Securosis

Translation Machine: Responding to (Uninformed) Bloggers

One of the things I don’t miss about running a marketing team is worrying about responding to negative press. It’s a lot worse today: you not only have to spin less-informed beat reporters who frequently troll for page views by misrepresenting competitive nonsense, but also bloggers and Tweeters who make things up about the product. So I thought I’d do everyone a service and translate this response from Palo Alto Networks’ Scott Gainey to Stiennon’s public supposition that PANW and FireEye violate Microsoft’s license agreement by running instances of Windows in their sandbox environment. I’ll excerpt from Scott’s blog post and provide my translation. Let’s be clear – Scott may or may not have been thinking these things as he was cobbling together his politically correct response. This is what I would be thinking if I were in his shoes.

“Richard Stiennon recently wrote an informative article in Forbes…”

Translation: Oh crap, what is he pronouncing dead this time? Informative? What I meant to say is “…wrote a speculative, click-baiting, ambulance-chasing pile of nonsense.” But I’m not Nir, so I can’t say stuff like that in public. Instead, I’ll just anonymously send him this eye chart.

“Our solution was simple. Palo Alto Networks licenses every instance of Microsoft software on each WildFire WF-500. There were no shortcuts taken.”

Translation: But clearly he took some shortcuts in his research. Boy, if that guy had done any work, he would have figured out that we have to charge a crapton of money for the on-prem version of the sandbox for this very reason. Those friggin’ pirates at Microsoft. They get paid coming and going. But I understand – how is he supposed to generate page views without poking high-flying public companies?

“Recently, Microsoft notified us of a new licensing model designed for embedded security devices that use virtual instances of Windows. From our perspective, this decision will not impact our existing customers. We are actively engaged with Microsoft to take advantage of this new licensing model that we’ll transition to as soon as agreements are set.”

Translation: I’m not sure if this guy is short our stock or something, but if anything the new licenses will make things more efficient for us from a cost of goods sold standpoint. Win!

I’ll tip my hat to Scott. He presented a well-reasoned case, and didn’t get defensive or emotional about it. I probably would have had to write 10 versions of this thing before I could wring all the venom out. On the other hand, he could have just ignored Stiennon… like FireEye did.

Photo credit: “Tablica do badania wzroku z reklamy Vision Express” originally uploaded by trochim

Summary: A Thousand Miles

The past week has been a bit of a whirlwind. Last Friday I flew out to Denver for a family thing, then transferred over to Boulder for a DevOps.com advisory board meeting, Camp DevOps (where I presented), and Gluecon. In between I spent a day with the friends who are loaning us their house for the month of July (while they caravan around the US with their kids), snuck in a 30-mile bike ride and a 5-mile run, and hit some of my favorite Boulder restaurants (SouthSide Cafe, Southern Sun, & Mountain Sun). I also learned I have a bad habit of telling people I’m “from Boulder but I live in Phoenix” when they ask.

Camp DevOps was a really great event on multiple levels. First, it was pretty great to be back on the University of Colorado campus. I spent 8 years there as an undergrad, and worked everything from low-level student jobs to full-time staff. It is where my IT career started, and I loved getting back and having the opportunity to share some of what I’ve learned in the decades since. Alan Shimel put on a solid first-time event. The very first track talk resolved an issue I have been researching (sending backups and logs to Amazon S3), and I picked up plenty of tidbits through the day. The Boulder tech community has a great vibe. It is very supportive in a way that is hard to replicate in larger cities which don’t shut down on powder days. Gluecon in Denver was also a solid show, although I wish I didn’t have to bail out early in an attempt to avoid some bad weather (more on that in a moment).

Camp DevOps was also slightly intimidating for me personally. I was giving a technical security talk to a bunch of developers. The challenge was to keep their interest, provide relevance, and meet their deep content expectations. According to the feedback, I was right on target. And based on other sessions I attended, I have rebuilt a lot of skills I lost when I moved more into the analyst world.

We in the security community often talk about developers the way we talk about Mac users. We assume they don’t care about security or prioritize it. In both cases, as I have become part of these communities, I have realized that they do care about security, but within a different context. It has to meld with their primary priorities, and we can’t harangue or insult them for their naivete. Participate, don’t preach, and you get a very positive reaction. Everyone wants to stay safe.

And speaking of staying safe, Adrian left the event just in time to dodge a tornado at the Denver airport. We were in different terminals when the tornado warning hit, and Adrian texted that he was evacuated to the shelter as I started to wonder if my terminal… was less important. About 10 minutes later we got the order, and as a well-trained emergency responder I found a big window right next to one of the shelter areas. I joined the crowd gawking as the storm clouds started rotating overhead and the hail moved in, followed by blue skies. The tornado touched down 8 miles away, and my flight took off only an hour late. Oh well – I was really hoping to knock that one off the bucket list.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

  • Mike quoted in Do you really think the CEO’s resignation from Target was due to security?

Favorite Securosis Posts

  • Adrian Lane: Recitals. “The FUD is strong in this one.”
  • Mike Rothman: Firestarter: The Wife-Beater (t-shirt) edition. No spouses were harmed in the production of this week’s Firestarter. But we were able to give Adrian a hard time about his attire before we started recording. Which was full of win. The actual video cast was pretty good too, even though Rich was mostly pixelated.
  • Rich: CEO on Line 2.

Other Securosis Posts

  • When Security Services Attack.

Favorite Outside Posts

  • Adrian Lane: Chip and Skim: cloning EMV cards with the pre-play attack. I am not certain how viable this attack is, but if it’s true that you can use an arbitrary nonce value as part of a replay attack, this is a serious flaw.
  • Mike Rothman: Buffett: Teach kids financial literacy to spark entrepreneurship. Adrian and Gunnar’s idol (and I’m a fan myself) has some great perspective on teaching kids about money. This sums it up: “Financial literacy is a base requirement like spelling or reading or something of the sort that everybody should acquire at an early age.” Yup.
  • Rich: U.S. Companies Hacked by Chinese Didn’t Tell Investors (via The Verge). I still believe many, if not most, breaches aren’t reported – even when there is a legal requirement. I have been told in multiple cases that the companies determine it is in their interest not to disclose. Often they use the law enforcement investigation loophole.
  • Gal: Lifelock deletes user data over safety concerns. Then Goldman downgrades them over concerns that their app wasn’t PCI compliant. Security and compliance have an impact on the larger business… duh.

Research Reports and Presentations

  • Defending Against Network-based Distributed Denial of Service Attacks.
  • Reducing Attack Surface with Application Control.
  • Leveraging Threat Intelligence in Security Monitoring.
  • The Future of Security: The Trends and Technologies Transforming Security.
  • Security Analytics with Big Data.
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7.
  • Eliminate Surprises with Security Assurance and Testing.
  • What CISOs Need to Know about Cloud Computing.
  • Defending Against Application Denial of Service Attacks.

Top News and Posts

  • eBay Urges Password Changes After Breach.
  • ICS-CERT Confirms Public Utility Compromised Recently.
  • NSA Reform Bill Passes the House–With a Gaping Loophole.
  • Buzzkill: FBI director says he was joking about hiring weed-smoking hackers. There go the Washington and Colorado FBI offices…
  • New IE8 0-day by ZDI.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.