Securosis

New White Paper: DAM Software vs. Appliances

I am pleased to announce our Database Activity Monitoring: Software vs. Appliance Tradeoffs research paper. I have been writing about Database Activity Monitoring for a long time, but only within the last couple of years have we seen strong adoption of the technology. While it’s not new to me, it is to most customers! I get many questions about basic setup and administration, and how to go about performing a proof of concept comparison of different technologies. Since wrapping up this research paper a couple of weeks ago, I have been told by two separate firms that, “Vendor A says they don’t require agents for their Database Activity Monitoring platform, so we are leaning that way, but we would like your input on these solutions.” Another potential customer wanted to understand how blocking is performed without an in-line proxy. These are exactly the reasons I believe this paper is important, so I’m glad this is clearly the right time to examine the deployment tradeoffs. And yes, these questions are answered in section 4 under Data Collection, along with other common questions. I want to offer a special thanks to Application Security Inc. for sponsoring this research project. Sponsorship like this allows us to publish our research to the public – free of charge. When we first discussed their backing this paper, we discovered we had many similar experiences over the last 5 years, and I think they wanted to sponsor this paper as much as I wanted to write it. I hope you find the information useful! Download the paper here (PDF).


New White Paper: Understanding and Selecting a File Activity Monitoring Solution

A while back I got the weird idea that Database Activity Monitoring is useful enough that it would make sense to do the same thing for file repositories. I’m not talking about full DLP – but about granular tracking of user access to major file servers and document management solutions. I added “File Activity Monitoring” to the Data Security Lifecycle and figured someone would develop it eventually. And that day is finally here, and the tech is way cooler than I expected – tying in tightly (in most cases) to entitlement management for some nifty real-time security scenarios. This is pretty practical stuff, with uses such as detecting a user snagging an entire directory and catching service accounts poking around inappropriate files. I am excited to launch our white paper on the topic, Understanding and Selecting a File Activity Monitoring Solution. That’s the landing page, or you can download the PDF directly. Special thanks to Imperva for licensing the report, and I hope you like it.


Incite 6/1/2011: Cherries vs. M&Ms

Queue up the Alice Cooper and get ready. Last Friday was the last day of school for the kids. That means school’s out for summer, and it’s time to get ready for the heat in all its glory. Rich and Adrian live in the desert (literally), so I’m not going to complain about temperatures in the 90s, but thankfully there is no lack of air conditioning and pools to dissipate this global warming thing.

There are plenty of things about summer I enjoy, but probably best of all is being able to let my kids be kids. During the school year there is always a homework assignment to finish, skills to drill, and activities to get to. We are always in a rush to get somewhere to do something. But over the summer they can just enjoy the time without the pressure of deadlines. They spend days at camp, then head to the pool, and finish up with a cook-out and/or sleep-over. Wash, rinse, repeat. It’s not a bad gig, especially when you factor in the various trips we take over the summer. Not a bad gig at all.

But enough about them – one of my favorite aspects of summer is the fruit. I know that sounds strange, but there is nothing like a fresh, cheap melon to nosh on. Or my favorite dessert, cherries. Most of the year, the cherries are crap. Not only are they expensive (they need to fly them in from Chile or somewhere like that) – they just don’t taste great. Over the 3-4 months of summer, I can get cherries cheap and tasty. There is nothing like sinking my teeth into a bowl of cherries at the end of a long, sweaty day. Nom.

It’s been said that life is like a bowl of cherries. I’ve certainly found that to be the case, and not because some days are the pits. It’s also that some folks always chase the easy path. You know, getting pre-pitted cherries. Or buying one of those pitting devices to remove the pits. In my opinion that basically defeats the purpose. Over the summer I enjoy moving a little more slowly (though not too slowly, Rich, settle down). And that means I like to enjoy my dessert. It’s not like grabbing a handful of M&Ms and inhaling them as quickly as possible to get to the next thing. It’s about taking my time, without anywhere specific to go. Really just taking a step back and enjoying my cherries.

Hmmm. If I think a little broader, that’s a pretty good metaphor for everything. We spend most of our lives snacking on M&Ms. Yes, they are sweet and tasty, but ultimately unsatisfying. Unless you are very disciplined, you eat a whole bag quickly with nothing to show for it. Except a few more pounds on your ass. But I’d rather my life be more like a bowl of cherries. I have to work a little harder to get it done, and I’ve learned to enjoy each pit for making me slow down. Although in the summer my dessert takes a bit longer, in the end I can savor each moment. Not a bad gig at all. There is some food for thought.

– Mike

Photo credits: “Cherry Abduction” originally uploaded by The Rocketeer

Incite 4 U

Thinking about what “cyberwar” really means: Professor Gene Spafford wrote a pretty compelling and intriguing thought piece over the weekend about cyber war, whatever that means. One of his main points is that our definition is very fuzzy, and we are looking at it from the rear view mirror rather than through the windshield. Many folks joke about the security industry “solving yesterday’s problems tomorrow,” but Gene makes a pretty compelling point that these issues can impact the global standing of the US within a generation. One of Gene’s answers is to start sharing data about every intrusion right now, and I know that would make lots of us data monkeys very happy. There is a lot in this piece to chew on. I suggest you belly up to the table and start chewing. We all have a lot to think about. – MR

Battle for the cloud: So you’ve heard of OpenStack, right? That amazing open source cloud alternative that’s going to kick VMware’s ass and finally bring us some portability and interoperability? Well I’ve spent a few weeks working with it, and have to say it’s a loooonnnnng way from being enterprise ready (long in Internet years, which might be a couple of weeks for all I know). It’s rough around the edges, relies too much on VLANs for my taste, and the documentation is crap. On the other hand… it’s insanely cool once you get it working, and the base architecture looks solid. And heck, Citrix is going to use it for their cloud offering, and has already contributed code to support VMware’s hypervisor. Kyle Hilgendorf has a good post over on his Gartner blog about the battle for enterprise cloud dominance. Like Kyle, I’m “optimistically skeptical”, but I do think Citrix has way too much at stake not to offer a viable and compatible alternative to VMware. – RM

Payment pirates: A popular refrain from CEOs I have worked for was that they did not want to spend money on training because employees would just leave and take the new knowledge with them. They know they don’t own what’s in their employees’ brains, so they view educational investment as risky. Gunnar Peterson pointed out last week that it could be worse – you could not train employees, and have them stay! There is no loyalty between businesses and their employees. Companies replace employees as if they were changing a car’s oil filter, paying for new skill sets because they prefer to or because they can’t retain good people. Employees are always looking for a better opportunity, taking their skills to another firm when they feel they can do better. That’s the modern reality. Last time


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factor into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, the handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast, or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, at the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.