Harvard.. Thursday

So today was probably one of the best (BEST!!!) lectures I think I've ever heard in any course.. a day full of a 43 year professor (the one who taught Obama!) talking about communications and persuasion. Gary Orren had us for a full day, with a full framework for better targeting and framing communications to persuade others (voluntarily) to change course. WHAT A DAY.

Better? It was topped off with two speakers at the Forum (Agora -- a food market by day, speaking pulpit at night)... unfiltered Q&A. Eric Cantor (http://www.majorityleader.gov/) talking on the budget. The talk was terrific, but HIV activists protested at the end and were walked out. Regardless, an incredibly civil session! Finally topped off the night with a lecture from William Perry. What a day!

Jeff

My arrival at HKS...

Shirley asked me to post pictures of my immediate arrival, so here goes... This is my little room. There's a common living room as well, but nothing special. The view from the room however is really nice. The room is on the 4th floor of a dorm overlooking Soldiers Field Road, the Charles River, and the main Harvard Campus. The dorms are shared with Harvard Business School, so who knows, I may be sharing a dorm with the next Warren Buffet! Speaking of networking, it's already starting. Had lunch with two guys also here for the Senior Exec Program --the Regional Director for the Park services from Philly, and another from the Fed Trade Commission. Great conversation over lunch.

Ok, I'm off. Need to change into a suit for opening day. We were asked to be in business attire. You know how much I hate wearing a tie, but I'll do it just this once... in case they take pictures ;)

Jeff

Another mover into the MSSP space?

Just running through my required reading. I know, it's a little late, but heck, I'm a bit of a multi-tasker, not-so-good television tonight, and I'm in between good books. Ok, not really, I'm reading "The Accidental Salesperson".. it's actually pretty good, but I've had enough for today.

Anyway, in my browsing my required reading and RSS feeds, I came across an interesting post. ADP (the payroll outsourcing company) is  advertising for forensic people for their 'converged security' practice. About five seconds of digging --http://www.indeed.com/q-Converged-Forensic-jobs.html --shows several postings for ADP's new outsourced practice. Funny, I know there's money attached. I saw something from a year or so ago that talked of $355b government spending for cyber security, but a payroll company? Wow. Talk about teaching old dogs new tricks! I'm impressed! The bigger question? Will they be successful? What exactly does ADP call 'converged'? I know what I call it, but the definitions seem to change.. infosec = cyber. What exactly does converged mean in the market today?

Jeff

On Value...

I’ve been dieting since the beginning of the year. Anyone who knows me knows I need to be on a diet, but last night, after heavy jonesing for Chinese food, I broke down and had Chinese food.

At the end of my meal I sat thinking about what I’d just eaten. The dumpings weren’t hot; the sweet and sour sauce obviously from a can (bag?); and the meal as a whole just tasteless and lacking. It was going to cost me at least an hour on the treadmill and frankly, just wasn’t worth the calories I’d eaten. On my way out the door I stopped at the register to pay. The owner asked (as they always do) how my meal was. I said nothing. She obviously saw the painful grimace in my face as I held back my criticism and pushed a little more. In a slow, and deliberate way, I explained –my dumplings were cold, my sweet and sour pork was plain, and the meal as a whole was simply lacking. The woman explained that the dumplings should have been hot, but the sweet and sour pork is “the way we do it”.

So here’s a clue. “The way we do it” means “There’s a reason you only have five people in your restaurant at the peak of the dinner hour”. “The way we do it” is directly related to the fact that you’ve got a sign on your front door announcing a price reduction on your buffet.

What’s this got to do with tech? I do consulting –not full time, but on request under the name Hammerhead Research. So this piece isn’t a plug for Hammerhead, but it reinforces a message that demonstrates exactly what I have been telling clients (and now my government bosses) for years.

1.     Know your customer.

2.     Know exactly what your customer considers valuable.

3.     Know who your competitors are, and your value proposition in relation to them.

4.     Create products that add value

5.     Don’t stray. Pick your value proposition, stick to it, and deliver it consistently.

6.     In the commercial world, target customers who both need the value you add, and have the ability to pay.

It’s a pretty simple formula actually. It took a startup failure, $800K in angel funding and being sued for me to learn this lesson in retrospect.

Two years or so ago I authored a plan for a Fortune-100 company who wanted to move from the physical security monitoring space (think ADT, but not ADT) into the computer security space. They wanted to become a global-scale managed security service provider, competing with ADT in the consumer market by integrating wireless unified threat management (UTM) devices into home fire and security monitoring systems. If a fire, flood, home invasion, or cyber bad guy set off an alarm, one of this company’s monitoring centers would be alerted. It would then be evaluated, and the analyst could make pre-determined decisions on how to react. 

