[SecurityRatty] tag: mature

Is PCI DSS "Too Prescriptive"?

Mon, 22 Sep 2008 11:43:00 +0000

I did this fun panel on PCI compliance at SecureWorld Bay Area the other week. What is interesting is that almost every time there is a discussion about PCI DSS, somebody crawls out of the woodwork and utters the following: "PCI is too prescriptive!", as if it is a bad thing (e.g. I mentioned it before here)

I used to react to this with "Are you stupid?! PCI being prescriptive is the best thing since sliced cake :-) Finally, there is some specific guidance for people to follow and be more secure!" BTW, in many cases end users who have to comply with PCI DSS still think it is "too fuzzy" and "not specific enough" (e.g. see "MUST-DO Logging for PCI"); and they basically ask for "a compliance TODO list." (also see this and especially this on compliance checklists)

But every time it happens, I can't stop but think - why do people even utter such utter heresy? :-) And you know what? I think I got it!

When people say "PCI is too prescriptive," they actually mean that it engenders "checklist mentality" and leads to following the letter of the mandate blindly, without thinking about WHY it was put in place (to protect cardholder data, share risk/responsibility, etc). For example, it says "use a firewall" and so they deploy a shiny firewall with a simple "ALLOW ALL<->ALL" rule (an obvious exaggeration - but you get the point!) Or they have a firewall with a default password unchanged... In addition, the proponents of "PCI is too prescriptive" tend to think that fuzzier guidance (and, especially, prescribing the desired end state AND not the tools to be installed) will lead to people actually thinking about the best way to do it.

So the choices are:

Mandate the tools (e.g. "must use a firewall") - and risk "checklist mentality", resulting in BOTH insecurity and "false sense" of security.
Mandate the results (e.g. "must be secure") - and risk people saying "eh, but I dunno how" - and then not acting at all, again leading to insecurity.

Take your poison now?! Isn't compliance fun? What is the practical solution to this? I personally would take the pill #1 over pill #2 (and that is why I like PCI that much), but with some pause to think, for sure. I think organizations with less mature security programs will benefit at least a bit from #1, while those with more mature programs might "enjoy" #2 more...

BTW, this post was originally called "Isn't Compliance Fun?!" I had a few fierce debates with some friends and all of them piled on me to convince me that "compliance is boring, while security is fun!" The above does illustrate that there are worthy and exciting intellectual challenges in the domain of regulatory compliance. It is not [only] a domain of minimalists (who just "want the auditor to go away") and mediocrity, as some think. What makes security fun - the people aspect, the ever-changing threat landscape, cool technology, high uncertainty, even risk - also apply to compliance ...

So, need a cool marketing slogan BUT hate "making compliance easy"? Go for "Making Compliance Fun!" :-)

All posts on PCI - some are fun:-)

From the Executive Women's Forum on Information Security

Thu, 18 Sep 2008 15:29:34 +0000

The theme of the 2008 Executive Women's Forum on Information Security, Risk Management & Privacy is "risk convergence is inevitable." The risks associated with information security, privacy, physical security and so forth are converging such that an integrated management approach is required from within the firm.

Interestingly enough, business continuity management was not a key risk area mentioned by all panelists of the session titled "Convergence: The Good, The Bad & The Ugly." There were two pieces of strategic program management advice from the panelists. The first point is that you have to partner with all of your lines of business and corporate support areas. Since risk is related to the delivery of the business, no one department can address all of the issues. And, you might find that there are good practices already in place within your firm, so that you are not reinventing the wheel - leverage the good stuff throughout the firm. The second point is to focus on the budget issue - how many risk-related activities are already in place in your organization that could be combined, and possibly duplicated, so that more work gets done with less money spent? Pooling of already limited budgets can go a long way toward developing a program that is more mature, delivers more benefit to the organization and eliminates a lot of duplicative work.

But all of this convergence comes at a price - mainly in fear, uncertainty and doubt of the workforce. Some feel that they will lose authority (especially in siloed risk approaches); others might lose their jobs as a result of the convergence. This human aspect was mentioned as the key challenge of an integrated approach. Therefore, communicating not only up within the firm but down to the workforce is critical to achieving a well-run and integrated program.

And finally, for those areas that just don't want to "play the game," use your internal audit department as the "stick" that can get them to act. When I was an IT risk manager, I always said that I was management's best friend - let me tell you the gaps in your risk program rather than having them come from the audit department, which then become part of the records of the firm.

