
English. Splunk-Style.

Posted by Nick Selby on April 29th, 2008 under Log Management, Propaganda, Security Metrics, Spin.

Every time I think of Splunk I think of people really really raring to go about something, and really sorta defensive if you don’t, you know, get it. It’s a bit creepy. However I must say, having downloaded and used the thing, that it just rocks in a number of ways.

One of the things that we really like about Splunk is that its API strategy is truly very good - even its competitors agree with that - and if it keeps going with it, it’s making itself relevant to several sides of the house outside security, such as IT Operations and people who have to speak with auditors. Today’s announcements show execution on the strategy: the release of Splunk for Windows (capturing registry, Event Viewer, WMI and other Windows-y stuff) as a free upgrade to the overall Splunk license, and the release of Splunk for Change Management, a Tripwire-y kind of did-the-config-change, has-the-patch-really-been-installed kind of thing, which it hopes will cause incremental upsells, taking its claimed average deal size of $30,000 to $40,000.

What we want to salute Splunk for, though, is speaking English. Have a look at the first sentence of the Splunk for Windows press release:

Splunk, the IT Search company, today announced Splunk for Windows, an application that integrates Microsoft’s System Center Operations Manager’s command-and-control view of a Windows infrastructure with Splunk’s IT Search.

Note the lack of certain terms there: “Leading.” “Cutting-edge.” “Solution.” “Platform.” “World’s first.” “Only.” Nope, Splunk called itself The IT Search company. That’s powerful stuff. Here’s something better:

Splunk is a Silicon Valley company inventing large-scale, high-speed indexing and search technology for IT infrastructures. The company’s freely downloadable software indexes and makes it possible to search and navigate data from any application, server or network device in real time. Logs, configurations, messages, traps and alerts, scripts and metrics. If a machine can generate it — Splunk can eat it. It’s easy to download, install and use, and is very powerful.

Again, jargon-free, not bragging too much (“high-speed”, not “infinitely-scalable”) and it actually - and this is the very strange part - tells you what the company does for a living:

The company’s freely downloadable software indexes and makes it possible to search and navigate data from any application, server or network device in real time. Logs, configurations, messages, traps and alerts, scripts and metrics.

We just want to salute a company for taking the high road of using the English language to express itself in a marketing message. Good onya, Splunk.

More InfoSec UK stuff... Part II

Posted by Nick Selby on April 25th, 2008 under Anti Data Leakage, Breaches, Data Protection, Database Transaction Monitoring, Directory Services, FUD, Identity Metadata, Identity and Access Management, Malware, Penetration Testing, Propaganda, Security Conferences.

Over at the Swedish booth - the one where the beer started flowing at 4PM sharp - I met with several old and some new friends - had a good chat with Maggie from Clavister (UTM, SSL/VPN and SEM); and was very interested to see the guys from both AppGate (VPN, remote access security, secure OS for remote access on a stick, remote administrator application login virtualization and some other cool stuff) and Nordic Edge, which, despite its name, makes identity and access management products and secure FTP -

Oh yeah! I got to shake the hand of Tero Harjula, the director of advanced products at SSH - not OpenSSH, but the commercial, publicly-traded company based in Helsinki. Tero is the guy over there who made what I consider one of the top ten advances in info security last year: an automatic FTP to SSH conversion tool that allows people to think they’re using FTP while they’re using SFTP, or SSH-piped FTP. Or something. Whatever, it’s in my top ten. Anything to get people to stop using FTP, like my idiot ex-bookkeeper I fired this past week after they put my personal stuff on their FTP server. Dingbats. But I digress.

Olov and Peder from BehavioSec (we’re back at the Swedish stand at InfoSec, keep up) make a pretty cool internal security product that basically takes BioPasswordy (I guess that’s now AdmitOney) stuff then blends it with mouse-click and UI-interaction monitoring - correlate these things and you’ve got a nice way of building a user profile to determine whether it’s Paul accessing that application or whether it’s clear that someone’s jumped onto Paul’s machine while Paul’s down at Sakura Bana Sushi and tried to use his login to do something naughty. If it works. Which we’ll find out about.
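A sketch of the keystroke-and-mouse profiling idea described above, as an added example that is not BehavioSec’s code and not part of the original post: enrol a user from past sessions by recording the mean and spread of each timing feature (the latency between two particular key presses, the interval between mouse clicks), then score a new session by how many standard deviations its timings sit from that baseline. The feature names, the threshold and every timing value below are constructed for illustration; a real product would use far more features and far more enrolment data.

```python
"""Toy behavioural profile from keystroke and mouse timings.

Added example, not BehavioSec's code. Feature names, thresholds and all
timing values below are constructed for illustration.
"""
from statistics import mean, pstdev

# Enrolment data: three past sessions for "Paul". Keys are timing features:
# a two-letter digraph is the latency in ms between those two key presses,
# "click" is the interval in ms between consecutive mouse clicks.
PAUL_SESSIONS = [
    {"th": [118, 125, 112, 130, 121], "he": [90, 97, 101, 88, 94],
     "click": [790, 820, 760, 840, 805]},
    {"th": [115, 128, 119, 124, 117], "he": [93, 99, 89, 96, 91],
     "click": [810, 775, 830, 795, 815]},
    {"th": [122, 116, 127, 113, 120], "he": [95, 87, 100, 92, 98],
     "click": [785, 825, 800, 770, 835]},
]

# A later session that is genuinely Paul, and one typed by someone else who
# has sat down at his unlocked machine (slower typist, faster clicker).
PAUL_AGAIN = {"th": [119, 124, 114, 126, 121], "he": [92, 96, 90, 99, 94],
              "click": [800, 790, 830, 815, 780]}
SOMEONE_ELSE = {"th": [240, 265, 230, 255, 248], "he": [180, 195, 170, 188, 176],
                "click": [300, 280, 320, 290, 310]}


def build_profile(sessions, min_samples=3, sd_floor=1.0):
    """Pool every enrolment session and keep (mean, std dev) per feature.

    Features with fewer than min_samples observations are dropped because
    their spread cannot be estimated. The std dev is floored so a feature
    whose enrolment values happen to be identical does not make every later
    deviation look infinite.
    """
    pooled = {}
    for session in sessions:
        for feature, values in session.items():
            pooled.setdefault(feature, []).extend(values)
    profile = {}
    for feature, values in pooled.items():
        if len(values) >= min_samples:
            profile[feature] = (mean(values), max(pstdev(values), sd_floor))
    return profile


def score_session(profile, session):
    """Mean absolute z-score of the session's timings against the profile.

    Returns (score, n) where n is the number of timings that could be
    compared. Features unseen at enrolment are ignored rather than counted
    as anomalies, so the caller can tell "matches" from "no evidence".
    """
    zs = []
    for feature, values in session.items():
        if feature in profile:
            mu, sd = profile[feature]
            zs.extend(abs(v - mu) / sd for v in values)
    return (mean(zs) if zs else 0.0), len(zs)


def is_anomalous(profile, session, threshold=2.0, min_samples=10):
    """True if the session looks like someone else, False if it matches the
    profile, None when too few timings overlap with the profile to say."""
    score, n = score_session(profile, session)
    if n < min_samples:
        return None
    return score > threshold


if __name__ == "__main__":
    prof = build_profile(PAUL_SESSIONS)
    for name, sess in (("Paul again", PAUL_AGAIN), ("someone else", SOMEONE_ELSE)):
        score, n = score_session(prof, sess)
        print(f"{name}: mean |z| = {score:.2f} over {n} timings, "
              f"anomalous={is_anomalous(prof, sess)}")
```

The three-way result (match / anomalous / not enough evidence) is the part worth copying: a session that shares no features with the profile should trigger a fallback such as step-up authentication, not a silent pass.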

Earlier this year we spoke once again with Halvar Flake and wrote up the change of name from Sabre Security (now Zynamics) and his cool BinNavi and BinDiff programs (insert obligatory link to the latest pentest/reverse engineer craze, the Automatic Patch-Based Exploit Generation paper that’s been so hot on the lists (and is really, really cool - but as Halvar says about it here, it describes a process that “…does not generate exploits. It triggers vulnerabilities.” So read both.)). It’s only fair that we finally get around to speaking with the nice people at IOActive to see what they have to say, so I stopped by and said hello, swapped cards and we’ll see what happens there.

One thing I was totally bummed about was the fact that I missed three meetings that I would have really liked to attend - the first with Ivan Ristic at Breach Security - who sold Breach his ModSecurity project last year - the second with OTP vendor Grid Data Security - partly due to my missing a train, partly due to the stormtroopers at the front door who wouldn’t let me in until 9.30 am for a 9 am meeting - and the third was the catch up with Secerno that I mentioned on Wednesday I was going to shoot for on Thursday. Never happened. What did happen on Thursday though was that I met Søren from Inspekt Security, a Danish company with a US subsidiary based near Denver, which has launched a service-based enterprise security information and log management system with behavioral anomaly detection based on stream, not flow, analysis. That was cool. We’re talking more and I hope to write about them soon.

Now I’m on Amtrak back in the States and will write part III next week.

Neither Booth Babes nor Annoying Stunts Diminish Business At InfoSec UK

Posted by Nick Selby on April 24th, 2008 under Anti Data Leakage, Breaches, Data Protection, Database Transaction Monitoring, Directory Services, Identity and Access Management, Malware, NAC, Penetration Testing, Security Conferences, Security Metrics.

You have to wonder why, at a show that is one of the world’s most successful security exhibitions in terms of actual leads gotten and deals done, so many vendors still resort to babes in nurses’ getups or wearing shirts that say, ‘I’ve Been Penetrated’. Flacks here tell me that attendance is up 40% over last year (the show moves from the greenhouse that is Kensington Olympia to the Uglydome at Earl’s Court next year) and vendors giddily speak of lead after lead. This is a great show - in fact it’s my favorite every year.

I spoke with the folks at Core, who tell me that the attitude towards pen testing here is vastly different from that in the States, and I have to agree - in the US, you either do it or you’re scared of it; here you just do it. Actually, overall there is a sense in Europe that the security products that you buy should, you know, work as promised, and buyers come prepared to ask serious questions and demand serious answers. A little feud between Sophos, Kaspersky, Trend and McAfee (pronounced, over here, correctly - it’s mc-AFF-ee, not ‘mack-uh-fee’ for God’s sake - yes, I’m telling the founder that he pronounces his name wrong) resulted in a blaring propaganda-fest that I steered well clear of.

Here’s who I met with and a sentence or two about what they do (or at least, what I think they do).

Howard Schmidt sits on the boards of Fortify and Codenomicon and he was in town to talk about secure code training, code testing in the development stage and, while he was at it, protocol fuzzing and testing. I also later met with Ounce Labs and talked about pretty much the same thing, sans the fuzzing plus a bit more about the training, and then found out that Jeremiah Grossman was in town - we met on the second floor of the F5 booth - yes, the second floor. Of a booth.

I really enjoyed meeting with Jan Hichert, the CEO of Astaro Internet Security, which makes a cheap and cheerful and good quality unified threat management box from mostly open source stuff (it used to be called Astaro Linux). It started with SuSE, stripped out everything and built back up with a mess of open source stuff; now it’s a nice, juicy plug and play box or VM image that shoves commodity stuff into small and mid-sized businesses. They make money.

Along those same lines, I met with three of the folks from GFI - there’s a company I really like, because they make everything, cheaply and well, a small business might need, and they’re raking in the cash - they did a bit more than $60m last year and say their profit margins are in the 30% range - and now they’ve cut prices by 20 to 45% on everything they sell. Aggressive and cunning in how they approach the problem of getting small businesses the stuff they need.

Udi Mokady from Cyber-Ark and I discussed how his product line is expanding from privileged password management to identity management and some of the directions that that can go - they’re doing well with Israeli banks - not known to buy rubbish very often - and expanding their US operations.

Avishai Wool, the co-founder and CTO of AlgoSec, showed off his firewall management system that does a kind of Skyboxy, Red Sealy, Tufiny kind of thing, he says, better than Skybox, Red Seal or Tufin, and his technology and approach to managing heterogeneous firewall configurations looked very interesting indeed, especially a pre-generated firewall audit feature that you will like and your auditor will grudgingly respect.

Spanish vendor S21Sec was probably one of the most interesting companies I spoke with - they started several years ago taking log management software developed by a Spanish bank, then moved into security assessments and consulting, legal advisory, and digital protection of the ‘horse-has-left-the-barn’ type done by folks like Cyveillance and others, which chase down digital intellectual property around the world. They do lots more, and we look forward to speaking with them at length.

I’m excited to meet back up with Secerno, which does database transaction anomaly detection, a key thing we’ve been looking at - but it seems that they may be doing it a bit differently from competition such as Guardium, Tizor, Imperva and Application Security Inc. I’m going back to the show to meet with Secerno today.

Bradford Networks was at the show showing off its new guest-and-contractor-only lite version of its NAC, and the booth was packed. Looked as if Bradford was having a good time - I also ran into Ray from ForeScout but didn’t get a chance to stop by the booth.

Last year I spent time at the worst product demo of what looked to be the most interesting product at the show, the Swiss strong encryption vendor InfoGuard. This year it’s got its act totally together, a new look and a stonking great, absolutely awesome encryption product which I am now going to take a long look at. Speaking of encryption, I had dinner last night with two of the Thales e-Security people; Thales likes to refer to itself as the biggest security company that no one has ever heard of. They’re serious people with serious stuff that costs a serious amount of money and I really liked what I heard. We spent a great deal of time talking around the issue of securing information in the cloud - around it because they had to speak slowly to me and use very simple words - they’re on-another-planet smart, and we’re pleased to say that they will be joining us at our Enterprise Computing Strategies Europe show, and appearing in a panel I am moderating on that subject - should be awesome because, after all, cloud is all about security.

More later - I’m heading back to the show.

Sophos lands 120,000 seat deal at Northrop Grumman

Posted by Paul Roberts on April 23rd, 2008 under Anti Data Leakage, M&A, Malware, NAC, Policy Enforcement, Port and Device Control.

There’s more evidence of a shakeout in the antimalware space, as sources tell us that UK based Sophos landed a 120,000 seat deal for endpoint security software at defense contractor Northrop Grumman, displacing its larger competitor, Symantec. The deal is just the latest of this sort. We wrote last year about GE ousting Big Yellow in favor of Sophos, citing that company’s integrated NAC and endpoint agent.

Anecdotal evidence we’ve heard suggests you should expect to see more bloodletting in the months ahead — and not just at the tip of Sophos’s spear. McAfee, Kaspersky Labs and a whole host of other competitors tell us that they’re doing well at the expense of “Big Yellow”.

Why all this turmoil in enterprise accounts that were once pretty static? We think the antimalware software (fka “antivirus software”) industry is at the tail end of what has been a buoyant, decade-long run that saw well-positioned players like Symantec Corp. increase revenues from $472m in 1997 to $5.1bn in 2007. Today, the bedrock on which endpoint security was built is starting to crumble. The research teams that keep threat signature detection engines current are being overwhelmed by the volume of new viruses, worms, spam and other malicious programs. On the customer end, frustration is growing both with the fat uber-agents that have developed in recent years and with the cumbersome infrastructure of update servers and signature updates needed to support them. In short: enterprises have had it and are ready to look around, either at other endpoint security companies or at out-of-the-box solutions like application whitelisting or patch and configuration management solutions that obviate threat detection.

Symantec’s acquisition-heavy strategy has left it particularly exposed in such an environment, with a mountain of “not developed here” code and huge integration challenges. Of course, those challenges are true of almost every acquisition, but it’s acute at Symantec because that company’s reliance on “buy” versus “build” in the last decade was, itself, so lopsided. How lopsided? Just for kicks, I did a search on The 451 Group’s M&A Knowledgebase. Since January 1, 2002, McAfee has completed 14 deals for around $869m, including the $350m purchase of encryption vendor SafeBoot last year, and another $200m or so on IPS vendors IntruVert and Entercept back in 2003. During that same time period, Sophos has done two deals for a total of $48m — antispam outfit ActiveState Software and NAC firm Endforce. Trend Micro has done six deals for a paltry $21m since the start of 2002 ($15m of that was spent to acquire spyware and content filtering firm Intermute in 2005). Symantec? Since 2002, the company has completed 25 deals totalling $16.7bn. Even factoring out the $13.5bn acquisition of storage vendor Veritas in 2004, Symantec has outspent its closest rivals by 3:1, spending twice as much on NAC startup Sygate, for example, as Sophos and Trend did on all their acquisitions during the same time period.

Is that a problem? Not at all — so long as Symantec’s bankroll and acquisitions have the effect of pushing its smaller competitors off the playing field. But just the opposite seems to be happening: smaller competitors — even private firms, like Sophos — are making inroads into large enterprise accounts that were once Symantec’s bread and butter. Sophos’s 100,000+ seat deal with GE was an icebreaker, now other large enterprises like Northrop are following suit.

Price is surely a deciding factor in many of these accounts. (Sophos gave GE a sweet deal to claim that large enterprise scalp.) But it’s not the only one, and not adequate to explain the blood in the water in the antimalware space. Agent size, update size and frequency, quality of detection, management tools and feature set all play a part. Having wow features like anti data leakage and device control is great, but it’s more important that the stuff works without hosing the XP machines your employees need to be productive. History has shown that flying the Vontu banner at RSA is one thing, and getting the Vontu code baked into your agent is something very different.

Symantec, itself, seems to realize this. Newly appointed COO Enrique Salem is reportedly shaking up a corporate hierarchy that had become sclerotic and inefficient, abolishing the Group President position within the enterprise product groups and moving things around to try to encourage cross-product integration. Furthermore, the company’s Altiris acquisition could prove to be prescient, in a way that Veritas was not, as the endpoint security market tips toward better endpoint management and away from threat detection and blocking.

What the *@^# is GRC, Anyway?

Posted by Nick Selby on April 21st, 2008 under Propaganda, Security Metrics, Vendor Blather.

Maybe it’s us, but we’re just not seeing the beef in the governance, risk management and compliance ‘industry,’ or GRC. We have heard vendors shouting GRC from the rooftops – mainly as a catch-all phrase to describe everything from vulnerability analysis to security dashboard and metrics plays (e.g., Agiliance and Clearpoint Metrics) to ESIM to log management. And when we asked around, no one was able to tell us what the heck it is. We certainly don’t think that the phrase has any meaning when attempting to describe a single product, and are herewith and hereby writing it off as marketing razzmatazz designed to imply a platform where none exists.

ZD Event

Posted by Nick Selby on April 16th, 2008 under Anti Data Leakage, Speaking Gig.

I had a great time yesterday at the ZD Enterprise Security Summit at the phenomenally uncool Grand Hyatt Hotel above Grand Central (1 musty cube, 100 square feet, one working phone out of two, view of an office building seven feet across an alley = $600) . Finally got to meet a couple of people I’ve really wanted to meet for some time, including Gadi Evron and Ryan Naraine, and got to make predictions on stage and engage with some really smart people. Ryan takes my view on the decreasing value of the anti malware vendor incumbency with a grain of salt - actually he says I’m just wrong - but still, when we see people like Panda and Sophos and Kaspersky kicking SYMC butt, the numbers tell the story.

ZD throws a good event, and there were plenty of people, a good mixed crowd of pros, consultants, admins, business folks and of course a full complement of ZD star journalists like Ryan, Larry, Wayne et al. I’m looking forward to more of the same.

Bye Bye DLDOS? We Can’t Let This Happen!

Posted by Nick Selby on April 12th, 2008 under Anti Data Leakage, Breaches, Security Metrics.

As of Friday, the people at attrition.org have stopped updating the excellent Data Loss Database - Open Source, better known throughout the world as DLDOS. In an understandably moody statement the DLDOS maintainers said,

In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation.

Now, we at The 451 Group have just used the database for some research and fully credited the organization - as a matter of fact I mentioned their fine work on stage at the Americas Growth Capital Conference, and within our upcoming report, Mind The Gap. In fact, we based a great (if I do say so myself) piece of analysis on the fact that security professionals don’t seem to be defending against what’s actually happening - check this out:

[chart: 451 Group analysis built on DLDOS data, with attrition.org credited on the chart]

Note the credit.

So now we have to say, to all the people at Attrition, thank you for maintaining this fantastic source of information, for your hard work and efforts, and ask, is there anything we can do? Can we help maintain it? Is your decision final?

At RSA: booth truths?

Posted by Paul Roberts on April 11th, 2008 under Data Protection, NAC, Policy Enforcement, Propaganda, Vendor Blather.

One of the most frequent questions industry analysts get asked at big events like this week’s RSA Conference is “what’s hot.” It’s a natural question to ask — what with hundreds of companies gathered in the same place to show off their wares. It’s also an almost impossible one to answer. For one thing, we industry analysts bide our time at events like RSA meeting with both vendors and customers, attending cocktail mixers and panel discussions, and otherwise being feted by IT firms and their legions of public relations minions. It’s a great opportunity to network, make connections and get introduced to new companies — but it’s not the best vantage point from which to survey the landscape. Second, big trade shows like RSA tend to take on a kind of fun house mirror quality, what with the outlandish booths and other attention-grabbing gimmicks that crowd the show floor. Finally, most every company will tell you that conferences like RSA are less useful in generating sales leads than they are in generating partnership opportunities with other tech firms, resellers and the like. With most of the real “action” happening in hotel suites, restaurants or closed door conference rooms, the real “business” of the RSA Conference is mostly invisible. Seeds sown at shows like RSA may not bear fruit for weeks or months.

What big industry shows like this week’s RSA Conference can do is act as a rough barometer that indicates which technologies are spurring interest among the IT buyers, sales professionals and others who ply the show floor. How can you tell? For one thing, you can look and see where the crowds are. Which booths are attendees streaming to? Of course, vendors do all kinds of crazy stuff to draw foot traffic to their booths: T-shirt giveaways, drawings for iPods, and the ubiquitous “swag” — stress balls and breath mints and the other gewgaws that we acquisitive humans like to stockpile. Then there are the booth babes who lure the (mostly male) attendees — siren-like — into stimulating conversations with sales reps and marketing managers.

But RSA’s about technology, not biology, so you’ve gotta screen for this stuff. I look for product demonstrations by otherwise unremarkable characters in chinos and collared shirts — that are drawing big crowds nonetheless. What plunked through the other side of the filter this year? Encryption, for one. Entrust’s booth was consistently jammed, as were the booths of other vendors offering products for whole disk encryption, PKI and other data protection wares. NAC also was a big draw. Despite generally pessimistic news coverage of the space since the failure of Lockdown Networks, competitors like Bradford Networks (who came over the top with a 20′ by 20′ booth in a prime location on the show floor) were drawing big crowds for their NAC demonstrations. Patch and configuration management vendors like Lumension also appeared to be doing well, as did the Grand Poohbahs, like Cisco and Microsoft. It’s an unscientific survey, at best, but may give an indication of where IT security dollars will be flowing in the months ahead.

Shows like this can also serve as a thermometer, if you will, that tells which companies are heating up and increasing their marketing spend, and which are cooling off, cutting back or even fading away. I call this “booth truth,” and it’s hardly a science — but let’s face it: shows like RSA are tremendously expensive for the tech companies that exhibit there. How expensive? A small, 10′ by 10′ patch of carpet on the floor of Moscone Center might run you $20,000 or more for the week-long show — and that’s just for floor space. Add in the cost of a booth, and travel and lodging expenses for the employees who will staff it, and the price can easily double — or triple. But these are the table stakes, if you will, that you’ve got to pay to play in the industry. One CEO of a leading (but privately held) IT security company told me that his company purposely bought a much bigger booth than was needed this year, with the express intent of conveying the message “we’re not going anywhere” to customer prospects who might stop by.

What else does it get you? Some traffic — maybe a few sales leads. If one or two of those turn into sales (depending on the price of what you sell, obviously) you may make back the money you poured into the Moscone’s carpeting. More important: you get to answer “yes” to the persistent “are you going to be at RSA” questions you’ll get from business partners, channel partners, prospective clients, reporters and other industry wags in the months and weeks leading up to the event. That has a business value all on its own. Got a company that’s keeping its chips off the table and pulling back on its presence? It matters. We noted the absence of NAC vendor Consentry (though the company did have a token presence in a larger vendor’s booth) and wonder whether the company is rethinking its message and focus, a la Autonomic Networks — or something worse.

Just some thoughts.

Most Tasteless RSA Giveaway

Posted by Nick Selby on April 10th, 2008 under Anti Data Leakage.

A condom.

From GTB Technologies.

Inscribed,

A leak can be expensive

Turner and Assante on The High Seas of US Cyber Policy

Posted by Nick Selby on April 10th, 2008 under Data Protection, Policy & Regulations.

Just read Aaron Turner & Michael Assante’s excellent article in CSO Magazine, Freedom of the Cyber Seas, in which they compare and contrast the response in the 18th century by the United States to pirates on the high seas with today’s federal response to Internet crime.

This is a fascinating essay, prepared by two of the more cogent thinkers in the space today - Turner (with whom I work at the Institute for Applied Network Security and with whom I am working on a book) and Assante work at the Idaho National Laboratory - Turner manages security technology transfer and commercialization and Assante is INL’s infrastructure protection strategist.

The (somewhat) buried lead is:

[T]he nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas–the cyber seas. The Internet has the potential to significantly impact the United States’ position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier…

That in itself is not a news flash - back in 2004 MIT Technology Review published a terrific piece by Eric Hellweg, Cyber Security’s Cassandra Syndrome which discussed the stalled and possibly addle-headed Bush administration approach to the problem of leadership of the effort to protect the nation’s computing infrastructure.

But Turner and Assante’s article is among the first mainstream media (well, mainstream industry media) pieces to clearly articulate not just the problem, but also to set forth specific steps that the next president of the United States (whoever that may be) should take, beginning with a pronouncement at the first State of the Union address:

…The president’s policy statement should open up a dialog to consider private- and public-sector initiatives to begin working on creative approaches to the growing number and severity of cyber incidents. Most importantly, a presidential declaration outlining the unalienable right of all nations and peoples to conduct commerce on global networks will set the tone for all cyber security efforts undertaken in the next administration.

Highly recommended reading, well thought-out and well done.

Virus Bulletin pans big boys in AV- but does it matter??

Posted by Paul Roberts on April 3rd, 2008 under Malware, Security Metrics.

Virus Bulletin, one of the antivirus/antimalware industry’s trusted sources on product testing, warned today that a number of leading AV vendors failed to detect known threats in their latest round of tests on the new Vista SP1 platform. The lab report is fairly damning: McAfee, Trend Micro and Sophos all failed to get the VB100 seal of approval on the Vista SP1 platform, as did products from Alwil, BitDefender, Norman, PC Tools and VirusBuster.


They aren’t alone. Out of 37 AV products tested, we learn, 17 failed to obtain VB100 certification, which requires that they detect 100% of the malicious programs listed as “in the wild” by the WildList Organization. Companies must also scan a list of known clean files maintained by VB without generating any false positives.

Finally, the products that are tested have to do all this in their default configuration — no “optimizing” allowed. There are other tests as well, which you can read about here. They include performance tests and scans of other malware lists, etc. etc.

Of course, when you read behind the press release about popular AV programs falling flat on their faces, there are a couple of asterisks worth noting. First of all: the platform in question — Vista SP1 — was released shortly after the deadline for product submissions to VB. VB reviewer John Hawes — a very smart guy — is up front about the fact that not every antimalware vendor was even able to get a copy of SP1 for testing before submitting their wares to VB for certification.

Also, given the large number of submissions (40), VB tester Hawes shelved those that couldn’t “provide usable results after the standard three install (attempts).”

Still, that didn’t stop VB from raising the alarm in its press release, with Hawes quoted saying that “Threats several vendors failed to detect in this test have been circulating in the real world for some months now,” and “it’s disappointing to see so many products tripping up over threats that are not even new–computer users should be getting a better service from their AV vendors than this.”

What’s going on? A couple of things. With all respect to the folks at VB, who provide a valuable service to the antimalware industry, part of this is marketing. Certifications like the VB100 add prestige and visibility to the magazine and help with subscriptions, and nothing drives attention in the press like a little controversy. Ordinarily, VB100 ratings wouldn’t get a mention. With some big vendors falling down, these just might.

Second, vendors chase after VB100 certifications and others like it because they’re something tangible they can point to in their marketing and product promotions, and because they seem to make something very fishy and subjective (the quality of antimalware products) seem concrete.

Is that really a bad thing? Well, frankly, yes. It is. Certifications like VB100, which are based largely on static file analysis, have gone a long way towards sustaining the signature-based detection model when others might serve consumers and enterprises better. True, most companies already blend behavior-based and signature-based detection methods, but companies that rely heavily on the former, behavior-based detection (like BitDefender), tend to do worse on tests like the VB100. Does that mean BitDefender provides inferior protection to a company like, say, Kingsoft, which did receive the award? Hardly, but the lack of certification still becomes a hook on which to hang competitive claims. Bottom line: you get punished for not using signatures, even if that’s the right or most effective thing to do.

It’s not as if nobody noticed these things before. I’ve been attending the annual Virus Bulletin Conference for years, and there’s always been heated discussion about testing methodology. As far back as 2003, in fact, the VB Conference had a panel discussion about anti-virus testing with West Coast Labs, ICSA Labs and VB. The conclusion: Wild List detection rates are only one measure of an effective antimalware product, but time and resource restrictions limited broader testing.

However, as the malware problem has exploded in recent years, the problems with the industry’s narrow focus on signature matching became too obvious to ignore. At long last, changes are coming to VB and other testing organizations. For one thing, the industry-sponsored Anti-malware Testing Standards Organization (AMTSO) will soon release new guidelines for evaluating and certifying anti-malware products. Those standards are expected to radically reduce the importance of static file analysis (i.e. signature matching) in determining the overall effectiveness of antimalware products — pretty much the only thing keeping the signature game going. We also note that closer cooperation between previously disparate testing labs such as AV-Comparatives, AV-Test.org and the Russian Anti-Malware Test Lab (AMTL) will result in more uniform (and hopefully thorough) vetting of antimalware suites.

In short, new testing methods will end the illusion of competence that current testing models perpetuate. They’ll also raise the bar on malware detection for established vendors, and may very possibly reshuffle the ranks within the antimalware business. Stay tuned!

Identity, Shmidentity

Posted by Steve Coplan on April 3rd, 2008 under Directory Services, Identity Metadata, Identity and Access Management, Policy Enforcement.

Before his turn in the cinematic tour de force Ferris Bueller’s Day Off, Matthew Broderick starred in a movie called War Games that was possibly my introduction to the world of identity management. The details are hazy, but I recall that Broderick’s character hacked onto the US national security network and inadvertently set the world on the path to nuclear meltdown and mutually assured destruction. The conceit of the film was essentially one of identity fraud - the system assumed that a user was authorized and entitled to launch ICBMs based on his presentation of a (stunningly simple) set of credentials - a little more serious than fooling a system into thinking you are both an administrator and equity trader. Obviously, security has taken strides since the early 1980s, but taking the squishy, human idea of identity into the world of systems is still a work in progress.

Of course, a user always has to prove they are who they say they are within well-defined parameters, but who they are can also be driven by the context, and by what level of access is required for their function. The context can change by application - examples abound in verticals like healthcare and financial services - and level of access is not always consistent with function - it may also relate to organizational seniority or external considerations like regulatory compliance. The scope of the challenge of managing identities with multiple facets related to how an organization functions has given wings to any number of marketing terms and technology descriptions: composite identities, converged identities, identity cubes, role management (and the list goes on). All this implies that there are bits of identity sprinkled across an enterprise infrastructure that must be consolidated, reconciled and aggregated. And we are only at the tip of the iceberg in terms of communicating the semantics of these identities across domains - although, as Chris Swan notes, the mechanism for cross-domain authentication exists. The realization that user identities are in some way incomplete or too fragmented is driven by the need for visibility and control mandated by regulatory compliance, but it also presents an opportunity to rethink identity management from the ground up.

It may be misleading, however, to characterize an identity as whole or partial. A user’s identity should be the sum of the parts, otherwise the concept of identity doesn’t have any meaning - rather it’s a system-level association of a directory profile with a set of entitlements with no organizational context. But having a partial identity doesn’t imply that it’s inherently deficient. There is a subset of user-system scenarios where a system has to know everything about the user, and a subset of users that must be subject to constant control. For the most part, an identity management system is dealing with relatively benign user-system access patterns.

Instead, a more appropriate metaphor might be ‘heavy’ and ‘light’ identities that populate a continuum defined both by organizational hierarchies and by the level of risk associated with any particular action. As we’ve noted in our Market Insight Service, heavy identities are defined by the nature of the privileges and permissions associated with them and the role of the user, but also by the risk that they represent if not protected. As the degree of access requires more information on the user – not simply ‘are you a company employee’ or ‘can you satisfy a challenge for your Active Directory credentials’ – the identity becomes heavier. In order to scale systematically and limit management overhead, identity management must implement controls in tandem with the ‘heaviness’ of the identity.

This all assumes a modular approach that involves some form of communication of data from a dedicated application repository to a centralized policy - something approximating a directories 2.0 approach - rather than conversion of data into a single, monolithic identity store and some form of policy engine with rules on when to invoke ‘heavy’ identity management processes. An open, modular approach may seem like a bridge too far until you consider the implications: rather than forcing all identity data through a bottleneck, it can remain distributed in order to enable flexibility, and access and policy rules can be defined hierarchically. For instance, where an individual identity has access to credit card data as part of their application entitlements, the local policy must be marked and subordinated to a centralized policy engine before it can be approved. Other elements of the policy related to authentication and access control can remain localized.

This approach also allows for the persistence of disparate identity stores, but a greater degree of communication between them based on cross- and intra-domain federation models, providing far more flexibility in managing fluid identities, and reducing the amount of data (and by extension management complexity) that has to reside in one single, consolidated identity store.

There are obviously some interesting pieces of the puzzle that are emerging to facilitate this type of ‘SOA for identity’. One element, of course, is standardized protocols to communicate data and higher-level concepts such as attributes and entitlements between identity stores (XACML and SAML spring to mind). Another is new ways of organizing the relationships within directories such as the Higgins Data Model, or providing an overlay onto existing identity management systems in the form of role management (although this is more a vendor-specific approach from companies such as Aveksa, Courion, Eurekify and Sun through its acquisition of Vaau). Role management allows for a more granular definition of the spectrum between heavy and light, and identifies what specific elements move the dial.

This concept of heavy vs light links nicely with what I believe could be an interesting model for security – creating a flexible balance between availability of resources and fine-grained policy enforcement by enforcing granular access controls based on the escalation of privilege levels. At each step, the identity gets heavier, and more security controls can get invoked. Most human organizations are organized hierarchically – it makes sense to structure identity management in the same way. This model implies extending directories in a manageable, systematic fashion and much more transparent policy enforcement between applications and identity management data. Agents probably won’t scale, and the model can’t involve vendor-specific methods of speaking to application components. metadata policy engine. None of this is trivial, but the fact that identity management license price points are heading in one direction suggests that it’s time to start seeing how the pieces of the puzzle fit together.
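The heavy/light continuum and the local-versus-central policy split described above, as an added example that is not from the post or from any vendor named in it: a toy policy decision point in Python. An identity’s ‘weight’ is the summed risk of the entitlements it holds; a request is decided by the application’s local policy unless either the requested entitlement is high-risk (the credit card data case) or the identity is already heavy, in which case the decision is subordinated to a central policy engine that adds its own conditions. The risk scores, the two thresholds, and the step-up (MFA) condition are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field, replace

# Constructed risk score per entitlement (assumption: the post names no
# scoring scheme). Cardholder data and host administration are the heavy ones.
ENTITLEMENT_RISK = {
    "timesheet:read": 1,
    "wiki:edit": 1,
    "crm:read": 3,
    "cardholder-data:read": 10,  # credit card data: must go to the central engine
    "host:admin": 10,
}
CENTRAL_RISK_THRESHOLD = 5   # a request for an entitlement at/above this is escalated
HEAVY_IDENTITY_WEIGHT = 8    # an identity at/above this weight is escalated for every request


@dataclass(frozen=True)
class Identity:
    user: str
    entitlements: frozenset = field(default_factory=frozenset)
    mfa_verified: bool = False

    def weight(self) -> int:
        """'Heaviness' of the identity: summed risk of the entitlements it actually holds."""
        return sum(ENTITLEMENT_RISK.get(e, 0) for e in self.entitlements)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    decided_by: str   # "local" or "central"
    reason: str


def local_policy(identity: Identity, entitlement: str) -> Decision:
    """Application-local rule: the entitlement is held, so allow. Nothing more is known."""
    if entitlement in identity.entitlements:
        return Decision(True, "local", "entitlement held")
    return Decision(False, "local", "entitlement not held")


def central_policy(identity: Identity, entitlement: str) -> Decision:
    """Central engine: the same entitlement check, plus conditions only it enforces.
    Here the extra condition is a step-up (MFA) requirement for heavy access."""
    if entitlement not in identity.entitlements:
        return Decision(False, "central", "entitlement not held")
    if not identity.mfa_verified:
        return Decision(False, "central", "step-up authentication required")
    return Decision(True, "central", "approved under central policy")


def authorize(identity: Identity, entitlement: str) -> Decision:
    """Route the request: light requests from light identities stay local;
    anything touching a high-risk entitlement, or coming from a heavy identity,
    is subordinated to the central policy engine."""
    risk = ENTITLEMENT_RISK.get(entitlement, 0)
    if risk >= CENTRAL_RISK_THRESHOLD or identity.weight() >= HEAVY_IDENTITY_WEIGHT:
        return central_policy(identity, entitlement)
    return local_policy(identity, entitlement)


if __name__ == "__main__":
    clerk = Identity("clerk", frozenset({"timesheet:read", "wiki:edit"}))
    analyst = Identity("analyst", frozenset({"crm:read", "cardholder-data:read"}))
    for ident, ent in [(clerk, "wiki:edit"),
                       (clerk, "cardholder-data:read"),
                       (analyst, "crm:read"),
                       (replace(analyst, mfa_verified=True), "cardholder-data:read")]:
        d = authorize(ident, ent)
        print(f"{ident.user:8} weight={ident.weight():2} {ent:22} -> "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.decided_by}: {d.reason})")
```

The point of the routing rule is that the light clerk’s everyday requests never leave the application, while the analyst, whose entitlement set already includes cardholder data, is heavy for every request, even a low-risk one, and so picks up the central engine’s step-up requirement.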

Google loses security smarts with Merrill’s departure

Posted by Paul Roberts on April 2nd, 2008 under Malware, Vendor Blather.

Even though the dateline on this news item read 4/1, it appears that published reports that Google VP of Engineering Douglas Merrill is leaving to join EMI as the head of digital initiatives are accurate. This is a blow to GOOG on a couple of levels. First of all, it is yet more proof that the brain drain at Google is real and is showing no signs of letting up. Just last week, there was news of Ethan Beard, Google director of social media, leaving to be the new director of business development at Facebook. Beard announced his departure on the same day that Sheryl Sandberg, GOOG’s former VP of Global Sales and Operations started work as Facebook’s chief operating officer. And for every high level departure, you can bet there are plenty more departures of core engineering talent who have vested and decided to go chase their dream job, go to cooking school, or what have you.

Just as important: Merrill’s departure deprives Google of one of its top security minds at a crucial time in the company’s development. As we’ve noted, a rising tide of Web based attacks is increasingly on the minds of enterprises and, to a lesser extent, consumers. Despite its reputation as the best coding shop in the world, Google has found itself caught in the middle of some of these attacks. In just the last month, for example, we’ve seen the company’s search engine leveraged in a massive Web attack that combined Web-based iFrame injection attacks with search engine optimization (SEO) to send malicious code to untold numbers of Web users who were visiting a host of perfectly legitimate Web sites (Walmart.com, news.com, usatoday.com and so on). Google’s role in this was passive: it was the Web sites, not Google’s engine or apps, that were vulnerable to attack. In the end, however, Google was forced to go on the offensive: scrubbing search results for XSS and iFrame attacks and alerting vulnerable Web site administrators.

What’s clear is that attackers now see Google, its search engine and its growing stable of Web based apps as fair game for propagating malicious code. Left unchecked, these kinds of attacks could undermine the value of Web based computing, or cast the entire idea into doubt.

Going forward, then, Google will find it nearly impossible to sit on the sideline, or limit its security focus to just its own code and apps, as it has mostly done to date. Google will need to take a more active role in promoting Web app security and, if necessary, cracking down on sloppy behaviors that make it easy for attackers to At the same time, Google will have to walk a fine line between passing the buck (i.e. pushing responsibility for Web attacks on to vulnerable Web sites and their administrators) and becoming the world’s annoying security drone (i.e. by cracking down unilaterally on what it deems unsafe practices, thereby pissing everyone off). Merrill was a smart enough guy whose background working for Rand and some of the big financial and consulting firms, I think, gave him an appreciation of that kind of nuance. We’ll have to see whether or not his successor can walk that thin line as well.

The ERM and Data Loss Debate. About $0.66 of 451’s 2¢

Posted by Nick Selby on March 31st, 2008 under Anti Data Leakage, Breaches, Data Protection, Database Transaction Monitoring, IAM, NAC, Port and Device Control, Security Metrics.

Chris Swan makes a few great points in his blog post of 22 March. His post brings up a number of things that we are thinking about, and I will let my colleagues Paul Roberts and Steve Coplan address issues one and two, but for issues three and four, I agree basically and can offer some specifics. First of all:

Manual classification of information assets can (painfully) be made to work in a small silo, but to make anything to scale to an enterprise it needs to be highly automated.

Whoa, there Nelly! Automated? Since I know that Chris is someone who thinks about the really really big big picture, I will say that looking at the big picture before we start automating in the manner Chris is putting forth, we need to look at what it is that we’re classifying - our research shows that enterprises have no idea whatsoever what it is that they have or do, let alone, what kind of data they’re sucking and blowing.

I think at a core level we agree with Chris and disagree with most vendors and other analyst companies in saying that data loss will eventually end up as part of enterprise rights management, but the fact is that we’re talking about a family of technologies here. First I am going to list them, then I am going to say how they don’t stand a chance.

The technologies we think are the center of data loss prevention are:

  • Anti Data Leakage (sniff/crack/grep-awk-regex/shout-block)
  • Disk encryption
  • Database transaction monitoring
  • Port and device control

And can be expanded upon to include enterprise search, content management and the kind of who-touched-what-when-and-should-they-have kinda thing from people like IBM (Consul) and Varonis.
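The ‘grep-awk-regex’ inspection step of the anti data leakage bullet above, as an added example that is not from the post or from any vendor named in it: content inspection in Python that pairs a card-number pattern with a Luhn check, so that a 16-digit order number is not blocked as a primary account number (PAN), and a redaction helper for the ‘shout’ side of shout-block, so the alert itself does not leak the number. The sample messages are constructed; the Luhn checksum and the 13–19 digit PAN length are standard.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit (subtracting 9
    when the result exceeds 9) and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalized (separator-free) card numbers in text that pass Luhn.
    The regex alone would also flag order numbers and phone-like digit runs."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Mask every Luhn-valid card number, keeping the last four digits, so an
    alert or log line can quote the message without re-leaking the PAN."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "****" + digits[-4:] if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(mask, text)


def inspect_message(text: str) -> dict:
    """Policy step: block when a PAN is present, and report a redacted copy
    of the message for the alert (the 'shout')."""
    pans = find_pans(text)
    return {"action": "block" if pans else "allow",
            "pan_count": len(pans),
            "alert_text": redact(text)}


if __name__ == "__main__":
    # Constructed sample messages: a known Luhn-valid test number, and a
    # 16-digit order number that fails Luhn.
    for msg in ["please charge card 4111 1111 1111 1111 for the order",
                "ref order 1234567890123456 shipped today"]:
        print(inspect_message(msg))
```

Running the block shows the first message blocked with the number masked in the alert text and the second allowed, the difference being the checksum rather than the digit count.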

But what does this give us in terms of the fact that, as we said in this post:

Our survey showed that only 37% of commercial enterprises had done work to determine where, physically, data resided within its organization, and 26% had created a data classification scheme with data classifications such as ‘public’, ‘confidential’ and ‘regulated’. Yet enforcement of those classifications was terrible (more than half admitted that it was non-existent). Only 22% of organizations surveyed had conducted any analysis into interdepartmental communication at all.

If we recognize that our data shows that 70% of companies don’t even bother knowing whom their employees are speaking with now, we can state that this is not a technology but rather a cultural problem. Further, when we look at the DLDOS database of known data breaches run by Attrition.org, we see that the channels of leakage for the past year and a quarter are not exactly the ones that we are expecting. Get a load of this chart:

451 Survey versus DLDOS data

This is showing something kind of cool - there’s quite a delta between actual and expected, and this is itself proof only of that! Do we believe that email is such a small channel of data leakage? Can any of the technologies I mentioned above protect against leak or theft by fax machine or snail mail? And how can we engrain more context - from a standpoint of identity, from a standpoint of ERM or DRM - into the process? And how can we make people actually tie the processes by which we do business to the creation of our data to the problem of data loss? These last questions are where things get messy.

New NAC lingo: “embryophagy”

Posted by Paul Roberts on March 24th, 2008 under NAC, Vendor Blather.

embryophagy

  • The act of one embryo cannibalizing another for food in utero; at present only characterized in some species of sharks.

My oldest daughter is a natural history buff and has all kinds of books about animals. Just the other night we were reading about sharks and how little sharks are born. The book mentioned that, in some shark species, there is competition in utero between developing sharks, with larger, stronger embryonic sharks devouring their smaller, weaker siblings. Sand tiger shark embryos are known to do this. It’s been ascribed to Great White sharks, as well — though inaccurately, it is believed.

It’s quite a gruesome image — little babies feeding on each other before they’ve even had a chance to leave the womb. But I think it’s a fitting one to describe what’s going on now in the market for network access control (NAC) technology, following the sudden collapse of NAC startup Lockdown Networks last week. Just today, Lockdown’s competitor Forescout Networks announced a buyback program aimed at Lockdown’s customers (receive a credit for your Lockdown boxes when replacing them with Forescout NAC boxes). That follows similar efforts by other vendors: StillSecure has had a promotion allowing companies to receive dollar for dollar credits to upgrade to StillSecure’s products if they have doubts about the “commitment or viability” of their NAC vendor.

StillSecure’s Alan Shimel reiterated that the option is available to Lockdown customers in a recent blog eulogy for the company. Finally, Enterasys wrote us to say that they will provide “best effort” support for any of their customers who are using Lockdown’s products and a trade-in credit offer for 100% of the value of the Lockdown product for any customer who is willing to migrate to Enterasys’s NAC product.

In a twist on the “their success proves our business model” trick, Enterasys said that Lockdown’s failure proves theirs, to wit:

This situation is unfortunate for Lockdown and its customers, but it is a clear example of the consolidation trend that often follows a new technology as it gains acceptance in the marketplace. It’s also indicative of the risks associated with an enterprise customer investing in emerging technology from a startup vendor. Enterasys firmly believes that NAC is a technology best sourced from network infrastructure companies with a proven track record of meeting customer needs over decades.”

It’s hardly surprising to see competitors leap into the void caused by Lockdown’s abrupt departure from the NAC field. NAC sales cycles are looong, and proven customers are at a premium, so going after them by whatever means necessary is B-School 101. Of course, the question lurking in back of all the rebate offers and other posturing is whether Lockdown (and Autonomic and Caymas) are merely companies that were badly managed or conceived, or if they’re where things in the NAC space are going, generally. We’ve heard variations on that question from more than one VC in the last week.

We here at The 451 are inclined to think that it’s a little bit of both. On the one hand, we continue to hear from end users that NAC, as it’s traditionally been defined, is still something they want, need and are budgeting for — especially around guest and remote user access. On the other hand, it’s clear to pretty much everyone at this point that, when it comes to hot tech sectors, NAC is not the next network firewall or IDS. It’s a complex technology with a lot of moving parts. Similarly, there are a lot of companies with a dog in this fight — including two of the biggest, most powerful IT firms around: Cisco and Microsoft. As we pointed out in our recent Security Quarterly on NAC, that means a few things: existing NAC startups are going to have trouble justifying their level of funding. (Lockdown, at around $20m in venture funding, was on the low end of this scale compared to companies like Autonomic/Vernier, at more than $70m, and a few other NAC competitors). Similarly, the NAC companies that survive on their own are going to need to find a way out of the NAC ghetto that Lockdown found themselves in.

When are you in the NAC ghetto? When you’re at the wrong end of three or four funding rounds, but still addressing a circa 2003 problem — endpoint posture assessment, say — without a convincing story about circa 2008 or 2009 problems that companies have: regulatory compliance, unmanaged devices, virtualization, data leakage, insider threats, and so on. Companies that anticipate going it alone need to find a way to play within larger schemas like Microsoft NAP as drop-in devices that can talk to non-Windows systems, say, or do various forms of post admission posture assessment and policy enforcement.

We’re inclined to believe that fewer NAC startups crowding the field is a good thing for those that remain — if only in that it limits the choices that potential customers have and, perhaps, shortens the sales cycle. But Lockdown’s failure is certainly going to be on the agenda as NAC firms look for follow-on funding rounds this Spring and Summer, like a bad case of indigestion for the companies that are feasting on Lockdown’s remains today.

It’s not just the famous; State will lose your PII, too.

Posted by admin on March 23rd, 2008 under Anti Data Leakage, Breaches, Data Protection, Spin, Stupidity.

As customers of Hannaford stores digested the news that, “Hannaford has contained a data intrusion into its computer network that resulted in the theft of customer credit and debit card numbers. No personal information, such as names or addresses, was accessed. Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions,” the Barre Montpelier Times Argus reported that the breach exposed 4.2 million cards and that company officials had said that about 1800 instances of fraud had been reported.

Whooooo, child! Of course, we’re getting set to roll out our new 451 Group Security Quarterly, Mind The Data Gap, which addresses how businesses can start to look at the problem of leakage, loss and indeed of data security from a standpoint of business processes, not of retroactive technology. The thing is, the news last week of the breach at the US Department of State, in which the passport files of the three leading candidates for president of the United States had been viewed by unauthorized people? The investigation so far reveals the kind of cultural issues we’ve been railing about for more than a year: people doing really, really stupid things. Let’s read the State Department transcript of spokesman Sean McCormack explaining this debacle, shall we? (You could, if you prefer, watch.)

We had talked earlier this morning about our doing a search to see whether or not there were any other unauthorized accesses of any of the other remaining presidential candidates, and our searches turned up two: one incident this past summer where there was a trainee in the Passport Office who had an unauthorized access of Senator Clinton’s passport file. The context in which this happened was that last summer, when we were training new people to come online to help work through that backlog of passports that we had, we brought somebody online. Usually, in these training circumstances, people are encouraged to enter a family member’s name just for training purposes. This person chose to enter Senator Clinton’s name. It was immediately recognized. They were immediately admonished, and it didn’t happen again.

Ah, so as a training exercise, the United States Department of State encourages trainees to breach the privacy of family members. I see…Go on, Sean….

Now, in the case of Senator McCain, we detected earlier this year - I don’t have the exact date for you - one of the same people who accessed Senator Obama’s passport file also accessed Senator McCain’s passport file. This is the same individual who was disciplined but, at this point in time, still remains working with the contractor. So we are reviewing our options with respect to that person and his employment status. [emphasis added]

Currently, Pat Kennedy as well as some other State Department officials are up on the Hill now briefing Senators Obama, Clinton and McCain’s staffs on these incidents. Secretary Rice has, as I said, spoken with Senator Obama. She has also spoken with Senator Clinton. And shortly here, she will be speaking with Senator McCain, who is currently in Paris.

[I especially like the utterly irrelevant reference to Senator McCain being in Paris.]

But wait: the government takes seriously their inability to protect the personal data of the rich and famous…It equally neglects average people like me.

And I have to tell you that we take very seriously the trust that is put in us in safeguarding American citizens’ personal data. It is — there’s a trust relationship there when somebody hands over a passport application or any other sort of application to the U.S. Government. We take that trust very seriously. And we try to put in place sophisticated and elaborate safeguards to make sure that if people break the rules — and we don’t want to see them break the rules, but if people break the rules, that that’s detected and that we can act to punish those people. And that holds not only for notable personalities such as presidential candidates or any other notable people in American society, but for every citizen.

Words fail me. Who’s your data, baby?

The drip, drip, drip from the NAC sector

Posted by Paul Roberts on March 19th, 2008 under NAC, Uncategorized.

The drip, drip, drip in the NAC sector that started with Vernier Networks’ hard reboot as Autonomic Networks in late 2007 continued on Tuesday when Lockdown Networks, a Seattle-based NAC appliance vendor, posted a notice on its Web site that it was ceasing operations, effective immediately. The notice, which looked more like a defacement a la Zone-H than a proper piece of business communications, confirmed much of what we and other NAC industry watchers have been saying for a while:

“Due to overall economic trends and slower than predicted adoption of Network Access Control (NAC) technology, the company was unable to raise additional sufficient venture capital to continue. Lockdown is contacting customers and partners directly to provide more information.”

Putting aside the stuff about “overall economic trends” — ’cause I don’t know how $4 gas really impacts the network access control market — the crux of Lockdown’s problem was slower than anticipated adoption of NAC technology, coupled with a long and expensive sales cycle. As we noted in our recent NAC Quarterly Report, “without a compelling reason to rush NAC into place, and given the confusion over what NAC architecture – infrastructure, appliance (in-line, out-of-band), client or ‘other’ – would win out, most enterprises decided to wait out the storm of competing vendor claims, acronym-hobbled standards groups and shoddy 1.0 product releases. That left vendors like Nevis and Autonomic sucking air with slow customer growth (Nevis still counts fewer than 100 customers) and taking lots more investment rounds to stay afloat.”

We anticipated a gradually improving market for NAC technology vendors, but rough waters for companies — like Autonomic, Lockdown and others (we could name Consentry, Nevis, and others) that have staked their survival on broad, enterprise-wide adoption of NAC technology — something we don’t see happening in 2008, or even 2009. The shakeout in the NAC industry is upon us. The only question is which will be the next apple to drop from the tree.

In App Security: a Code Red, Katrina, or Barings?

Posted by Paul Roberts on March 13th, 2008 under Penetration Testing, SaaS, Speaking Gig.

I’m writing from the floor of the Source Boston 2008 security conference here in Cambridge, Mass (would it have been more accurate to call it Source Cambridge?). I had the honor to participate in a panel discussion, Web Application Security from the Front Lines, with a distinguished bunch, including Jeff Williams of OWASP, Jeremiah Grossman of Whitehat Security and Robert Hansen of SecTheory.

As the show’s organizers rightly noticed: this is a space with a lot of hype. Just in the last year, we’ve seen close to $250 million in M&A around Web application security — and that with just two companies: Watchfire and SPI Dynamics. It’s widely expected that there will be more activity in this space in the coming years, and also more players (such as Qualys and Outpost24) throwing their hats in to the Web application testing ring.

But, like any crowded market, there’s also a lot of confusion. There are source code analysis companies, Web application scanning companies, vulnerability scanning companies, and application firewall companies, just to name a few. And that’s as it should be — after all, the application security problem is a child with many fathers: loose application coding and quality assurance practices, the balkanization of the networking, endpoint management and security practices within many enterprises, wide open protocols and overly engineered standards, poor user awareness, lack of accountability, toothless (and toothy) regulations…professional and profit-minded hackers, just to name a few.

There’s a lot to debate (“Which is better: white box or black box app testing?”) and a lot not to debate (“Is the PCI DSS driving interest in application security?”). Do you focus most on SDL strategies or better QA and audit? Or do you focus on security around deployment? The answer, frankly, is “yes.” The larger question — and the one that was most hotly debated — was “What is it going to take to change the culture of good enough application security that currently holds sway?” Answers from the panel varied, with some folks suggesting that lawsuits (that tried and true “change agent” in American culture) would force companies to accept legal liability for the consequences of software hacks and data breaches, and thus force the vendors that sell to them to get serious about developing secure products. Jeremiah thought that a big enough Web application attack might wake companies up, just as outbreaks like Code Red, Blaster and Slammer did. Others (Jeff, I believe) hypothesized that a major hack of SCADA systems could paralyze critical infrastructure and wake society up to the dangers of loosely written and managed applications. I — and others on the panel — were of the opinion that it would take a major financial collapse linked to compromised systems to drive home the point about application security, just in the way that the illegal futures trading that brought down venerable Barings in the UK raised alarm about the need for better internal controls and risk management. To date, we haven’t seen that. In fact, even mind blowing compromises like that at The TJX Cos. have barely affected earnings or stock price.

Or perhaps the answer is that there will never be wide acceptance of the need for application security testing and secure coding practices – maybe the costs will always outweigh the benefits for the rank and file. After all, as more than one Source Boston attendee pointed out to me — we never got security right in Web 1.0, so why should we expect things to be any better for Web 2.0?

We’re not that pessimistic. In our conversations with vendors and with bleeding edge enterprises, many with their own, internal software development groups, we see tremendous changes: more emphasis on secure coding practices and wider use of a variety of testing tools. Security testing is moving from post deployment to QA to development, increasing the quality of finished products. Fast, cheap and out of control app development might never go away, but we expect that in the years to come they’ll be more the exception than the rule.

Postini: compliance, data leaks are top concerns in ‘08

Posted by Paul Roberts on March 11th, 2008 under Breaches, Data Protection, SaaS.

We here at The 451 are generally suspicious of vendor-sponsored research — those supposedly objective surveys and studies that are underwritten by one technology vendor or another. That shouldn’t be any surprise — after all, the results of those surveys often track closely enough to the product pitch of the sponsoring company to make you wonder whether they weren’t preordained, or whether the questions asked weren’t tailored to produce responses that reinforce the sponsor’s marketing message. (”McDonald’s survey of 1,000 diners finds strong support for beefier, cheesier burgers!”) Still, in the IT sector, these surveys sometimes can capture a kind of zeitgeist among enterprise IT personnel, especially if you read across them to see the kinds of things companies are surveying, rather than down to see what conclusions they reach. The recent Communications Intelligence Report from Google/Postini is one example.

At a very basic level, this report is about stoking the fires under security SaaS (software as a service), such as antispam and messaging security services, which Postini sells. There are lots of graphics and factoids to suggest that enterprises are overwhelmed by the volume of messaging-borne attacks, and fed up with the overhead and cost of point solutions to deal with them. (The solution: SaaS products from Postini! Ta Da!) But there are some interesting conclusions in here, as well. One item worth noting is the stress that rapid increases in malicious spam traffic are putting on IT departments. Postini’s own data shows that spam volume increased more than 100% in just one seven-day stretch in August 2007. More troubling: spikes in spam volume are intense and random, making it nearly impossible for companies to plan. The survey of 575 global CEOs, CIOs and CTOs notes that keeping up with messaging volume was the biggest single concern among messaging experts.

The depth of compliance woes that enterprises are facing also popped off the page in Postini’s report. Regulatory compliance was the most oft-cited productivity drain for IT personnel (46%), outpacing even system upgrades. Furthermore, compliance was the top priority listed by respondents in the finance and healthcare verticals, while stopping malicious code outbreaks was still the top priority in the government and professional services verticals.

As for what’s ahead: Postini predicts that spam volume will stabilize and maybe even decrease in 2008 as spam attacks get more targeted. Given that the company just got through saying how unpredictable spam spikes are, however, I’m not sure how it could possibly back up such a conclusion.

More important: Postini expects more businesses to look into technology for filtering outbound messaging content and doing policy enforcement on outbound traffic to stop data leaks. In a related note: Google expects more adoption of encryption and message archiving.

Again, many of these conclusions seem tailored to reinforce Postini’s marketing message that security SaaS is in its ascendancy. But there’s a fly in the ointment, as well: a bare majority of respondents (53%) said that they don’t use any form of SaaS, with 32% of those saying that they feared a loss of control over a specific IT function. Another 26% of those surveyed said they couldn’t think of a reason to switch to a SaaS solution.

In other words, even if Postini is right about what’s coming in 2008 (and we’re inclined to believe that they’re more right than wrong), the company and its SaaS brethren will still have some selling to do to convince enterprise IT folks to turn on the “devil they know” and go with a SaaS alternative.

30-Gbyte DDoS: Geer & Conway 0pine on meaningful metrics

Posted by Nick Selby on March 7th, 2008 under Security Metrics.

Taking a page (literally) from Dan Geer and Dan Conway’s article in the January / February issue of IEEE Security & Privacy, we’re gonna make like Pablo Picasso and steal – well, not steal, but at the very least reference – yeah, that’s it – Geer and Conway’s new 0wned Price Index (the 0PI). This is a fabulous piece of work that Geer discussed on Andrew Jaquith’s popular Security Metrics mailing list.

(Jaquith, a Yankee Group analyst, is author of Security Metrics: Replacing Fear, Uncertainty, and Doubt, which we recommend highly.)

Not to steal the Dans’ thunder, the 0PI has been selected with a basket of g00ds thusly:

To initiate our 0PI we chose what’s given on day one, a verified Pay Pal account with email access, up through day 12, a compromised Juniper router, to have the same ordering by unit price as the items found in the [PriceWaterhouseCoopers Christmas Price Index, or XPI] and/or the famous “12 days” song.

The piece and the concept are fantastic, and free to subscribers and IEEE members. The Dans promise to seed their future For Good Measure columns with gems of metrics, like the three they put in this month - including:

[T]otal value of extant US social security numbers at today’s black market price: $8.375B.

This is great stuff and possibly itself worth joining IEEE to see regularly.
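For readers who want to see how a fixed-basket index like the 0PI (or the PwC Christmas Price Index it is modelled on) is actually computed, here is a small Python illustration. It is an added example, not the Dans’ code or their published numbers: the basket below keeps only the two items the column names (the day-one PayPal account and the day-twelve Juniper router) and fills the gap with two hypothetical items, and every price in it is constructed for the example. It also checks the one design rule the quote above states, that the “12 days” ordering must match the ordering by unit price, and shows that the rule can quietly stop holding once prices drift in a later period.

```python
"""Fixed-basket (Laspeyres-style) price index in the spirit of the 0PI.

Added example. Items, quantities and prices are CONSTRUCTED for
illustration; they are not Geer and Conway's published basket or figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Item:
    day: int              # position in the "12 days" basket; quantity == day
    name: str
    base_price: float     # constructed base-period unit price, USD
    current_price: float  # constructed later-period unit price, USD

    @property
    def quantity(self) -> int:
        return self.day


# Constructed illustrative basket (NOT the published 0PI basket or prices).
BASKET = (
    Item(1, "verified PayPal account with email access", 10.0, 12.0),
    Item(2, "stolen payment card number (hypothetical item)", 15.0, 12.0),
    Item(5, "compromised bot host (hypothetical item)", 40.0, 55.0),
    Item(12, "compromised Juniper router", 300.0, 270.0),
)


def basket_cost(basket, period="base"):
    """Total cost of buying the whole basket at one period's unit prices."""
    return sum(item.quantity * getattr(item, f"{period}_price") for item in basket)


def price_index(basket, scale=100.0):
    """Index level: cost of the fixed basket now, relative to the base period.

    Base period == scale (100 by convention); > 100 means the underground
    market got more expensive, < 100 means it got cheaper.
    """
    return scale * basket_cost(basket, "current") / basket_cost(basket, "base")


def ordered_by_unit_price(basket, period="base"):
    """True if day order equals strictly ascending unit-price order.

    This is the XPI/0PI design rule quoted in the post; it is chosen for the
    base period and is not guaranteed to survive later price movements.
    """
    prices = [getattr(i, f"{period}_price") for i in sorted(basket, key=lambda i: i.day)]
    return all(a < b for a, b in zip(prices, prices[1:]))


def contributions(basket):
    """Each item's contribution (index points) to the move from 100.

    The contributions sum to price_index(basket) - 100, so this shows which
    goods drove the change rather than just that it changed.
    """
    base = basket_cost(basket, "base")
    return {
        i.name: 100.0 * i.quantity * (i.current_price - i.base_price) / base
        for i in basket
    }


if __name__ == "__main__":
    print(f"base basket cost:    ${basket_cost(BASKET, 'base'):,.2f}")
    print(f"current basket cost: ${basket_cost(BASKET, 'current'):,.2f}")
    print(f"0PI-style index:     {price_index(BASKET):.1f}")
    print(f"ordered by unit price (base):    {ordered_by_unit_price(BASKET, 'base')}")
    print(f"ordered by unit price (current): {ordered_by_unit_price(BASKET, 'current')}")
    for name, pts in contributions(BASKET).items():
        print(f"  {pts:+7.3f} pts  {name}")
```

The caveat the last check surfaces is the one a metrics practitioner should care about: a basket that is pleasingly ordered on day one (here the base-period prices rise with the day number) can lose that ordering as soon as two goods swap price, so the ordering is a presentation choice, not an invariant of the index. The contributions breakdown is also the part that makes such an index actionable, since a headline move of a few points says little until you know whether cheap, high-quantity goods or one expensive item drove it.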