Research

Last week I posted an outline for a patch management cycle to base Project Quant metrics on. Based on some feedback, I think we need to hear from those of you who actually do this for a living (you really don’t want to know the crappy process we used back in my sysadmin days). If you have a moment, please pop over to the forums and let us know what you are using for your process. (If you want to leave anonymous feedback, instead of the forums you can leave it as a comment on the main post; this is a weird limitation of our platform). Thanks Share:

Sometimes the most energizing thing you can do is absolutely nothing. Last week at RSA was absolutely insane, in a good way. It’s kind of like being a kid and going to summer camp. You get to see all the friends who live in other towns, you all go nuts for a week with minimal supervision, and then everyone staggers home all excited. Between the Recovery Breakfast, 4 official RSA panels, a Jericho panel, my 160+ slide Friday morning session with Chris Hoff, and the nonstop speed-dating during the day, and parties at night, I should really be in much worse shape. But I found this year’s RSA to be incredibly motivating on multiple levels. First, I think this is absolutely one of the best times to be in information security. Yes, major crap is hitting the fan all over the place, including massive national security, financial, and infrastructure breaches, but security is also hitting the front pages and reaching into the common consciousness. This is exactly the kind of environment true security professionals thrive on – with challenges and opportunities on all sides. As someone who loves the practice and theory of security, I find these challenges to be absolutely energizing and I wouldn’t want to be doing anything else. Well, except for maybe being an astronaut. Next, RSA was extremely motivating from a corporate standpoint. I won’t say much, but it validated what we’re trying to do, and how we are positioning ourselves. Finally, it was a very motivating week on a personal level. I used to have friends at work, and acquaintances in the industry. But these days I find some of my closest friends are scattered throughout the world in different jobs. I realized I spend more time interacting with many of you than I do with my local ‘meatspace’ friends outside of the industry. I especially appreciated the group that took me out for my birthday on Monday night – it really eased the pain of spending yet another family event away from my wife and (new) daughter. After RSA I took 4 days off, and the combination of intensity followed by relaxation was a major recharge, but didn’t leave me much content for this week’s summary. Except stay away from, like, every Adobe product on the planet since they are all full of 0days. One reminder – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest (it goes out every night). We’re also thinking of creating a Friday Summary-only version, so let us know if that would be of interest. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences Martin and Rich on the weekly Network Security Podcast. I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (all about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials. I show up in the Sydney Morning Herald, based on some TidBITS/Mac writing. Speaking of TidBITS, I wrote up some thoughts on how to read Mac security articles. I was quoted in a TechTarget article on cloud computing, based on my involvement in the Jericho panel. Favorite Securosis Posts Rich: The latest Project Quant post – we really need your feedback on the patch management cycle! Adrian: Rich’s post on the Security Industry Anti-Disambiguation Movement. Having watched this first-hand at a couple of startups, I know how well the mere mention of a competing technology by one of the major competitors could halt your POC process in an instant. Favorite Outside Posts Adrian: Favorite external was Greg Young’s comment on Becoming the Threat … An excellent analysis of something we see in society, and certainly something that is a problem here in Phoenix. Oddly, this is something I do NOT see with most corporate IT. Why is that? Rich: Chris Eng’s Decoding the Verizon DBIR 2009 Cover. Very cool. Top News and Posts Joint Strike fighter plans nicked. Will someone in charge WAKE THE FUCK UP! Good: Microsoft removes ‘AutoRun’ option for Memory sticks. Bad: Pushing 8 out through auto-update? What if I don’t want it? Targetted worms and banking scams. Adobe is having a seriously bad run. More 0days. Interesting take on WAF+VA. The Black Hat call for papers is extended. Blog Comment of the Week This week’s best comment was from Ant in response to Rich’s post on Security Industry Disambiguation Movement. Well I mint not have chosen those terms, but I personally* fully endorse the sentiment! A different problem arises where a perfectly serviceable term is pressed into use in several different but not wholly dissimilar markets, leading to ambiguity and confusion – e.g., identity management, policy management. So… it’s not strictly anti-disambiguation, but it some vendors are guilty of disingenuously using a term which doesn’t apply to them in their market. – Ant * i.e., this is not (necessar Share:

While we don’t plan on posting every Project Quant update here on the main blog, we will be cross-posting some of the more significant project updates, as well as other content we relevant to our broader readership. (For these posts we will turn off comments to consolidate them all in the Project Quant area.) So here is our first pass at defining a patch management process for the project: Although we posted some of our initial thoughts, and have been getting some great feedback from everyone, Jeff and I realized that we haven’t even defined a standard patch management cycle yet to start from. DS, Dutch, and a few others have started posting some metrics/variables, but we didn’t have a process to fit them into. I’ve been researching other patch management cycles, and here’s my first stab at one for the project. You’ll notice it’s a little more granular than most of the other ones out there – I think we need to break out phases in more detail to both match the different processes used by different organizations, and to give us cleaner buckets for our metrics. Here’s a quick outline of the steps: Monitor for Release/Advisory: Anything associated with tracking patch releases, since all vendors follow different processes. Acquire: Get the patch. Evaluate: Initial evaluation of the patch. What’s it for? Is it security-sensitive? Do we use that software? Is the issue relevant in our environment? Are there workarounds or dependencies? Prioritize/Schedule: Prioritize based on the nature of the patch itself, and your infrastructure/assets. Then build out a deployment schedule, based on your prioritization. Test and Certify/Accredit: Perform any required testing, and certify the patch for release. This could include any C&A requirements for you government types, compliance requirements, or internal policy requirements. Create Deployment Package: Prepare the patch for deployment. Deploy. Confirm Deployment: Verify that patches were properly deployed. This might include use of configuration management or vulnerability assessment tools. Clean up: Clean up any bad deployments, remnants of the patch application procedure, or other associated cruft/detritus. Document and Update Configuration Standards: Document the patch deployment, which may be required for regulatory compliance, and update any associated configuration standards/guidelines/requirements. This is a quick and dirty pass and meant to capture the macro-level steps in the process. I know not all organizations follow, or need to follow, a process like this, but it will help us organize our metrics. Let me know what you think – I’m sure I’m missing something… To comment on this post, please see the original over in the Project Quant area. Share:

With all the recent talk about cloud security, I’ve really been struck by the blatant deliberate confusion promulgated by various industry stakeholders. For example, last week around RSA I saw a nonstop stream of press releases containing the word “cloud” for products and services that were merely the same old beloved security tools, now rebranded to ride the froth of the cloud marketing wave. But ‘cloud’ is only the latest example – from NAC to DLP to GRC and other technologies of yore, we see often-deliberate message dilution and confusion so certain poorly-positioned individuals or companies can avoid being left behind by market innovators. We don’t just see this in security; calling yourself “green” is an instantly classic example (hello “green” bottled water), but I do think we see it more in security than other areas of IT. When you think about it, we are probably the farthest reaching area of IT- spanning everything from development to storage to desktops to networking, and as such have a fair bit more running room. You might be able to rebrand your storage solution “green”, but it isn’t like you can call a hard drive a WWAN SAN just to hop on a trend (having been to many non-security conferences, I think this is a reasonably safe statement). And what I’m focusing on today isn’t mere bandwagon hopping, but purposeful efforts by laggards to create confusion in a market and defeat clarity. I call it the Anti-Disambiguation Movement, and it follows a predictable path. The movement is led by vendors, press, and analysts; with end-users (and some innovative vendors) suffering the consequences. Here’s how it works – when a vendor is late to the party, they start issuing a bunch of marketing chaff to distract everyone from the real innovation. This takes a number of forms (which we will talk about in a moment), which result in one of several outcomes (which we’ll also detail). Interestingly enough, I think this tracks very nicely with the