Showing posts with label review.

Tuesday, July 17, 2012

Book Review: “UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A complete guide to analyst influence” by Richard Stiennon

This is not a book for everybody (and your grandmother probably does not need to read it; neither does an average IT professional). However, I think that this book is pure gold for those tasked with interacting with analyst firms.

I am an analyst, and I wish every vendor client read this book and followed some of the advice given there. It would reduce pain on both sides of the conversation, as well as make the interactions more valuable for – again! - both sides.

Obviously, this is not a book to guarantee your IT product a favorable placement in analyst research. It is also not a book on how to bamboozle the analysts, despite its focus on analyst influence. However, it is definitely a book to make sure that well deserving products, developed and marketed by good teams of people, don't get sidelined.

Some of the specifics that I liked include the influence pyramid concept, social media techniques, a careful approach to managing corporate Wikipedia entries, specific approaches to various analyst activities (such as calls, reports, advisory days and conferences), etc. My favorite sections (both fun to read as well as insightful!) are the one on “guerrilla tactics” and the obligatory “what not to do” chapter (the latter has a few sad case studies of IT vendors who screwed themselves up). Another great chapter covers the role of a vendor sales team in both helping the interaction with the analyst firm and avoiding some embarrassing mistakes.

In fact, this book makes me proud to be an analyst. Then again, maybe it is my ego talking as the book seems to project an impression that “an analyst is the most important person in the world“, at least as far as IT vendors are concerned.

Finally, if you are an IT vendor marketer, remember: when you say “holistic,” some analysts think “imaginary.” Richard suggests scrubbing your presentations of silly, meaningless words like “synergy” and “holistic.”

Friday, May 18, 2012

Book Review: “Security De-Engineering: Solving the Problems in Information Risk Management” by Ian Tibble

This book is probably the most thought-provoking book on security I have read in the last 5-7 years! While I'm somewhat known for my proclivity to exaggerate, I assure you this is not an exaggeration. As I was reading it, I felt like I connected to deep layers of the subconsciousness of the security industry.
In fact, the influence this book has already had on me is palpable: I found myself using some of its terms (such as the author’s favorites, “intellectual capital” and “CASE”) and concepts the day after I started reading it.

As a brief summary, the book investigates the evolution of the way we do information security from the “hacker-led” late 1990s to the “compliance-heavy” late 2000s and today. The author also highlights dramatic problems with today's approach to security and suggests some solutions in the way people think and operate around security.

In fact, it might be one of the most influential books ever written in the history of the security industry - one that appeared at the best possible time, when it’s most needed. Along the same line, I have grown worried about the ranks of security professionals who are not hands-on with technology and who have never secured production systems. Like the author, I have grown frustrated with the ranks of idiots who equate compliance and security. Even the author’s rant about ethics is something I've been thinking about for years.

The author slaughters a few of the sacred cows of the security industry: the one that “executives are clueless” and the one that we “must have reliable actuarial data on incidents to stay relevant.” He also highlights a few categories of security products which are notorious for not delivering value and explains the reasons for that. Most of his points are backed up by specific cases from his experience, going back to the end of the 1990s when the security industry was born.

And, of course, as with any thought-provoking writing, I cannot say I agree with every word I read. For example, I am much less negative on vulnerability assessment technology than the author (I don't think it gives you 50% “false negatives” on common platforms today). Furthermore, I abhor the use (misuse, really) of “ROI” for justifying security spending. Style-wise, the author is a little too fond of repetition for my taste. However, having a summary after each chapter is a great idea.

Finally, despite the unreasonably high price, I feel that every member of the security community MUST read this book. Literally every chapter will have insights that will make you a better security professional today.

Monday, January 10, 2011

Book Review: “Security Information and Event Management (SIEM) Implementation”

Here is my review for “Security Information and Event Management (SIEM) Implementation” by David Miller, Shon Harris, Allen Harper, Stephen VanDyke and Chris Blask. It has just been published on Amazon; I gave it 4 stars out of 5.

I was looking forward to reading this book for a few months – pretty much since the time I heard that it was being written. Obviously, I was very excited when it arrived in my mailbox. Now that I am done reading it, I can say it left a mixed impression. Mostly positive – but still mixed. I definitely enjoyed reading it, despite (or maybe due to) the fact that I’ve been involved with SIEM for nearly 10 years.
Let me first go through all the chapters and then give my overall impression. The book is organized in three big parts: “introduction to SIEM: threat intelligence for IT systems”, “IT threat intelligence using SIEM systems” and “SIEM tools.”
Chapter 1 covers security basics with minimal connection to SIEM. It reads as an over-simplified refresher of what information security is about.
Chapter 2 can be summarized using a quote from the chapter itself: “the bad things that could happen.” It contains another refresher on attacks, somewhat jumbled and somewhat dated. We’re not really touching SIEM yet at this point.
Chapter 3 has the author’s view of regulatory compliance: the usual suspects are mentioned – PCI DSS, HIPAA, FISMA, SB1386, SOX, GLBA, etc. HIPAA is not misspelled, which counts as good news :-)
Chapter 4 has a bizarre name: “SIEM concepts: components for small and medium-sized businesses.” It contains an overview of SIEM with little focus on SMB. It is mildly confusing (for example, it calls LogRhythm “a commercial syslog server”). It contains a few outright mistakes as well (like a mention of one log management vendor whose application reportedly covers ”all 228 PCI controls”). The chapter tries to talk about everything (yes, even GRC) and makes a very weak impression.
Chapter 5 looks like a twin of the previous chapter. It also contains an overview of SIEM, but a different one – a better one, in fact. These two chapters don’t contradict each other much, but their joint presence in the book is mysterious and somewhat confusing.
Chapter 6 is a sudden break from SIEM into incident response. It does contain a few useful – but high-level – flow charts for incident response. I doubt that it was written by somebody who did much incident response, however.
Chapter 7 is both a curse and a blessing. I loved the ideas in the chapter – using SIEM for BI – but I hated the fact that its author didn’t even bother to check what “SIEM” abbreviation stands for (see page 116)…
Chapter 8 and Chapter 9 are about OSSIM/AlienVault. Of all the SIEM product chapters below, these are the weakest and the least useful. They offer little practical guidance and miss – yes, really! – most of the details you’d need to know before deploying OSSIM in production. I was especially annoyed by the “screenshot – three lines of text – screenshot – three lines of text…” model that most of Ch 8 and Ch 9 follow. It makes pages 152-166 just wasted paper. Ch 9 tries to be a bit more useful (it has two case studies), but collapses under the load of too many screenshots as well.
Chapter 10 and Chapter 11 talk about Cisco MARS. Since nobody cares about MARS anymore, I won’t be reviewing them here.
Chapter 12 and Chapter 13 cover Q1Labs SIEM. Unlike the above, these are actually useful for practical architecture planning of QRadar deployments. These chapters also contain useful SIEM insights – still, even these can benefit from more real-world tuning tips. The case study in Ch13 is useful as well. If you are thinking of getting a Q1Labs SIEM, grab the book to quickly review what you will encounter when you get the product.
Finally, Chapter 14 and Chapter 15 cover ArcSight SIEM. Despite minor mistakes and a “vendor whitepaper feel,” the chapters would be handy for people in the early stages of selecting, reviewing and deploying ArcSight SIEM. The chapters suffer a bit from trying to duplicate product help – you’re more likely to learn how to patch ArcSight than how to use it well. Sadly, no case studies are included in these chapters.
Overall, the book has the unfortunate signs of being written by a team of authors who didn’t talk to each other. Despite the promises of implementation guidance, it leaves some of the very complex SIEM issues untouched – and even unmentioned. There are very few case studies (some good ones are stashed in the appendix for some weird reason) and few tips and tricks for real-world SIEM implementation. Also, it is much stronger on the “what” than on the “how.” Still, I suggest that people buying, using and building SIEM products get their own copy and read at least the few chapters relevant to them. You will likely not be disappointed.

Saturday, February 20, 2010

Book Review “Cloud Security and Privacy”

Amazon just posted my review for “Cloud Security and Privacy” by Tim Mather, Subra Kumaraswamy and Shahed Latif.

It is reposted below for posterity – and my esteemed blog readers :-)

It goes without saying that I was very excited to pick up the first book on cloud security and privacy. Due to my Cloud Security Alliance (CSA) involvement, I was extremely interested in Tim’s take on the subject. The book is indeed a comprehensive treatise on everything cloud, and everything cloud security. The author team covers the topics based on IaaS/PaaS/SaaS (SPI) for infrastructure, platform, and software as a service model. They address stored data confidentiality, cloud provider operations, identity and access management in the cloud, availability management as well as privacy. My favorite chapter was of course the one on audit and compliance - chapter 8. Another fun chapter was chapter 12 on conclusions and the future of the cloud (which is, BTW, all but assured…).

One of the most important things I picked from the book was a very structured view on separation of security responsibilities between the cloud provider and the customer for all of the SPI scenarios. This alone probably justifies getting your own copy.

As far as technical content goes, the book stays fairly high-level even though it touches on the details of SAML and other authentication protocols.

The only downside of the book is its extremely dry writing style. There are only a few examples and case studies. Following the “just the facts” model sometimes might lead the reader towards losing interest, no matter how important the subject is – and this subject is pretty darn important. To put this in context, I do read security books for fun, not only for work.

Enjoy the book!


Friday, November 06, 2009

Book Review: “The myths of Security” by John Viega

My review for “The Myths of Security” by John Viega has been posted to Amazon; I gave it 4 out of 5 stars.

Think about this book as a printed collection of blog posts – some a dozen pages, some half a page. John’s essays – all 48 of them - read like a typical blog: fun views on hot subjects, controversial opinions, new ideas for the future, dispelled myths, cool technology ideas, etc. I definitely enjoyed reading the book, even if most of the material was at least somewhat familiar to me.

For starters, this was the first time that I have seen a book written by somebody employed by a major antivirus company who would agree that antivirus solutions don't work too well and slow down systems. It was very impressive to read that the author himself does not use an antivirus solution and didn’t even use one when he was in charge of building one! (Understandably, he does recommend that consumers use one on their systems.)

The following are some of my fave chapter highlights. “Security: Nobody Cares” is one of my favorites; it covers why people, on average, don’t care about information security. His analysis matches that of some other industry thinkers, but it is presented well in the book.

I also enjoyed his thinking about why a Microsoft antivirus solution would never pick up and never present a threat to the big AV vendors. In his opinion, most people do not trust Microsoft as a security brand. He thinks that customers would always go to a security specialist and not to MS for antivirus tools, even if such a specialist is located in Russia or the Czech Republic. Also, it looks like the 30% success ratio for antivirus solutions is pretty much a commonly accepted number nowadays; it is mentioned in the book more than a few times.

One chapter that made me angry was chapter 7 on Google. He basically makes the insinuation that Google in particular and pay-per-click advertising in general motivate people to hack into systems; a view as illogical as it is silly.

In chapter 26, John has an interesting idea for a Social Security number replacement scheme. Many other chapters contain ideas for improving major parts of security technology, even if in some cases the author has to disclaim them with his disbelief about their implementation potential.

It is quite interesting that in chapter 28 John dispels the myth that including security early in the application design is cheaper. Compared to ignoring the problem until notice from customers, it is certainly more expensive. He touches most other known security industry “pain points,” such as vulnerability disclosure. He proposes to replace “responsible disclosure” with a new scheme that, from my point of view, looks kinda similar: less dangerous for the world at large but less motivating to software vendors. He also discusses whether disclosing vulnerabilities reduces or increases the risk for consumers (in his view, it seems to increase it).

Closer to the end of the book, chapters get shorter and shorter. For example, chapter 42 ends up being half a page in length. It pretty much states that he would sacrifice some privacy for more functionality and so would most others, which seems to be a very popular view nowadays.

I was very happy to find that he devoted an entire chapter - 2 pages in length - to criticizing academic security research (one of my pet peeves!). He says “lots of academics are reinventing what the security industry has been doing for years.” [They are also reinventing a lot of “epic FAIL,” proven to not work.] The book also mentions that there is nowhere near enough data sharing between the security industry, where the problems are, and academia, where - supposedly - the brains are.

Other reviewers have pointed out that it is not clear what the audience for the book is. Many of the chapters seem written for the “curious consumer,” while others are clearly intended for security practitioners or even security managers and imply a degree of IT industry savvy.

Finally, I have to say that multiple mentions of McAfee did not annoy me at all. I fully realize that if somebody employed by the vendor criticizes the very livelihood of that vendor (classic signature AV, in this case), you must throw your employer a major bone. You absolutely have to mention your employer positively to counterbalance the criticism and he does – in many chapters.

To conclude, I read books on information security for fun. This book was a lot of fun to read even if I did not agree with some of his opinions. It is well-written, has a light writing style and touches most if not all controversial issues in security; the book also has a lot of fun, novel ideas for the future to think about.

Monday, October 19, 2009

Book Review: “Into the Breach”

“Into the breach” by Michael Santarcangelo is actually a fun read; it seems to be a useful book on security for management. It is non-technical by design since it is about the people side of security. In fact, he presents security itself as “a human issue.”

One of my favorite sections in Part 1 reminds us that many policy violations happen because people just want to do their jobs better (the author also claims that people “want to do the right thing” if such a choice is easy enough). I loved the “compliance is not a video game” theme, where your faults do not have real-world consequences, as well as the “security as something inflicted upon the organization” and “security as a crash diet” themes. What is also interesting is that the book seeks to solve one of the key problems of “what is risky?” vs “what is only perceived as risky?”

The central part of the book is Part 2, where the author’s “strategy to protect information” is unveiled. The author then goes into some level of detail on how to implement the strategy (run a pilot, “build a flywheel”, etc).

On the negative side, I was saddened that Michael succumbed to a popular insider myth (on page 11 – “70% of attacks are by insiders”) while trying to dispel another security myth. That is the risk anybody runs while quoting too many questionable surveys. Also, the book sounds too fluffy at times (e.g. the strategy is “understand-engage-optimize”, frequent advice to “be effective”, etc), but does seem to convey its message pretty well.

Overall, if you are managing security on a high level, or manage IT or even the whole business, read this book. It is short enough that such people will read it and get the ideas! If you are a security pro and can handle a non-technical volume, grab it as well and keep in mind that this is a management book. After reading it, please give it to your manager!


Wednesday, September 30, 2009

Book Review “Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century”

“There is no spoon.”

“Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century” by Ryan Trost – but not really (it is claimed to contain contributions by five other folks, but the exact chapters they wrote are unknown) – is not a book: it is a collection of papers about security and intrusion detection. The book bears the unfortunate, but noticeable, signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking – it is absent. Also, the book is not terribly practical if you define practice as “protection of systems and networks from attacks.” Many chapters are shallow and make the impression of being added to get the book to the 450-page threshold.

So, some chapters are fun and insightful (“Geospatial ID”, “Physical IDS”, the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what the “M” in those stands for… seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow (“Wireless IDS/IPS”). The chapter on ROI made me fall under my desk; I experienced an actual, literal ROFL – more on this below.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account sig performance tuning. Ch5 was written by an academic who doesn’t get out much; it works great if you want to really know what the word “befuddled” means (it also mentions IDMEF for extra punch :-)). Ch6 is fine if you have never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while Ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows up in IT books and it was great to learn it. Ch10, which deals with geospatial intrusion detection, is another good one; the approach looks a bit weird (example: all events with a source address close to a company facility are considered “false positives”…). Ch11 on visualization mentions all the right books on the subject, but then chooses to make itself a poor comparison to them.

Now, Ch12 (“Return on Investment: Business Justification”) is a pure freakshow; I have not laughed that hard for a few months at least. After I had a chance to think about it, I realized that maybe it was intended for humorous relief since it is the last chapter. Also, I am proud to be mentioned there (on page 404 – is this numerologically significant? :-)) In any case, the work computes the precise ROI for any IDS system, like this:

Gain [IDS] from investment = ALE = SBE x ARO = $517,580

SBE comes from 2007 (!) CSI survey data, SBE = $345,005. ARO comes from risk probability x expected number of incidents = 0.46 x 3.2 = 1.5. IDS is assumed to prevent all breaches (!), for computational simplicity, I am sure. … Anyhow, you get the drift.
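To see why the “IDS prevents all breaches” assumption is doing all the work in that chapter, here is the same ALE arithmetic carried through in Python, with the prevented fraction made an explicit input. This is an added example, not code from the book or from the review: SBE, the 0.46 probability and the 3.2 expected incidents are the figures quoted above; the yearly IDS cost of $100,000, the mitigation ratios, and the ROSI form (prevented loss minus control cost, over control cost) are assumptions made here, not the chapter’s. Note that SBE x 1.472 gives $507,847 and SBE x 1.5 gives $517,508, neither of which is exactly the $517,580 the chapter reports.

```python
"""Worked ALE / ROSI arithmetic for the IDS example quoted above.

Added example (not the book's or the reviewer's code). The figures
SBE = $345,005, probability 0.46 and 3.2 expected incidents come from the
review; the yearly IDS cost and the mitigation ratios are assumptions made
here to show how much the answer depends on them.
"""


def annualized_rate(probability: float, expected_incidents: float) -> float:
    """ARO as the chapter computes it: probability x expected incidents."""
    return probability * expected_incidents


def annualized_loss(single_loss: float, aro: float) -> float:
    """ALE = single-loss expectancy (the book's 'SBE') x ARO."""
    return single_loss * aro


def rosi(ale_value: float, mitigation_ratio: float, control_cost: float) -> float:
    """Return on security investment in the usual form (assumed, not the book's):
    (ALE x fraction of loss the control actually prevents - control cost) / control cost.
    """
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_value * mitigation_ratio - control_cost) / control_cost


def sensitivity(single_loss, probability, expected_incidents, control_cost, ratios):
    """ROSI for each assumed mitigation ratio, rounded to two decimals."""
    ale_value = annualized_loss(single_loss, annualized_rate(probability, expected_incidents))
    return {r: round(rosi(ale_value, r, control_cost), 2) for r in ratios}


# Inputs quoted in the review (from the 2007 CSI survey, per the chapter).
SBE = 345_005.0
PROBABILITY = 0.46
EXPECTED_INCIDENTS = 3.2

# Assumed here, not from the chapter: what the IDS costs per year, and how much
# of the loss it is credited with preventing (the chapter assumes 100%).
IDS_COST_PER_YEAR = 100_000.0
MITIGATION_RATIOS = (1.0, 0.5, 0.3, 0.1)

if __name__ == "__main__":
    aro = annualized_rate(PROBABILITY, EXPECTED_INCIDENTS)
    ale = annualized_loss(SBE, aro)
    print(f"ARO = {aro:.3f} (the chapter rounds this to 1.5)")
    print(f"ALE = ${ale:,.2f}")
    table = sensitivity(SBE, PROBABILITY, EXPECTED_INCIDENTS,
                        IDS_COST_PER_YEAR, MITIGATION_RATIOS)
    for ratio, value in table.items():
        print(f"IDS credited with preventing {ratio:.0%} of loss -> ROSI = {value:+.2f}")
```

With the assumed $100,000 yearly cost, crediting the IDS with 100% of the loss yields a ROSI around +4.08, while crediting it with 10% turns the same investment negative (about -0.49); the single unexplained assumption swings the answer across the break-even line, which is the point the review is making.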

Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

Finally, Addison-Wesley provided me with a review copy.


Wednesday, June 24, 2009

MUST READ: Best Chapter From “Beautiful Security” Downloadable!

This is pretty much a repost from Mark’s blog, hopefully he doesn’t mind that I am highlighting his awesomeness ;-)

So, “Tomorrow’s Security Cogs and Levers” by Mark Curphey, by far the best chapter from the “Beautiful Security” book (my book review here), is now downloadable in PDF form.

It is hard to decorate this post with a representative quote, but how about this:

“The security tools and technology available to the masses today can only be described as primitive in comparison to electronic gaming, financial investment, or medical research software. […]  the information security management programs that are supposed to protect trillions of dollars of assets, keep trade secrets safe from corporate espionage, and hide military plans from the mucky paws of global terrorists are often powered by little more than Rube Goldberg machines (Heath Robinson machines if you are British) fabricated from Excel spreadsheets, Word documents, homegrown scripts, Post-It notes, email systems, notes on the backs of Starbucks cups, and hallway conversations. Is it any wonder we continue to see unprecedented security risk management failures and that most security officers feel they are operating in the dark?”

or

“I was once accused of trivializing the importance of security when I put up a slide at a conference with the text “Security is less important than performance, which is less important than functionality,” followed by a slide with the text “Operational security is a business support function; get over your ego and accept it.””

and

“The areas I’ve pulled together in this chapter—from business process management, number crunching and statistical modeling, visualization, and long-tail technology—provide fertile ground for security management systems in the future that archive today’s best efforts in the annals of history.”

If you are not buying the book, please at least read Mark’s chapter. It exudes pure awesomeness.


Wednesday, December 31, 2008

Review of My 2008 Security Predictions

OK, so other bloggers are not doing it, maybe they are too shocked by The Death of the Internets, 2008 Edition, Rel. 2.0. I will, however! Namely, I am going to revisit my 2008 predictions, posted here. BTW, I disagree that year-end predictions and reflection are a waste of time. I think that whenever you do it, it is useful to think and reflect about the long term.

So, here are the predictions (in italic) and how they did (in regular) after about 12 months of “facing reality.”

Platform security:

  • Vista makes us secure = no. People start to actually use it (in large numbers) = maybe. And then get 0wned = yes! The volume of Vista hacking (and then Win 2008 hacking) will increase as the year progresses.

This prediction was too safe, and also not too specific! Vista definitely did not make us secure. I can suggest that the part about “people start to actually use it” was a failure, and Vista is NOT yet in wide use (definitely not on the corporate side). There was not much public “Vista hacking” and few critical Vista vulns. On the other hand, Vista is not a security failure; it is just a regular one :-) So, is Vista the new OS/2?

  • Increase in Mac hacking = yes. The story is that Vista drives Mac adoption -> Mac increase in popularity will drive a new wave of Mac "0wnership"

Just like the previous one, this prediction was not too specific. I think we can claim that Mac hacking has increased and a few critical Mac vulns crept up. However, I don't have the metrics to prove it. Definitely, the idea that “Mac = secure” has shrunk in popularity down to its minimum value: the size of the Mac fandom :-)

  • Web application hacking still on the growth path = yes. As they say, 'it will get worse before it gets better.' I am predicting that 2008 is still the year when it continues to be getting worse.

Yes, yes and yes! As Jeremiah said, web application hacking has finally arrived (after a few false starts). However, I will call this “a pussy prediction” since it was so easy to get right. In any case, go check your website for SQL injection; it is probably 0wned already :-)

Vulnerabilities:

  • 0days use becomes mundane = yes. This will be especially true for those browser-hacking folks who "need" to earn some cash off phishing and other data theft. Thus, "0day use" will no longer constitute news!

I’d say, “a miss,” despite all those fine folks 0wned thru IE 0days: a good zero day attack story still makes news. BTW, check Pete’s “0day tracker” here.

Hacking, data theft, etc:

  • Loss of trust towards legitimate Internet sites = yes. This is manifested by things like this point by the WS guys - more 0wned than malicious sites are used to spread malware. Even now I shudder from the thought that ANY site I visit might be displaying a malicious banner ad which is either bought or "hacked in" by the attackers. The implications of this are pretty horrifying!

I wanted to link to Rich’s Amex example here, but why bother? The whole root CA fakery is a much, much, much better example (brief, details, for laymen). Fake sites –> fake SSL sites is definitely an ominous possibility (even though this particular issue is not that scary [more cool than scary!], it illustrates the point).

  • Major utility/SCADA hack = no (not yet). Everybody predicts this one forever (as Rich mentions), but I am guessing we would need to wait another year or so for this ...

This one makes for interesting thinking about why it did not happen; surely there is a massive fun factor in sending some sewage towards your enemies. I'm happy to be correct here, but I was predicting that something major and world-changing would NOT happen, so the Feynman paradox is on my side.

  • Cyber-terrorism = no (again, not yet!) Will it be a reality in the future? You bet! Just not now ...

Do I really have to comment on this one? Is there anybody with a semblance of a brain who expected 2008 to be the year of “cyber terrorism?” This was a safe one; an ultimate “pussy prediction." Easy to get right for the same reasons as the previous one, about SCADA.

  • A massive data theft to dwarf TJX = yes. And it will include not some silly credit card number (really, who cares? :-)), but full identity - SSN and all.

Ok, I missed this one – no “TJX 2.0”  this year.  I seemingly forgot about the famous Feynman paradox (see book), which says that if you predict the status quo, you’d be right more often than not. Still, I think that the current onslaught of security breaches is not the worst we have seen,  not by far.

Malware:

  • The year of mobile malware = no (not yet, if you insist!). As I discussed here, mobile malware is "a good idea" (for attackers) provided there is something valuable to steal (not the case yet in the US)

This one was a no-brainer; another “Fuzzer prediction.” In fact, I think that everybody who predicts it either is retarded or has something to sell.

  • More fun bots = yes. Bots are here to stay: they follow an overall trend for IT automation (seriously!). Think of bot infrastructures as "shadow IT" with their own SLAs, business model innovation, performance optimization tactics, etc
  • Fewer worms and viruses = yes (why write one if you can make money off bots?) As the share of "conventional" viruses and worms in the whole malware universe decreases, so will the popularity of "legacy" AV vendors ...

These two go hand in hand! Worms did NOT come back while bots proliferated. Unless folks invent new and cool ways of making money with worms, we are looking at further bot development. I’d say that it slowed down a bit since our defenses are so far behind. BTW, what were the latest infection numbers for bots? 30% of all desktops? 60%? 87%?

  • Facebook malware/malicious app = yes . This one will be fun to see (others agree), and current malware defenses will definitely not stop this "bad boy."On the flip side, there is not that much to steal off Facebook accounts ...

A miss. My guess is that there is still not much to steal from Facebook accounts (well, maybe that picture :-)) I think social networks will become more than an insignificant source of malware, just not today.

Compliance:

  • PCI DSS continues its march = yes. In fact, I bet PCI DSS frenzy will spread downmarket - there is sooooo much more Level 3s and Level 4s compared to Level 1 merchants. They all take CCs, they are all insecure - thus, they will all be 0wned! And then hopefully fined :-)

I am proud of this one, actually, and not only because of my job title. So many sore losers have predicted that PCI momentum would fizzle. No such “luck.” While some people criticize it for specific requirements or missing things here and there, I swear that those who paid ABSOLUTELY NO attention to security now do it ONLY because of PCI. As a result, PCI DSS –> the world is a safer place for everybody!

  • ISO17799, ITIL, COBIT frameworks = maybe (again); they likely won't be 'hot,' at least not in the US; ad hoc approach (with some use of ideas from the above frameworks) to security management will still rule.

Ok, I took the cowardly route here too; I should have said “no” (not “maybe”) and I’d still be correct. In fact, I think that even all this work on ISO2700X will NOT make ISO popular in the US.

Risk management:

  • Will we know what risk management actually is in the context of IT security = no. Some people (e.g. here) might, but not the majority. And don't even get me started on security ROI :-) This part of the security realm will continue to be occupied mostly by loudmouths who will spout, but never define; rant, but never explain; blab, but never clearly state. Sorry to those who are not like this, but you will continue to be in the minority in 2008.

Darn it, I stand by it. We still don’t know jack about how to apply “risk management” (aka “sometimes you think you manage risk, and sometimes the risk manages you” :-)), but there are some really good attempts at it.

Security technologies:

  • eVoting security will flare up = yes. Expect big and bad stories about evoting in preparation to the US elections. Maybe another "chad story", but with an "e-" added to it? Fun, fun, fun! :-)

Yeah, there was some noise, but not as much as I thought. So, maybe we’ll call it a miss.

  • Full disk encryption becomes popular = no. In fact, I predict that in 2008 encryption will be "the new firewall" - more and more people will hide from reality behind "we have encryption - we are safe now!" (check out my piece on encryption mistakes, while you are at it)

Hasn't happened yet, so we will call it a hit. I do think that in 2009 it will get there though (I am typing this on a laptop with an encrypted hard drive! :-))

  • NAC= huh. Huh? The451Group said it best: "NAC has been the 'next big thing' for about four years now – that's a long time in the IT world." Others just say "NAC fallout has started." NAC vs insider attacks? Gimme a break... :-)

A hit, for sure. Was I the first to predict the demise of NAC? Probably not. In fact, Gartner folks make fun of some NAC predictions here. “You know what we said about NAC becoming a $2B market that will achieve 100% enterprise penetration in 2008?” Bua-ha-ha-ha.

  • More whitelisting for host and network security = yes (but combined with blacklisting, which is certainly not going away!) As the malware landscape becomes even more diverse, application whitelisting for security will start to shine even more.

Hard to say; I am tempted to say that it is a hit, but the inertia of “Big AV” is still too huge.

  • Academic security research stays ridiculous = yes. Wrong problems, wrong solutions, wrong speed (as in: solving solved problems of the day before yesterday...). There will be some exceptions: for example, some of the Project Honeynet academic participants deliver a punch!

Seriously? As ridiculous as ever. I will NOT be shocked if some academic invents a new anti-worm solution :-) Ya know, to stop Blaster, Slammer and their ilk.

  • Secure coding becomes mainstream = no (definitely, 'not yet' on this one) It pains me to say that I think that while this ball definitely started rolling (e.g. SANS is pushing it hard now) it won't be hurtling down the highway at full speed. 2009? Sure, maybe!

Again, this was an easy one. The tricky part is to predict when it will become mainstream or whether the economics will keep it in the niche. Here is a thought: maybe it will become mainstream WHEN somebody makes it easy!

No, no and no. A hit, for sure. Please remind me of the latest DoD deadline for IPv6? 2004? :-)

Security market:

  • Mid-market and SMB security = yes! I think 2008 is the year when smaller organizations will start buying the types of security solutions that were only looked at by the large enterprises before. After all, they have the same problems to solve! They have compliance too. They lose data

Well, PCI is making it so, but sooooooo slowly. I guess I phrased it safely (“start buying”) and so it is a hit, but I’d say that it will take more development before smaller organizations will even get a chance to become secure.

  • More security SaaS (software as a service) = yes. It is not just Qualys anymore ... More companies will figure out ways to sell security software as a service. This is especially true due to the SMB security spending increase predicted above!

He-he, funny you’d mention that :-) Of course! Yes, definitely a hit. The question is who will make it work next.

  • 'Consolidation' = no. Whaaaaat? You just said 'no' to consolidation in security market? :-) Well, Vendor X might buy Vendor Z and Vendor N might go down in flames, but I predict that we will celebrate 2009 with just as many security vendors as we have today ...

A hit, a counter-intuitive one for some.

Logging and log management:

  • Database logging = yes. 2008 is the year when database logs will be collected and analyzed just as Unix syslog, Windows event logs and firewall logs are collected and analyzed today by just about everybody.

This is true to a large extent, but I will not say that “everybody is doing it” so it is a partial.

  • Application logging will start = yes. People will start collecting (at least collecting at first) application logs, not just firewall and server OS logs (and database logs, as mentioned above). Maybe ERP, CRM logs, maybe other large enterprise applications will lead the way. Major 'application logging waterfall' will occur later, however ...

Starting – yes, but definitely not en masse. I think log standards work (CEE) has to be more advanced before application logging and log analysis will spread.

  • Now that collection and management are 'taken care of' in many organizations, log analysis will (again...) come to the forefront = yes. By the end of 2008, we will be doing log analysis in a large number of fun, new ways - it won't just be about rule-based correlation and keyword searching anymore (Andrew agrees)

A nice fat piece of wishful thinking on my part. Log storage is still largely the state of the art, even though I trust splunk folks will help advance this one.

Dark horses, that will influence security in a major but unknown way in 2008:

  • Virtualization = people talk about hypervisor security and virtual security appliances as well as other fun stuff (e.g. this), but, in all honesty, we can't yet fathom the impact that the coming virtualization wave will have on information security.

This one gives a lot of people a lot of reasons to talk about fun stuff (Hoff comes to mind). Will I call 2008 a year of virtualization security? No, probably not.

  • Privacy = I predict that privacy issues, also privacy laws and public outcry due to privacy violations will impact the world of information security in 2008. However, my crystal ball is refusing to share the details on how exactly, citing "privacy concerns" :-)

This one will also have to wait. If you think about a) security b) privacy and c) compliance, then c) holds MUCH more mindshare today, sadly.

Conclusion: my personality type is hereby labeled “successful but cowardly predictor” :-)

2009 predictions are coming soon!!! Yes, they are!!

Thursday, March 22, 2007

Review of my Database Logging Paper

Thanks to Paul Melson for a thoughtful review of my database logging paper. I enjoyed reading his review almost as much as I enjoyed writing the paper :-) The part I liked the most is where he goes over the categories of log use for change management, threat detection, etc. (and disagrees with logs being the best tool for some of them ...)

Dr Anton Chuvakin