Wahey! EMC brings ConfigureSoft on board

This afternoon EMC announced it had acquired configuration management vendor Configuresoft. EMC has OEMed Configuresoft technology for a while now - EMC Server Configuration Manager and Configuration Analytics manager are both ConfigureSoft products.

Now when I was at Forrester, people used to run around saying "the sky is falling, the sky is falling!" when it came to securing a virtual environment. Vendor after vendor would regale me with tales of malfeasants - usually foreigners I'll have you know - wanting to take liberties and exploit complex vulnerabilities at the hypervisor layer. Strangely enough, nobody was ever able to tell me of any breaches resulting from this.

ConfigureSoft, on the other hand, had a far more down-to-earth and concrete story. They were one of the first to realize that virtualization brought a whole new set of ways of doing things around changes, patches and configurations, and that these new ways of doing things introduced whole new sets of ways to screw up. And since screw-ups are the mother of the vast majority of security breaches, then it stands to reason that good configuration management is the cornerstone of virtualization security.

ConfigureSoft has some splendid technology and people, and having them on board really rounds out EMC's portfolio, further bridging the gap between security and IT Ops, no matter whether you live in the physical world, the virtual world, or whether like the rest of us you're floundering somewhere in between!

Interop: Security by Compliance, Karaoke and Booth Babes

So as Interop Las Vegas 2009 comes to a close, and we all go back to Normalville, USA (BTW - I loathe this place, a part of me dies every time I come here) thought I'd share my experiences.

Enjoyed many of the sessions, John Pironti did a splendid job of putting the security track together, and it's getting more and more business centric every year. It shows that even at a network show, people are thinking about security in more business terms and less about the plain old bits and bytes.

I sat on a panel entitle "Security by Compliance: Information Risk Management's Greatest Challenge" with Tom Murphy of Bit9, Troy Leach of the PCI Standards Council and Khalid Kark of Forrester. Much of the the topic was around "how prescriptive is too prescriptive?" for compliance regulations. There was definitely an acknowledgment that it's a fine line that we tread here. Tom from Bit9 lamented that if you specify a technology like Anti-Virus, then that stifles innovation and investment in competing technologies like application whitelisting, even though the effectiveness of that technology rivals (or even exceeds, some argue) that of the "blessed" one.

Poor old Troy from the PCI Standards Council took a few on the chin, but I think everyone acknowledged that his organization is doing a great job of advancing the thinking in this area.

Josh Corman of IBM coined a great phrase when I chatted with him afterward, he referred to PCI as "no child left behind". It makes sure everyone handling credit card data has at least a set of minimum controls, but does have an impact on those at the higher echelons of the security world. His argument is that prescriptive standards mean that people who used to do risk management don't any more

I reckon few people actually do true risk management so that impact isn't too great. My point is that prescriptive regulations make the link between buying drivers and controls much more explicit, and that helps security folks justify their purchases more easily, but I certainly see the merits of the counterargument.

Granted, passing an audit alone makes you no more secure than graduating from clown school makes you funny. But the thought processes and investment that audit requirements spawn must have *some* positive effect in most bases.

Talking of Josh Corman, he did a splendid rendition of "Ring of Fire" at the karaoke in the Luxor bar - it was a great ying to my butchering "Mack the Knife" yang.

Finally - a word about booth babes.Training company Rock Solid Technical was there again with their hired help playing Twister and jiggling hula-hoops while wearing naught but skimpy bikinis. Now I cannot and will not condone tricks like that (although I fully appreciate their artistic merits). However, I was able to recall the name of the company involved and what they did with very little effort - no mean feat for a very small organization tucked away in a far corner of an exhibit hall with hundreds of vendors. I suppose I'm just as gullible as anyone!

Webinar week: SIEM, DLP and Smackdowns

Show's what a great blogger I am (not!) when I forget to mention two events I was involved with this week. I mean, what's a blog all about if its not about shameless self promotion?