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Modelling Air Traffic Control

Mon, 08 Sep 2008 09:27:26 +0000

Today I will discuss a general approach to model air traffic control (ATC) using our CEP/EP reference architecture which is an application of the mature JDL multisensor data fusion model.

ATC is an excellent working example of complex event processing. Radar and GPS provide the basic sensory information to accurately track and trace the position of each aircraft in the area of responsibility (AOR) of a particular control tower/zone. Naturally, sensory information is preprocessed and formatted in such a way that the data can be processed upstream by multiple real-time applications.

Before we look at complex ATC scenarios, such as “potential collision” or “aircraft off approach vector” we must trace and trace individual objects, aircraft-objects, accurately with very high confidence. In addition to tracking aircraft-objects, there is a database of information about the aircraft (ideally), such as make, model, age, range, passengers and other properties about the aircraft-object. In addition, there is a state-model for each aircraft, for example the aircraft might be “on the ground”, “approaching the runway”, “cleared for takeoff”, “cruising altitude”, “approaching runway”, “final decent” etc.

Tracking and tracing individual aircraft is what is generally referred to as “object refinement” in our CEP/EP reference architecture. The reason we call this function “object refinement” is that system engineers are focused on optimizing the situational knowledge about individual objects. Sometimes we refer to this function as “track and trace” because that is what we are doing to each object in the model. In Marc Adler’s recent shoplifting scenario, Marc was interested in tracking and tracing people in a store using imaging processing techniques to estimate their behavioral patterns. In the same way, before we can process for scenarios such as “potential shoplifter” or “suspicious criminal gang activity” we must be able to accurately process (track and trace) individual object, such as people or merchandise.

Back to aircraft and ATC, the “complex event processing” begins when we are looking about object-object relationships, in this model, aircraft-to-aircraft, but this is an overly simplistic model, as we have not yet added (to our model) ground features (towers, buildings, power lines), weather (storm cells, wind) and other flying objects (known migratory bird paths, swarms of insects) to our simple model.

Complex event processing occurs when we are processing multiple objects in our model looking for threats in real-time. Practically speaking, all ATC applications are CEP applications. This means that vendors and integrators who build ATC applications are also CEP vendors.

Editorial Note: CEP/EP has been around for a long time and was not recently invented in the past decade as some “inventors” would like for us to believe.

As you can imagine, there is considerable “complex event processing” that goes on “behind the scenes” to provide air traffic controllers and pilots situational knowledge into the “friendly skies”. As you might further imagine, the situation is more complex when the skies are “not so friendly”, for example, in air combat situations.

Processing myriad objects is not the end of the processing “chain”. For example, decisions are being made constantly about potential damage, alternative airports, and more. In our reference model, we refer to this, generally speaking, as “impact assessment” because we must take an estimated detected complex event, for example “aircraft collision,” and estimate potential damage based on numerous factors such as, the amount of jet fuel in the aircrafts and the location of the aircrafts (over a large city or rural area, near a hospital and emergency services). Regardless of the scenario, an impact assessment is normally required before optimal decisions can be made.

This is true, by the way, for our shoplifting example (the impact is different if a piece of gum is stolen versus a $1,000,000 diamond necklace or weapons-grade nuclear material) and other scenarios and models. Static data (information about objects) is required for accurate decision processing.

Impact assessment is not the end of the “knowledge chain”. Decisions are constantly being made that effect resources. For example, suggestion an alternative route for an aircraft is a resource management decision. Turning on and off radar or switching to alternative tracking devices is a resource management function. In our CEP/EP reference model (based on the JDL data fusion model), we call this “resource management”. This function includes contacting emergency services and directing them to a potential crash location or sending out a message to instruct all aircraft to stay off a certain radio frequency. Resource management is critical.

Our simple ATC model today is by no means complete, it just scratches the surface. In fact, I have a very close friend, Mark Secrist, who is a former Marine fighter pilot and currently a senior captain for American Airlines. I have asked Mark to read this post and help me further refine this crude “laymans” ATC model (Thanks Mark!).

More on Why Routing is Not Complex Event Processing

Thu, 04 Sep 2008 05:38:58 +0000

Interestingly, CEP is Not BPM, BAM, BRE, BRMS or SOA stimulated many great comments and the rebuttal Smart Order Routing and CEP - Made for Each Other. James Taylor responded with Business rules, decisions and events. I followed up with CEP is Not Low Latency Messaging, EAI or ESB and James replied in turn with Still More on Event Processing. It’s great to see the blogosphere doing so well. Continuing, I would like to discuss smart order routing (SOR) a bit more and why routing is not CEP.