To understand the customer, I researched consumer demand for information security devices. Not surprisingly, most consumers don’t know what they don’t know. Anti-virus was deemed by most to be enough. Consumers are already price conscious when it comes to home monitoring, with $25-$40 being the current market pricing.

To research the space, I studied current offerings, and gaps in current physical security and MSSP offered services. I called on (by phone and in person) customers who were showcased on potential competitor websites to find out what they liked and didn’t like about their current provider. I polled competitor salespersons about future company plans (those guys will tell you anything!). I performed this service across the spectrum of providers that might compete with the new business in this F-100.

In the end, the company decided not to enter the market. Consumers were highly price sensitive, don’t understand the need (yet), and the market fragmented by a perceived lack of value in the home monitoring market and a low opinion of the companies selling services. In my opinion, this company was smart to not become just another monitoring company. While the computer monitoring service would likely differentiate them from the rest, the value proposition wasn’t strong enough (in the customers’ eye) to generate long-term sales.

This is one example. I’ve researched and authored dozens of startup plans or turnaround studies for companies large and small who simply don’t understand the value proposition. I’m hoping the owners of that Chinese restaurant read this post.

Know your customer

Know your competitor

Know your value proposition

Deliver consistently

Repeat!

On Virtual Internet Experience and Good Hygiene...

I was reminded yesterday of my tracking of Invincea. Virtualization -great strategy! I'd like to offer a few thoughts however, as with any application, remember this.. architecture counts, as does basic system hygiene. Hygiene is the process of keeping systems up to date, patches installed, antivirus up to date, etc.  Realizing there are probably 400 things that need to be kept up to date to keep your networks from stinking like bad breath, and only one needs to go wrong to allow in hackers, System hygiene is one of the hardest things, but one of the most important things, to do. In fact, I'd argue that ensuring the basics of system hygiene are far more important than applications you might buy. Pay attention to how applications get deployed- especially virtualization, and you'll have better results in the end.

I've seen several schemes for virtulization of the users' internet experience. Please don't get me wrong. I'm a HUGE fan of the strategy --so long as it's implemented correctly. IPS alone wasn't the panacea; nor will virtualized internet experiences. How does this get accomplished? Think about the kinds of things users must (or want) to do. What things do they need to do to not feel pain of virtualization? They need to browse, share email, download. They need to move information from the virtual space (for internet use) to the corporate network. So now we've moved from the realm of a virtualized internet experience to a need to move information to and from the corporate intranet. How does this happen? Good system hygiene and architecture. The basics of defense in-depth, and dedication to keep those items clean an up to date (hygiene).

Bottom line. VCs tell startups "Sell across the street before you sell across the ocean".

I'd tell admins and CIOs, Practice good hygiene before you spend money on more advanced infosec offerings promising to stop advanced persistent threats. Ya can't get there from here.

Jeff

Bit9 (and a bit of a rant about Infosec Pros!)

I have to tell you, every now and again I get a presentation from a product vendor that just makes me go "Wow. I wish I'd thought of that!" Bit9 was one of those.

During my travels I keep hearing the name Bit9, but hadn't really been exposed to their product. I attended a conference in January where they had a booth, but I hate those things. You can never have a serious talk. I guess they are a good way to get exposed to a lot of things and then circle back, but I always try and take notes on which to circle back on, and then either forget, or end up misplacing the literature.

Anyway, I did see Bit9 during the conference but didn't get to spend any time with them. When I returned, I forgot about them, only to be reminded a couple of months ago. So I set up a time, and offered my staff a lunch 'n learn.

Bit9 is a tool used (I'm sure they have others, but I loved this one) to identify installed malware on a system. More importantly, I was surprised to see that Bit9 is the brains behind some of my other favorite tools like Mandiant's MIR and is delivered by about a dozen others providing services. Interestingly enough (maybe I hadn't looked hard enough) I was under the impression that this space was wide open for exploitation with very little competition and a reasonable barrier to entry... meaning if I went to a VC for money to build the solution, a business case could be made, and I'd have enough of a run on my competition to be able to make a few bucks before they caught up. I still think that... the market for malware identification is still wide open and the AV vendors don't seem to have a clue.

Back to the point. Bit9 backends several malware identification tools with a database in a 'cloud' (marketing speak for two datacenters in Massachusetts). Regardless, the cloud is a massive repository of unique indicators each representing specific pieces of malware. The Bit9 tech is deployed to scan an environment using a client based system which compares files on a system to those in Bit9's database. The management console was, as you'd expect, pretty. Pretty without functional does no good, but in this case, the management console was totally functional. Running in a browser, it can be operated by any SOC or remote worker.