On Tuesday, I was part of an online panel on log management with Alert Logic, ArcSight and LogLogic.

For those who are interested - the recording is here (registration required)

My key takeaways? We've got to stop putting technology at the center of it all. We're a long way from the "analyst in a box" world that ArcSight's so fond of telling everyone about. Even if SIEM technology was as inherently smart as some would have you think, you'd have a job convincing people of that without some pretty strong proof points and examples.

I would never belittle the place of SIEM - I think it's vital to have as comprehensive a window as possible into what's going on in your security world. This "SIEM is dead" stuff spouted by log managment pure plays is just a reaction to the expectations that vendors have set about what SIEM should be designed to do. In fact, it became clear in the webinar that the distinction between SIEM And log management is becoming more blurred by the day.

What we need to remember, though, is that SIEM is at the nexus of a number of processes, around incident response, compliance management, and security strategy planning to name a few. It's about putting the right information in the right hands at the right time to make the right decision. If that decision is clear-cut and mundane enough to be automated, then so be it, but that's a bonus, not the main aim.

Also yesterday, I presented along with Derek Brink from the Aberdeen Group, as well my colleagues Katie Curtin-Mestre and Ron Kent on the integration of SIEM and DLP technologies. Again, the recording is available here (registration required)

Derek had some great stats and analysis on what leaders and laggards were doing with SIEM, and Ron Kent gave a super demo of RSA enVision and RSA DLP working together. I was just the marketing fluff monkey on this occasion.

Busy but fun week. See you all in Las Vegas next week.

Conference Season: Round Three - Interop

At this time of year, I realize how much energy goes into conferences. It's not just the time spent preparing, traveling, catching up with old friends and colleagues over a beer or three. It's the entry/exit/re-entry into domestic life and office life, and catching up on all the minutiae of life you tend to leave behind, like sleep, exercise, expenses, weekly status meetings, customers that you promised to put a couple of slides together for...

Plus, there's the action items you pick up on meeting so many customers, partners, colleagues. A more effective multi-tasker might be able to do these things better than I, but something had to give. So that's why you've not seen much Twittering or Blogging from Token Security Guy over the last few weeks. The pent-up postponed meetings kinda sucked the creativity out of me!

Anyway, next week I'm being unleashed on Vegas for Interop - I'll be on a panel with Khalid Kark from Forrester and Troy Leach from the PCI Standards Council on a panel entitled: "Security By Compliance: Information Risk Management's Greatest Challenge". It's all led by John Pironti, formerly of Getronics and Unisys "fame".

I'll also be hanging around the Cisco booth, carrying on the good work we've been doing around integrating location data from Cisco MSE into RSA enVision, so we can add some physical data into this distinctly logical world. Good news is that I won't have to wear one of those God-awful vests, although I am in serious danger of a logo-emblazoned shirt...

RSA Conference - Thank you very much, you were a lovely audience

As always, the conference was great fun. Sessions were attended, deals were done, claims were made, outrageous claims were made, outrageous claims were debunked, business cards were exchanged, hors d'oeuvres were served, beers were drunk, vests were lost, and multifarious passive voice occurrences...well...occurred

Favorite cliches?

• "We're securing the cloud." Lots of talk about cloud/SaaS security - with few details, which is understandable since if the past is anything to go by, we'll do it, we'll screw it up, and we'll go back and secure it properly. But there's some great ideas about how its going to be done, so that should make a) the screw up as painless as possible, and b) make it as quick as possible to fix when said screw up occurs

• "We're lowering TCO." Everywhere you went you were bombarded with recession era "cheap sells!" claims. Still much work to be done on proving it though - at least it shows vendors are listening to their customers - or their investors anyway.

• "Traffic is down - but quality is up." Yeah, from a sheer numbers perspective, attendees were down, but that came as no surprise. There were most definitely fewer RSA vacationers than usual - but it was clear that those driven away were more the tchochke-grabbing masses, rather than the glitterati. So that made the conversations we did have much more of a deep, deep communion than in previous years.

RSA had some whiz-bang demos for anyone that stopped by. On the enVision front, we showed enVision working with RSA DLP, showing how we can prioritize issues based on sensitivity of the information we *know*, rather than suspect, is involved. Cisco were also at our booth, and we could show not only the information that they were dealing with, but geospatially where they were doing it. All very cool in my deeply biased opinion.

My session on SIEM was well-attended (over 150), and was even picked up by journalist Neil Roiter with TechTarget. He didn't mention my name though - I mean if I'm going to all this trouble it's generally about the shameless self-promotion. Consider yourself 'On Notice', Roiter - you'll feel the wrath of my pen! Only kidding. He pained a brutally honest picture of the space, which I'm getting a rash of proverbial for, but hey!

Some cool RSA press releases -

• SharePoint solutions - which will help customers find out wat information is being stored in their sharepoint environment, plus define the right accesses to information in it, and monitor who's doing what with it.

• Risk Based Authentication for the enterprise - which lets enterprises use some of the cool profiling and self learning technologies to identify genuine users that online banking people have been using for years with their consumer base.

• Virutalization and DLP - which lets customers use DLP to inspect infromation travelling between Virtual Machines to make sure sensitive information is ony going where it should.

I would've written more about the other folks at the conference, only I barely got time to speak to them. I realized I gotta get me a promotion before next year, before I have to engage in more of the soul destroying activity that is vest-wearing booth duty. Only kidding, I enjoyed it more than I thought if I'm honest about it.

I'm currently preparing myself for Round 2 - InfoSecurity in London! See you there if you're going

RSA Conference: I used to be influential – but now I wear a booth vest

At last year’s RSA conference, I would gauffaw loudly at those folks wearing corporate uniforms around the Moscone. However this year, vest karma has come to bite me in the nether regions, and it has a sharp pair or choppers, I can tell you. I’ve had to swallow my ego, put on my corporate apparel and accept my place as a consummate vendor. I’ve been through the 7 stages of grief, and now I’m accepting my fate – I shall be donning my booth vest with pride and seeking multifarious pieces of flair to adorn it. Feel free to stop by...and point....and laugh

On a more serious note, though, apart from seeing me in a booth vest, what’s going to be the highlight of the RSA Conference? What do you mean it’s not going to be Art, or Enrique Salem, or the bloke with a funny moustache from Mythbusters? No my friends, the highlight of the conference will *clearly* be a little known session in Purple 306. NET-107 4:10-5:20 on Tuesday “SIEM – the good, the bad and the ugly”.  It’s going to be a rip-roaring panel, with some splendid individuals – moderated by yours truly.

We’ve got two top-notch CISO’s – Denny Dean from a Fortune 500 company here in the Northeast, and Chris Leach from ACS. They’ve both been burned by SIEM in the past, and have some very interesting opinions on the topic.

We've also got Nick Selby from The 451 Group, and John Kindervag of Forrester, who spend more time than most thinking about where this is and where it’s going. Plus, they keep fluffy vendors like me honest.  All in all it should be a good time

New beta for MS Stirling available

So Microsoft just released a new beta version of "Stirling", the next-gen incarnation of their threat protection solution, Forefront. For those not familiar with Forefront, its a unified policy management and enforcement architecture for Microsoft's security and threat protection products, plus technologies from Microsoft's partners in adjacent areas like vulnerability assessment and intrusion detection.

RSA's working with Microsoft too. RSA enVision will provide a fully functioning alerting and reporting engine for Forefront too. What does this mean?

• We'll be able to prioritize Forefront events, so customers can get alerted in different ways depending on the type of alert and where it's coming from.
• We'll be able to aggregate Forefront events, so a bunch of similar alerts in a short space of time won't fill up a security analyst's mailbox.
• We'll also let the customer look at Forefront events in the context of other stuff that's happening in their environment, like server and router logs. They'll then be able to use Forefront events in correlated alerts and forensic queries.
• We'll keep and report on Forefront logs so that customers can prove to auditors that all their products are working in the right places to enforce policy as regulations require.

We'll also be integrating RSA DLP with other Microsoft products like RMS and Sharepoint, so we'll be able to protect against good stuff leaving the network as well as stopping bad stuff coming in. All in all, it's going to be a great partnership that'll let customers do some cool stuff with their most strategic vendors.

It's a lot easier to leave docs lying around these days

After I posted this about the faux pas by the head of counter-terrorism in the UK, a security buddy of mine and I we chatting over a beer about how bad this problem's getting.

1. In the age of electronic information, its ironic that so much printing goes on. Xerox reckons companies spend 3-4% of revenue on printing. That's one heckuva lotta paper - and you can guarantee that a good amount of that is senstive stuff - and we have no idea of where it's being printed.

2. You used to need to go a dedicated place to talk about stuff on the phone. Nowadays people can - and frequently do - talk about anything, anywhere on mobile phones. Airport gate waiting areas are the worst - I was next to a guy giving an employee his performance review a couple of weeks ago. I'm sure the poor employee on the other end didn't appreciate his shortcomings being shared with half of O'Hare!

3. To make stuff available to people, you don't actively need send it to them. If you put it in the wrong folder on your laptop, it could end up on a P2P network. If you stick it an a file share, it could end up on Google. And don't get me started on Sharepoint. That thing is a black hole for sensitive information - and it ain't the product's fault, it's the people that use it. I mean when was the last time anyone deleted anything from a Sharepoint server? Seriously, trying to share stuff only with the people you intended to is really, really difficult these days.

That's why I reckon we need to re-name the data leak prevention space eventually - since leaks are only a symptom, not a cause. And "leak" implies drip, drip, not a deluge!

RSA DLP 7.0 released today!

The new version of RSA DLP got released today with some cool new features. My favorites?

• As well as finding unstructured data in file shares and the like, it can now find sensitive structured information in places like SQL server databases.
• It's improved its ability to fingerprint specific files you know are sensitive - whether they be stored on a server, a laptop or desktop, or whether you find them traversing the network. That way, if somebody inappropriately tries to copy or share those files, you'll know about it.
• A whole new bunch of policy templates. including one that make it easier for customers to spot personal information covered by data protection laws in places like Australia and New Zealand, and a host of EU countries too.

What's more, RSA DLP 7.0 works with the RSA enVision SIEM solution. This means customers can, from one place, see DLP alerts and logs in the context of other things that are happening in the IT environment, and then alert and report on them. The possibilities here are endless, but a few examples of where I reckon it's cool:

• Say enVision has just helped you discover some particularly nasty malware. DLP can determine whether the malware "phoning home" sent sensitive information
• Say DLP has just discovered unprotected financial information on a file share. enVision can help you decide how bad a problem it is by telling you who's been accessing it over the last few days.
• Say enVision helps you spot an employee using your customer database to get contacts for his side business. DLP can help you find where he's storing his information about the business and who he's sharing the information with i.e. who else is "in on the deal"
• Say enVision web proxy finds somebody accessing hacker sites. You can add this person to a watchlist, and get paged if they send out sensitive information - something that might just be logged otherwise.

All in all it's pretty cool stuff

UK Counterterrorism Chief Helps Security Awareness

So the UK Counter-Terrorism Chief just quit after a spectacular blunder. He accidentally held a confidential document in full view of photographers, causing police to need to raid a suspected terror cell a day early.

Rather than get on our high horses about the fact that he made the blunder, I think we should think about the wider implications of his resignation. I bet there's not an exec anywhere who hasn't seen this story and thought twice about times they've left documents lying around, or worked on confidential presentations on a crowded airplane.

Despite the tactical impact of the blunder, wake-up calls like this are always welcome.