Archive for the 'Business of Security' Category...
Filed under Bull Shiitake, Business of Security, Commodity Products, Convergence, Security
…for this interview? It is titled "Embedding security has drawbacks says TippingPoint chief architect", but the explanation Brian Smith gives is about as weak as the American dollar. Did TippingPoint marketing write the questions? Sheesh.
Look, there is a need for embedded security AND security on the edge. It really comes down to your business. When good and fast security becomes built into the switch, I will look at it and judge its merits for MY BUSINESS (or my client’s business). But this whole thing about switching and routing technology being outpaced by security technology is the largest piece of crap answer I have ever heard. Of course the security technology is outpacing it. That is because security is hot, hot, hot right now, and it has been for the last few years, whereas routing and switching are routing and switching. But what does that mean??
Mr. Smith, was the incorporation of IPS into 3COM switches a "fool’s errand", as you called it at 3:21 in the video? Does that mean that you can’t incorporate the two? Does it simply not work? Is this just not feasible? Of course not. The reason you are saying this is because the 3COM / TP deal fell through for other reasons. Plain and simple, 3COM was not in any kind of position in the switching market to make a dent. I wrote about this a while back. Here’s most of that post:
When I was an infosec manager, I was a TippingPoint customer. When I bought the TippingPoint box, stand-alone devices were still all the rage. UTM and NAC were pretty much still new terms. But right about the time TippingPoint was bought by 3com, the convergence track had started to emerge. Cisco was really getting into putting different devices in their switches. Things were really starting to move in that direction, and 3com probably thought they should do the same.
But just in case things were not what they seemed, 3com decided to test the waters (conjecture on my part, but plausible conjecture nonetheless). So they surveyed their customers (or TippingPoint customers, at least). I received one of these surveys. Among other things, it asked if I would buy a 3com enterprise switch with a TippingPoint IPS blade integrated into it. Understand that I come from the network engineering world. I have installed and configured many a switch and router. And for the immediate 4-5 years before this survey hit my inbox, 3com had been about as present in the enterprise switch space as a woman at an ISSA chapter meeting. The biggest place you saw 3com was on a NIC or a little white 8-port hub in a room full of cubicles. So, I answered a definitive “not no, but hell no”.
To clarify (if the above didn’t explain it well enough), it was the 3com switch that threw me. I wasn’t unhappy with TippingPoint (except that they had been bought by 3com). I liked the box. It served me well. If I could get a TippingPoint blade for the 4506, I would have seriously considered it. But there was no way I was going to replace my Catalyst 4506 with a 3com switch, no way, no how.
Of course, I cannot answer for every TippingPoint customer who received the survey, but I can guess that many of them answered the same way. And this makes me wonder if 3com and TippingPoint are sitting in ivory towers and ignoring the trends because it doesn’t compute that people don’t like their switches.
And to add one more thing that may add some credence to my hypothesis: I also had a couple of 3com reps come out to visit me during the final months of my tenure as an infosec manager. When my boss and I told the 3com guys that we would not consider in any way replacing our current switching infrastructure with 3com because of our impression of 3com as a serious player, they were completely surprised by our attitude. Now maybe they had never received that reaction before because we were just a little more harsh and up front with our opinions. But my immediate opinion was that they really didn’t know they had that kind of reputation. Maybe it is just me that thinks this about them, but I don’t think so.
So basically, what it came down to was that 3COM did not impress me, so I would never have bought their switches. The IDEA was a good one. They recognized that it was a good one. But they could not make it happen because no one wanted to buy 3COM switches. Plain and simple.
Now let us get back to the business of security while you guys go try to fool a few more people.
Vet
Posted by Michael Farnum on Wednesday, May 28th, 2008
Filed under Business of Security, Crime, Data theft, Rant, Security
The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes. Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.
I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about issues similar to this about governments and publishing SSN’s online here and here). Here’s some of the opening paragraph:
Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.
And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years. But why can’t we catch up?
Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast. Cars were invented, there was the first crash, and then we started figuring out that we need to have some kind of traffic control. It may have been a while before it was worth a crap, but we caught up relatively quickly. Then there were airplanes. The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.
Honestly, I don’t know how quickly people started figuring out that these types of things needed to be regulated. Likely it was all about risk since there weren’t a lot of planes or cars around when they were first invented, so a lot of safety was needed yet. But we got smart eventually. Consider this quote:
It’s like trying to predict back in 1910 the impact of the automobile on society - the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993
The move to adopt the Internet and the rush to make it better and faster just came too quickly. Just like the Wright Brothers probably didn’t imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a worldwide public network that had to contend with a bunch of thugs trying to steal everyone’s information. They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn’t get a date.
But it became so much more so much more quickly than anyone imagined. And it pervaded everything. And now it is a struggle to catch up because the people who are really trying to fix the problems are often contending with the bad guys and the people who look like they are doing something and are really just riding the gravy train that the security issues have created (I have been guilty of that and still am in many people’s eyes since I sell security services and products).
So how do we fix this stuff? Well, short of bombing us all back to the bronze age ("Stone Age" is so overused, and bronze is shinier), I really don’t know. There are theories abounding. Some people say we need to go back to the people and get them to buy in to doing things right. Some people say we need to leave them out of the equation and just implement technology. Others say we should just start over from scratch and build in security from the ground up. There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet. But it all keeps coming back to one thing: we’re still insecure.
What I don’t understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do. Is it simply a numbers game? Do they have that many more people looking than we do? Do they have a much more lucrative job than we do, so they are better motivated? Is it because the countries in which many bad guys reside don’t give a crap or just don’t have the resources to catch them? All of the above? What else?
How do we get ahead of this? How can we put the same amount of resources into this to find the vulnerabilities before the bad guys? People have tried to create communities and projects where they pay for vulnerabilities. But there’s no guarantee that they are the only ones getting the results of their research.
You know what? I don’t see an end to this. I think there is really no way to fix it. This simply is a human problem. There have always been bad people, and there always will be. And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes. There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic). All this talk about "security should have been built in" is just a pipe dream. Security Nirvana is not possible. There will always be mistakes. Every time we come up with something new, someone figures out how to break it. And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.
I just don’t see another way. Yes, there can be some model changes when it comes to how stuff is sold and what really works and other things can be factored in to make change happen on a substantial level. But this is really what we have to work from. I know there is a lot of room for discussion here, and I welcome it. Please help me see this differently. But for right now, this is how I see it. I am not being cynical. I am not quitting on security. I just think it is going to be a protracted battle that will require dedication and persistence.
Vet
Posted by Michael Farnum on Thursday, May 22nd, 2008
Filed under Application Security, Business of Security, Rant, Sales, Security, Security Consultation
I went out to see one of our customers this week who had their web app pwned a while back. This is the second client since I have been with Accuvant that we were trying to help via our security assessment services who got smacked around before they could make up their mind to spend the money or not. It has been several weeks since they were attacked, and they are still running around like school girls with their hair on fire.
Yes, they are making a lot of progress (much of it due to us having a couple of guys helping them out for the last 4 weeks). But the point is that they could have avoided all this craziness and stress if they would have made the right choice in the first place. Like I have said in the past, business decisions have to be made. But when you are a financial company that serves a lot of customers, you need to make sure due diligence is performed. Sitting on your hands is not an option.
Vet
Posted by Michael Farnum on Wednesday, March 12th, 2008
Filed under Business of Security, Friends
I have always been hesitant to use friends within companies as a means to getting business. I just think it is a very dangerous move and can kill the friendship along with the business deal if something goes south.
I have had two instances of this happen this week. One involves a former coworker of mine. She now works for a fairly big organization here in Houston, and I knew that if I could get them as a client, it could have some nice rewards. However, I just did not want to start asking her to set up appointments and all that for fear of seeming like I was using her. So I stayed away. I knew that she was somewhat aware of what I did and what Accuvant did, so I decided to just let things fall where they may. Well, she actually contacted me a couple of weeks ago through our former boss (she couldn’t find my contact info - said the cat ate it). And now it has turned into a full-fledged opportunity to do some business for them, and I just have a great feeling about the gig. They need a lot of what we provide as far as services and products, and her coworker (the security guru) seems to really want to meet with us.
And then there is another company down here in Houston that is just an absolute monster. They are all over the US and Canada, and Accuvant has been trying to get in there for some time now. But we just could not get them to give some love. Well, I have a friend that also works at this company at a very high level in security, and I knew I could probably get in the door. However, the same thing applied. I just don’t want to be that person who tries to use my friends for gain.
Well a few weeks ago someone approached me about a possible PCI opportunity. He had a client that needed some PCI scanning services. He had met one of the Accuvant founders at an event and learned what we do (we are QSA certified, are certified scan vendors, and we do PCI gap analysis work) and thought we would be a great fit. There had been a couple of people he had brought in before us, and they had fallen flat on their face. We walked in, and now we have the business. Granted, PCI scanning is not huge money. But we proved ourselves by impressing the very friend that I refused to use.
I am not saying it is wrong in all circumstances to use friendships for business purposes. But as a general rule, I just am really hesitant to do so. And with these two instances, I have found that if you don’t use the friend and you end up getting in and proving yourself and your company anyway, then it is that much more rewarding.
Vet
Posted by Michael Farnum on Thursday, October 11th, 2007
Filed under Business of Security, Me, Sales, Security, Security Reselling
Well, I am back from our annual sales kickoff meeting. The week was rough, but the content was great, especially the last day (we had three of our top SEs teaching our processes and how to be a more effective SE - the sales people were in there as well, so they got a good idea of what we have to deal with). I am more jazzed up now about working for Accuvant. The people I met were great. Everyone is stoked about 2007. I am convinced more than ever that this was a good move for me.
I know. Everyone is highly motivated by these meetings, and it will probably wear off. I agree to a point, but what you have to understand is that I have never worked anywhere that I felt like a part of something good. This is the first company that I am proud of being a part of. It is a good feeling. Maybe that’s a little cheesy, but that’s the way I feel.
It was held at Copper Mountain in Colorado. Very nice location, but we never had any time to get out and enjoy it since we were in meetings the whole time. Oh well.
I could barely breathe up there. I think it is somewhere around 9,500 feet where we were staying. Since I live in Houston, which is about 6′ above sea level, I was completely unprepared for the thin air. I had a headache the whole first day and was gasping for air all night when I was trying to sleep. That REALLY sucked. I got about an hour of sleep that night.
I got used to it the next day, but I was so friggin’ tired that I still don’t remember much of the day. I slept like a baby the second and third night, and I was fine just walking around. Next time I will be taking as much of this advice as I can.
Vet
Posted by Michael Farnum on Monday, January 22nd, 2007
Filed under Acquisitions, Business of Security, Security
Websense is buying PortAuthority for $90 million. If you are not familiar with them, PortAuthority makes a leak prevention security product. This makes sense in the Websense model, but I like the deal for another reason. This tells me that Websense may be seeing the light finally and is trying to diversify a little so they don’t implode.
Of course, we’ll see if they have learned anything at all by watching what they do to the pricing model of PortAuthority. If they follow their current structure, current PortAuthority customers might find themselves paying 100% maintenance every year.
By the way, has Websense ever bought anyone before? I need to do some research.
Vet
Posted by Michael Farnum on Wednesday, December 20th, 2006
Filed under Business of Security, Musings, Security
I was reading through my many newsletters I receive daily, and I ran across a couple of articles about security vendors warning about spam, spyware, phishing, the mob and hackers teaming up, etc. As I was reading those headlines, I found myself quickly sneering and thinking these were nothing but more FUD from people trying to make another buck.
Then I thought, Wow, I sure am getting cynical. Though it is obvious that there can be a lot of FUD coming from these guys, that doesn’t mean that I shouldn’t read their stuff. I’m sure there are people in those companies that are sincerely trying to help the security industry. It just comes out as FUD when those dang “marketeers” get their claws into it.
Maybe I’m a little gloomy because it has been raining down here for the last couple of days. I need to take a happy pill!
Vet
Posted by Michael Farnum on Tuesday, December 19th, 2006
Filed under Business of Security, Ethics, Sales, Security, Security Reselling
A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager. It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site.
Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.
So, how to be a good SE. First, let’s define the term “SE”. In many to most cases, that term means System Engineer. In my case, it means Security Engineer. Both perform the same function, however. At least they do in what I am referring to here, and that is in their pre-sales role.
A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there. This may be the perception, but it is almost always not the case. The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth. For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.”
If you can’t tell, I have been reading “The Dilbert Principle”.
But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs. That is also the salesperson’s job. And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there. A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind. So the SE has to be that buffer. And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.
In case you didn’t get that, I’ll type it again. The SE is EXPECTED to be the buffer. That means that the SE is expected to be honest in his appraisal of the situation. He is looked at as the guy who works for a living, just like the technical people in the trenches. He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc. Even if the SE has never held a true operations type job, he still will be perceived as such. That perception is what garners trust in the SE, and that trust CANNOT be broken.
What many people may not know is that pre-sales SEs typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either). And just like salespeople, SEs with VARs (like me) are often approached by manufacturers with incentives to push their product (these are often very good - money, electronics, etc.). This is called a spiff. These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.
But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation. Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it - and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront). But you must be able to look long term. The desire for an immediate reward must be superseded by the customer’s needs.
And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE. It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most. That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems. So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.
So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first. You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward. The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.
Vet
Posted by Michael Farnum on Wednesday, November 1st, 2006
Filed under Business of Security, Managed Security, Outsourcing, Security, Security Consultation, Security Management
Everyone seems to be commenting on the Counterpane acquisition by BT. But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.
First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane. They pitched to me about a year ago, and I was singularly unimpressed to say the least. The sales person talked like she had been on the job about a week. I don’t mean to be nasty. Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought - maybe she was just too stunned by my dashing good looks to get her thoughts collected - hmmmm). But no matter what the case, she really seemed to have zero clue as to what she was saying. And I expected a little more from Counterpane. That was my first clue that they were not doing too well.
Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me. So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions. If the latter reason was the case, then that also did not reflect well on Counterpane.
And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point). They just didn’t have anything that floated to the top.
The point is that an MSSP is an MSSP is an MSSP. In the finer points of the trade, that statement is probably not totally true. But in general, they all do the same thing. So you have to have some fine point that makes you different, better, or just cooler. And they did not have it. By the way, I also met with LURHQ and Solutionary. They all had somewhat the same stuff. Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.
Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them. First, just look at this page from their website. Second, when they talked to me, they seemed to want to push their professional services down my throat. They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services. This is what they seemed to think gave them the edge (I alluded to this above in point 1). And I honestly got the feeling that was a key area that they were trying to develop heavily and on which they planned to spend some focused resources. Maybe I put too much stock in what a couple of sales types were pitching. Maybe they just picked up on something and thought they should pitch that side heavily. But the way they spoke of it, I was literally waiting for an announcement with them changing focus.
Before I go on, I have to admit that this next point is a little bit “analyst-ish”. I ask forgiveness from the people in the trenches. OK, here goes…
Third (and this is again with all due respect to Mr. Schneier), you cannot bank your business on a hero figure, even one such as Bruce. Yes, he is a security master and a legend. Yes, he is brilliant. Yes, he could whip Chuck Norris in a fight (uhhh, went too far - sorry). But that really can only carry you so far. You have to produce and keep producing. You have to differentiate, especially in a field where most of your competitors are offering essentially the same services. A name just is not enough.
So, that’s my take on the deal. I honestly was not at all surprised to see this happen. I think BT is basically doing what the market is demanding, and they went the cheapest route possible. No more, no less (crap, another analyst comment - I need to watch that).
Vet
Posted by Michael Farnum on Thursday, October 26th, 2006
Filed under Business of Security, Government, Rant, Security
…but it is also one big pain in the neck! I have been thrown into the process of answering an RFP (request for proposal) for a city government down here in Texas, and I cannot begin to tell you how tedious and ridiculously complicated the whole process can be. RFPs can be complicated enough with corporations. But when you get one from a governmental entity, you have so many other things to worry about (there are a ridiculous number of special considerations and conditions when you do work for governments).
Another thing I am finding out first hand is that many government workers (not all, but I wouldn’t think it too far from the truth in saying most) are functionally inept in their positions, at least when it comes to technical matters. Though I have had some inkling of this from talking to peers over the years, it amazes me when I see it so closely.
First of all, the RFP is very poorly written.
Second, it is incomplete.
Third, when you try to ask questions to work out the inconsistencies, the answers are often, “Because I say so”, or “Don’t question why our network is set up as it is.”
I don’t know if we will win this contract or not. If we don’t, then we have wasted a LOT of man hours. I guess it is worth the payout if it happens, but I have to wonder if anyone has figured out the cost of NOT getting one of these and compared it to the potential profit. I am sure someone has.
And if you are thinking that I make a salary, so it doesn’t matter, then think again. I have about 4 projects for which I am either scoping or actively talking to clients to complete. Two of these are sure things, and two are 50% or above on probability. And these aren’t some small deals you can just sneeze at. There is good money to be made here. So the more time I do this dang RFP, the less time I am working on some potentially good profit for Accuvant. All to work on a deal that no one has a good idea whether it will come through.
Oh well, business is business!
Vet
Posted by Michael Farnum on Sunday, October 15th, 2006
Filed under Business of Security, SIM / SEM, Security, Security Consultation, Security Education, Security Reselling
I have decided to start putting down some of the day-to-day events with this new job. I think it will actually help stir my mind to blog more since I have not been writing near enough lately. So here goes.
I have actually been kinda bored since my recent job change. Though I have been getting in contact with our vendor partners and getting setup for training on products, the real action is out there selling and designing and proposing. I really want to get thrown into the fire.
Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market. We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here. However, he finally got down here today, and it got crazy quickly (be careful what you ask for).
The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am. For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG. I made the trip in about 25 minutes, which I was proud of.
Anyway, the talk was basically an introduction to Accuvant and what we could offer. This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day). But to be honest, I think of the term “sales pitch” as negative. What we did today was, technically, selling Accuvant. However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry. I have talked about it before, but Accuvant just seems to do things right. Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value. We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal. We want to partner and grow with our clients, and this is no BS. I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.
OK, sorry. Anyway, the meeting went well. We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).
The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation. Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance. I have seen the box and how it works. It is very simple. Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results.
The next client was a partial introduction - I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms. They are a property-management company who deals almost exclusively with apartments. They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into. Suffice it to say that they want a lot for little.
So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralize it to corporate (insert Rothman negative comment here). We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second). To put it simply, I like this product. I might get into that at a later date.
Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM. Not a good time in Houston. The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed. However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down. Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time. I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.
So, that’s my day. It was very busy and crazy, but I finally got in the mix. I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell. These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here). Things are starting to pick up, so I got out of the house, and I am glad for that. I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!
More later.
Vet
Posted by Michael Farnum on Tuesday, October 10th, 2006
Filed under Blogging, Business of Security, Security, podcasting
Go listen here.
Thanks again to Alan and Mitchell for having me on the panel. And thanks to the panel for a great discussion.
Vet
Posted by Michael Farnum on Saturday, September 23rd, 2006
Filed under Blogging Buddies, Business of Security, Friends, Security, Security Education, Security Management, podcasting
I forgot to mention that I was a guest panelist on Alan Shimel’s SSAATY podcast last night. This was a great panel. I had a great time, and I think we really hit some key points and offered some solutions to security admins and managers out there that need some help selling security to execs.
The panel consisted of yours truly along with Martin McKeay (Network Security Blog, ComputerWorld), Bobby Dominguez (Sykes) and Mike Rothman (SecurityIncite, NetworkWorld). It was hosted by Alan and Mitchell, two of the best podcast hosts I know, and though I have never met either face to face, I know they are both good guys.
One person that was scheduled but ran into some emergency security management duties was Michael from mcwresearch.com. I understand why he couldn’t be there, but I really missed his insight. I would have loved to hear some of his horror stories.
BTW, I was VERY impressed by Bobby Dominguez. I have never talked to Bobby, but I figured out very quickly that he has a vast amount of experience, expertise, and just plain ol’ smarts. You REALLY need to listen to this guy. Hopefully he will start a blog soon himself. He has a lot to offer the community.
Martin is always good to have on a discussion like this because he has a lot of experience in this area. He never ceases to impress.
And Mike Rothman, well…, he’s Mike. What else need be said? And we actually agreed on something in the podcast, if you can believe it! Actually, Mike and I agree on a lot of things. We just like to disagree to make it exciting.
And of course, there’s me. ‘Nuff said!
Anyway, the podcast should be up soon. Go look for it in the next few days at Alan’s blog.
Vet
Posted by Michael Farnum on Wednesday, September 20th, 2006
Filed under Business of Security, Outsourcing, Security, Security Consultation, Security Management
Karn Griffen over at the Information Security Gurus blog mentions my post about getting out of security management. He has a good post today about how we should all be getting out of the front lines when there are so many possibilities with outsourcing. He also commented on that same post, where he said the following:
If I can turn on secure networking services, complete with IPS, Virus, Spam filtering, etc. and the company I outsource this to will provide me an SLA that guarantees the service parameters I’m looking for, why would I bother with a full-time person (or more) to do these things.
While I agree with Karn on this point, the question that comes to my mind is if you can’t convince an exec that security is needed at all, then why would he / she do either?
The big problem is that execs often cannot justify security at all as a cost. The ramifications to not spending money on security are still so light. Much of the legislation out there still does not have teeth. The media is getting tired of printing stories about this stuff because readers are tired of it. Some non-governmental regs like PCI are starting to get somewhere, but that is not anywhere close to where it needs to be.
So unless you can convince your execs that security is needed, they ain’t gonna spend money on it, no matter if you outsource or insource it.
But let’s play devil’s advocate here and assume that all execs get smart and buy off on security. Then, the SMB execs get even smarter and see Karn’s point that they can outsource. Where does that leave guys like me getting out of operations and trying to sell security? Should I be selling to SMBs now when I know they would be better served by outsourcing? Do I sell to MSSPs? Better yet, do I have to start working for MSSPs, sitting in a chair watching packets go by? Do I lose even that job to ever-more sophisticated UTMs / IPSs / heuristic filters that can figure this stuff out better than I can? Does the UTM take over for those MSSPs where there are only 2 or 3 viable options for them to filter traffic for their clients, essentially killing much of the security market? Are the enterprise-type clients enough to hold up the market? Does the technology get so good that even enterprise clients can use it? Does my job just go POOF in 5 - 10 years? AAAAAAAHHHHHHHHH!!!!!!!!!!!
Karn, you are on to something, but I’m not sure it’s good. But good or not, is it inevitable?
Vet
Posted by Michael Farnum on Thursday, September 14th, 2006
Filed under Business of Security, News, Security

OK, let me start this out with a disclaimer: I am going to work for Accuvant (as most of you know by now since I can’t stop blogging about it), and they are a big Juniper reseller. They do not sell Cisco, so they drink the purple Kool-Aid. Also, I am a fan of Juniper when it comes to many of their security products (I love their SSL VPN and their firewall / VPN devices, but their IPS leaves something to be desired). All that being said, you might think I am going to say something positive about this deal between Juniper and Symantec. Well, you’re right and wrong.
First, I agree with Mike Rothman’s comments:
…adding Symantec’s anti-spam, IPS signatures, and vulnerability research to Juniper’s products will make them better and I think it will actually happen. Why wouldn’t Juniper do this, given they are pretty much irrelevant in the IPS space and don’t really have a compelling UTM platform? They’ve got nothing to lose.
I also agree with Mike that this mostly comes from a “We Hate Cisco” reaction. I don’t think Cisco is the best out there in most things that they do. They do many things decently, but they are not the top in quality. But they ARE Cisco, and they are taking so much of the market for the simple fact that nobody ever got fired for buying Cisco.
The fact that Richard Stiennon hates this deal is not surprising. Stiennon is negative on just about anything that ever happens in security nowadays simply because he doesn’t agree with the direction security is taking, namely “host plus network security”. However, his perspective that Juniper and Symantec have not taken advantage of opportunities given to them is correct. Symantec is the epitome of the “bumbling giant”. I don’t think Juniper is anywhere close to that yet, but Stiennon has to lump them in because, again, he is negative about anything to do with NAC, UTM, etc.
I don’t like this deal because it is with Symantec. I just don’t like how Symantec works and I don’t like John Thompson (especially after his keynote at RSA 2005). But I like this deal from the fact that it can help Juniper leverage Symantec’s knowledge. Juniper NEEDS to become a premier security knowledge source on the par of Symantec or TippingPoint if they ever hope to be completely respected in this arena. Building boxes ain’t gonna do it. What I am hoping is that they use Symantec to maybe help them learn how to do this themselves.
Vet
Posted by Michael Farnum on Wednesday, September 13th, 2006
Filed under Business of Security, Security, Security Management
I just read this post by Richard Bejtlich at Taosecurity. Basically, a guy was trying to come up with an ROI for security, trying to show management where security adds value in actual dollars. Richard is correct that there really ain’t no such animal.
I have never figured out a way to show my CEO or CFO value for putting in an IPS. I can show how it fills a security gap or helps us comply with HIPAA (though when you come up with a concrete definition for that one, let me know). But I cannot show him that the IPS will pay for itself by adding value to our company. Like Richard points out, security is insurance. The IPS will only pay for itself if it prevents an attack that would have cost the company more than what we paid for the IPS.
Of course, the problem with that argument is that you never really know what an attack would have cost you. Yes, you can quantify an asset and tell the CFO that it will cost the company $50,000 if it is lost. But not many execs put stock in something that MIGHT happen or what it MIGHT have cost. They want numbers.
Vet
Posted by Michael Farnum on Wednesday, August 16th, 2006
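The “security is insurance” argument in the post above, worked through numerically as an added example (not code from the post or from any vendor): the IPS only pays for itself if the loss it averts exceeds its price, and since the averted loss is an expectation, the real question is how likely and how costly the attack has to be. The $50,000 asset loss is the post’s figure; the IPS cost and the effectiveness fraction are assumed values.

```python
"""Added example: break-even analysis for the 'IPS as insurance' argument.
All dollar and probability figures other than the $50,000 asset loss are
assumptions chosen for illustration."""
from dataclasses import dataclass


@dataclass
class IpsCase:
    ips_cost: float       # total cost of the IPS over the period (assumed)
    asset_loss: float     # loss if the asset is compromised ($50,000 in the post)
    effectiveness: float  # fraction of such attacks the IPS actually stops (assumed)


def expected_averted_loss(case: IpsCase, attack_probability: float) -> float:
    """Expected loss the IPS prevents over the period (probability x loss x effectiveness)."""
    return attack_probability * case.asset_loss * case.effectiveness


def net_value(case: IpsCase, attack_probability: float) -> float:
    """Positive means the IPS 'paid for itself' in expectation; negative means it did not."""
    return expected_averted_loss(case, attack_probability) - case.ips_cost


def break_even_probability(case: IpsCase) -> float:
    """Attack probability at which the expected averted loss equals the IPS cost.
    A result above 1.0 means no attack likelihood can justify the spend on this asset alone."""
    return case.ips_cost / (case.asset_loss * case.effectiveness)


def sensitivity(case: IpsCase, loss_estimates) -> dict:
    """Break-even probability for each guess at the loss figure. This is the
    'you never really know what an attack would have cost you' problem made visible:
    the same IPS looks like a bargain or a waste depending on the loss estimate."""
    return {
        loss: break_even_probability(IpsCase(case.ips_cost, loss, case.effectiveness))
        for loss in loss_estimates
    }


if __name__ == "__main__":
    case = IpsCase(ips_cost=20_000.0, asset_loss=50_000.0, effectiveness=0.8)
    print(f"break-even attack probability: {break_even_probability(case):.2f}")
    for loss, p in sensitivity(case, [10_000.0, 50_000.0, 250_000.0]).items():
        print(f"  if the loss were ${loss:,.0f}: break-even p = {p:.2f}")
```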