Tuesday, February 24

Project Communication

Matt P makes some good points about project communication.

I agree with each of his four bullet points. And I would add that when they collectively fail, the #1 reason is that people aren't being honest with each other. Sometimes, consultants aren't honest with clients about lack of expertise or resources. Other times, someone on the client side isn't being honest with the consultant because of some defensiveness (they don't want to admit inability to get something done, or they're playing CYA).

The reality is that we're all human. Clients shouldn't expect consultants to be super heroes. And if both sides set realistic expectations and allow for faults, imperfections, and mistakes, it's much easier to achieve an honest dialog toward success. Consultants need to avoid both (1) the arrogant assumption that client personnel is less capable and (2) the assumption that client personnel should know everything they do. And clients need to be forgiving of human/imperfect consultants who can't possibly know everything about everything.

There is a very human side to project management. It's not just charts and methodology. It's about making the problems, roadblocks, and challenges expected and OK. ...instead of trying to cover them up. So, don't just have regular status meetings, demand open and honest dialog and create an environment where it's OK to make mistakes. It's all part of the process.

Friday, February 20

NetVision - Actionable Intelligence

When I last wrote about SIEMs and Actionable Intelligence, I promised to tell you how NetVision sees the problem. ...post available at the NetVision blog:

Actionable Intelligence

Verisign's File Vault

Today, I configured my File Vault at Verisign's Personal Identity Portal.


If you read this blog, you probably know that nothing is 100% safe. And you probably distrust this type of offering. But, Verisign knows encryption as well as anyone. Verisign spun off from RSA (then RSA Data Security) in 1995 with some of RSA's public- and private-key cryptography technologies. They're really good at authentication and encryption which are exactly the two specialties I expect from an online storage vendor.


They're giving you 2GB of storage space free - it requires Two-Factor authentication to get in and encrypts data on the back end. And it's an easy-to-use UI with no software install. It's probably a better option than backing up my docs on a USB key (subject to damage and loss) or using some other non-security-focused vendor.

Smart Business

I also like the business model. We all wonder how OpenID providers will make a profit. Verisign seems to be ahead of the pack in providing value-add to users. You get more than just an OpenID credential. You get strong authentication, secure storage, and a personal identity page (probably the least interesting, but still somewhat fun and on the right track).

So, they can sell 100 million tokens to customers who get real value above and beyond reducing the number of credentials they need to remember. And of course, Verisign can license this technology to banks, governments, or anyone else who wants to resell online safety deposit boxes along with secure two-factor authentication solutions under their own brand. Paypal already re-brands the token to protect their customer accounts.

I could easily imagine brick and mortar banks handing out tokens with every new on-line bill pay account and/or offering a virtual safety deposit box to every physical box customer. It's value for the customer and a business model that makes sense. I'd even pay for a new token every few years just to maintain a secure place to archive my important files.

I knew there was a reason I never setup that Amazon S3/JungleDisk account.

Tuesday, February 17

Blog Housekeeping

Just a few housekeeping items:

- I continue to find and add new members to my blogroll. My criteria is that they should consistenly write content relevant to my audience, generally maintain a positive attitude (no bashing), and have something worthwhile to say.

- I didn't recently shorten my blogroll, but to clean things up, I now only show the 10 most recent postings. You can click "more" to see the entire list.

- Members of my blogroll are also searchable via the SEARCH box under the my content area in the upper right area. For example, try searching for "virtual directory cache". The first results you'll see are a collection of my related content from blog, twitter, flickr, etc. Next, select the Network tab and you'll get results from everyone in my network (my blogroll).

- You can also search across the entire list of the Security Bloggers Network by using the SBN badge on the right. The SBN boasts the brightest minds in the industry. It's not Identity focused, but covers all aspects of information security.

- I'm no longer doing any advertising on this site. I tried a few things in the past, but found it intrusive and not worthwhile. I may choose to use a small space for highly relevant ads in the future, but I will hand-select something that will be relevant to my audience (no adwords or auto-generated-content ads).

- I recently started a NetVision blog. This site will be the home for NetVision-specific posts. It will take some of that content away from here, but many of you might see that as a good thing. I'll provide pointers when I think it makes sense.

Thanks for reading and please let me know if you have suggestions for me.

Friday, February 13

Weighing in on Persistent Cache

Ash, my experience says that Mark is correct. I believe the top vendors can all brag about similar throughput. But, my understanding is that's only what the VD puts on top of the process. There's still the back end data lookups, etc. To Mark's later point, that may not be a big deal either if those sources perform well.

Let's use a telecom example:

In a scenario where the VD serves an attribute that is a composite of multiple attributes from various sources (a mixed ODBC and LDAP call) or across numerous sources (customer databases from companies that merged or partner) and the attribute is needed to make a decision (does the subscriber get this feature) in real-time (the time between hitting "send" and hearing a ring) for millions of requests each second, effective use of cache can help – even though throughput is already relatively quick. In many (perhaps most) enterprise identity infrastructure uses, cache may not be of enormous value – or at least it's not the most compelling reason to use a Virtual Directory.

I can tell you that customers ask for it whether they need it or not. Probably because they have performance or availability concerns. But, from what I've seen the performance concerns are usually unfounded (unless the back end systems have serious problems). And VD cache isn't a great way to provide redundancy because it's implemented at an attribute level and cached based on use. If the idea is to put the entire data set somewhere else, you could argue that it'd be better to just have another directory instance there and do real-time synch (replication).

My opinion is that it's a nice feature to have in the tool bag when needed, but it's not always needed.

Tuesday, February 10

Security Audit: 10 things

My daily visit to RiskStop.org led me to a presentation titled 10 Things the Security Auditor Saw. The presentation is based on data from Deloitte's 6th Annual Global Security Survey.

Number one on the list? Excessive Access Rights. Will I be accused of FUD for pointing out that this is a problem? View the presentation for yourself to see how numbers 1, 3, 4, 6, 7, & 8 are tightly related and even solved with the same swoosh of your magic wand (or samurai sword, depending on what type of geek you are).

Tuesday, February 3

Actionable Intelligence the Achilles Heal of SIEM

Today, I watched the fourth in a series of video discussions moderated by Richard Stiennon on various security topics. This one was focused on ESM (Enterprise Security Management) and SEM (Security Event Management). I combine the acronyms as 'SIEM'.

The panelists (Amrit Williams, Martin McKeay, and Mike Murray) covered a number of aspects of ESM-SEM solutions. My one line summary conclusion of the discussion is that:

SIEM's are not able to effectively correlate information and provide actionable intelligence.

A few of the supporting statements:

Murray: They lack the ability to "take data and pull information out of it"

Williams: The problem "can't be solved in a centralized way." The only way SIEMs would meet their goal is via "cooperation, communication and cognizance distributed out so the agents are essentially communicating with each other and responding to events that are being provided to each other" "I've talked to customers that are 18 months in and still can't get it properly deployed"

Murray: "there are vendors out there that you still have to manually setup every agent... the cost is staggering"

McKeay: "when I think SIEM, I think glorified log management"

Williams: "rarely are these things being used to detect and respond to incidents in real time... the market driver [...] is compliance... it is unfortunate"

McKeay: "it comes down to being able to understand your own environment... it's the definition of the problem that we don't have yet"

The consensus seemed to be that vendors do a good job of gathering and storing logs to meet compliance requirements that mandate storage of those logs. What customers really need and want from these vendors, however, is actionable intelligence.

Williams concisely defined the goal of information security:

"to limit the possibility of an incident from occurring... and when it does occur, to limit its impact (by identifying it quickly and responding)"
He continued "...what the ultimate goal of an intelligence system would be is that it's able to detect what are seemingly innocuous events and provide some actionable level of intelligence that shows that that's actually an incident occurring and you can respond to it and limit its impact on the environment - that's what they'd like to be, but they're not that"

Murray added that customers want the solution to "just tell me the five things I need to do - that's what SIEMs should do"As an industry, we're "really good at generating reams of data, but we're not very good at handling information... turning it into 'here's the 5 things'..." SIEM tools are great if "you have defined the problem that you're trying to solve and you know what the information is that you're trying to manage and you can setup a way to manage that."

It was a really interesting discussion. I've enjoyed each of the video discussions in this series so far which have also covered DLP and Firewalls/IPS.

Next, I'll tell you what NetVision is doing about the problem. We're not a SIEM vendor, but we beat the SIEMs to the finish line of actionable intelligence. Actionable Intelligence has been our internal mantra for the past year or so and it is the motivator behind our latest solution to market (as well as a few that are still on the road map).