<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dcterms="http://purl.org/dc/terms/">
  <channel>
    <title>Security.Exe powered by The CISO Group with Alan Shimel</title>
    <link>http://ashimmy.podomatic.com</link>
    <description>Alan Shimel talks security, IT and life</description>
    <language>en-us</language>
    <generator>podOmatic RSS Generator</generator>
    <pubDate>Thu, 10 May 2012 19:05:26 GMT</pubDate>
    <itunes:keywords>ids,infosec,nac,networksecurity,security,stillsecure,vulnerabilities,vulnerability</itunes:keywords>
    <itunes:subtitle>Give it a listen!</itunes:subtitle>
    <itunes:owner>
      <itunes:name>alan shimel</itunes:name>
      <itunes:email>alan@stillsecure.com</itunes:email>
    </itunes:owner>
    <itunes:explicit>clean</itunes:explicit>
    <itunes:block>no</itunes:block>
    <itunes:image href="http://assets.podomatic.net/mymedia/thumb/pro/1143272/600x600_3013721.jpg"/>
    <itunes:author>alan shimel</itunes:author>
    <itunes:summary>Alan Shimel talks security, IT and life</itunes:summary>
    <itunes:category text="Technology">
      <itunes:category text="IT News"/>
    </itunes:category>
    <atom:link type="application/rss+xml" href="http://ashimmy.podomatic.com/rss2.xml" rel="self"/>
    <item>
      <title>SQL and the Cloud: Is there a wrong or right?</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6388439.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;The perfect storm of the cloud, big data and mobile has created the environment where we are seeing more choice and more opportunity in the database market than we have seen in a long time.

In today's podcast I am joined by executives of 3 different database companies. 

James Phillips, co-founder of Couchbase, a leading NoSQL company,
Razi Sharir, CEO of Xeround, a SaaS MySQL company
and
Ed Boyajian, CEO of EnterpriseDB, the company behind commercial versions of PostgreSQL database.

The four of us discuss how to choose the best database for your cloud applications. It may be that you need more than one.  We also discuss the current state of the market and best practices in database design and management today. We also talk about what may be ahead in the DB market.

All in all a great discussion on cloud databases!

Enjoy
</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-05-10T11_39_04-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-05-10T11_39_04-07_00</comments>
      <pubDate>Thu, 10 May 2012 17:57:34 GMT</pubDate>
      <dcterms:modified>2012-05-10</dcterms:modified>
      <dcterms:created>2012-05-10</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,cloud,database,mysql,nosql,open,postgresql,saas,shimel,source,sql</itunes:keywords>
      <enclosure type="audio/mpeg" length="22471268" url="http://ashimmy.podomatic.com/enclosure/2012-05-10T11_39_04-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6388439.jpg"/>
      <itunes:duration>1404</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>The perfect storm of the cloud, big data and mobile has created the environment where we are seeing more choice and more opportunity in the database market than we have seen in a long time.

In today's podcast I am joined by executives of 3 different database companies. 

James Phillips, co-founder of Couchbase, a leading NoSQL company,
Razi Sharir, CEO of Xeround, a SaaS MySQL company
and
Ed Boyajian, CEO of EnterpriseDB, the company behind commercial versions of PostgreSQL database.

The four of us discuss how to choose the best database for your cloud applications. It may be that you need more than one.  We also discuss the current state of the market and best practices in database design and management today. We also talk about what may be ahead in the DB market.

All in all a great discussion on cloud databases!

Enjoy
</itunes:summary>
    </item>
    <item>
      <title>Dave Jilk, CEO of Standing Cloud on Cloud Orchestration Layers</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6223944.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Dave Jilk of Standing Cloud is my guest this week. We discuss what Dave calls the &quot;cloud orchestration&quot; layer. This is what allows apps and developers to talk to cloud infrastructures and allows one cloud to talk to another (at some level anyway).

Dave and the folks at Standing Cloud have been playing in this area almost since the beginning.

Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-04-20T11_04_24-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-04-20T11_04_24-07_00</comments>
      <pubDate>Fri, 20 Apr 2012 17:56:39 GMT</pubDate>
      <dcterms:modified>2012-04-20</dcterms:modified>
      <dcterms:created>2012-04-20</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>cloud</itunes:keywords>
      <enclosure type="audio/mpeg" length="18421270" url="http://ashimmy.podomatic.com/enclosure/2012-04-20T11_04_24-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6223944.jpg"/>
      <itunes:duration>1151</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Dave Jilk of Standing Cloud is my guest this week. We discuss what Dave calls the &quot;cloud orchestration&quot; layer. This is what allows apps and developers to talk to cloud infrastructures and allows one cloud to talk to another (at some level anyway).

Dave and the folks at Standing Cloud have been playing in this area almost since the beginning.

Enjoy!</itunes:summary>
    </item>
    <item>
      <title>CompTIA Sponsors SBN and Offers New CASP Certification</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6104875.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;CompTIA Advanced Security Practitioner (CASP) is the newest certification from CompTIA, who have been offering technical certifications just about longer than anyone.

To let people know about this new certification program and the rest of their excellent courses and certifications, CompTIA is partnering with the Security Bloggers Network and has signed on as a sponsor. We thank CompTIA for the support!

I had a chance to speak with Rick Bauer, director of research and development at CompTIA. We spoke about CompTIA, the different certifications they offer and the whole technical certification space.

Enjoy! </description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-04-03T22_20_29-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-04-03T22_20_29-07_00</comments>
      <pubDate>Wed, 04 Apr 2012 05:13:21 GMT</pubDate>
      <dcterms:modified>2012-04-04</dcterms:modified>
      <dcterms:created>2012-04-04</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords></itunes:keywords>
      <enclosure type="audio/mpeg" length="27051270" url="http://ashimmy.podomatic.com/enclosure/2012-04-03T22_20_29-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_6104875.jpg"/>
      <itunes:duration>1690</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>CompTIA Advanced Security Practitioner (CASP) is the newest certification from CompTIA, who have been offering technical certifications just about longer than anyone.

To let people know about this new certification program and the rest of their excellent courses and certifications, CompTIA is partnering with the Security Bloggers Network and has signed on as a sponsor. We thank CompTIA for the support!

I had a chance to speak with Rick Bauer, director of research and development at CompTIA. We spoke about CompTIA, the different certifications they offer and the whole technical certification space.

Enjoy! </itunes:summary>
    </item>
    <item>
      <title>Apps for Security: Open Source meets Crowd Sourcing</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5959318.png&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Today we speak with Hart Rossman, CTO for Cyber Security at SAIC and the founder and visionary behind Apps for Security.  Apps for Security allows developers and designers to come together in a collaborative setting to work on open source and open APIs to develop better security.

Sponsored by SAIC and The Security Innovation Network, the first Apps for Security day will be Thursday, March 22, 2012, 10am-6pm, at The Computer History Museum, Mountain View, CA. You can find out more and register by visiting: http://www.security-innovation.org/apps4sec.htm

If things go well there are already plans to hold more innovation days for Apps for Security all over the country.
</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-03-13T08_57_03-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-03-13T08_57_03-07_00</comments>
      <pubDate>Tue, 13 Mar 2012 15:52:05 GMT</pubDate>
      <dcterms:modified>2012-03-13</dcterms:modified>
      <dcterms:created>2012-03-13</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,hart,networksecurity,open,rossman,security,shimel,source</itunes:keywords>
      <enclosure type="audio/mpeg" length="15758858" url="http://ashimmy.podomatic.com/enclosure/2012-03-13T08_57_03-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5959318.png"/>
      <itunes:duration>984</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Today we speak with Hart Rossman, CTO for Cyber Security at SAIC and the founder and visionary behind Apps for Security.  Apps for Security allows developers and designers to come together in a collaborative setting to work on open source and open APIs to develop better security.

Sponsored by SAIC and The Security Innovation Network, the first Apps for Security day will be Thursday, March 22, 2012, 10am-6pm, at The Computer History Museum, Mountain View, CA. You can find out more and register by visiting: http://www.security-innovation.org/apps4sec.htm

If things go well there are already plans to hold more innovation days for Apps for Security all over the country.
</itunes:summary>
    </item>
    <item>
      <title>NoSQL Security - What is the real story?</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5686735.png&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;The NoSQL market has grown at a torrid pace over the last few years. Like many red hot tech sectors, the leaders are so busy running at full speed ahead, no one has time to stop and smell the flowers. Capturing customers and market share in order to seize market leadership and responding to customers' requests to close the sale are paramount.

