Even thought TIBCO’s BusinessEvents does not yet support Bayesian Classifiers, Artificial Neural Networks and other advanced decision support algorithms, it is just a matter of time before TIBCO will add these advanced features “out of the box”.  On the other hand, the extensible nature of TIBCO’s BE makes it possible to add probabalistic computing functionality, however this requires quite a lot of programming and integration work.

When I see a great release like this for TIBCO, it makes me a little nostalgic for “the good old days” travelling the world in the front of the aircraft for TIBCO.   TIBCO has a rich and diverse customer base.  This customer base includes financial services companies; however, TIBCO is much less dependent on financial services than other event processing companies.   So, with TIBCO you not only get great technology, but rock-solid stability in an unstable and uncertain business world.

As a side note, an S&P analyst recently downgraded TIBCO’s stock (TIBX), primarily due to chao in the financial services sector.    Because of TIBCO’s global reach and stability, plus forward vision, advanced technologies and many years of commericial success, the S&P downgrade will create a buying opportunity for TIBCO stock.

For example, the “Average Joe Investor” does not care about “best order execution” or “smart order routing,” this is for “the big boys.”  As we all know, saving a few pennies or dollars per transaction to “Average Joe Investor” does nothing for them when their retirement nest egg is lost due to corporate greed and negligence.     The folks who “really care” about shaving a few milliseconds off market execution are the companies that are trading high volumes of exotic derivatives and baskets who have, for the most part, zero interest in the personal financial portfolio of “Jane in Iowa” or “Joe in Kansas.”

I am really amazed to see the dominance of greed in corporate America and the lack of corporate social responsibility.  Risk taking and “split second trading” does little for any small. individual investor and has proven to destabilize our society.    Who cares about saving a few pennies or dollars in market executive?

The answer: Only the greedy corporations, the same people responsible for the current destabilization, chao and near collaspe of our entire financial system.   Homes lost, unprecedented bankruptcies. and money market funds less than par value!   You no doubt have read that folks in the Reserve Money Market funds cannot even withdraw their “safe money.”  Investors in the Reserve Funds are being told that for every dollar they invested in a money market, they now only have 97 cents and cannot withdraw their capital as the Reserve waits for a government bailout.

What is to blame? Greed and profits over corporate social responsibility are to blame.

I read where some folks think the government needs to regulate market-related news, supposedly to stabilize trading based on news.   Regulating news has another name -  “censorship” - but who cares about the US Constitution when money and split second algo trading is involved?    I am amazed.   Folks in financial services just will say or do anything to make a buck, or keep from losing one, even at the expense of society and our basic constitutional freedoms.  News is not regulated in our democratic society, nor should it be to make algorithmic trading “better”.     What we need is less split second, computerized algo trading and more stablity.   Machine processing should not dicate nor mandate changes to our democratic principles.

Nor should our lives in a free society be censored or regulated because of the trading requirements for split second transactions that benefit large corporations.    The average investor does not need an unstable financial system trading exotic derivatives and baskets at the speed of light.  This requirement is driven by corporate greed that destabilizes the core economy and fabric of our society.

Of couse, many of the same folks would like for us to believe that technology is the answer.  This is a fallacy.

Corporate greed is destabilizing society.   What need to be regulated is not the news, but corporate risk taking and corporate goverance.  Individual investors do not need lightspeed transactions in an unstable world.   Citizens and families need a secure, stable economic infrastructure, something that has been lost in the culture of corporate greed, but hopefully not forever.

With that in mind, I thought I’d write a couple of posts about communicating risk.  In this week’s post, I’ll talk about “risk qualifiers” that can be critical in helping management understand the true nature of some risk scenarios.

“I can live with this…”

Let’s say that you’ve done an analysis and the results look something like what’s shown in the charts below (I’ve included both a qualitative and a quantitative version):

At first glance, a decision maker might think “This doesn’t look so bad.  I can live with this level of risk.”  But that’s not necessarily the whole story…

Unstable conditions

An unstable risk condition exists when the following characteristics co-exist:

• Threat event frequency is low
• Vulnerability is high
• Probable loss magnitude is significant

When these conditions exist, the low loss event frequency is driven solely by the low threat event frequency.  In other words, we’re not actively managing loss event frequency; we’re just trusting to luck.  If threat event frequency changes (or an event occurs at all), then significant impact will likely occur.  An example might be an internal application that handles a significant volume of sensitive consumer records, but that has little or no authentication or authorization control in place.

Now, if all we provided management was a qualitative “Medium/Low” risk statement or a quantitative statement that “probable loss event frequency is roughly once every ten years with a probable loss magnitude of $500k”, then we haven’t really allowed management to make an informed decision.  

This additional information about the unstable nature of the risk condition is critical for a couple of reasons:  1) it allows management to decide whether they want to gamble, and 2) instability can reflect poorly from a due diligence perspective.  

