Another Day, Another Vendor
Posted July 10th, 2007 by rybolovSo I got “roped into” another vendor presentation yesterday. I should have done a little bit of research beforehand because then I would know that the product they pitch is Yet Another Technical Policy Compliance Tool (YATPCT)(tm) and I could have safely skipped it.
From my standpoint, this market is getting crowded, but the nature of the beast is that it’s low sales volume but high cost. Ie, it’s a market that will forever be make-or-break. Not a good place to be as a vendor, and I have a feeling that the majority of them will die a horrendous death but to the business leadership one sale looks pretty good.
One thing that I did see is that the typical YATPCT has now evolved. Most of them have incorporated workflow now so they’re aiming for “security team in a box”.
Now for people who know what they are doing, the people that I refer to as “clueful”, these tools are pretty good at keeping you on track. The problem is that there is a shortage of clueful people, so they’re buying tools to compensate for the lack of skill. The end result of this game is that you end up broke with no adequate security–not exactly what I would call “effective security”.
One of these days I’ll find a vendor who “gets it” and is worth my time to teach them how to do the last 5% of what they need to work for me. God knows I’ve taken hours to explain it to anyone that wanted to hear. This is what I want to see:
- Grouping assets together
- Determining a criticality for the group based on the Business Reference Model (SP 800-60)
- Yes, a baseline of controls from 800-53 but the ability to add my own controls and do tailoring because I have to distill the control into an exact requirement that people can build to
- The ability to extract a complete System Security Plan to hand to an auditor
- An engine to build a test plan and record results
- Workflow for Plan of Action and Milestones so I can get funding from Congress and actually get things fixed. Exhibit 300 format would be highly superb.
The problem is that a tool adds to the effort involved, not detracts from it–you still have to use the thing in addition to all the people-power. If you still need the people with the wetware to use the tool, what has the tool effectively saved you? Probably not much. In fact, I ask the basic question: what does automation really provide for something that is perpetually a one-off system? You only get efficiency when you optimize the parts of a process that are repeated–ask any programmer about it. Yet at the same time, if you have a set of systems that habitually have a large amount of shared controls between them, why aren’t they lumped together into the same system already?
In the meantime, all I see are SoX technical compliance solutions kluged into FISMA compliance solutions. We think differently here inside the beltway. I don’t assign dollar values to individual servers, and I don’t care about ALE calculations. To be bluntfully honest, I don’t really care about compliance, I care about risk management (both security risk and project risk), so at the end of this exercise, no matter what the scope of it is, I want to know what the residual risk is and if we should do one of the following:
- Leave it as-is
- Pump more money into it
- Kill it or at least investigate feasible alternatives
- Beat people about the head with the giant foam cluebat until they fix a small subset of problems
- Fire the staff
- Fire the evaluation staff
- Go fishing (trick answer, I was going to do that anyway) =)
Similar Posts:
Posted in FISMA, NIST, Risk Management | 5 Comments »
July 10th, 2007 at 10:35 am
Its coming, but then again you kinda know that. I used to blog about how I would do this, then decided I was tired of doing free PM for some companies so have kinda gone under ground about it until we can release. But trust me its coming and you will be able to have your exact wishes.
July 10th, 2007 at 3:43 pm
Heh, no one knows the falsity of “we must buy this tool and it will save us!” more than security and compliance guys. I’ve long been a fan of getting process/skill fixed before trying to buy tools to fix problems.
July 10th, 2007 at 4:05 pm
Ah, but that’s the problem with the products–they start at the bottom and try to work their way uphill instead of starting at the top and gathering momentum.
But then again, starting at the bottom is probably the easiest way to build a product, starting with something that is relatively easy to automate like vulnerability scanning and then working your way to include the “soft controls”.
July 10th, 2007 at 5:10 pm
Swap out the giant foam cluebat for something a mite stronger 😉
July 10th, 2007 at 6:05 pm
And perhaps an assistant (zombie?) to refer the hard-sell types to…