Friday, 31 August 2007
Data Nirvana
Rich is going to blog some more on this in the coming days, so I won't add anything he hasn't already said to this précis, but I have been finding it increasingly difficult to keep up with him and Hoff with their ping-pong evolution of data security over the past couple of days.
I like to think of myself as a tool, in fact people often say to me: "Rob, you're a tool." So obviously that helps.
DLP = data loss prevention technology. There are a few players in this space, Vericept and Vontu being two that spring to mind. They are essentially passive endpoint filters which sit and monitor all data which is leaving and entering a closed system. The closed system needs to apply its own classifications to data to prevent leakage or data loss. Hoff thinks it's a feature, not a product, which I only agree with long term. For now, it's a product in itself, and an important step on the roadmap.
CMF = content monitoring and filtering. As Rich says, this includes an extra step, where data at rest can be searched and classified.
CMP = Hoff's expression, content monitoring and protection. The next step in evolution, where the two are combined, so data already in the file system is protected when the solution is put in place, rather than waiting until each file is accessed. This is maybe why Hoff thinks DLP is a feature. Of CMP, it would be. However, so would encryption, key management, integrity, policy management, data classification, etc.
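To make the three definitions above concrete, here is an added toy example of my own (not code from any of the vendors mentioned). It assumes a constructed three-file share, a constructed classification rule that anything under /share/finance/ is confidential, a constructed policy table, and example.com as the internal mail domain. The CMF step scans data at rest and records a label plus a fingerprint per file; the DLP step inspects data in motion by content alone; the CMP step is the DLP check consulting the at-rest inventory, which is what catches a file that carries no tell-tale keyword but was classified by where it lived.

```python
import hashlib
import re

# Constructed sample corpus standing in for a file share ("data at rest").
SAMPLE_FILES = {
    "/share/finance/q3-plan.txt": "Q3 pricing plan, do not distribute.",
    "/share/support/refund.txt": "Refund card 4111 1111 1111 1111 for order 8812.",
    "/share/public/readme.txt": "Office hours are 9 to 5.",
}

# Constructed policy: what to do with each label when data leaves the company.
POLICY = {"PCI": "block", "CONFIDENTIAL": "block"}
INTERNAL_DOMAIN = "@example.com"  # assumption: mail to this domain stays inside

# 13- to 16-digit runs, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so a random run of digits is not flagged as a card."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str, path: str = "") -> set:
    """Assign labels from content (keyword, card number) and, at rest, from location."""
    labels = set()
    if path.startswith("/share/finance/"):  # constructed location-based rule
        labels.add("CONFIDENTIAL")
    if "CONFIDENTIAL" in text.upper():
        labels.add("CONFIDENTIAL")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("PCI")
    return labels


def fingerprint(text: str) -> str:
    """Whole-document fingerprint over whitespace- and case-normalised text."""
    normalised = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


def scan_at_rest(files: dict) -> dict:
    """CMF step: classify every file in the share and index it by fingerprint."""
    inventory = {}
    for path, body in files.items():
        labels = classify(body, path)
        if labels:
            inventory[fingerprint(body)] = {"path": path, "labels": labels}
    return inventory


def inspect_outbound(payload: str, inventory: dict, destination: str) -> tuple:
    """DLP step on data in motion; passing a non-empty inventory makes it CMP."""
    labels = classify(payload)              # content inspection only
    known = inventory.get(fingerprint(payload))
    if known:                               # CMP: labels learned from data at rest
        labels |= known["labels"]
    if destination.endswith(INTERNAL_DOMAIN):
        return "allow", labels              # internal traffic is not leakage
    for label in labels:
        if POLICY.get(label) == "block":
            return "block", labels
    return "allow", labels


if __name__ == "__main__":
    inv = scan_at_rest(SAMPLE_FILES)
    for body in SAMPLE_FILES.values():
        print(inspect_outbound(body, inv, "bob@partner.test"))
```

Note that the fingerprint only matches a file sent verbatim; the finance plan sent with a word changed slips through, which is exactly the gap that policy management, classification carried as metadata, and so on are meant to close.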
To make the full product, there needs to be a platform to build on, and there are yet more features needed. This is something I've started to pick Rich's brains on already; he's talked about policy and workflow management. This is something I want to pull Hoff into if he will oblige. In my opinion there are a couple of ways this could unfold. As Rich says, EMC with Tablus could become a market force, and as they seem to be the biggest in the market right now, I expect they will be. I would like to see their roadmap and plans for addressing the market.
There is a company in the UK called Njini who are doing data classification right now, with nothing fancier than that. They are focusing on de-duplication, which is a real business driver, with a real ROI, not a "Security ROI", i.e. it provides a GAIN, not just a prevention of possible/probable loss. There are plans afoot to develop this into a full data management system, where classified data can have encryption, integrity, compression, etc. applied as required.
I know of at least one other security company who are heading down the classification route, and I think it's a good move, because it makes business sense, not just security sense. I'm not sure EMC have got this yet, and are just going to add Tablus functionality to their high end storage. I would like to be proven wrong, but as far as I've seen so far, EMC really don't get security properly. In which case, someone else could undercut them, and their storage positioning, before they notice.
That someone else, again, in my humble opinion, could be someone small, and therefore might not make an impact; it could however come from somewhere better positioned from the get-go.
Just a hypothetical question here, but what would happen if Microsoft implemented a proprietary data classification system in every Windows release from now on, included the code in the next set of Windows Updates even? How simple would it be for them to control storage then? How many of the encryption companies and integrity providers would want to be part of that? How much WORM storage kit would become redundant overnight, or at least require a total shift in marketing?
Is this what EMC are trying to achieve? Undoubtedly. It would give them a stranglehold on the storage industry like never before, but can they do it without the help of Microsoft? I don't think so, but then I think that's exactly what SISA is about.
You tell me, I may be barking up the wrong tree entirely. People often say to me: "Rob, you're barking." There have been tree references made, how wrong it is, and how far I am up it. So that helps.
Wednesday, 29 August 2007
Ambiron TrustWave acquires OneSec
"CHICAGO AND LONDON (August 29, 2007) – AmbironTrustWave, a leading provider of data security and compliance management solutions worldwide, has acquired London-based One-SEC Ltd. (One-SEC), the leading provider of Payment Card Industry Data Security Standard (PCI DSS) compliance solutions for businesses and organizations in Europe, the Middle East and Africa (EMEA). The deal is closed, and its terms will remain confidential." The full document can be read here.
ATW have always been of special interest to me since I worked with Heather Mark at Vormetric, and more recently when I started contributing to PCI Answers with Mike Dahn. Mike was a top Ambiron consultant and Heather was the founder of a company acquired by Ambiron prior to the TrustWave takeover. They both did well out of the merger and now run a new consultancy together in the US, Aegenis, along with Heather's husband Chris, who I have yet to meet, but am assured is on equal footing in the brains stakes having held a senior security position at MasterCard. A pretty powerful bunch there... but this post is about ATW and OneSec.
OneSec I have met on several occasions; they are a great bunch of guys to hang out with at conferences. I've had several conversations about log integrity and whether they should be running with TripWire AND Kinamik, rather than just TripWire. Even when TripWire agreed that Kinamik did something different, OneSec were skeptical about the value added. They know their business extremely well.
When I last spoke to Brooks Wallace at ATW, he revealed to me that they had their own technology, but he would look into it. That was the last I heard from them. Maybe it's time to pick up the phone again...
Tuesday, 28 August 2007
Interview with Rich Mogull
I had the great fortune to catch up with Rich Mogull on his recent departure from Gartner. Without too much preamble, here's what transpired:
RN: So, Rich, the question on everyone’s lips, why did you decide to leave Gartner?
RN: Most people dream of the day they could think Gartner is stale. Did they try and make you stay?
RM: My managers were great and very supportive, if disappointed. Leaving is never easy.
RN: Back to blogging about data security on a permanent basis to influence the industry then?
RM: I won’t be limiting myself just to data security. Data security is really morphing into a data and application security stack, since the ties are so close (at least for structured data).
RN: Talking of the industry as a whole however, what's your opinion at the moment? Where can I make some money?
RM: We’re also in a confusing time for security pros as the career tracks morph; and that’s something I want to write a bit about.
I think it’s all just the pain of one of those industry shifts that hits every now and then. Melissa and Code Red ushered in the days of network security and AV, and showed us that if you don’t secure the network, you can’t do business anymore. Today we’re seeing the twin attacks of compliance and web application/phishing/data exploits drive us towards better application and database security. Compliance is also forcing some of that professional shift since we’re having to deal more directly with executive management and learn to speak their language.
And it’s not like things will settle- the expanding proliferation of consumer devices and services is forcing us to rethink how (or if) we lock things down. That wave is hitting even before the compliance/data breach wave ends.
RM: It’s all good, just a little painful at times. I like to think of it as job security.
RN:
RN: Ha ha. Good job there's nothing funny about your name or I'd have you on that.
Thanks Rich for a thoroughly entertaining and informative interview. Good luck with wherever the wind takes you, and keep in touch. I look forward to many arguments.
Endless suffering of the security brains
Where Web2.0 (and no, I don't approve of the term, but it serves a purpose) is made up of applications bringing together data and applications in new ways, to create new workings of the web as we know it, so hypervisors, virtual machines to you and me, do the same in a more localised environment. Thankfully, Mogull's back on the scene, and finished Hoff off before I even woke up this morning, with a "dump the problem to hardware". But it seems that you don't even have to be that concerned about the hardware if you have a reliable secure framework.
The guys at Matasano, more precisely Thomas Ptacek, have all the info on this, which is worth reading a few times. Slowly. And then again. I'm on at least my fifth reading by now, and I learn more each time. By now you will have seen the Black Hat presentation from MC telling how they can always detect the BluePill rootkit, and it is evident that their Samsara offering is THE thing which I said I had no idea how to create. A framework for detecting virtualised malware. How I wish I'd been at BlackHat.
[Note: I find it ironic that Samsara is a term used in Buddhism which can mean not only "cyclic existence" as I believe is the allusion which Thomas et al were aiming for, but also "endless suffering", which may be closer to the truth for them. And what's with all the buddhism/security stuff around at the moment?]
Thomas, having put in what seems like a lifetime of research from the quality of the results, comes to the conclusion that:
"Hypervisor rootkits are not a major threat." What? Why didn't you just say that in the first place? Why on earth put all that effort into just proving Joanna Rutkowska wrong? Should we all carry on looking at something else...? Hang on!
Hypervisor rootkits may not be a major threat, but Web2.0 security is a huge problem. Can we apply what we know here to "the Internet" as described in my original post? I believe this is what Mark Curphey is trying to do with SourceClear, and I really believe it is the way forwards. I've been a believer in such frameworks for some time, but as Rich will probably point out at some stage, there's really very little in the way of business drivers for such things to be deployed in any great mass.
I'd like to see Microsoft and/or VMWare pick up Samsara/SourceClear and any number of other security frameworks, not to improve business in any way, but to improve the future of security. To make our conversations more interesting if nothing else.
As Rich says, can we talk about DLP again now, or CMF (content monitoring and filtering) as Chris has dubbed it? I've also used this term since then because I like it and it seems to describe a much more specific problem. Now I'm satisfied that all of this hypervisor and Web2.0 stuff can be ignored, I'm back to playing with the data.
Saturday, 25 August 2007
A bit of news...
A couple of weeks ago I got a mail from someone I admire a great deal. Since I've started blogging, he has encouraged me, let me pick his brains when he's got far better things to do, and coached me around some pretty tricky subjects, including his recent departure from a pretty high profile job. Why did I need coaching around HIS departure? I hear you ask. Who the hell are you talking about? I hear you cry. Well, if you stop talking a minute, I'll explain.
One of my very first entries on this blog mentioned how I'd followed Rich Mogull for many years. I still do wherever possible, although Gartner had made that difficult with their "gagging" of analyst blogs. I still regularly make comment entries on his blog however, just so he doesn't forget me. I guess I pestered him enough to talk to me, and when I joined my current company he very graciously agreed to speak to me about what I was doing.
I've still never met Rich in the flesh, we've never been in the same country at the same time since he's known who I am, to my knowledge. However, when Rich handed in his notice to Gartner a couple of weeks ago, he emailed me to let me know. "You may have already heard..." he started. I hadn't, so I was pretty startled to be getting an email of what must have been a pretty personal event. I imagine, therefore, that a few others in the security community got a similar message.
Quick as a flash, with my reporter's nose for a story, I asked if I could write something about it. He asked that I keep it quiet until he announced it himself. Someone at Ziff Davis had scooped it already, which was somehow roundly ignored by everyone in the SBN (maybe because Rich emailed us all). But now the covers are off! For 2 weeks I have been biting my tongue and wanting to tell everyone. Well Rich, I managed to keep it secret. My wife knew, but not being in security, and although she was interested to meet a rich mogul, I think she was thinking more Hollywood.
As a concession to not getting the scoop, and being good with secrets, I blackmailed Rich into giving me an "exclusive" of my own. When I get back I will be printing a short interview with His Mogullship, which I am genuinely excited about.
That's just one of the exciting pieces of news to come in the next 2 weeks. It doesn't get much better than this, but it should remain interesting...
Mrs. N's just finished her cocktail, so I'd better be off.
Friday, 24 August 2007
Just before I go...
I think I may have just broken the terms of his contract.
Hasta luego hombres! :)
Dunmoanin
So, with apologies (and thanks where they've put me straight or just put up with the rant) to Mike Rothman, Evan Schuman, Richard Stiennon, Rory McCune, and everyone else I've inadvertently growled at in the last month or two, I'm off for a rest. I've been under some stress and I've needed to make some changes. I will be revealing some stuff in the next couple of weeks which will make you go "Aha!", or at least "oh, right, stupid sod."
On another note, I've started receiving comment spam, so I've turned off the free for all commenting and everything has to be approved before it's printed. Boring for me, and boring for you, but if some idiots will spoil it for everyone, then the whole class will have to stay behind during lunch. Boo.
The first post after I get back will be an interview with a great man who has just stepped down from a great position, a chance for him to put things over in his inimitable way and tell us what he's doing with his life. The second will be more personal news, which should help tie together a few loose threads that I have left dangling in the previous weeks. If that doesn't tempt you to keep reading, I don't know what will. But first, I'm off for my break...
Don't tell 'er indoors, but I'm taking her away to Sitges for a long weekend. One of the most beautiful towns on the Costa Brava, steeped in history, miles of sandy beaches, and the gay capital of Catalunya. I had forgotten this until after I made the booking, but I don't think she'll read anything into it.
Anyway, I won't be posting anything for a few days, and when I get back I will be filling you in on some of the missing links you'll need to piece together these cryptic clues.