Tuesday, November 24

Windows File System Access Rights

I recently did some research into how Windows networking environments apply access rights across file systems. I've been in the IT business for more than a decade. So, if asked, I probably would've told you that I already know how it all works. But, there are a number of intricacies and things I didn't know -- like how security policy can override local NTFS permissions or how Windows doesn't always enforce the most restrictive policy. It seems that Windows enforces permissions based on what it believes to be the administrator's intent, which is interesting.

I published a whitepaper describing all the details. It describes how the controls work and covers the affect of group memberships, inheritance, deny ACEs, the owner attribute, and more. And of course, it provides some guidance for taking control of all that complexity.

You can register for a copy here:
http://www.netvision.com/offer

Thursday, November 12

The End of Internet Security

Remember all that stuff I said about how we already have an end-to-end security solution that ensures that users are connected to the right web site and that there's no eavesdropping going on? Well, you can scratch all that.

I knew there was a User Experience problem with SSL in that most people ignore that it's happening and therefore don't notice when it's not happening. I also knew that there are known potential attacks on SSL, but it seems there's a newly discussed renegotiation problem that makes the whole system seem suspect. This posting from RSA does a good job at providing an explanation.

This is a big deal. SSL really IS web security. So many other security solutions rely upon it -- assuming that communication is safe and secure because it's done over SSL. Even if all the major vendors get a fix out tomorrow, we'll probably see this problem around for years to come.

Monday, November 9

Implication of Cisco MARS decision on SIEMs?

Notice the question mark first. I'm interested in what you think this means. This isn't me trying to make any great claims.

Cisco has acknowledged that it will stop adding support for additional devices on its MARS SIEM platform. While the plan is to continue providing updates for already-supported devices, it's difficult to argue that this isn't a strategic move toward completely dropping support for the product (in it's current form).

I, of course, wanted to use a title like "The END of SIEM", but it's hard to make that leap given that one of the biggest SIEM players was ranked among Deloitte's 2009 Technology Fast 500 with over $100 Million in revenue for 2008. And ArcSight has shown 32%, 34%, and 25% year over year growth in its last three quarters respectively.

Still, Cisco is thought to be the most widely deployed SIEM with over 4000 installations. For them to make a strategic move to discontinue addition of future platforms means (and read this with your favorite accent) something doesn't smell right in Denmark.

As I speak to organizations about NetVision (and we are clearly NOT a SIEM player), I hear concerns about SIEM tools and log management applications that are big, complex, difficult to implement, expensive, and not user-friendly. I have nothing against SIEM tools or the role they play. In fact, many of our customers integrate our product with SIEMs. ...which is why the topic comes up. But, I've been wondering if the fire-hose approach to data collection is proving to be too much. i.e.) too much data and too much complexity given the problem at hand.

I sense that the SIEM approach is troublesome and that SIEM vendors who can't adapt to changing market expectations for more readily available answers will start making announcements like Cisco's indicating that they won't be around forever continuing to support an ever-growing number of devices. There will likely continue to be a market for large scale event data collection into the foreseeable future. I'm not arguing against that. But a segment of the market seems to be defining itself as a group that wants easy answers in lieu of a data flood.

Am I reading too much into it? What do you think?