Bottom line: If you're looking for malware identification/remediation and whitelisting tools, save yourself some time. I've heard the name from some of the best companies in the world. Bit9 appears to have something real. I'd look at them first.

[rant]
In sitting with my team (and others I've worked with), it seems vendor presentations are peppered with questions like "You do X, why don't you do Y?"

This case was no different. Scope creep in vendor presentations is easy, and often takes away from the presentation. In this case, Bit9 has some really nice tech. They found their niche, filled it nicely, and are licensing the hell out of it to others who provide services in their space. Well done. What they didn't do was lose focus on their principle value proposition... finding malware on a host.

I'd love for one magic bullet solution. I'd drop it in my environment and turn it loose. It'd solve every problem I have, and those I haven't thought of yet. My users would be happy, it'd be free, and wouldn't require any maintenance... never going to happen.

Bit9 focuses on malware. Other technologies focus on other areas. Good management finds that first thing, with that first customer and puts it out of the park. Bad management finds thousands of customers and delivers mediocre solutions. I'm with Bit9.
[/rant]

Jeff

Invicea bake-off in a large company Internet isolation strategy

I had the opportunity to speak with a colleague last week. This gentleman is the CIO for a very large company and is in the middle of a bake-off between Invicea and another virtualization offering.

I'd discussed virtualization with him previously, but not in the form you're probably thinking. This is not a datacenter reduction strategy, rather an internet isolation strategy. He's trying to figure out a way to isolate his corporate network from the open internet.

My discussion started like this... "I'm interested in understanding how the Invincea test is working for you." His response? "No virtualization offering is worth anything by itself. Let me show you the what we wanted, what we did, and the architecture that we had to build behind it." In the end, this CIO built one reference architecture in which he tested two virualization strategies. Both were intended virtualize only Internet Explorer on the desktop.

His measures of success were easy to understand and very straight forward:

1. Isolate to the greatest extend, the internet from the corporate environment.
2. Do it with the least possible pain experienced in the end user experience.

I'd had a strategy discussion with him about a year ago. We discussed several options, including other virtualization applications, but also the use of simple terminal services, as well as a more simple idea.. issue everyone an iPhone. In the end, the iPhone dog didn't hunt and was dropped for discussions of the limitations of terminal services versus the implementation of an application virtualization strategy.

They've done a great job in that year, and now have about 1200 users in the pilot. Invincea had strengths and weakenesses, as did the other product. The other product has a significant price advantage, but is a tool developed for one thing, then used in another (therefore, no support for this particular use). Invincea on the other hand is a small company and therefore, more willing to accept development money and allow this large company to shape its product strategy.

Bottom line: No one application (including this wonderfully promising tech) is the cure-all. Remember defense in depth? Invincea handles only one of those layers, but with the right architecture in place provides a truly viable option. There are others however. Don't be afraid to look around. One company I talked with was experimenting with qmu! Others, VMWare, simple terminal services, etc. Do you homework. Do the architecture. And remember, in the end, nothing's cheap!

Jeff

Killed my SafeSocial account...

Great idea, not so good execution.

SafeSocial sent me the following:

"We have some cool news for you. Your parent, JEFFERY STUTZMAN, signed you up for something called SafeSocial.

You know how sometimes the adults in your life worry about you on the Internet because stuff can happen on sites like Facebook that isn’t safe? SafeSocial is a way for your parents to protect you and keep you safe without invading your personal space too much. It will make everybody's life easier."

I thought to my self, is this in language that my kids would respond to? Maybe. Regardless, after receiving this email telling me my parent (me) had some cool news, I decided to go back and look at the results. If I'm going to pay nine bucks a month for the service it needs to provide value. In this case, even though I have a couple of social networking accounts, SafeSocial didn't really do much for me. My five day trial period was up. I'll try it again later.

If anyone else has feedback on this service, my personal opinion? It's a great idea. I'd love to see it. I probably won't pay nine bucks a month for it, but would consider say, four or five.

Thoughts?
Jeff

SafeSocial.com - Great idea! My thoughts...

I received an ad this morning for AOLSafeSocial. The idea is, parents can monitor their kids Facebook, Myspace, Twitter, etc., accounts via one portal, and the thing would both check the reputation of your child's online social network friends, and report any bad sites that your child may have been exposed to.

Having one new teen and another a bit younger, both knowing they're not allowed to have sex before their 42 (or I'm dead, whichever comes first) I had to try this.

