An Information Security Place

Commentary on the State of Information Security

Archive for the 'SIM / SEM' Category...

Filed under Business of Security, SIM / SEM, Security, Security Consultation, Security Education, Security Reselling

I have decided to start putting down some of the day-to-day events with this new job.  I think it will actually help stir my mind to blog more since I have not been writing near enough lately.  So here goes.

I have actually been kinda bored since my recent job change.  Though I have been getting in contact with our vendor partners and getting set up for training on products, the real action is out there selling and designing and proposing.  I really want to get thrown into the fire.

Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market.  We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here.  However, he finally got down here today, and it got crazy quickly (be careful what you ask for).

The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am.  For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG.  I made the trip in about 25 minutes, which I was proud of.

Anyway, the talk was basically an introduction to Accuvant and what we could offer.  This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day).  But to be honest, I think of the term “sales pitch” as negative.  What we did today was, technically, selling Accuvant.  However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry.  I have talked about it before, but Accuvant just seems to do things right.  Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value.  We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal.  We want to partner and grow with our clients, and this is no BS.  I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.

OK, sorry.  Anyway, the meeting went well.  We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).

The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation.  Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance.  I have seen the box and how it works.  It is very simple.  Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results. 

The next client was a partial introduction - I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms.  They are a property-management company who deals almost exclusively with apartments.  They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into.  Suffice it to say that they want a lot for little.

So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralizing them to corporate (insert Rothman negative comment here).  We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second).  To put it simply, I like this product.  I might get into that at a later date.

Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM.  Not a good time in Houston.  The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed.  However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down.  Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time.  I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.

So, that’s my day.  It was very busy and crazy, but I finally got in the mix.  I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell.  These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here).  Things are starting to pick up, so I got out of the house, and I am glad for that.  I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!

More later.

Vet

Posted by Michael Farnum on Tuesday, October 10th, 2006

Filed under SIM / SEM, Security

Mike Rothman takes issue with my SIM post.  Basically, I said that it is a good thing that ArcSight is trying to create a standard log format for SIMs. Mike disagrees.

Let it be known that I DO have a SIM in place now, and I have received some value from it.  I think the value that anyone gets from SIM depends a lot on your environment and how the SIM is implemented.  This is the same as any security product.  Is SIM living up to its expectations?  No, it is not.  I agree with Mike on this point.  But I do not believe that SIM is dead.

So I stand by that assertion that a common reporting standard for security appliances is a good thing, though I agree with Mike that it will be years before this has any real benefit because of the delay of vendors to move on such things.  I also agree with Mike that SIM does not meet expectations right now.  Vendors very clearly point out what their product will do and then steer away from those security appliances and products that it will not support, so the ol’ bull shitake meter definitely hits the high scale when they try to push something on me.  But I don’t think it is a lost cause necessarily.

Here’s a quote from Mike about SIM:

It’s all about being able to 1) prioritize efforts and remediate faster, and 2) crank out a report to keep the auditor happy. 

The point is that if we can get a common standard, number one can be met.  Should we just throw out SIM if there is a possibility of having a standard that may give us what we are asking of SIM now?  No, I don’t think so.  There can be some value now if, again, you implement well.  But the problem here is what Mike says about the timing and when we would see value.  So if you do not have a SIM yet, I would say do a LOT of research before getting one, and I would possibly recommend against it at this time (and with the advent of UTMs, you may not need to get one if you go that route).

On point two, I think Mike’s really big analyst’s hat is getting in the way.  He is forgetting about us little people!  Auditing is a REALITY that I and my fellow security managers have to deal with.  I am all about securing my network and getting everything else out of my way.  If I can satisfy an auditor and get him out of my hair by producing a report from a SIM, I am damn sure going to do it.  If a SIM makes ‘em happy, then I will spend the money.  That is value to me right there!  That may not sound fiscally responsible, but the less I have to answer questions from some dude who is reading off of a script, the more time I have to actually do my job.

So overall, I disagree with Mike that the common format is not a good thing.  I think Mike is trying to throw out SIM when there is a possibility of it actually giving a lot of value later down the road.  But if you do not have SIM now, take a long, hard look before buying.

Vet

Posted by Michael Farnum on Friday, August 25th, 2006