Archive for the ‘Technology’ Category

Are you still using Excel for risk assessment?

June 18th, 2010, by admin

There is a school of thought that says you can take any complex problem and break it down like Swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can't be Swiss-cheesed. A collection of brittle, unwieldy, two-dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise has a minimum of 4 dimensions (assets, threats, vulnerabilities and controls), and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database. PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of security analysts using it actively on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

  • Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application, available as freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is a minimum requirement for risk management, but not a sufficient one.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the certification process can be as simple or as involved as an organization wants, but there are always far more available controls than threats. As a result, organizations large and small find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing, or you can try to achieve the most effective purchasing and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (firewalls and proxies) and installing advanced application security products is never a free lunch: it tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of applying inappropriate countermeasures to threats is that the cost of attacks and of security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in the client's specific business environment. A company can then execute an implementation plan for security controls consistent with its budget, instead of using an all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.
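A small worked version of the four-dimensional quantitative model discussed above, added here as an example (it is not PTA's own model or code): assets, threats, vulnerabilities and controls are held in a structure rather than in worksheets, expected annual loss is computed from asset values in money terms, and controls are ordered by risk reduction per dollar in a what-if loop that also shows how a control can add nothing on its own. The risk formula, the rule that a threat stays live while any of its vulnerabilities is open, the greedy ordering and every name and value in the sample model are assumptions constructed for the example.

```python
"""Toy quantitative threat model over four dimensions: assets, threats,
vulnerabilities and controls. Added example, not PTA's own model or code: the
risk formula, the enabling rule and the greedy ordering are simplifying
assumptions, and all sample values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str                  # asset the threat damages
    annual_probability: float
    damage_fraction: float      # share of the asset's value lost per event
    vulnerabilities: frozenset  # threat stays live while ANY of these is open


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    mitigates: frozenset        # vulnerabilities this control closes


def annual_risk(assets, threats, open_vulns):
    """Expected annual loss: probability x asset value x damage fraction,
    summed over threats that still have at least one open vulnerability."""
    total = 0.0
    for t in threats:
        if t.vulnerabilities & open_vulns:
            total += t.annual_probability * assets[t.asset] * t.damage_fraction
    return total


def prioritize_controls(assets, threats, controls, budget):
    """Greedy what-if analysis: repeatedly pick the affordable control with the
    best risk reduction per unit cost, re-evaluating after each pick (a control
    can be worthless alone yet valuable once another closes the other path to
    the same threat). Returns ([(name, reduction, cost), ...], residual risk)."""
    open_vulns = set().union(*(t.vulnerabilities for t in threats))
    remaining, plan = list(controls), []
    while remaining:
        baseline = annual_risk(assets, threats, open_vulns)
        best, best_ratio, best_gain = None, 0.0, 0.0
        for c in remaining:
            if c.cost > budget:
                continue
            gain = baseline - annual_risk(assets, threats, open_vulns - c.mitigates)
            if gain / c.cost > best_ratio:
                best, best_ratio, best_gain = c, gain / c.cost, gain
        if best is None:  # nothing affordable still reduces risk: stop here
            break
        plan.append((best.name, best_gain, best.cost))
        open_vulns -= best.mitigates
        budget -= best.cost
        remaining.remove(best)
    return plan, annual_risk(assets, threats, open_vulns)


# Constructed sample model: values in dollars, probabilities per year.
ASSETS = {"customer_db": 2_000_000, "source_code": 5_000_000}
THREATS = [
    Threat("insider copies customer records", "customer_db", 0.30, 0.50,
           frozenset({"no_dlp", "excess_privileges"})),
    Threat("malware exfiltrates source tree", "source_code", 0.10, 0.40,
           frozenset({"no_dlp", "unpatched_endpoints"})),
    Threat("web app breach dumps customer db", "customer_db", 0.20, 0.80,
           frozenset({"unpatched_webserver"})),
]
CONTROLS = [
    Control("endpoint DLP agent", 150_000, frozenset({"no_dlp"})),
    Control("identity management rollout", 400_000, frozenset({"excess_privileges"})),
    Control("patch management", 60_000,
            frozenset({"unpatched_endpoints", "unpatched_webserver"})),
]


def run_example(budget=600_000):
    """Ordered control plan and residual annual risk for the sample model."""
    return prioritize_controls(ASSETS, THREATS, CONTROLS, budget)
```

With the constructed values, run_example() picks patch management first, then the DLP agent (which reduced nothing while the endpoints were unpatched), and stops because the identity management rollout no longer fits the remaining budget.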

What is the value of a trade secret?

April 30th, 2010, by admin

My guess is that the value of software patents is on the decline, taking value as the net of the economic upside of the software patent less the cost of patent development, application and enforcement.

The dynamic is that the benefit from patent protection in the software industry is less than the cost of patent development, application and enforcement (see Bessen and Meurer, “Patent Failure”). The key area today where IP protection has a positive ROI is chemical formulations, i.e. the bio-pharma industry. Since most of the patents applied for or issued in the past 10 years have been related to software and algorithms, it follows that the adage “You can fool some of the people some of the time but not all the people all the time” is taking effect.

Protecting software-related intellectual property is extremely difficult – the boundaries are unclear, the algorithms are similar and people are mobile.

The patent application and registered patents are publicly available for perusal by anyone.  So it is not a privacy/compliance/data security issue at all.  The information is out there.

What is not out there is the implementation. In the bio-pharma industry, that means the recipe for making the vaccine; in the software industry, it's writing the software that will be secure, reliable, scalable and friendly to users.

Writing secure, reliable, scalable and maintainable software is a non-trivial exercise.

There is a huge gap between a software patent and the software implementation. On one hand, from the perspective of a patent as a digital asset, the vulnerability of patent disclosure is zero (since it's disclosed already by the patent offices). On the other hand, a company's actual implementation source code and techniques may be worth a lot of money: the value of the time, know-how and software management invested, and the potential downside if a competitor got a copy of the source and implementation technique and jump-started his development process.

My first recommendation to a technology company doing cutting-edge software development is to use DLP to protect your source code, since this is one of the easiest DLP implementations to do. The prices of DLP products are going down, and $150k/year of DLP implementation and operations is cost-effective when you have a few million invested in the implementation.

There are other security countermeasures against leakage of source code and implementation, such as false flags and changing your source code very quickly through agile implementation. Source code that was stolen 6 months ago is not worth much when a company cycles every day and builds a new release every morning at 8:30.

US bashing Toyota for displacing GM as #1

April 30th, 2010, by admin

There is a reason why GM is in trouble and Toyota has displaced GM as the number one automobile manufacturer.

Here is a piece from a colleague and friend, Todd Walzer. Todd and I worked together at Intel Fab 8 in Jerusalem in the 80's.

Working at Intel Jerusalem in the 1980s, we were all in awe of Japan. Quality Circles, Just-In-Time Manufacturing – Japan was way ahead. 20 years later, it's still a quality-first country, but there are a few chinks in the armor.

Recently I paid a visit to a top-tier automaker's factory. After the factory-floor discussions, we walked over to the office building, which maintains a traditional “lean and mean” atmosphere. Little more than a tin hall, with lines of desks in open space, lights switched off by sensors above unmanned desks. The small open-space “meeting area” has high tables with no chairs. Meetings are held standing up – short and to the point.

In the meeting area is a bulletin board, and one posting caught my eye.  It was a list of “This Month’s 10 Worst Suppliers”, replete with graphs and defect counts.

I can't recall this methodology from any of my business school textbooks, and I'm still not sure what to make of it. One way or another, it left an impression on me. I bet it made an even greater impression on those 10 companies.

The recent Toyota crisis is not without its cultural hypotheses on the Japan side. “The U.S. is bashing Toyota for displacing GM as #1.” “Toyota's failure stems from adopting too many foreign parts suppliers as part of its aggressive expansion.”

The Japan economy, stagnant the past 20 years, is in need of positive thinking. I expect a turnaround with the change of generation, in 5-10 years' time. My modest wish: on a future visit to this factory, I hope to see a Best Ten Suppliers List tacked up next to the Worst Ten.

Where the Americans are focussed on finance, bonuses and Obamacare, the Japanese are still focussed on quality and manufacturing, having adopted Deming's philosophy of Total Quality after WWII. The Americans are adrift on their own home turf, printing money to fund socialist public policy and setting world records in executive fraud and data security breaches. The Japanese may need more positive thinking, but in my opinion the Americans need to get back to the basics of innovation and quality manufacturing.

Do you have a business need for DLP?

February 19th, 2010, by admin

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.

The Book of Balance and Harmony (Chung-ho chi), a medieval Taoist book

Will security vendors, large and small (Symantec, McAfee, nexTier, ANBsys and others), succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

  • Human error – cc’ing a supplier by mistake on a classified RFP document
  • System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
  • Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
  • Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most customers have a high awareness of DLP products, but fewer (especially outside the US) are buying DLP technologies, and even fewer are succeeding with their DLP implementations. This stems from customers' and vendors' inability to answer two simple questions:

  1. Who is the buyer?
  2. What is her motivation to protect information?

A common question I hear from my clients is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants, or our IT outsourcing vendor, IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence), the company is not going to buy DLP technology.

The business need for data security derives directly from  the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

Typical data security drivers and decision-makers by industry:

BANKING
  Typical data security drivers:
  • A real event, such as theft of confidential customer account information by trusted insiders
  • Privacy regulations such as the Gramm-Leach-Bliley Act and HIPAA
  • The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
  Decision-makers: CSO or CIO

CREDIT CARD ISSUERS
  Typical data security drivers:
  • Ongoing theft of customer transactional information by customer service reps
  • Data breach threat to credit card numbers that haven't yet been printed on plastic cards and issued to card holders
  • Privacy regulations, Sarbanes-Oxley, nondisclosure agreements with business partners
  Decision-makers: the security officer or information security officer (many issuers have separate functions for physical and information security)

INSURANCE
  Typical data security drivers:
  • A real event, such as theft of customer lists by competitors
  • Fear of losing actuarial data
  • Exposure to data leakage of credit card numbers in online systems
  Decision-makers: general counsel, VP of internal audit, CFO

PHARMACEUTICALS
  Typical data security drivers:
  • Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
  • Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings
  • Sensitivity of company records during due diligence processes
  Decision-makers: general counsel, CFO, chief compliance officer

TELECOM/ONLINE BUSINESS
  (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
  Typical data security drivers:
  • Prepaid code files
  • Pricing data
  • Strategic marketing plans
  • Call detail records (analogous to credit card transaction records; these are extrusions by customer service representatives to private investigators and are difficult to detect)
  • Customer credit card records
  Decision-makers: VP of internal audit, VP of technologies

HEALTH CARE
  Typical data security drivers:
  • Privacy regulations/HIPAA
  • Need to protect pricing data of drugs and supplies purchased by the health care organization
  Decision-makers: CSO, VP of internal audit

TECHNOLOGY COMPANIES
  Typical data security drivers: theft of
  • Source code
  • Designs, pictures and plans of proprietary equipment
  • Strategic marketing plans
  Decision-makers: CEO, CTO

Is social media crap for business?

December 22nd, 2009, by admin

A recent post by Kevin Conway on LinkedIn drew over 500 responses to his somewhat dramatic statement that Social Media for Business is CRAP:

Maybe because my feeling for the hyped-up benefits of social media was recently confirmed by a top millionaire online guru. If you follow the most successful gurus his name is always at the top of the list. As a matter of fact, he was the first online entrepreneur to make a MILLION $$ in a day. That said, recently he published a PDF where he said “I think social media Su-ks”. When I read that I felt a sigh of relief, “maybe I am not off the tracks after all”. You see when you don’t “follow the pack” you tend to sometimes feel like you are going down the wrong path or at least missing an opportunity. Now, I must admit I use all the major social media outlets including Twitter, Facebook, Squidoo, etc, etc. However, not for direct marketing. And, even though I publish new product releases on Twitter, analytics tells me no convertible traffic comes from that source or Facebook. My primary use of social sites is for building backlinks, but that is for SEO purposes. And, of course the added exposure. i.e. “branding” doesn’t hurt.

I believe that there are several fundamental principles that Kevin and over 500 responses ignored:

ONE – “The media must fit the product”
If you are pitching 6-figure enterprise rights management systems on Facebook, then yes, social media is crap. But if you are pitching consumer/personal oriented products, like fitness, fashion and self-improvement, you are in the right channel. And even though they are at the long tail, do not forget that even the geekiest IT managers are on Facebook and they are always in buying decision mode.

TWO – “Social software is not Social media”
It is a common misconception to confuse open undifferentiated/uncontrolled social media like Twitter and Facebook with social networking software which is used for the most serious and professional applications from catching terrorists to helping medical sales professionals interact with their doctor customers.

Social network software can be used in serious B2B domains leveraging the network effect to generate 10x customer contacts – since it works in parallel – not in serial.

THREE – “Better to market to targeted people than to undifferentiated keywords”
My own experimentation using Twitter to build B2B communities in a particular niche showed me dramatically that social media is 3 orders of magnitude more effective at generating leads than Google AdWords.

The reason is simple – people with well defined interests are much better targets than content keywords.

Pharmaceuticals and Kirby vacuums: The last bastions of door-to-door sales?

October 21st, 2009, by admin

My research article, “Social software – Reconstructing the market boundaries of pharmaceutical sales”, was published yesterday on the rapidly growing UK healthcare site PharmaPhorum. It is one of my first forays outside the data security space in a long time, but a direction with the potential to make a big change in the way pharmas sell drugs:

Pharmaceuticals and Kirby vacuums: The last bastions of door-to-door sales?

A medical representative operates in the center of a “cluster” of doctors that they personally know and meet with face-to-face. The power of social networking relative to conventional online marketing stems from a social view of learning, where understanding is socially constructed and the message we get is actually less important than whom we get it from.

Social and medical may be a perfect fit, but how will social influence medical sales?

Free agent DLP from Sophos

October 20th, 2009, by admin

Sophos has announced that they will soon include endpoint data loss prevention functionality in their anti-virus software. Because the functionality was developed in-house, Sophos will have an independent offering, unlike Websense, RSA, Symantec, Trend Micro and McAfee, who all purchased DLP technology and have integrated it into their product lines with various levels of success (or not).

The Sophos move to include agent DLP functionality for free is a breath of fresh air in a data security industry long known for long-winded, heavy-handed, clumsy and frequently amateurish attempts to turn the waves of data breaches into a franchise that would drive sales of products purchased from visionary DLP startups.

Sophos is known to be independent and may not be inclined to partner with other pure-play data security vendors like the network DLP company Fidelis Security Systems. They may not have to partner if the play works well.

Beyond strategic speculation, the Sophos move should give customers a very good reason to ask why they should spend $80-150 for a Verdasys Digital Guardian agent, or $40-80 for McAfee agent DLP software.

If Sophos can do a solid job on detecting and preventing loss of digital assets such as credit cards or sensitive Microsoft Office files at the point of use, then free looks like an awfully good value proposition.

Consider also the recent deal that Trend Micro did at Israel Railroads for almost free ($10/seat) for 2500 seats (Trend can't be making money on that transaction): free or almost-free is not a bad penetration strategy if it gets your agent on every desktop in the enterprise and you get footprint and recurring service revenue for anti-virus.

I know I will be taking a close look when the software is released.

The death of Google Adwords

October 19th, 2009, by admin

I don’t really understand why anyone would want to pay Google money for Adwords.

I ran a little experiment recently to promote our web sites using Google Adwords and Twitter.

Here are the results:

The results of my little online marketing experiment show a huge advantage for Twitter with focused search phrases in bios over Google adwords with carefully chosen keywords.

Google Adwords
  • 650 extra hits in 4 weeks
  • 1 hour setting up 2 ads
  • Campaigns ran for 4 weeks, cost 1100 sheqels
  • Hit relevance: none (the keywords people actually used to arrive at the site were not the keywords I chose)

Twitter
  • 2000 extra hits in 1 day
  • 5 minutes in Twitter to create a user, security_expert
  • 1 hour in Twellow search looking for CSO, CISO, Chief Information Security, Security Director etc. in bios (about 300 people)
  • 5 minutes posting 5 tweets from my blog
  • Campaign ran 1 day, cost: 0 sheqels
  • Hit relevance: good, no spam on the blog in this 24 hour period (good sign…)

Now I have to explain to my wife why I wasted 1100 sheqels on Google instead of (insert requirement here).

Japanese mobile carrier Willcom on the skids

October 9th, 2009, by admin

I was in Moscow this week and was pretty disappointed with the Beeline WiMax offering, which basically didn't work in the area where we were staying (not far from Mendeleevska Metro station).

WiMax is not there yet and mobile data is still shaking out. According to my buddy Todd Walzer (Todd lives in Tokyo and is a managing partner in www.iland6.com Capital and Development Co., Ltd):

Japan’s phone carriers have been managing this recession pretty well. NTT even recovered the #1 position in corporate profits from Toyota Motors.

However the 4th largest mobile carrier – Willcom – is in deep trouble.

Willcom entered the Japanese equivalent of Chapter 11, and the company is being restructured under legal supervision.

Willcom started in 1990, and has operated a PHS (Personal Handiphone Service) network. Thanks to the cost advantage of this “half-duplex” technology, Willcom could keep a 5% share of Japan's 100 million subscriber mobile voice market until 2 years ago. It was a pioneer of wireless data services, and an early leader in that market.

But PHS remained a niche technology adopted marginally in Japan and China, while Willcom's competitors DoCoMo, AU and Softbank adopted CDMA with economies-of-manufacture from worldwide deployment. Meanwhile, newcomer EMobile leapfrogged Willcom's data rates with an HSDPA service.

In 2007-8, Japan's Ministry of Communications made two “Broadband Mobile” licenses available, and Willcom applied proposing a “Next Generation PHS” network. The ministry favored this “Made-in-Japan” technology and awarded Willcom a license. But Willcom has struggled to bring off development of a platform with few prospective users worldwide. It buckled under the $Billion+ development cost, on top of its existing $Billion+ debt.

Meanwhile the other licensee UQC (a consortium led by KDDI) deployed its WiMAX service on schedule.

Is security a washing machine?

August 4th, 2009, by admin

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It's always a 4 step cycle, like Symantec's DLP “Discover, Monitor, Protect and Manage”, and it's usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s like a washing machine cycle that never stops, intent on keeping you from going home.  It’s also a sales cycle focussed on sustaining subscription revenue rather than protecting information.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.

Modern security tools from companies like Qualys and Beyond Security are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected.

With reported data breaches up nearly 50% in 2008, and security budgets that shrank drastically in 2009, you need to measure how well a product reduces Value at Risk in dollars (or in euros), and how well it will still do 3 years after you buy the technology.

In order to help make that happen we will host a free weekly online workshop on data security best practices every Thursday, 15:00 GMT, 16:00 Central European Time, starting Thursday September 3, 2009.

This series of workshops is designed to help you and your team take a leadership role in the board room instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods, we teach you how to quantify threats, value your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.