Usually it is only later that additional features get layered in.  Of course we in the security industry have seen all too often when security is one of these afterthoughts that gets layered in after the fact. Usually when it is too late and some bad things have already happened.

In the NoSQL space the debate about security has already begun.  There have been several articles about whether or not NoSQL is in fact secure enough for its mission.

Against this backdrop I have a great panel for today's Open Network podcast.  From the NoSQL space, Dwight Merriman, CEO and founder of 10Gen, makers of MongoDB and James Phillips, founder of Couchbase.  From the security space we have none other than Rich Mogull and Adrian Lane of Securosis.

It was a great discussion, but some of the frustration of the security industry about not making security a higher priority came to the surface. Dwight and James did a great job explaining how they are running as fast as they can to keep up, but the customer is king.

This is a longer podcast running about 40 minutes. But I think it is well worth your time. Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-01-25T05_52_49-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-01-25T05_52_49-08_00</comments>
      <pubDate>Wed, 25 Jan 2012 13:06:45 GMT</pubDate>
      <dcterms:modified>2012-01-25</dcterms:modified>
      <dcterms:created>2012-01-25</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>10gen,coucbase,couchdb,db,james,lane,membase,merriman,mogull,mongodb,nosql,parker,security,securosis,shimel</itunes:keywords>
      <enclosure type="audio/mpeg" length="37003279" url="http://ashimmy.podomatic.com/enclosure/2012-01-25T05_52_49-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5686735.png"/>
      <itunes:duration>2312</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>The NoSQL market has grown at a torrid pace over the last few years. Like many red hot tech sectors, the leaders are so busy running at full speed ahead, no one has time to stop and smell the flowers. Capturing customers and market share in order to seize market leadership and responding to customers' requests to close the sale are paramount.

Usually it is only later that additional features get layered in.  Of course we in the security industry have seen all too often when security is one of these afterthoughts that gets layered in after the fact. Usually when it is too late and some bad things have already happened.

In the NoSQL space the debate about security has already begun.  There have been several articles about whether or not NoSQL is in fact secure enough for its mission.

Against this backdrop I have a great panel for today's Open Network podcast.  From the NoSQL space, Dwight Merriman, CEO and founder of 10Gen, makers of MongoDB and James Phillips, founder of Couchbase.  From the security space we have none other than Rich Mogull and Adrian Lane of Securosis.

It was a great discussion, but some of the frustration of the security industry about not making security a higher priority came to the surface. Dwight and James did a great job explaining how they are running as fast as they can to keep up, but the customer is king.

This is a longer podcast running about 40 minutes. But I think it is well worth your time. Enjoy!</itunes:summary>
    </item>
    <item>
      <title>Pen Testing, Vulnerabilities and Risk Management</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5676086.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Continuing my series on Risk, I am very lucky to have another great panel on this episode of the Security.Exe podcast. I am joined by HD Moore, founder of Metasploit and CSO of Rapid7, Ron Gula, CEO and CTO of Tenable Network Security and last but not least, once again, Jody Brazil, founder and President of Firemon.

Ron, HD, Jody and I discuss Risk, CVSS, pen testing as part of a risk management strategy and what are some of the biggest issues around risk management today.

It is always great to have intelligent people to discuss the issues with and this panel is top notch!

Hope you enjoy.</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-01-23T08_24_00-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-01-23T08_24_00-08_00</comments>
      <pubDate>Mon, 23 Jan 2012 16:10:11 GMT</pubDate>
      <dcterms:modified>2012-01-23</dcterms:modified>
      <dcterms:created>2012-01-23</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,analyzer,brazil,firemon,gula,hd,jody,management,metasploit,moore,nessus,network,rapid7,risk,ron,security,shimel,tenable,vulnerability</itunes:keywords>
      <enclosure type="audio/mpeg" length="27212937" url="http://ashimmy.podomatic.com/enclosure/2012-01-23T08_24_00-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5676086.jpg"/>
      <itunes:duration>1700</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Continuing my series on Risk, I am very lucky to have another great panel on this episode of the Security.Exe podcast. I am joined by HD Moore, founder of Metasploit and CSO of Rapid7, Ron Gula, CEO and CTO of Tenable Network Security and last but not least, once again, Jody Brazil, founder and President of Firemon.