Here's how it worked for me:

1. I clicked the AOL link which took me to safesocial.com.
2. The interface looked relatively sparse, but I did it anyway.
3. I decided that since I too have social networking memberships, I'd try it on myself first to see how it went. I added my email and name to the 'who do you want to spy on' (my words not theirs) field and clicked submit.
4. SafeSocial then sent me a link to my address telling me someone wants to monitor my social networking use. Do you really believe my 13 y/o daughter would consent to my monitoring her? (hint: not only no, but... you know the rest!)
5. Since I was experimenting on me, I clicked 'agree'.
6. Immediately SafeSocial squealed on me. It told me that I was on LinkedIn, which is not normally a site for kids. It then checked facebook and twitter.. both seemed ok (for now).

Couple of thoughts:

• My daughter will never allow my monitoring, nor should she have the option. I pay for her service, she's a minor in my charge, and I should be able to monitor without her consent. Love the idea of the service, but would have preferred to see it be more seamless.
  
• $9.99 isn't a bad price if the service actually delivers. I can say, I received multiple emails immediately upon signing on for the service.
  

Looking forward to seeing how this shakes out. My daughter is going to kill me!

Jeff

Mobile threats?

Damn! I knew I should have attended Blackhat this year!!

------------------------------------------------------------------------------------------

"It collects your browsing history, text messages, your
phone's SIM card number, subscriber identification,
and even your voicemail password." -
mobile.venturebeat.com

http://mobile.venturebeat.com/2010/07/28/android-wallpaper-
app-that-steals-your-data-was-downloaded-by-millions/

questionable Android mobile wallpaper app that collects
your personal data and sends it to a mysterious site in
China, has been downloaded millions of times, according to
unearthed by mobile security firm Lookout.

That means that apps that seem good but are really
stealing your personal information are a big risk at a time
when mobile apps are exploding on smartphones, said John
Hering, chief executive, and Kevin MaHaffey, chief
technology officer at Lookout, in their talk at the Black Hat security
conference in Las Vegas today.

"Even good apps can be modified to turn bad after a lot
of people download it," MaHaffey said. "Users absolutely
have to pay attention to what they download. And developers
have to be responsible about the data that they
collect and how they use it."

The app in question came from Jackeey Wallpaper, and
was uploaded to the Android Market, where users can download
it and use it to decorate their phones that run the Google
Android operating system. It includes branded
wallpapers from My Little Pony and Star Wars, to
name just a couple.

It collects your browsing history, text messages,
your phone's SIM card number, subscriber identification,
and even your voicemail password. Itsends the data to a web site,
www.imnet.us. That site is evidently owned by
someone in Shenzhen, China. The app has been downloaded
anywhere from 1.1 million to 4.6 million times.
The exact number isn't known because the
Android Market doesn't offer precise data. The search
through the data showed that Jackeey Wallpaper and
another developer known as iceskysl@1sters! (which
could possibly be the same developer, as they use
similar code) were collecting personal data. The wallpaper
app asks for "phone info," but that isn't necessarily a clear warning.

The Lookout executives found the questionable app
as part of their App Genome Project. Lookout is a mobile
security firm, and it logged data from
more than 100,000 free Android and iPhone apps as part
of the project to analyze how apps behave. It found that the
apps access your personal data quite often. On Android, each
user is asked if they give their permission to access an app,
but on the iPhone, where Apple approves apps, no permission
is needed.

Roughly 47 percent of Android apps access some kind
of third-party code, while 23 percent of iPhone apps do.
The executives also found that many apps use third-party
software programs to do things such as feed ads into an app.
Often, developers unquestioningly use the software
development kits of those third parties in their apps,
even if they don't know what they do. In many
cases, there is a good reason for the use of personal information.
Ads, for instance, can be better targeted if the app knows a
user's location.

Hering said in a press conference afterward that he
believes both Google and Apple are on top of policing their
app stores, particularly when there are
known malware problems with apps. But it's unclear what
happens when apps behave as the wallpaper apps do,
where it's not clear why they are doing
what they are doing.

More on Invincea

Last night I had dinner with an old friend. As often times, the conversation rolls around to information security, and the new threats. One tactic for protecting against these new threats appears to be, at least on the surface, is virtualization. How can a company remove access to the Internet while maintaining the ability of those who require access, to get it in a safe way --all without killing the user experience to the point where they'll find alternative means of gaining access.

As mentioned before, I've seen pitches from VMWare, talks on using Med-V, thin client solutions --all of whom believe they have the answer. Not sure if they do, but one thing is for sure. My friend is the Director of Information Security for a very large company and they've doing a pilot/bake-off, and this little, out of no-where company called Invincea is actually one of the companies in the bake-off. Amazing. I can't wait to hear how this goes.

... More to follow on that.

A bit of advice for Invincea? Knock this one out of the park!

I'm liking what I'm hearing about this tiny company so far. I'm going to continue to track it. If anyone from the company is reading this (Dr. G did respond directly to me yesterday), I'd love to talk to a few reference companies!

JS

Anyone ever heard of Invincea?

I hadn't until just a few minutes ago. I was performing research for a consulting job for an investor who's considering making an investment in a security company. I'll sometimes do these on the side. Anyway, in this case I happened a cross a company called Invincea --using the words in their summary:

"Developed a patent-pending, revolutionary technology for protecting computer workstations from Internet attacks."

I love these words. Nothing thrills me more than patent-pending, revolutionary technology for protecting computers from Internet Attacks! Right now, I'm typing with sweaty palms and my hearts racing because the thought of new, patent pending revolutionary new software to protect my computer workstation from Internet attacks makes me, well, downright giddy!

So I read on... at the website (http://www.invincea.com/), I found a white paper. All startups have them. I was hoping to also find a list of reference customers I might contact while contemplating this paper. You see, the company is headed by the standard board of venture capital execs, but also by Dr. Anup Ghosh. That name might ring a bell for many reasons -DARPA program manager, NSA? That said, he's a smart guy and at first glance the company looked interesting. Now, while I haven't taken the time yet to look at the patent application, just reading the whitepaper tells me a little about the product:

1. It's revolutionary (their words not mine.. I'll stop making fun of them now ok?)

2. It uses virtualized browsers

3. It captures everything that happens during utilization of the browser during an attack

4. It sends everything from the virtualized session to a database somewhere (local or, as it states, in the cloud -I'm guessing Invincea is offering a managed service as well as software?)

Thoughts:

Virtualization seems to be a great buzzword for protecting from drive-by downloaded malware. I've seen a number of vendors (most of our favorites) pitch their wares on how good their product is in protecting from these threats. Some say the product can be reset at the close of each session (actually they all say that); some talk about how the virtual wall between the child and parent operating systems can't be broken (it's true, I've heard this before). Invincea however seems to be using a honeynet process in a virualized session. I like it. If you can't beat'em, set a smart trap for 'em. It seems to me, to be the best of both worlds -protection and collection; intel gain/loss (speaking in a purely network protective context of course!). 

What's next? I'm really interested in seeing some reference customers posted on the site. I've seen presentations on the technology before it became Invincea. I had doubts at the time. It looked to me to be far to much overhead to be powered on an already overburdened laptop, but what the hell. If it works, it could be good!

Back to you Dr.~!

I HATE COMCAST!!!

I hate Comcast!

I was paying a fee for a DVR from Comcast. Most of the time, many of the features didn't work. For example, the machine often froze, on demand NEVER worked, and on top of everything else, Comcast had to reset my system several times a month.. all for the high value, very low monthly price of $130.

So, I bought an Elgato Hybrid stick, inserted it in my trusty Mac Mini, hooked the whole thing up to my flat screen and off I went. All those ClearQam channels plus the local stuff. LOVE IT. The story gets better hang with me.

Comcast announced a few months ago that everything was going to digital.. and they did. My Elgato handled it nicely until... Comcast seemingly started encrypting more signals! I lost the Discovery Channel!

Finally over the weekend after missing Mike Rowe I broke down and bought a TiVo --only to find out that I need a multi-streaming CableCard --a PCMCIA card that plugs into the backend of the Tivo. So, on Sunday I enter into a chat session with a very nice Comcast rep who tells me "no problem! I'll ship you one.. or better yet, you have a Comcast office right around the corner from your apartment". If you go pick one up it'll save you ten dollars in shipping. I agreed.

So yesterday I took time over lunch and ran to the Comcast office. After waiting in line for twenty minutes the CSR told me that I had to schedule a service appointment. SHIT! FOILED AGAIN BY F*ING COMCAST! No appointments after 5! I have a secretary who scraps for every timeslot during my day and Comcast wants me to stay in the apartment waiting for one of their idiot flunky high school dropout (ahem) technicians? I asked if they could call so I could meet them... no. I didn't get a card. I didn't schedule a service appointment.

Today I called Comcast. I finally ended up with an appointment. The CSR on the phone put 'a note in the file' to tell them to call thirty minutes before they arrive. She couldn't promise anything. We'll see.

Poor customer service
High price
Low value programming
Three hour time slots required for delivery
Uneducated technicians (the last one sporting Appalachian goatee)

Let me say it again: I HATE COMCAST!!!

Jeff

Is Google the new NSA?

Am I the only one worried about this?

I've been watching Hulu and keep seeing Google ads for Chrome.

Every time I turn around, I see ads for the Google Droid (cell phone).

Here's a question for you.. does anyone know how Google makes money? It's not the same as other phone manufacturers, or Apple, or netbook manufacturers. They make money by selling hardware and/or software, and take a cut from the cellular providers for every two year contract.

Google makes money by collecting and selling information. Of course they're going to make money on the device itself, and from a cut from the cellular providers, but their main source of revenue is from collecting information -YOUR information, and selling it to marketers, data miners, analysts, researchers, or anyone else who will pay.

Now we've all heard the stories of how much information NSA (and other SIGINT collection agencies in the world) collect, and how much they process but these agencies get what can be collected over the air. Google has a better source --the handset itself. Can you think of better way to understand individual user preferences, calling patterns, behaviors? I can't. It's the one electronic device that we use the most; we depend on to stay connected, and Google gets to see it all. Where exactly do all of those apps connect back to? How does the phone stay in touch with Google? How much information is being collected? Who uses this information? Try Googeling "Google versus NSA" and see how many results come back.

Now take this a step further.. Google, although being challenged by Microsoft's Bing owns the search market, is moving quickly with their 'Chrome' browser, owns the blog I'm publishing this on, owns YouTube (and all of it's subscribers), Google Earth, Mail, Wave, Google Voice, and endless apps that they collect information from, and now, Droid.

Silly, but I keep having visions of a movie from last summer "Eagle Eye" and the automated actions of a supercomputer who used information collected from all of these devices and software, analyzed it, and used it to control every movement Shia LeBouf and a second unwitting victim. In the movie they referred to this information as 'collective intelligence'.

The difference between Google and NSA? NSA has intelligence oversight. Google does not.

Am I the only one worried about this?

The NEW Infosec is upon us! (but we're still armed with old products!)

Everyday I read dozens of articles regarding cyber war, DDoS, cyber espionage, the President's cyber czar (which, as I understand, remains unfilled), a TON of pro and con opinions in the press, and dozens of analyst opinions. This doesn't include vendor pitches and the deluge of advertising aimed at the Information Security dollars that will be spent in the coming years.

I'm going to lay it on the table in the hopes that someone will get it... today is the first of a couple of blogs offering comments about where we are, why we have issues, and hopefully, what we can do about it.

Here's number one... Vendors.

Vendors -companies who sell infosec products -don't get it!

Entrepreneurs want to hype their companies all with the hopes of making their products, companies and books looking better than than they really are will say anything to make it sound like the products are the best thing since sliced bread. In fact, many just don't get it. I can't tell you how many presentations I've sat through, only to ask the hard questions --hard questions about not the 80% of the threats they've built their pitches on, but about the top 20% of the threats that come in through spam, phishing, and drive-bys --all fueled by sophisticated social engineering? Yeah? Whadya gonna do about that?? So vendors, here it is --your products are built on the old threat models. Get with the program. Hire people with recent experience and sell GOOD products rather than products that try to solve EVERY problem. Find the pain point in the market, get really good at it, and fill the hole as best you can. Do your homework! Use a competitive intelligence guru who knows your space and can tell you exactly what your competitors are doing. Please, for the love of God, please, don't come see me without having detailed competitive intelligence in your back pocket. I swear, if I hear one more entrepreneur tell me they don't have any competition I'm gonna puke.. and then kick you out of my office.

Medium sized vendors.. I've got to pick on Security Information Management for a moment. Great idea, but it's making our SOC analysts dumb. They have come to rely on the boob tube with absolutely no idea what's going on the background. These products have turned skilled analysts into movie watchers. What's worse? The vendors have'em hooked like crack whores. Once the licenses are bought, and the SOC works on the SIM/SEM GUI, the company never looks back and will continue to pay over and over and over and over and over. They'll keep coming back for more because the sunk costs are two high to leave behind without without the CISO getting really red faced over the already money spent. Why do I have so many issues with SEM/SIM? Remember the old days when we watched a VT100 screen with IDS logs passing by? We were inundated with information but had no idea which ones were important. Today we have the same issue. How do you know what's important? OK, I'm a pretty seasoned guy, and can (sometimes) tell by looking, but most SOC analysts aren't. They need to know what's bad and what isn't. Then, they need to be able to look deeper. So, SIM guys, make it so! Bells and whistles aren't worth a damn if everything looks important. I can't tell you how many times I walked into the SOC, saw the SEM top ten list on the big screen and asked what was happening with the number one... I always got the same answer ... "It's a false alarm." Bull shit.

Larger vendors (like the Antivirus Vendors), can sit on their laurels and enjoy the fruits of ineptitude. That's right, I said ineptitude. Do we really know how (in)effective antivirus is? It's a good thing it's cheap! If it didn't why would we need so many layers in our defense in depth program? A/V should be able to kill anything landing on the computer, but, alas, they cant. Instead they have to rely on a whole slew of other technologies to do their job, and guess what? There's no way to correlate all of those things together to tell what's good and what's not! Sorry folks, I've come to the realization that A/V vendors would rather expand their market rather than make their product more accurate.

