Tuesday, November 25

Managed Service for AD Monitoring

The engineers at NetVision were incredible visionaries back in 1995 when they built some of the first identity management tools (for Novell-Microsoft sync) and identity audit tools. (check out their site from 1999) Their directory knowledge is unparalleled and now, that spirit of leadership is alive again.

NetVision recently brought to market the industry's first managed service offering for monitoring and reporting of identity & access information on core network directory platforms (Microsoft Active Directory and Novell eDirectory) and their related file systems.

We have effectively removed all the typical obstacles - software, hardware, configuration, setup, maintenance, etc.. The solution is delivered via an appliance allowing us to handle the heavy lifting (while the data stays close to home):

  • WE do the configuration to match your environment
  • WE install, configure and lock down the OS
  • WE install and configure the supporting software (database, report engine)
  • WE install and configure the solution, including setup of policies, reports, and customizations
  • WE handle all of the patch management and upgrades
  • WE monitor the system for performance
  • WE provide policy and report updates when needed
The only thing left for our customers to do is to enjoy the critical data that they wouldn't get anywhere else (and the extra time they now have on their hands).

Please say hello to SIMON.

Saturday, November 22

U of Rochester IdM Journal

I just stumbled across Mike Conklin's new blog. There's not much there yet, but Mike's promise was enough to make me take note. (No pressure Mike!) It seems he is going to help develop an identity management strategy for a university and also help implement all the supporting technology. That's a story that I look forward to hearing. I hope we get all the details - service providers, product selection, architecture, etc.. This type of blank slate scenario is a fantastic learning opportunity for those involved (and those who get to read about it). Again, no pressure Mike -- I've just always wanted to see someone tell the story each step of the way.

[enter Leslie Nielsen]
"I just want to tell you both good luck. We're all counting on you."

Friday, November 21

Identity Management is Like Watching Paint Dry

This from a Dark Reading article titled Identity Management: Low On Excitement, High On Payback.

On the humorous side, twenty one percent of respondents in an Imanami research report found managing Active Directory to be more boring than filling out expense reports. (It's great that they even included that option in the survey - it could be fodder for OfficeSpace 2?)

On the serious side (from the research):

5.8 person-hours per 1,000 users is spent during a typical week on updating or otherwise managing groups in Active Directory.

81% of respondent organizations manage groups manually, while 55% use scripts and 34% use some sort of automated solution.

And back to the article:

"User provisioning and multifactor authentication are two projects you should keep if you are thinking about cutting back," said Forrester Research's Andras Cser about identity management today. "These are areas where there's a real opportunity to increase efficiency and cost savings."

42% of organizations report that someone has accessed information from Active Directory that they were not authorized to access.

This issue becomes even more acute during difficult financial times, when employees may become disgruntled following layoffs or pay disputes, experts noted. During such times, the ability to quickly provision and deprovision employees may play an important role in the enterprise's overall security, they said.

I've talked about the motivations behind Identity Management projects before, but I wasn't accounting for the current economic climate. There's definitely an argument to be made that the pendulum is swinging back toward cost savings as the prime mover of Identity projects.

Two Kinds of Security Threats

Rich Mogull said it succinctly (a few weeks ago). There are two kinds of threats....

  1. Noisy threats that break things people care about.
  2. Quiet threats everyone besides security geeks ignore, because it doesn’t screw up their ability to get their job done or browse ESPN during lunch.
I noticed it too, but haven't thought to call it out like this. I feel like the distinction between noisy and quiet will become a common part of my vocabulary. It explains why some people just don't care about very high-risk threats that are fairly likely to occur yet they'll dump their piggy banks to cover up threats that don't seem to carry all that much risk. Apparently, it's all about ESPN.

It also helps call out why some people throw money at compliance in a way that just quiets it down without really providing the best risk mitigation or value.

Saturday, November 15

Log Management

Nov. 10th's Information Week has an article on Log Management comparing LogLogic with LogRythm.

The first paragraph gives a nice summary of the log management dilemma:

IT managers–and system admins, for that matter–hate logs, because they seemingly go on forever and often provide an overabundance of useless information. Administrators get lost looking for one or two important log entries scattered through a log file with tens of thousands of entries.
It goes on to discuss how LogLogic and LogRythym attempt to deal with the problem.

