NoSQL Security - What is the real story?
January 25, 2012 05:06 AM PST

The NoSQL market has grown at a torrid pace over the last few years. Like many red hot tech sectors, the leaders are so busy running at full speed ahead that no one has time to stop and smell the flowers. Capturing customers and market share in order to seize market leadership, and responding to customers' requests to close the sale, is paramount.

Usually it is only later that additional features get layered in. Of course we in the security industry have seen all too often when security is one of these afterthoughts that gets layered in after the fact. Usually when it is too late and some bad things have already happened.

In the NoSQL space the debate about security has already begun. There have been several articles about whether or not NoSQL is in fact secure enough for its mission.

Against this backdrop I have a great panel for today's Open Network podcast. From the NoSQL space, Dwight Merriman, CEO and founder of 10Gen, makers of MongoDB and James Phillips, founder of Couchbase. From the security space we have none other than Rich Mogull and Adrian Lane of Securosis.

It was a great discussion, but some of the frustration of the security industry about not making security a higher priority came to the surface. Dwight and James did a great job explaining how they are running as fast as they can to keep up, but the customer is king.

This is a longer podcast running about 40 minutes. But I think it is well worth your time. Enjoy!

Pen Testing, Vulnerabilities and Risk Management
January 23, 2012 08:10 AM PST

Continuing my series on Risk, I am very lucky to have another great panel on this episode of the Security.Exe podcast. I am joined by HD Moore, founder of Metasploit and CSO of Rapid7, Ron Gula, CEO and CTO of Tenable Network Security and last but not least, once again, Jody Brazil, founder and President of Firemon.

Ron, HD, Jody and I discuss Risk, CVSS, pen testing as part of a risk management strategy and what are some of the biggest issues around risk management today.

It is always great to have intelligent people to discuss the issues with and this panel is top notch!

Hope you enjoy.

MapR's John Schroeder talks Hadoop and Big Data for 2012
January 20, 2012 05:39 AM PST

This episode of the Open Network is with John Schroeder, founder and CEO of MapR, who distributes a high powered version of Hadoop. Hadoop and Big Data are red hot and getting hotter. What does 2012 have in store for them? What about whispers around the security of Big Data? With so many players, consolidation is bound to happen.

Listen in to this 15 or so minute conversation and hear what John, a pioneer in the Hadoop industry, has to say!

Risk, Risk, Risk!
December 19, 2011 08:46 AM PST

In order to manage risk correctly we have to be able to measure it. In order to measure risk correctly, we need to be able to define it. Even something as elementary as defining risk can create questions and ambiguities. So where do we begin and how do we figure this out?

I am joined by a great cast to discuss these questions and more on this episode of Security.Exe. Alex Hutton, formerly of Verizon and now with a top 25 financial institution, joins me, along with Ben Tomhave (@Falconsview) and Jody Brazil of Firemon.

We spend just over a half hour defining risk, talking about ways to measure and manage it and what you can do.

I am always invigorated when I listen to smart people discuss a subject I am interested in. I was very invigorated and excited being part of this podcast.

Enjoy!

The Open Network: Blazemeter brings SaaS-based Load and Performance Testing
December 06, 2011 10:50 AM PST

Blazemeter announced today that they have closed on a 1.2 million dollar series "A" round of financing to bring the first enterprise class SaaS based load and performance testing to market.

Using the cloud and based on the popular Apache JMeter project, Blazemeter will make life much easier for testing and QA teams.

Alon Girmonsky, CEO and founder of Blazemeter, says, "In the same way that AWS introduced EC2 based on XEN and Heroku created a cloud focused on Ruby, BlazeMeter has created a cloud that focuses on load testing and is 100% compatible with the open-source JMeter. We’re using the cloud to answer the need for a powerful, inexpensive, do-it-yourself load testing solution."

I had a chance to sit down with Alon and discuss Blazemeter, SaaS, the cloud and open source.

Enjoy!

Have We Got Risk All Wrong? Risk Analyzer From Firemon
December 01, 2011 06:51 AM PST

Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder. An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?

We have settled on a formula for risk being:

Risk (R) = Threat (T) x Vulnerability (V)

But is that the correct formula to use? Are there other factors that need to be considered?

I am joined on this podcast by Jody Brazil, President of Firemon and Gary Fish, CEO of Firemon to discuss these questions in light of Firemon's new Risk Analyzer product.

Risk Analyzer offers a new way to look at risk, using risk based scenarios. Introducing concepts such as reachability, exposure and asset value into the equation gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks to make us more efficient.

As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. I am very excited by what it offers and I think you will be too.

Have a listen as I discuss this with Jody and Gary.

Also be advised that there was a clicking in the recording (which we obviously didn't know about). I have done my best using my not very considerable sound engineering skills to remove it. It is still there, but it is the best I can do and I thought the quality of the conversation was much more important than the quality of the sound.

Enjoy!

Simon Crosby: Virtualization Is A Great Opportunity For Security
November 15, 2011 08:54 AM PST

Security by the cloud for the cloud and via the cloud is an idea whose time has come. Simon Crosby, CTO of cloud security start up Bromium, thinks so anyway. Of course Crosby knows something about cloud, virtualization and security. His previous stints include being CTO of Xen and Citrix's virtualization divisions.

Simon was one of the first people talking about cloud security and has been a leader in the space ever since. He says that virtualization and the isolation features which are part of it give us a chance to do security better than ever before. This is why security in the cloud represents a chance to do security better.

Listen in as Simon talks to me about virtualization, security, the cloud and open source.

This will be posted on Network World as well, but Secure Cloud Review listeners are getting this early peek.

Rackspace Cloud Builders Bringing OpenStack To A Cloud Near You
November 11, 2011 06:32 AM PST

This week I wrote about CM-aaS (cloud management as a service). I was talking about the private cloud edition of OpenStack offered by Rackspace Cloud Builders. Find out more about this from the GM and de facto CTO of Cloud Builders

Metrics and Security - What Should You Focus On?
October 28, 2011 07:43 AM PDT

Metrics in security have been a hotly debated topic for some time. But this episode our panel takes another look. I am joined by Raf Los of HP, Elizabeth Martin of Red Legg, Eric Irvin of Alert Logic and Will Gragido of TippingPoint/HP to discuss what metrics make sense.

Of course we could probably talk all day and night and not come to a definitive conclusion. But it is a fun and informative 30 minutes with some really bright people.

Enjoy!

Security Below the Poverty Line with Wendy Nather of The 451 Group
October 17, 2011 08:18 AM PDT

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone. One of them is that security is hard and seems to be getting harder. As a result security is also very expensive. So expensive that only the largest of organizations who put a high value on securing their assets can afford it. In fact some studies show that large organizations spend an average of about 3.5 million dollars a year on security. Frankly, even that is not enough given the current state of cybersecurity. But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live "below the security poverty line". One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group. Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene. She wrote a report titled "Security Below the Poverty Line". Wendy's research shows that most organizations don't have anywhere near the resources required to do security right.

I actually wrote a follow on to Wendy's report on Secure Cloud Review (another place I blog) titled, "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that like the real poor today, security poor organizations may make do on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line. The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project. So could open source be the secret weapon in the war on security poverty?

Wendy and I discuss just this and what her research shows. You can listen to our 15 minute discussion below. But let me give you some insight even if you don't listen to the podcast. The costs of security are not only the hardware and software of the security products. The human costs of security are equally expensive. Even deploying open source security projects will take experienced, qualified security know-how. That costs money, more money than many organizations can afford. So open source in and of itself is not going to be a panacea here.

You can learn more listening to the podcast or visit my blog on Network World and read the full interview article.

Open Source Security Pioneer Sourcefire Goes Agile
September 12, 2011 06:55 AM PDT

Martin Roesch and the company he founded, Sourcefire, are almost legendary in open source security circles. Roesch is the creator of Snort, the open source intrusion detection/prevention system that became the de facto standard for the entire category. Sourcefire is the company that Roesch formed to both commercialize and continue Snort as an open source project.

Now Sourcefire is launching an entirely new approach to today's complex security challenges. They call it Agile Security. With Agile Security, Sourcefire says the challenge is to move beyond static security. They have outlined a process to Agile Security which goes like this:

1. See. Traditional security solutions are mostly blind to their environment and the threats they face. An agile approach provides clarity and vision, reflecting the reality of an environment, as it exists right now.

2. Learn. Applies intelligence to data to improve understanding and decision-making.

3. Adapt. Static approaches limit the ability to tailor protection. Agile Security allows automatic evolution and modification of defenses in response to change.

4. Act. Agile Security provides decisive, flexible and automated responses to events.

I had a chance to meet with Marc Solomon, SVP of marketing and product management for Sourcefire to discuss this new Agile approach to security.

Listen in as Marc and I discuss Agile security, today's security challenges and Sourcefire's continuing commitment to open source.

Enjoy!

Security Exe with Ward Holloway, VP of Biz Dev, Firemon
August 16, 2011 07:51 AM PDT

I am happy to be joined today by the new VP of business development at Firemon, Ward Holloway. Ward is a veteran of the security industry having served many years at Crossbeam Systems working with their many partners. Prior to Crossbeam, Ward was with Checkpoint as well.

Ward just joined Firemon and he talks to us about why he joined, what gets him excited by the company. I have been doing some consulting for Firemon so am of course very excited to have Ward on board.

Enjoy

The Open Network: Couchbase Scores 14 Million In Red Hot Big Data Space
August 11, 2011 01:03 PM PDT

Couchbase, the company formed through the merger of Membase and CouchOne (developers of the open source CouchDB), announced that they have raised 14m in new venture capital. This was their C round and was led by new investor Ignition Partners, as well as being joined by their existing VCs.

A very impressive raise for the NoSQL, Big Data solution used by companies such as Zynga (which is also an investor), AOL and others.

I had a chance to sit down with Bob Wiederhold, CEO of Couchbase to discuss the new capital, their commitment to the open source and general state of the NoSQL and Big Data market.

Enjoy!

CloudBees - Open Source PaaS Java testing Platform
July 13, 2011 10:16 AM PDT

The CloudBees platform is the first Platform as a Service that lets companies build, test and deploy Java web applications in the cloud. With CloudBees, software teams can move their development and production activities instantly to the cloud, without restrictions or infrastructure costs.

I had a chance to sit and chat with Sacha Labourey, the CEO and founder of CloudBees about the company, as well as the cloud market and opportunity.

It is only a short 13 minute interview that I think you will enjoy!

Firemon's Jody Brazil
June 30, 2011 06:07 AM PDT

I have known Jody Brazil at Firemon for a long time. Recently I have been doing some consulting for the company. Jody is always a pleasure to speak with. We could probably go on all day if we were allowed.

In this episode Jody tells us about what is new at Firemon including the forthcoming risk analyzer product. We also talk about the state of security and a few other things.

Enjoy!