Gartner Hype Cycle (I love the Hype Cycle, and am sad I don’t get to use it anymore). Let’s start with the methods (I’d apologize for the language, but you should be used to it by now): The Marketing Cock Block: A large vendor claims that they are bringing a product to market within a nebulous time frame, when they have no existing product in that market. The goal is to Osborne effect any direct competitors or small vendors in the space by creating a belief that the “official” solution from a stable supplier is just around the corner. In some cases the vendor has a product, but it isn’t close to competitive. Example: Microsoft and Cisco with NAC. Neither had a viable solution until relatively recently (and that’s still debatable), but that didn’t even slow down their marketing efforts and interoperability announcements. The PR Territory Piss: A variant of the Cock Block in which the vendor issues extensive press releases on their ownership of a trend, which they may or may not later buy or build into. Example: AV vendors and antispyware. Malicious Confusion: Vendors know they don’t have an offering in that market/trend, so they expand or otherwise deliberately misuse the definition of that trend to include their products under the hot umbrella. The goal isn’t to produce anything for that market, but to create enough confusion that whatever they already had on the shelf can be marketed with today’s cool term. They purposely and maliciously create confusion for their own benefit. Ideally, they even convince some press or analysts to include them in a market list or product evaluation. Example: DLP and USB port blockers, endpoint encryption, and about a dozen other things that have nothing to do with DLP. The Glom-on: A trend starts hitting and clumps of vendors start piling on for the ride, making a subconscious but collective decision to link their market to the trend until the trend/market definition becomes so diluted as to be worthless. Examples: Cloud and information-centric security. The Lemming Roller Coaster: A trend becomes hot, and less-intelligent vendors jump on, usually late, without really knowing where they are headed. The lemming is less deliberate than some of our other examples, and typically the result of a brain dead marketing/PR type. It’s usually smaller companies, and may lead to their death once users figure out the product doesn’t help with that problem, or after they score poorly in magazine/analyst ratings. Examples: Seeing this a lot with DLP and a bit in GRC. Unintelligent Design: Some ass-clown of an analyst invents their own term for something, often issuing some sort of market report, triggering one of the other methods listed above. Examples: The Anti-Disambiguation Movement… and GRC. The result falls into these categories: Death: The trend/market becomes so toxic that it dies, taking the slower companies with it. Example: PKI. Clarity: The ambiguities fade away and clear definitions emerge, although often not until after a few early innovators die. Example: NAC. Redefinition: The term/market is redefined, but doesn’t necessarily resemble its original form. Example: I think cloud security is headed this way. Meaninglessness: The term becomes so diluted it’s essentially worthless, even though there might be some nuggets of truth in there. Example: GRC. I’m having a bit of fun here, but the simple truth is that very often market terms are atrociously abused by laggards, often (deliberately) damaging the real innovation and innovators. Share:

Hey folks, Just a quick note that we had a few people ask if we were going to hold a meeting on Project Quant out here at RSA. We know it’s last minute, but if you are interested in hearing more about the project and providing some input, we’ve decided to hold a Town Hall meeting right after the Securosis Recovery Breakfast on Wednesday morning at Jillian’s. The breakfast runs until 11, and we’ll gather up all the Quant people right after that and find a quiet corner. The WASC meetup is at 12, so if you plan things right you can probably hang out at Jillian’s all day and never head over to Moscone. Feel free to drop a comment if you think you might show, but otherwise we’ll see you there… Share:

Yesterday, our friends over at Marker Advisors shared some information on what they see on the financial side of the IT security world. Today they follow up with a brief conclusion about how this is playing out. We’ve seen a ton of M&A activity ourselves, and have even written about it before. We’re seeing exactly the same trend- from a valuation standpoint it’s a buyers market, but many sellers are hanging on, hoping for a better exit. I think it will be fascinating to watch this dance play out at RSA this year, and plan on asking Randy and Russ for a follow-on post once we all get back from the show. M&A activity happens in cycles that are directly related to major product buying cycles. In times of slow growth, larger companies that can invest