Software vs. Appliance: Appliances

I want to discuss deployment tradeoffs in Database Activity Monitoring, focusing on advantages and disadvantages of hardware appliances. It might seem minor, but the delivery model makes a big first impression on customers. It’s the first difference they notice when comparing DAM products, and it’s impressive – those racks of blinking whirring 1U & 2U machines, neatly racked, do stick with you. They cluster in groups in your data center, with lots of cool lights, logos, and deafening fans. Sometimes called “pizza boxes” by the older IT crowd, these are basic commodity computers with 1-2 processors, memory, redundant power supplies, and a disk drive or two. Inexpensive and fast, appliances are more than half the world’s DAM deployments. When choosing between solutions, first impressions make a huge difference to buying decisions, and this positive impression is a big reasons appliances have been a strong favorite for years. Everything is self-contained and much of the monitoring complexity can be hidden from view. Basic operation and data storage are self-contained. System sizing – choosing the right processor(s), memory, and disk are the vendor’s concern, so the customer doesn’t have to worry about it or take responsibility (even if they do have to provide all the actual data…). Further cementing the positive impression, the initial deployment is easier for an average customer, with much less work to get up and running. And what’s not to like? There are several compelling advantages to appliances, namely: Fast and Inexpensive: The appliance is dedicated to monitoring. You don’t need to share resources across multiple applications (or worry another application will impact monitoring), and the platform can be tailored to its task. Hardware is chosen to fit the requirements of the vendor’s code; and configuration can be tuned to well-known processor, memory, and disk demands. Stripped-down Linux kernels are commonly used to avoid unneeded OS features. Commodity hardware can be chosen by the vendor, based purely on cost/performance considerations. When given equal resources, appliances performed slightly better than software simply because they have been optimized by the vendor and are unburdened by irrelevant features. Deployment: The beauty of appliances is that they are simple to deploy. This is the most obvious advantage, even though it is mostly relevant in the short term. Slide it into the rack, connect the cables, power it up, and you get immediate functionality. Most of the sizing and capacity planning is done for you. Much of the basic configuration is in place already, and network monitoring and discovery are available without little to no effort. The box has been tested; and in some cases the vendor pre-configures policies, reports, and network settings before to shipping the hardware. You get to skip a lot of work on each installation. Granted, you only get the basics, and every installation requires customization, but this makes a powerful first impression during competitive analysis. Avoid Platform Bias: “We use HP-UX for all our servers,” or “We’re an IBM shop,” or “We standardized on SQL Server databases.” All the hardware and software is bundled within the appliance and largely invisible to the customer, which helps avoid religious wars configuration and avoids most compatibility concerns. This makes IT’s job easier and avoids concerns about hardware/OS policies. DAM provides a straightforward business function, and can be evaluated simply on how well it performs that function. Data Security: The appliance is secured prior to deployment. User and administrative accounts need to be set up, but the network interfaces, web interfaces, and data repositories are all set up by the vendor. There are fewer moving parts and areas to configure, making appliances more secure than their software counterparts when they are delivered, and simplifying security management. Non-relational Storage: To handle high database transaction rates, non-relational storage within the appliance is common. Raw SQL queries from the database are stored in flat files, one query per line. Not only can records be stored faster in simple files, but the appliance itself avoids have the burden of running a relational database. The tradeoff here is very fast storage at the expense of slower analysis and reporting. A typical appliance-based DAM installation consists of two flavors of appliances. The first and most common is small ‘node’ machines deployed regionally – or within particular segments of a corporate network – and focused on collecting events from ‘local’ databases. The second flavor of appliance is administration ‘servers’; these are much larger and centrally located, and provide event storage and command and control interfaces for the nodes. This two-tier hierarchy separates event collection from administrative tasks such as policy management, data management, and reporting. Event processing – analysis of events to detect policy violations – occurs either at the node or server level, depending on the vendor. Each node sends (at least) all notable events to its upstream server for storage, reporting, and analysis. In some configurations all analysis and alerting is performed at the ‘server’ layer. But, of course, appliances are not perfect. Appliance market share is being eroded by software and software-based “virtual appliances”. Appliances have been the preferred deployment model for DAM for the better part of the last decade, but may not be for much longer. There are several key reasons for this shift: Data Storage: Commodity hardware means data is stored on single or redundant SATA disks. Some compliance efforts require storing events for a year or more, but most appliances only support up 90 days of event storage – and in practice this is often more like 30-45 days. Most nodes rely heavily on central servers for mid-to-long-term storage of events for reports and forensic analysis. Depending on how large the infrastructure is, these server appliances can run out of capacity and performance, requiring multiple servers per deployment. Some server nodes use SAN for event storage, while others are simply incapable of storing 6-12 months of data. Many vendors suggest compatible SIEM or log management systems to handle data storage (and perhaps analysis of ‘old’ data). Virtualization: You can’t deploy a physical appliance in a virtual network. There’s no TAP or SPAN

