
RSA Panel session confirmed July 17, 2008

Posted by joncollins in NFIT, Security.

Just got an email through from those nice folks at RSA Conference Europe. Here’s the skinny:

Session Track: Business of Security

Session ID: BUS-207

Scheduled Date: Tuesday 28th October

Scheduled Time: 16:05 - 17:05 hrs

Session Title: Software and Security as a Service: the risks and the rewards

Session Classification: Strategic

Session Abstract: There is much buzz in the IT industry at present around Software as a Service (SaaS). As with any new trend in IT, there are a number of potential risks which need to be considered when looking at SaaS solutions – but things don’t stop there. At the same time, certain security services can also be delivered using the “as-a-service” model. This panel of security vendors and consultants considers both the risks and rewards of SaaS and security as a service, and delivers practical advice on what organizations should be thinking about today.

Moderator(s):

Jon Collins, Analyst, Freeform Dynamics

Panelist(s):

Gerhard Eschelbeck, CTO, Webroot

Eldar Tuvey, CEO, ScanSafe

David Stanley, MD EMEA, Proofpoint

Presentations and events update June 25, 2008

Posted by joncollins in Governance, Information Management, NFIT, Security, Virtual Worlds.

I was recently asked for some examples of events I have spoken at, so for the record this is what I’ve participated in so far this year:

Taking back control of IT, Webinar, 28 February 2008 (video stream - registration required)

Improving business productivity through effective content management, Webinar, 4 March 2008 (video stream - registration required)

Governance in virtual worlds, Pisa, Italy, 13-14 March 2008 (slides)

Which is more Important – Compliance, Security or Operability? (Panel Chair) - Infosec Europe, London, UK, 22-24 April 2008 (podcast)

Progressive IT, Sourcing and Architecture, Microsoft Architect Insight Conference - Windsor, UK, 28-29 April 2008 (slides/video stream - requires Windows Media Player)

How to sell virtualisation (Panel Chair), Channel Expo, Birmingham, UK, 22 May 2008

IBM Optim Internal Data Threat event, London, UK, 29 May 2008 (slides)

If you need any more information please do get in touch.

On press releases and ambulance chasing February 21, 2008

Posted by joncollins in AnalystBiz, NFIT, Security.

A while back, I remember seeing a sketch by Eddie Izzard. The detail eludes me but roughly speaking it covered the cyclic nature of being cool. One could progress from totally uncool, to slightly cool, to cool, to - put one matchstick in the corner of the mouth - very cool, to - put another matchstick in the other corner - totally uncool again.

So it is with technology-related PR, and nowhere is this more starkly illustrated than in the press releases associated with IT security. I have written about how hard it can be to incite a sometimes apathetic audience into action about very real threats; equally, many IT managers will agree how difficult it can be to get funding for security-related purchases. IT security companies have a vested interest in both of these issues: they are obviously not working altruistically. However, in my experience the majority nonetheless do want to deliver value to their clients.

Such desires may be reflected in IT security PR, which often needs not only to explain what a company does, but also why it matters. Frankly, when a “bad thing” is reported in the media it can be a gift for any company that offers products in that area – but what to do when there is no bad news to piggyback on? The answer is to put out awareness-raising press releases, to augment the more standard ‘customer win’, ‘expands in Europe’, ‘new partnership’ fodder. It is here, just as with Eddie Izzard’s sketch, that we find the line which should probably not be crossed.

What are the different kinds of press releases? I would grade them into four categories:

· Best practice activity. A vendor may have put together a set of guidelines explaining how to deal with an issue. While it is a fair assumption that it may reference their product or service, it may also contain some sound advice. Press releases saying that a vendor has documented some best practice are little more than treading water in PR terms, but they are innocuous enough.

· Publicising research findings. A security vendor may conduct a study to highlight the scale of a given problem. This is useful when, although the area is known about, there is general complacency that the issue has already been dealt with, or that it only happens to other people. Indeed, this is often the kind of activity that we get called in to help with – anonymous surveys may be the best way to talk about an issue that nobody is supposed to have.

· General awareness raising. These tend to be more educational, to highlight that a problem or threat really does exist. A good example of this would be PR surrounding man in the middle attacks, which are a valid candidate for awareness raising. The only downside is that sometimes such press releases assume the audience knows what is being talked about, which is more than a little counterproductive.

· Publicising specific examples of where things have gone wrong. This is probably the worst kind of awareness raising press release. At best, it draws attention to an example of where the threat has been realised, or malpractice has been found in that, “I told you so,” kind of way. At worst, it can only be construed as ambulance chasing, using some unfortunate soul who has found themselves wanting, and attempting to bask in the reflected publicity.

Don’t get me wrong. In general, I like receiving press releases. I may not read all of them, end to end, but I am not embarrassed to admit that I cannot keep on top of everything that is going on, all the time. So, if I am told about a threat that I did not know existed, or indeed about a product which in some way can resolve that threat, I can add this to my catalogue of knowledge. Equally, however, I make no bones about the fact that I detest ‘ambulance chasing’ press releases. While I concede that it can be useful to use such incidents as examples, they should be used as no more than a passing mention to support any of the other kinds of awareness raising. Consider the difference in the following two statements:

· “The HMFE were foolish, and should get their act together,” said Charlie Farley, vice president of security firm Ultrasecurix. “By using technologies such as ours, it would never have happened in the first place.”

· “Ultrasecurix would like to announce the latest iteration of our product. It has been redesigned from the ground up to deal with the latest generation of threats,” says Charlie Farley. The many features include… which enable comprehensive protection. “Situations such as those highlighted at the HMFE only serve to highlight how things are changing and the need to stay vigilant.”

OK, the latter requires the company to have actually done something, which should maybe be the prerequisite in the first place. If, however, you feel the need to put out awareness raising press releases, remember the first three kinds before settling on the fourth. The bottom line is, if you can’t be constructive and add value in the first few paragraphs, then please don’t bother at all.

Why 2008 for enterprise identity management? January 4, 2008

Posted by joncollins in Identity Management, Risk Management, Security.

Like many people I suspect, I have struggled to get my head round identity management. This is less to do, I suspect, with the nature of the thing itself (great intro here, and I’d recommend Neil M’s reports on the subject), and more with the fact that there’s so much going on, in so many domains. The concept of identity itself is a nebulous beast, stretching from personal identity (yup, me, got that one) to corporate identity (aka managing and provisioning roles and access rights) and even more broadly, to that bar conversation – “every person, thing, asset etc can have an identity” – which can very quickly unravel into a flight of fancy.

Identity is a hot topic these days of course, what with incidents like the loss of all those records from the HMRC punting identity fraud into the public eye. Examples are legion, of identities being stolen, misused or otherwise abused – it’s perhaps surprising that incidents such as Goo-do-no-evil-gle and the Scoble Facebook hack have taken so long to materialise. While none of these examples are particularly relevant to the concepts being espoused by corporate identity management, one nonetheless stimulates interest in the other. There are overlaps of course - the hapless employee who lost the HMRC disks could have been deemed too dim to warrant access to the disks in the first place, but this thought process is in a different compartment to thinking about the risks caused by offering up our kids and (indeed) our bank details to all and sundry.

The issue for corporate technology sellers and buyers alike, is that while the subject of identity may no longer leave people glazing over at the slightest mention, conversations can munge all of the above issues into a convoluted glob, incorporating on one hand worries about the protection of personal information, and on the other practicalities around ensuring corporate information and systems are only accessed by those who have been granted access. Given that this industry thrives on three letter acronyms, perhaps we need a couple of new ones - “Personal Information Protection” for the former and “Enterprise Identity Management” for the latter. Thus, EIM could have been used to support PIP, in the HMRC case.

Taking just the corporate, “EIM” side of things, this looks to be an interesting year. The last couple of years have seen a number of acquisitions and product announcements in this space from the larger management vendors, notably CA, Oracle, IBM, BMC, Sun and Novell: the most recent step has been to bring in roles-based management and directory integration. There have been a number of challenges along the way, some of which remain – for example the architectural decision of whether a database or a directory is sufficiently scalable to serve up identity-related information at the required level of granularity; meanwhile a variety of standards are being put in place. Catalysed by the more general, populist buzz, all of these things put together should yield more general acceptance, and resulting deployment, of identity management solutions.

I should admit to a level of personal interest here, in what amounts to “the greater good”. While I view the HMRC incident with disappointment, I don’t subscribe to the headline-grabbing faux-abhorrence that some press have expressed, and I certainly don’t believe any one person should carry the can. Given the problem is indeed systemic (I believe so too), and if we can also agree that such a thing could have happened in most organisations, then we require a systemic approach to solving it. Taken in the round, identity management can offer such an approach, underpinned by the appropriate use of technology – this is most definitely a place where technology alone cannot provide the answer, but neither can the problem be solved without it. Indeed, if the HMRC incident serves to raise awareness and adoption to the extent that other organisations do not suffer the same fate, then it will not have been without value.

Can software developers be protected from themselves? December 12, 2007

Posted by joncollins in Security.

It’s now six weeks since RSA Europe, when I made a diary note to take a deeper look at the SAFECode forum. SAFECode stands for the Software Assurance Forum for Excellence in Code - we can be profoundly grateful that the founders didn’t try to expand out the entire acronym. It also stands for “increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods” - a kind of Green Cross man of the IT world, helping software developers across the highly risky freeways of the technological world.

The SAFECode idea is to co-ordinate software best practices across software vendor companies, and to build in appropriate checks and balances to ensure the resulting applications are secure (or at least, to minimise the risks). Is it necessary? Where there’s smoke there’s fire, and to be sure, Microsoft is no longer the only target of cyber-attacks. As hackers mature into commercial operators, no longer motivated (just) by “giving it to the man,” an ever-widening pool of programs is coming under threat.

In principle, then, SAFECode is a good, worthy and valuable idea. It is by no means guaranteed to succeed, for a number of reasons. Don’t get me wrong - of course it will be a good thing to co-ordinate and share best practice. From the point of view of its longer term success there are several howevers, based around:

- Credibility. To succeed, the SAFECode forum needs to be seen as successful. This is a conundrum but it isn’t new - consider the ITIL library of systems management best practice, which has taken a good 10 years to establish itself. It may be that SAFECode by itself proves inadequate because it focuses only on security, and quickly runs into the weeds as it tries to integrate with the wider picture of software development, which is itself peppered by competing best practice, from waterfall to RUP to agile.

- Critical mass. While there are big hitters in the list (from the site: EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, and Symantec Corp.), the number of members is not yet adequate to cause a mass adoption or understanding of the best practices it wants to espouse.

- Clarity. SAFECode can perhaps learn from the mistakes of other forums - notably in this case ITIL - by opening its documents to the widest possible audience. A quick glance at the publications page indicates that the organisation does not yet have anything to tell people, not in terms of best practice. The wrong thing to do from here on in would be to make any publications for members only, or indeed available only for sale. Commerciality will get in the way of SAFECode’s mission, if not scuppering it already.

- Collaboration. The technology world has come a long way since the smoke-filled rooms in which many best practice standards have been conceived. We have ridden the open source wave and now we are in the midst of a new era of collaboration, as illustrated by social networking. The fastest route to success (and I’m not always a fan) for SAFECode would be to build a Wiki, and open it up as widely as possible with appropriate editorial responsibility. While signal to noise would have to be managed, this would aid both visibility of the process and road-testing of the results.

- Certification process. Without some kind of certification, SAFECode members do not have to prove anything for themselves, nor would there be any kind of recourse should SAFECode practices not be kept. Certification needs to have teeth - while anyone can join the forum, only products that fulfil appropriate criteria should be marked as “SAFECode certified”, and only organisations that continue to apply the best practices should be able to maintain their member status.

In summary, then, all initiatives such as SAFECode should be applauded. However, the forum should be judged not on its existence alone, but on its ability to change how applications are written - and ultimately, on whether the risks posed by member applications are reduced. This may seem like a tall order but if SAFECode can’t provide some kind of guarantee, then it will be of little use. Not only this, but its currency will very quickly devalue, to the detriment of its founders and the credibility of their products.

IT Security Analyst Forum (a.k.a. Hey Mum I’m on the telly) November 6, 2007

Posted by joncollins in Curricular, Security.

I was fortunate enough to attend the IT Security Analyst Forum a few weeks ago, where I was one of many analysts meeting with a number of security vendors. A kindly gentleman was there recording the proceedings, and I just came across the videoed results - isn’t the Web marvelous?

Anyway, if you’d like to know more about Freeform Dynamics, how we operate or my views on IT security, please do watch the below!

Part 1: About Freeform and general security views

Part 2: what trends are you noticing?

Part 3: has the analyst forum been a success?

P.S. Yes that is my bald pate in the first frame…

The bigger picture of behavioral analysis - a conversation with Tier-3 October 26, 2007

Posted by joncollins in Risk Management, Security.

In a break with tradition, I’m going to write about a specific company in this one, or at least a specific series of conversations. I’ve been talking quite a lot to the guys at Tier-3, a company specialising in software that can look for anomalies in how IT is being used. While there are many potential applications of such a capability the company has focused its efforts on looking at IT security, sucking in events from computer logs and looking out for things that don’t fit with the norm. Think intrusion prevention, unauthorised access and the like.
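The post describes the product only at the level of “sucking in events from computer logs and looking out for things that don’t fit with the norm”. To make that concrete, here is an added illustration of the basic mechanism, written for this page rather than taken from Tier-3 or HUNTSMAN: learn a per-user baseline (hours of day and source addresses seen on successful logins) from historical sshd-style lines, then flag new events that deviate from it, plus a run of failed attempts from one source. The log format, the rules and the thresholds are all assumptions, and the log lines are constructed sample data.

```python
"""Added illustration: per-user baseline-and-deviation detection over auth logs.
Not Tier-3 or HUNTSMAN code; the log format, rules and thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not real logs): a few days of normal logins,
# used to learn what "normal" looks like for each user.
BASELINE_LOGS = """\
2007-10-01T08:55:12 host1 sshd: Accepted password for alice from 10.0.1.15
2007-10-01T09:02:40 host1 sshd: Accepted password for bob from 10.0.1.22
2007-10-02T08:47:03 host1 sshd: Accepted password for alice from 10.0.1.15
2007-10-02T09:10:11 host1 sshd: Accepted password for bob from 10.0.1.22
2007-10-03T08:59:30 host1 sshd: Accepted password for alice from 10.0.1.15
2007-10-03T17:45:02 host1 sshd: Accepted password for bob from 10.0.1.23
2007-10-04T09:01:55 host1 sshd: Accepted password for alice from 10.0.1.15
2007-10-04T09:05:18 host1 sshd: Accepted password for bob from 10.0.1.22
"""

# Constructed sample data: a new day's events, including a night-time
# password-guessing run from an outside address that eventually succeeds.
NEW_LOGS = """\
2007-10-05T03:12:40 host1 sshd: Failed password for alice from 203.0.113.7
2007-10-05T03:12:41 host1 sshd: Failed password for alice from 203.0.113.7
2007-10-05T03:12:42 host1 sshd: Failed password for alice from 203.0.113.7
2007-10-05T03:12:43 host1 sshd: Failed password for alice from 203.0.113.7
2007-10-05T03:12:44 host1 sshd: Failed password for alice from 203.0.113.7
2007-10-05T03:12:50 host1 sshd: Accepted password for alice from 203.0.113.7
2007-10-05T08:58:44 host1 sshd: Accepted password for alice from 10.0.1.15
2007-10-05T09:03:27 host1 sshd: Accepted password for bob from 10.0.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def build_baseline(events):
    """Per-user profile of 'normal': hours of day and source addresses seen
    on successful logins. Failed attempts are deliberately not part of it."""
    profile = defaultdict(lambda: {"hours": Counter(), "sources": set()})
    for ev in events:
        if ev["result"] == "Accepted":
            profile[ev["user"]]["hours"][ev["ts"].hour] += 1
            profile[ev["user"]]["sources"].add(ev["src"])
    return dict(profile)


def hour_distance(a, b):
    """Distance between two hours of day, wrapping at midnight (23 vs 0 is 1)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect(events, profile, burst_threshold=5, burst_window=60):
    """Return [(event, reasons)] for events that do not fit the profile:
    a run of failures from one source within burst_window seconds, a success
    from an unseen source, or a success at an hour more than one hour away
    from any hour the user has previously logged in at."""
    findings = []
    recent_failures = defaultdict(list)  # (user, src) -> failure timestamps in window
    for ev in events:
        reasons = []
        if ev["result"] == "Failed":
            key = (ev["user"], ev["src"])
            window = [t for t in recent_failures[key]
                      if (ev["ts"] - t).total_seconds() <= burst_window]
            window.append(ev["ts"])
            recent_failures[key] = window
            if len(window) == burst_threshold:  # fire once, as the threshold is crossed
                reasons.append("failure_burst")
        else:
            p = profile.get(ev["user"])
            if p is None:
                reasons.append("unknown_user")
            else:
                if ev["src"] not in p["sources"]:
                    reasons.append("new_source")
                if all(hour_distance(ev["ts"].hour, h) > 1 for h in p["hours"]):
                    reasons.append("unusual_hour")
        if reasons:
            findings.append((ev, reasons))
    return findings


def run_demo():
    """Learn from BASELINE_LOGS, then score NEW_LOGS against that baseline."""
    profile = build_baseline(parse(BASELINE_LOGS))
    return detect(parse(NEW_LOGS), profile)


if __name__ == "__main__":
    for ev, reasons in run_demo():
        print(ev["ts"].isoformat(), ev["user"], ev["src"], ", ".join(reasons))
```

On the sample data this raises two findings: the fifth failed attempt from 203.0.113.7 (the burst), and the success that follows it, which is both from an address alice has never used and at an hour far from her usual morning logins; the ordinary morning logins are not flagged. The caveat the post itself gets at is visible here too: the detector is only as good as the baseline, and a baseline is only as good as the knowledge of which users, hosts and assets ought to be in it.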

It sounds so great in theory - and indeed, the company has recently announced wins for its HUNTSMAN product with some quite sizeable players such as Toshiba, so it must have something going for it. I still find myself feeling dubious however, not least (indeed, mostly) because whenever we do research into who’s buying what in IT security, behavioral analysis software seems to come out near the bottom of the pile.

So, there appears to be a bit of a behavioral anomaly about the whole thing. If such products are recognised to be so blooming useful, why is nobody buying them? My conclusion has been that, while such security products as antivirus, firewalls and VPN are quite simple to explain and therefore cost-justify, it was always going to be harder to assemble a business case for such tools as behavioral analysis.

When I spoke to Tier-3 I put this position to them, and asked (on the back of such deals as Tosh) whether it was changing. What Peter Woollacott, CEO, told me was that it was true, but he shed a bit more light onto what made it so hard. “Anomaly detection investments are currently being driven by the value ascribed to IT/IP assets relative to cost,” he said, “yet many organisations still fail to understand the value of their IP assets.” In other words - if you don’t know what you’ve got, it’s difficult to work out its value, or indeed (as Peter explained), how vulnerable it is against the legions of potential threats.

It’s an interesting one, not least because (according to my illustrious colleague Martin’s report) the lack of asset knowledge is such an age-old problem in IT, leading to that other age-old chestnut - how can you secure your IT environment, if you don’t know what you’ve got?

Funnily enough however, the answer to the asset management issue may well come from considering some of the desired outcomes of security - not least that mother of all reasons, the reduction of business risk. Peter used the term “return on security investment” - the ramifications of which can be seen quite clearly in more regulated environments, and are starting to be visible in other verticals. “Just as Basel II rewards better operational risk managers with lower costs of capital,” commented Peter, “risk adjusted decision making is already featuring in corporate investment cases.”

Understanding of IT risk requires (and therefore drives the need for) understanding of IT assets, and their vulnerabilities. Ultimately this also drives the need for products such as those from Tier-3, but it’s unlikely that the company can currently use this as a product pitch. Rather, organisations that are already educated on the need to manage risk for business reasons, and are acting upon it, will also want to get on top of their IT assets and what they are up to.

To take this one step further, perhaps there is no business case for behavioral analysis per se. That is, if such analysis is seen purely as a security measure, i.e. a way of working out what went wrong after the event so the hole can be plugged, it will always be difficult to justify. Alternatively, organisations that “get” such topics as risk management will be able to see behavioral analysis as a way of achieving some of the higher level goals that ensue, such as ongoing monitoring of risk levels in an already well-managed environment. In this context, anomaly spotting becomes a feature, and not an outcome.

Which is perhaps as things should be. Companies such as Tier-3 had better be in it for the long haul however, as there is still plenty of educating to be done just to get some organisations off the starting blocks.

What a way to start RSA - with a virus October 20, 2007

Posted by joncollins in Security.

Well, well. The last thing I expected to see when I plugged in my SD card this morning was a virus. I think I must have picked it up earlier in the week, as I was transferring files between computers.

First thing was when an AVG window popped up, to say a file was being quarantined. When the file re-appeared, I knew there was something awry. For anyone who is interested, it was the “microsoftpowerpoint.exe” virus - conveniently explained (along with removal instructions) on the Trend Micro web site, among others.

(Unless I speak too soon,) I got rid of the blighter in the end. But it was a timely reminder that, while the debate should quite rightly shift to take into account the true breadth of the risk landscape, that ol’ external threat is still alive and kicking.

High time to check those signature files are up to date, before heading off to the RSA conference in London next week…