Sunday, October 19, 2008

Spliced feed for Security Bloggers Network

Spam Art [Commtouch Café]

Posted: 19 Oct 2008 02:42 AM CDT

Luckily there are creative people who will take even one of the most annoying things - SPAM - and turn it into something positive, that is, artwork. Artist Linzie Hunter has created a series of “one-liners” where she took spam subject lines and experimented with hand-lettering, turning them into works of art. Below is the cover [...]

Victor is back [Security Balance]

Posted: 18 Oct 2008 01:14 PM CDT

My friend Victor is back to the blogosphere. He built a blog platform just for his new blog, Visigodos.org.

He blogs about a series of things, but mostly on software development and security. His last post (VP, you need to develop something to link directly to a specific post!) about vulnerabilities related to debugging code is pretty interesting.

Welcome back, VP!

"Airport security in America is a sham—“security theater” designed to make tra..." [Security Circus]

Posted: 18 Oct 2008 12:01 PM CDT

Airport security in America is a sham—"security theater" designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease. –The Things He Carried - The Atlantic (November 2008) - a MUST READ

Port Scanning the Internet - THC Blog [Security Circus]

Posted: 18 Oct 2008 10:26 AM CDT

Anton Chuvakin on "how not to log" [Security Circus]

Posted: 18 Oct 2008 10:25 AM CDT

Application developers, sit down NOW and have a look at what you shouldn't do: "Application Logging Good Bad Ugly ... Beautiful?" is a nice lesson.

Great work as usual, Anton!

Integration is an education [Security Circus]

Posted: 18 Oct 2008 10:25 AM CDT

Integration is an education
In other news, our politicians want separate classes for foreign students...

Reposted from sid77

EFF Tackles Telecom Immunity [Liquidmatrix Security Digest]

Posted: 18 Oct 2008 10:11 AM CDT

The EFF issued a challenge on Thursday to the blanket retroactive immunity that has been granted to telecom providers in the wake of the warrantless wiretapping.

From EFF:

In a brief filed in the U.S. District Court in San Francisco, EFF argues that the flawed FISA Amendments Act (FAA) violates the federal government’s separation of powers as established in the Constitution and robs innocent telecom customers of their rights without due process of law. Signed into law earlier this year, the FAA allows for the dismissal of the lawsuits over the telecoms’ participation in the warrantless surveillance program if the government secretly certifies to the court that either the surveillance did not occur, was legal, or was authorized by the president. Attorney General Michael Mukasey filed that classified certification with the court last month.

“The immunity law puts the fox in charge of the hen house, letting the Attorney General decide whether or not telecoms like AT&T can be sued for participating in the government’s illegal warrantless surveillance,” said EFF Senior Staff Attorney Kevin Bankston. “In our constitutional system, it is the judiciary’s role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive’s. The Attorney General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans.”

Interesting.

I wonder how this will play out in the waning moments of the current administration?

For the full piece read on.

Article Link

"Nature" on Italy's cuts to university budgets [Security Circus]

Posted: 18 Oct 2008 10:11 AM CDT

Partial Disclosure [Donkey On A Waffle]

Posted: 17 Oct 2008 04:04 PM CDT

I had a bit of a discussion with someone this morning on the nuances of partial disclosure and its effectiveness/risk within the greater security stage. The discussion was sparked by a recent post by Dan Kaminsky at www.doxpara.com. In this post Dan is essentially saying that partial disclosure in general is a bad idea; however, it is occasionally required if the scope of the issue is so large and potentially dangerous that disclosure at any point would put a significant portion of the computing populace at risk. What Dan is afraid of (and I believe rightfully so) is that the research community and their affiliated companies and marketing machines will realize that partial disclosure generates revenue. When distilled down, partial disclosure can be used as a way of putting FUD out there in an effort to generate buying impulses. Not everyone will directly attempt to utilize partial disclosure as a money-making machine; however, I believe the majority of business minds will. They'll either do it with the approval of their researcher or occasionally without. Sometimes the researchers themselves will recognize the positive brand impact and money that can come from partial disclosure and exercise this model directly. So what do we do about this? We create a group to help police the partial disclosure process. We create a way for the populace to know whether the released partial details are real or FUD.

The second part of our discussion centered around who should be responsible for vetting security-related partial disclosure. Dan suggested that a group of security researchers be responsible for determining whether a particular vulnerability should be partially disclosed. This is where I disagree with Dan a bit. There are no parties that can truly act impartially within the security research community when it comes to vetting disclosure. We all have a stake, either directly or indirectly, in the release and disclosure of such information. I suggest that a higher-level group that contains people outside of the general security research community be put in charge of vetting the legitimacy of a particular partial disclosure. They could bring in subject matter security experts as required, but the group itself must be sufficiently removed from the process to be properly impartial, bringing in the technical expertise only on a consultative basis. The technical details are factual; the risk impact is always subjective.

Maybe I'm being too pessimistic in thinking that the abuse of partial disclosure is imminent. Maybe I'm being too altruistic in thinking that a group of people even at a higher level could ever be impartial enough to properly vet partial disclosure requests. But I do know one thing, this topic is very touchy and will certainly require a large scale effort and significant hand holding if it is ever going to come to fruition.

As always, comments are welcome...

Friday Summary 10-17-08 [securosis.com]

Posted: 17 Oct 2008 02:05 PM CDT

Rich is off to see Jimmy Buffett in southern California and get some R&R, so I have blog duties this week. It’s briefing season in the analyst community. I probably shouldn’t be surprised, given my previous employers typically launched PR tours this time of year, but even Rich has been a little surprised at the volume of discussions. We have been in full swing with a packed calendar the last couple of weeks, and it shows no sign of letting up through November. If I am a little slow returning your email in the morning, that is why. And I’ve got to admit it is more interesting being on the receiving end of the equation than delivering the same information 100 times. The breadth of technologies and companies is very exciting, for me at least, and as a result I am digging deep into a number of technologies I have not had a chance to play with while working for a vendor. I have been seeing a lot of solid advancements from several companies, so that makes the calls interesting as well.


Following up on the comments last week: the OS X Server Wiki/Blog software we switched to internally has been great for us. For a small team like ours, the ability to collaborate and keep information centrally has been a great convenience, as we can work independently yet still catch up on what the other is doing by scanning the internal blog and wiki. Easy to use, and still more functions than we really need at this point. Highly recommended! The Drobo Rich ordered looks very, very cool … yes, I am jealous. Given the number of photos I have been taking I think I am going to order one as well. Going to hook it up between the iMacs via FireWire. I will keep you posted.

On a personal note I was watching Iron Man last night on DVD. Great movie. But how many of you saw the movie trailer with Samuel L. Jackson at the end? No? Surprised the heck out of me that after the credits finished, there was a little teaser where no one … practically no one … would see it. Pretty cool! Oh, and Rich may have seen two coyotes in the park near his house, but I have discovered a family of tarantulas living on my back porch. We were having drinks on the patio when this 7″ fuzzy spider cruised by us a few nights ago. Last night a couple smaller ones were climbing the wall about 10 feet off the ground as if gravity simply did not apply to them. They are fascinating to watch.

Webcasts, Podcasts, and Conferences:
  • Nada this week for me.
Favorite Securosis Posts:

Favorite Outside Posts:

  • Adrian: Over on the Network Security Blog, Martin has an excellent post on a topic that should get far more attention than it does: Why Is Your Company Storing Credit Card Numbers?
  • Rich: Hoff continues to be ahead of the curve on developments in the virtualization security space, as well as coverage on the VMWare acquisition of BlueLane. VMWare may not have hired the Hoff, but they seem to be taking his advice.
Top News:

Blog Comment of the Week:

Jim Hietala’s comment on my “Will Database Security Vendors Disappear” post:
I don’t know the database security market all that well, but it strikes me that all of the points you made can be applied to every individual security segment, including NAC, endpoint security, DLP, e-mail security, and on and on. Certainly the trust one applies to all, breadth of function in most cases applies, and too many choices I think does as well. Doesn't bode well for the health of the security start-up market in the next couple of years…

No Securosis company meeting this week, so I am off for a little recon work. More on this later.

-Adrian

Security Briefing: October 17th [Liquidmatrix Security Digest]

Posted: 17 Oct 2008 11:58 AM CDT

Pardon me while I adjust the focus on my binoculars… yes, it is indeed Friday. There’s a weekend just over the next hill.

And now, the news…

  1. Security is an Empirical and Social Science - Emergent Chaos Interesting little discussion going on over there.
  2. Gadget-savvy but socially inept? - The Globe and Mail More and more I find myself half listening to a real person while typing, must.stop.now.
  3. Insiders dodge security for productivity, RSA says - Security Focus
  4. $5,000 Chinese Solar Car is 100% Power Grid Free - Gizmodo
  5. 50 Most Influential People in Business IT - Baseline An interesting mix of public, private and government agencies represented.
  6. Can Private Companies Helping the NSA Be Watchdogs, Too? - Wired, Threat Level
  7. The Netbook Newbie’s Guide to Linux - The Register Go ahead, roll your eyes, but someone out there will find this useful. Honest promise.
  8. And something for the audiophiles…

  9. Dork Talk - Stephen Fry, The Guardian

Feeling a little punch drunk, healthier than yesterday, looking forward to a relaxing weekend. You have one, too!

Twitter, it's the new "blog" [Donkey On A Waffle]

Posted: 17 Oct 2008 10:49 AM CDT

Blogging is out, "Tweeting" is in. Twitter is the new black, it's the latest and greatest, it's... well, weird. I've posted on my thoughts regarding microblogging in the past (here). "At first I was afraid, I was petrified", but then I realized just how useful this type of medium can be. I've since found myself adopting this technology as a way to keep up with the latest and greatest information security minutiae directly from the people that are creating it. With groups of people such as the Security Twits along with the researchers I know personally, it's a very useful 1:many discussion medium. The downside of the microblogging thing is that it's been taking away from my time/energy to create real blog entries for my reader(1). I promise this will change soon.

In the mean time, follow me on twitter (txs_) if you wish to join in the interesting conversation. I'm always keen to hear what my reader(1) has to say.

Microsoft's October 2008 Patches (and an OS X Update) [Sunnet Beskerming Security Advisories]

Posted: 17 Oct 2008 06:31 AM CDT

October's Security Patch Release from Microsoft has seen 11 patches provided. Four of the patches were identified as Critical, six as Important, and one as Moderate. An advisory was also released, not listed with an MS08- number, that provided killbit settings for a number of third-party ActiveX controls and set the killbit for the Microsoft controls mentioned in MS02-044, MS08-017, MS08-041 and MS08-052. Several of the patched vulnerabilities were under active attack prior to patch release, and sample exploit code has since been released for several other vulnerabilities. It is imperative that these patches are applied at the earliest opportunity.
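A killbit is a per-CLSID flag in the registry, so whether the advisory above has actually taken effect on a given machine can be verified directly rather than inferred from the update history. The following PowerShell function is an added example, not code from the original post or from Microsoft's advisory. It reads the documented location (bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, per Microsoft KB240797) and also the WOW6432Node copy that 32-bit Internet Explorer on 64-bit Windows consults. The CLSID in the usage line is a placeholder, not one of the controls covered by the advisory; substitute the CLSIDs listed in the advisory you are checking.

```powershell
# Added example (not from the original post or the Microsoft advisory):
# report whether the ActiveX kill bit is set for each CLSID supplied.
# Kill bit = bit 0x400 of the "Compatibility Flags" DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (Microsoft KB240797). 32-bit IE on 64-bit Windows reads the WOW6432Node
# copy of that key, so both locations are reported for each CLSID.

function Get-KillBitStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Clsid
    )

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($id in $Clsid) {
        # Normalise to the braced, upper-case form used as the registry key name.
        $key = '{' + $id.Trim('{}').ToUpper() + '}'

        foreach ($root in $roots) {
            $path    = Join-Path -Path $root -ChildPath $key
            $present = Test-Path -LiteralPath $path
            $flags   = 0

            if ($present) {
                # A key may exist without the value; treat that as flags = 0.
                $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
                if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
                    $flags = [int]$item.'Compatibility Flags'
                }
            }

            $hive = if ($root -like '*WOW6432Node*') { 'WOW6432Node' } else { 'native' }

            [pscustomobject]@{
                CLSID   = $key
                Hive    = $hive
                Present = $present
                Flags   = ('0x{0:X8}' -f $flags)
                KillBit = (($flags -band 0x400) -ne 0)   # $true only if the control is blocked
            }
        }
    }
}

# Usage with a placeholder CLSID (not one from the advisory). Reading the key
# needs no elevation; a missing key or a clear KillBit means the control can
# still be instantiated by Internet Explorer.
Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

Running this against the CLSIDs from an advisory gives a quick per-host confirmation that the kill bits landed in both the native and WOW6432Node locations; a control that shows Present = False in both is simply unregistered on that machine, which is not the same as being blocked.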

It should also be noted that this month marks the start of the Microsoft Active Protections Program (MAPP), and Microsoft have already provided Severity Guidance for this month's patches.

Sûnnet Beskerming provides Briefing packs that are tailored for all users.

It should also be noted that Apple released a Security Update last week, which is now available from the Software Update Apple Menu item for OS X 10.4.x and 10.5.x users. Details for Apple's updates can be found here.

Don't Forget Your Oracle Patches [Sunnet Beskerming Security Advisories]

Posted: 17 Oct 2008 01:28 AM CDT

In a week when Microsoft released eleven patches, and an advisory, and Apple released a Security Update (actually released last week), some people might have been forgiven for missing Oracle's quarterly patch release, which coincided with Microsoft's releases this month.

41 vulnerabilities were patched in the release for a broad range of Oracle products, including Siebel, BEA, PeopleSoft and JD Edwards applications.

The next quarterly mass update from Oracle is due on January 13, 2009, which matches with Microsoft's scheduled patch release for January 2009.

End-to-End Encryption in the AP Region [PCI Blog - Compliance Demystified]

Posted: 17 Oct 2008 01:05 AM CDT

I (Chris) recently completed a training session in Australia and, while meeting with the Visa representatives in the Asia Pacific region, I was surprised to learn about some of the initiatives in the region. Visa has sponsored a program that resulted in the entire country of Malaysia employing end-to-end encryption for payment card transactions. This is a tremendous step forward in data security and demonstrates that end-to-end encryption is viable. Thailand and Australia are also moving quickly toward end-to-end encryption in addition to chip and PIN with the support of card brands in the region. As anyone that has read any of Aegenis’ writings knows, we are big proponents of end-to-end encryption and other technologies that reduce the risk to payment card data, as well as minimize the need for PCI DSS. Recently we published a whitepaper on the topic of Cardholder Data and whether encrypted data is, or is not, Cardholder Data. It is my position that the categorization of data is predicated not upon the use of encryption but upon the key management processes. You can read the paper here.

To truly be able to reduce the risk to cardholder data, it is going to require more than compliance with any standard.  Companies are going to have to begin looking at methods to remove the value of data or protect the data during the entire transaction cycle.

Traveling Man Part Deux [BumpInTheWire.com]

Posted: 16 Oct 2008 11:20 PM CDT

I’m off to Chicago for the weekend to meet up with some college buddies.  I’m scared of the brutality I’m about to endure.  With that I need to get my weekly Husker pick in a bit early.  Saturday’s game will be played at my alma mater in the friendly confines of Jack Trice Stadium in Ames, IA.  The ‘Skers are an 8 point favorite and I don’t think they cover.

Nebraska 34  Iowa State 27

Looking back I am 3-3 on my predictions… for what it’s worth.

links for 2008-10-16 [Raffy - Security Data Visualization]

Posted: 16 Oct 2008 09:02 PM CDT

Snort Overview Project [VRT]

Posted: 16 Oct 2008 04:26 PM CDT

Some enterprising young students from the University of Skovde in Sweden came up with what we think is a great informational poster for Snort. So good in fact that we got a copy and have posted it on snort.org for all to see.

Many thanks to Simon Wallin and Gustav Calson for taking the time to read the documents on snort.org and ask good and pertinent questions about Snort and its architecture, which resulted in a definite A+ project, and for allowing us to post it for the world to see. If this doesn't give you a good idea of how Snort works and what it is, nothing will.

Here's a link to the poster: http://www.snort.org/vrt/docs/white_papers/snortposter.pdf

Review: SANS Pen Test Webcast Part 1 [Nicholson Security]

Posted: 16 Oct 2008 02:51 PM CDT

Yesterday was the SANS Webcast on "Combining Network, Web App and Wireless into the Ultimate Penetration Test," I had registered to catch it live but my lunch break disappeared under a pile of deadlines. Today I was able to catch the archive of the presentation.

The focus of the webcast was as the title describes: using combined methods and attack vectors during a penetration test. Sometimes, depending on the client requirements, a pen test will be requested but with a very limited scope. For example, they might only want their wireless network tested or a public-facing web application. Usually due to either lack of interest or cost, some companies will not go the full monty. I think this is bad because the results provided from the pen test are only part of the picture. I think that if a business is going to have a pen test conducted it should cover all the potential attack vectors. Otherwise a business might have a false sense of security.

The example used in the webcast was using an open wireless connection that a business might provide for guest Internet access to gain access to the business's network. It starts with using various wireless attack methods to discover and attack clients on the network. By intercepting employee Internet traffic over the wireless network they inject an exploit and use BeEF to escalate access and bind a reverse shell to the client to gain access to the business's internal network. Once they have access into the business's network they start to scan the network, compromise services and exploit clients on the network.

This was only part 1 of a 3-part series. Part 2 is said to be released in the middle of next month. My first impression is that it's a good series and I am looking forward to the others. We have so many specialists in security; I see it all the time in my classes. I have students that just do "Windows" or just do "Linux" or just do "Networking." That is great, and they discuss that in the webcast: we need people that know each of these technologies cold, but, as they say in the webcast, do you want to pigeonhole yourself?

I have always tried to keep a balance when it comes to my skills. Now, due to my 13+ years of experience, I am viewed mostly as a System and Network "type" of IT professional. But I have also over the years learned and worked with programming from assembly to Java, and even done web app development from Perl/CGI to PHP, and even wireless networking.

What it all comes down to is that nobody can know it all, but personally I think we should all know what is possible and understand our skills and limits. Collaboration is another key component that is important. I think that is why there is such a huge network of Ethical Hackers and Penetration Testers out there all willing to share what they know and exchange knowledge so freely.

If you're interested in Pen Testing and have the time, I would suggest checking out Part 1 of the series. When you're done please post a comment and let me know what you thought about it.

Internet phone calls, terrorism and finding the balance for law enforcement [Voice of VOIPSA]

Posted: 16 Oct 2008 09:00 AM CDT

The Times of London is out today with a provocatively titled piece: “Internet phone calls are crippling fight against terrorism” and leads with this:

The huge growth in internet telephone traffic is jeopardising the capability of police to investigate almost every type of crime, senior sources have told The Times.

As more and more phone calls are routed over the web – using software such as Skype – police are losing the ability to track who has called whom, from where and for how long.

The key difficulty facing police is that, unlike mobile phone companies, which retain call data for billing purposes, internet call companies have no reason to keep the material.

And goes on to mention issues security officials have with the new world of online communication:

At present security and intelligence agencies can demand to see telephone and e-mail traffic from communication service providers, such as mobile telephone companies. But rapid expansion of new providers, such as gaming, social networking, auction and video sites, and technologies, such as wireless internet and broadband, present a serious problem for the police, MI5, Customs and other government agencies.

Communications data is now a key weapon in securing convictions of both terrorists and serious criminals. It also plays a central role in investigations into kidnappings and inquiries into missing and vulnerable people.

It is indeed a challenging problem. How do government security services exercise their legitimate need to have access to some communications-related data in the pursuit of a crime when the communications providers are no longer easy to identify?

In the old days of just the PSTN, the communications carriers were easy to identify and easy to work with… in the sense that jurisdiction was usually rather clear since the provider was based in the country where the communication was taking place. Government security services could work with those companies to be able to do lawful intercept and other such actions.

VoIP changes all of that. From a technical perspective, geography goes out the window. You can use a software product created by a company from anywhere in the world to communicate with someone else. It can be encrypted. It can use different protocols. It can be unencrypted yet go over an encrypted VPN.

THERE IS NO CENTRAL CONTROL!

And without central control, there is no central way for a government agency to be able to easily obtain that communications data.

So what do you do? Do you create (and somehow futilely attempt to enforce?) draconian and Orwellian legislation that gives government agencies extremely broad powers to access Internet-carried information? (As it sounds like is happening in the UK?) Do you try to have industry entities voluntarily assist security agencies? Do you give up and admit that it’s next to impossible to really get all this kind of information?

There’s a balance to be struck somewhere in there - and finding that balance is going to be one of the toughest policy issues we all will confront over the next few years.

I can see both sides… as a strong privacy advocate, I do not want the government to have broad powers to intercept and view Internet traffic - the potential for abuse and misuse is far too high in my opinion. Yet at the same time, as a father and husband I can assure you that if something were ever to happen to any of my family, I would want law enforcement to have access to every tool imaginable to track down the perpetrators and bring them to justice.

Where’s the line? What’s the right approach?

No easy answers…

Security Briefing: October 16th [Liquidmatrix Security Digest]

Posted: 16 Oct 2008 08:26 AM CDT

Sun is up, coffee is hot and the news has been delivered - good morning.
Bugs and bots and patches, oh my!

And now, the news…

  1. Oracle discharges monster bug fix - The Register
  2. Adobe patch thwarts clickjacking - The Register
  3. Warezov botnet rises from the grave - The Register
  4. Security Software Suites No Match For Custom Attacks - Brian Krebs, Washington Post
  5. Cellphone Botnets, Blackmailing VOIP & a Healthy Cybercrime Economy- Dark Reading
  6. Users Know Security Policy & Break It Anyway, Study Says - Dark Reading
  7. Giant database plan ‘Orwellian’ - BBC
  8. And something a little lighter… Have a great Thursday.

  9. Portsmouth seeks internet service - to apply, just call. - The Register

Oracle Critical Patch Update, October 2008 [securosis.com]

Posted: 16 Oct 2008 12:10 AM CDT

The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor so patch the databases according to your normal deployment schedules.

It does seem that every time I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the E-Business Suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with the others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise a web server and reach vulnerable databases behind it.

The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW! I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU#716387 (CVE-2008-3257). Unlike that earlier advisory, however, there is no mention of a workaround this time, and in general Oracle is not very chatty about the specifics on this one. And I love the Teflon-coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful!

Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more.

-Adrian

Its A Two Year Old’s World… [BumpInTheWire.com]

Posted: 15 Oct 2008 11:07 PM CDT

…and I’m just living in it.  You’d have to be the intellectual equivalent of a plant to not know that the third and final presidential debate was tonight.  What was on the television in my house?  Go, Diego, Go!  I was stuck watching the debate online on my laptop.  Ridiculous!

Diego = 46″ big screen

Future President = 4″ image on a laptop

CEI Experience [BumpInTheWire.com]

Posted: 15 Oct 2008 10:59 PM CDT

Thought I’d give a little update on my experience with the Client Endpoint Integrity client. Of those of us testing the client I’m the only one testing it on a laptop, so I’m able to experience the client in a different manner than a desktop computer would. As for the experience when connected to the corporate network, the client is barely noticeable. Every 60 minutes the client does a scan and tells me I failed the scan. Stupid client. How dare it tell me I fail?! We are testing this with scan notification activated. So once an hour a balloon pops up in the system tray notifying me that the scan has started. A few seconds later the scan is complete and another balloon pops up with a success or failure. That’s it. In the management interface I can see exactly which endpoint and user is in compliance or not. The status of these endpoints is reported on the dashboard, so it’s part of the first screen you see after logging into the management server.

I mentioned the laptop earlier because I wanted to touch on the behavior of the CEI client when away from the corporate network.  When my laptop is away from the corporate network the client simply does not launch.  The ActiveX component is still installed and enabled but the client does not launch.

Any downsides or things I don’t like about the client? Maybe one thing. When the CEI scans are enabled the client is activated by launching a web browser. My only knock against the client is the behavior of the web browser after the client launches. The browser is “hijacked” and displays a page with a message thanking me for logging in and installing the CEI client. After the client is launched the browser closes. Sometimes I catch myself thinking “what the hell just happened to IE? I know I just opened it.” I’m fairly certain I know why this behavior exists. In previous versions the browser didn’t close and there would be the occasional event where web access would not be allowed because the authentication had not completed. By closing the browser this buys a little time to ensure that authentication has completed before being able to access the internet.

My Take On The Database Security Market Challenges [securosis.com]

Posted: 15 Oct 2008 07:28 PM CDT

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual drivel that analyst types get all hot and bothered about, when he dropped the bombshell: one of our favorite groups of products could be in serious trouble.

For the record, we hadn’t started happy hour yet.

Although everyone on the vendor side is challenged by such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal.

Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try to keep this concise.

  • Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these bits has different buying cycles, and in some cases, different buying centers. Users aren’t happy with the complexity, yet when they go shopping they tend to want to put their own cars together (due to internal issues) rather than buy a single full product.
  • Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there’s a short term compliance mandate. Long cycles are hard to manage in a tight economy.
  • It isn’t a threat driven market. Sure, the threats are bad, but as I’ve talked about before, they don’t keep people from checking their email or playing solitaire, thus they are perceived as less urgent for prevention.
  • The tools are too technical. I’m sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren’t drop-in boxes, and that’s another reason buying cycles are long. I’ve been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them.
  • They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don’t hit that checkbox or clearly save money, getting a sale will be rough.
  • Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when their products aren’t as competitive (or capable) as the smaller vendors’. Better or not, as we continue to drive towards “good enough” many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line).
  • There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren’t looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven’t heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don’t seem overly interested.
  • It’s all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high, and sales cycles too low, I won’t be surprised to see some companies dumped below their value. IPLocks, for example, didn’t sell for nearly its value (based on the numbers alone; I’m not even talking product).

There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble.

I’m not kidding, I really hated writing this post. This isn’t an “X is Dead”, stir the pot kind of thing, but a concern that one of the most important linchpins of information-centric security is at risk. To use Adrian’s words:

But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act.

-Rich

In my opinion... [IT Security: The view from here]

Posted: 15 Oct 2008 01:46 PM CDT

It's funny, I keep getting invited to dinners, phone calls, webinars, etc... by people who have done surveys, created documents, got an expert in, etc... and I keep on politely turning things down. Not because I don't want to speak to people, far from it, I'd love to talk all day, but because I have more pressing engagements, and my life, to get on with.

I received a missive from Compuware earlier in the week, who have actually done a really good job of surveying IT professionals and printing out some relevant statistics. It makes a refreshing change from previous surveys I've had to rip apart here. Having said that, I'm not really 100% sure what they are trying to achieve with it, and fully expect them to explain by return of mail tomorrow...

HP have also come knocking, with an invitation for dinner up in London in a couple of weeks. On a Monday night. I don't know about you guys, but I have busy weekends, stay up late, watch "Poker After Dark" (Hellmuth is a dick isn't he?), occasionally even play poker and even less frequently win, but I'm always up past my bedtime. Monday morning, I get up at 6am, drive to the gym, churn out a couple of k's, and by the time I go home I'm ready for anything except getting on a train to London. I'm normally asleep on the sofa by 6:30pm.

I know exactly why they approached me though, and I AM interested in what they have to say, just not in London on a Monday night. Southampton on a Wednesday lunchtime, when they're paying, different matter entirely. And I think that's really my point here.

Neither of these companies is wrong, bad, or even out of line. They have both done good things, reached out to me in a polite and positive way. However, I can't help thinking that something isn't working. How much research gets done in the name of security, only to find that 70% of attacks/breaches/losses are accidental/internal/external/laptops? How much of it do you read?

How many solicitations do you receive on a daily basis for your opinion/answers/blog space/ or just to plain sell to you? How do you like it?

I like the personal approach, and don't even mind when it comes through a third party, although I'd prefer it was direct from the companies themselves - shows more respect somehow. Just a perception maybe?

I like the offer of something for my time/blog space/amazing company - it doesn't have to be much, but I kind of value my time, and it doesn't normally come that cheap.

I hate being sold to. I've worked for vendors all my working life in one way or another, and know what every sales cue sounds like a mile away. I will most likely lead you down a very inviting path and slam the door in your face rather than buy anything, sorry, but I just don't own the budget, I'm a contractor. By the way, you can hire me... :)
