. Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP. The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless. Examples: Cloud and information-centric security. The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It’s usually smaller companies, and may lead to their death once users figure out the product doesn’t help with that problem, or after they score poorly in magazine/analyst ratings. Examples: Seeing this a lot with DLP and a bit in GRC. Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above. Examples: The Anti-Disambiguation Movement… and GRC. The result falls into these categories: Death: The trend/market becomes so toxic that it dies, taking the slower companies with it. Example: PKI. Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die. Example: NAC. Redefinition: The term/market is redefined, but doesn’t necessarily resemble its original form. Example: I think cloud security is headed this way. Meaninglessness: The term becomes so diluted it’s essentially worthless, even though there might be some nuggets of truth in there. Example: GRC. I’m having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators. Share:

Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week. The weather was awesome. Warm. Actually, very warm. For those of you who don’t get to San Francisco too often, it was about 20 degrees hotter than it was supposed to be Sunday through Wednesday. Rich and I usually stay at a funky little hotel that is close to Moscone; it’s cheap and we are never in the rooms for very long. However the older hotels lack air conditioning. In fact, if you want to get cool air, you open the window. Sleeping in a 90 degree room with big city traffic outside your window does not make for a restful visit. When you combine 15 meetings a day on four hours of sleep, things begin to blur together. But both Rich and I had an awesome time, and spent the entire weekend recovering from sleep deprivation. Best Food: The Venrock party was held at ‘Two’, which is a nice little restaurant off Howard and somewhat hard to spot. The food was simple ‘Cowboy’ fare: barbequed tri-tip – carnitas like shredded pork and roasted chicken, but simply amazing. We were planning on going out to dinner but our plans were promptly discarded when we tasted the food. We ate until they took the trays away. I am going to have to go back there for dinner! Best Party: The Security Bloggers event, if for no other reason that there were so many interesting people there that I talked until my voice gave out. Good friends, good food, good drink, and good fun! Best Presentation: I am probably disqualified from this category, but I am putting out my nomination anyway. I was only able to attend a half dozen presentations, and I knew both the people on stage for my favorite, however there was one clear winner from what I saw. Rich Mogull and Chris Hoff on Disruptive Innovation simply rocked. Biased? Sure. Small sample size? Sure. But on a Friday morning, to fill a conference room and have no one leave is pretty amazing. To cover 160 slides in 50 minutes and make sense is astounding. When it becomes available on the RSA site, you tell me if it was not the best preso! Special mention goes to Brian Chess and Gary McGraw for another interesting Friday talk on secure coding and the release of the Building Security In Maturity Model. http://www.bsi-mm.com/ Attendance: Officially I was told that the numbers were off about 22%. Lots of the vendors along the edges of the exhibitor hall were complaining that they were not getting anyone by their booths, but I have seen that first hand in past years as well. What I did not see were the people with shopping bags loaded with tchotchkes and stuff – instead I saw people legitimately there to see what the vendors offered. Seemed like the people who had company budget to show up were there to learn from the sessions, visit a couple vendors they were interested in speaking with, and that was about it. Not many people looking for innovation, but their existing vendors to get better at what they do, or in some cases, what they are supposed to do. Biggest Surprise: How many of you knew Webroot has a complete email and web security service offering? I cover the space and I did not even know until this week. Kind of a strange time to start, but the service based offerings makes switching very easy to do. And if Postini’s ability to filter spam continues to slide, I think Rich and I will begin looking at other vendors. If we are, I will bet others would consider this as well. Favorite event: First annual Securosis Recovery Breakfast (which will be named The Disaster Recovery Breakfast in the future, thanks Mary Catherine) was a big hit. Jillian’s was really nice to us and gave us the entire restaurant. We had about 70 people show up. No screaming over the noise, no elbow to elbow crowds, lots of chairs and good food. It was different than anything I have been to at RSA, and I am glad Rich had the idea. Relaxing fun, so we will definitely do it again next year. Theme: Security. This may seem obvious to some of you, but it should not be. We have gone through previous years where every vendor was a one stop shop for solving your compliance problems, and we have seen every gadget and appliance marketed to us as the one and only solution for Governance, Risk and Compliance. I expected to see 500 vendors telling me how they could secure the cloud, but I only saw a smattering of that. While I know a very large percentage of revenue is derived from compliance spending, the message was back to security, and I think that is a good thing! The buyers are beginning to see that operational controls, compliance, and security are closely linked needs. Saddest Scene: It’s a security conference. We are security professionals. We read about how easy it is to hack wireless end points, and that man in the middle attacks are sometimes trivial for a skilled hacker, but common traffic sniffing is usually sufficient to gather user accounts and passwords. This is not a big secret. Yet there was always a group of people grouped around the wireless access points, gathering their email and checking their eBay bids. Are you freakin’ nuts? RSA needs its own “Wall of

Hey folks, Just a quick note that we had a few people ask if we were going to hold a meeting on Project Quant out here at RSA. We know it’s last minute, but if you are interested in hearing more about the project and providing some input, we’ve decided to hold a Town Hall meeting right after the Securosis Recovery Breakfast on Wednesday morning at Jillian’s. The breakfast runs until 11, and we’ll gather up all the Quant people right after that and find a quiet corner. The WASC meetup is at 12, so if you plan things right you can probably hang out at Jillian’s all day and never head over to Moscone. Feel free to drop a comment if you think you might show, but otherwise we’ll see you there… Share: