May 05, 2011

Shoemaker's Children

As has been well-publicized by now, RSA Security was broken into, a fearful event because of the possibility (however remote) that the result would be compromising the security of one or more of their token customers. RSA did a pretty good job of communicating with their customers and with the analyst community, but you have to wonder what kind of realization is sparked inside. At the RSA Show earlier there was a beginning dialog that businesses should assume that they are at least partially penetrated rather than just focusing on preventing penetration. I would guess that is what RSA realized painfully. Historically businesses used a perimeter defense with a "soft" interior meaning distrust those on the outside and trust those inside. If you think you may be penetrated you have to distrust everyone and become much more consequential about examining and controlling all communications, include that which is entirely inside the business. I'm betting, unencumbered by any facts, that RSA is getting much more concerned about who does what within the company as well as from the outside. It's a good lesson for all, ideally learned before the attack.

Posted at 04:58 PM in RSA, Security | | Comments (0) | TrackBack (0)

March 02, 2011

Scott Charney: Internet Security as Public Health (take 2)

Microsoft's Security CVP Scott Charney regularly produces really provocative ideas. In the last 12 months Scott lofted the idea of treating computer infection like human infection and using network quarantine just like we do in the case of infectious diseases. He got quite a bit of feedback and he discussed that and his revised vision as part of his RSA keynote. There are a lot of infected PC's in the world that are used in BotNets to inflict all sorts of evil things. In most cases the PC owner is blissfully ignorant of the infection. So what if your PC-based VoIP phone has replaced your land line, and just when you need to make an emergency call your PC has been quarantined from the network (Charney's original suggestion). Obviously bad things could happen. In response to this criticism and others, Scott ingeniously folded in the use of Microsoft's Identity Claims architecture. A key concept here is that a user has many ways of satisfying an external request for identity credentials and which is used is entirely under the user's control. The idea here is that low value Internet uses could continue unabated on an infected computer (where the infection had been determined externally – all the security companies have lists of lots of known infected machines) but that sensitive transactions could require that some proof of health. For example, your PC is believed to be infected and you try and access your bank account. The bank replies by requesting a proof of identity that incorporates a health certificate (that could be provided by your security software). If the trusted security software believes that the machine is healthy (the security software is enabled and running with up to date signatures and a scan has been done recently) then the request would go forward. Otherwise the user would need to take a cleansing break until that certification was available. It's not as simple as the original quarantine idea but a lot more practical. It's clearly not a practical short term solution but could be an important component of improved network security and trustability downstream.

Posted at 01:54 PM in Microsoft, RSA, Scott Charney, Security | | Comments (0) | TrackBack (0)

Cancer and Security

I just finished reading The Emperor of All Maladies, a quite remarkable "biography" of cancer and the struggle to cure it. In the end, the author reasons that cancer can't simply be cured (like finding an antibiotic for a specific biological agent) because it really is our genomic evil twin, a parallel evolution of our DNA gone bad and leveraging many of the genomic innovations that got us to where we are from an evolutionary perspective. In many ways I think this is an excellent metaphor for the broad problem of IT security – our modern technology is very much a two-edged sword.  Effective defense will evolve as the technology evolves; we can only "win" if we stop making progress. One of the learnings in the struggle against cancer is that effective mitigation strategies vary significantly depending on the "stage" of the cancer (how far it has progressed and spread).  Historically we have focused on the prevention of IT attack. At RSA this year some of the discussion was based on the notion that we should assume that our systems are probably compromised (rather than pristine) and more attention should be paid to intrusion detection, mitigation and remediation as well as prevention, in which case the cancer treatment analogy (different methods depending on the stage of the infection) probably makes a lot of sense.

