May 17, 2012

Grimes On Firewalls Has It All Wrong

I was all set to write a post today commenting on Ellen Messmer’s article about Forrester’s picks for winners and losers in security. But that post will have to wait. Instead I am compelled to chime in on the firestorm that Rodger Grimes has ignited with his “firewalls are dead” article of a few days ago.

I didn’t comment on Rodger’s original article because after hearing my friend Richard Stiennon declare so many security technologies dead over the years, one more pundit calling something dead is just not something to get excited over. Let’s face it, you know what they say about pundits (or was it analysts): we all have one.

But that didn’t stop others from calling Rodger out. My friends at Securosis, Mike Rothman in particular, had something to say, a few other security bloggers mentioned it, and even Richard Stiennon, on his way down under, tweeted on it. But I thought the best response was by my friend and colleague Jody Brazil of Firemon. Now for those of you who don’t know, I work with Firemon, so I may be partial to Jody’s view. Truth be told, I may have even seen a rough draft of the post and put my 2 cents in before it was published. To me that was a case of enough said.

But now Rodger has come back with another salvo defending his position. After reading it, I can’t help myself. I have to jump in. Besides the fact that I think Rodger is flat out wrong, I feel it necessary to point out some weaknesses in his arguments:

1. Flat out dismissing firewall mismanagement – Yes, it is easy with the stroke of a pen to discount this very important part of Jody’s original post. But the fact remains that firewall mismanagement is still one of the biggest factors, if not the biggest, in attacks succeeding that a better-managed firewall could have and should have stopped. So before dismissing it, at least give it its due.

2. The Verizon Report is all about big companies – Yes, it is based on only 855 breaches, but the fact is that almost two-thirds of those 855 breaches happened at companies with under 100 employees! That hardly qualifies as large enterprise accounts. If you go up to companies under 1,000 employees (classic SMB) the number is even higher. So you can’t dismiss the Verizon findings by saying they only apply to large companies; it is just not the case.

3. The browser did it, blame the browser – This one reminded me of “if we set the firewall to block all traffic, we would not have security incidents.” Yes, the browser is a nexus for attack, but it is a nexus because it is a fundamental factor in the equation. You can’t take the browser out of the mix and still have the Internet as we know it. So saying it is the browser’s fault and the firewall doesn’t help the browser is just not sound logic. The browser goes with the Internet and introduces its own set of challenges. Blaming the firewall for not fixing the browser just doesn’t make sense.

4. The human hacking came later – Wrong again. It is the human hacking which comes first. It is the spear phishing or otherwise targeted attack which is the genesis of most security incidents. Grimes points to the large AV vendors as proof of his position. Well, let’s look at the recent Symantec Internet Security Threat Report. They clearly show that targeted attacks against humans (by email, Twitter or other social media) are a primary vector for many security incidents. At the end of the day, the weakest link is still the person behind the keyboard. Heck, after getting rid of the firewall, let’s get rid of the people; then we would really be safe. Of course, who would use all of those browsers?

5. Firewalls are a victim of their own success – Again the logic here is flawed. Are firewalls the new polio or smallpox vaccine? Have we eliminated the scourge of attacks that firewalls have stopped, so now we can retire them? Of course not. Firewalls (especially well-managed ones) are out there stopping garden-variety attacks day in and day out. Yes, NGFWs are an evolution up from what firewalls used to be, but the threats and attacks that firewalls have been stopping for years have not gone away; people like Rodger just take them for granted because firewalls are on call doing their job 24/7/365.
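Point 1 above is about firewalls that are installed but not managed. To make that concrete, here is an added example (mine, not Firemon’s or any vendor’s code) of the two findings a rule audit turns up most often on a first-match policy: an any/any permit somebody left in “temporarily”, and rules that can never fire because an earlier, broader rule already matches everything they would. The rule format and the rule set are constructed for this example.

```python
"""Added example: a first-match firewall rule audit that flags the two most
common mismanagement findings, an any/any permit and rules shadowed by an
earlier, broader rule. The rule format and the rule set are constructed for
this example; they are not Firemon's or any vendor's format."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: tuple                  # inclusive destination port range (lo, hi)


def parse_rule(line):
    """Constructed format: name action proto src-cidr dst-cidr ports,
    where ports is 'any', a single port, or 'lo-hi'."""
    name, action, proto, src, dst, ports = line.split()
    if ports == "any":
        prange = ANY_PORTS
    elif "-" in ports:
        lo, hi = ports.split("-")
        prange = (int(lo), int(hi))
    else:
        prange = (int(ports), int(ports))
    return Rule(name, action, proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), prange)


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def covers(a, b):
    """True when every packet rule b would match is already matched by rule a,
    so in a first-match policy b can never fire if a precedes it."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.ports[0] <= b.ports[0] and a.ports[1] >= b.ports[1]
    return (proto_ok and ports_ok
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def audit(rules):
    """Return (rule name, finding) pairs, in rule order."""
    findings = []
    for i, r in enumerate(rules):
        if (r.action == "permit" and r.proto == "any"
                and r.src == ANY_NET and r.dst == ANY_NET and r.ports == ANY_PORTS):
            findings.append((r.name, "permit any/any: every source reaches every destination"))
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = ("shadowed" if earlier.action == r.action
                        else "shadowed with conflicting action")
                findings.append((r.name, f"{kind} by earlier rule {earlier.name}"))
                break   # report the first shadowing rule only
    return findings


# Constructed rule set: a "temporary" any/any permit left in place above a
# later deny is the classic case of a firewall that is installed but not managed.
RULES_TEXT = """\
allow-web  permit tcp 0.0.0.0/0   10.0.1.0/24  443
temp-any   permit any 0.0.0.0/0   0.0.0.0/0    any
deny-rdp   deny   tcp 0.0.0.0/0   10.0.1.0/24  3389
allow-db   permit tcp 10.0.2.0/24 10.0.1.10/32 1433
"""

if __name__ == "__main__":
    for name, finding in audit(load_rules(RULES_TEXT)):
        print(f"{name}: {finding}")
```

On the constructed rule set the audit reports that `temp-any` permits everything, that the RDP deny below it is shadowed with a conflicting action (so RDP is in fact open to the world), and that the database rule is redundant. A real policy has thousands of rules and objects, which is why this is done with tooling rather than by eye; the check itself is the same.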

So it is not yet time to give the firewall its gold watch and send it to a condo in Florida. There is still plenty of life and good security left in those boxes, and the future for them is brighter than ever.

I would love to discuss this further and invite Rodger, Jody and anyone else who would like to join in to a podcast. Let me know if you are interested!

May 08, 2012

Is Lawrence Orans the NAC Boy Who Cried Wolf?

OK, I have to admit it. I downright laughed when I read Ellen Messmer’s article this morning in Network World about BYOD ushering in a revival of the NAC market. Really? Really? After I stopped laughing, I read some more.

Well, it seems that Forescout has trotted out Gartner’s Prince of NAC, Lawrence Orans, to proclaim that “BYOD is an unstoppable trend”. Of course this unstoppable trend will combine with that immovable force, NAC, and finally all of those lofty numbers that Larry and the rest of the analysts made all of those years ago will be realized. Come on, Larry. You are acting like the boy who cried wolf of NAC. Give it up.

Hey, it takes a big man to admit he was wrong. God knows I am big, but I don’t admit I was wrong that often. But let’s face it, who more than me was selling that NAC lemonade for all of that time? But we all know how it went. As the article puts it: “NAC has been around for almost 10 years,” says Gartner analyst Lawrence Orans, who acknowledges the “first wave” of NAC crested with a fairly modest adoption, mainly by financial institutions and some high-security situations, plus a few universities. Fairly modest? How about pretty low.

Yeah, I remember those days well. Companies like Lockdown Networks, ConSentry, Vernier and so many others whose names I don’t even remember, chasing that dream of widespread NAC adoption. Of course Bradford Networks is still around, having gone through several (OK, a lot of) different business models. StillSecure still offers NAC, though I think primarily to the Fed/DoD space; they are much more focused on MSSP and cloud. To be fair, Forescout has done a bang-up job of being the last independent standing. Cisco and Juniper offer NAC as part of the network, as does HP. McAfee has some sort of NAC built into the ubersuite still, I believe.

But really, to think that BYOD is going to make NAC hot again? The idea seems simple (it is always a simple idea with NAC; doing it is hard): we will recognize you as a private BYOD device. We will put you in some sort of quasi-guest network where you don’t get full access to all of the corporate LAN. So you don’t feel threatened, we have the ability to make sure the corporate overlords don’t see all of the juicy personal stuff on your device (like they want to). Of course you believe the corporate overlords, don’t you? And this will make us all fly out and buy NAC?

I don’t think so; sorry Larry, Ellen and Forescout. I don’t think there is anything that will ever make NAC live up to the numbers that Gartner and others foretold all those years ago.

May 03, 2012

IBM’s New Threat Anomaly Detection Finds Malware by Looking Within

The security industry has followed a moat-and-castle strategy of defense for some time now. Collectively, tens of millions if not hundreds of millions of dollars or more have been spent on placing security technology at the perimeter of our networks to try and keep bad stuff out. Now a new security appliance from IBM is trying to turn that paradigm on its head by finding bad stuff by what we are sending out.

IBM’s new QRadar Network Anomaly Detection appliance analyzes network traffic inside your network to identify anomalies in real time. The new appliance looks at inbound traffic as well, but it can spot “zombie” machines inside your network by monitoring the outbound traffic they send at the request of their botnet masters.

This should be an important part of any company’s security strategy. One lesson that has been made clear over the recent past is that many of today’s advanced threats and persistent attacks can evade the IDS/IPS systems and firewalls we have put in place. Many security research teams, including IBM’s own X-Force, report that social engineering attacks using social media and through mobile devices have exploded over the last 12 months.

Don’t be fooled into thinking that the type of attacks this technology can discover only happens to large companies. Recent data from Symantec, Verizon and others report that at least 50% of all targeted attacks are aimed at mid-market and smaller companies. So no matter how big or small your company, you are subject to being targeted.

These attacks are the types that usually evade traditional perimeter defenses. By discovering the evidence of infected machines, security admins can then take action to prevent further loss while determining how the attack was performed.

This is part of a new trend in security we are seeing that acknowledges you are not going to be able to stop every attack that your network and organization may come under. At least recognizing that you have been breached or attacked is a first step in dealing with the issue.
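The simplest version of “finding the zombie by what it sends out” is beacon detection: a bot checks in with its controller at a fixed interval, so one internal host talking to the same outside host and port on a near-constant schedule stands out from the irregular traffic a person generates. The following is an added example written for this post, not IBM’s or QRadar’s logic; the flow records and the internal address ranges are constructed.

```python
"""Added example: spotting an infected host from what it sends out. Bot
check-ins to a command-and-control server are small, regular and aimed at one
external address, so an internal host that contacts the same outside
host:port at near-constant intervals stands out. The flow records and the
internal address ranges below are constructed for this example; this is not
IBM's or QRadar's detection logic."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Assumption: the organisation's internal address space is RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: epoch seconds, source IP, destination IP, destination port.
# 10.0.0.5 phones home every 300 s; 10.0.0.8 is ordinary, irregular web browsing.
FLOWS = """\
1000 10.0.0.5 203.0.113.7   443
1001 10.0.0.8 198.51.100.20 443
1050 10.0.0.8 198.51.100.20 443
1300 10.0.0.5 203.0.113.7   443
1400 10.0.0.8 198.51.100.20 443
1420 10.0.0.8 198.51.100.20 443
1600 10.0.0.5 203.0.113.7   443
1900 10.0.0.5 203.0.113.7   443
2100 10.0.0.8 198.51.100.20 443
2200 10.0.0.5 203.0.113.7   443
2500 10.0.0.5 203.0.113.7   443
2510 10.0.0.8 10.0.0.9      445
"""


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        rows.append((int(ts), src, dst, int(port)))
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_hits=5, max_jitter=0.1):
    """Group outbound flows by (src, dst, port); a group with at least
    min_hits connections whose inter-arrival times vary by no more than
    max_jitter (std-dev / mean) is reported as a probable beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):   # outbound only
            by_pair[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "hits": len(stamps), "period_s": round(avg, 1),
                            "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(parse_flows(FLOWS)):
        print(f"{b['src']} -> {b['dst']}:{b['port']} every {b['period_s']}s "
              f"({b['hits']} hits, jitter {b['jitter']})")
```

On the constructed log only 10.0.0.5 is reported; 10.0.0.8 reaches the same web server five times too, but at irregular gaps, so it fails the jitter test. Two caveats for real deployments: legitimate software (update checks, NTP, monitoring agents) beacons as well and needs an allowlist, and some malware adds deliberate random sleep, so the jitter threshold is a knob to tune against your own traffic, not a constant.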

The new appliance is built on the QRadar technology that IBM acquired with Q1 Labs a while back.

IBM also announced several other enhancements to its network security line, among them a hybrid network IPS that leverages both the open source Snort rule set and the research of the X-Force team.

Speaking of the X-Force team, IBM also recently announced the X-Force IP Reputation Feed, which again leverages the research and analysis of the team. X-Force also released its annual Trend and Risk Report.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

April 25, 2012

MidMarket In The Cross Hairs: A Security Webinar

I am working with the IBM Midmarket group on a webinar on May 15th at 2pm Eastern time.

The webinar: Mid-Market in the Crosshairs: Why Cybercriminals Are Targeting Midsize Organizations and How to Foil Them

We will pay particular attention to the most recent Verizon Data Breach Report as well as other sources to show that midmarket companies are indeed being targeted by cybercriminals.

You can register for the free webinar here.

I am lucky to have two friends and really smart security folks joining me on the panel for the webinar:

Alex Hutton

Currently, Alex Hutton is a Director of Operational Risk Management for a financial institution in the United States. Included in his responsibilities are both information risk management and vendor management. In his past life he worked for the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigations Report and Verizon’s PCI Compliance Report, and is responsible for the VERIS data collection and analysis efforts.

Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum.

Alex is a founding member of the Society of Information Risk Analysts (http://societyinforisk.org/), and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog (http://www.newschoolsecurity.com). Some of his earlier thoughts on risk can be found at the Riskanalys.is blog (http://www.riskanalys.is).

Mike Murray

Mike Murray has spent more than a decade helping companies large and small to protect their information by understanding their vulnerability posture from the perspective of an attacker. From his work in the late ’90s as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis, and Liberty Mutual Insurance Group, his focus has always been on using vulnerability assessment through penetration testing and social engineering to proactively defend organizations. In addition to being in charge of advanced curriculum at The Hacker Academy, Mike is also a Managing Partner of MAD Security, LLC, where he leads engagements to help corporate and government customers understand and protect their security organization.

His years of experience as a vulnerability researcher and leader of research teams have convinced him that the most important system to focus on in information security is the human and organizational systems, and Mike has most recently focused on research into exploitation of those systems. Mike’s talks about how to build a great career in security have been seen at major conferences like RSA, Blackhat and Defcon, and his work on advanced social engineering has been widely recognized. Mike’s thoughts on security can be found on his blog at Episteme.ca and his work on helping build careers can be found at InfoSecLeaders.com.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Hiding Behind A Mac Is No Longer An Option

For many mid-market and SMB firms, one of the benefits of using Apple Macs was that you didn’t have to worry too much about security. At least that was the perception. So besides the “coolness factor” of using a sleek MacBook or MacBook Air, all of those mass-market worms, Trojans and malware were nothing for you to worry about. This made the job of securing endpoints at many firms a heck of a lot easier.

This image was reinforced by the cute commercials that showed that smug Mac guy making fun of the bumbling PC guy who had all kinds of insecurities. Behind the marketing spiel, however, there was a truth. As a result, most shops running Macs did not even bother installing anti-virus or anti-malware on them. In fact, for a long time Apple advocated that you didn’t need to put any security software on your Macs.

Many in the security community always said that the reason we didn’t see more Mac attacks was there were not enough Macs to make it worthwhile. They believed that when Macs captured a big enough market share, the malware authors would then turn their attention to them and we would see Macs under attack.

Well, the chickens have come home to roost for Apple, it seems. Along with selling lots of iPads, iPhones and iPods, they have done a great job of growing Mac market share. Estimates are that Macs now make up anywhere from 9% to 18% of the PC market. That is phenomenal considering that Macs hovered around 3% to 5% for most of the last two decades. The downside of this, though, is that now there are enough Macs out there to make a mass attack worthwhile.

We have seen perhaps the biggest, if not the most publicized, of these mass attacks with the recent Flashback malware, which infected upwards of 600,000 machines. What is worse, the response by Apple was not handled as smoothly as they handle their marketing. There were multiple updates released to address the malware, with some mixed results reported.

We have grown to take for granted the Patch Tuesdays that Microsoft puts out every month. But pushing out patches and having them do the job without upsetting the apple cart (no pun intended) is not as easy as it looks. The good news is that Apple will in all likelihood get more practice to get their processes down tight. The bad news is that Apple in all likelihood will be the target of even more attacks.

So what does this mean for the midmarket? Well, it means that if you have been running Macs in your office and homes and not worrying about security, you better start worrying. It is great news for companies that make Mac security suites. Some of the usual names like Symantec, McAfee, Kaspersky and Sophos have Mac versions of their suites available. There are some Mac-specific security companies as well that have been in the Mac security market for some time. Companies like Intego have specialized in Mac security and may be worth looking into as well.

But don’t rely just on the tools. Common sense and educating your users is still the most effective means your company may have to stay safe. Don’t open attachments from suspicious emails. Don’t click on links from non-trusted sources in social media, email or web sites. Whether you use a PC or a Mac, the weakest link in the chain is still the person sitting behind the keyboard.

In the meantime this should be a wakeup call for Mac users. Apple is advocating that you install security software. Don’t wait until you are the next victim. Install and maintain endpoint security software now. Virtually any of the choices out there are better than no security software at all.

One thing you can be sure of is that we have not seen the last of targeted malware against Macs. But before all of you Windows users out there gloat, remember you are targets as well.


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

April 20, 2012

When You’re A UTM Everything Looks Like A Nail

I have written about Richard Stiennon’s view of UTMs as a Godbox before. I don’t blame Richard for advocating and thinking that UTMs really do everything they advertise themselves as doing, and even for thinking people really do turn on all of those functions. For Richard it is a case of when you are a hammer, everything looks like a nail.

Richard was the VP of marketing at Fortinet when they were hip-deep in trying to show that UTMs could scale beyond an SMB device, that turning on more than two functions on a UTM device would not grind your network gateway to a halt. After leaving Fortinet, Richard tried to start an MSSP that managed, wait for it, you guessed it, UTMs. After that Richard wrote books on UTM. So you can’t blame Richard for thinking that UTMs really are God Boxes.

But in his recent post on Forbes.com Richard takes Palo Alto Networks to the whipping shed for no apparent good reason. He questions Palo Alto’s technology, their revenue reports and their place in the market.

In my opinion it comes off sounding a lot like sour grapes. He disparages the number of customers PAN has compared to his own Fortinet (Richard of course left Fortinet before it went public). So I don’t know what Nir Zuk did to make Richard so spiteful, but I guess it doesn’t take much.

This is now the 2nd time, though, that Richard has flat out said that NGFW is just another name for UTM. Again it is Richard’s everything-looks-like-a-nail view coloring his world. In Richard’s view anything that combines stateful packet inspection with anything else is a UTM. I guess by that definition maybe he is right, PAN is a UTM. But thank goodness the rest of the world doesn’t share Richard’s view. A UTM is usually firewall, IPS, gateway anti-spam or anti-malware, and maybe web filtering, among other things, combined on one box. But what PAN and other NGFW vendors have done around application-based firewalling is not part of the UTM equation, no matter how much Richard wants to say it is.

So Richard, get it straight. NGFW is not UTM. While we are at it, Richard, let’s set the record straight about UTMs. The fact is that today most people do not turn all of the levers on. Few use more than two of the functions of the UTM at once. My “anecdotal reports” tell me that most people still use the firewall and IPS. Even then the IPS has very few blocking rules set. So if anything maybe we should rip the veil off of UTM usage?

Now, I don’t know who Richard’s sources are for his “anecdotal reports” that Palo Alto is mostly deployed behind other firewalls and is not being used as advertised, but as my grandmother would say when speaking to someone really heavy who was always on a diet, “someone is sneaking it in”. Those kind of numbers don’t come from people buying those boxes to use as flower pots.

As Bill Frank over on Cymbel wrote in response to Richard’s post, the Q4 revenue dip was explained by PAN. They had a bang-up 3rd quarter based in large part on a big end-of-year buy by the Federal Govt. For companies that sell a lot to the federal space, the quarter ending Sept 30th, the end of the fiscal year for the Feds, is often the big quarter of the year. What’s more, I would think Richard doesn’t have to be reminded of that. So either he didn’t see the comment about the fed business or he chose not to disclose it.

Why should he disclose that anyway? He didn’t disclose his past history in the UTM market in his Forbes post either. I am not throwing stones here, but Richard should disclose that too. This way people can understand his view of everything being a UTM.

April 17, 2012

Spectorsoft Webinar on Compliance and UAM

I am appearing on a webinar tomorrow with my friends at Spectorsoft. The webinar is free and one attendee will win an iPad 3. The details are below:

Date: April 18, 2012 | Time: 2:00 PM EST

Attend and learn about User Activity Monitoring, a unique technology that’s a critical piece of your overall Compliance initiative.

Attend this webinar and learn how User Activity Monitoring will help you:

  • Assess the current state of your security … quickly
  • Alert you to breaches in regulations … regardless of the application being used
  • Audit access to sensitive information … automatically
  • Provide absolute Context and Proof … document success or failure to meet regulations and standards

See how User Activity Monitoring blows away expensive, labor-intensive manual efforts such as aggregating disparate events and alerts to piece together your Compliance picture!

You can register for the webinar here: https://www3.gotomeeting.com/register/762240710

More Benefits of User Activity Monitoring

User Activity Monitoring allows Compliance and Security Experts, IT pros, Risk Managers, and HR to see what users and groups of users are doing at their network PCs, Macs, or laptops. SPECTOR 360 captures and replays how people, departments, and divisions work, which applications and systems they are using, and how they communicate, making it fast and easy to ensure Compliance.

Appearing on the Webinar:

Nick Cavalancia
Nick Cavalancia, MCSE/MCT/MCNE/MCNI, is SpectorSoft’s VP of Marketing where he assists in driving innovation and the evangelism of SpectorSoft solutions. He has over 18 years of enterprise IT experience and is an accomplished consultant, trainer, speaker, columnist and author. He has authored, co-authored and contributed to over a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies.

Alan Shimel
Alan is the co-founder and Managing Partner of The CISO Group, where he focuses on security consulting and PCI compliance management for the payment industry. He is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years” (www.ashimmy.com).

April 16, 2012

Spam Cop: If The Messenger Has The Message Wrong, Shoot Him

So it seems that my post both here and on Network World about my recent experience with Spam Cop has touched some nerves in the anti-spam community. I understand, no one likes to hear that their baby is ugly or even worse a bully.  But I will stand by my initial posts.

My friend Richi Jennings is one of the people saying I am wrong on Spam Cop and he has written a very nice retort here.  I read it and we have gone back and forth on some comments, but I think it best I respond here.

First of all, Richi and some others have the fact pattern wrong. I was not running a mail list server for a youth sports league. I was sending an email from my own email account to a fellow board member of a youth sports league I am involved with. The message that was blocked was from my own email account. So the whole “mail list management thing” is a red herring here.

Richi says that is even more reason to move my email account. As I wrote previously, this is an email account which is kept at GoDaddy along with my domain and web site. It is a shared mail server, I am sure (as opposed to what someone commented on Network World, that this is what happens when people who shouldn’t administer their own mail servers do so). Moving my domain, web site, database, etc. is going to be a lot of work. I know GoDaddy is not perfect. But again I think Richi and the rest miss the real points of my post because they are so busy defending the stop-spam industry.

Secondly, I am familiar enough with reputation-based filtering and the technology involved. I am not some Internet newbie you have to spoon feed. I owned a hosting company that battled spammers way back in 1995 and have been involved in hosting and the security industry since, so this is not my first ride on the spam tuna boat.

So here are the two main points I was making:

1. Spam Cop should not hide behind the skirts of the blocking ISPs. Don’t tell me that Spam Cop is not responsible for blocking my email, it is the ISP that is doing it. That is akin to me giving you a gun, telling you to shoot someone and then saying, “I didn’t shoot him”. You are still guilty. Stand up and say “we told the ISP that the host you are using has sent spam recently and they blocked your email as a result”. That is the truth and doesn’t make it sound like you are hiding behind someone else for your actions.

2. When you actually put things in writing like “They no longer have any sympathy for the innocent bystanders, such as yourself, who are using a mail server which has found its way onto one of the several major blocking lists.” You are asking for trouble.  It is just plain wrong. It violates long standing principles of law and common sense.  Let me give you an analogy and see if it helps.

Let’s say we lived in an apartment building in a large city. I was there with my wife and sick child who is on an electric respirator. It was a large apartment building with 150 or more tenants. One of those tenants (but not me) had rigged his electric meter and was stealing power from the local electric utility. There was a service that monitored electric usage and notified the utility that someone in that building was stealing electricity. Based upon that, the electric utility shut off electricity to the building. As a result my baby’s respirator didn’t work. Do you think the electric utility and even the electricity monitoring company should be liable at least civilly if not criminally for what happened here? Or are you going to tell me the thief stealing the electricity is responsible for my baby not having his respirator? I can tell you that I hope that electric company and the monitoring company have very deep pockets and lots of insurance because they are in a heap of trouble.

Our system of justice and law is based on the principle that the innocent are not punished for the crimes of the guilty. In fact there is a legal theory that better 10 guilty men go free than one innocent is punished.

There is also a long standing principle of due process. When I write and say that my email has not been used for spam and you have blocked me wrongfully, I should be entitled to due process and a chance to prove my case instead of just being told tough, even if you are innocent.

This is exactly what you are doing by freely saying we don’t care that innocent bystanders get hurt along the way. That is the same argument used in the theory of “total war” in WW II to justify bombing civilian centers such as London. It wasn’t right then and it certainly isn’t right to use to combat spam.

For the average company (and there are millions of them) that hosts their web site, database, web applications and email at large providers like GoDaddy, picking up and moving all of that is no easy task and involves a big expense. Instead of saying the hell with the innocent, how about perfecting the technology so the innocent aren’t the ones being harmed.

The real spammers hop from server to server and when one gets blocked they move on to the next, it is the innocent who get left holding the bag. When your mission becomes so obsessive that you lose sight of protecting the innocent, it is time to step back and reevaluate.

April 12, 2012

When The Spam Fascists Are Worse Than The Spam – Spam Cop

In my 20+ years of working in technology and the Internet I have learned many lessons. One of the things I have learned is that when the medicine is worse than the sickness, it is time to get a new medicine. We need a new medicine to replace Spam lists like Spam Cop.

Yesterday I was emailing with some of my fellow board members of the West Boca Tackle Football league. I do so pretty regularly because as a board member there are always things that need to get done. All of a sudden my email was being refused by the ISP of one of the members of the board. I got that nice bounce message with a link to find out why my mail was being refused as spam.

I followed the link and it took me to Spam Cop, which explained that the IP my GoDaddy-based email server was on was in a block of IPs that had made it onto the Spam Cop list. I know it happens from time to time and I did what I always do. I wrote a very nice note to the admin address given explaining that I am not sure why my IP would be there, we do not spam, but would they please remove it. It has always worked the four or five times this has happened in all of these years.

Last night I got a long-winded reply from Spam Cop by someone by the name of Don D'Minion (that should give you an idea of what we are dealing with here). Don sent me, I guess, his standard letter, that Spam Cop has nothing to do with blocking my email. They are not in the equation, but ISPs are sick and tired of all the spam and “They no longer have any sympathy for the innocent bystanders, such as yourself, who are using a mail server which has found its way onto one of the several major blocking lists.”

Well, I call bullshit on Spam Cop; they are directly responsible for my mail being blocked wrongfully, first of all. It is their list that the ISP is using. If that IP is not on the list, my mail is not blocked. So at least have the decency and courage to get out from behind the ISP’s skirts and state the truth!

Secondly, the “screw the innocent bystanders” stuff is just wrong. If the police said let’s just start shooting because there is a criminal in the area and shot a bunch of innocent bystanders, it makes them as bad or worse than the criminal. Same thing for Spam Cop. If you are not going to try and distinguish between the real people spamming and the innocent people (BTW they had a whole bunch of IPs in this particular block; I imagine a good chunk of GoDaddy folks), then you have no frigging business doing this.

The good news is the more innocent people who get blocked, the more legitimate email that doesn’t go through, the more likely the customer who uses the ISP using Spam Cop will leave to go somewhere else, and the more likely that ISP is to eventually stop using over-aggressive spam fascists like Spam Cop.

Now I know that spam is a serious problem. There are lots of good companies fighting the good fight against it. But when the philosophy becomes to throw the baby out with the bath water, it is time to switch methods.
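Both of the Spam Cop posts above turn on the same mechanism: the receiving ISP’s mail server looks the connecting server’s IP address up in a DNS-based blocking list and refuses the message if the address is listed, which is how every tenant of a shared mail host gets blocked for one spammer. As an added example (mine, not Spam Cop’s or any ISP’s code) here is how that lookup is formed and answered, plus the two things a receiving admin can do so that one listing of a shared host does not become a hard reject: an allowlist for known correspondents, and scoring across independent lists. The list zone names and the “DNS” answers are constructed so the code runs offline; a real check would query a live zone such as SpamCop’s bl.spamcop.net.

```python
"""Added example: how a receiving mail server consults a DNS-based blocking
list, and a policy that does not let a single listing decide the fate of a
message. The zone names and the "DNS" answers below are constructed for this
example (a real check would resolve against a live zone such as SpamCop's
bl.spamcop.net); this is not SpamCop's or any ISP's code."""
import ipaddress

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """A DNSBL is queried by reversing the octets of the connecting IP and
    appending the list's zone, e.g. 203.0.113.7 -> 7.113.0.203.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS: query name -> A record. A missing name plays
# the role of NXDOMAIN ("not listed"). Lists answer inside 127.0.0.0/8; the
# last octet is the list's own listing code.
FAKE_DNS = {
    "7.113.0.203.list-a.example.test": "127.0.0.2",
    "7.113.0.203.list-b.example.test": "127.0.0.2",
    "8.113.0.203.list-a.example.test": "127.0.0.2",
    "9.113.0.203.dead.example.test": "198.51.100.40",   # parked zone answering everything
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


def listed(ip, zone, resolve=fake_resolve):
    """Return the listing code (e.g. '127.0.0.2') or None if not listed.
    Raises if the zone answers outside 127/8, which is how a dead or
    parked list turns into a block on every sender."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        raise ValueError(f"{zone} answered {answer}; zone is broken, stop using it")
    return answer


def decide(ip, zones, allowlist=(), resolve=fake_resolve, reject_at=2):
    """Score-based policy: each listing is one point. Known correspondents in
    the allowlist skip the lists entirely; one listing only delays or tags the
    message (greylist); reject needs reject_at independent listings."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(n) for n in allowlist):
        return "accept", 0
    score = sum(1 for z in zones if listed(ip, z, resolve) is not None)
    if score >= reject_at:
        return "reject", score
    if score:
        return "greylist", score
    return "accept", score


ZONES = ["list-a.example.test", "list-b.example.test"]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.10"):
        print(ip, decide(ip, ZONES))
    print("203.0.113.8 with allowlist",
          decide("203.0.113.8", ZONES, allowlist=["203.0.113.8/32"]))
```

In the constructed data 203.0.113.7 is on both lists and is rejected, 203.0.113.8 is on one list and is only greylisted, and the same address is accepted outright once it is in the allowlist, which is the position a board member who mails you every week should be in regardless of what his hosting provider’s neighbours are doing. The check on the answer being inside 127/8 is worth keeping: a blocking list that shuts down and whose domain is later parked will answer every query, and a server that treats any answer as “listed” then rejects all mail.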

April 10, 2012

Who Is Up For A Bloggers Meet up At InfoSec Europe?

Every year after our RSA Security Bloggers Meet up I am asked why we don’t have bloggers meet ups at other large security conferences. (I think we had one once during Black Hat. I remember drinking with Rich Mogull, Amrit Williams and David Maynor at some Star Trek themed bar. But that is another story.)

Anyway, many people ask why don’t we have a bloggers meet up at either RSA Europe or InfoSec Europe. With so many of our finest bloggers living on that side of the pond, it really does make a lot of sense.  The only thing holding us back is that I don’t think any of our organizing committee attends these shows on a regular basis, so logistics and such are difficult. But where there is a will, there is a way.

My friends at Firemon have volunteered to sponsor a Security Bloggers Meet up at InfoSec Europe. They are already having a cocktail party and there is a secluded private area they are going to allow us to use as a bloggers meet up as part of that party.  Many thanks to Jody Brazil and the Firemon folks!

Brian Honan has said he will try to help, but we will need more than just Brian. So any of you bloggers out there who will be at Infosec, are you up for a party? Would you be willing to help organize a bit? It really won’t take much, but we need some feet and eyes on the ground.

Who knows, if it goes well, next year we can expand and make it more like the RSA bloggers meet up at RSA. But for now we have a sponsor and host willing to give us room and pay for drinks. That is a hell of a start in my book.

So if you are interested, please either twitter me, comment on here or contact me at info@securitybloggersnetwork.com. I need to let the Firemon folks know what they got themselves into.

Enhanced by Zemanta

Pink Hat Security, The Doobie Brothers and Infraguard, Oh My!

Let’s face it, South Florida is not the Mecca of the information security world. But it is home for me. So as I wrote about before, I was pleasantly surprised to run into my old friend Jeani Park a few months back and find out that she had relocated down here too.

Jeani is working for a security company called Spectorsoft, which I was not aware of either. Spectorsoft is pioneering something called User Activity Monitoring (UAM).  Jeani runs product and a bunch of other stuff there.  They have had a tremendous amount of success in both the commercial and consumer markets.  I am doing some work with them and will be appearing on a webinar on compliance and UAM on April 18th. Will post more details on that soon.


Anyway, I was bugging Jeani to start blogging as I knew inside of her a great potential blogger lived. Well, she finally put up her PinkHat Security Blog just a week or two ago.

Jeani is also speaking a bunch at Infraguard meetings and other locations around the country. She is chairing a panel down here in South Florida on April 19th. You can read about it in her blog post today.

She has a great line up for the panel on the 19th. But I liked that in her blog she mentioned Jeff Baxter of Doobie Brothers & Steely Dan fame who is now a cybersecurity expert for the DoD. Anyone who can weave some Doobie Brothers into a security post is getting the hang of this blogging thing.

Anyway, Pink Hat Security is now part of the Security Bloggers Network.  Congrats to Jeani and keep blogging!


April 04, 2012

Until You Walk A Mile In Those Shoes

Well it looks like I missed a good time up at the InfoSec show in Orlando. My friend Jeani Park from Spectorsoft was going and I was thinking about joining her, but had too much to do back at my office. The highlight seems to be a panel where my friends Alex Hutton and Chris Nickerson were joined by Marcus Ranum. All three of those guys could be named Buck, because you know when it comes to speaking their mind, they don’t give a F^#k. That is a good thing for a security conference panel in my opinion.

From what I have read by Rob Westervelt the message was “Industry is doomed by automation, misguided IT security strategy, experts warn”. Rob says the panel members chided the security leaders in the audience to stop managing to compliance and do their job.

That silly rabbit, Raf Los says that from what he heard and what he believes, the problem is many of these so called security leaders don’t really know what their job is to begin with.

Both authors in their articles retold the story (I felt like I was reading different gospels of the same story) of the man whom Chris Nickerson asked for the corporate mission statement of the company he worked for. The man couldn’t say. To Raf especially this was a smoking gun for much of what is wrong with the security industry and why we are in trouble. Westervelt’s article ended on a positive note with some examples of things and places done right in security cited by the panelists.

So before we all run for the exits because someone yelled fire, let’s take a moment here. First of all, the guy who didn’t know his company’s mission statement might have had a case of stage fright and brain freeze. Or maybe he really doesn’t know it. But let’s not go off and say that represents the majority or even a sizable minority of the security industry. I would venture that most security folks know the mission statement of the company they work for.

Secondly, let’s not blame people for not being strategic when they are tactically trained and experienced. Our industry is still relatively young. CSOs and CISOs have lots of different job functions at lots of different companies. For many gigs the CSO or security leader is more of an NCO (non-commissioned officer) who actually works for a living, rather than a genuine officer. Many CSOs achieve their positions by mastering a series of tactical engagements that have never tasked them with thinking strategically. They operate going from one fire to the next and just don’t know any better. If anything, maybe our industry needs to do a better job of teaching people to think strategically, not tactically.

Does this make them incompetent and the wrong person for the job? No, not necessarily. Maybe that is just what the doctor ordered at that organization. They just want someone to come in and be very tactical about achieving specific goals. In the words of Rhett Butler, frankly they don’t give a damn about the higher strategic picture of why being vigilant about security is more important than being compliant. They are paying someone to fix what that damn auditor said needed to be fixed. They don’t want to pay someone to pontificate and blog and prioritize. Many mid-size and smaller enterprises operate like that. There is a CEO owner who calls the shots and that is the way it is.

I remember a few years back going into an airline headquartered down here in South Florida. The company was preparing to go public. As such the underwriters told them they had to be SOX compliant and the auditors had prepared a list of items outstanding.  I was shocked to find out the “CIO” and I use that term loosely was the CEO’s nephew and didn’t know jack about IT, let alone security. The “security leader” was just a security admin who ran the firewall, the IDS, the endpoint AV and probably cleaned the toilets when everyone went home.  Do you really think the CIO and his uncle the CEO gave a flying crap about what the security leader thought? 

Yeah, it’s easy to say you shouldn’t work in that environment. But it was a job, it paid well, it was a fast-growing company and maybe one day they would see the light and let the security dude do what needed to be done. But saying that guy is a dunce, not qualified, or that our industry is in trouble isn’t right either.

Maybe it will take a breach at that organization for them to bring in a real strategic security thinker. In fact more often than not, that is what it takes. Nothing makes you jones for the cure like being sick already.

At the end of the day organizations get the security they want and the security they are willing to live with. It is a decision that is made and that they live with. It doesn’t mean our industry is made up of a bunch of dolts who don’t see the big picture. It is made up of a lot of hard working people who make the best they can out of a situation where many in the organization still think of them as the people who say no and don’t appreciate the real risks. But everyone needs a job and like Donald Rumsfeld said, “we go to war with the army we have, not the army we want”.

So until you walk a mile in those shoes, don’t be throwing stones.

CompTIA CASP and the SBN

I am happy to report that the good folks at CompTIA have signed on to be a sponsor of the security bloggers network (SBN). Thanks very much to CompTIA!

If you are not familiar with CompTIA they offer a full range of IT certification courses including some excellent security certifications.  Their newest certification is called CASP which is CompTIA Advanced Security Practitioner.  It is a master level certification for people with significant experience in the field.

I had a chance to speak with Rick Bauer, director of research and development at CompTIA. We spoke about CompTIA, the different certifications they offer and the whole technical certification space.

If you are interested in achieving technical certifications you should certainly look at what CompTIA has to offer. In the meantime you can listen to my conversation with Rick below.

If you are interested in finding out more about CASP or other CompTIA certifications, click the banner to the right.

April 02, 2012

PCI DSS Keeps Its Perfect Record Intact

I was reading Brian Krebs’ follow-up article on the Global Payments breach this morning, which says that something less than 1.5 million credit card records may have been stolen in this mess. How much less is still open. Could be 50k, could be 1.499m, I guess we will have to wait for more info. (BTW, kudos to Brian for once again showing why he is just so over and above everyone who writes about security: bloggers, reporters, writers, etc.)

I then read my friend Bill Brenner’s piece that Global “has some ‘splaining to do”. Bill is right, Global Payments is going to have to give us a lot more details about how this happened and they should step up and take the blame here. The truth will set them free, but the fines I am sure will be heavy.

In the meantime, the security industry will analyze, over-analyze, read tea leaves and goat innards trying to piece together how this could have happened. With Albert Gonzalez behind bars, our own Lee Harvey Oswald couldn’t have done this one, we should be on the look out for the next Sirhan Sirhan.

One party though who will take no blame on this is the PCI Council. In fact they have managed to keep their perfect record intact through this one. As Brian noted and Bill said as well, Visa has promptly removed them from their list of compliant service providers. They are not PCI compliant. That is why they were breached. Of course if they were compliant, this breach would never have happened, right? Wrong.

No PCI compliant provider has ever been breached. The whole thing is crazy. If you are breached you are not compliant by definition. Your compliant status applied only at the moment you were certified; if anything happened the moment after, it is because you were no longer compliant. So what is the use of being on VISA’s compliant service provider list? It just means you haven’t been breached yet or recently.

So Global was not PCI compliant and will now have to be re-certified. The moment after they are certified if anything happens, they will not be PCI compliant again. This is a game where all of the rules are stacked for the Council. They can’t lose.

The losers are consumers and merchants who play this game. Merchants are charged lots of money to become PCI compliant. They are told that everyone has to be compliant, most especially the processors. Consumers are told that VISA, MasterCard and the rest of the industry have instituted the PCI DSS to protect them. That no PCI compliant merchant or provider has ever been breached.

The reality is that the only ones getting any protection are the card brands and their bank cronies who are offloading the liability to merchants and processors instead of themselves and who dip their beak every time one of us pays with plastic. The idea behind the bank and credit card company fees was that they were taking the risk when people promised to pay later while using plastic now.  But much of that risk has now been offloaded to merchants and processors, debit cards take the money out of your account almost instantly. The card brands have little to no risk and still charge both the consumer and the merchants high fees, dipping their beak on both sides of every transaction. That is not being a bird, it is being a pig.

So while their perfect record remains intact, the PCI Council remains the undefeated heavyweight champion of meaninglessness.

March 26, 2012

Final Thoughts From RSA This Year

So now that the dust has settled and we have all had time to reflect on what we saw, heard and experienced at RSA Conference this year, I wanted to talk about three key takeaways from this year’s conference.

Before I tell you what they are, let me say that this year’s show was certainly the biggest, brightest and most well attended RSA Conference that I have seen. It really seemed to signal that security has arrived. With that being said, here are my three lessons learned:

1. Here a risk, there a risk, everywhere a risk. It seemed you couldn’t walk past more than two booths on the exhibit floor or attend more than two track sessions without seeing or hearing about risk. Risk and risk management was everywhere. Of course the devil is in the details. One person’s risk and risk management is not how another person defines it.

If I had a nickel for every company involved with risk I could retire. This is why I think it important to define risk and define how your company figures in the risk equation. It is an exercise that Firemon went through when it first released Risk Analyzer. You can read about it in some of their blog posts from then and some of the podcasts I did with Jody Brazil and others.

Making sure you are clear on risk and risk management is important to distinguish what you are talking about in a very crowded field. My guess is the field will get even more crowded as well. Risk could become the next compliance, the previous simple black dress of the security world. My advice is avoid the risk gold rush and make sure you are clear in what you are trying to do and how you are going to accomplish it when strategizing on risk and risk management.

2. Going mobile. Walking the show floor and talking to folks I was reminded of an old song I loved from The Who, Going Mobile:

I can pull up by the curb
I can make it on the road
Goin' mobile
I can stop in any street
Invitin’ people that we meet
Goin' mobile
Keep me movin'
Out in the woods
Or in the city
It's all the same to me
When I'm drivin' free, the world's my home
When I'm mobile

The move to mobile and its sibling BYOD is top of mind with everyone. This along with the move to cloud is changing the way we do IT more than any time since the Internet first came on the scene in the mid-90s.

Interestingly this seems to represent both a big new potential threat and a grand opportunity. While I think it a bit cynical that so many are expecting and almost cheering for a real mass security incident involving mobile devices to happen this year, let’s be realistic. Without a real incident on a mass scale that we can point to, it may prove difficult to make people take mobile security seriously. As much as I hate to say it, we may need a mobile code red or blaster type of event to keep the spotlight on mobile security and move it beyond buzz to critical mass adoption.

3. Money makes the world go round – I have seen several people comment on the sense of optimism at this year’s RSA. While I admit I felt that same sense of optimism, I don’t think it is because we have made any significant strides in combating insecurity. I was happy to see so many new companies with innovative strategies. But I don’t think that was the cause of the optimism either. I think the optimism was due to the obvious money that the security industry is awash in. The size and audacity of the booths on the floor, the parties, the extravagance were all readily apparent to anyone attending RSA this year.

The money being thrown at security is a direct result of the fact that finally security seems to be in the spotlight. After years of screaming “the sky is falling”, people finally believe us. Now as never before the security industry is being given the resources and attention we have been craving and demanding for a long time.

Of course there is a down side of all of this money and attention. If we can’t appreciably do something to improve the dynamic around security the money and spotlight could dry up pretty quickly. The security industry has been given its 15 minutes of fame. Whether or not we make the best of it is up to us. As an industry we need to deliver with some tangible results. What will that take and are we capable of doing so is something I will address in some future blog posts.

So this really was quite an RSA show. It will be interesting to see how it plays out and what effect we will see over the year in time for next year’s RSA.


March 15, 2012

How The Changing Face Of Mid-Market IT Is Going To Change Your Security Strategy

Now that I have had a few days home from the RSA Conference to digest what I saw and heard, I am more convinced than ever that we are on the cusp of a sea change in IT. This profound rethinking of the way we use information technology is going to mean a huge change in the way the mid-market does business. It will also have a huge impact in designing a successful security strategy in mid-market organizations.

The change we are seeing in IT is the move away from on premises servers on the LAN storing databases and data that are accessed by applications running on desktop and laptop clients.  Instead we will access apps via app servers located in the cloud. The data will reside in the cloud as well.  Our clients will be a variety of mobile-enabled devices ranging from smartphones to tablets/pads and other lightweight devices. They won’t need giant hard drives, as the apps and data won’t live on them. 

This promises to turn the traditional IT equation on its head. You are probably already seeing this dynamic in action with Bring Your Own Device (BYOD) having an impact in your organization, as well as web apps being accessed from all over your network. We won’t have to invest in expensive hardware which needs to be upgraded every two to three years. Even desktop and laptop machines will not be as in demand. It may be that employees bring their own access device of choice into the workplace and you have to deal with it.

This is also a game changer for the information security of your mid-market organization as well. The standard layered security model has resulted in security being deployed in lines. At the perimeter we have built a castle and moat system.  We have invested millions of dollars in this perimeter defense where firewalls, IDS/IPS, gateway A/V and spam filters reside.  Perhaps the greatest culmination of that entire perimeter defense is the UTM (Unified Threat Manager). Moving inward from the perimeter we have invested in identity and network access & monitoring, server or host based defenses and finally endpoint security. 

All of this adds up to lots of security technologies operating often in their own silos. Finally, some of the larger enterprises have invested lots of dollars and time into SIEMs to pull all of this information together into one comprehensive view.

With the change coming to IT, our security model is going to change. Throwing all of the money and iron at the perimeter is going to be a waste. Building a castle locks us in, when our organizations want to get out. With everything we need “out there” we need a lighter, quicker but still secure perimeter. Next Gen Firewalls (NGFW) with their application and identity access control are a great option for these new perimeter defenses.

Identity and device access control is being built into the fabric of our network with smarter and more secure switches. Network monitoring solutions have also taken it up a notch, but overall can our networks just be flatter? If all of the “good stuff” is out there, what zones and areas do we need to establish in here?  Maybe just who can get out there and when?

For server security, that will be a joint venture between your organization and your cloud/hosting provider. The service provider will be expected to provide host based security on the server whether it is physical or virtual.

Finally we come to the endpoint. There are some who say that many of our endpoint security anti-malware products are actually pretty useless today. While I realize there are many attack vectors that go right through our endpoint security, I am not ready to write them off just yet. In fact I think we need endpoint security products that go on our Macs, on our smartphones, on our tablets and everything else we use.

Would I like to see them be better and more effective? You bet I would. But just because they could be better, I don’t subscribe to the “they are useless” theory either.

This is of course just a general overview of what we might see. At each level if we drill in there will be more and more changes and adjustments.  At the end of the day we will need to rethink each of our security strategies and see if they are still effective in this new IT architecture.

So how about you? How do you think this change in IT is going to change your security strategy?

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

March 12, 2012

In Search Of . . . Security BSidesLV Sponsorships Are Open!

media kit cover

I am happy to report that Security BSidesLV is now open for sponsors! Our theme is “In Search Of . . . Security Pros.” If you are looking for real security professionals and people who take security seriously, BSides is the place to find them.

Working with the BSidesLV team we have tried to craft a sponsorship program which encompasses and is in harmony with the whole BSides experience. An event such as BSidesLV takes in excess of 100k to pull off. That is a lot of money to raise. We also know that one of the strengths of BSides is its grass roots support from individuals and smaller organizations. But raising over 100k a few hundred dollars at a time would be daunting. So what to do?

The team has come up with a great plan. We have sponsorship and donation plans for everyone from individuals who would like to donate sub-$1000 dollars up to Stellar sponsors who get a hospitality room as part of their sponsorship.  You can check it all out in the sponsorship kit itself right here.

BTW, that is right, I said hospitality room! We only have 7 of these sponsorships available, but the lucky sponsors at this level will get a room at the event location (still TBD, but we are close) to set up for BSidesLV attendees to stop by, get some career advice, find out about potential job openings and your company, and hopefully sample some of your hospitality. If this sounds good for you, don’t wait; I think these will go quickly.

Important to remember though that in keeping with BSides norms, it is not a marketing fest. Please send your recruiters, your engineers, your tech peeps. But let’s not turn it into an expo hall!

If setting up a hospitality suite isn’t your cup of tea or beyond your budget, we have several other choices with correspondingly lower levels of commitment. Each level from individual donor on up has its own set of benefits. You can read the kit for details.

No matter what level of sponsor or donor you are, know that the BSidesLV team and the community are humbly grateful for your support. Without it there would be no BSides. Please go check out the kit and let us know what you think.

We don’t think we have cornered the market on how to do this and if you have an idea on sponsoring that you would like to discuss, please feel free to reach out to me!

A couple of book keeping issues. First of all, on the non-profit status. Genevieve (banasidhe), Jack and team are busy making that happen. While it is pending, Genevieve has set up an account to accept donations. We are not sure we will have non-profit status set up in time to give you tax deductible donation receipts, so please be aware. I don’t want to get into the whole non-profit rat hole, suffice to say I know it is in process and I know that there will be plenty of transparency for anyone with a question.

We have made it easy to donate. We are using WePay and you can go make your donation online right now! This is really intended for donors and smaller sponsors. Larger sponsors would be better off dealing directly with the organizing team, and you can contact us at sponsors@bsideslv.org.

So go have a look and pick your level, but please donate. We probably need to raise 35k to 50k for deposits and insurance and stuff just to lock the location up. We need your help. 

To all of my security vendor friends out there, I am talking to you. I need your help if I am going to be successful in helping this team and event succeed. We are blessed that security is in the limelight right now. Marketing budgets are up. What a great way to reach the security professionals I always hear people trying to reach.  Please consider sponsoring!

On a personal note, when I volunteered a few weeks back to be the sponsorship coordinator for BSidesLV, I figured I know a lot of people and this would be fun and easy. It would be a good way to give back to the community. While I don’t know how easy it will be, I have already gotten far more out of it than I will ever give in. The BSides Community has been so appreciative and welcoming. It has been especially fun working with Genevieve. You have to love anyone who signs their emails with “With Love, Light, Laughter, Peace & Equality for All,”

March 08, 2012

How To Get An Invite To Next Year’s Security Bloggers Meet-up

As I wrote about earlier, this year’s RSA Security Bloggers Meet-up was the best one yet! We had over 170 people, mentalists/magicians, photo booths, great food, top shelf liquor and most of all the best, coolest people in the security industry. It is invigorating to see and chat with so many intelligent and fun folks.

The organizing committee for the meet-up loves having as many security blogger community folks as possible at our parties. We do try really hard to make it a “marketing free” zone though. We even put limits on what our sponsors do. But stopping bloggers from coming to party, never!

A party like this though takes a lot of time, effort and most of all money.  We plan to make sure we have enough food/drink for everyone. We use our invite list and past experiences to estimate this. So you can imagine when we have a lot of people show up who are not on our list it could be trouble. This year we ran out of wrist bands for guests and had to pay 40 dollars a head for each person who came in after we were out of wrist bands. Can you guess how that ends?

So I am asking each of you reading this to do me a favor. If you were not on the list for this year’s event but we let you in anyway, or if you want to make sure you are on the list for next year’s event (we actually start planning it soon), please send us your email now.

You can send your email to info@securitybloggersnetwork.com or to mediaphyter@gmail.com . Please include your name and blog/podcast or place you write about security. If you would like to include your twitter name, that is fine too.

Next year, if you’re not on the list, you won’t be let into the event. So please, do us and you a favor and do this now!

In the meantime, the pictures from this year’s event are being posted to our Facebook page. You can check them out here: https://www.facebook.com/bloggersmeetup


March 06, 2012

Security Myth Debunked

Note: I had written this before RSA but did not have a chance to post. So a bit late, but still relevant:

Ellen Messmer over at Network World had a good article about 13 Security Myths that maybe you shouldn’t believe. While each of the baker’s dozen that Ellen writes about is good, I wanted to highlight Security Myth #12:

Security Myth No. 12: "Sure, we have a firewall on our network; of course we're protected!"

Kevin Butler, information technology security analyst at the University of Arkansas for Medical Sciences, who says he has spent a decade as a firewall administrator, says there are plenty of myths about firewalls. Acknowledging he might have believed a few of them over the years, Butler says the ones that stand out for him are that "firewalls are always a piece of hardware" and "a properly configured firewall will protect you from all threats." About this second one he notes: "Nothing quite says hello like malicious content encapsulated over an SSL connection infecting your workstations." Other firewall myths he knows of include "with a firewall, there's no need for antivirus software" and one that really gets his ire, "Brand 'X' firewall protects against even zero-day threats." About this, he says, "New exploits against firewall protections are identified faster than they are mitigated. A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!"

I think Kevin is right on. There are no magic bullets in security and firewalls are certainly not the be all and end all. I especially love the zero-day threat myth. If only I had a dollar for every security product that was capable of stopping zero day attacks. I would be a rich man by now. But it is the last line of the paragraph that I really want to focus on today.

"A firewall shall never be a 'fire and forget' solution for perimeter protection, EVER!"

Amen to that Mr. Butler! How many of us have asked IT admins or even security folks when was the last time your firewall rule set was updated and received back a blank look or a mumble of “when we set it up a few years ago”. It is amazing that today, so many years later there are still so many networks where a firewall was installed, configured and left alone. (Let alone so many networks that don’t even have a firewall!)

What is even more amazing is that so many of these same people will swear by their firewall protecting them. It makes you almost want to shake them by their shoulders and wake them up. If your firewall is operating under the same rule set and configuration as the day you installed it, you probably are already p0wned. And please don’t blame your firewall, blame yourself for not managing it. Like guns don’t kill people, people kill people. Firewalls that are not managed don’t cause breaches, poor firewall managers cause breaches. 

Not to turn this into a pitch for my friends at Firemon (OK maybe just a little), I understand that many firewall management GUIs leave a lot to be desired. That is exactly why products like Firemon Security Manager exist though. There is just no good excuse for not actively managing your firewall.

While we are at it, let me get another pet peeve of mine off my chest. Just as bad as ignoring your firewall configuration, is not pruning your firewall rule set. Opposite of never adding rules or updating your firewall are the folks who add rules to their firewalls one after the other, multiple people adding rules without a process in place to do so. One person leaves, another person comes and rules get added on top of rules. Before you know it the electric spaghetti wires you have around your home entertainment systems are child’s play compared to the mess your firewall rule set is.

Just as two negatives make a positive, two rules trying to accomplish the same thing may negate each other and create a tunnel into your network that an 18-wheeler can drive through. If you don’t know why a particular rule is in place on your firewall, it shouldn’t be there. Again, not to turn this into a Firemon commercial, but that is exactly the sort of thing their product takes care of. It examines your rule set and makes sure what you have is what you need. You can see what the consequences are of adding a rule to your firewall; it makes recommendations on what to add and what to take away. It makes you smart about managing your firewall.
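The overlap problem above (a broad rule left behind by someone long gone that silently defeats a narrower rule added later) can be checked mechanically. The following is an added example, not Firemon's code or anything from the original post: a first-match rule-set model over constructed rules and addresses that flags shadowed rules and tells a harmless redundancy apart from a conflict that opens a hole.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: tuple[int, int]  # inclusive destination port range

def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if a packet src -> dst:port hits this rule."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.ports[0] <= port <= rule.ports[1])

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` could match is already matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.ports[0] <= inner.ports[0] <= inner.ports[1] <= outer.ports[1])

def effective_action(rules: list[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate the way the firewall does: first matching rule wins, implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"

def find_shadowed(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Report rules that can never fire because an earlier rule covers them.
    Returns (shadowed, shadowing, kind): "conflict" when the actions differ (the
    later rule's intent is silently defeated, i.e. a hole), "redundant" when they agree."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "conflict" if earlier.action != rule.action else "redundant"
                findings.append((rule.name, earlier.name, kind))
                break
    return findings

def prune_redundant(rules: list[Rule]) -> list[Rule]:
    """Drop only redundant rules. Conflicts stay: a human must decide which
    rule's intent is right (often the broad early allow is the one to remove)."""
    dead = {name for name, _, kind in find_shadowed(rules) if kind == "redundant"}
    return [r for r in rules if r.name not in dead]

# Constructed rule set (made-up names, RFC 1918 and documentation addresses only).
SAMPLE_RULES = [
    Rule("allow_any_to_internal", "allow", "0.0.0.0/0", "10.0.0.0/8", (1, 65535)),  # left by a departed admin
    Rule("deny_ssh_to_admin_net", "deny", "0.0.0.0/0", "10.0.5.0/24", (22, 22)),     # added later; never fires
    Rule("allow_web_to_dmz_host", "allow", "0.0.0.0/0", "10.0.1.10/32", (80, 80)),   # harmless but dead
    Rule("deny_everything_else", "deny", "0.0.0.0/0", "0.0.0.0/0", (1, 65535)),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{shadowed}: {kind}, shadowed by {by}")
    print("SSH to admin net:", effective_action(SAMPLE_RULES, "203.0.113.7", "10.0.5.20", 22))
```

Real rule sets also carry protocol, interface and state conditions, so a production checker needs a richer match model; the shadowing logic stays the same.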

Yes, a firewall is not a panacea. By itself it will not make you immune to successful attacks. But a well-managed firewall is still your best friend in keeping the bad guys out and your network running safely.


User Activity Monitoring (UAM) and Data Theft Webinar

Living down here in South Florida, I am always excited to find out about security companies right here in my own backyard. About a month or so ago I came across Spectorsoft, where my old friend Jeani Park is now working. I don’t know how I missed Spectorsoft before. They have pioneered something they call user activity monitoring (UAM).

I am appearing on a webinar with Spectorsoft tomorrow at 2pm east coast time that will explore how UAM can help prevent data theft. If you are not familiar with Spectorsoft and UAM, you should definitely dial in to the webinar. It’s free of course and by attending you are eligible to win a new iPad3.

User Activity Monitoring allows IT Pros, Security Experts, HR, and Risk Managers to see what users and groups of users are doing. Capturing and replaying how people, departments, and divisions work, which applications and systems they are using, and how they communicate enables organizations to:

  • See who accesses, transfers, and alters protected or confidential information
  • Record and replay work activity to see which individuals and groups are most productive and efficient
  • Capture and review email, IM, and chat communications to be sure your Electronic Acceptable Use Policies are met

Sounds pretty comprehensive I know. I have seen the product in action and can tell you it really does work.  Join us on the webinar tomorrow if you can!

March 05, 2012

Vroom, Vroom, fast cars, fast women and security?

Now that RSA is over it is time for my annual rant on how we sell security. As my friend Mike Rothman wrote, this year's RSA was full of optimism, race cars and booth babes. The optimism was a refreshing change from the last few years of glass half empty, shoveling sand against the tide pessimism. But I don’t get the race cars and you know I don’t like the booth babes.

First the race cars. I will admit it, I am not a big NASCAR guy.  I am not even an Indy/Formula One guy. But just as I don’t mind seeing a beautiful woman, there is some sort of primal attraction of guys to race cars. My question is what does that have to do with security? 

So some security vendors (who seem to be awash in cash) find that sponsoring a race car is a good use of marketing funds. First of all I would be hard pressed to agree that it is a good use of funds, but hey, it's their money to spend as they see fit. That does not make it about security though, does it? Like Mike said, it is not like they were raffling off these cars. Is it that they think having a car is going to draw me over to look at it and while there they are going to sneak a security conversation in? Seems weak to me, no?

Let’s substitute a pretty woman for the car. Dress her scantily of course and have her hold a sign that says size matters. You pretty much just described the Loglogic booth. So what is that about? How about you women reading this out there? How do you feel? Is there a connection here?

I have said it before and I will say it again, in spite of what my friend from ATL says. Booth babes have no business at a security conference in San Francisco. You want to do this in Vegas, I can understand it is the Vegas thing. But not at RSA, not here.

For the life of me I don’t understand what smooth tires and bumpy women have to do with security.  If your message isn’t good enough to attract the attention of the people who come to RSA, get a better message. Don’t try to compensate with fast cars and fast women. I think marketing folks who resort to these tactics need to figure out why someone would want their product or service beyond taking a picture with a car or booth babe. 

We have come a long way since the geeky dweeb who would never have a pretty girl talk to him was the norm in this industry.  It is time our marketing caught up.


Alert Logic Cloud Security Report Shows Cloud Security Is Different and the Cloud May Be Safer

With all of the rush around RSA week last week, I didn’t get a chance to post on the “State of Cloud Security” report published by my friends at Alert Logic last week. I think this first installment of what promises to be a semi-annual report sheds some real light on the differences between on premises and cloud security environments and also advances the notion that despite the FUD, the cloud may in fact be safer for certain kinds of applications.


The report itself is an analysis of over 2.2B security events that were monitored by Alert Logic’s security team across over 1500 customers. With that volume of data you can really see trends and patterns develop. Also, because this was split across hosted, cloud and on premises environments, it gives you a well rounded view of what is being seen in the way of attacks out there. BTW, you can download the report here.

Here are the important takeaways I would like to focus on:

•  When compared to traditional in-house managed IT environments, service provider environments show lower occurrence rates for every class of incident examined.
•  Service provider customers experienced lower threat diversity (i.e., the number of unique incident classes experienced by a customer) than on-premise customers.
•  On-premise environments were twelve times more likely than service provider environments to have common configuration issues, opening the door to compromise.
•  While conventional wisdom suggests a higher rate of Web application attacks in the service provider environment, Alert Logic found a higher frequency of these incidents in on-premise environments.

So what does it mean? First of all, there is a real difference in the kinds of attacks and events we see in the cloud versus on premises. Anyone who is still saying that cloud security is no different than on premises security, to paraphrase President Obama, “doesn’t know what they are talking about”.

Secondly, the cloud does appear to be safer. They see fewer kinds of attacks, fewer attacks overall, and on the whole cloud/hosted environments have fewer configuration issues.

A third thing that is borne out in the data is something that I think intuitively we know. The bigger and more complex your environment, the more risk you have.

The report is chock full of other great information. It is free and you really should go download it. Also stay tuned for future versions of the report in the months and years ahead. Nice work by the Alert Logic team!


March 02, 2012

Is Security Event and Information Management (SEIM) Finally Coming To The Mid-Market?

If you speak to many analysts in the information security space they will tell you that all roads lead to SEIM. Security Event and Information Managers represent the pinnacle of security technology. They proverbially tie the bow around all of the different security technologies and products you deployed, while giving you actionable intelligence into your security posture. However, SEIMs are also known for their complexity and have been deployed successfully in mostly large organizations. Now the time might be at hand where mid-market companies can leverage SEIM.

I am here this week at the RSA Conference in San Francisco. It is one of the largest if not the largest security information shows in the world. It is literally where the world gathers to talk security. Walking the show floor and meeting with many of my friends I am hearing of several ways that SEIM is being brought to the mid-market.

One method is harnessing the power of the cloud and SaaS delivery models. SEIM as a service is a play on Security as a Service. Taking the large upfront license fee out of the equation and wrapping a managed service around it, vendors like Fishnet Security are now offering SEIM in affordable monthly bites with security services wrapped around it. Fishnet is not the only SEIM-as-a-Service either. Several MSSPs (managed security service providers) are also offering managed SEIM on top of the other security services they offer.

The as-a-service model offers several advantages for the mid-market organization. Besides less upfront cost and outsourced management of the service, expertise not available to organizations this size comes from the provider as well. Without these I don’t know how most mid-market companies can really utilize SEIM effectively.

Another option for SEIM in the mid-market comes from the open source security world. Alien Vault, makers of OSSIM (open source security information manager), has just raised some significant new venture capital and brought in a new management team. It seems that most of the executive team of Fortify Software, which was bought by HP, has left to join Alien Vault.

By packaging several open source security products along with OSSIM, a mid-market company doesn’t have to go and buy different security technologies to feed data to the SEIM. This all-in-one is geared to the mid-market and gives them insight and views tailored to their needs. Alien Vault is also offering their mid-market customers the ability to share info on threats so that they are all better protected. The new management team is very high on bringing SEIM to the mid-market and believes the open source model is the way to go.

So it seems that finally the mid-market is going to enjoy the benefits of SEIM. Of course others have tried to bring SEIM down to the mid-market before and it hasn’t worked. While the jury is still out on these new ventures, it may be that the time and technology are finally right to make this time the charm.

In other news from RSA, you would be hard pressed to know that the economy is not booming. The show floor was sold out, the meeting rooms are packed. There are lines to get in everywhere. Most of all, the parties by the vendors are some of the most extravagant and plentiful I have seen in my 10 years of attending RSA! Maybe security is finally being taken seriously by everyone.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

March 01, 2012

Security Enters the Age of Mammals

Having spent the week at RSA observing and talking to the security industry, I feel that we are on the threshold of a new era in security. After lamenting a lack of innovation and bemoaning nothing new under the sun for the past few years, I feel that over the last two years we are seeing a clear KT boundary in the security space. As Marty Roesch said to me when I had a chance to catch up with him, security is entering the age of mammals.

First of all, it is obvious that the security industry is undergoing a boom time. It seems to be awash in cash. From the size of and number of exhibitors on the show floor, the sold out and overcrowded meeting rooms and the number of people who have flown in here from all over the world, it is hard to believe the economy is a factor in the security space. Almost every company I speak to is having a hard time filling open slots for jobs. Perhaps most of all, the number and extravagance of the parties being thrown this year is like no other I can remember. Could it be that infosec has finally arrived? Have hacktivism, cyberwar, cyber espionage and high profile breaches finally put information security in the forefront of people's wallets, if not their minds? I don’t know if I am ready to buy that yet, but something certainly seems to have changed.

At the AGC Conference on Monday it was reported that both investment and acquisition numbers are up, IPOs are once again a viable liquidity event.

More than a money trail though, speaking with security vendors it seems that they see real opportunity in the market. As Simon Crosby said on my panel Monday at the AGC conference, the old security vendors are history. There is a greenfield for new ideas, new companies and new security to fill in the niches created and vacated.

Like mammals crawling out and taking over after the death of the dinosaurs, there are new security companies that are emerging that tackle new problems and better deal with old ones. Of course it could happen that as in the past the big, old companies will buy the new small ones, but either way the optimism in the security space is refreshing.

A big factor driving this is that IT is changing the way they do business too. Moving away from servers on the LAN, desktops and even laptops is creating a brave new world. Mobile devices that access apps stored on virtual servers in the cloud present an entirely different set of security issues. This model needs new solutions, delivered in new form factors.

Virtual appliances have been around a while, but they are a way point and I think everyone knows it now. Agents talking to multi-tenant back ends are being deployed all over the place in a SaaS model. But even the agent may give way to an API that allows the security infrastructure to interface directly into the infrastructure or platform. We are seeing a change in the IT industry akin to the rise of the PC. The twin titans of mobile and cloud are disrupting IT and security will be disrupted as part of it. But out of this disruption a new type of security will emerge. Like the small mammals that came out after the dinosaurs and took over the world, these new security companies will inherit the security landscape.


Social Security Blogger Award Winners

So the 6th annual Security Bloggers Meet up at RSA Conference is now in the books. I don’t know about you but I thought it was our biggest and best one yet!  We had about 170 folks at the party this year. As I said at the party if you were not on the list please make sure we have your email and blog so that you can be sure to be on the list next year.  You can send your info to info@securitybloggersnetwork.com or mediaphyter@gmail.com.

Thanks to my fellow committee members Rich Mogull, Martin McKeay, Jeanne Friedman and most of all Jennifer Leggio. These folks work all year long for these couple of hours to go smoothly. Also a huge thank you to our sponsors who stay with us year after year and make this party possible: Fortinet, Sourcefire, Barracuda Networks, Core Trace, Akamai, Qualys and especially our friends at RSA Conference.

For the 4th year this year we of course had the Social Security Blogger Awards. Our finalists this year truly are the best of the best. The winners are the very top of our community. Before I tell you the winners, let me also give a huge shout out to our blue ribbon panel of judges: Bill Brenner, Kelly Jackson Higgins, Larry Walsh and our special guest judge, Wendy Nather. As many of you know, Wendy was not able to join us at the show this year because she is home getting better. Everyone who blogs in the security world wishes her a speedy recovery and looks forward to her joining us here next year!

So here are the winners for the 2012 Security Blogger Awards:

Best Corporate Security Blog Nominees:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

and the winner is:

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

and the winner is:

Exotic Liability http://www.exoticliability.com/

The Most Educational Security Blog

Cognitive Dissidents http://blog.cognitivedissidents.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

and the winner is:

Tao Security http://taosecurity.blogspot.com/

The Most Entertaining Security Blog

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

and the winner is:

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

The Blog That Best Represents The Security Industry

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

and the winner is:

Krebs On Security http://krebsonsecurity.com/

The Single Best Blog Post or Podcast Of The Year

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

and the winner is:

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

The First Two Members Of The Security Bloggers Hall Of Fame (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

and the first two honorees:

Bruce Schneier, Schneier On Security

Brian Krebs (Washington Post, Krebs on Security)

Congrats to all of our winners. Thanks everyone for coming and making this another great bloggers meet up. Now back to making next year's event the best!

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