Fragile conditions

A fragile condition exists when the following characteristics co-exist:

• Threat event frequency is high
• Vulnerability is low, but dependent on a single effective control
• Probable loss magnitude is significant

At a glance, this will look similar to an unstable condition.  In this case however, a single control is all that prevents a high loss event frequency.  An example might be a single layer Internet architecture, where the volume of threat events is high but the firewall is generally quite effective.   

Differentiation

One big advantage these qualifiers provide is to be able to differentiate between risk conditions that, from a risk chart perspective, look the same.  This differentiation allows us to prioritize better, which leads to more cost-effective risk management.  

Another advantage is that it provides nomenclature for expressing what our intuition has probably already recognized.  In other words, the experienced information security professional would intuitively recognize the difference between an unstable or fragile condition and one that isn’t (but that may look the same on a chart).  In my experience, what we tend to do in those instances is label the condition “high risk”.  The problem with this is that it  lumps these scenarios in with those where loss event frequency and loss magnitude are high, which erodes management’s ability to prioritize effectively.

At the end of the day, effectively managing any complex set of issues requires an ability to differentiate.  These qualifiers have proven to be extremely useful in that regard.

How many times have security products been the blame for network outages?  Many right? 

If something goes down and the network team gets a call, they immediately point their finger at the Firewall.  If a user can't access something on the network, its the Firewall.  If something is running slow on the network, guess what! 

Its the firewall.

And with Intrusion Prevention products, because they were very unstable during the early years and would crash or generate false positives a lot, customers started demanding that these devices had some failure mechanisms in them.  Customers demanded "Fail Open".  Fail Open to a security guy doesn't make a whole lot of sense because it basically says, if there is a problem with the metal detector at the airport, it should just "Fail Open" and let everyone into the gate area to board airplanes!

I'd rather block all traffic until I know it was secure, but I live in a world where most people don't think like me.  So.... Why the heck am I blogging about this in a virtualization blog?

Well, I know that Virtual Networks function much like Physical Networks and since network engineers don't always trust security devices I understand that the same set of requirements placed on physical security products will be placed on virtual security products.

Why wouldn't the networking guys demand that virtual security products have either "Fail Open" or what I feel is a better solution "Fail Over".

"Fail Open" is not really possible with virtual security products because true fail open means that you have some sort of physical relay or in the case of optical networks, mirrors that short circuit software to allow bits to bypass and flow around the software application.

"Fail Over" however is possible and customers are going to ask for the same things I believe when it comes to uptime on a virtual network as they do a physical network.

Take a look at the attached picture.  It depicts a software solution that has two firewall type products running in Active / Passive. 

CLICK PIC TO ENLARGE

So, as you are looking at security solutions for your virtual environment, you should ask the question of whether or not they provide any high availability and if so, what level of high availability.  Active / Active, Active / Passive, Statefull, Stateless, and everything you've asked of your physical vendors.

My guess is that if you ask and they don't have it, they will start developing it and marketing its ability.  Its a battle that cant be won completely.  Customers will always want high availability be it virtual or physical.

Until the next post...

JP

How many times have security products been the blame for network outages?  Many right? 

If something goes down and the network team gets a call, they immediately point their finger at the Firewall.  If a user can't access something on the network, its the Firewall.  If something is running slow on the network, guess what! 

Its the firewall.

And with Intrusion Prevention products, because they were very unstable during the early years and would crash or generate false positives a lot, customers started demanding that these devices had some failure mechanisms in them.  Customers demanded "Fail Open".  Fail Open to a security guy doesn't make a whole lot of sense because it basically says, if there is a problem with the metal detector at the airport, it should just "Fail Open" and let everyone into the gate area to board airplanes!

I'd rather block all traffic until I know it was secure, but I live in a world where most people don't think like me.  So.... Why the heck am I blogging about this in a virtualization blog?

Well, I know that Virtual Networks function much like Physical Networks and since network engineers don't always trust security devices I understand that the same set of requirements placed on physical security products will be placed on virtual security products.

Why wouldn't the networking guys demand that virtual security products have either "Fail Open" or what I feel is a better solution "Fail Over".

"Fail Open" is not really possible with virtual security products because true fail open means that you have some sort of physical relay or in the case of optical networks, mirrors that short circuit software to allow bits to bypass and flow around the software application.

"Fail Over" however is possible and customers are going to ask for the same things I believe when it comes to uptime on a virtual network as they do a physical network.

Take a look at the attached picture.  It depicts a software solution that has two firewall type products running in Active / Passive. 

CLICK PIC TO ENLARGE

So, as you are looking at security solutions for your virtual environment, you should ask the question of whether or not they provide any high availability and if so, what level of high availability.  Active / Active, Active / Passive, Statefull, Stateless, and everything you've asked of your physical vendors.

My guess is that if you ask and they don't have it, they will start developing it and marketing its ability.  Its a battle that cant be won completely.  Customers will always want high availability be it virtual or physical.

Until the next post...

JP