First of all, let’s ground the discussion a bit by translating “smart order routing” to “rule-based message routing” since in this application “smart” translates to “using rules” and “order” translates to “message”. Basically, Mark (and other “new on the routing scene” stream processing players) argue that rule-based message routing is CEP. I will argue that routing is not even close to CEP. Here is why,

Let’s take a look at a router on the backbone of the global Internet. A backbone router has very sophisticated software developed over many decades. These routers run sophisticated, mature algorithms to determine how to route messages (packets) and use these algorithms to build complex routing tables.

In addition, these routers process messages (packets) from countless sources and route messages (packets) to countless destinations. Using some of the terms in early posts (above), there is a great “confluence of events” processed by routers. Futhermore, there are normally quite complex authentication, authorization and other security parameters managed in a router, all in real time. Routers do much more, but I don’t want to get too deep into routing in this post.

My point is that, without any doubt, global Internet routers process very “cloudy” “confluence of events” with much more sophistication than order routing applications. However, we do not call Internet routing “CEP”, regardless of how many connections are processed or how much sophisticated processing occurs. The reason is because the “C” in “CEP” defines a complexity that is at a higher abstraction than messaging and routing.

If you study the literature on CEP, some of which I posted recently, CEP was envisioned to solve complex event processing problems “on top of the routing layer” because the routing layer is a mature technology layer. We can route, pure and simple. Of course, we are always seeking faster, more scaleable and more secure routing.

I admire some of the startups in the CEP/ESP/EP space for working hard to make money and for aggressively positioning their products and attempting to build market share. However, issues surface when these same companies seem to believe they are the first companies to work in the event processing or message routing space and that they can define whatever they want as “complex event processing” as long as it benefits their sales targets.

There is no doubt that a router does much more sophisticated event processing than the new rule-based stream processing systems running continuous queries across streaming data. There is no doubt that a router processes a complex “confluence of events”. However, we don’t call routers “CEP”.

We do not call routers “CEP” because CEP is about a higher level of knowledge processing. CEP was created to detect the “complex events” that happen above the mediation and routing layer. The literature and original examples on CEP are quite clear on this.

The Kum Bai Ya of Event Processing

Mon, 01 Sep 2008 08:58:40 +0000

Kindred spirit Marc Adler mentions being a bit ”turned off” by the sniping back-and-forth in the CEP/EP blog-o-sphere. This was exactly how I felt in early 2006 when folks were sniping back and forth about SQL standards and event stream processing (ESP). A group of vendors had created some stream processing engines and all were in “power positioning” mode with the acronyms “ESP” and ”CEP”, hoping to ride what they perceived as a future event processing gravy train.

My goal at that time was to show everyone that there was a very mature (functional) reference architecture with decades of maturity that applies to (complex) event processing, adapted from the JDL model for information fusion. Kum Bai Ya.

There is plenty of room for everyone in this model. Kum Bai Ya.

The model is inclusine not exclusive. Kum Bai Ya.

The JDL model is based on years of operational maturity. Kum Bai Ya.

The model is functionally and technically accurate. Kum Bai Ya.

Everyone at the first event processing symposium (March 2006) seemed to agree with this model, at least publicly, because there was no “push back” at the symposium. Kum Bai Ya.

Professor David Luckham did not discuss architecture in his book, The Power of Events. Kum Bai Ya.

David’s research at Stanford, some CEP related, was funded by DARPA, who also support the JDL information fusion model. Kum Bai Ya.

TIBCO Software adopted the JDL model (Note: I worked for TIBCO the time.) Kum Bai Ya.

We built a functional reference architecture around this mature model. Kum Bai Ya.

We did not claim we invented it. Kum Bai Ya.

We did not patent the model, only shared it. Kum Bai Ya.

The model is free and open for everyone to use. Kum Bai Ya.

The folks in the military and government totally agree with this model for CEP/EP. Kum Bai Ya.

Complex operational problems are addressed every day with this model. Kum Bai Ya.

Air traffic control uses this model. Kum Bai Ya.

Missile defense uses this model to protect us from harm everyday. Kum Bai Ya.

Intrusion detection and network management now use this model (Note: I published an ACM paper on adapting this model for cybersecurity 10 years ago). Kum Bai Ya.

Oh, blog-o-sphere. Kum Bai Ya.

Mainframe Mindset

Wed, 13 Aug 2008 17:18:17 +0000

You might think a mature industry like mainframes means low growth, but IBM is still selling mainframes like hotcakes. IBM said its mainframe business rose 32% in the second quarter compared to overall sales growth of 13%. How many 1960s technologies are putting up these numbers in 2008? The reality is that what mainframes do, they do well. While some companies invest 8 figures in moving to a supposed latest and greatest ERP or CRM solution, many would be better served by putting a Web services gateway in front of the mainframe to address the mainframe's chief weakness - distribution.

From a security point of view, mainframes are interesting because they were designed for a closed environment. Their advocates generally talk about the beauty of RACF and so on, and that is all well and good until people go and put them on the web! Approaches vary, but it usually amounts to MQ Series with not authentication, sitting in front of the mainframe with a J2EE server talking to the queues. What happens then is a major shift, because the mainframe security model is designed (rightly for its time) to be focused on the resource owner (remember the R in RACF). There is a minimal effort on securing the subject, the claim and so on.

Again the mindset is fine when its your own employees in a room using a terminal, but its another thing altogether when you are integrating with a distributed system. This is where we need more focus on securing the subject and the claim, not just the resource. This is of course where new standards and technologies such as SAML and Information Cards come in. Its not enough to protect the object resource and assume a benign controlled (or controllable) subject and claim, you have to add layers of protection to the subject and claim as well.

EPTS: An Event Processing Marketing Society (EPMS)

Wed, 13 Aug 2008 04:02:57 +0000

A number of months ago we posted Some Comments on the EPTS Member Agreement where we concluded, in summary:

“I have quite a few other concerns the with EPTS Member Agreement. Basically, the agreement needs to be written with an eye toward a more flexible, open and inclusive process that puts the future of the EPTS square into the hands of the event processing community, not a small group of well intended folks who represent a small part of the overall event processing community and worldview.”

Opher’s reply was to just dismiss these comments, a bit surprising since I served the CEP/EP community on the EPTS steering committee; worked quite hard as a matter of fact, for a number of years. Opher’s appreciation for the years of work is to just off-handly dismiss my comments.

Then in On faithfull representation and other comments and On Top Down and Bottom Up Opher does the same thing, he simply dismisses my comments, defensively, adding humor, sarcasm and fallacy.

I am sorry Opher is so defensive of his narrow society; however I will not yield, because I do not need to resort to sarcasm, fallacy and ad hominums; the facts obviously support my view. For proof that Opher has a narrow view of event processing, go no further than look at the companies he hand-picked for his EPTS Steering Committee; most startups (or with startup products) in the event processing space, working on common messages to distinguish themselves in a market with much more mature players excluded - classic “not invented here,” isn’t it?

Opher’s claims the EPTS view on event processing is quite general, but the majority of vendors on the EPTS Steering Committee members are selling similar platforms, a very narrow segment of the CEP/EP space. Opher claims that he agrees that other domains (like sensor fusion) are significant to CEP/EP, but he simply dismisses my advice to create a true, general EPTS, inclusive of the prior-art and science of CEP/EP (before the marketing folks took over). He insists on having the EPTS “reinvent the wheel” and develop their own vocabulary, as if event processing did not exist prior to one book on CEP.

Opher’s fun-to-read blog counterpoints to my concerns are evolving to a mixture of ad hominums and sarcasm, sometime wrapped in a defensive tone. I think we can do better and we must be more inclusive of the other prior-art. I say we, because I am also a founding member of the EPTS, althought I suspect Opher will banish my name from the membership for trying to diminish the “not invented here” attitude that seems to dominate the EPTS since inception.

The truth of the matter is that the EPTS has a relatively narrow view of event processing, evident by the makeup of the steering committee and the focus of their discussions. It is not a technical society about event processing, per se; it is a marketing society with a narrowly focused membership that discounts most of the prior-art in the event processing space, it is really, an Event Processing Marketing Society (EPMS) for a narrow group of niche players.

The event processing domain is much, much larger. The art-and-science of event processing is deep and mature, much more mature (and inclusive) than what we see in the EPTS.

I think Opher (and the EPTS committee) should take these comments seriously and not discount them with sarcasm and subtle ad hominum replies.

The Secret Life of CEP

Tue, 05 Aug 2008 14:32:44 +0000

Catching up on the blogs, I couldn’t help but comment on, Is CEP Mature? Or a Curious Case of Information Asymmetry by Mark Tsimelzon, President & CTO, Coral8. Mark says,

“I know for a fact that every major CEP vendor has several dozen paying customers.”

Somehow Mark, I don’t find a dozen paying customers by the top CEP vendors very impressive.

Then, as to somehow justify the lack of public reference clients, Mark takes the position of a Coral8 customer and says,

“We believe that the use of Coral8 gives us a strategic advantage over our competitors. Why would we want to clue them in?”

Naturally, the same thing could have been said about the first desktop computer, or the first back-office banking system, or the first calculator, or the first telephone, frankly speaking.

Of course, when the technology is mature, then it is “Hey we have lots of computers!” “Hey, look at my fully functional sexy iPhone!” “We have the best back office banking systems on the planet by !”

Well, all this CEP Solution Secrecy (CEPSS) might just be similar to why the government keeps many IT projects a secret; the main reason is so we don’t know how much taxpayer money they are spending!

So, folks, the debate counterpoint that there is some “Secret Life of CEP” and that the CEP solutions today are somehow changing the way C-Level executives, and corporate America, thinks is just wishful thinking.

Companies don’t need to keep their strong technical solutions a secret. Like, Wow! I am using Coral8 and it is so impressive that I have to keep it TOP SECRET. (Sorry Mark, nothing personal, you simply gave me a big red target and painted “fire when ready” on it)

Note: I happen to like Coral8, and Coral8 Studio, as an event stream processing platform.

Back on point, I consider my laptop and cellphone more indispensable than most of the first generation rule-based stream processing engines out there today, and I am sure most CEOs agree.

The Secret Life of CEP…. you just have to just love it

On CEP as a Discipline

Tue, 05 Aug 2008 04:46:27 +0000

In CEP as a Discipline, David Luckham wrote:

“Actually, it is fair to say that some of CEP can be found in other disciplines. Event processing has been going on in one form or another, for the past 50 years. Simulation, Networking, Active DBs, Middleware.

{ …. }

CEP has only just begun. The foundations are unexplored. Its an open field of research issues.”

Actually, on slide 12 of this presentation from 2006 Processing Patterns for PredictiveBusiness, we show that the foundations for complex event processing have been in place for many years and in many disciplines such as multisensor data fusion, control theory, sensor management, planning, correlation, estimation, tracking, information fusion, data fusion, data mining and more.

One obvious problem (or at least obvious to many of us) with the current group think marketing CEP is that many have ignored the established foundations for event processing and complex event processing that have been mature for many decades. It is not very efficient (nor good for customers) to pick a phrase, or concept, like “CEP” and ignore the relevant mulitiple disciplines that have been used to solve complex classes of distributed event processing problems for decades.

Therefore, “CEP has only begun” is only true for those who have ‘drank the CEP koolaid” and do not understand (yet) that they are “reinventing the event processing wheel” and ignoring (by accident or purposely, I have no idea of the motives) the prior-art and/or selectively picking the prior art or research associated with their company, byline, favorite researcher, CEO, etc. This is a fundamental issue (and constraint) with CEP, in my opinion. Complex event processing does not stand alone as an art or a science, nor should it, nor should it be based on single dimensional, or small groups of single dimensional, technologies.

If you want to see many of the foundations of CEP, you don’t need to go much further than slide 12 of this presentation from 2006, Processing Patterns for PredictiveBusiness.

Based on my observation, it reminds me of a small group of folks on a discovery mission where their ship lands on the shore of a distant land and they call this “new land” — “CEP” because they feel they have discovered a new land. Nevermind the big cities that already exist or the many people already “in the fields” of their new land. These ”CEP explorers” are seemingly in some kind of modern day epic struggle to define themselves as “discoverers” or “founders” and they are coming up with new names of the lakes, rivers, streams and mountains that defined the landscape long before their ship arrived.

Note: It is encouraging to see folks slowly “catching up”…. maybe in a few years we will move CEP beyond the “not invented here” mind share that we see today.

Also note that, recently we saw a flurry of posts where many people rightly stated that “CEP was overhyped” - but then in rebuttal the EPTS community leaders came back with “Is CEP a mere hype?” or “Is CEP a hype?”. spinning the discussion to an extreme position that is wildly different than “CEP is Overhyped”.