Current Affairs

May 21, 2008

Network Security Podcast

Martin McKeay and Rich Mogull were kind enough to invite me to their Network Security Podcast. We had a nice discussion on privacy, information-centric security and a few other topics. You can check it out here.

April 14, 2008

The week in review

Spent last week in San Francisco at various shows and events, so I thought I would share some of the high (and low) points.


IDC Virtualization Conference: I was at the virtualization show on Tuesday just to get some variety during a week that was otherwise all RSA. Really not much going on here at all other than product pitch after product pitch, ad nauseam. You would have thought they were selling condo time-shares. And here is a hint: if you are going to inundate us with a sales pitch, at least have coffee to keep us awake.

The only presentation that actually had a customer success story, Pano Logic, happened to be the highlight. This is a very cool little box for client-side virtualization. From a security standpoint, data is not floating around, as there is no disk or local memory to steal from, and the session follows the user to any location they choose to work from. While not suitable for every user, the benefits in both security and IT costs are considerable. Check it out!


Ziff-Davis: A very nice security briefing put on by Ziff Davis Enterprise in the evening, and they followed it up with excellent food & drink at the reception. I have seen Lawrence Walsh present a couple of times now and I always enjoy it, and this particular “Risk Perceptions and Reality” was no exception. His research on where security dollars are being spent, and his points on applying those dollars in a more risk-management-oriented way, are similar to some of the presentations I give, only his research data is better than mine. The major theme was ‘security will not improve until security becomes part of the business process’. Not sure the audience was getting the point, but it was not for lack of trying.


RSA: How would I encapsulate the RSA show? In a word? “Uhhhh”. I am too apathetic to yawn. It appears that they are still waiting for an answer to the question “What would Turing do?” Even the San Jose Mercury News only had a very tiny piece on Chertoff's presentation, so if they could not find much to write about you know it was bleak.

It seemed to me that the industry has fallen back onto two of the ‘security pillars of truth’, access control and encryption. Essential ingredients in the security cookbook, sure, but nothing that appeared innovative and new. Marketing these solutions as Governance, Risk and Compliance is new, and possibly only 3 years too early, plus no one seems to agree on exactly what GRC means. Oh well, here’s to next year!


Security Bloggers Meet Up 2008: The best after-hours RSA party had to be the Security Bloggers’ event organized by Jennifer Leggio at Fortinet. Great turnout, great people, great food and a whole lot of fun. I met up with people I have not seen in 8-10 years, and met a dozen or so bloggers who I have been reading for the last year or more. Fun and educational. Great work Jennifer!


Miscellaneous fun #1: McAfee hacks hackers. Did you know that? Their banner says so. I was intrigued, so I stopped by their booth and asked for a white paper on how exactly they do this. What is it they offer? Can I pick the hacker to hack, or is it more random hacker hacking? How do you reduce the false positives of hacking white hat guys instead of black hat guys? What is my ROI? They took my business card and said they would get back to me. Maybe the product is still in beta.

Miscellaneous fun #2: SFPD & security. I took Caltrain into the city on Wednesday morning. It did not dawn on me that this might be a problem until I arrived and heard that several of the bus lines were shut down because of the Olympic Torch. Then I started to worry when 10 kids with Chinese flags were walking alongside me right into the gauntlet of Sheriff’s officers. Uh oh!

I have been out front of the West Wing of the White House, the Executive Building, the Senate and various other official places, but I have never seen a security show like this. Every hundred yards all the way up 4th Street were a pair of motorcycle cops flanking both sides of the street. Every nook, cranny and side street had a Police, Sheriff, Marshal or undisclosed official vehicle standing by. Train schedules altered, bus routes changed or halted, streets barricaded, street lights run manually, profiling of participants, helicopters and more. Nothing going on, as I guess they moved the torch route, but the police were clearly on 100% alert. Amazing!

Miscellaneous fun #3:  A few years back, at the Oakland Coliseum, I had a disconcerting experience. I was walking out of the men’s room and was suddenly faced with half a dozen very large men in suits who were angrily walking towards me with hands reaching for me. At the last second the tall thin man next to me told them it was OK and they stopped in their tracks and just glared at me. I just so happened to exit the door and bump into Michael Jordan. His entourage was none too happy having me pop out of nowhere and be standing within inches of their charge. Cooler heads prevailed, but you never forget that split second feeling that things are not OK.

So I am walking around the RSA exhibitors’ area on Tuesday, down a crowded aisle, and six guys in suits with short hair turn and are suddenly staring at me with that same glare of concern. At first I was thinking it was a Secret Service detail, and maybe Al Gore was in the area. Did I somehow look threatening in my casual sweater and dungarees? Then I looked up and saw I was standing in front of Guardium’s booth. Ah, now I get it! Move along! Nice to know they care.

Miscellaneous fun #4: I was over at a partner’s booth on Wednesday. I did not recognize anyone at the booth, nor did they recognize me. I decided to see what they were selling and what messages they were delivering at the show. Access control. OK, what about the other security products you offer? I started to quiz them on database monitoring, auditing and the like. My questions were returned with blank stares. The first person did not believe they offered other security products … they do, trust me on this one … and the more senior representative said “Yes, we offer that product, but we have no one here who can talk about it”. OhhhhKay! You're spending $30K on a booth, collateral & shipping at a security conference, not to mention whatever employee & lodging costs, and you don’t prepare to talk about your security products?!?!? Nothing like wasting an investment.