Ron, HD, Jody and I discuss Risk, CVSS, pen testing as part of a risk management strategy and what are some of the biggest issues around risk management today.

It is always great to have intelligent people to discuss the issues with and this panel is top notch!

Hope you enjoy.</itunes:summary>
    </item>
    <item>
      <title>MapR's John Schroeder talks Hadoop and Big Data for 2012</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5661014.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;This episode of the Open Network is with John Schroeder, founder and CEO of MapR, who distributes a high powered version of Hadoop. Hadoop and Big Data are red hot and getting hotter. What does 2012 have in store for them? What about whispers around the security of Big Data? With so many players, consolidation is bound to happen.

Listen in to this 15 or so minute conversation and hear what John, a pioneer in the Hadoop industry, has to say!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2012-01-20T05_45_08-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2012-01-20T05_45_08-08_00</comments>
      <pubDate>Fri, 20 Jan 2012 13:39:10 GMT</pubDate>
      <dcterms:modified>2012-01-20</dcterms:modified>
      <dcterms:created>2012-01-20</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,big,data,hadoop,mapr,network,open,shimel</itunes:keywords>
      <enclosure type="audio/mpeg" length="17004370" url="http://ashimmy.podomatic.com/enclosure/2012-01-20T05_45_08-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5661014.jpg"/>
      <itunes:duration>1062</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>This episode of the Open Network is with John Schroeder, founder and CEO of MapR, who distributes a high powered version of Hadoop. Hadoop and Big Data are red hot and getting hotter. What does 2012 have in store for them? What about whispers around the security of Big Data? With so many players, consolidation is bound to happen.

Listen in to this 15 or so minute conversation and hear what John, a pioneer in the Hadoop industry, has to say!</itunes:summary>
    </item>
    <item>
      <title>Risk, Risk, Risk!</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5506706.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;In order to manage risk correctly we have to be able to measure it. In order to measure risk correctly, we need to be able to define it.  Even something as elementary as defining risk can create questions and ambiguities.  So where do we begin and how do we figure this out?

I am joined by a great cast to discuss these questions and more on this episode of Security.Exe. Alex Hutton, formerly of Verizon and now with a top 25 financial institution, joins me, along with Ben Tomhave (@Falconsview) and Jody Brazil of Firemon.

We spend just over a half hour defining risk, talking about ways to measure and manage it and what you can do.

I am always invigorated when I listen to smart people discuss a subject I am interested in. I was very invigorated and excited being part of this podcast.

Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-12-19T09_00_48-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-12-19T09_00_48-08_00</comments>
      <pubDate>Mon, 19 Dec 2011 16:46:41 GMT</pubDate>
      <dcterms:modified>2011-12-19</dcterms:modified>
      <dcterms:created>2011-12-19</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,alex,ben,brazil,ciso,firemon,hutton,jody,management,risk,secuirty,shimel,tomhave</itunes:keywords>
      <enclosure type="audio/mpeg" length="35884994" url="http://ashimmy.podomatic.com/enclosure/2011-12-19T09_00_48-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5506706.jpg"/>
      <itunes:duration>2242</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>In order to manage risk correctly we have to be able to measure it. In order to measure risk correctly, we need to be able to define it.  Even something as elementary as defining risk can create questions and ambiguities.  So where do we begin and how do we figure this out?

I am joined by a great cast to discuss these questions and more on this episode of Security.Exe. Alex Hutton, formerly of Verizon and now with a top 25 financial institution, joins me, along with Ben Tomhave (@Falconsview) and Jody Brazil of Firemon.

We spend just over a half hour defining risk, talking about ways to measure and manage it and what you can do.