Read Post

Incite 4/20/2011: Family Parties

The last two nights, we have celebrated Passover. Basically, we have a big dinner commemorating the escape of our forefathers from bondage and slavery in Egypt. At least that’s how the story goes, although I wasn’t there, so I maintain a healthy skepticism regarding burning bushes, parting seas, and plagues. But the point remains whether or not the stories are true. It’s really an excuse to party with friends and family, and enjoy some time together outside the craziness of day-to-day existence. I’m not unique in having a pretty hectic existence. For instance, the twins play baseball/softball, which means we were at the field both Saturday and Sunday, for a total of 5 games. Combined with the oldest one preparing for a dance show in a few weeks, we hardly had time to hit the head all weekend. But a close friend had a birthday party to celebrate her 40th Friday, so we had to take a break and celebrate. I did not squander the opportunity, and got rather festive with the help of some vanilla rum. OK, it might have been a lot of vanilla rum. If you find my liver, feel free to mail it back to Securosis Central. Adrian the mailman likes that kind of care package. Many of us don’t intentionally party enough. So I actually appreciate the religious holidays interspersed throughout the year. For me it’s not about the dogma, or whether what we are celebrating actually happened or not. And most of the time we don’t spontaneously start throwing food at each other. It’s about turning off the distractions and focusing on family and friends, if only for a night or two. We actually talk, as opposed to planning the next day’s activities. We eat (too much) and until you’ve experienced it, you can’t appreciate a Manischewitz Concord Grape hangover. A lot of our personal history is tied to these holiday celebrations, providing stories we tell for a lifetime. Like when – despite Mom’s stern warning not to get dirty – I fell into a stream behind my babysitter’s house, fancy corduroy pants and all. It was great fun but Mom was not amused. I think she’s still fuming. And it didn’t even involve Concord Grape. We can even make the wacky traditions fun. For instance, on Passover the kids hunt for a piece of Matzoh hidden in the house (it’s called the Afikomen), and if they find it they get a couple bucks. Which is huge progress, because I was lucky to get a piece of chocolate from my grandfather back in the day. Given this year’s bounty ($2 for each kid), and my oldest daughter’s big spending plans, she was very concerned that I wouldn’t make good on my financial obligations. I’m afraid I didn’t help the situation when I mentioned my new policy of charging $2 per month for rent. Imagine that – I can be difficult sometimes. Obviously I made good on the gift, but not before I had her unknowingly play back one of my favorite movie scenes. I asked her to say “I want my $2” about 10 times, and she didn’t understand why I was rolling on the floor. Too bad it was a school night, or I would’ve made her get on her bike and chase me around the neighborhood screaming “I want my $2.” Really, that’s not bad parenting, is it? Some folks figure they are Better Off Dead than suffering through yet another family holiday. But not me – I can make almost any occasion a big party. And I do. -Mike Photo credits: “La Tomatina / Spain, Bunol” originally uploaded by flydime I would be negligent if I didn’t call attention to a major milestone that one of us hits today. That’s right, the baby of the bunch, the rich mogul turns 40. Today. I’d say that’s old, but I still have 2+ years on him, and a lot more gray hair. Rich is taking a vacation day (as he should) and my hope is that he’ll take a step back to appreciates all he has and has done over the past 4 decades. He has a great wife and kids, he’s building a great business, and he’s one of the top dogs in this little game we play. So when you have your nightcap, after a typically hard day in the trenches of security, raise your glass to Rich and know that the next 40 will be better than the last. Incite 4 U Understand the real threat: Given all the (justified) bluster around the Verizon Data Breach Report, we can’t forget the need to understand what’s really at risk and how it is most likely to be compromised. Ax0n does a great job of reminding us by talking about the real insider threat, reminiscing about the hoops he’s had to jump through in order to remotely manage a server (legitimately, apparently). Then he contrasts that against the fact that other folks take the company’s most sensitive data outside on laptops and USB keys, posing a much more serious risk than a conscientious admin trying to fix things from home. Especially when the internal controls make life hard for people who don’t care about security. His point is that we need to match the controls (and security rhetoric) to the threat, and make sure it’s not onerous to drive creative folks to find a way around security. Remember, most folks believe security is not their job – it’s yours. You can make the case that it’s everyone’s job and you wouldn’t be wrong. But sales guys have to meet their quota each quarter, and that’s more important than meeting your rules. – MR DBIR poop commences: It took about a nanosecond, but as Rich predicted, the Verizon Data Breach Investigations Report is already being misquoted and misinterpreted. More breaches being investigated does not necessarily mean there were more breaches, but that’s the poop already hitting the wire. I understand the rush to get an article live, but they should at least read some of the report before editorializing. The general public

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.