Security Industry

The Security Industry Anti-Disambiguation Movement

By Rich

With all the recent talk about cloud security, I've really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word "cloud" for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But 'cloud' is only the latest example -- from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators.

We don't just see this in security; calling yourself "green" is an instantly classic example (hello "green" bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution "green", but it isn't like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement).

And what I'm focusing on today isn't mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences.

Here's how it works -- when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we'll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don't get to use it anymore).

Let's start with the methods (I'd apologize for the language, but you should be used to it by now):

• The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the "official" solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn't close to competitive.
  Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that's still debatable), but that didn't even slow down their marketing efforts and interoperability announcements.
• The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into.
  Example: AV vendors and antispyware.
• Malicious Confusion: Vendors know they don't have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn't to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today's cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation.
  Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP.
• The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless.
  Examples: Cloud and information-centric security.
• The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It's usually smaller companies, and may lead to their death once users figure out the product doesn't help with that problem, or after they score poorly in magazine/analyst ratings.
  Examples: Seeing this a lot with DLP and a bit in GRC.
• Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above.
  Examples: The Anti-Disambiguation Movement... and GRC.

The result falls into these categories:

• Death: The trend/market becomes so toxic that it dies, taking the slower companies with it.
  Example: PKI.
• Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die.
  Example: NAC.
• Redefinition: The term/market is redefined, but doesn't necessarily resemble its original form.
  Example: I think cloud security is headed this way.
• Meaninglessness: The term becomes so diluted it's essentially worthless, even though there might be some nuggets of truth in there.
  Example: GRC.

I'm having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators.

–Rich

Impact of the Economic Crisis on Security

By Rich

As I write this, the Dow is down nearly 600, Congress struggles to pass a bailout bill, and both the Broncos and Buffs lost over the weekend.

Bad times my friends, bad times.

Like many of you, although my current financial situation is pretty solid, I can't help but wonder what the future holds. We're not merely entering uncharted territory, we're headed straight for that big black circle marked "There Be Monsters Here". That doesn't mean we won't make it to the other side, but the journey is fraught with danger and challenge.

First, a couple of assumptions:

1. Some sort of bailout package will pass.
2. Times will get tough, but we won't enter a full depression.

If we hit a depression all bets are off- since, at that point, much of society essentially collapses. But short of total economic collapse, or a miracle economic recovery, we can somewhat effectively follow the trends and postulate some conclusions.

I lost my crystal ball years ago during a wild night with Hoff and Amrit involving some bottles of 40 year old scotch, the real Travelosity gnome, and a Vegas cab driver snorting pure ground Brazilian sugar cane, but if we step back we can probably make a few guesses as to the collective future of the security world.

First, our starting assumptions:

1. We'll continue to see severe credit restrictions- even tighter than now.
2. With limited credit and a weak stock market, the economic effects will spread beyond the financial sector. Retail, auto, and other credit-heavy industries will suffer the most.
3. We will see no decline in security threats, but the threats will morph to adapt to changing market conditions.

We don't need to get fancy; belts will tighten, credit will be harder to obtain, the bad guys will keep adapting, and business will continue, albeit more slowly.

These lead directly to some conclusions about the security market:

1. Startup cash will dry up, and IPOs are no longer an exit strategy option. There will be less security product innovation, and what is created will be bought earlier, and cheaper, by established players who can't afford big acquisitions anymore.
2. We will see continued, massive, consolidation as small companies struggle to survive and larger players can't create growth. These won't be big buyouts with happy founders retiring on the beach, but survival consolidations. Think Symantec buying Checkpoint, or Oracle buying Symantec. More middle players will consolidate as well, like the Sophos/Utimaco deal. We'll have a few big generalists, a smattering of middle-sized guys glomming together, and the occasional small company that bootstrapped with a couple paying clients and isn't dependent on external financing.
3. Best of breed loses to security suites. Users will demand more suites from their vendors, and "good enough" will be the name of the game. If you have a technologically superior solution no one will care. To be honest, no one really cares today, but they'll care less in the future.
4. Large price pressure. Users will demand these suites at no (or minimal) additional cost. Vendors will grind over each other in a race to the bottom just to keep customers. It may not look like it on the surface price sheets, but in the nitty gritty street battles on deals you'll see sales guys tossing in their firstborn essentially for free.
5. A continued obsession with compliance, cost reduction, and obvious threats. If a tool isn't required by the auditors, doesn't reduce ongoing operational costs, or stop a threat (like spam/viruses) that knocks people offline, it won't sell very well. Vendors who don't solve a clear and present business problem are in trouble. It will be nearly impossible to get budget for anything else.

We'll also see some threat evolution:

1. Tighter credit issuing will reduce new account fraud. If it's harder for the good guys to get credit, it will also be harder for the bad guys.
2. Existing account fraud will increase. It isn't like the bad guys will go get some non-existent legitimate jobs. They'll hammer the financial system, especially phishing/preying on financial fears. As any historian will tell you, fraud tends to increase during times of economic extremes- good and bad.
3. Major attack vectors will be similar to what we see today- clientside and web application. I don't see anything in an economic downturn that changes the technical nature of the attacks we see today- they'll continue to get more sophisticated, but that's happening regardless of any economic issues.

