Research

You can always smell desperation. It has a certain… quality that gently waifs into the nasal cavity, tickling those very nerves that are too oft neglected in our sanitary society. You know, the same ones that pick up the odor of sewer crap. What’s odd is that this smell is extruded not only by the truly desperate, but by those whose self esteem is so battered that they crave every bit of validation they can beg off the nearest passerby. It’s a strange dichotomy. When evaluating vendors and their chances of success, desperation isn’t always a clear indicator of their future. On one side we have the truly desperate, such as the vendor I worked with, who was quietly shopping around for a buyer and could only provide small school districts as references. On the other side was the bully; the successful startup who revelled in sending photos of their gear replacing a competitor’s on a rack. They eventually got bought for big money, but I suspect that marketing manager is blowing it all at a strip joint dropping twenties in the hopes the dancer will make eye contact and call him darling before strutting off stage with enough cash to solve the crisis in Darfur. Today, thanks to Alan Shimel, we see probably the most amusing act of desperation I’ve ever witnessed. One of his competitors, ForeScout, bought the Google AdWords for Alan’s name. Now, every time you search on Alan, the first thing that comes up is: Replacing Safe Access? www.forescout.com/counteract Get CounterACT – Clientless Network Access Control from ForeScout This is the security marketing equivalent of political push polling, but probably a lot less effective. Okay, it’s amusing, but ForeScout has probably given Alan one of the best sales tools he ever asked for. How hard do you think it will be for him to use this to his advantage in a competitive situation? Here’s a note to you marketing folks- take a look at sources like this Security Catalyst Forums thread on vendors. Acting like a used car salesman is a sure fire way to alienate a prospect. I hear this time after time. Yes, as Rothman tells us certain heavy handed tactics work, but if it smells like crap on a simple Google search, odds are the customer will figure out it’s crap. (For the record, I know nothing about ForeScout and haven’t ever worked with them; the product might be great for all I know) Share:

Fresh off today’s Daily Incite I saw that Raytheon acquired Oakley Networks. Oakley is a bit of a strange bird- it’s not really DLP, but they have some interesting monitoring technology that’s well suited for certain environments- especially the federal sector that Raytheon plays in so strongly. Oakley started with an endpoint monitoring tool that’s like keystroke capture on steroids (and centrally manageable), and then bought a network tool vendor for monitoring acceptable use on the wire. It doesn’t have the advanced content awareness of DLP, nor some of the integration required for the filtering and discovery sides, but that’s not really what it’s used for. DLP records only on violations; Oakley is better described as “user activity forensics” (it’s more than that, but that’s the closest bucket). I don’t expect to see Oakley/Raytheon break into the general enterprise market anytime soon, and I hope this ends the confusion of people lumping them into DLP (a lot of that’s their own fault from some decisions they’ve since moved past), but I think the Raytheon acquisition is reasonable and appropriate, and should be successful because of the federal focus. I don’t get to say that often about buyouts. Good luck to Tom and the guys… Share:

Orchestria finally announced their first “true” general DLP product. For those of you who don’t know, Orchestria has danced around this space for a few years now. They started with a product narrowly focused on helping certain financial services firms, particularly broker/dealers, manage compliance issues around insider trading and privacy. Basically you can think about it as a client-centric (with some networking monitoring) DLP solution focused on one category of violations. It didn’t work well as a general DLP solution, but that wasn’t their market. Interestingly enough it was based on Autonomy’s Aungate technology, but then Autonomy started pushing Aungate competitively and Orchestria had to do a little re-working (industry rumor stuff, this didn’t come through confidential channels). Autonomy has since bought Zantaz and are combining the products. Anyway, back to Orchestria. Since I worked with them before and don’t know exactly how much is public about the new product I can’t go into any details. What I’m comfortable saying is that it looks interesting, covers the bases to be considered more Content Monitoring and Filtering than just DLP, and I’ll withhold judgement until we see some deployments and competitive evaluations. But they might not get the chance if their sales guys are as poorly educated on the competition as the press release and their product site indicates. They claim to be the first “next generation” DLP solution; filling the gaps uncovered by others. Let’s look at a few: Unlike first-generation DLP software, Orchestria provides coverage across all points of risk within an enterprise, detects violations accurately with minimal false positives, and can proactively block true infractions. Weird. That’s what customers tell me all the major DLP solutions do. Especially the top five of Vontu, Reconnex, Websense, Vericept, and EMC/Tablus. My assessment is that every one of these products provides that, and some others, like <a href=”http://www.codegree etworks.com”>Code Green (a mid-sized play) also provide it. Orchestria Multi-Layered Defense – Orchestria Multi-Layered Defense leverages multiple network, server, client, import and archive agents to ensure control across all forms of electronic data, including messages with encrypted and password-protected files, internal messages, disconnected laptops, files at rest, and mobile storage devices – most of which are ignored by first-generation solutions. Totally untrue. All the top five do all, or most, of that. Sometimes it takes third-party integration, so maybe that’s the grey area they’re taking advantage of. Orchestria Full-Dimensional Analysis – Limited to content-focused inspection, first-generation platforms falsely flag numerous legitimate messages. These “false positives” create a significant review burden and prevent organizations from implementing controls that block or correct messages before they are sent or files before they are saved. Orchestria’s Full-Dimensional Analysis not only analyzes content, but also dynamically examines content-around-content, message context, the identity of sender and recipients, hierarchy, and user input. This approach can reduce false positives by more than 90% compared to first-generation solutions. I’m unaware of any major DLP product that doesn’t use context as well as content. Actually, they sort of have to in order to work. Orchestria Incident-Appropriate Action – Far beyond passive post-incident review employed by first-generation technologies, Orchestria proactively protects enterprises by matching responses specifically to the type and severity of the violation. In addition to providing the industry’s leading workflow-enabled review capability, Orchestria supports a variety of “before-the-send” actions including blocking, correcting, and quarantining. This solution also automatically classifies, routes, and stores sensitive messages and files to meet a variety of records management and legal mandates. Common features in any successful DLP product. I’ll give them a little credit, most of the other DLP tools don’t focus on compliance archiving and require more manual tuning and technology integration to manage that. But workflow review? Hell, I’ve been working with all the major DLP vendors for years on this (at least the ones that didn’t come up with good systems on their own). Dr. Sara Radicati of The Radicati Group said, “The key advantage with Orchestria DLP is responding to potential violations with automated incident-appropriate actions – from a routine warning, to forwarding to a supervisor, to nothing at all. As it all happens in real time, customers will know that their messages haven’t been banished to a backed-up review queue for hours or even days This is why I’m very careful about the custom quotes I’ll do (none for years now, but never say never); they make you sound like a … well, I’d use the word we’re all thinking if it were a guy, but I’ll never say that about a woman who doesn’t print it on her business card. I hope I get to stay on my high horse indefinitely; now that I’m an independent consultant we’ll see how long I last. “Orchestria’s DLP solution provides a new and different approach that fulfills all requirements for effective protection,” said Bo Ma ing, Orchestria’s president and chief executive officer. “It covers all points of risk within the enterprise, accurately distinguishes violations from false positives, and enables the right action, including proactive protection – all on the industry’s most flexible architecture. Bo, I think you’ve done some cool stuff, but you’re better off focusing on what you really bring that’s new to the market (and you do have a couple things) than exaggerated marketing that won’t stand up once someone glances at a competitor. Your website is even more full of omissions and errors than this release. DLP is probably the ugliest market I covered as an analyst. It’s seriously rough and tumble with over a dozen vendors fighting over what was only $50M last year, and will probably only be $100-120M this year. Unless by “First Gen” you mean products from 2 years ago, you’re in for a surprise once you go into competitive evaluations. Marketing aside I think Orchestria will be one to watch and a few competitive wins could open up some big opportunities. Right now, the jury is out and it’s clear whoever wrote their marketing materials needs to take a close look at the competition. Share:

Cutaway has a good post up today over at Security Ripcord. In it, he suggests that Microsoft should… well, I’ll let him say it: Here is my solution: Microsoft needs to come up with a Central Update Console that software and driver developers can hook to configure automatic updates. They already provide this type of feature through the “Add/Remove Programs” console. Good developers utilize this to help users and administrators manage the software that is installed on their systems. How hard would it be to come up with a solution that other developers could hook to help with centralizing the management of updates and provide a significant positive impact on the overall security of every computer on the Interweb? Although the design, development, testing, implementation, and maintenance of this project would be challenging, I am willing to be that this would be a small project in the grand scheme of Microsoft OS development. They don’t need to take every software vendor into consideration, they just need to come up with one method all of them could use. This is something I’ve actually put some thought into (and not just because Cutaway and I talked about it a couple weeks ago), but I don’t think it can work. At least not today. Managing vulnerabilities and patches is a huge issue, with a moderately sized third party market just to deal with it. While Microsoft provides patches for their own software only (with few exceptions, like a recent ATI driver update), they don’t provide patches for non-Microsoft software. I think this is for two reasons that I don’t expect to change anytime soon. Antitrust- there’s an entire market dedicated to vulnerability and patch management. MS can’t step in an include this in the OS, however useful an idea, without having to face antitrust accusations. Due to past mistakes, they are often restricted from including features other OS vendors don’t blink an eye at. Take a look at all the whining by Symantec and McAfee over Patchguard. Liability- it doesn’t matter how many warnings and disclaimers MS puts on the darn thing; the first time a bad third-party patch propagates through a Microsoft central patch console and blows up systems (which is inevitable), the world will cry havoc and let slip the dogs of alt.ms.sucks- and at least a few lawyers, wanting a piece of the MS pot of valuation. On the enterprise side this isn’t as much of an issue since most organizations don’t use the update function built into Windows (although they do use WSUS (Windows Software Update Server). Consumers, on the other hand, rely heavily on Microsoft for their updates and some sort of central service for third party patches could really help keep their systems current. Especially for device drivers; while applications can build in their own update functions and check whenever they’re used, device drivers represent a huge class of vulnerability that even most enterprises don’t pay enough attention to. Also, as software gets more and more intermingled the risk of relying on application launch to check for patches becomes a problem. Components can represent an exploit risk through a web browser or a virus, even if you haven’t launched the application in a long time. Today, vendors manage this by ignoring it or installing YAASTS (Yet Another Annoying System Tray Service) that runs constantly, draining your system resources. Thus I think Cutaway’s idea of a central patch service could provide a lot of value and help improve security. No argument there. But it represents a risk to Microsoft that I just don’t think the product managers, never mind the lawyers, will let them take. Share:

I’m probably going to swing out to Vegas for a day or two, but haven’t figured out what days yet. If you’re going and want to meet up, drop me a line in the comments or at rmogull@securosis.com. Share: