Security

New security fashion wear

30 Jan , 2007  

No Vulnerability Pimping t-shirt

In keeping with Brad Stone’s NY Times article (Alan blogged about this too) about the nefarious use of security vulnerabilities for marketing and black market purposes, I’ve decided to introduce my new line of security fashion wear one week before RSA.

First in what I hope will be a long line of clothing and accessories is the No Vulnerability Pimps t-shirt. Available in all popular sizes, this shirt makes a statement for those "vulnerability disclosure" conscious security professionals who wish to promote vulnerability research "for the right reasons." Any self-respecting security professional wouldn’t be caught dead at RSA without their No Vulnerability Pimps shirt.

In our spring lineup I’ll be introducing the new line of "Wake up and smell the incidence," "Cisco bought my security vendor, who bought yours?," "My BOB can beat up your UTM" and "I don’t have to run faster than you, just faster than the hacker" clothing from our spring and summer collections.

All clothing only available in black. For more info, send email.

Security

Breaking News: I’m biased

29 Jan , 2007  

I had a good chuckle tonight when I sat down to read some blogs after eating dinner. I read Alan’s end of day analysis of the Symantec / Altiris announcement. Alan hangs up his “drive-by blogging” gun belt for a moment and shows his kinder, gentler side by exposing the biases of other bloggers (including yours truly) and their agendas about the Altiris purchase.

Alan’s right. My agenda is that Symantec is a competitor to my company StillSecure in the NAC space, namely through their Sygate product. Truth be told, Sygate has been a non-factor in the marketplace for us. Is that my bias showing again or reality? Either way, it’s my actual experience.

As an entrepreneur and business owner I always love it when a competitor is bought by a big behemoth company. In nearly every case it gives you a 6-12 (or more) month pass on that competitor thanks to all of the confusion, transition, customer uncertainty, talent exodus and management turnover created from the acquisition. How many customers have told you: “Ya, their product and customer service was so much better before they were acquired.” Frequently innovation is stifled or stops altogether too.

Golden handcuffs or not, and despite whatever best efforts, acquisitions always create two things in the short term for the acquired company: uncertainty and paralysis. And the worse the acquisition track record, the better for competitors. Even the acquisitions that do succeed end up being more products to sell to existing customers, not market leaders.

So what’s this with all the compliments I’ve lavished on Cisco about their acquisition success? Well, they are a competitor to my company too, and to just about everybody else. But I acknowledge they’ve done much better than most when it comes to acquisitions, even though I might wish differently in some cases. They also validated a market for me when I came up with our Safe Access product 9 months before Cisco announced NAC. It works both ways sometimes.

Oh, and one other thing. Alan’s agenda is the same as mine. We work for the same company, remember? 🙂

Security

Symantec wants to be Cisco

29 Jan , 2007  

As I read the announcement about Symantec buying Altiris for $830m this morning, the Symantec 2.0 strategy finally became clear to me: do what Cisco does but with software.

Yep, buy other companies and fold them into the lineup of other yellow products. As I’ve written (and complimented) before, Cisco is the best at buying companies and actually successfully retaining the IP and key people to make something useful out of the acquisition. And that’s a rarity in the world of acquisitions. (Eric Ogren agrees with my assessment, btw.) When you’ve got cash to burn and the core AV business hasn’t gone south yet, that’s a laudable strategy. And very difficult to pull off.

But what Cisco has also done well in their acquisitions is integrate the acquired product into all parts of their company (in most cases). That’s hard to do, hard to do well and hard to repeat.

So the question about Symantec’s strategy is: will they be like Cisco? Will they just end up with more stuff to put on the shelves at Best Buy? Or will these acquisitions wither and dry up like so many others? We’ll see.

Podcasts

Podcast 29 – Pragmatic CSO/Rothman

29 Jan , 2007  

This week Alan and I take a turn off the regular podcast path and have a special two-part series with Mike Rothman talking about his new book Pragmatic CSO, a 12 step program to being a Security Master. I guess that means that we now have to introduce Mike as “analyst and author, Mike Rothman” going forward. 🙂

We’re delivering this podcast in two parts. In part 1 we discuss the first six of Mike’s Pragmatic CSO steps:

  • Step 1: Assess the Value of Your Business Systems
  • Step 2: Baseline Your Environment
  • Step 3: Manage Expectations
  • Step 4: Build Your Security Business Plan
  • Step 5: Sell the Story
  • Step 6: Procure the Solution

We’ll post part 2 of the interview in the next few days so stay tuned for the rest of the show.

Rothman’s been on our podcast enough that I felt it appropriate to subject him to my now famous Mike Rothman impression. That’s near the first part of the podcast. Enjoy 🙂

Seriously, if you’d like to find out more about the Pragmatic CSO or would like to read his book, please check his stuff out at http://www.pragmaticcso.com. I’d give you my full review of the book but Mike hasn’t given me a copy and I’m too dang cheap to buy one, lol.

Please send along any questions, comments and suggestions to podcast@stillsecure.com. Most importantly, thanks for listening.

mp3 file

Security

Microsoft planning retirement

25 Jan , 2007  

What you say? Retirement? Well, yes, of XP anyway. Microsoft announced (eWeek) it plans to support Windows XP until 2014 (extended from their original plans to only support it through April 2009). I hope I’m able to comfortably retire by then too.

While product management in most companies struggles to put a meaningful 3 year product plan in place, Microsoft has our futures planned out through 2014. At least as far as support for XP goes.

While Vista makes its showing in 2007, XP will be with us for some time. I still see Windows 2000 systems around once in a while too. You can bet there will still be systems running XP in 2014 and beyond.

Old operating systems never die, they just become print servers.

They look kinda similar, don’t they? 🙂

Security

The ’07 noise ceiling

25 Jan , 2007  

When recording music in the studio a few of the terms people talk about are things like noise ceiling, noise floor, saturation, in phase, out of phase, and phase cancellation. In short we’re talking about how sounds, i.e. sound waves, interact and affect each other. At a point you reach a “ceiling” of how much sound a recording can contain.

Sometimes I see my email inbox as a sound meter on what’s happening in our industry. In the last 24 hours I’ve received email newsletters, promotions and seminar invites on a variety of topics, but most are centered around a few themes. What’s hot? Seminars on how to take advantage of server virtualization, the security (or questions about it) in Vista, and yet more NAC announcements. Alan blogged yesterday about the NAC momentum carrying over from ’06 into ’07. NAC will certainly remain a topic this year, but I expect Vista and virtualization to be much more prominent in our ’07 inboxes.

I have no doubt virtualization will become a much more prevalent topic in the networking space as well. It’s an area I’m spending a great deal of work time on myself. In thinking back, we have a lot of virtualization already in the network. I remember the first RedBack box I worked with in the late ’90s where you could configure hundreds of virtual firewalls inside one box. What would our networks and wiring closets look like without VLANs? But what server virtualization software has done for the data center will cause us to radically rethink network hardware. Frankly, I believe this is really what Cisco’s new “software” strategy is all about.

It makes you realize how old fashioned our fixed appliance mentality is. Wouldn’t all of us like to put the network and security services on the hardware we want rather than the overpriced junk most of the vendors sell us? How powerful would it be to be able to dynamically reconfigure where network and security services live in the network as the network architecture changes or network traffic loads shift? We’re just at the beginning of what we can do with virtualization in networking and security.

Our email inboxes are one gauge of what’s happening. Kind of reminds me of those Capital One TV commercials.

What’s in your inbox?

Network, Security

Fortinet embraces BOB

23 Jan , 2007  

Fortinet has expanded their product line beyond UTM security devices by adding network functions like routing and switching. In other words, a BOB product. “A convergence product, surely this is,” as Yoda would say. Well, only in part, Yoda. It’s still a fixed appliance.

It’s a natural progression for the UTM guys to expand into other networking features. But again, we’re stuck with a fixed function hardware platform – same old paradigm. It’s an interesting move, and let’s see how they fare against products like Netscreen’s 5GT, and others. Stay tuned.

Security

Podcast 28 – Jeremiah Grossman, White Hat Security

23 Jan , 2007  

A new topic for this week’s podcast: application security. Web apps in this case. App security will be a big topic in 2007, and will likely suffer some of the hype and parasitic vendor behavior we saw with NAC in ’06.

Jeremiah Grossman, CTO and founder of White Hat Security, joins us as this week’s interview guest. Jeremiah has a long history of work in app security including his time with Yahoo, which led him to the problems that he’s solving with White Hat Security.

In this week’s The Converging Minute I discuss Apple’s iPhone and why this new platform for mobile and personal applications is an interesting paradigm that we should learn from.

This Week In Security topics include:

  • The data theft at TJX stores
  • Cisco’s possible GPL violation
  • Veracode and secure code development
  • Strata Guard’s visionary placement in the IPS Magic Quadrant

Next week Mike Rothman joins us to do a deep dive into his Pragmatic CSO methodology so be sure to join us for that one too.

Send along any questions, comments and suggestions to podcast@stillsecure.com. Most importantly, thanks for listening.

mp3 file

Uncategorized

The more things change, the more they change

23 Jan , 2007  

Well, it was a fascinating weekend for me. And I have a newfound appreciation for some muscles in my back I’d forgotten are there. I helped my folks move into their new house this weekend. (Part 1 of the “on the move” weekend.) Sunday I was also recognized by my church’s women’s group for volunteering my time for music. It was definitely unexpected and so gracious of them.

Then my son Phill surprised us and moved back home Sunday afternoon. (Part 2.) That entailed schlepping Phill’s furniture from his apartment to our house, including a very heavy $10 computer desk. I think the weight goes up as the price goes down on those things. I’m still recovering, but the folks on my new product team thought I was taking a nap on Monday while lying down on the couch when I was really resting my back. (The snoring was just for effect, lol.) Phill also found out that he’ll be doing some work with one of the most talented Windows guys I know, Ken Connors. It’s a great opportunity for Phill as he fits this in with his school work and other job responsibilities. I’m proud of both my kids.

These things reminded me how much I enjoy change. Even the unexpected ones sometimes. I guess that’s why I enjoy working on new products, like the convergence product I’m leading right now. We’re in alpha testing with hundreds of users on this product and the feedback has been tremendous. Not just what users don’t like but ideas about what they could do with the product and ideas for the product’s future.

I’m working on a white paper for this new product discussing a new model for the convergence of security and networking. A different paradigm than the current fixed appliance world that brings into it the power of open source and new advances in hardware technology. But software is the driver. The hardware’s going to keep changing and I believe it’s important to take advantage of as many of the hardware advances as possible. I think software also gives you more options about how to bring products to market.

So look for this new white paper in the next week or so. And send me any thoughts, ideas or questions you have. I’d love to hear from you.

Uncategorized

Virtualization is reality, man

22 Jan , 2007  

Oh boy, I was just ready to pack it up and head home when Chris Hoff’s post on virtualization got my blood boiling. It’s time to gang up on Rothman for a little network ta-ta about his post dismissing virtualization.

Virtualization changes everything. It is changing everything. Look in the data center. Do we think the impact virtualization is already having will be limited to servers? Nooo. We’re stuck in this “one box does [something]” world but the network’s not stuck there. “Buy me a firewall and I gots a firewall.” Not any more. Long gone my friend.

Hoff does a nice job of bringing it right back to Cisco and Juniper. Everything is getting virtualized, gang. And it’s not just happening in the enterprise, big box world. We’ll see it in mid-enterprise and SMB.

Will virtualization get over-hyped? Yep, in 2007 virtualization and app-security will be the NAC of 2006, so get ready. Time to strap on the boots and start wading through the gunk. But despite all the parasitic and carpetbagging behavior we’ll see by vendors who don’t have a clue about the topic (like happened with NAC in ’06), virtualization is real and we’ve only begun to see its impact in the network.

Don’t look behind you. The future’s catching up quick.

Objects in mirror are closer than they appear.

Time to step on it. 🙂