Posted at 01:49 PM in cancer , IT, IT Security, RSA, The Emperor of All Maladies | | Comments (0) | TrackBack (0)

The Expense of Getting Butts in Seats at RSA

When we showed up for a briefing with Cisco they apologized for the fact that they had pinned little "reserved for Cisco" notes on the chairs outside the meeting room but then explained that the chairs cost $126/day and disappeared otherwise. Our friends at RSA (the division) also mentioned the cost of the chairs and noted that RSA (the meeting) was just passing the cost on from the Moscone and not making any markup. These were sturdy chairs but not exciting chairs. It's hard to imagine them costing much more than $126. I did notice fewer places to sit than at previous meetings and maybe that's why. It can get worse in the strong union labor towns like NYC but it sounds like the Moscone folks understand the lock they have on large conferences in attractive cities and fully intend to milk it for what it's worth.

Posted at 01:45 PM in Cisco, RSA | | Comments (0) | TrackBack (0)

March 15, 2010

Cisco @ RSA

John Chambers was conspicuously missing from the RSA keynoters reflecting Cisco's decision not to be a major sponsor. The recent prominence of security in the news assured no shortage of luminaries however, including the heads of the FBI and Homeland Security. What's ironic perhaps is that Cisco emerging security message seems stronger and more broadly relevant than ever before. In the past Cisco promoted the "Self-defending Network," a fabulous tagline but unfortunately a vision that was very hard to realize (the network simply can't do it all). Last year it was an amalgam of some security announcements in the context of Cisco emphasis on collaboration ("secure collaboration" not surprisingly). This year it's Borderless Networks. On the one hand, the idea of providing access to anything from anywhere on any device isn't just Cisco's emphasis. But on the other hand, if you go beyond the marketing, this effort seems to reflect a substantial rethinking of networking for Cisco, specifically incorporating the notion that you have to consider that which is attached to the network (the user, their device, and the assets they want to use) as a fundamental part of the "network" — the network no longer ends at the wall jacks, the people and purpose are essential in order to decide what the network should do and how it should do it. Cisco hints that there is a lot more to be explained soon (with enough tantalizing substantiation to make it sound pretty interesting). Our old friend Tom Gillis who now is the GM of the product division gave the overview at the press and analyst event. What struck me was that it was more about business enablement and value than I ever remember from a Cisco talk and stayed away from the protocols and features supported by specific boxes. I guess we'll just have to wait a little longer to see where this is all going. pchristy@irg-intl.com.

Posted at 04:28 PM in Cisco, RSA | | Comments (0) | TrackBack (0)

The Cisco RSA Field Trip

For the last three years Cisco has orchestrated a customer visit to go with their RSA briefing for press and analysts, capped with a dinner for all. Maybe it's just fond memories of grade school, but I love field trips. This year we visited the Judicial Council of California and heard a wondrous tale of how an aspect of government in California actually improved. 50 years ago the California courts were fragmented and locally controlled and funded. With some insightful and patient constitutional and regulatory changes the structural issues were lessened (funding was moved to the state level), and then a remarkable IT organization (the visit) built a solid shared infrastructure and patiently nudged the various courts to use it (the courts are still the fiefdoms of the elected judges). It is a heartwarming story and there is nothing like hearing it from the team. Pchristy@irg-intl.com.

Posted at 04:28 PM in Cisco, RSA | | Comments (0) | TrackBack (0)

Reputation Wars (Déjà vu all over again!)

For those of you with good memories, you may recall that we were the first analysts to really embrace the role that network-derived reputation could (and does) play in spam mitigation. In 2003 we published a report predicting that the spam problem would be solved in 2004. Yes we were young and foolish, but there is also an important back story. In 2003 Kevin Doerr (who was Microsoft's mail abuse tsar at the time) anticipated that the meetings with AOL and Yahoo would result in the three companies agreeing to share underlying reputation information. But that didn't happen. Enough of the "business" minds decided that reputation was of proprietary value and the sharing would never come to pass. Spam wasn't solved; maybe it wouldn't have been solved even with greater industry cooperation, but the lack of it unquestionably hurt. As Scott Chasen noted to me at an industry meeting, "It's like pharmaceuticals: you make a lot more money with medications for chronic diseases than you do with vaccines." Now we seem to be repeating history with modern security which increasingly depends on cloud based correlation of multiple attack vectors to provide near real-time reputation and signatures. At RSA, Dave Dewalt proudly promoted the McAfee solution. But if you back away from the topic (1) all the security companies are doing more or less the same thing and (2) as the recent Chinese attacks highlight, we're not doing a very good job collectively securing cyberspace. We think we're at the same decision point and the right answer again is to share information and use that information to mitigate attacks in the network (always best to get close to the attacker) rather at the end points that the security companies serve. Does anyone out there really want to argue that the go-it-alone approach will work better this time or that any vendor's solution is substantially different? Security vendors differentiate by the breadth of what they cover, by their ability to make it convenient and automatic for their customers to deploy and by the price at which they provide the solution. Being able to mitigate a few attacks better is no longer the buying proposition, especially if it comes at the price of doing worse on others. pchristy@irg-intl.com.

Posted at 04:25 PM in AOL, Microsoft, RSA, Yahoo | | Comments (0) | TrackBack (0)

May 06, 2009

RSA 2009

As always RSA was a good use of our time. The meeting was definitely slower than last year and there wasn't a lot of earthshaking news, but it is still unquestionably THE security meeting and a great place for use to meet with a lot of interesting companies and people efficiently. Security continues to be best viewed as a war between the forces of good and evil, and in the last year you would have to say that evil gained ground as evidenced by things like the Conficker virus. In the end we think that Conficker will be great wakeup call because it shows so clearly that if we thought we were well-protected because disruptions like SQLSlammer hadn't returned it was very bad thinking. There is unquestionably progress being made on much more sophisticated security solutions, with many forms of sensor input and often requiring analysis and some part of the solution in the Cloud. All the big desktop security companies seem to have realized that the desktop systems that get infected in the past are likely to get infected in the future. The value of this epiphany is that they act as a great Petri dish for the early detection of new malware. The cleverest application of this understanding is the realization that pirated security software in China running on pirated versions of Windows are a really good deal as long as they report what they see back to the mother ship. Machiavelli lives!

Posted at 04:25 PM in Cloud applications, Computer Virus, RSA | | Comments (0) | TrackBack (0)

Cisco Day at RSA

For a second year Cisco organized a press and analyst event at RSA consisting of an overview to what Cisco was announcing and then followed by a field trip and dinner. Last year the field trip (and dinner) was all about Esurance, the Internet auto insurance provider. This year it was Kaiser-Permanente. Both of these companies depend intrinsically on the network, but Cisco is smart and generous enough to let the discussion range much more broadly. We visited the Garfield Innovation Center that KP has created in San Leandro where they mock up elements of clinics and hospitals and then bring in practicing doctors, nurses and other staff to test various ideas. Much of the discussion was about the fact that KP is well on the way through the conversion to paperless clinics and hospitals, and the significant health care benefits that this delivers along with cost savings, a really important topic considering that in the US we have the most expensive but by no means the best health care system, with costs continuing to spiral out of control. Cisco again delivered a well constructed event with excellent participation from a really interesting business partner.

Posted at 04:20 PM in Cisco, RSA | | Comments (0) | TrackBack (0)

April 24, 2008

Whither RSA?

RSA is a puzzling event. On the one had it's a very successful meeting, fun to attend, and brings together the IT security industry for a week. On the other hand, when we saw old friends and exchanged the traditional show greeting "What have you seen that's exciting?" and the answer in general was "not much." That's paradoxical, or at least troubling. All the vendors were there and they were spending money like Persian Princes. And the security problems are as important as ever, if not more. So if the spending is there and the problems exist, why wasn't there much new? It's a puzzlement. Part of the problem is that it's a lot harder to solve today's criminal attack problems than it was to stop worms and viruses. And the customer now wants to talk in terms of intelligent risk mitigation rather than just "preventing bad things from happening" and that's difficult too. Maybe most of the vendors neither know how to prevent the modern problems nor how their customer should justify the expense. We can hope that things will improve by next year.

Posted at 05:05 PM in RSA | | Comments (0) | TrackBack (0)

Next »

About

Our Book

Search

Archives

More...

Categories

Newsletter Archives

Infrastructure2.1 Feeds

  • Subcribe to John's Feed
  • Subscribe to Peter's feed

Email Updates

IRG-Intl