I am always invigorated when I listen to smart people discuss a subject I am interested in. I was very invigorated and excited being part of this podcast.

Enjoy!</itunes:summary>
    </item>
    <item>
      <title>The Open Network: Blazemeter brings SaaS-based Load and Performance Testing</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5442609.png&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Blazemeter announced today that they have closed on a 1.2 million dollar series &quot;A&quot; round of financing to bring the first enterprise class SaaS based load and performance testing to market.

Using the cloud and based on the popular Apache Jmeter project, Blazemeter will make life much easier for testing and QA teams.

Alon Girmonsky, CEO and founder of Blazemeter, says, &quot;In the same way that AWS introduced EC2 based on XEN and Heroku created a cloud focused on Ruby, BlazeMeter has created a cloud that focuses on load testing and is 100% compatible with the open-source JMeter. We&#8217;re using the cloud to answer the need for a powerful, inexpensive, do-it-yourself load testing solution.&quot;

I had a chance to sit down with Alon and discuss Blazemeter, SaaS, the cloud and open source.  

Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-12-06T10_57_38-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-12-06T10_57_38-08_00</comments>
      <pubDate>Tue, 06 Dec 2011 18:50:16 GMT</pubDate>
      <dcterms:modified>2011-12-06</dcterms:modified>
      <dcterms:created>2011-12-06</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,blazemeter,cloud,jmeter,network,open,shimel,source,tesiting,world</itunes:keywords>
      <enclosure type="audio/mpeg" length="16951859" url="http://ashimmy.podomatic.com/enclosure/2011-12-06T10_57_38-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5442609.png"/>
      <itunes:duration>1059</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Blazemeter announced today that they have closed on a 1.2 million dollar series &quot;A&quot; round of financing to bring the first enterprise class SaaS based load and performance testing to market.

Using the cloud and based on the popular Apache Jmeter project, Blazemeter will make life much easier for testing and QA teams.

Alon Girmonsky, CEO and founder of Blazemeter, says, &quot;In the same way that AWS introduced EC2 based on XEN and Heroku created a cloud focused on Ruby, BlazeMeter has created a cloud that focuses on load testing and is 100% compatible with the open-source JMeter. We&#8217;re using the cloud to answer the need for a powerful, inexpensive, do-it-yourself load testing solution.&quot;

I had a chance to sit down with Alon and discuss Blazemeter, SaaS, the cloud and open source.  

Enjoy!</itunes:summary>
    </item>
    <item>
      <title>Have We Got Risk All Wrong? Risk Analyzer From Firemon</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5413744.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder.  An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?

We have settled on a formula for risk being:

Risk (R) = Threat (T) x Vulnerability (V)

But is that the correct formula to use? Are there other factors that need to be considered?

I am joined on this podcast by Jody Brazil, President of Firemon and Gary Fish, CEO of Firemon to discuss these questions in light of Firemon's new Risk Analyzer product. 

Risk Analyzer offers a new way to look at risk, using risk based scenarios. Introducing concepts such as reachability, exposure and asset value into the equation gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks to make us more efficient.

As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. I am very excited by what it offers and I think you will be too.

Have a listen as I discuss this with Jody and Gary.

Also be advised that there was a clicking in the recording (which we obviously didn't know about). I have done my best using my not very considerable sound engineering skills to remove it. It is still there, but it is the best I can do and I thought the quality of the conversation was much more important than the quality of the sound.

Enjoy! </description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-12-01T07_05_55-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-12-01T07_05_55-08_00</comments>
      <pubDate>Thu, 01 Dec 2011 14:51:48 GMT</pubDate>
      <dcterms:modified>2011-12-01</dcterms:modified>
      <dcterms:created>2011-12-01</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,management,risk,security,shimel,vulnerability</itunes:keywords>
      <enclosure type="audio/mpeg" length="24652519" url="http://ashimmy.podomatic.com/enclosure/2011-12-01T07_05_55-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5413744.jpg"/>
      <itunes:duration>1540</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder.  An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?

We have settled on a formula for risk being:

Risk (R) = Threat (T) x Vulnerability (V)

But is that the correct formula to use? Are there other factors that need to be considered?

I am joined on this podcast by Jody Brazil, President of Firemon and Gary Fish, CEO of Firemon to discuss these questions in light of Firemon's new Risk Analyzer product. 

Risk Analyzer offers a new way to look at risk, using risk based scenarios. Introducing concepts such as reachability, exposure and asset value into the equation gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks to make us more efficient.

As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. I am very excited by what it offers and I think you will be too.

Have a listen as I discuss this with Jody and Gary.

Also be advised that there was a clicking in the recording (which we obviously didn't know about). I have done my best using my not very considerable sound engineering skills to remove it. It is still there, but it is the best I can do and I thought the quality of the conversation was much more important than the quality of the sound.

Enjoy! </itunes:summary>
    </item>
    <item>
      <title>Simon Crosby: Virtualization Is A Great Opportunity For Security</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5327131.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Security by the cloud for the cloud and via the cloud is an idea whose time has come. Simon Crosby, CTO of cloud security startup Bromium, thinks so anyway. Of course Crosby knows something about cloud, virtualization and security. His previous stints include being CTO of Xen and Citrix's virtualization divisions.

Simon was one of the first people talking about cloud security and has been a leader in the space ever since. He says that virtualization and the isolation features which are part of it give us a chance to do security better than ever before. This is why security in the cloud represents a chance to do security better.

Listen in as Simon talks to me about virtualization, security, the cloud and open source.

This will be posted on Network World as well, but Secure Cloud Review listeners are getting this early peek.</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-11-15T12_00_57-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-11-15T12_00_57-08_00</comments>
      <pubDate>Tue, 15 Nov 2011 16:54:04 GMT</pubDate>
      <dcterms:modified>2011-11-15</dcterms:modified>
      <dcterms:created>2011-11-15</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>bromium,cloud,security,virtual</itunes:keywords>
      <enclosure type="audio/mpeg" length="16793048" url="http://ashimmy.podomatic.com/enclosure/2011-11-15T12_00_57-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5327131.jpg"/>
      <itunes:duration>1049</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Security by the cloud for the cloud and via the cloud is an idea whose time has come. Simon Crosby, CTO of cloud security start up Bromium thinks so anyway. Of course Crosby knows something about cloud, virtualization and security. His previous stints include beomg CTO of Xen and Citrix's virtualization divisions. 

Simon was one of the first people talking about cloud security and has been a leader in the space ever since. He says that virtualization, and the isolation features that are part of it, give us a chance to do security better than ever before. This is why security in the cloud represents a chance to do security better.

Listen in as Simon talks to me about virtualization, security, the cloud and open source.

This will be posted on Network World as well, but Secure Cloud Review listeners are getting this early peek.</itunes:summary>
    </item>
    <item>
      <title>Rackspace Cloud Builders Bringing OpenStack To A Cloud Near You</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5307119.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;This week I wrote about CM-aaS (cloud management as a service). I was talking about the private cloud edition of OpenStack offered by Rackspace Cloud Builders. Find out more about this from the GM and de facto CTO of Cloud Builders.</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-11-11T06_38_09-08_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-11-11T06_38_09-08_00</comments>
      <pubDate>Fri, 11 Nov 2011 14:32:59 GMT</pubDate>
      <dcterms:modified>2011-11-11</dcterms:modified>
      <dcterms:created>2011-11-11</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alan,cloud,network,open,openstack,rackspace,shimel</itunes:keywords>
      <enclosure type="audio/mpeg" length="14622335" url="http://ashimmy.podomatic.com/enclosure/2011-11-11T06_38_09-08_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5307119.jpg"/>
      <itunes:duration>913</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>This week I wrote about CM-aaS (cloud management as a service). I was talking about the private cloud edition of OpenStack offered by Rackspace Cloud Builders. Find out more about this from the GM and de facto CTO of Cloud Builders.</itunes:summary>
    </item>
    <item>
      <title>Metrics and Security - What Should You Focus On?</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5235913.png&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Metrics in security have been a hotly debated topic for some time. But in this episode our panel takes another look. I am joined by Raf Los of HP, Elizabeth Martin of Red Legg, Eric Irvin of Alert Logic and Will Gragido of TippingPoint/HP to discuss what metrics make sense.