We (NetVision) don't compete with these vendors because we don't take a horizontal approach attempting to cover every system under the sun that can produce a log. We're focused on core network directories (Active Directory and eDirectory) and related file systems. But, we take a different approach to the overabundance problem.

Rather than trying to streamline the search into a huge mountain of useless information, we process events very carefully so that you never even create a mountain. Instead, you create a streamlined set of highly relevant information.

Because of our focus on core platforms, we're able to really excel at depth and provide unparalleled filters and capabilities -- such as capturing lots of information that doesn't even exist in the logs. We get user names, before and after values, any combination of objects or attributes, and even failed attempts.

And if you're enterprise still needs enterprise log management, we can contribute highly relevant event information about arguably the most important security component in the environment - the network directory (Active Directory) and its related file system (Windows). ...which ultimately makes the mountain easier to navigate.

Events we cover? User accounts, access rights, administrative changes, and user activity. In addition to platform focus, we're also focused on what events we care about -- identity and access. We answer Who Has Access to What? and monitor any changes that affect the answer to that question.

Tuesday, November 11

Outsourcing Security is NOT Riskier

Network World posted an article yesterday titled Myth or truism? Security experts judge conventional wisdom. I really love the idea of putting a panel of security experts together for a single question - it gives you multiple points of view on an issue. I also like that it wasn't conversational. Without hearing the other expert answers, people were free to wildly disagree with the crowd.

Expert Advice

The first take-away is that there is almost never consensus. So, add your own perspective to whatever security advice you hear. There will usually be someone smart who disagrees and you'll need to find your own middle ground based on your individual needs.

Outsourcing Security

The other really interesting thing I took away is on the topic of Outsourcing Security. Other than one, all of the experts seem to acknowledge the potential for better security in outsourcing. I often hear the argument that outsourcing has benefits in spite of security concerns. But, this panel had good reasons why outsourcing may create better security. Here are a few of the responses:

People are risky, whether they get a paycheck signed by you or one signed by the outsourcer... Often, an outsourcer has more security measures in place than you do.
- Bruce Schneier

If you need 24/7 coverage, choose a solid managed security service provider, and choose the right services to outsource.
- John Pescatore

Outsourcers can hire better people and because they see more real bad things, they are better at reacting.
- Richard Stiennon
As I said above, think about your own needs and make your own analysis, but hopefully we can agree to stop assuming that outsourced security is less secure.

Thursday, November 6

SC World Congress - New York City

Want to get the latest info on Information Security, Compliance/Audit, Risk Management and Policy?

The SC World Congress will happen Dec. 9-10 at the Jacob Javits Center in NYC. New York is a great place to visit in December - let me know if you plan to be there. Maybe we can meet for a drink. Also, NetVision will be there as a sponsor. Stop at the booth - we'd love to talk to you about our latest accomplishments.

I'll also be blogging about the event as part of the Security Bloggers Network. The SBN is pleased to offer our readers a 35% discount on conference rates. It could be just what you need to get approval to attend the event. To take advantage of the discount, just use the promotional code BLOG1 (for one day pass) or BLOG2 (for two day pass).

For more info, go to the SC World Congress site.

Monday, November 3

FREE Pass: CSI 2008 (DC Area)

The CSI 2008 Security Conference will happen two weeks from now in the D.C. area. It actually starts on Sat., 11/15 and runs through Fri., 11/21, but the main conference runs three days - 11/17 - 11/19. It will be held at the Gaylord National Resort and will cover Identity 2.0, NAC, Anti-Virus, and Virtualization, just to name a few.

I have been authorized to give away a FULL 3-Day Conference Pass FREE (an $1895 value).

I only have one to give, so I'll have a small contest. Here's how to enter:

CONTEST DETAILS

You must enter by Thurs. 11/6. I will contact the winner on Fri. 11/7.

To enter, send me the most creative, interesting, unusual, funny, or exciting thing that you've seen, heard-of, done, or would-like-to-do with Active Directory.

Be sure to include email, phone, company name and title in your response.

If you want to win, but can't think of anything, try something like "use it to store network credentials". - you never know. That might be enough to win ;)

Those of you who don't win, can still take advantage of a 25% Discount!
The 25% Discount code is: BLOG25

You can also go directly to the site for a FREE Exhibition-Only pass.

I look forward to reading your entries!