Securosis

Friday Summary 10-17-08

Rich is off to see Jimmy Buffet in southern California and get some R&R, so I have blog duties this week.

It’s briefing season in the analyst community. I probably should not be surprised, given we typically launched our PR tours with my previous employers this time of year, but even Rich has been a little surprised by the volume of discussions. We have been in full swing with a packed calendar during the last couple of weeks, and it shows no sign of letting up through November. If I am a little slow returning your email in the morning, that is why. And I have to admit it is more interesting being on the receiving end of the equation than delivering the same information 100 times. The breadth of technologies and companies is very exciting, for me at least, and as a result I am digging deep into a number of technologies I have not had a chance to play with while working for a vendor. I have been seeing a lot of solid advancements from several companies, so that makes the calls interesting as well.

I have to further comment on the comments last week that the OS X Server wiki/blog software we switched to internally has been great for us. For a small team like ours, the ability to collaborate and keep information centrally has been a great convenience, as we can work independently yet still catch up on what the other is doing by scanning the internal blog and wiki. Easy to use, and still more functions than we really need at this point. Highly recommended!

The Drobo Rich ordered looks very, very cool … yes, I am jealous. Given the number of photos I have been taking, I think I am going to order one as well. Going to hook it up between the iMacs via FireWire. I will keep you posted.

On a personal note, I was watching Iron Man last night on DVD. Great movie. But how many of you saw the movie trailer with Samuel L. Jackson at the end? No? Surprised the heck out of me that after the credits have finished, there is a little teaser where no one … practically no one, would see it. Pretty cool!

Oh, and Rich may have seen two coyotes in the park near his house, but I have discovered a ‘family’ of tarantulas living on my back porch. We were having drinks on the patio when this 7 inch fuzzy spider cruised by us a few nights ago. Last night a couple of smaller ones were climbing the wall about 10 feet off the ground as if gravity simply did not apply to them. They are fascinating to watch.

Webcasts, Podcasts, and Conferences:

  • Nada this week for me.

Favorite Securosis Posts:

  • Rich: Your WPA-PSK Wireless Network is at Risk … If You Are An Idiot. Processing capacity is cheap and plentiful, and this is a new use for idle resources, but nothing more. Weak passwords are weak passwords.
  • Adrian: Real life three stooges star in ‘Credit Card Craziness’.

Favorite Outside Posts:

  • Adrian: Over on the Network Security Blog, Martin has an excellent post on a topic that should get far more attention than it does: Why Is Your Company Storing Credit Card Numbers?
  • Rich: Hoff continues to be ahead of the curve on developments in the Virtualization Security space, as well as coverage on the VMware acquisition of BlueLane. VMware may not have hired the Hoff, but they seem to be taking his advice.

Top News:

  • The Obama-McCain debate was Wednesday night. High definition television was not kind to John McCain.
  • Stocks continue to fluctuate, with a nice early week rally as many investors ‘double-down’ on the firms they have confidence in.
  • Oracle released their big fall patch update. BEA users take note!
  • Did you hear? We are at risk of entering a recession! Really, I could not make this stuff up!

Blog Comment of the Week: Jim Hietala’s comment on my “Will Database Security Vendors Disappear” post:

    I don’t know that database security market all that well, but it strikes me that all of the points you made can be applied to every individual security segment, including NAC, endpoint security, DLP, e-mail security, and on and on. Certainly the trust one applies to all, breadth of function in most cases applies, and too many choices I think does as well. Doesn’t bode well for the health of the security start-up market in the next couple of years.

No Securosis company meeting this week, so I am off for a little recon work. More on this later.


Will Database Security Vendors Disappear?

Rich and I got into a conversation Friday about database security, and the fate of vendors in this subsegment, in light of recent financial developments. Is it possible that this entire database security sub-market could vanish? Somewhat startled by the thought, we started going down the list of names, guessing who would be acquired, who was profitable, and who will probably not make it through the current economic downturn without additional investment. It seems plausible that the majority of today’s companies may disappear. It’s not just that the companies’ revenue numbers are slowing with orders being pushed out, but the safety blanket of ready capital is gone, and the vendors must survive a profitability ‘sanity check’ for the duration of the capital market slowdown. And that becomes even harder with other factors at play, specifically:

Trust. The days of established companies trusting the viability of small security startups are gone. Most enterprises are asking startups for audited financials to demonstrate their viability, because they want to know their vendors will be around for a year or two. Most start-ups’ quarterly numbers hinge on landing enterprise clients, with focused sales and development efforts to land larger clients. Startup firms don’t keep 24 months of cash lying around, as it is considered wasteful in the eyes of the venture firms that back them, and they need to use their money to execute on the business plan. As most startups have financials that make public company CFOs gasp for breath, this is not a happy development for their sales teams or their VCs alike.

Breadth of function. Enterprises are looking to solve business problems, and those business problems are not defined as database security issues. Enterprise customers have trended towards purchase of suites that provide breadth of functions, which can be mixed and matched as needed for security and compliance. The individual functions may not be best of breed, but the customer tends to get pieces that are good enough, and at a better price. Database security offers a lot of value, but if the market driver is compliance, most vendors offer too small a piece to assure compliance themselves.

Too many choices. I do this every day, and have been for almost 5 years. It is difficult to keep up with all the vendors, much less the changes to their offerings and how they work, and get an idea of how customers perceive these products. Someone who is looking at securing their databases, or seeking alternative IT controls, will be bombarded with claims and offerings from a myriad of vendors offering slightly different ways of solving the same security problems. For example, since 2004 (or their more recent inception) I have been tracking these companies on a regular basis:

  • Application Security Inc.
  • Lumigent
  • Imperva
  • Guardium
  • Tizor
  • Secu o
  • Sentrigo
  • NGS
  • Embarcadero (Ambeo)
  • Symantec
  • Quest
  • IPLocks

And to a much lesser extent:

  • Phulaxis
  • Idera
  • DBi (Database Brothers)
  • Nitro Security (RippleTech)
  • SoftTree Technologies
  • Chakra (Korea)
  • Performance Insight (Japan)

For DB security product vendors, there are just too many for a $70-80M market subsegment, with too large a percentage of the revenue siphoned off by ancillary technologies. Granted, this is just my list, which I used to track for new development; and granted, some of these firms do not make the majority of their revenue through sales of database security products. But keep in mind there are a dozen or so IDS/SIM vendors that have dabbled in database security, as well as the database vendors’ log analysis products such as Oracle’s Audit Vault and IBM’s AME, further diluting the pool. There have been services companies and policy management companies who all have claimed to secure the database to one extent or another. Log file analytics, activity monitoring, assessment, penetration tests, transactional monitoring, encryption, access control, and various other nifty offerings are popping up all the time. In fact we have seen dozens of companies who jump into the space as an opportunistic sortie, and leave quickly once they realize revenue and growth are short of expectations. But when you boil it down, there are too many vendors with too little differentiation, lacking implicit recognition by customers that they solve compliance issues.

Database security has never been its own market. On the positive side it has been a growing segment since 2002, and has kept pace almost dollar for dollar with the DLP market, just lagging about a year behind. But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act. Rich will give his take tomorrow, but although both of us believe strongly in the value of these products, we are concerned that the combination of market forces and economic conditions will really hurt the entire segment.


My Take On The Database Security Market Challenges

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual dribble us analyst types get all hot and bothered about, when he dropped the bombshell that one of our favorite groups of products could be in serious trouble. For the record, we hadn’t started happy hour yet.

Although everyone on the vendor side is challenged with such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal. Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try and keep this concise.

  • Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these bits has different buying cycles, and in some cases, different buying centers. Users aren’t happy with the complexity, yet when they go shopping they tend to want to put their own car together (due to internal issues) rather than buy the full product.
  • Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there’s a short term compliance mandate. Long cycles are hard to manage in a tight economy.
  • It isn’t a threat driven market. Sure, the threats are bad, but as I’ve talked about before they don’t keep people from checking their email or playing solitaire, thus they are perceived as less.
  • The tools are too technical. I’m sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren’t drop in boxes, and that’s another reason buying cycles are long. I’ve been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them.
  • They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don’t hit that checkbox or clearly save money, getting a sale will be rough.
  • Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when products aren’t as directly competitive (or capable) as the smaller vendors. Better or not, as we continue to drive towards “good enough” many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line).
  • There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren’t looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven’t heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don’t seem overly interested.
  • It’s all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high, and sales cycles too low, I won’t be surprised to see some companies dumped below their value. IPLocks, for example, didn’t sell for nearly its value (based on the numbers alone, I’m not even talking product).

There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble. I’m not kidding, I really hated writing this post. This isn’t a “X is Dead” stir the pot kind of thing, but a concern that one of the most important linchpins of information centric security is in probable trouble. To use Adrian’s words:

    But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those that earn most of their revenue from other products or services may be immune, but the DB Security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire-sale or bankruptcy, depending upon how and when they act.


Oracle Critical Patch Update, October 2008

The Oracle Critical Patch Update for October 2008 was released today. On the database side there are a lot of the usual suspects; DMSYS.ODM_MODEL_UTIL seems to be patched in every CPU during the last few years. All in all the database modifications appear minor, so patch the databases according to your normal deployment schedules.

It does seem that every time I view this list there is an entirely new section. It is not just the database and Oracle Apps, but BEA, Siebel, JD Edwards, and the eBusiness suite. As a security researcher, one of the tough chores is to figure out if these vulnerabilities inter-relate, and if so, how any of these in conjunction with the others could provide a greater threat than the individual risks. I do not see anything like that this time, but then again, there is the BEA plug-in for Apache that’s flagged as a high risk item by itself. Without details, we cannot know if the BEA bug is sufficient to compromise a web server and reach the associated vulnerable databases. The BEA plug-in was awarded Oracle’s highest risk score (10 out of 10), so if you’re using that Apache plug-in, PATCH NOW!

I am guessing it is similar in nature to the previously discovered buffer overflow described in CERT VU #716387 (CVE-2008-3257). However, there is no mention of a workaround in this CERT advisory as there was with the previous attack, and in general Oracle is not very chatty about the specifics on this one. And I love the teflon coated catch-all phrase in the vulnerability ‘description’: “…which may impact the availability, confidentiality or integrity of WebLogic Server applications…”. Helpful! Friends I have contacted do not know much about this one. If you have more specific details on the threat, shoot me an email as I would love to know more.


Trio Arrested on WalMart Error

Thankfully most criminals are not that bright. There is an article in the Arizona Republic this morning about a group of three Mexican nationals who were on a little shopping spree in the Valley of the Sun. The trio was going to various electronic retailers and making purchases with fake credit cards. The cards appeared to be legitimate card stock from legitimate Mexican banks, but with account numbers from valid U.S. accounts. The trouble started when they bought a laptop from a WalMart, went out to the car, and found that the laptop was missing. The WalMart employees legitimately messed up: the box they provided the ‘customers’ was empty, and no one seemed to notice until after the group left the store. In what I assume was an unintentional remake of the classic scene ‘Somebody ripped off the thing I ripped off’, they got mad and went back to the store to complain. Loudly. To the point where the WalMart employees called the cops, panic ensued, with the three running out of the store flinging bogus credit cards around the parking lot … allegedly. Reports of their yelling ‘Whoop-whoop-whoop-whoop’ have not been independently confirmed. The three men were arrested and are being held on forgery and fraud charges pending an investigation.

The real question in my mind is where the valid credit card account numbers originated from and who provided them. They were stolen from somewhere, and if the crooks had 19 cards made up, that should be enough to provide a statistically meaningful sample to match up with a point of origin. We have seen a lot of credit card number theft over the past several years, which tends to be highly publicized. We see much less on the use/fraud side. I am going to be interested to see what the police uncover … if it makes the news, that is.


Your WPA-PSK Wireless Network Is At Risk… If You Are An Idiot

There was some great hype in the wireless security world this weekend thanks to an article that made it on to Slashdot, and some FUD pumping so-called security consultants. Elcomsoft issued a press release that they can now crack WPA keys WAY faster using the GPUs (Graphics Processing Units) on the latest video cards. It’s kind of cool, and for wireless pen testing the tool sounds useful, but some of the quotes in the article from the security firm GSS (whom I had never heard of) are the typical garbage:

    “This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data,” said GSS managing director David Hobson. “As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.”

    … Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy.

Idiots. These guys are forgetting two things. First, this method doesn’t work AT ALL against an enterprise installation (RADIUS) of WPA. George Ou has more on this. Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you’re fine. Rob Graham also has more on this. WPA-PSK still sucks to manage, and keys go stale, but use a good one and you’re fine. GSS should go back to playing Team Fortress or something with those video cards, because they were either misquoted, or clueless.
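To put numbers behind the “only speeds up brute forcing” point, here is an added example (not from the original post or from Elcomsoft) that derives the WPA-PSK pairwise master key the way 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds) and estimates how long a guess-every-passphrase search would take at a given rate. The CPU and GPU guess rates and the sample passphrases are constructed, illustrative assumptions, not Elcomsoft’s published figures; the point they show is that a 100x speed-up turns an 8-character lowercase key from years into days, while a long random passphrase stays out of reach.

```python
import hashlib
import math

# Fixed by IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
WPA_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2 pairwise master key from a passphrase and SSID.

    This is the step a brute-force tool must repeat once per candidate
    passphrase; the 4096 HMAC-SHA1 rounds are what make each guess cost
    something, which is exactly the cost a GPU cracker parallelises away.
    Because the SSID is the salt, a precomputed table only works for one SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), WPA_ITERATIONS, PMK_LEN
    )


def charset_size(passphrase: str) -> int:
    """Alphabet size implied by the character classes actually used.

    This assumes each character was chosen uniformly at random; a dictionary
    word or a keyboard pattern has far less entropy than this estimate.
    """
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # printable ASCII punctuation plus space
    return size


def keyspace_bits(length: int, alphabet: int) -> float:
    """Entropy in bits of a uniformly random passphrase of this length and alphabet."""
    return length * math.log2(alphabet)


def expected_crack_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase: half the keyspace on average."""
    return (alphabet ** length) / 2 / guesses_per_second


def assess(passphrase: str, guesses_per_second: float) -> dict:
    """Summarise how a passphrase holds up against a brute-force search at the given rate."""
    alphabet = charset_size(passphrase)
    seconds = expected_crack_seconds(len(passphrase), alphabet, guesses_per_second)
    return {
        "length": len(passphrase),
        "alphabet": alphabet,
        "bits": keyspace_bits(len(passphrase), alphabet),
        "expected_years": seconds / (365.25 * 86400),
    }


if __name__ == "__main__":
    # Constructed, illustrative guess rates (assumptions, not measured numbers):
    CPU_RATE = 1_000.0     # PBKDF2 derivations per second on one CPU core
    GPU_RATE = 100_000.0   # a 100x speed-up from a GPU-based cracker
    # Constructed sample passphrases: 8 lowercase, 8 mixed, and a long random one.
    for pw in ["sunshine", "J7q!mZ2p", "bright-river-copper-lantern-42-sky"]:
        cpu, gpu = assess(pw, CPU_RATE), assess(pw, GPU_RATE)
        print(f"{pw!r}: {cpu['bits']:.1f} bits, "
              f"CPU {cpu['expected_years']:.3g} years, GPU {gpu['expected_years']:.3g} years")
    print("PMK for 'password'/'IEEE':", derive_pmk("password", "IEEE").hex())
```

The 'password'/'IEEE' pair is the published IEEE 802.11i test vector, so the derivation can be checked against the standard.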


Friday Summary, 10-10-2008

What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing; we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, you might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening.

Meanwhile, we watched the usual spectacle of the Presidential debate. Since I already know who I’m voting for, I’m not sure why I watch them at all. Like NASCAR, I suppose I don’t want to miss out when someone smashes into the wall and bursts into flames.

On the security front, this week we saw more clickjacking details emerge, Apple release a security update, the World Bank get totally pwned, and Symantec make a major acquisition at a good multiple. But don’t get too excited; we also know a lot of investors pushing early exits at low multiples to save what they can. I don’t mean to focus so much on the finance side of the security world, but I think we’re going to see it bleed into our daily operations as the vendor landscape shifts around.

Over here at Securosis central I continued to geek out and work on our infrastructure. We may be small, but we’re trying to set up some cool collaboration tools to support us as we grow. For you other small business types, the wiki/blog/calendar/mail group integration of OS X Server works surprisingly well, although I don’t think it would be my first choice for an external web server. I just wish it would index documents attached to the wiki. I also ordered a Drobo for our backups and I’ll let you all know how it works.

Oh, and on my run yesterday I saw two coyotes in the park near our house watching me. Very cool.

Webcasts, Podcasts, and Conferences:

  • Martin and I have started broadcasting the Network Security Podcast live as we record it. In episode 123 (my luggage combination!) we talk about electronic voting, China spying, and clickjacking.
  • If you didn’t catch it in the October print edition of Macworld, here’s the online version of the firewall article I coauthored with Chris Pepper.
  • I wrote an article on mobile phone networks for TidBITS that made the front page of Slashdot. I think it’s about the 6th time I’ve hit the front page this year, which is pretty wacky. The TidBITS server had a massive failure unrelated to the Slashdot load right after the article was linked (oops).
  • I was quoted over at Dark Reading on the license changes to Metasploit 3.2. I know I wrote that quote, but reading it now it comes off strangely ambiguous. For the record, I think it’s a great change that will really drive some interesting things in the pen testing software world.
  • Adrian and I were invited by Jeremiah Grossman to a lunch event here in Phoenix with his company (WhiteHat Security) and F5. It was nice to finally get a demo of the F5/WhiteHat integration (WhiteHat generates dynamic WAF rules on the F5 box to block validated vulnerabilities; it’s pretty cool). Jeremiah also showed us his clickjacking code/demo. I almost wondered if I downplayed it too much after seeing it at work. On the bad side, some slimeballs from a local ISP decided to show up, enjoy a free lunch, and proceed to hit up every single one of us there as their personal sales prospects. I pretended I was out of business cards, but they snagged one of Adrian’s so he’ll get the call. Talk about low.

Favorite Securosis Posts:

  • Rich: Clickjacking Details, Analysis, and Advice. I tried to put some context around it, and talk about the overall impact. Direct from Rsnake is some advice on limiting the exploit.
  • Adrian: Symantec Buys MessageLabs. Symantec pays a hefty price, but they land a leader in SaaS email security and fill out their messaging security portfolio.

Favorite Outside Posts:

  • Adrian: I had trouble naming any single post my favorite for the week. There was a most shocking, a scariest, a most depressing and a most sadly illuminating. I am going with the illuminating look into the minds of Sequoia Capital and their reactions to the current financial crisis. This should look a lot like the tech crash of 2001, and frankly, I hope this information was conveyed to their portfolio companies 9-12 months ago, as the window to react has passed.
  • Rich: Gunnar Peterson’s Innovators, Imitators, and Idiots. Just a great post that I need to blog about more fully later.

Top News:

  • The World Bank is seriously compromised. We need a new word for pwn.
  • Apple releases a big OS X security update.
  • Asus ships EEE PCs infected with a virus. Good job guys.
  • ATM skimmers now include a wireless modem for SMS messages. The bad guys increase their embedded devices skills.

Blog Comment of the Week: Christophe’s comment on my “Policies, Plans, and Procedures” post:

    Alas, I work in a former communist country where people were used to signing awful things, and hide whatever they did from upper eyes. I sure have an agreement, signed by all users, stating their responsibility, but that means almost nothing to them.

Time for happy hour with some of our local financial analyst friends. Smart guys who are doing well through this mess, so we plan on getting them loaded and sucking up the advice.


There’s Always a Double Standard

I don’t remember the exact quote from King of the Hill (an animated series here in the US), but it went something like this.

    Bobby: But how come you don’t want Luanne to go out with guys but you want me to date girls?

    Dad: It’s called the double standard, Bobby. Don’t knock it – we got the long end of the stick on that one.

Alan Shimel clearly got the short end of the stick when his account was hacked. Heck, he got the short end of the nub, and so would pretty much all of us. Odds are high you’ve heard that the college kid who hacked Palin’s account is being indicted and could face jail time. Twitter was all aflutter yesterday with concerns that the potential punishment exceeds the crime.

Personally, I believe if you break the law, you face the consequences. I also harbor no illusions that our justice system is blind. It’s clear if you mess with a popular politician, they will frack you as hard as possible, in every way possible. Then bury you. Then pee on your grave. Then pee on your dog before they bury it next to you. Your family and friends? You really don’t want to think about that. And when you mess with a maverick Republican? Well, let’s better hope they can’t track down anyone that ever bothered to smile in your general direction.

Had the perpetrator broken into a government account I would expect a different set of consequences. But a personal account should be treated the same as Joe Six Pack’s. Heck, Alan’s break-in involved documented financial fraud, unlike Palin’s. Not that I think we should destroy the lives of every college kid that virtually shoplifts a virtual candy bar (punishment should suit the crime), but over-tolerance only breeds contempt. Just call me a dreamer, but as a realist I know I’m just wasting my words on this particular topic.

Still, I’ve heard from businesses that unless credit cards or other hard financial losses are clearly involved it is essentially impossible to get law enforcement to take action; they just don’t have the resources. As such we need to focus on our own monitoring and incident response. If you can’t prove someone really stole your cash, you won’t get the attention of law enforcement. If you can’t give them a description, don’t expect the case to go very far.

It’s really no different in the physical world. A few years ago, when I moved to Phoenix, we screwed up and left the garage door open at night. One of those silly mistakes when you think the other person took care of it. Neighborhoods are routinely cruised out here, and when I woke up and noticed it was too late. There went my road bicycle, most of my climbing gear, and, worst of all, a small pack containing my original Star Wars figures I’d saved since I was a kid and some other very personal mementos. We filled out a police report but never expected any action (no, they won’t take fingerprints if someone steals your bike), and after our deductible it wasn’t even worth filing an insurance claim. I made the rounds of the local pawn shops, but no joy. Society accepts a certain level of losses, since we don’t have the resources to continue otherwise. That doesn’t, of course, apply when something gets the press attention of the Palin hack. Sometimes it’s about the losses, and other times it’s about looking good in the press.


Mail Goggles

Someone at Google has created Mail Goggles. It’s a little Gmail utility to keep you from sending out email while, uh, under the influence. Jon Perlow, the author, had this to say:

    “Sometimes I send messages I shouldn’t send. Like the time I told that girl I had a crush on her over text message. Or the time I sent that late night e-mail to my ex-girlfriend that we should get back together,”

And who hasn’t, really? It’s no wonder I am not smart enough to work at Google. I would never have thought this up, never mind actually coding it. I checked, and it’s really there, under the Labs section, along with a dozen or so other productivity tools.

I really think they could be onto something here … just consider this from a ‘Reputational Risk’ perspective; this could be a hot product for Postini. One too many Martinis with lunch? Drowning your sorrows as you watch your stock portfolio plunge? A little testy that your “spa day” executive retreat was cancelled? No problem, Google will quarantine your outbound email! And if you’re too drunk to remember to turn this off, your email probably should be sequestered. Hoff was right, Google really is becoming a security company. Now, where did I leave that glass of bourbon …


Symantec Buys MessageLabs

Well, I did not see this coming. Today Symantec Corp has agreed to acquire MessageLabs for $695 million. That represents close to a 5x multiple on $145M in revenue. While market conditions are not rosy, this price is not out of line for a segment leader who is seeing growth in the highly competitive email security market. This appears to be a good strategic move: they address their largest weakness in email security (SaaS), they can leverage the continued convergence of security offerings in messaging and data protection, and there is a substantial cross-selling opportunity. If memory serves, the 19,000 customers of MessageLabs represent an order of magnitude larger customer base than Brightmail brought to the table in the 2004 acquisition.

It’s hard for me to fault this acquisition. The primary growth opportunity in the email sector appears to be on the hosted services side, and the bet here is being made that SaaS is the model for the future. Today you can get Brightmail as software, hosted email security or an appliance, so it’s not like you did not have the choice, but the focus was clearly not on SaaS. MessageLabs, along with Google’s Postini, are the current leaders in this space with hosted services. The danger for the vendors who offer email security as a service is the ease of migration from one platform to the next. It’s not like software or hardware purchases, where the investment and employee training create a degree of ‘stickiness’. The cost of migrating from one hosted email security vendor to the next is relatively low, and Symantec will be under immediate pressure to keep the MessageLabs customer base happy as they are in serious competition with Postini. Postini is dirt cheap, so failure to convey the overarching vision or a significant alteration to pricing could result in a very quick loss of customers. Still, I don’t see that happening, as Symantec offers a low risk choice for many companies. A large stable firm with strong commitment to the segment and the breadth of product offerings makes a compelling choice. Upstarts with better technology just cannot compete with the mature, high availability, low risk vendors.

As the other major growth opportunity in this segment is the convergence of messaging, web and DLP security feature sets, customers are more commonly viewing these as similar problems and want to address them with a unified solution. It is difficult for companies to offer highly competitive products in all areas, but Symantec is now able to take a leadership role in each.

And what does this mean for Brightmail? Undoubtedly this will be rolled out as a hybrid model for now, with at least a short term commitment to existing customers. Symantec can hedge their bets on what the market will want in terms of technology for the short term. In response to John Thompson’s quote, yes, today’s customers have a great choice as far as the type of solution they choose, but my guess is the Brightmail investment will slowly atrophy, and Symantec will migrate customers onto the more profitable hosted platform.
Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.