Of course we could probably talk all day and night and not come to a definitive conclusion. But it is a fun and informative 30 minutes with some really bright people.

Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-10-28T07_55_42-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-10-28T07_55_42-07_00</comments>
      <pubDate>Fri, 28 Oct 2011 14:43:10 GMT</pubDate>
      <dcterms:modified>2011-10-28</dcterms:modified>
      <dcterms:created>2011-10-28</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>alert,hp,legg,logic,los,point,rafal,red,security,tipping</itunes:keywords>
      <enclosure type="audio/mpeg" length="32147781" url="http://ashimmy.podomatic.com/enclosure/2011-10-28T07_55_42-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5235913.png"/>
      <itunes:duration>2009</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Metrics in security have been a hotly debated topic for some time. But in this episode our panel takes another look. I am joined by Raf Los of HP, Elizabeth Martin of Red Legg, Eric Irvin of Alert Logic and Will Gragido of TippingPoint/HP to discuss what metrics make sense.

Of course we could probably talk all day and night and not come to a definitive conclusion. But it is a fun and informative 30 minutes with some really bright people.

Enjoy!</itunes:summary>
    </item>
    <item>
      <title>Security Below the Poverty Line with Wendy Nather of The 451 Group</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5183738.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone.  One of them is that security is hard and seems to be getting harder. As a result security is also very expensive.  So expensive that only the largest of organizations who put a high value on securing their assets can afford it.  In fact some studies show that large organizations spend an average of about 3.5 million dollars a year on security.  Frankly, even that is not enough given the current state of cybersecurity.  But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live &quot;below the security poverty line&quot;.  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She wrote a report titled &quot;Security Below the Poverty Line&quot;.  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right.  

I actually wrote a follow-on to Wendy's report on Secure Cloud Review (another place I blog) titled, &quot;Brother Can You Spare A Dime: Life Below The Security Poverty Line&quot;. In it I detailed that like the real poor today, security poor organizations may make do on a &quot;high carb&quot; diet of security that lacks &quot;protein&quot;. By that I mean they have minimal security that gets them &quot;fat&quot; but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty?  

Wendy and I discuss just this and what her research shows.  You can listen to our 15-minute discussion below.  But let me give you some insight even if you don't listen to the podcast.  The costs of security are not only the hardware and software of the security products.  The human costs of security are equally expensive.  Even deploying open source security projects will take experienced, qualified security know-how. That costs money, more money than many organizations can afford.  So open source in and of itself is not going to be a panacea here.

You can learn more by listening to the podcast, or visit my blog on Network World and read the full interview article.</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-10-17T08_54_24-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-10-17T08_54_24-07_00</comments>
      <pubDate>Mon, 17 Oct 2011 15:18:49 GMT</pubDate>
      <dcterms:modified>2011-10-17</dcterms:modified>
      <dcterms:created>2011-10-17</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>451,alan,group,network,open,security,shimel,source,world</itunes:keywords>
      <enclosure type="audio/mpeg" length="16468696" url="http://ashimmy.podomatic.com/enclosure/2011-10-17T08_54_24-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5183738.jpg"/>
      <itunes:duration>1029</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone.  One of them is that security is hard and seems to be getting harder. As a result security is also very expensive.  So expensive that only the largest of organizations who put a high value on securing their assets can afford it.  In fact some studies show that large organizations spend an average of about 3.5 million dollars a year on security.  Frankly, even that is not enough given the current state of cybersecurity.  But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live &quot;below the security poverty line&quot;.  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She wrote a report titled &quot;Security Below the Poverty Line&quot;.  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right.  

I actually wrote a follow-on to Wendy's report on Secure Cloud Review (another place I blog) titled, &quot;Brother Can You Spare A Dime: Life Below The Security Poverty Line&quot;. In it I detailed that like the real poor today, security poor organizations may make do on a &quot;high carb&quot; diet of security that lacks &quot;protein&quot;. By that I mean they have minimal security that gets them &quot;fat&quot; but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty?  

Wendy and I discuss just this and what her research shows.  You can listen to our 15-minute discussion below.  But let me give you some insight even if you don't listen to the podcast.  The costs of security are not only the hardware and software of the security products.  The human costs of security are equally expensive.  Even deploying open source security projects will take experienced, qualified security know-how. That costs money, more money than many organizations can afford.  So open source in and of itself is not going to be a panacea here.

You can learn more by listening to the podcast, or visit my blog on Network World and read the full interview article.</itunes:summary>
    </item>
    <item>
      <title>Open Source Security Pioneer Sourcefire Goes Agile</title>
      <description>&lt;img src=&quot;http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5019641.jpg&quot; alt=&quot;itunes pic&quot; /&gt;&lt;br /&gt;Martin Roesch and the company he founded, Sourcefire, are almost legendary in open source security circles. Roesch is the creator of Snort, the open source intrusion detection/prevention system that became the de facto standard for the entire category. Sourcefire is the company that Roesch formed to both commercialize and continue Snort as an open source project.

Now Sourcefire is launching an entirely new approach to today's complex security challenges. They call it Agile Security. With Agile Security, Sourcefire says the challenge is to move beyond static security. They have outlined a process to Agile Security which goes like this:

1. See. Traditional security solutions are mostly blind to their environment and the threats they face. An agile approach provides clarity and vision, reflecting the reality of an environment, as it exists right now. 

2. Learn. Applies intelligence to data to improve understanding and decision-making.

3. Adapt. Static approaches limit the ability to tailor protection. Agile Security allows automatic evolution and modification of defenses in response to change. 

4. Act. Agile Security provides decisive, flexible and automated responses to events.

I had a chance to meet with Marc Solomon, SVP of marketing and product management for Sourcefire, to discuss this new Agile approach to security.

Listen in as Marc and I discuss Agile security, today's security challenges and Sourcefire's continuing commitment to open source.

Enjoy!</description>
      <guid isPermaLink="true">http://ashimmy.podomatic.com/entry/2011-09-12T07_06_40-07_00</guid>
      <comments>http://ashimmy.podomatic.com/entry/2011-09-12T07_06_40-07_00</comments>
      <pubDate>Mon, 12 Sep 2011 13:55:28 GMT</pubDate>
      <dcterms:modified>2011-09-12</dcterms:modified>
      <dcterms:created>2011-09-12</dcterms:created>
      <link>http://ashimmy.podomatic.com</link>
      <dc:creator>alan shimel</dc:creator>
      <itunes:keywords>ids,it,networksecurity,news,security,securityexe,shimel,vulnerabilities</itunes:keywords>
      <enclosure type="audio/mpeg" length="17702494" url="http://ashimmy.podomatic.com/enclosure/2011-09-12T07_06_40-07_00.mp3"/>
      <itunes:image href="http://assets.podomatic.net/mymedia/thumb/1143272/600x600_5019641.jpg"/>
      <itunes:duration>1106</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <itunes:summary>Martin Roesch and the company he founded, Sourcefire, are almost legendary in open source security circles. Roesch is the creator of Snort, the open source intrusion detection/prevention system that became the de facto standard for the entire category. Sourcefire is the company that Roesch formed to both commercialize and continue Snort as an open source project.

Now Sourcefire is launching an entirely new approach to today's complex security challenges. They call it Agile Security. With Agile Security, Sourcefire says the challenge is to move beyond static security. They have outlined a process to Agile Security which goes like this:

1. See. Traditional security solutions are mostly blind to their environment and the threats they face. An agile approach provides clarity and vision, reflecting the reality of an environment, as it exists right now. 

2. Learn. Applies intelligence to data to improve understanding and decision-making.

3. Adapt. Static approaches limit the ability to tailor protection. Agile Security allows automatic evolution and modification of defenses in response to change. 

4. Act. Agile Security provides decisive, flexible and automated responses to events.

I had a chance to meet with Marc Solomon, SVP of marketing and product management for Sourcefire, to discuss this new Agile approach to security.

Listen in as Marc and I discuss Agile security, today's security challenges and Sourcefire's continuing commitment to open source.

Enjoy!</itunes:summary>
    </item>
  </channel>
</rss>