And, of course, this will impact security professionals and how we do our jobs:

1. The bad guys will keep us employed, but salaries will be under pressure. "Good enough" applies to us as much as it does to our tools. We'll see a little professional erosion as underexperienced newbies enter the market to stay employed, and non-security IT folks take added security responsibility. Now will be a good time for a diverse skill set to survive fat trimming.
2. We'll have to do more with less. That's so obvious I'm embarrassed to write it.
3. We'll be under even greater pressure to justify what we do, and what we spend on. Again, really obvious, but as we've been talking about long before these economic troubles, the most successful security professionals will be those who can clearly communicate with the business and articulate their value.
4. Get used to accepting more risk. We'll have to take hits on the small stuff to focus our efforts on the biggest risks.
5. Pragmatic wins. The broader your skill set, the less you cost the company while stopping most of the bad stuff; and the better you can communicate all of this the happier you'll be. It's always been about getting the job done, but let's be honest and admit that it isn't always about getting the job done. While internal politics and BS will never go away, odds are those who take a practical approach will survive better, and perhaps thrive, during tough economic times.

In other words, get used to people trying to nibble at your job, tighter belts in general, and doing more with less. Pet projects will fade and you'll be forced to use suites more, as we try to reduce both what we spend on tools, and the people to manage those tools. Threats won't fade, and we'll focus more on the large obvious stuff that doesn't obviously affect the balance sheet. Compliance won't go away (it will be worse in some sectors) and will continue to define much of what we do.

The need for security doesn't diminish, but the way it's delivered has to change during tough times. Security practitioners, vendors, and bad guys alike will be pressured to solve obvious business problems while proving their value (preferably with numbers and pretty charts). In other words, the more practical you are (except for you back stabbing wizards of internal politics), the better you'll be. Focus on the basics, keep the skill set up, and learn to talk to management and make nice looking charts.

As for me? I, like everyone, worry. As an expectant parent I'm starting to worry in ways I never imagined before. But I also know that if I continue to focus on helping my readers and clients save money, and am able to articulate said savings, I should be fine. I'm fairly pragmatic myself.

Oh- and I think we need a complete reboot of our fracking country and government, and fully intend on voting that way.

–Rich

Our Take On The McAfee Acquisitions

By Rich

I'll be honest- it's been a bit tough to stay up to date on current events in the security world over the past month or so. There's something about nonstop travel and tight project deadlines that isn't very conducive to keeping up with the good old RSS feed, even when said browsing is a major part of your job. Not that I'm complaining about being able to pay the bills.

Thus I missed Google Chrome, and I didn't even comment on McAfee's acquisition of Reconnex (the DLP guys). But the acquisition gods are smiling upon me, and with McAfee's additional acquisition of Secure Computing I have a second shot to impress you with my wit and market acumen.

To start, I mostly agree with Rothman and Shimel. Rather than repeating their coverage, I'll give you my concise take, and why it matters to you.

1. McAfee clearly wants to move into network security again. SC didn't have the best of everything, but there's enough there they can build on. I do think SC has been a bit rudderless for a while, so keep a close eye on what starts coming out in about 6 months to see if they are able to pull together a product vision. McAfee's been doing a reasonable job on the endpoint, but to hit the growth they want the network is essential.
2. Expect Symantec to make some sort of network move. Let's be honest: Cisco will mostly cream both these guys in pure network security, but that won't stop them from trying. They (Symantec and McAfee) actually have some good opportunities here- Cisco still can't figure out DLP or other non-pure network plays, and with virtualization and re-perimeterization the endpoint boys have some opportunities. Netsec is far from dead, but many of the new directions involve more than a straight network box. I expect we'll see a passable UTM come out of this, but the real growth (if it's to be had) will be in other areas.
3. The combination of Reconnex, CipherTrust, and Webwasher will be interesting, but likely take 12-18 months to happen (assuming they decide to move in that direction, which they should). This positions them more directly against Websense, and Symantec will again likely respond with combining DLP with a web gateway since that's the only bit they are missing. Maybe they'll snag Palo Alto and some lower-end URL filter.
4. SC is strong in federal. Could be an interesting channel to leverage the SafeBoot encryption product.

What does this mean to the average security pro? Not much, to be honest. We'll see McAfee and Symantec moving more into the network again, likely using email, DLP, and mid-market UTM as entry points. DLP will really continue to heat up once the McAfee acquisitions are complete and they start the real product integration (we'll see products before then, but we all know real integration happens long after the pretty new product packaging and marketing brochures).

I actually have a hard time getting overly excited about the SC deal. It's good for McAfee, and we'll see some of those SC products move back into the enterprise market, but there's nothing truly game changing. The big changes in security will be around data protection/information centric security and virtualization. The Reconnex deal aligns with that, but the SC deal is more product line filler.

But you can bet Webwasher, CipherTrust, and Reconnex will combine. If it doesn't happen within the next year and a half, someone needs to be fired.

–Rich

Don’t Sell “Compliance” If It Isn’t A Checkbox

By Rich

Perusing my blogs this morning I caught a post by Anton on DLP and compliance. That's the blogging equivalent of chaining a nice fat bunny to a stake in the middle of coyote territory here in Phoenix (in other words, the park behind our house). I, as the rabid coyote of DLP-ness, am compelled to respond.

Anton starts by wondering why he doesn't see compliance more in DLP vendor literature:

Today I was thinking about DLP again :-) (yes, I know that "content monitoring and protection" - CMF - is a better description) Specifically, I was thinking about DLP and compliance. At first, it was truly amazing to me that DLP vendors "under-utilize" compliance in their messaging. In other words, they don't push the "C-word" as strongly as many other security companies. Compliance dog doesn't snarl at you from their front pages and it doesn't bite you in you ass when you read the whitepapers, etc. Sure, it is mentioned there, but, seemingly, as an after-thought.

Then, he nails the answer:

But you know what? I actually think that it is something different, much more sinister. It is the ominous checklist mentality (here too)! You know, DLP is newer than most regulations (PCI DSS, HIPAA, FISMA, etc) and - what a shock! - the documentation for these mandates just doesn't mention DLP (or CMF) by name. Sure, they talk about data protection (e.g. PCI DSS Requirements 3 and 4), but mostly in terms of encryption, access control, logging (of course!). Also, PCI DSS directly and explicitly says "get a firewall", "deploy log management", "get scanned", "install and update AV" - but where is DLP? Ain't there...

I've spent a heck of a lot of time working with DLP vendors and users, and this is a problem that affects technologies beyond just DLP. Early on, the DLP vendors all talked about how they'd make you SOX, HIPAA, or XXX compliant. Problem was, there isn't a regulation out there that requires DLP. The customer conversations went like this:

Vendor: PCI compliance is bad. Buy DLP. User: Okay, is that section 3.1 or 3.2 that requires DLP? Vendor: It's not in there yet, but... {sales guy monkey dance} User: Ah. I see. Can you come back after we finish remediating our audit deficiencies? Say in 2012? Q3?

The truth is that DLP can help significantly with compliance with a variety of regulations, but none of them require it. As a result, vendors have softened their message and the good ones adjust it to show this value. I don't know if I really influenced this, but it's something I've spent a lot of time working on with my vendor clients over the years.

Other markets face this same challenge, and if you look back they almost always start by hitting compliance for the apparently easy cash, and are then forced to adjust messaging unless they are explicitly required. Users also face the same problem:

User: We need to do X for compliance with Y. Money Guy/Boss: Okay, where is that on the audit report? User: It's not, but {monkey dance}. Money Guy/Boss: Ah. I see. Maybe we can discuss this during your annual review.

Be it a vendor or an end user, the compliance sell is either the easiest or hardest you'll ever face. If the regulation (or your auditor) explicitly requires something, there's an immediate business justification. While there's a lot more to compliance, if it isn't on that list you can't sell it with merely the C word.

Instead, evaluate the tool or process in the context of compliance and show the business benefits. Does it reduce compliance costs? Does it reduce your risk of an exposure? For example, DLP content discovery, by identifying where credit card data is stored, can reduce both audit costs and the risk of non-compliance. Database Activity Monitoring can reduce SOX audit costs and the cost of maintaining appropriate logging on financial databases. There are a ton of internal process changes that improve audit efficiency and reduce the burden of generating compliance reports last minute every year or quarter.

When something is on the checklist, sell it as compliance. When it's off that list, sell it as cost or risk reduction. If it doesn't hit those categories, buy a monkey to do the dance- it's cuter than you are and more likely to get the banana.

–Rich

The Good (Yes, Good) And Bad Of PCI

By Rich

I'm still out at SANS, in a session dedicated to PCI and web application security.

Now, as you readers know, I'm not the biggest fan of PCI. The truth is (this is the "bad" part) it's mostly a tool to minimize the risk of the credit card companies by transferring as much risk and cost as possible to the merchants and processors.

On the other hand (the "good" side), it's clear that PCI is slowly driving organizations which would otherwise ignore security to take it more seriously. I've met with a bunch of security admins out here who tell me they are finally getting resources from the business that they didn't have before. Sure, many of them also complain those resources are only to give them the bare minimum needed for compliance, but in these cases that's still significant.

When it comes to web application security, it's also a mixed bag. On the "good" side, including web application defense in section 6.6 is driving significant awareness that web applications are a major vector for successful attacks. On the "bad" side, 6.6 places code review and WAFs as competing, not complementary, technologies. These tools solve very different problems, something I hope PCI eventually recognizes. I don't totally blame them on this one, since requiring both in every organization within the compliance deadlines isn't reasonable, but I'd like to see PCI publicly recognize that the "either/or" decision is one of limited resources, not that the technologies themselves are equivalent.

One take-away from the event, based on conversations with end users and other experts, is that WAFs are your best quick fix, while secure coding is the way to go for long-term risk reduction.

–Rich