Category: Security

Websense buying PortAuthority

Websense is buying PortAuthority for $90 million. If you are not familiar with them, PortAuthority makes a leak prevention security product. This makes sense in the Websense model, but I like the deal for another reason. This tells me that Websense may be seeing the light finally and is trying to diversify a little so they don’t implode.

Of course, we’ll see if they have learned anything at all by watching what they do to the pricing model of PortAuthority. If they follow their current structure, current PortAuthority customers might find themselves paying 100% maintenance every year.

By the way, has Websense ever bought anyone before? I need to do some research.

Vet

Interviewed for the SSAATY Podcast

Alan and Mitchell at the StillSecure After All These Years podcast interviewed me last week for their podcast. It is up here at Alan’s site and here at Mitchell’s site.  I gave an update on my move to the channel, talked about honesty in selling security, discussed the article I wrote at CW about the convergence of the security professional and the general IT professional, and covered some other stuff.  It was fun.
Thanks to Alan and Mitchell for having me on again. I really enjoy talking about myself, as anyone can plainly see, and Alan and Mitchell actually seem to genuinely be interested in the people they interview. They are two great guys that I hope to meet soon at the RSA Conference security blogger gathering (not sure if Mitchell is going to be there, but I know Alan is going to show).

Thanks for the kind words, guys. You are two class acts.

And Alan, notice that I did not alter the picture in any way!  Or did I?
Vet

I’m getting cynical with age

I was reading through my many newsletters I receive daily, and I ran across a couple of articles about security vendors warning about spam, spyware, phishing, the mob and hackers teaming up, etc. As I was reading those headlines, I found myself quickly sneering and thinking these were nothing but more FUD from people trying to make another buck.

Then I thought, Wow, I sure am getting cynical. Though it is obvious that there can be a lot of FUD coming from these guys, that doesn’t mean that I shouldn’t read their stuff. I’m sure there are people in those companies that are sincerely trying to help the security industry. It just comes out as FUD when those dang “marketeers” get their claws into it.

Maybe I’m a little gloomy because it has been raining down here for the last couple of days. I need to take a happy pill!

Vet

Citrix NetScaler training

I am in Citrix NetScaler training for most of this week.  I have heard good stuff about this product, but I am interested to hear about anyone else’s opinion.

Another interesting thought.  Now that I am not responsible for the security of a network, I have no issue posting on my blog what I am going to be doing for the next couple of days.  I feel so free! 

Vet

EXTRA! EXTRA! READ ALL ABOUT IT!!! NEW SECURITY VENDOR BLOG!!!!!

I posted a couple of weeks ago about me doing a talk at Alert Logic. Misha Govshteyn, the founder and CTO of Alert Logic, was in the group as well, and we talked for a bit about various things. If you have not talked to Misha, he is a very informed person, and he is clearly intelligent with clear cut and well thought out opinions about security.

By the way, I WAS NOT PAID FOR THE TALK, AND I DO NOT HAVE ANY STOCK OR INVESTMENT IN ALERT LOGIC.

Anyway, one of the issues that came up was the possibility of Misha starting a blog. To my knowledge, he has not started one yet. However, Alert Logic has a blog that has been kept under wraps. Until now, that is. I have been given the honor of revealing their blog to the world (they chose me because of my thousands and thousands of readers and fans – **HACK, COUGH** – sorry, hairball).

But in all seriousness, I have read some of the stuff on the blog, and it looks good. The writing is often very witty and well thought out (this Jeremy Hewlett guy has some great skills with the written word). And I have found them to be very informative as well. Go check ’em out here.

Of course, now that you Alert Logic guys have been exposed to the world, be prepared for comments and criticisms. I hope you have some thick skin. It ain’t easy out here sometimes!

Vet

Requiring sex offenders to register IM names and email addresses

I just wrote a post over at Computerworld entitled The Security of Web 2.0 – an Oxymoron. Then I find this story about Senators McCain and Schumer proposing legislation that will require sex offenders to register their IM names and email addresses. I need to read more about this bill. Like typical security legislation passed by our government, this one appears on the surface to be nothing but security theater and something else to boost Schumer and McCain’s appeal before the presidential elections.

Think about it. How difficult is it to create a different IM name or email address?

The registration provisions would make failure to notify the authorities of all e-mail addresses a felony punishable by up to 10 years in prison.

Uhhh, so? These perverts are already breaking the law and facing jail time and some serious nastiness in the big house (child molesters supposedly don’t fare well in prison – though I have no proof of that). What makes anyone think they are going to change their ways because of another law?

Don’t get me wrong. I am fully on board for catching these “people”. I have children and would unleash all hell if one of these sick, twisted individuals even came close to one of my kids. But another law on the books that effectively does nothing to help the situation is just words on paper. Just make the behavior illegal (which it is) and make the punishment such that if the perv is caught he never sees the light of day again (there are a couple of punishments that would fit that description – you decide which one is right for you).

Vet

Ding Dong…DDoS is dead!

CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She  says:

…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.

Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our new found safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.

What was that?  What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.

Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.

I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:

The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.

Man, I am so happy we are done with DDoS attacks.

OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.

Holy crap, my head is about to explode.

Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.

Vet

One helluva weekend

I usually don’t post about my personal life, but I have to share some stuff from this weekend. 

First, my five year old son is in Taekwon-do.  Normally, a white belt would go to yellow tab, then yellow belt, green tab, green belt, and so on.  But with juniors, this group makes them go through degrees of white belt (black stripe, red stripe, blue stripe, and green stripe) before they can get the yellow tab.  Well, he’s been going for about 4 months now, and he finally got his yellow tab (first step towards black belt, is what they say).  So congratulations to my boy.

Second, I learned about some exciting stuff happening with my son’s Taekwon-Do class.  There is a “secret seminar” on December 9, and I have been given the lowdown by Mr. Howard, the owner and instructor at Global Taekwon-Do.  I don’t want to give out any details, but if this turns out to be as cool as I think it is going to be, then I recommend going out to the website in a couple of weeks.  I am excited about it.

Third, after I got over all the excitement of the Taekwon-Do stuff, we woke up this morning, went to church, and my 2 year-old daughter fell in Sunday School and split her chin WIDE open.  My wife and I were trying to teach a class full of crazy 4 year olds, and they came in and grabbed my wife without telling me what was going on.  So here I was, wondering what was happening, and starting to freak out.  Finally, they came and told me, then found some other teachers to take our class, and off we went to the clinic.  She ended up having 5 stitches.

So here I am, trying not to cry and trying not to hit something at the same time while my little girl is screaming at the top of her lungs because the nurse and doctor are cleaning this gash, then putting other stuff to deaden the pain, then sewing it up.  It was horrible.  And the kicker is that neither one of my 5 and 4 year old boys have ever had a cut or broken bone (thank God), and my two year old daughter isn’t half their age and she’s already got 5 stitches to her name.  Well, at least it is under the chin and not out there for everyone to see. 

It may be sexist, but I don’t want my little girl to have any scars like that.  I don’t care if my boys have a couple of scars.  Scars just make men interesting, and it gives them plenty of material to make up cool stories (not that I would condone that – by the way, did I ever tell you about the time I stormed a bunker and jumped on a grenade to save 20 soldiers?).

And fourth and final, my Dallas Cowboys pulled out a win over the NY Giants.  That was awesome.

So anyway, crazy weekend.  Here’s to hoping for a quiet week!

Vet

Is your boss spying on you? – or – Change management is important

My friend Martin McKeay posted a few days back about email privacy. Another friend, the great Alan Shimel, responded with some thoughts of his own. In light of these posts, I found interesting the following story from another friend (not a blogging buddy).

Here’s the story: My friend works at a rather large national sales-type company. He has worked there for about the last 10 years. Recently, the company cut quite a few staff in an effort to get rid of some bloat they had accumulated over the years. My friend was passed over by the cuts. He actually got a promotion out of it because he was placed in charge of a territory that was previously run by 5 sales managers and several account managers (so either they did have substantial bloat, or they are trying to kill my friend instead of firing him).

After my friend received his promotion and started to take over the operation of his new territory, his boss informed him that the IT department had been instructed to forward all emails of the previous managers to his inbox. This was done for obvious reasons, and my friend got ready for the deluge of emails. What surprised him was that he started receiving the emails of an additional 5 sales people that were now his employees, and he knew that neither he nor his boss had requested this to be done.

After scratching his head for a few minutes, my friend decided to check with his boss to see what was going on. You can probably see where this is going, but basically, they found that one of the previous managers that got the axe was spying on his sales people. According to my friend (and I believe him), this guy was a micro-manager from hell, and he would not let his sales people make any decisions without his explicit approval. He basically beat his employees into submission and made them little more than robots doing his will. But he was smart enough to keep this from his boss.

He made sure that his boss knew nothing about the emails being forwarded to him by going directly to a single IT person and asking to have this done. I have no clue about the company’s change management process (it is obviously pretty weak), but I guess this IT guy was either bribed or just charmed into doing this without ever letting anyone else know about it. And the IT guy could not really be held accountable after they discovered what had happened because he had taken an early retirement option that had been offered when the company was cutting back (they ended up letting 48 IT people go by either layoffs or early retirement).

So what are some lessons here? First, change management is important. This could not happen (or would be less likely) if the company had a strong change management process that made requests go through the system, and those requests were checked by more than just one individual. Second, system reviews are important. Even if something like this slips by, having a regular review of systems from someone outside this particular responsibility area would have likely turned up something fishy. Third, your privacy is never guaranteed, especially in email and in an employment situation. Though this was done incorrectly, and these employees (according to my friend) did not know they were being monitored, it is still within the rights of the company to check up on the employees’ corporate email.
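As an added example (not from the original post, and not the company's own tooling), here is how the "system review" lesson could be made routine: a Python check that compares the forwarding rules actually present on a mail system against the change-request register and flags any forward with no ticket, a ticket that does not match, too few approvers, or self-approval. The record layouts, account names and ticket ids are all constructed for the example.

```python
"""Added example, not from the original post: cross-check the mailbox forwarding
rules present on the mail system against the change-request register, so a
forward that was added by one IT person with no approved ticket is caught in a
periodic review. All rules and tickets below are constructed sample data, and
the record layouts are assumptions rather than any real system's export."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    mailbox: str            # account whose mail is copied
    forward_to: str         # who receives the copies
    created_by: str         # admin account that configured the rule
    ticket: Optional[str]   # change request recorded on the rule, if any


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    mailbox: str
    forward_to: str
    requested_by: str
    approvers: Tuple[str, ...]


def audit_forwards(rules, tickets, min_approvers=2):
    """Return (rule, reason) pairs for every forward that lacks a valid,
    independently approved change request. Checks, in order: a ticket is
    recorded, it exists, it approved this exact forward, it has enough
    distinct approvers, and neither the requester nor the implementer
    approved it."""
    register = {t.ticket: t for t in tickets}
    findings = []
    for r in rules:
        if not r.ticket:
            findings.append((r, "no change request recorded"))
            continue
        cr = register.get(r.ticket)
        if cr is None:
            findings.append((r, f"ticket {r.ticket} not in register"))
        elif (cr.mailbox, cr.forward_to) != (r.mailbox, r.forward_to):
            findings.append((r, f"ticket {r.ticket} approved a different forward"))
        elif len(set(cr.approvers)) < min_approvers:
            findings.append((r, f"ticket {r.ticket} has fewer than {min_approvers} approvers"))
        elif cr.requested_by in cr.approvers or r.created_by in cr.approvers:
            findings.append((r, f"ticket {r.ticket} was approved by its own requester or implementer"))
    return findings


def recipients_with_many_forwards(rules, threshold=3):
    """Second review signal: anyone receiving copies of at least 'threshold'
    mailboxes stands out even when each rule is individually ticketed."""
    counts = {}
    for r in rules:
        counts[r.forward_to] = counts.get(r.forward_to, 0) + 1
    return sorted(who for who, n in counts.items() if n >= threshold)


# Constructed sample data mirroring the story: the promoted manager's inbox
# legitimately receives the laid-off managers' mail (ticketed), while the
# departed micro-manager's forwards from his sales reps were never ticketed.
SAMPLE_TICKETS = [
    ChangeRequest("CR-1001", "mgr.north", "new.manager", "vp.sales", ("it.lead", "hr.lead")),
    ChangeRequest("CR-1002", "mgr.south", "new.manager", "vp.sales", ("it.lead", "hr.lead")),
    ChangeRequest("CR-1003", "rep.smith", "new.manager", "vp.sales", ("it.lead",)),
]
SAMPLE_RULES = [
    ForwardRule("mgr.north", "new.manager", "it.admin1", "CR-1001"),
    ForwardRule("mgr.south", "new.manager", "it.admin1", "CR-1002"),
    ForwardRule("rep.smith", "new.manager", "it.admin1", "CR-1003"),   # only one approver
    ForwardRule("rep.jones", "ex.manager", "it.admin2", None),          # never ticketed
    ForwardRule("rep.lee", "ex.manager", "it.admin2", None),            # never ticketed
    ForwardRule("rep.kim", "ex.manager", "it.admin2", "CR-9999"),       # ticket does not exist
]

if __name__ == "__main__":
    for rule, reason in audit_forwards(SAMPLE_RULES, SAMPLE_TICKETS):
        print(f"{rule.mailbox} -> {rule.forward_to} (by {rule.created_by}): {reason}")
    print("high-volume recipients:", recipients_with_many_forwards(SAMPLE_RULES))
```

Run periodically by someone outside the mail-admin team, the first function catches the single-admin shortcut in the story, and the second gives the reviewer a list of recipients worth a closer look regardless of paperwork.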

Vet

Alert Logic talk

So the presentation went over very well. Let me break down a bit why I went to talk to Alert Logic and some specific points on the talk.

Sam Van Ryder is a friend of mine who is a sales guy at Alert Logic. He wanted me to come in and present to the sales staff what a Security Manager’s job entails. I jumped at the chance because it gave me a chance to show sales people what trench warfare in security is all about.

How I approached it was from the standpoint of an SMB security manager type. Since this type of security manager is usually low on resources and high on duties (and since this is the most common type today), I figured I would show them the daily grind and just how much work a security manager has to do. I broke the day down like this:

7:35 AM – 9:00 AM  Check security logs
9:01 AM – 10:30 AM  Check spam filter
10:31 AM – 12:00 PM  Answer voice mails and email
12:01 PM – 12:45 PM  Lunch (maybe)
12:46 PM – 1:59 PM  Run network scans
2:00 PM – 2:59 PM  Check helpdesk tickets
3:00 PM – 3:45 PM  Install patches
3:46 PM – 4:30 PM  Tune IDS/IPS
4:31 PM – 6:45 PM  Administrative crap
6:46 PM – 7:30 PM  Drive home (maybe)
7:31 PM – 7:29 AM  Worry

That all got a good laugh, but I assured them that this is often not far from the truth, and this was not everything a security manager had to deal with.

To give them a more in depth look from the technical side, I reproduced my post about all the many and varied security devices a security manager has to work on (IDS, IPS, firewalls, routers, switches, email gateways, etc.) and the maintenance on them.  Then I hit them with the many non-technical issues a security manager has to deal with, like employee issues, meetings, project management, budgets, etc. I could see that many in the room had not thought about those as being security manager tasks.

I went a little deeper into the amount of research a security manager must do and how much training (user, IT employee, and self) must be done and kept track of.

Then I talked about the compliance issues that security managers deal with. I did it without going too deep and boring them, but I wanted them to realize how important compliance was in today’s world (especially PCI).

I talked about how security managers prioritize projects, though I honestly said that I could not really talk about how others do it. I described how I tried to keep a schedule as best I could, and how it was typically unsuccessful because of everything that popped up during the day.

Then I spoke about what makes a successful security manager and how admin crap was necessary to the job but tended to take away focus on securing the network and could lead to security problems.

Then I produced a list of what talents and skills a security manager must have to be successful:

• Has strong technical skills and knowledge
• Has strong documentation skills
• Can talk to employees and exec’s in layman’s terms
• Can lead and mentor a team
• Has strong project management skills
• Has the talent and the patience to deal with corporate politics

Before you start commenting and adding to this list, realize that my purpose here was to show just how varied and wide a security manager’s job must be. And I admitted that I was not good at the last one and that it was the main reason I got out of the security management role.

Finally, I told them about how they could help the security manager. My answer was, “Give the gift of time” (if you see this in any of the Alert Logic marketing materials anytime soon, I told them they could have it – it’s not really unique, but they liked it).

I explained that good reporting capabilities for any type of device and service such as theirs is one of the most essential time-saving tools a security manager can have. Give me a pretty (and functional) portal that I can place in front of my CIO where he can run his own reports and leave me alone, and I will pay a couple more grand right up front.

Also, make the device such that it actually contributes to security and is not just a compliance widget.

There was some other stuff, but a lot more came out in the Q&A session after the presentation that was great.

  • I told them that cold-calling sucked very much bad.
  • I told them to not just ship a POC box out and expect it to get installed and demo’ed in the month that is typical (help out with the install and keep in contact).
  • I told them to sell through channel partners (resellers) instead of direct and use the resources (SE’s) provided by channels.

That was basically it. I felt very good about it, and I received several positive comments. I’ll talk about Alert Logic as a product sometime soon (from what I have seen of it).

Vet

Speaking for the AlertLogic sales people

I have a speaking gig for the Houston office of Alert Logic today.  I will be talking to the sales team to let them know about the job of a security admin / manager and how they can help him / her in the job.  I will try to discuss the points of the talk later this afternoon or tomorrow.

Vet

Rothman rants about vendors – I say Amen Brother!

Mike posted some rants about his vendor pet peeves this morning. I like these two a lot:

Don’t spend time on your background – In 90% of the cases, I’ve trolled your website before our briefing. So I’ve read the executive bios. You don’t have to tell me you did this or did that. I pretty much don’t care. If there is something interesting in your background that I want to discuss, I’ll bring it up. I’m not a bashful guy.

Where’s the beef? – Especially if we’ve spoken before, just get right to it. You’ve asked for my time, so don’t waste it by telling me stuff I already know. Give me a 2 minute update on your business (which may take longer if I have questions or want clarification) and then tell me why I care about your news or ask for my advice on something you are thinking about. Not much annoys me more than hearing stuff I already know.

Mike is an analyst, and vendors want him to talk about their stuff. But it is amazing that the pitch is the same if you are an analyst, an in-the-trenches professional, or a sales engineer like me. Basically, vendors have this desire to tell you everything about the history of their company. History is important, make no mistake. But like Mike says, if you are coming into my company with a pitch, I have already done my research.  Just get to what needs to be said.

As a sales engineer, I try to know my customer.  The vendor should make the same attempt by asking me to whom he is going to be speaking so he can modify his pitch.  And I watch my customer when the vendor is pitching.  If the customer is more technical, and they start looking kinda bored and start twitching or something, I pick up on that and push the vendor as needed.

Basically, get to the good stuff.  If the customer wants the fluff, he will ask for it.
Vet

Generalist vs. Expert

I have been thinking about the idea of generalists vs. experts in security (which probably translates into any field). I tend to look at the generalist as a jack-of-all-trades (joat), where the individual knows a wide range of subjects. Some people would say a mile wide and an inch thick, but I think generalists are often much more knowledgeable than they are given credit for. The strength a generalist can lend is a wide variety of experience to help solve problems in many areas. The weakness is if you need a very focused skill or knowledge base, the generalist will probably not have it.

A specialist (or expert) is generally looked at as an inch wide and a mile deep. But unlike the generalist, this is probably a fair statement for most specialists. This person is extremely knowledgeable in one or two areas. The expert can give you advice to likely solve any problem that arises in her area. But experts tend to be very tunnel-visioned and may not be able help in other areas.

I would say that a generalist has the advantage of being able to fit in many organizations, so the career path for such an individual may be better because of this. I know that I have a fairly broad knowledgebase, and it has helped me in my career because I had experience in a lot of different areas.

However, from the direction of value to the industry, I think experts have an advantage because they can answer in depth questions with much more certainty than generalists can. If you frequent forums and knowledgebases, you will find that the questions asked there are almost always very pointed questions about a particular product in a particular scenario. This type of question plays into the specialist’s hands.

As an example, I can see a huge value in the expert knowledge of the people in Accuvant’s assessment practice.  These people totally kick ass in what they do, and it adds a HUGE amount of value to Accuvant’s offering.

I think generalists tend to end up in roles like security evangelists and pre-sales engineers (though I know a couple of SE’s who are very broad and deep in their knowledge of security).

So I guess you can argue this all day without coming to a consensus.  And though I have essentially taken the generalist path in my IT and security career, I don’t think either is “better” than the other.  It really depends on your proclivity and your basic talent.

Vet

Security Blogs and Politics

Before you read this post, go take a look at my “Rules” for my blog.

OK, now that you are back, let me piss off some people.  During this election season, I have to say that most of the security bloggers out there stayed out of the fray by sticking to what their blogs are about, namely: security.  And my blog rules state that I will do the same.  Basically, if you want to discuss a law or other political issue that pertains to security, then fine.  I will do the same.  Martin McKeay and I have had our friendly blog disagreements concerning phone tapping, phone tracing, tracking terrorists, and privacy stuff.  Alan Shimel and I have done the same to a degree.  All that is fine because that kind of stuff is relevant to security.  You can make judgements and assumptions as to our political leanings based on what we have posted (and maybe the region of the country we each live in), but that is no guarantee as to where we stand because we have made no definitive statements on the subject (I haven’t read all of Martin’s or Alan’s stuff, but I haven’t seen it in any of the stuff I have read).

I say this because I read a couple of posts from security bloggers during this last election season that, in my opinion, are just a little off.  One post was by the Great One, Mr. Schneier himself.  He says he is glad to see the Republicans get some of the brunt of the electronic polling problems.  He backs off of that kinda quickly, but it shows his bias clearly.  Another is by a blogging buddy of mine, Christian Koch (might not be a buddy after I write this, but I hope all is still well).  In his post, he doesn’t even try to hide his feelings at all (not saying that he should have to, but you will see where I am going with it below).

First of all, I want to say that I respect everyone’s views, even if I don’t agree with them or understand them.

Second, if you have a blog, then it’s your fingers doing the typing, so you have full freedom to write about anything you want.  I get that, and I would never say you can’t. 

However, don’t we, as security bloggers, owe it to our readers to stay a level above all this mud slinging and give content that is relevant to security?  It seems a tad bit like false advertising if you have a blog that is advertised as a security blog and you use it to blast a politician or a political party because you don’t like their politics.

And another reason not to show which side you are on is because it tends to taint your readers’ opinions of you from then on.  If you try to come at an argument with logical, non-biased opinions, your debate will still be tainted by your blatantly-stated political beliefs.  That is no better in my mind than if you stated that you liked TippingPoint IPS better than anyone else’s, then tried to go into a debate about IPS products and tried to stay neutral.  There is nothing wrong with stating your opinion on the matter because you are free to say what you want.  But your opinion will be tainted from then on.  And you would never again be able to be neutral on the debate (at least, not for a long time) because you can’t switch to neutral once you have got in gear.

Anyway, my two cents’ worth.  You may think I am just frustrated because I did not like the outcome of the election.  But you really can’t make that statement, because I have never said which side I am on, regardless of how many clues you think I have given.  So there!

And Christian, just to hopefully ease hurt feelings, I thought the cartoon in your post was pretty funny.

Vet

Wikipedia used for spreading malware

This article just kills me.  Wikipedia is about as reputable and reliable as a submarine with screen doors, yet people continue to go there for info.  It amazes me.

Another thing that is funny is that Wikipedia was mentioned in a play at my church this weekend.  Our church has a big Sunday School group that is made up of the kids and their parents.  There are lessons that have skits, etc. in them.  One of the actors was playing a kid who was doing research for a school project, and he said his parents told him to use “The Google” and to stay away from Wikipedia.  I laughed out loud, I thought it was so funny!

Vet

How to be a better SE

A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager.  It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site. 

Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.

So, how to be a good SE.  First, let’s define the term “SE”.  In many to most cases, that term means System Engineer.  In my case, it means Security Engineer.  Both perform the same function, however.  At least they do in what I am referring to here, and that is in their pre-sales role.

A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there.  This may be the perception, but it is almost always not the case.  The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth.  For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.” 

If you can’t tell, I have been reading “The Dilbert Principle”.

But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs.  That is also the salesperson’s job.  And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there.  A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind.  So the SE has to be that buffer.  And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.

In case you didn’t get that, I’ll type it again.  The SE is EXPECTED to be the buffer.  That means that the SE is expected to be honest in his appraisal of the situation.  He is looked at as the guy who works for a living, just like the technical people in the trenches.  He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc.  Even if the SE has never held a true operations type job, he still will be perceived as such.  That perception is what garners trust in the SE, and that trust CANNOT be broken.

What many people may not know is that pre-sales SE’s typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either).  And just like salespeople, SE’s with VAR’s (like me) are often approached by manufacturers with incentives to push their product (these are often very good – money, electronics, etc.).  This is called a spiff.  These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.

But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation.  Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it - and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront).  But you must be able to look long term.  The desire for an immediate reward must be superseded by the customer’s needs. 

And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE.  It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most.  That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems.  So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.

So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first.  You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward.  The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.

Vet

Weighing in on the Counterpane acquisition

Everyone seems to be commenting on the Counterpane acquisition by BT.  But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.

First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane.  They pitched to me about a year ago, and I was singularly unimpressed to say the least.  The sales person talked like she had been on the job about a week.  I don’t mean to be nasty.  Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought - maybe she was just too stunned by my dashing good looks to get her thoughts collected – hmmmm).  But no matter what the case, she really seemed to have zero clue as to what she was saying.  And I expected a little more from Counterpane.  That was my first clue that they were not doing too well.

Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me.  So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions.  If the latter reason was the case, then that also did not show positive for Counterpane.

And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point).  They just didn’t have anything that floated to the top.

The point is that an MSSP is an MSSP is an MSSP.  In the finer points of the trade, that statement is probably not totally true.  But in general, they all do the same thing.  So you have to have some fine point that makes you different, better, or just cooler.  And they did not have it.  By the way, I also met with LURHQ and Solutionary.  They all had somewhat the same stuff.  Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.

Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them.  First, just look at this page from their website.  Second, when they talked to me, they seemed to want to push their professional services down my throat.  They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services.  This is what they seemed to think gave them the edge (I alluded to this above in point 1).  And I honestly got the feeling that was a key area that they were trying to develop heavily and on which they planned to spend some focused resources.  Maybe I put too much stock in what a couple of sales types were pitching.  Maybe they just picked up on something and thought they should pitch that side heavily.  But the way they spoke of it, I was literally waiting for an announcement with them changing focus.

Before I go on, I have to admit that this next point is a little bit “analyst-ish”.  I ask forgiveness from the people in the trenches.  OK, here goes…

Third (and this is again with all due respect to Mr. Schneier), you cannot bank your business on a hero figure, even one such as Bruce.  Yes, he is a security master and a legend.  Yes, he is brilliant.  Yes, he could whip Chuck Norris in a fight (uhhh, went too far – sorry).  But that really can only carry you so far.  You have to produce and keep producing.  You have to differentiate, especially in a field where most of your competitors are offering essentially the same services.  A name just is not enough.

So, that’s my take on the deal.  I honestly was not at all surprised to see this happen.  I think BT is basically doing what the market is demanding, and they went the cheapest route possible.  No more, no less (crap, another analyst comment – I need to watch that).

Vet

TV / Movies and security

I’ll be the first one that says TV shows and movies are hardly based on reality.  But when they screw up something that is near and dear to me, I get very upset. 

For instance, I was in the Army and Army National Guard for over 7 years.  Though I was never a career soldier, I still took it seriously, and I still do today.  Maybe too seriously.  I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer – that mistake is in too many military movies).

This feeling also bleeds over big time into my chosen profession of information security.  There is a new show on NBC called Kidnapped that I have been watching and enjoying for the last few weeks.  Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.  There are all kinds of twists and turns in the plot.  The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him. 

Anyway, last week the family’s hired gun (ex-military, police dude, etc.) gets asked by the FBI for help.  They want him to apply for a job with a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.  The guy goes through some weird psych-interview, then he is placed in front of some computer by himself that has a program running with pictures flashing.  The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.  Of course, I am thinking, “where are the cameras that should be watching this guy?”

Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blue prints of the inside of the building (which that type of company probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.  There are racks of servers, switches, etc.  Then he sticks another device in the “mainframe”, and away they go.

He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.  They capture the screens (with all pertinent information on the first screen – nice, huh?), thus saving them the effort of searching through records.

Yea, ok, right.  I know it probably shouldn’t bother me, but that just pisses me off.  At least TRY to make it somewhat real.  I think even a layperson without security experience would probably be thinking, “where’s the security here?”

Sheesh.

Vet

Spammers getting ultra-sophisticated

Go check out this article at Dark Reading.  Looks like this group is creating a botnet with a trojan that has a cracked version of Kaspersky AV to clean machines (except for itself, of course) to make sure it gets all the bandwidth it can to send out spam.  It is called the SpamThru trojan. 

This is crazy.

Vet

In training today and tomorrow

I will be in training today and tomorrow on Bluecoat. 

I am impressed thus far, but I am having some serious trouble staying focused because I keep getting calls on the RFP I posted about yesterday.  Oh well, the life of a pre-sales SE.

Vet 

Selling security to government may be profitable…

…but it is also one big pain in the neck!  I have been thrown into the process of answering an RFP (request for proposal) for a city government down here in Texas, and I cannot begin to tell you how tedious and ridiculously complicated the whole process can be.  RFPs can be complicated enough with corporations.  But when you get one from a governmental entity, you have so many other things to worry about (there are a ridiculous number of special considerations and conditions when you do work for governments).

Another thing I am finding out first hand is that many government workers (not all, but I wouldn’t think it too far from the truth in saying most) are functionally inept in their positions, at least when it comes to technical matters.  Though I have had some inkling of this from talking to peers over the years, it amazes me when I see it so closely. 

First of all, the RFP is very poorly written.

Second, it is incomplete.

Third, when you try to ask questions to work out the inconsistencies, the answers are often, “Because I say so”, or “Don’t question why our network is setup as it is.”

I don’t know if we will win this contract or not.  If we don’t, then we have wasted a LOT of man hours.  I guess it is worth the payout if it happens, but I have to wonder if anyone has figured out the cost of NOT getting one of these and compared it to the potential profit.  I am sure someone has. 

And if you are thinking that I make a salary, so it doesn’t matter, then think again.  I have about 4 projects for which I am either scoping or actively talking to clients to complete.  Two of these are sure things, and two are 50% or above on probability.  And these aren’t some small deals you can just sneeze at.  There is good money to be made here. So the more time I do this dang RFP, the less time I am working on some potentially good profit for Accuvant.  All to work on a deal that no one has a good idea whether it will come through.

Oh well, business is business!

Vet

IE7 breaks Juniper SSL VPN

For anyone not aware, the new IE7 is going to be pushed out auto-magically by MSFT with auto-updates.  Juniper does not support IE7 or Vista yet with its SSL VPN product.  Here is the release by Juniper:

PSN Issue : Microsoft will soon be releasing Internet Explorer Version 7 (IE7) and Windows Vista. 

Solution: Please be advised that neither IE7 nor Windows Vista are supported in the current releases of the Juniper SSL VPN Products (IVE/SA products). The following plans are in place to add supportability.  

* IE7 support will be added to the IVE 5.3 and 5.4 branches in maintenance releases in the month of December.

* Windows Vista support will be available in Q1 2007.

We recommend that users of the IVE/SA products do not upgrade to IE7 until the appropriate release is made available and is installed on your device. 

Microsoft offers a tool that will prevent the auto update of Windows machines to IE7. Please see Microsoft’s web page for more details.

If you use Juniper’s SSL VPN, download this tool (issued by MSFT) to block the download of IE7.
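A quick way to confirm the block actually took on a machine before IE7 starts arriving through Automatic Updates, as an added example that is not from the original post, Juniper or Microsoft.  It assumes (from memory of what the IE7 Blocker Toolkit writes; verify against the toolkit’s own script) that the block is the DWORD DoNotAllowIE70 = 1 under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0.  Run it as an administrator.

```powershell
# Added example, not from the original post, Juniper or Microsoft.
# Assumption: the IE7 Blocker Toolkit's block is the DWORD DoNotAllowIE70 = 1
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0.  Check the
# toolkit's own IE70Blocker.cmd before relying on these names.

$BlockKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0'
$BlockValue = 'DoNotAllowIE70'

function Test-IE7Blocked {
    # True only if the value exists and is exactly 1 (anything else = not blocked).
    $item = Get-ItemProperty -Path $BlockKey -Name $BlockValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$BlockValue -eq 1)
}

function Set-IE7Block {
    # Idempotent: create the key if it is missing, then write the DWORD.
    if (-not (Test-Path $BlockKey)) {
        New-Item -Path $BlockKey -Force | Out-Null
    }
    Set-ItemProperty -Path $BlockKey -Name $BlockValue -Value 1 -Type DWord
}

function Get-IEVersion {
    # Installed IE version; if it already begins with "7." the block came too late
    # and the box needs the Juniper-supported release (or an IE rollback) instead.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    return $ie.Version
}

if (-not (Test-IE7Blocked)) {
    Set-IE7Block
}

"IE version: $(Get-IEVersion)"
"IE7 auto-update blocked: $(Test-IE7Blocked)"
```

The registry block only stops the Automatic Updates / WSUS delivery of IE7; a user who downloads the IE7 installer and runs it by hand is not stopped, so pair this with whatever software-restriction or change-control policy you already have for VPN clients.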

Vet