Got Web Apps? - More from Defcon

Anyone remember WinNuke? I know it sounds lame, but I miss knocking friends off the net using a few small packets. It seems that the day of Windows exploits is gone. That’s not to say that we will not see new Windows flaws, but with the advent of auto-update the effects are often limited.

Today it takes very little effort to exploit web applications, while Windows vulnerabilities are increasingly difficult to exploit. It comes as no surprise that most talks at Defcon in recent years have focused on web application vulnerabilities. We are in the infancy of what is to come with web application flaws, and vendors are scrambling to meet client needs. Beyond having IDS/IPS, we always suggest a third-party code audit before any major software release. This is common practice with system software, but people tend to slack when it comes to web applications. Unfortunately, people only tend to become proactive about these things after an incident has occurred. The following are some useful tools for doing your own testing:

Nikto 2 - One of the original web server scanners.
Grendel-Scan - Fairly new scanner with a lot of promise.
Paros - Our tool of choice.
WebScarab - Another useful tool.

If you are looking for a third-party code audit, then I would consider Intelguardians. They have managed to collect some serious talent and are doing some interesting research.


Defcon Day -1

You guessed it: Alert Logic is at Defcon again. Normally we do not blog about our trips, but I was feeling social and decided to share this year. We landed early today and spent some time hunting for the registration area. There were no signs or any useful information; thankfully we found a guy with a Unix beard who pointed the way.

The badges this year seem slightly more interesting. We have the addition of an SD card reader along with an infrared transmitter. The card is able to turn off all TVs within range and transfer 128kb files to other badges. We haven’t had any luck with the TVs in our room, but we just started playing. I’m sure it can probably do more, but we haven’t done much with them yet.


If you’re a client and here for the weekend drop us a line so we can hang out.

Stay tuned…


Security Breaches Are Still Happening

Anyone who combs the press for security breaches will quickly find out there isn’t much going on. At least, nothing the press wants to write about. And who can blame them for not running the same old stories about how some company got compromised and how customer data, Social Security numbers, shoe sizes, etc. are all being leaked to the underground economy?

The reality is that they’re still happening. And they’re still hitting unsuspecting businesses, many of whom either thought they were protected or just kept putting off the decision to put the appropriate solutions/policies/procedures in place to prevent them. After all, who wants to spend money on something that may or may not be put into use? It’s like buying insurance.

Studies like the latest Verizon Data Breach Investigations Report are great sources for learning how some breaches occur and why, but they don’t reflect the vast number of other breaches happening every day, across the globe. Nobody can monitor all that. It’s why compliance mandates like PCI, although perceived by many to be too harsh, are necessary. As this week’s news about a major credit card ring being indicted shows, there is still clearly a need to protect consumers from poor security practices. Some businesses look at PCI as a necessary evil; some look at it as plain evil. And then there are those who actually embrace it for what it is: clearly defined guidelines for protection. Guidelines, because they change with your business. Sure, it’s going to cost you, but it could be a lot less (painful) than the repercussions of a breach.

So make it easy on yourself and embrace it for what it is. And get a good night’s sleep for once.


Yawn – Is It Over Yet?

Behold the wrath of Mr. Stormy

If any one of you has read a paper or watched a newscast over the past couple of days, you probably heard about the little tropical storm that was heading toward our hometown of Houston. Edouard, or so they call it. Now, besides the fact that this was a real letdown for the local media (it hasn’t been much more than a steady rain and a strong breeze; we’re used to thunder and lightning in the summer months), it was a great opportunity to remind everyone in the area that a good DR plan is worth the effort. Granted, while driving into work on Monday I saw the potential panic factor: all the traffic billboards stated “Storm approaching, fill your gas tank,” and my wife called to let me know the local grocery store was out of pretty much everything, so it was a bit over-hyped. But in a positive light, while riding down the elevator on Monday evening, one of the other building occupants asked me if we had a DR plan in place.

Of course we do. And yes, your data has never been safer nor more available.


Do they REALLY think SaaS is bad!?

I’ve been reading LogLogic’s recent blog posts about the “perils of SaaS” with some amusement. Of course, the obvious thing that we, as a SaaS-based provider of security and compliance offerings, think first is, “Wow, they must be feeling some heat!” But beyond that, their thinly veiled attempts to disparage SaaS as a delivery model just seem kind of silly on multiple fronts.

  1. They seem to be either confused or completely missing the point. They claim that SaaS-based products aren’t really gaining market acceptance. They cite: “A [CIO] survey by Merrill Lynch (June 2008) found that Security is the Top 1 spending priority (36% of votes). SaaS did not make the Top 10.” Well, yeah. SaaS isn’t a “thing” that you buy, it’s a delivery model. That would be like asking consumers how they will allocate their household budgets next year, having Housing, Healthcare, and Transportation come back as the top priorities, then concluding “Buying online isn’t popular - it doesn’t even make the top 10!” Of course the Merrill Lynch study does go on to confirm that 50% of companies are using SaaS-based products today, with that number projected to be 72% in another 3 years. No wonder that, as an appliance vendor, LogLogic seems a little worried…
  2. A key LogLogic strategy is to enable “cloud-based” log management by selling their appliances to MSSPs, who then provide the capability as a managed service. I don’t think I’d be too happy if I were one of these partners providing “managed log management services in the cloud” and read the recent blogs about why this is a bad idea. But maybe that’s just me…
  3. Their new CEO spent a few years at Salesforce.com, where she presumably believed that the SaaS delivery model was a good one. From there she went to SurfControl, where she implemented Salesforce.com as their CRM tool (http://www.cioinsight.com/c/a/Past-News/How-Companies-Swiftly-Deploy-Apps/ ). Did she get a new religion now that she is at an appliance company? Could all this “SaaS is bad, and here’s why” blogging just be a smoke-screen to buy time until they can develop their own SaaS offering?

Pretty amusing stuff, all in all. The reality is that SaaS is a delivery model with many benefits an appliance model will never be able to achieve. The blogs LogLogic is posting strike me as reminiscent of articles written by some brick and mortar merchants in the early days of e-commerce: “Oooh, it’s dangerous! Don’t take the risk of buying online!” But the reality is that some trends are so compelling you’re simply not going to stop them. IMO SaaS is one of those trends. And it sounds like that reality is beginning to make somebody over at LogLogic pretty nervous.