Bottom line. Vendors are out of touch with their market. Here are a few things that'd make things a WHOLE lot better.

1. Small and medium size companies --use Competitive Intelligence as a regular part of your marketing team. CI can help with pricing strategies (by finding out what competitors charge), product management, and long range planning. For the cost of one engineer, you can have a VERY clear idea of what you're facing and where the niche is.

2. Larger companies? Pay attention to your customers. Premium service packages are nice, but not if you're only catching 10% of the problems. The products should work first time, every time, and be right.

Next time... Magic Quadrant!

Jeff

We Have A Cyber Czar, and He Has Spoken

I couldn't help it. I took a link from Bob Gourley's CTOVision blog where he tells the world that we ALREADY have a Cyber Czar. His name is Vladimir Putin!

http://ctovision.com/2009/05/white-house-cyber-policy-review-and-a-cyber-czar/

Bob tells it like it is, so there's no need for me to :)

Enjoy!

Jeff

eWeekNews: Discovery Features Make DLP Smarter... really?

Lawrence Walsh's article (eWEEKNews, 2009-05-29) entitles "Discovery Features Make DLP Smarter" made me both scratch my head and chuckle a little. It's a story I've heard many times, and in fact commented on a few days ago in my blog notes entitled 'Vendor Hype'. In this case, it didn't take long to see something in the news about the one very item that I always think about when I think about vendor hype. Sorry Larry. You know I love ya!

Over the past several years (since 2004?) I've been keeping a close eye on the DLP space. This for many reasons. First if they can ever figure out how to go beyond SSNs, credit card numbers, and a few other key pieces of PII without the high false positive rate, this solution would be an absolute win. I'm not saying PII isn't important, but PII can be found using MANY tools, not just the expensive solutions offered by Vontu, Reconnix, and a half dozen others out there. There's something good that comes with these solutions (don't get me wrong!) but it is very simply this --they can find simple strings in moving data that they can flag on to tell you when something is leaving the enterprise that probably shouldn't.

I chuckle because one vendor in particular took a host based approach --Verdasys --to finding data and watching it move, while the rest seemed to believe they could do a better job of flagging it in motion. Now it appears they're heading in the same direction. The network based tools want to do host based detection/protection, while the host based providers want to start moving in the direction of the network.

That said, I polled several reference customers of a couple of DLP vendors. Not one of them reported their DLP vendor having done great jobs in the areas not considered their sweet spot. The network providers don't do host based work well.

Hunting critical information to effect its protection? This is a task not easily performed. Here's why... even in a small environment, data doesn't always sit where you think it should. While shares and repositories are likely places you'd want to find source code, work product, finished proposals, PII, or anything else you might consider important they almost always sit on the users computers and in many cases, private backup disks and other removeable media. Another critical issue --I've worked in LARGE enterprise (100,000+ users) for the last several years. One thing that troubles me in large enterprise is that most times the owners of those environments have no idea, nor any accounting, for where critical information resides. This is especially true of any company who's growth came from the heavy acquisition strategy used in the '90s!

OK, it's easy to be negative. Here's what I'd like to see to solve the problem:

1. DLP vendors need to consider integrating spiders into their applications that can do pattern matching in an attempt to flag data in a data classification schema. Once this is performed, do a bucket analysis of each of the different flags and let a human review the schema to ensure it's accuracy, and how the data should be protected. Use company policy (if it exists) to enforce as needed.

2. Performing hash value calculations on anything in a database and then watching them leave the enterprise isn't an effective solution. First, as I mentioned above, it's rare to know where everything resides. Second, documents have lives of their own. Hash values will change every time the document changes. It's impractical.

3. Consider integrating with digital rights management solutions. DRM DOES tagging, as well as offers access credentials. By integrating DRM solutions into DLP, you get the best of both worlds without having to build another solution.

DLP vendors need to think about partnering to offset some of their gaps. One does host based protection well. Others do network based protection well. Stop trying to be something you're not and pair up!

As always, feedback welcome! Mine is only one opinion :)
Jeff

Study finds IT security pros cheat on audits --Is this a surprise?

In an article received on twitter yesterday, the author (Angela Moscaritolo, on May 27, 2009) discusses the fact that IT Security Pros cheat on Audits. The article may be seen at:

http://www.scmagazineus.com/Study-finds-IT-security-pros-cheat-on-audits/article/137546/

It should come as no surprise that corners get cut in audits. I wouldn't call it cheating per se, nor am I defending those who blatantly gundeck (a Navy term for cheating on assigned tasks) for a few reasons, but here are two:

1. In smaller/medium sized companies, resources generally don't exist to carry out the full scope of even the most basic audit frameworks (measuring against 800-53, ISO, etc.), thereby leaving gaps in the completed audit when compared to the plan.

