2008 IT Security Predictions


1. People

1.1. Bruce

1.1.1. What we need is info

1.1.1.1. 2008 Feb

1.1.1.1.1. Schneier noted that despite the well known impact of emotional and psychological thinking on security decisions, information remains the greatest weapon that we have in creating good security solutions.

1.1.1.1.2. "How do you stop the stupid stuff from outweighing the reality? The way to get people to notice that reality and feeling haven't converged is information. Information is the best weapon we have."

1.1.1.1.3. "For most of my career I would insult ‘security theatre’ and ‘snake oil’ for being dumb. In fact, they're not dumb. As security designers we need to address both the feeling and the reality of security. We can't ignore one."

1.1.1.1.4. In the IT industry, this information is a scarce resource, he said. "In IT there isn’t a lot of data. Our bosses ask us for it all the time. We don't have the data because people don't report or they don't know they've been attacked." "If there's enough information out there, you get a natural convergence between feeling and reality. In the business world, information is how the problem fixes itself," he said.

1.1.1.1.5. seems to be saying that if we don't have good data or info, then we will be at the mercy of marketing or political people, who are much better at their field than we are at ours

1.1.1.1.6. asymmetric information

1.1.2. Do We Really Need a Security Industry?

1.1.2.1. May 2007

1.1.2.2. this is actually very good

1.1.2.3. how can we apply to G-ITO?

1.2. Marcus Ranum

1.2.1. 2008 Feb

1.2.1.1. Computer security is going to disappear after a while

1.2.1.2. Ranum has found a kindred spirit in Bruce Schneier on this fatalistic view of the security industry

1.2.1.3. But it's a different story when it comes to vulnerability researchers: Ranum is vocal about his distaste for their work. "If they are so freaking smart, they should be writing firewall and free executable software and giving it away," he says. He argues that vulnerability research only hurts software developers and has basically twisted the industry's view on security: "They've managed to convince customers that they are supposed to be grateful," he says. "But it's [vulnerability research] making software vastly more expensive" to buy, he says.

1.2.1.4. What Ranum would like to be most known for: "Telling the truth."

1.3. Peter Tippett, Inventor of AV, 2008 Feb

1.3.1. about one third of today's security practices are based on outmoded or outdated concepts that don't apply to today's computing environments.

1.3.2. "A large part of what we [security pros] do for our companies is based on a sort of flat-earth thinking," Tippett said. "We need to start looking at the earth as round."

1.3.2.1. most other people think the world is flattening

1.3.3. 3% of vulns exploited

1.3.3.1. For example, today's security industry focuses way too much time on vulnerability research, testing, and patching, Tippett suggested. "Only 3 percent of the vulnerabilities that are discovered are ever exploited," he said. "Yet there is a huge amount of attention given to vulnerability disclosure, patch management, and so forth."

1.3.3.2. can we verify this?

1.3.4. Many security strategies are built around the concept of defending a single computer, rather than a community of computers

1.3.4.1. Tippett observed. "Long passwords are a classic example," he said. "If you take a single computer and make the password longer and more complex, it will be harder to guess, and that makes that computer safer." But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."

1.3.5. titanium seat belts

1.3.5.1. "You can't always improve the security of something by doing it better," Tippett said. "If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."

1.3.6. rethink for dividends

1.3.6.1. Security teams need to rethink the way they spend their time, focusing on efforts that could potentially pay higher security dividends, Tippett suggested

1.3.6.1.1. using the word dividends is very suggestive

1.3.7. security awareness

1.3.7.1. Security awareness programs also offer a high rate of return, Tippett said. "Employee training sometimes gets a bad rap because it doesn't alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn't that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?"

1.3.7.2. how did he measure that?

1.3.8. comment

1.3.8.1. 20 years of experience vs. 20 years of data

1.3.8.2. rational sec

1.3.8.3. lots here

1.3.8.4. more

1.3.8.4.1. don't know why this is calling bullshit out

1.3.8.4.2. The article in question is this one here but I don't know why it's caused so much comment because it says nothing we don't already all know and I've been sold on the value of default deny and security awareness programs for many a year.

1.3.8.4.3. the point, I think, is that he is saying it, not just thinking it

1.4. Richard B of Tao

1.4.1. attacker 3.0

1.4.2. Controls are not the solution

1.4.3. art

1.5. Dan Geer

1.5.1. art

1.5.2. his new book, a review

1.6. ZDNet

1.6.1. IT Extinction

1.6.1.1. art

2. Symantec

2.1. Blog

2.1.1. short note really, few points

3. CNET

3.1. Phat desktop security

3.1.1. Antivirus is so 1990s, today's desktop security software must have additional safeguards for Network Access Control (NAC) and data protection. Phat desktop security has given rise to a bunch of acquisitions: McAfee bought SafeBoot, Symantec grabbed Vontu, and Trend Micro snapped up Provilla. Look for phat desktop security to put on additional pounds as desktop security and operations merge in 2008 as well. CA and Symantec/Altiris are already planning new announcements.

3.1.2. sounds like we need the dumb terminal once more

3.2. Public key encryption

3.3. Federated identity

3.4. Ubiquitous encryption

3.4.1. We will remember this as the year of the invasion of encryption algorithms. In 2008, firms will purchase new disk drives, processors, tape drives, file systems, and new databases that support native encryption. Good for data protection but security operations managers must be prepared.

3.5. Key management

3.5.1. This one will happen as a result of ubiquitous encryption. Lots of encryption means lots of encryption keys. If keys are lost or stolen, you either lose some data or a lot of data. Pretty soon users will demand strong centralized key management solutions. Key management leadership ought to be extremely interesting with competitors like Hewlett-Packard, IBM, nCipher, PGP Corporation, and RSA Security. Hopefully, we can agree upon some key management standards in 2008 as well.

3.6. Managed security services

3.6.1. Security is too complex to fool around with and there just aren't enough skilled people available. Managed services just make sense. This will be another market to watch because everyone wants a piece of the action. Look for major announcements from networking leaders (Cisco Systems, Juniper Networks), traditional system vendors (HP, IBM, Unisys), carriers (AT&T, Verizon), security players (Symantec), and systems integrators (CSC, EDS, Wipro).

3.7. Security product consolidation

3.7.1. "Best-of-breed" is another security trend that is growing passé. Users want consolidated administration, logging, and management, not a bunch of point tools. This, too, favors the big vendors. Smaller players will have to look for niche functionality, and those opportunities continue to grow rarer.

3.8. Information governance

3.8.1. There aren't many firms that know a lot about what information they have, how confidential it is, and where it is stored. This needs to change for security and business reasons. Look for lots of user and industry efforts to bridge this gap. Expect lots of hoopla over things like standard data models, metadata tagging, and information classification. Oh, and this is a market that is ripe for lots of professional services, too.

3.9. Stronger enforcement of the Payment Card Industry Data Security Standard (PCI DSS)

3.9.1. Is there anyone you know who has not had his or her credit card number breached? To avoid a "return to cash" movement, look for American Express, MasterCard, and Visa to start cracking the whip with tougher standards and greater fines for vendors large and small. Additionally, expect to see more credit cards equipped with onboard authentication technology and at least one data breach that makes TJX look like an amateur hack.

3.10. Log management architecture

3.10.1. Large firms are experiencing exponential growth in the amount of log data they collect, store, and analyze. This will prompt large organizations to move log management activities beyond security and build enterprise-wide log management architectures in 2008. Henceforth, log management services will be owned by IT departments, which then charge back internal groups for access to the log data. Great news for ArcSight, LogLogic, LogRhythm, Q1 Labs, and the storage folks.

4. 2008: the year of the authenticators

4.1. In its predictions for 2008, the company said internet users, traders and regulators will demand authentication of those they interact with. "It is often argued that one of the greatest benefits of the web is anonymity. However, in 2008 there will be an increasing clamour, from regulators, users and online traders, for the internet to require people to provide authenticated identity every time they make a transaction via the web," said Jim Sloane, technology, media and telecommunications partner at Deloitte.

4.2. Call to eliminate virtual personalities

4.3. add this to your ToR article

5. P2P threat 2008

6. Top_information_security_risks_for_2008.pdf

6.1. seems to be good

6.2. has many useful references

6.3. a little confused about the distinction between threats, vulnerabilities and risks

7. Our grand challenges