in the future try to project the ‘next big thing’. They then identify and purchase technology / expertise that will hopefully prepare them for the next upswing. The software business has always been one where ‘the rich get richer’. Large companies have the cash and cash flow, the sales organization, and the market presence to use downturns to augment their product lines. We have seen both traditional software companies (ORCL, MFE, SYMC, QSFT, OTEX, CA, BMC) grow via acquisition, as well as nontraditional buyers (IBM, EMC, HPQ) enter the market. As we came out of the 2001 – 2002 slowdown, M&A activity increased materially. However, in the last couple of years, as that cycle waned, combinations slowed. Marker believes another M&A cycle is imminent. Today, we have many interested buyers, but few sellers willing to entertain today’s valuations. Although we are not going to the valuations of 2006 / 2007 anytime soon, they should trend higher in time, and buyers and sellers will meet somewhere in the middle. Smaller public and private organizations desiring to be acquired should be preparing their business for this next M&A wave. How a company reacts and positions itself in the short term will eventually determine whether or not they are one of the prize catches, or one of the throwaways. About Marker Advisors: Marker is a research consultancy firm specializing in the software industry. We work with senior company management as well as sophisticated industry investors to create shareholder value. We provide detailed market intelligence, business and product strategy, and M&A advisory services. Share:

When I first started Securosis I was a little surprised at the number of due diligence and other investor-related projects that started flowing through the door. At Gartner we couldn’t engage in these kinds of projects (for some very good reasons), but being independent allowed me more flexibility. Since then we’ve continued to work closely with a variety of investment partners and clients. One of our partners is Marker Advisors, a boutique financial analysis and consulting firm here in Phoenix/Scottsdale. We like them for their dead-on analysis, and habit of buying us Mojitos on Friday afternoons. I wish I could tell you some of the stuff these guys are up to, but suffice it to say they have an extremely good pulse on the market. (We also suggest you follow Peter Kuper, who is blogging over at IANS and is another one of our favorite partners). We asked the guys at Marker for their take on the security software market, and they were kind enough to let us post their response. Some of this information is counter-intuitive, and shows why the economy isn’t the only issue the security market faces. We’ve broken it into two parts: # 2008 was a tough year economically, but most software companies discovered ways to grow revenue. The 20 companies we are closest to and favor (what we call our “coverage” list) grew revenue 18% (organically) YoY in 2008; an outstanding performance given both the environment and an overall market that grew at less than half that pace. Our larger “universe” of the 75 software companies we follow grew ~16% (including acquisitions). However, growth in both groups slowed in the 2H08 to ~9% YoY. The big question that needs answering is at what rate will revenue grow in 2009, and then 2010? To best determine this answer, let’s first take a look at why revenue grew last year: New product cycles. The first major new product cycles since 1999/2001 spurred investment in 2006 > 2008. 2008 capped a multi-year reinvestment cycle, as many companies managed to finally complete the move to Web-based technologies (from client server) in most applications/infrastructure, as well as upgrade to the latest generation of IP networking products. Existing vendor spend. Software companies with large customer bases were able to sell these new products (often at a discount) into a market that wanted to spend with existing vendors. Add-ons increase ASPs. New add-on products (product line extensions) helped increase ASPs, as customers looked to improve the productivity and broaden the use of new installations. Support costs increased. Many vendors pushed through 2007/2008 increases in maintenance and support charges, as pricing power shifted back to the vendors (for oh so short a time). International growth. International growth helped overcome a relatively difficult U.S. market. Budget Shifts. Budgets allocations shifted towards our favored sectors – Security, Web Content Management and Virtualization. Weak dollar. The dollar’s weakness pushed growth up in the 2H07 and the first half of 2008. M&A boosts results. Acquisitions in late 2007 and early 2008 boosted 2008 revenue results by a couple of percent. However, most of the factors that made 2008 a solid growth year are no longer present in 2009: We are at the end of this decade’s major product introductions. The next round of innovation appears to be focused on “cloud” computing, not data center computing. As customers evaluate where to install their next server and whether to rent or own software, they will spend less now. The economy will only make it easier to consider this a “transition” year. The large customer bases that were heavily mined throughout 2008 are nearing exhaustion. Although they did not overspend like they did in 2000/2001, they are appropriately stocked. Add-ons are slowing. Add-on products continue to get shipped, but it’s going to be a slow year for innovation. There will be no major new product cycles until 2010-2011. Moreover, the future product cycles will be more cloud-based and subscription priced, so look for evolution in business models. International growth will not be as much assistance in 2009, as EMEA, APAC and China all slow spending. We have picked up a growing number of channel checks that suggest all three regions are now slowing materially. Budgets will shift towards a much smaller set of projects in 2009. If you are a strategic vendor and make the short list, the year will look decent (low double digit growth). If not, it will be a struggle (flat to declining revenue YoY). Security and WCM will continue to outperform, but ratcheted down a full notch. Applications will continue to underperform. Basic infrastructure will be mixed – virtualization will be solid, but communications and networking will be slowed by both “cloud computing” marketing and major vendor “next big thing” sales campaigns. It is no longer clear where organizations should invest… In their own data centers? Or should they outsource basic infrastructure like email, collaboration, and data services to the emerging cloud vendors? Or outsource it to their software vendors’ SaaS offerings? 2009 will be a good time to evaluative these options, while not making a major investment decision. It’s hard to predict the dollar – however, it’s unlikely to provide much tailwind given 1H08’s prolonged weakness. We believe acquisitions will pick up as the year progresses, as potential sellers understand we are in for a rough couple of years and valuations are not coming back strongly. In fact, we think many of the best investment opportunities will come in the form of M&A. In December 2008, Street analysts had 2009 revenue growth at around 9% YoY for our coverage names, and close to that for our universe names. SaaS and virtualization companies have higher expected growth rates, and application companies lower growth rates. Today those same analysts have cut growth projections to around 5% YoY. In examining the quarterly forecasts, it appears investors and analysts are looking for a 2H09 recovery in capital spending. The crux of our question is how could they possibly know

This is a great day for security researchers, and a bad day for anyone with a bank account. First up is the release of the 2009 Verizon Data Breach Investigations Report. This is now officially my favorite breach metrics source, and it’s chock full of incredibly valuable information. I love the report because it’s not based on bullshit surveys, but on real incident investigations. The results are slowly spreading throughout the blogosphere, and we won’t copy them all here, but a few highlights: Verizon’s team alone investigated cases that resulted in the loss of 285 million records. That’s just them, never mind all the other incident response teams. Most organizations do a crap job with security- this is backed up with a series of metrics on which security controls are in place and how incidents are discovered. Essentially no organizations really complied with all the PCI requirements- but most get certified anyway. Liquidmatrix has a solid summary of highlights, and I don’t want to repeat their work. As they say, Read pages 46-49 of the report and do what it says. Seriously. It’s the advice that I would give if you were paying me to be your CISO. And we’ll add some of our own advice soon. Next is an article on organized cybercrime by Brian Krebs THAT YOU MUST GO READ NOW. (I realize it might seem like we have a love affair with Brian or something, but he’s not nearly my type). Brian digs beyond the report, and his investigative journalism shows what many of us believe to be true- there is a concerted attack on our financial system that is sophisticated and organized, and based out of Eastern Europe. I talked with Brain and he told me, You know all those breaches last year? Most of them are a handful of groups. Here are a couple great tidbits from the article: For example, a single organized criminal group based in Eastern Europe is believed to have hacked Web sites and databases belonging to hundreds of banks, payment processors, prepaid card vendors and retailers over the last year. Most of the activity from this group occurred in the first five months of 2008. But some of that activity persisted throughout the year at specific targets, according to experts who helped law enforcement officials