
Wednesday, January 19, 2011

Today The Industry Is Changed!

Don’t I love overly dramatic headings? :-) Yup, I do.
Pretty much since the day Security Scoreboard launched, I was a MAJOR fan of the site and have always considered it “an industry-changing idea”  that can solve the #1 problem in information security – no, not APT! – inability to match solutions to security problems and rate what solutions actually solve those problems well. The industry, as we all know, is full of crapware – from “PCI scans” for $0.41 per month to fake anti-spyware and “magic” appliances that “do security stuff.”
And now we have a powerful weapon to fight it! Today Security Scoreboard changes everything … again.
Specifically:
Security Scoreboard has announced the appointment of security industry veteran Dominique Levin as Chief Executive Officer. The site offering unbiased end-user reviews and ratings on security products also received an investment and moved its headquarters to the Silicon Valley.
Yes, you can still think of the site as “Yelp for Security Products” – but also start thinking of it as “crowd-sourced and reality-based Gartner.” In my opinion, there is NOTHING (!!!) that our industry needs more than clarity – yes, even more than APT defense and easy-to-use SIEM :-) Lately, a lot of very smart folks have been bemoaning the state of the industry (example, example) and the Security Scoreboard relaunch could not have come at a better time.
Full press-release is pasted below (original) – yes, I am that excited to do it:
Security Scoreboard, which offers security product ratings and analytics based on real-world user experiences, announced that it has received an initial angel investment.
"Crowd-sourcing could significantly improve the validity and quality of the information available about commercial IT products”, said Dana Gardner, president and principal analyst at Interarbor Solutions. “As a consumer I can look at Angie's List, Rotten Tomatoes or TripAdvisor and it's crazy such thing doesn't exist for IT."
“Even if you have the time and money to test different solutions, it's always the details of real-life implementations that come to bite you”, said Chris Sawall, Supervisor of Information Security at Ameren Corporation, a Fortune 500 company and one of the nation's largest investor-owned electric and gas utilities. “You never know how technologies and solutions will really work until you have invested in them. Security Scoreboard allows me to be better informed."
At the time of the investment, the company also appointed Dominique Levin as CEO.
Levin comes to Security Scoreboard from LogLogic Inc., a leader in security and log management solutions, where she served as Chief Marketing Officer and Acting CEO. She was also previously VP Marketing at PoliVec, held positions at Nippon Telegraph and Telephone and Philips Consumer Electronics and generated over $630 million in shareholder value as a venture capital investor.
“The recent funding and the move to Silicon Valley will allow us to tap into engineering talent to accelerate our roadmap,” said Levin.
“Security Scoreboard recently introduced new analytics capabilities, which highlight top vendors by user ratings and present trends on site visits”, said Dr. Boaz Gelbord, President and co-founder of Security Scoreboard and himself a practicing security executive. “We are looking to add more sophisticated analysis leveraging user generated data”.   
"The new analytics move Security Scoreboard in the direction from merely showing you what your peers are thinking to making true crowd-based recommendations about which vendor tools to use", said Jay Leek, Vice President of International Security at Equifax.
The company plans to raise additional venture funding later this year.
About Security Scoreboard:
Security Scoreboard is a community generated review and rating site to help security practitioners and executives select the right information security solutions. Security Scoreboard is supported by an Advisory Group and User Council of industry leading CISOs, CIOs and security managers. The site leverages crowd sourced ratings and state of the art analytics to provide recommendations based on real life experiences of other customers.
I am REALLY looking forward to the new era – and I do realize that it will take work!

Monday, November 15, 2010

How to Write an OK SIEM RFP?

Ok, some people think consultants are supposed to make money off helping enterprises write RFPs, but I am busy enough and so it goes. This is what happens if Anton is stuck in a metal tube for 5 hours in seat 1A :-)

Question: How do I go about writing a SIEM or log management RFP?

Quick answer: don’t. This “purchase method” is probably equally hated by vendors and end-users. As somebody who was “volunteered” to help sales folks with 1600 page (yes, really!) and smaller RFPs more than once during my “vendor years,” I can tell you that – with a tongue firmly in cheek:

a) if you ask a vague question in your RFP, you will get either a “Yes” or a nice blurb taken from a random location in vendor datasheet

b) if you ask a question starting with “How…?”, you will get a nice blurb taken from a vendor datasheet

c) if you ask a silly question (“do you have an Albanian language interface?”), you will get either a “Yes” or a nice blurb taken from a random location in vendor datasheet

d) if you ask a question that is impossible to answer (“Can your product handle the high load?”), you will likely get a “Yes” – surprise!

e) if you ask an honest question that might cast a product in a negative light (“will you ever lose log data?”), what do you think you will get….?

See a theme emerge here? Note that I am not trying to imply that any particular vendor would lie in their RFP responses – the term here is “defensible creative exaggeration.” BTW, what do you think happens when a standard enterprise RFP template collides with a standard vendor RFP “boiler plate” response? Boom! The explosion of high-grade concentrated idiocy… And if you think that I am a bit cynical about this whole thing, then maybe you are correct… making sausage for a long time does distort one’s personality a wee bit :-)

Despite the above, there are two exceptions to this rule of not doing RFPs:

  1. You are obligated to do an RFP (government, etc)
  2. You’d like to use your RFP as a chance to distill and focus your SIEM/LM requirements.

Let’s address them both at the same time. If you are case #1 above, you should really turn it into case #2.  As you recall (if not, review these posts here), one of the most important things an organization should do before buying a SIEM is to set its own goals, requirements, use cases, etc. BTW, this recent SIEM presentation stresses the same point – esp. see slide 16 and around.  This older presentation has some things to avoid at the product selection stage – see “worst practices” 1-4.

So, based on my experience on both sides of the RFP “interface”, here are some of my SIEM RFP tips:

  • Keep it short! If you cannot express what you need in under 10 pages, go back and rethink it. “Every time an organization releases a 500+ page RFP, God kills an intern.” Yes, that very intern who is tasked with responding to that monster, of course.
  • Start from your REAL main reason for getting a SIEM, your problem statement – monitor PCI DSS CDE, perform IDS/IPS alert analysis, monitor servers for suspicious logins, protect web applications via log correlation, etc
  • Include your use cases – which simply means to describe how you plan to use the system and what you expect the system to do for you. Some examples are shown here  (more high level) and here (more detailed inside the whitepaper).
  • Based on your goals and use cases (and that is important!), describe SIEM product functionality that is essential for your mission: agentless collection, bandwidth throttling, rule-based correlation, visual dashboards, trend reports, whatever…
  • Include log sources / devices that you absolutely need supported and what you mean by “supported” (e.g. parsed, normalized, categorized, suitable for correlation, covered by default correlation rules, updated promptly when log source changes, etc). This area is notorious for extra-high volume of “creative exaggeration” (“of course we support VidgetMaster 7.2! – via our generic LogMahgic 1.0 (TM) collector … which  dumps log files right into storage without analysis … and then rotates them to oblivion within 7 days”)
  • Avoid or reduce the usage of vague terms: “scalable”, “high”, “flexible”, “effective”, “advanced”, “automatic”, “proper”, etc. Why tempt the other side unnecessarily? :-)
  • Clarify most other terms, even those that look clear to you: “correlation”, “reporting”, “keyword search”, “trend”, “responsive”, etc
  • Size the environment before writing an RFP, as we discuss in LogChat #2. Baseline your log sources for 2-4 weeks to get your average EPS rate then include both the volume of data and number of log sources that you absolutely need supported. Also, specify response time for reports and searches while you are at it.
  • Make phases of your SIEM project clear up front – don’t say “400,000 devices and 4,000,000 EPS enterprise-wide.” I got news for you – you probably will never get there… Be very clear about your Phase 1-2 and simply keep later phases in mind for the coming years.
  • Try hard to avoid idiotic statements (sorry!): “Vendor MUST specify their efforts and processes to guarantee that products and services provided will completely satisfy us or exceed our expectations” (quote from a real RFP)
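The sizing tip above (baseline your log sources, then state average EPS, peak EPS, number of sources and daily volume in the RFP) is easy to get wrong by eyeballing. Below is an added example, not code from the original post, showing how to derive those numbers from a log sample. It assumes BSD-syslog style lines whose first 15 characters are a "Mon DD HH:MM:SS" timestamp followed by the host name, and the sample lines are constructed for illustration; the function names are my own.

```python
"""Added example (not from the original post): derive SIEM/LM sizing numbers
(average EPS, peak EPS, distinct sources, bytes per day) from a log sample.

Assumes BSD-syslog lines: a 15-character "Mon DD HH:MM:SS" timestamp, a space,
then the host name. The year is not in that format, so it is passed in.
"""
from collections import Counter
from datetime import datetime

# Constructed sample covering a few seconds from two hosts (not real data).
SAMPLE_LOGS = """\
Nov 15 10:00:00 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=445
Nov 15 10:00:00 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=139
Nov 15 10:00:00 web1 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 51022 ssh2
Nov 15 10:00:01 web1 sshd[2211]: Failed password for invalid user admin from 10.0.0.5 port 51023 ssh2
Nov 15 10:00:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=3389
Nov 15 10:00:04 web1 sshd[2214]: Accepted publickey for deploy from 10.0.1.7 port 40112 ssh2
"""


def parse_line(line, year=2010):
    """Return (timestamp, host, byte_length) for one BSD-syslog line."""
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    host = line[16:].split(" ", 1)[0]
    return ts, host, len(line.encode()) + 1  # +1 for the newline on disk


def size_logs(text, year=2010):
    """Compute the figures an RFP should state instead of 'high load':
    average EPS, peak one-second EPS, distinct log sources and bytes/day."""
    per_second = Counter()
    hosts = set()
    total_bytes = 0
    first = last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, nbytes = parse_line(line, year)
        per_second[ts] += 1
        hosts.add(host)
        total_bytes += nbytes
        first = ts if first is None else min(first, ts)
        last = ts if last is None else max(last, ts)
    if first is None:
        return None  # empty sample: nothing to size
    # Count the last second as a full second, so a one-second sample spans 1s.
    span = int((last - first).total_seconds()) + 1
    events = sum(per_second.values())
    avg_eps = events / span
    avg_bytes = total_bytes / events
    return {
        "events": events,
        "span_seconds": span,
        "avg_eps": avg_eps,
        "peak_eps": max(per_second.values()),  # worst single second seen
        "sources": len(hosts),
        "avg_bytes_per_event": avg_bytes,
        "bytes_per_day": avg_eps * avg_bytes * 86400,
    }


if __name__ == "__main__":
    for key, value in size_logs(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run it over the 2-4 weeks of collected logs rather than a six-line sample, and report average and peak EPS separately: a SIEM that keeps up with the average but drops events at the peak is exactly the "will you ever lose log data?" case the post warns about. Distinct hosts is a floor for the "number of log sources" figure, since one host may emit several log types that each need parsing.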

And – hold on to your pants – despite the above effort you should be prepared to take the responses with a HUGE grain of salt. One of my contacts on the enterprise side put it simply: “of course we ignore all the specifics in RFP responses.” :-( With this approach to RFP writing, you WILL still benefit even if you don’t read the responses…

Finally, a more useful question than “how do I write a SIEM RFP?” is “how do I buy the right SIEM for my organization?” Keep this in mind while tuning your RFP. Or just retain me to help – a $20k consulting project is known to sometimes save an organization from  a $500k SIEM failure….


Wednesday, November 19, 2008

Darn Good Idea ... If Done Well

"A free, downloadable, log management and compliance product that provides organizations with visibility across their networks, data centers, and infrastructures?" (here)

Somebody, somewhere is thinking ...

In any case, "free is in" :-) Look at all the announcements (NetWitness, Mandiant, this) as well as "the original free."

MS AV Out and Free ... Uh-Oh

With headlines like "MS Destroys the Consumer AV Market," the news hit ... well, hit the fan like the proverbial... well, you know what :-)

Is it really "Good-bye Big Yellow and Little Red?" Probably not, as this new offering is aimed at consumers and lower-end SMBs; large orgs will still pay ransom ... eh, subscription fees for their AV. It was also interesting to read some of the comments, like "OMG, I so hate paying for AV... and now I won't have to." If such sentiment is indeed widespread, maybe MS chose a really, really good moment to come out with this!

The most fun comments are found on the OneCare team blog here. Esp. see this one: "a majority of consumers around the world do not have up-to-date antivirus, antispyware and antimalware protection" (now they will, thanks to MS! :-)) and "this new offering will focus on getting the majority of consumers the essential protection they need by providing comprehensive, real-time anti-malware protection, covering such threats as viruses, spyware, rootkits, trojans, and other emerging threats, in a single [FREE!], focused solution."

UPDATE: very funny comments from AV firms and "normal people" (see below the article at the link)

UPDATE2: another very fun comment, including "maybe it's time that Symantec and McAfee start offering free versions of their own antivirus products"

Friday, August 15, 2008

On Idiots and Logs

How on Earth can someone even utter the phrases "scalable log management" and "Microsoft Access for data storage" in one sentence? OMG, OMG, OMG...

MS Access, for God's sake! I wonder if they tried storing logs in Excel spreadsheets?

Yeeeeesh.

Tuesday, May 06, 2008

So Cool: Richard on NAC

This is fun: Richard "IDS is dead" Stiennon says "NAC is dead."

I will now start calling him Richard "Both IDS and NAC are dead" Stiennon. Also, he is hereby proclaimed a Mortician of Security Industry :-)

Sorry, it is all in good fun!

More on that tomorrow in my "Security Reading II" piece, BTW.

Wednesday, April 23, 2008

Dancho on Security Industry and Media

Dancho Danchev makes this astute observation about the coverage of security by the media:
"You know it's a slow news week when you come across :
1. Articles stating that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it" + 9 more items.

It would be funny .. if it weren't sad :-)

Thursday, April 03, 2008

$50 > life. WHYYYYYYY?

If you flipped thru my slides from the CSO Summit, you noticed slide #4 with a picture of a seatbelt. Why is it there?

That is why. This post really tied (for me) everything that happens in security today; and its essence is this quote:

"The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice. I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life."

and even

"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws."

If you see anything weird in today's "compliance-heavy" security industry, it is probably explained by this phenomenon.

Thursday, March 20, 2008

NAC Vendors Starting to ... You Know ... Die?

I really wanted to play some kind of joke on vendor being "knacked off," but all sounded too stupid to post here :-) In any case, some people were saying that there are way too many NAC vendors around, especially given slow adoption of this technology. Now they have proof.

Now, it is a sad thing to see a security company "go poof" and I am sure this one had good people, but I think certain market common sense should apply... For example, I know some people who want to launch a DLP vendor. Now, if their data loss "prevention" technology is better than anybody else's, they will probably fail. However, if they looked at the problem from a different angle and solved some of the challenges that nobody can touch (and which are real), now we are talking....

Wednesday, March 12, 2008

Bruce on Suites vs Best of Breed vs "Security as a Feature"

Now, some say that Bruce starts to lose it from being a spokesperson (not a doer) for too long, but this proves that he is still a security visionary and can start a fun, thought-inspiring controversy. This post called "Security Products: Suites vs. Best-of-Breed" is a VERY fun read (you MUST also read the discussion that followed - and think!)

A few representative quotes: "Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure." (do they really?)

"And sooner or later the need to buy security will disappear. " (bullshit, I say! :-) - analogous 'some day the need to have police will disappear...')

"It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. " (year 3000?)

"IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it." (hmmmm... is your information infrastructure? no!)

Mike R comments on that (here): "But the idea that the answer is neither and that outsourcing will be the death knell in the security business is interesting, but ultimately wrong. [...] Trying to wait for Big Security to die would give new meaning to the long and slow goodbye."

Thursday, March 06, 2008

Two Fun and Thought-provoking Pieces

This is very fun and insightful read from Gunnar Peterson: "When Will We See Market Forces in Infosec?" Example fun quote: "... Wait - they listen to customers, innovate new things, control costs, and deliver safety mechanisms to market while growing their business? When will Silicon Valley answer the bell on this model?" Read on.

On an unrelated note, Hoff's comments on "McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security" are very fun too. Example quote: "Mistake 3: Putting network engineers in charge of security: When will you learn that folks with a network background can't possibly make your enterprise secure." Read on!

Wednesday, February 27, 2008

Mike R on "DLP"

Mike R makes a good point here when he says that "data leak prevention (DLP) stalls in 2008, continuing to be a solution looking for a problem. " He also predicts that DLP will suffer in the marketplace from "poor man's DLP" or "good enough DLP using other technologies."

I plan to outline just such a plan: poor man's DLP using logs. Yes, it will suck :-), but it will be free, not "$500,000". What can I say, 'Welcome to the world of "good enough technology!"'

Monday, October 29, 2007

Security Companies 2 Watch - 2007

Everybody already looked at it, I am sure, but why not: "10 IT security companies to watch." Now, some might check it out and say "Come on, this is 'Network World'! How dumb can that be?" Well, I think it is worth looking at anyway: the fun part is the common themes. And they are:

  • Authentication (What?!)
  • Smart traffic sniffing (A yawn? Maybe)
  • DLP (tooooo f late...)
  • Behavioral anti-malware (one more? nooooo...)
  • Identity risk-management (WTF?)
  • Database security (well, maybe)
  • Encryption (what a novel idea?)
  • Code review (finally time?)
Still, check out the list!

Thursday, August 30, 2007

Still, I Stick to It or 'SIEM vs Log Management'

Even though I did talk about it at length before (e.g. here), this article reminded me to remind you :-) I think Forrester folks are a bit optimistic. Think about it: if you have logs - you need log management. If you are ... if you have ... ehhh, well - when do you need a SIEM?

A long time ago, in my previous life, somebody came to me and said "I want everybody to need SIEM, our SIEM! Make it happen" (well, not exactly these words, but you get the idea). I thought about it long and hard and you know what? - even back then it occurred to me that SIEM is not for everyone. Log management, on the other hand, is for everyone who has logs (well, more than a trivial amount of them ...)

Wednesday, August 15, 2007

Nobody Is That Dumb ... Oh, Wait! - V

Another day, another stellar "Nobody Is That Dumb ... Oh, Wait!" case, number V in the series. ... So, will you file for an IPO under such circumstances? :-) Mike adds some hilarious details: "Their income statement showed a loss of about $10 MILLION on revenues just over $2 MILLION."

Ha-ha-haaaaaa. Ha-ha-ha! Haaaa :-)

Wednesday, August 08, 2007

On Crossing the Chasm

Fun post from Andy on "crossing the chasm." Be careful, if your success is only due to early technology adopters, you can run out of them :-) And then, if you cannot sell to "normal people," you are f*cked ...

Friday, July 27, 2007

Why Some Vendor Webcasts Suck?

So, I was attending this vendor's webcast related to log management the other day and it sucked ... pretty bad.

OMG, why oh why do some vendors think that their customers and prospects are stupid!? How many times can a "C{T|M}O hybrid" utter "changing threat landscape" and "you now have a legal obligation to protect information" (or even such gems of deep thinking as "success requires commitment of resources AND effort" :-) Gee, monkey, I really thought I needed only resources, but not effort!) and still retain any semblance of credibility?

WTF? If his mouth is "presenting solutions" to the audience's problems, but his brain keeps thinking "buy our crap!!!," the webcast will likely result in audience being both bored and aggravated ...

I usually take offense when security pros in the trenches call vendor people "vendor scum" (or even here), but after this webcast I think I know why now. Mike, please create your "Selling to Pragmatic CISO" ASAP and then jam it up the /.../of these folks!

Friday, July 13, 2007

Fun Insights from "Missing Mike" :-)

This one: "I have no doubt that in the coming years; there will be a lot of focus on data-centric security – but not in 2007."

and this one as well (which makes me somewhat happy): "6-month grade: D - Much to my chagrin, compliance is still alive and well. [...] Compliance will remain a factor for 2-3 year planning horizon. Now I need to go get some Tums, since eating crow wreaks havoc on your digestive tract." :-)

A small comment on the latter, if I may. Indeed, a new compliance mandate won't scare a "Pragmatic CSO", but - what's the antonym? a "romantic CSO"? - will likely be scared shitless ... Thus, it is a good thing that compliance will still be a factor, since it will prod less "pragmatic" security leaders into action!

Tuesday, July 03, 2007

Last Blog Post for Today: Ranum on Trends

OK, OK, I will shut up :-) Just this last thing: a fun interview with Marcus Ranum here.

As usually (mmm.. make that 'AS ALWAYS'), Marcus Ranum is heavily pessimistic: "And, as a consequence, security is going to be permanently in the "expense" column [A.C. - and what, pray tell me, is wrong with that? Door locks are an expense too...] and it'll be a legal mitigation/triage game played by executives and lawyers, with the security guy's job consisting mostly of hovering over the system admin's shoulder to make sure that they actually clicked the "on" button where it says "security."

So - I think security's about to suffer a mental and financial heat-death. Frankly, we deserve it. If you look at what security has accomplished in the minds of most IT execs, during the last 10 years, it has been an endless stream of annoying bug-fixes. All the positive [A.C. - positive stuff? In security which is inherently 'anti-X' or, more softly, about 'not having X happen'? What do you mean? :-)] stuff is completely overwhelmed by the flood of mal-this and mal-that and the constant yammering for attention from the vulnerability pimps."

Enjoy the rest!

Dr Anton Chuvakin