2. In larger companies, the audit teams report to the board of directors, not the ISO or CFO as will the Risk team or Information Security team. Auditors get treated like every other auditor.. they get what they ask for -nothing more, nothing less. I've worked as an auditor, and worked with auditors several times in the past eight years and know the drill quite well. If an auditor is uninformed, they don't ask good questions, and as a result, get inaccurate information.

Tips for doing better audits?

1. Look for experience IT/Security people that can be taught auditing. Certifications are good, but not perfect. CISA is common among the large consulting organizations, but again, personal experience leads me to believe that not all CISAs are created equal.

2. Create an environment of cooperation between the audit team and the infosec/risk team. If an audit is going to happen at a certain location, why not leverage the audit team to perform a risk assessment at the same time. There's an opportunity for resource sharing if you can get legal to sign off.

3. Cross train and labor share. Use infosec people as auditors, and get auditors involved in sitting in the SOC. This makes everyone smarter, and eventually, the company better.

4. Find a good framework and stick to it. Measure the results location versus location, program against program, or division against division. It's not a report card but a score card that offers baseline, and hopefully upward trending.

Most importantly, remember, auditors get treated like auditors. They're outsiders and need to know what to ask, and whom to speak with to get the right information. They get this through bonding and familiarity in the organization. Train them well, get cooperation with infosec, and you'll see markedly better, and more consistent audit results.

Happy hunting!
Jeff

Podcast: More Targeted, Sophisticated Attacks: Where to Pay Attention

What timing! I just blogged about this this morning.

The conversation is 20 minutes long, but the piece with Marty talking about new issues --Social Engineering and (still) bad code is about 6. It's worth a listen. I'd love comments back. Thoughts? What other issues should we be concerned with during this period of adjustment to new threats?

More Targeted, Sophisticated Attacks: Where to Pay Attention
http://www.cert.org/podcast/show/20090526lindner.html

Featuring:
Marty Lindner - CERT Julia Allen

RSS: http://www.cert.org/podcast/exec_podcast.rss

Information Security Vendor hype?

It seems we're in an entrepreneurial dilemma... especially in the information security field.

Entrepreneurs/innovators/tech sales people create, commercialize and sell new, innovative tools, but it seems we've hit a plateau where the entrepreneurs don't understand the new market. In this down-turned economy how many infosec companies have failed? How many have been bought? I'd guess far fewer acquired than failed but then again, that's always been the case. Now it seems harder. It seems entrepreneurs are stuck in two areas that they just can't seem to find their way clear of:

1. New attack methods are not caught by old security tools! No matter how many signatures you stick into an IPS, it's not going to be able to stop a C2 channel heading out your door when it's buried inside of FTP! Don't tell me about Data Loss Prevention or losing the perimeter. I've had all the sales garbage that I can stand from the likes of Vontu and Verdisys. While both good ideas, DLP is not a solution for identifying and stopping badness inside your enterprise. The solutions stop 'not so smart' people from doing stupid things but do not stop smart people from stealing information from you.

2. Entrepreneurs are so busy selling (hyping) their products, and so busy with their noses pointed squarely at their keyboard (or financials), they've lost touch with what infosec practitioners really need... and the worst part is, they're not getting it from the trade magazines either! SC Magazine has gone from a robust magazine with good information to an ad rag full of expensive ads and very little content that will give entrepreneurs information to help them focus their product lines and strategy. So here's a bit of advice folks (from a guy who gets pitched more times than most), stop pitching. Leave your marketing materials at the door. Do your homework and be ready to answer hard questions. If I visit your company, I don't want to talk to your business development people. I want the techies. I want to see the results of your product on your company network, and I want to see the demonstrated ROI realized by you. I want to talk down and dirty tech. Tell me why it works. Show me that it does. Tell me it's current limits... then, and only then, will we have more to discuss.

3. Venture capitalists continue to push offshore development because the numbers make sense. You know what though? I won't buy it if there's no way to assure the security of the product, and EAL certification isn't it. Show me something that hits a product squarely with the newest attacks and handles it well. Base certification on that. Until then, VCs, you're limiting the ability of your portfolio companies to be able to sell to government and government contractors.

There, I said it. Want to know what the market looks like? Want to know what the market is going to look like? Want to know what kinds of threats your security tools need to be able to handle? Contact me. I'll tell you.

Jeff