I have no original thoughts today, so I will just point to a series of interesting and emerging blog debates and then make fun of them.
The Tao of Security has reviewed FAIR and he doesn’t really like it (here). Alex responds (here) and (here) – Bottom Line: Risk is unique to an organization, and no template, framework, or set of guidelines will establish a credible risk management initiative without considerable alignment with an organization’s internal structure, business needs, and risk comfort level – not every incident results in a loss that is more expensive than the controls in place to prevent it; find your company’s balance. Establishing a risk management framework from scratch is a considerable amount of work, and it is advisable to look to external sources, such as those offered by FAIR, to develop the foundation.
Hoff feels hassled, at least virtually, about the lack of virtualized security (here) and then lobs a bomb at the Mogull, stating that DLP is the new NAC (here) and is quickly descending into the trough of disillusionment. Mogull responds (here); although not really disagreeing about DLP, he does think that CMF could be huge, baby, huge! – Bottom Line: These technologies (NAC, DLP, CMF, etc.) are the digital equivalent of a freshly minted yellow-belt in Jiu-Jitsu: “let me show you my new moves, grab my arm, no the other arm, no but use your other hand, ok, no wait not so hard, ok now stand like this, no I said stand like this, ok now watch – pretty cool huh!” Talk about over-hyped. Anyway, organizations should move cautiously with all these new widgets and never forget that these types of technologies are very policy driven and therefore useless without significant investment in people and process; these are not deploy-and-depart by any means. Additionally, these types of products are really only good for preventing casual or unintentional violations of policy; they are pretty much useless against a well-armed malicious actor.
Speaking of Rich, the Mogull has left Gartner, removed the muzzle and is now able to blog (here); he has added a live chat feature to his blog, to which layer8 posted the funniest post of the week (here) – Bottom Line: Rich is missing his calling; he really should get into hardcore gangster rap. He has the name “Rich Mogull”, he has the adrenaline attitude, platinum filling, gold bling, and a tattoo across his chest in Celtic writing: “West-Side Phoenix – Bitch”.
Apparently rumors of the IDS’s death have been greatly exaggerated, as Farnum (here), Bejtlich (here), and grumpy smurf (here) have whipped out the acoustic guitars, patchouli/sage incense, and fired up the hookah, spinning tales of seeing it live and in person flipping flapjacks with Elvis at a road-side diner en route from Albuquerque to Las Cruces – Bottom Line: IDS is a function, a process – it is NOT a product (here). IDS is the equivalent of a home burglar alarm, except it doesn’t actually scare the intruder away or notify the police, and every time a bird flies by the house, the wind blows, or someone smacks a mosquito in sub-Saharan Africa it fires off an alarm – luckily most organizations are over-staffed and have too many resources, so it really isn’t a big deal that there are so many false-positives or that an IDS is easily subverted – not! More thoughts (here).