Friday, March 23, 2007

ShmooCon 07 Day One (well mid day maybe)

For those who don't believe that I'm here - here is my notebook, and official ShmooCon 07 badge. So there. Kind of my poor-man's conference two-factor authentication: something I've had for a while, and something I have now.

There also happens to be some type of Medical Professional conference here at the Wardman Park, too. The Society for Behavioral Medicine, or something like that. I can think of no two better segments of society to be co-located for several days… While milling around this morning, it was quite funny to watch each group watching the other. Kind of like wolves and sheep, maybe? TSG has set some pretty strict rules about not hacking the locals – hopefully most will comply. So far – some of the familiar faces – Simple Nomad of course (who could miss him? - interesting boots by the way), although he doesn’t know me (only met twice), and rumor has it that our own SBN Martin McKeay is here too, apparently hosting a party this evening at Chipotle over on Connecticut Ave. We’ll see if they let me in. I’m apparently way overdressed for this venue, with my Dockers and Polos. Oh well. I’ll change the color of my Polo tomorrow. Maybe I’ll blend in better tomorrow when everyone (mostly) is hungover.

Bill P

Where's Bill P? (been)

Been busy with my day job... Very busy... But - not for the next few days. I'm down in DC at ShmooCon 2007. If I can keep my wits, keep up with grading my students' work (Boston University), and keep the work emailbox down to a dull roar, I'll try doing a few posts while on the lam here in DC. Already I've run into a few familiar faces (in the bar of course), and hope to see a few more.

More tomorrow.

Bill P

Friday, February 16, 2007

The Business of IT is the Business. Period.

Wow. Great post by Mark over at the SecurityBuddha. I’ve been saying this for years (well, maybe a couple anyway). One of the biggest hindrances to effectiveness and efficiency in an IT shop is IT itself. I still see kids coming out of school, whether it’s undergrad or grad, who do not have a good grasp on what it means to be in IT. The Business of IT is the Business. Period. All too often I see organizations that can’t get out of their own way because their processes are so ingrained and inflexible. What we really need (borderline heresy from an IT guy) is more technically oriented MBAs. It’s these types that can probably bridge the gap. The days of "IT Knows Best" are long, long over… What is more frustrating - the fact that we still are not getting well-rounded IT grads, or the persistence of self-serving IT organizations? I'm not sure, but maybe it's both. I was in a conversation the other day (which I cannot share), and I swear it was almost like ObiWan was there saying "Those are not the IT services you are looking for..." as he waved his hand towards the technically challenged business folks. I happened to be with my Business partners, and the instant level of frustration was scary, and real. I felt bad, and spent the remainder of the day trying to reconnect the dots that had been scattered during that phone call. Interestingly, it is generally the IT Security guy/gal who can do that, and that shouldn't be lost on anyone. The best thing that can happen to us in our profession is that someday, we'll no longer be needed. Think about that one for a bit ;-).


Bill P

Saturday, February 10, 2007

Real Security, Anyone? Reflections and Ramblings from RSA 2007

Been going through a long dry spell here at InfoSecToday due to work, car, house, and kid stuff – but RSA seems to have shaken my pen loose, along with a social session with my friends at the Security Bloggers Network (more on that later). Four hours to ORD (Chicago), two more to BOS (Boston), then one more by car north to New Hampshire (Live Free or Die). Should be plenty of time to spill my thoughts, and to get them posted by mid to late evening. I’m going to try to get this posted this evening, so I’ll edit in the hotlinks later (lazy I know…) as well as more detail on some of my ramblings…

These early morning flights (woke up at 3:15, boarded at 5:40 AM in SFO) are a pain, but necessary if you want to get back to the East Coast before evening. I didn’t sleep much the night before (weird considering the blistering pace of this past week), and was glad I called for a car service the night before. Looking for a cab at 4:00 AM on the outskirts of the ‘Loin wasn’t something I was looking forward to. Besides – it was only about ten dollars more than the cab ride in earlier in the week. My hotel, the Diva, was above par. No – it isn’t one of the mega-chains, it didn’t have the fancy marble floors or any in-house amenities (bars, restaurants, etc.), but I can say – my stay was great. The rooms were clean and the staff was extremely friendly and courteous. What I liked best about the place was that it reminded me of my travels in Europe. Small hotel, clean functional rooms, lots of personality, and great value. And - within walking distance of lots of great food. San Francisco is a great place. No one jaywalks (a blood sport here in Boston), the cabbies are polite and don’t honk, and for a big city, it’s relatively clean.

By the way – a recent funny air travel anecdote from one of my many good friends, Steve at The Sox Jocky. While I was out at RSA saving the world this past week, Steve was in Chicago on business. On his way home (about four miles from me), he was flying back into Manchester NH. A very important note for those of you who may at some point in your lives need to fly to Manchester NH: the airport code is MHT, *not* MAN. Steve’s bags, of course, went to MAN, which happens to be the other Manchester – in England. Yes – his bags made the round-about trip from Chicago to Europe, then back to NH. All is well and they arrived home, eventually.

Well - Enough of my travelogue…

This was another banner year for RSA. While I’ve not attended many RSA conferences, I can say that they seem to be getting larger. Much larger in fact, to the point where I wonder if there should be some other venue for specific topics. A good friend (Scott) observed that there were something in the neighborhood of 300+ hours of session time, not counting the Exposition floor. At best, you would be able to attend only around 20 hours. Speaking of the floor – what was with the Jugglers on Unicycles, the ToolTime gals, the torn sweatshirt spike belted gals, and of course, the Vinyl-clad, high-heel booted FemCops on Segways? Yikes. And - on several occasions I heard the phrase from various vendors hawking their wares “…the chicks will love this…”. Don’t get me wrong – I try to not go completely overboard with the Political Correctness, but wow – “chicks”, booth babes on Segways, and spiked belts? I also learned not to keep telling the spousal unit about the booth bunnies. It made for some interesting domestic discussions.

This brings me to my three main points for this year’s event reflection. It was the year that they (vendors) realized that their ability to differentiate themselves in the market has hit a brick wall (IMO). The usual suspects were there of course, and notably some that have survived consolidation like Vontu. What struck me as the two significant themes of this year were the small startups specializing in “Risk Assessment and Management”, and “leak prevention”. I’m not sure who coined that one but it has stuck, and the ILP / DLP / ED (information / data leak prevention and my favorite – Extrusion Detection) industry had its first real birthday this year. They have actually been around for longer than that, but I think the market has only reached legitimacy this past year. The third point is based on Art Corviello’s session on deperimeterization (MS Word spell check apparently hasn’t had that one added yet – so I just did).

Differentiation seems to be becoming more of a problem in the InfoSec space, as evidenced by the return of the Booth Babes. CA continues to gobble up startups in the Enterprise space (as has Microsoft), and Cisco and the other network folks are doing the same with other niche providers of netquirky stuff. You have to wonder when it will stop or slow down. It would be a shame to have only a handful of choices – but that would make vendor management easier, wouldn’t it?

Leak Prevention is something that we all had on our tech-radar years ago, but didn’t really have either the technology or the Business Drivers to properly address the problem. Three groups have set up camp. First are the Appliance guys. Their take is to place content examiners at various choke points (generally the exit points) of the network, and block “extrusion” of that data. The next crowd are the ones that place controls on the client endpoints themselves, and ostensibly can control access to removable media like CD-R/RW / Flash, etc. Lastly – the actual hardware guys are getting into the act. I came away with evals of Authenix’s protected USB fobs, as well as one from Kingston (DataTraveler). While not easily manageable for an Enterprise without some additional layered products, they do hold a lot of promise (although relatively expensive promise when compared to the deals at the local Best Buy).

Deperimeterization sounds like something left over from the Cold War, when in fact it is yet another one of those concepts that we in the industry have been professing for many years. Dan Geer was one of the first that I heard it from, some time ago. Hearing it at one of the major keynotes this year has finally lent it some legitimacy. Interestingly enough, it may be PCI (Payment Card Industry) that finally gives this concept some legs. The PCI standards clearly articulate (among other things) the concept of network and data segmentation / segregation (section 6 in particular). If you’ve not read the PCI DSS v1.1, you need to.
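As an added illustration of the appliance crowd's "content examiner at the exit point" idea from the leak prevention paragraph, tied to the PCI cardholder data just mentioned, here is a toy egress check that flags outbound text carrying a Luhn-valid primary account number. This is example code written for this post, not anything from the vendors named above; it assumes the examiner already sees decoded text, and the sample messages are constructed.

```python
"""Toy egress content examiner: flag outbound payloads carrying card numbers.

Example code written for this post (not any vendor's product). Assumes the
examiner sits at a network choke point and sees decoded text; the sample
messages below are constructed for illustration.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate PANs found in text (separators stripped)."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def examine(payload: str) -> dict:
    """Decide whether an outbound payload should be blocked; mask what was seen."""
    pans = find_pans(payload)
    return {"block": bool(pans), "masked": [p[-4:].rjust(len(p), "*") for p in pans]}


# Constructed sample traffic (industry test number, not a real card).
SAMPLES = [
    "Order 4111 1111 1111 1111 shipped",  # Luhn-valid test PAN -> block
    "Ticket 1234567890123456 escalated",  # 16 digits but fails Luhn -> pass
    "Call 603-555-0100 for support",      # too short to be a PAN -> pass
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(examine(s))
```

A real appliance would also have to reassemble streams and decode encodings and compressed attachments before a check like this sees anything, which is where most of the product differentiation actually lives.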

*The* social highlight this year was the Gathering. This was an event conceived by Rich (and others), and hosted by Microsoft and Fortinet at the Foreign Cinema. Most of the usual suspects from the Security Bloggers Network were there: Alan (of course), Rich, my mentor Mike from Episteme, Bruce, Raphael, and more, most of whom I met for the first (but not last) time. Boy – can this crowd party. So – two things I learned about hanging with the InfoSec blog crowd – some of them can drink more than I can, and beware of bright lights, microphones and people asking questions, especially after having three or so glasses of Pinot Noir... I hope for my sake that any of those bits end up on the digital cutting room floor ;-). I tend to rant on occasion, and after being loosened up a tad, rant even more. Being up on a soapbox is second nature to me. Add lights, a camera, and a microphone – hooboy – look out. From there, we cabbed it over to the nCircle hoohah, killed more appetizers, and emptied several vats of a vicious drink called the “nCircle Slice”. It was orange, tasty, went down smooth, and was dispensed from a cooler that was refilled many times. The next to last stop was the Thirsty Bear. Not paying too much attention to where I was being taken, I didn’t realize that we had just made a really, really large circle around the western San Francisco peninsula. After several beers there (very good micro brews, by the way), the battle cry was raised – “To the W….” Which – fortunately – was right across the street. Yet more new faces and names to learn.

All in all, this was probably the most productive conference trip in some time. The combination of networking time, along with some good face time with prospective (and existing) vendors, made it worthwhile. Next on the con sched is ShmooCon in March. There was much craziness trying to get Early Bird tickets, and I eventually had to settle for the second tier when I was notified that -13 (yes, that’s a minus sign) EBs were left. I had to chuckle (a little more) when Hugh Thomson was describing his hacking of the airborne gaming systems, as it reminded me of the Shmoo signup page. Well - at least I got one. This will be my first ShmooCon, so stay tuned.

Oh – and by the way – has anyone seen the new Mac spot on Vista? “Cancel or Allow”. I was snorting water out my nose…

Bill P