172 posts categorized "General Background"

February 21, 2013

Where is AShimmy at RSA?

You can feel the pace rising to a crescendo, you sense it coming. But don’t look now, RSA is just next week.  The last two months have been pretty much a blur in getting ready for the big conference.  As usual I should have done 12 things I didn’t, but the dozens of things I have done is going to have to be enough. 

I am happy to be chairing two panels during RSA week this year.  The first is on Monday, the 25th (also my 23rd wedding anniversary) at the annual and well attended Americas Growth Capital Conference, over at the Westin.  The panel I am chairing is at 11:30 a.m..

The topic is Cloud Security Services: The Evolution Continues

Here is the abstract:

With the initial gold rush to the cloud it seemed that every security vendor was pushing a cloud security service. Every security company had to have their “story on the cloud” for customers, analysts and investors. But over the months and years we have seen a steady evolution of cloud security services beyond those early “everything but the kitchen sink” strategies.

More than just putting data and analysis off premises, today’s cloud security services are truly leveraging the unique features of the cloud like elasticity, massive scale and instant on provisioning.

Just because you can do it in the cloud doesn’t mean the cloud is the best place to do it. As we move beyond the explosion of cloud security services, which types of security services are best suited to the cloud? Which cloud security services will have markets large enough to create substantial business opportunity? Which cloud security services are so disruptive that they will eliminate or replace non-cloud based security services?

Evolution can be a cruel master, only the strong survive. The losers fall into the trash heap of history. Our panel will tell you who the winners will be in cloud security services.

I am joined on the panel by:

Matthew Prince, Co-Founder, Chief Executive Officer, CloudFlare

Dave Dewalt, Chief Executive Officer, Chairman, FireEye, Chairman, Mandiant

Jay Chaudhry, Founder, Chief Executive Officer, Zscaler

Stuart Scholly, President, Prolexic

Carson Sweet, Co-Founder and CEO of CloudPassage

It should be a great panel!

Then on Wednesday I am chairing a great panel at RSA at 9:20 am in room 304 on Ipv6 Vulnerability Management: From Theory to Reality. The agenda:

Join the leading lights of the vulnerability management industry as they carry forward their discussion on the challenges of managing vulnerabilities and network security in an IPv6 network. Where last year the discussion was theoretical, this years panel will focus on actual case studies of standing IPv6 networks in govt., retail, large enterprise and the cloud.

My fantastic panel for this one is:

Wolfgang Kandek - Chief Technology Officer, Qualys
Ron Gula - Chief Executive Officer and Chief Technical Officer, Tenable Network Security
HD Moore - Chief Security Officer, Rapid 7
Tim Keanini - Chief Research Officer, nCircle
Misha Govshteyn - Vice President Emerging Products, Alert Logic

Besides that I will of course be at the Security Bloggers Meet up and Security Blogger Awards on Wednesday.  Besides that I will be in and out of meetings and sessions, parties at night and usually at the W bar before heading in for the night.  If you see me, be sure to say hi.

Enjoy RSA, let the fun begin!

Related articles
Enhanced by Zemanta

Posted at 10:08 AM in awards and PR, cloud, cloud security, Current Affairs, education, General Background, links and appearances, RSA, security bloggers network, the security industry, tradeshows, VAM, vulnerability management, Web/Tech | | TrackBack (0)

November 13, 2012

Enterprise Server Backup, 20% of the Price

One of the companies I do some consulting for Idera, had some big news today. They have just announced a major new release of their server back up product. Idera Server Backup was formerly known as R1Soft Continuous Data Protection (CDP).  It is not rebranded as Idera.  More importantly though they have added a bunch of new features and significantly lowered the price.

I should mention from the outset that a lot of this release is driven by virtualization. Virtualization is changing the backup industry.  It is hard to charge “per server” when you can have so many servers on one machine today. Or is so many machines on one server? You get the point. 

Idera has recognized that today’s commercial server market is not what it was even a few years ago. Virtual or physical, Windows or Linux, on prem or in the cloud, it doesn’t make a difference, everything needs to be backed up.  On top of this there are more apps and data then there was before as well.

With backup so critical, price points should not be a barrier to best practices either. With this release they really aren’t. When you figure in the total cost of ownership you can get an enterprise class solution from Idera for less then using an open source solution.

Idera is not a Johnny come lately to the backup market either. Through their acquisition of R1Soft some years back they have a ton of experience and expertise in this market. They are already backing up over 275,000 servers today.

Idera’s backup is available direct to commercial customers, as a service through service provider partners and through many hosting providers.  This new release could really shake up the backup market.  Check it out if you are looking for a new solution for your server backup needs. 

Posted at 11:33 AM in General Background, Midmarket, other security companies | | TrackBack (0)

April 12, 2012

When The Spam Fascists' Are Worse Than The Spam – Spam Cop

In my 20+ years of working in technology and the Internet I have learned many lessons. One of the things I have learned is that when the medicine is worse than the sickness, it is time to get a new medicine. We need a new medicine to replace Spam lists like Spam Cop.

Yesterday I was mailing with some of my fellow board members of the West Boca Tackle Football league.  I do so pretty regularly because as a board member there are always things that need to get done. All of a sudden my email was being refused by one of the ISPs of one of the members of the board.  I got that nice bounce message with a link to find out why my mail was being refused as spam.

I followed the link and it took me to Spam Cop that explained the IP my GoDaddy based email server was on was in a block of IPs that had made it onto the Spam Cop list. I know it happens from time to time and I did what I always do.  I wrote a very nice note to the admin address given explaining that I am not sure why my IP would be there, we do not spam, but would they please remove it.  It has always worked in the four or five times this has happened in all of these years.

Last night I got a long winded reply from Spam Cop by someone by the name of Don D'Minion (that should give you an idea of what we are dealing with here). Don sent me I guess his standard letter, that Spam Cop has nothing to do with blocking me email. They are not in the equation, but that ISPs are sick and tired of all the spam and “They no longer have any sympathy for the innocent bystanders, such as yourself, who are using a mail server which has found its way onto one of the several major blocking lists.”

Well I call bullshit on Spam Cop, they are directly responsible for my mail being blocked wrongfully first of all. It is their list that the ISP is using. If that IP is not on the list, my mail is not blocked. So at least have the decency and courage to get out from behind the ISP’s skirts and state the truth!

Secondly, the “screw” the innocent bystanders stuff is just wrong.  If the police said lets just start shooting because there is a criminal in the area and shot a bunch of innocent bystanders it makes them as bad or worse than the criminal. Same thing for Spam Cop. If you are not going to try and distinguish between the real people spamming and the innocent people (BTW they had a whole bunch of IPs in this particular block, I imagine a good chunk of GoDaddy folks), then you have no frigging business doing this.

The good news is the more innocent people who get blocked, the more legitimate email that doesn’t go through, the more likely the customer who uses the ISP using spam cop will leave to go somewhere else and the more likely that ISP is to eventually stop using over aggressive spam fascists like Spam Cop.

Now I know that spam is a serous problem. There are lots of good companies fighting the good fight against it. But when the philosophy becomes to throw the baby out with the bath water, it is time to switch methods.

Posted at 07:26 AM in General Background, General Security | | TrackBack (0)

March 05, 2012

Vroom, Vroom, fast cars, fast woman and security?

loglogicNow that RSA is over it is time for my annual rant on how we sell security.  As my friend Mike Rothman wrote, this years RSA was full of optimism, race cars and booth babes. The optimism was a refreshing change from the last few years of glass half empty, shoveling sand against the tide pessimism. But I don’t get the race cars and you know I don’t like the booth babes.

First the race cars. I will admit it, I am not a big NASCAR guy.  I am not even an Indy/Formula One guy. But just as I don’t mind seeing a beautiful woman, there is some sort of primal attraction of guys to race cars. My question is what does that have to do with security? 

So some security vendors (who seem to be awash in cash) find that sponsoring a race car is a good use of marketing funds. First of all I would be hard pressed to agree that it is a good use of funds, but hey its their money to spend as they see fit. That does not make it about security though does it?  Like Mike said, it is not like they were raffling off these cars. Is it that they think having a car is going to draw me over to look at it and while there they are going to sneak a security conversation in?  Seems weak to me, no?

Let’s substitute a pretty woman for the car.  Dress her scantily of course and have her hold a sign that says size matters.  You pretty much just described the Loglogic booth. So what is that about? How about you women reading this out there? How do you feel. Is there a connection here?

I have said it before and I will say it again, in spite of what my friend from ATL says. Booth babes have no business at a security conference in San Francisco. You want to do this in Vegas, I can understand it is the Vegas thing. But not at RSA, not here.

For the life of me I don’t understand what smooth tires and bumpy women have to do with security.  If your message isn’t good enough to attract the attention of the people who come to RSA, get a better message. Don’t try to compensate with fast cars and fast women. I think marketing folks who resort to these tactics need to figure out why someone would want their product or service beyond taking a picture with a car or booth babe. 

We have come a long way since the geeky dweeb who would never have a pretty girl talk to him was the norm in this industry.  It is time our marketing caught up.

Related articles
Enhanced by Zemanta

Posted at 04:31 PM in General Background, Security Incite, the security industry, tradeshows | | TrackBack (0)

March 01, 2012

Security Enters the Age of Mammals

Having spent the week at RSA observing and talking to the security industry I feel that we are on the threshold of a new era in security. After lamenting a lack of innovation and bemoaning nothing new under the sun for the past few years, I feel that over the last two years we are seeing clear KT boundary in the security space. As Marty Roesch said to me when I had a chance to catch up with him, security is entering the age of mammals.

First of all, it is obvious that the security industry is undergoing a boom time. It seems to be awash in cash. From the size of and number of exhibitors on the show floor, the sold out and over crowded meeting rooms and the amount of people who have flown in here from all over the world, it is hard to believe the economy is a factor in the security space.  Almost every company I speak to is having a hard time filling open slots for jobs. Perhaps most of all the number and extravagance of the parties being thrown this year is like no other I can remember.  Could it be that infosec has finally arrived? Have hacktavism, cyberwar, cyber espionage and high profile breaches finally put information security in the forefront of peoples wallets, if not their minds? I don’t know if I am ready to buy that yet, but something certainly seems to have changed.

At the AGC Conference on Monday it was reported that both investment and acquisition numbers are up, IPOs are once again a viable liquidity event.

More than a money trail though, speaking with security vendors it seems that they see real opportunity in the market. As Simon Crosby said on my panel Monday at the AGC conference, the old security vendors are history. There is a greenfield for new ideas, new companies and new security to fill in the niches created and vacated.

Like mammals crawling out and taking over after the death of the dinosaurs, there are new security companies that are emerging that tackle new problems and better deal with old ones. Of course it could happen that as in the past the big, old companies will buy the new small ones, but either way the optimism in the security space is refreshing.

A big factor driving this is that IT is changing the way they do business too.  Moving away from servers on the LAN. Desktops and even laptops is creating a brave new world. Mobile devices that access apps stored on virtual servers in the cloud present an entirely different set of security issues. This model needs new solutions, delivered in new form factors.

Virtual appliances have been around a while, but they are a way point and I think everyone knows it now.  Agents talking to multi-tenant back ends are being deployed all over the place in a SaaS model. But even the agent may give way to an API  that allows the security infrastructure to interface directly into the infrastructure or platform. We are seeing a change in the IT industry akin to the rise of PC. The twin titans of mobile and cloud are disrupting IT and security will be disrupted as part of it. But out of this disruption a new type of security will emerge. Like the small mammals that came out after the dinosaurs and took over the world, these new security companies will inherit the security landscape.

Related articles
Enhanced by Zemanta

Posted at 02:47 AM in General Background, General Security, the security industry, tradeshows | | TrackBack (0)

December 14, 2011

The Sleazy Dark Side of Product Reviews

Yesterday I wrote in response to Bill Brenner’s Salted Hash post about the Google-funded, Accuvant conducted browser security study which found (surprise) Chrome on top.

In my post yesterday I mentioned that one company that I thought is doing product  reviews right was NSS Labs.  Well Rick Moy of NSS Labs wrote me last night, having read my post.  The NSS Labs folks have had a look at what was publicly available.

Vik Phatak, CTO of NSS Labs has a blog post up on the subject here. More importantly Vik and team have put out a more complete analysis of problems they see with the way this study was conducted and some issues in Google’s behavior. You can read the analysis here.

It is a very interesting read and you should take a look for sure.  It certainly raises some questions about what went on with this browser study and calls into question some very questionable practices by Google. 

It just proves that product reviews are a dirty business and why any reader has to look at and weigh all factors in deciding how much faith to put in them.

Related articles
Enhanced by Zemanta

Posted at 08:33 AM in General Background, General Security, the security industry, Web/Tech, Weblogs | | TrackBack (0)

December 13, 2011

The Death of Product Reviews

English: This is a logo owned by Google Inc. f...

Image via Wikipedia

My friend Bill Brenner has a post up on his Salted Hash blog today about a recent browser security study done by Accuvant LABS. The study shows that Google Chrome was the safest browser tested. Like Bill, I use Chrome too and agree with the Accuvant study.

The problem for Bill is that the study was sponsored by Google, the makers of Chrome. The fact that they paid for this study in Bill’s mind and in many other people’s minds calls the legitimacy of the entire study into question. Even if it is correct, it just doesn’t sit well with Bill.

Frankly I have the same problems with most product reviews, bake offs, analysis reports, etc. I have written about this before as well. In my mind it is a big reason why no one seems to pay attention to product reviews anymore.

It doesn’t make a difference if it is an “independent lab” doing the testing, a magazine’s testing department, industry awards or an analyst firm analyzing the market, the first thing I look at is who is paying for it. Sometimes finding out who is paying for it is not so easy or transparent either.

To be fair, some firms like Securosis for instance will say upfront that some research they are doing is being financed by a paying customer. Such was the case when Mike, Rich and Adrian did a dive on “fact based security security metrics”. The boys said upfront and at the bottom of the page that they thanked Red Seal for sponsoring the research.

Now does that mean that everything they wrote was for the benefit of Red Seal? I know Rich, Mike and Adrian too well to believe that. But it does give me pause when I read the report to remember that fact.

But I will say that over time I have come to soften my attitude on this issue (I must be getting old). For me it is a case of forewarned is forearmed and I take that disclosure in terms of evaluating how much weight to give the research. The same way a juror has to weigh the testimony of a witness depending on their believability.

In the case of Bill’s browser study, same thing. The chances that Google had a heavy hand in the study by Accuvant is pretty low, but it is something to consider. That is just the way it is.

But for Bill and the other doubting Thomas’s out there, what is the alternative?

One alternative is what Rick Moy and the guys at NSS Labs are doing. They have turned this equation on its head. They make their money from the end user, so the vendors being tested have little to no influence.

As Bill says just because Google paid for it doesn’t mean the study is wrong, but it does give you something else to consider. But since no one wants to do these tests or studies for free, someone has to pay and that is the truth of it.

Related articles
Enhanced by Zemanta

Posted at 03:57 PM in awards and PR, General Background, General Security, marketing, rich mogull, Security Incite | | TrackBack (0)

December 12, 2011

Blogging is a Conversation

For those of you who may be wondering, yes there will be a killer Security Bloggers Meet up at RSA this year. There will also be another Social Security Blogger Awards with some new categories as well. More on those in another blog. But the reason I write today is something Rich Mogull said on our blogger meet up organizing committee call.

Rich said “lets face it, the security blogger’s community isn’t what it used to be”. While I don’t disagree with Rich, I went back and looked at some of the numbers and some of the security blogs. While Rich is right, we don’t see as many as blog posts from the community as we used to, I think we all agree that Twitter probably plays a significant role in that. In fact the Tripwire 25 most influential people in security list seems pretty skewed towards twittter users. But that being said, there are still plenty of security blog posts being posted. The SBN feed is still fresh with lots of new posts every day.

One thing I do see is many of the posts come from corporate security blogs rather than individuals. Many of the corporate blogs don’t develop the personality that a good personal blog does. More importantly what has changed is another thing Rich brought up. We don’t comment anymore. We don’t blog back anymore.

People are blogging and putting their 2 cents into the conversation, but no one is repsonding. Oh, maybe they respond on twitter, on but it doesn’t make it into the blog. Blogging has always been and will always be a two way street. A blog should be a multi-party conversation with the blogger putting forth his ideas and others responding. They can agree, disagree, or concur, but they put their thoughts into the conversation.

One of the great things about reading a hot blog post was following the thread of comments, that was where the real action took place. Whether it was a Rothman post on Security Incite/Securosis or Tom Pcatek on Matasano, a good threat with 50 comments kept you reading for more.

Now maybe Twitter is where blog comments have gone and some of the discussion. Can we have a plug in that captures the real time of twitter comments and discussions back to the original blog post? Doesn’t sound too hard.

How about writing a blog post in response to another blog post? That is part of carrying on the conversation as well. Need something good to blog about? Go look at what your community is writing and join in.

Adam Shostack over on Emergent Chaos has a post up about Threat Modeling as a result of a conversation he had with Wendy Nather, who has her own good blog post about “what your analyst wishes you knew” (and she is not talking about your psychoanalyst either).

I am going over to both of those blogs and adding my voice to the conversation. I already tweeted Wendy’s post, but I realize that is not enough. If we are going to keep the Security blogging community strong and vibrant we have to add our voice on blogs.

What about you? Are you ready to rejoin the conversation?  If so, head over to your favorite security blog and join in.  Or better yet, write a blog in response to someone else’s blog.  It starts with you and you and you.

Related articles
Enhanced by Zemanta

Posted at 11:47 AM in General Background, rich mogull, security bloggers network, Weblogs | | TrackBack (0)

October 06, 2011

Steve Jobs: It can happen to you

Steve Jobs at the WWDC 07

Image via Wikipedia

First of all let me wish my condolences and sympathies to the family, friends and colleagues of Steve Jobs.  To say he was a visionary with a profound effect on the technology world for years to come, somehow comes up short to truly describe the genius of the man.

While I was never a big Apple fan, you have to admire what he accomplished in two different stints at the company. You also have to admire his vision in buying Pixar from George Lucas and turning into yet another multi-billion dollar property.

While there are no shortage of tributes and homages to Jobs being written tonight. I wanted to go on a slightly different path. That path is to challenge the next Steve Jobs out there to go out and grab greatness.

That is right, there might be more than one next Steve Jobs out there, there are even a few not Steve Jobs out there. But take the lessons of Job’s life and his advice, go out and make it happen.

This country, this world, humanity needs more Steve Jobs. We need them to imagine, create and give us ideas and products which will make the world better. To advance the human experience in ways that make us all better.

With all of the heartfelt sympathy pouring out about Steve Jobs now, I hope it does inspire others to be the next Steve Jobs.

There is also another lesson in this all to early death of Steve Jobs. That is at the end of the day, death is the great equalizer. It makes no difference how much money you have, how much of a genius you are or even how much good you did for your fellow man.  We are all here at the grace of God. When he decides it is time to go, we have no say, we obey. That is at the end of the day the ultimate human condition that not even Steve Jobs could avoid.

Related articles
Enhanced by Zemanta

Posted at 12:38 AM in Current Affairs, General Background | | TrackBack (0)

September 22, 2011

How About A Schmear With Lo(x)cks

locksHaving gone to my share of security conferences over the years, I have seen more than my share of the “uniqueness” of the security industry.  I passed through the stage of the large multi-color Mohawks, the piercings that set off the metal detectors at TSA stations in a 75 mile radius and yes even the attraction to wearing a good, old kilt to let things “air out” a bit.

Over the years I have always liked to watch at BlackHat/Defcon all of the lock picking stuff.  I wasn’t quite sure if it made sense for HackKid Con, but hey who am I to judge if people want their kids to learn to pick locks.

However, I just don’t see why we are seeing such large crowds around the lock picking table at the recent security shows I have attended.  I mean really. Is that what we as an industry should be putting our time and focus into?  At the same time we run around as Chicken Little about how hard and insurmountable our jobs are, we devote hours picking deadbolts and other locks?

Figuring that I am just an old crab (not a security curmudgeon mind you, that is reserved for old guys with long beards) I thought I would ask some folks what is with the locks? The variety of answers confirmed my thoughts.  Security people play with locks for the same reasons dogs lick themselves, that is because they can.

Here is a sample of some of the answers I heard:

1. Lock picking is sort of like security. It is about keeping people out from what you are trying to protect, so it is adjacent.

2. It keeps my kids interested in security and that is a good thing.  My kids need to know how these things work.

3. It is a great family fun activity

4. Security people love a good puzzle and picking locks is sort of like a good puzzle. It keeps us sharp

5. We fail so miserably at protecting our networks and data, it feels good to get a “win” when we pick a lock.

6. It is just a fetish and really has nothing to do with security at all (I respect the honesty)

So, as you can see the answers were a bit all over the map. This leads me to believe we are grasping at straws to justify our behavior.  So lets just say picking locks does not help us manage risk on our networks. But it feels good.

OK, now that we have that out of the way, why stop at locks?  Andrew Storm would like a Makers Fair at his security shows.  Misha Govshteyn would like a “foodie” table. Security shows are what we make of them.

Related articles
Enhanced by Zemanta

Posted at 02:09 PM in General Background, the security industry, tradeshows | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search


Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Blog powered by TypePad
Member since 10/2005

About