respond to the attacks, but asked not to be identified because they are not authorized to speak on the record. … One hacking group, which security experts say is based in Russia, attacked and infiltrated more than 300 companies – mainly financial institutions – in the United States and elsewhere, using a sophisticated Web-based exploitation service that the hackers accessed remotely. In an 18-page alert published to retail and banking partners in November, VISA described this hacker service in intricate detail, listing the names of the Web sites and malicious software used in the attack, as well as the Internet addresses of dozens of sites that were used to offload stolen data. … Steve Santorelli, director of investigations at Team Cymru, a small group of researchers who work to discover who is behind Internet crime, said the hackers behind the Heartland breach and the other break-ins mentioned in this story appear to have been aware of one another and unofficially divided up targets. “There seem, on the face of anecdotal observations, to be at least two main groups behind many of the major database compromises of recent years,” Santorelli said. “Both groups appear to be giving each other a wide berth to not step on each others’ toes.” Keep in mind that this isn’t the same old news. We’re not talking about the usual increase in attacks, but a sophistication and organizational level that developed materially in 2007-2008. To top it all off, we have this article over at Wired on PIN cracking. This one also ties in to the Verizon report. Another quote: “We’re seeing entirely new attacks that a year ago were thought to be only academically possible,” says Sartin. Verizon Business released a report Wednesday that examines trends in security breaches. “What we see now is people going right to the source … and stealing the encrypted PIN blocks and using complex ways to un-encrypt the PIN blocks.” If you read more deeply, you learn that the bad guys haven’t developed some quantum crypto, but are taking advantage of weak points in the system where the data is unencrypted, even if only in memory. Really fascinating stuff, and I love that we’re getting real information on real breaches. Share:

We spend a lot of time talking about security metrics over here, and I’ve been pretty critical of both overly-broad initiatives that don’t help people get their day to day jobs done, and “fluffy” models that try to put hard numbers on risks/threats and such. Well, it looks like it’s time for me to put up or shut up. I’m pleased to announce our latest metrics project, which we’re currently calling Project Quant. (Yes we need a better name). We were approached by Jeff Jones at Microsoft to help build an independent model to measure the costs and effectiveness of patch management. This will be a hard metrics model, focused on measuring the operational processes associated with patch management. The goal is to provide IT organizations a tool they can use to measure how effective they are, and track that over time. I’m excited about this project for two main reasons: We get to focus on hard, practical metrics people can use to improve operations. We are following a “radical” version of our Totally Transparent Research process to ensure objectivity. We’ve set up a dedicated landing area for the project at http://securosis.com/projectquant where we will be posting all the materials. Here are the bits you might care about: We are soliciting as much participation in the project as possible- including competing vendors, end users of all sizes, consultants, whoever. The project has a deadline of late June, so this won’t drag out indefinitely. The first version may not be perfect, but come the end of June there will be a first version. We really need you to get involved. We’ll be asking for survey participants, reviewers, and just plain ‘ol grumpy commenters to keep us honest, and help produce a useful result. The results will be released under a Creative Commons license in an open format. We have the first two posts up at the landing site. The first, Introducing Project Quant, provides an overview of the project and the research process. The second, Project Quant: Goals delves into the project goals in more detail. This is a pretty huge project, even though it’s laser focused on one single operational area. Hopefully you like the idea, and are interested in participating. Share:

Things are so crazy this week, getting ready for RSA, that I nearly forgot we record this little podcast thing every week. Sure, I’ve only been doing it every week for over a year, but you’d think I’d learn to remember. This week we start by reviewing all the happenings at RSA, before talking about the cable cuts in the Bay Area and the Twitter worm. Martin and I will be doing our best to push out shorter daily shows (usually interviews) every day at RSA, and these tend to be some of our more popular episodes. The Network Security Podcast, Episode 146. Share: