We have written a lot about Oracle’s acquisition of Secerno: the key points of the acquisition, the Secerno technology, and some of the business benefits Oracle gets with the Secerno purchase. We did so mainly because Database Activity Monitoring (DAM) is a technology that Rich and I are intimately familiar with, and this acquisition shakes up the entire market. But we suspect there is more. Rich and I have a feeling that this purchase signals Oracle’s mid-term security strategy, and the Secerno platforms will comprise the key component. We don’t have any inside knowledge, but there are too many signals to go unnoticed so we are making a prediction, and our analysis goes something like this:
Quick recap: Oracle acquired a Database Activity Monitoring vendor, and immediately marketed the product as a database firewall, rather than a Database Activity Monitoring product. What Oracle can do with this technology, in the short term, is:
- “White list” database queries.
- Provide “virtual patching” of the Oracle database.
- Monitor activity across most major relational database types.
- Tune policies based on monitored traffic.
- Block unwanted activity.
- Offer a method of analysis with few false positives.
Does any of this sound familiar?
What if I changed the phrase “white list queries” to “white list applications”? If I changed “Oracle database” to “Oracle applications”? What if I changed “block database threats” to “block application threats”?
Does this sound like a Web Application Firewall (WAF) to you?
Place Secerno in front of an application, add some capabilities to examine web app traffic, and it would not take much to create a Web Application Firewall to complement the “database firewall”. They can tackle SQL injection now, and provide very rudimentary IDS. It would be trivial for Oracle to add application white listing, HTML inspection, and XML/SOAP validation. Down the road you could throw in basic XSS protections and can call it WAF. Secerno DAM, plus WAF, plus the assessment capabilities already built into Oracle Management Packs, gives you a poor man’s version of Imperva.
Dude, you’re getting a WAF!
We won’t see much for a while yet, but when we do, it will likely begin with Oracle selling pre-tuned versions of Secerno for Oracle Applications. After a while we will see a couple new analysis options, and shortly thereafter we will be told this is not WAF, it’s better than WAF. How could these other vendors possibly know the applications as well as Oracle? How could they possibly protect them as accurately or efficiently? These WAF vendors don’t have access to the Oracle applications code, so how could they possibly deliver something as effective? We are not trying to be negative here, but we all know how Oracle markets, especially in security:
- Oracle is secure – you don’t need X. All vendors of X are irresponsible and beneath consideration.
- Oracle has purchased vendor Y in market X because Oracle cares about the security of its customers.
- Oracle is the leading provider of X.
- Buying anything other than Oracle’s X is irresponsible because other vendors use undocumented APIs and/or inferior techniques.
- Product X is now part of the new Oracle Suite and costs 50% more than before, but includes 100% more stuff that you don’t really need but we couldn’t sell stand-alone.
OK, so we went negative. Send your hate mail to Rich. I’ll field the hate mail from the technologists out there who are screaming mad, knowing that there is a big difference between WAF policies and traffic analysis and what Secerno does. Yes and no, but it’s irrelevant from a marketing standpoint. For those who remember Dell’s “Dude” commercials from the early 2000s, they made buying a computer easy and approachable. Oracle will do the same thing with security, making the choice simple to understand, and covering all their Oracle assets. They’d be crazy not to. Market this as a full-featured WAF, blocking malicious threats with “zero false positives”, for everything from Siebel to 11G. True or not, that’s a powerful story, and it comes from the vendor who sold you half the stuff in your data center. It will win the hearts of the security “Check the box” crowd in the short term, and may win the minds of security professionals in the long term.
Do you see it? Does it make sense? Tell me I am wrong!