Research

Here I am, just off the bench after six months of watching from the sidelines, and when I’m still two feet away from the darn batter’s box Hoff lets loose with a hundred mile per hour fastball right at my head. Thanks Chris, it’s not like you didn’t know exactly when I’d be back at bat. I really suggest you go read both of Chris’ posts, but here’s a snippet so I have something to work off of: Known by many names, what I describe as content monitoring and protection (CMP) is also known as extrusion prevention, data leakage or intellectual property management toolsets. I think for most, the anchor concept of digital rights management (DRM) within the Enterprise becomes glue that makes CMP attractive and compelling; knowing what and where your data is and how its distribution needs to be controlled is critical. The difficulty with this technology is the just like any other feature, it needs a delivery mechanism. Usually this means yet another appliance; one that’s positioned either as close to the data as possible or right back at the perimeter in order to profile and control data based upon policy before it leaves the “inside” and goes “outside.” I made the point previously that I see this capability becoming a feature in a greater amalgam of functionality; I see it becoming table stakes included in application delivery controllers, FW/IDP systems and the inevitable smoosh of WAF/XML/Database security gateways (which I think will also further combine with ADC’s.) I see CMP becoming part of UTM suites. Soon. First a little bad news; I mostly agree with Hoff, and this is such a big subject I’m only going to cover part of it today. Consider this the first part of a multipart series on DLP/CMF/CMP. Today I’ll cover a little bit of history and what I look for when figuring out if the latest widget is just a feature of something else, or likely to be a stand alone solution. What most people call DLP started about 5-6 years ago as an extra feature of about the only Acceptable Use Enforcement product on the market- Vericept. Vericept monitored network communications, mostly as a sniffer near the gateway, to detect things like porn, gambling, sexual harassment, and “hacker” research. A lot of people tried to position it as a network forensics tool, but instead of full packet capture it just looked for policy violations and recorded that traffic. It also came with usable business reports, not just lists of IP addresses and packets. Vericept could also detect things like credit card and social security numbers leaving the organization. Vontu, Vidius (later PortAuthority and now Websense), and Tablus started becoming more visible, each with their own somewhat unique approach to the problem. Vontu cleaned up in the early years by really focusing on the business problem of preventing data leaks and building a tool the business guys could grok. Once Reconnex, Fidelis, and a few others appeared the marketing machines really started cranking and bringing more attention to the entire space. In 2005 Vontu had a big lead in a small market, but the competition learned fast and became MUCH more competitive in 2006, after more than a few management changes. Early on we had a hard time naming this space. Not just us analyst types, but the vendors themselves. I even had a phone call with two of the bigger ones in 2003 or 2004 where myself and two competitive marketing managers tried to hash it out. I went with the term “Content Monitoring and Filtering” because I felt the core technology was about a lot more than just leak prevention. New technologies pop up all the time and sometimes it’s hard to figure out which will succeed, fail, or succeed as part of something else. I ask one simple question to place my bets on something being a feature vs. a solution: What’s the business problem, and does the technology solve it? If not, what percentage of the problem does it solve? Okay, I cheat, because this is hard. Something like, “it blocks USB ports” isn’t a business problem; at least not with a capital B. This is also where we tend to see all the BS business-speak like “holistic” and “synergy”. I should probably do some posts just on this alone, so let’s look at DLP. The business problem for DLP is, “tell me where my sensitive information is and help me protect it”. Chris is correct- Data Loss Prevention is just a feature focused on one part of the problem. Monitoring data moving through the perimeter is a throwaway. The DRM part, which all DLP solutions will eventually include, is also a throwaway; let someone else do that part. Content scanning and classification for storage, email integration, internal network monitoring, and so on are all just features somebody can put into something else. The product, and I really like Chris’s Content Monitoring and Protection term, is the policy management server, content analysis, and workflow and reporting tool. It’s the central console for managing all these enforcement points that will be part of UTM, endpoints, and everything else. Today the “DLP” vendors need to build most of this themselves since it’s hard to sell a product when you have to tell your client to buy 20 other components from other vendors. This isn’t part of UTM because the people setting the policies for content and dealing with enforcement aren’t the same as those dealing with inbound threats. This isn’t part of Application Firewalls, Application Delivery Controllers, or database security gateways because those are also managed by different teams, with different responsibilities. Actually, those tools are going to consolidate into a database and application security stack, while DLP evolves into a Content Monitoring and Protection solution. We’re solving the problem of identifying and protecting sensitive content being used by our employees (and other insiders). Those responsible for solving this problem often include non-technical types like corporate legal, risk, and compliance. The problem is different

If you’re reading this, I’m no longer a Gartner analyst. For the past 7 years or so I’ve had the best experience of my professional (and often personal) career. The product of a bad acquisition and short stint in consulting, Gartner gave a young unknown hothead the opportunity to become an industry analyst. I tried my best to run with it. Seems to have worked out okay. Gartner was an amazing experience; I learned more than I possibly imagined when I started, and any success I have in this industry is in large part the product of Big Daddy G. I learned everything from presentation and writing skills, to defending my analysis, to how to analyze in the first place. And that’s not including the massive amount of knowledge imparted by thousands of client conversations and (yes) vendor briefings. Gartner also showed me the world. Before G, I’d been to Mexico; now I’ve been to probably two dozen countries on every continent except Antarctica. I suppose some of you reading this expect me to be disgruntled, but aside from the usual gripes of any long-term employee I have nothing but good things to say. Gartner is as successful as they are for a reason. And no, I’m not just blowing smoke in case my future plans implode- it was a great job and a great company. So why am I leaving? I’m just too darn young and foolish. As positive an experience as Gartner has been, I feel like I’ve gone as far as I can as an analyst. I’m still young, don’t have kids yet, and if I’m going to take a risk now is the time. I’ve been feeling unchallenged and know there’s a lot more in this big world to experience. Back around February I decided to start poking around, but quickly realized there was no way to effectively job hunt while maintaining my integrity as an analyst. A little over 2 weeks ago, thanks to selling my old condo in Boulder, I found the financial freedom to take a little risk. I resigned without a parachute. As of this evening, I’m now out on my own as an independent consultant. I’m the founder, owner, and sole employee of Securosis, L.L.C. I don’t know exactly where all this will end up. Maybe I’ll get that perfect offer. Maybe I’ll stay independent. Long-term I just want to comfortably support my family, travel less, and Do Good Things. I have every intention on staying in the security industry- it’s worked since I was 18, why stop now? I don’t need the big score, just a good race. Thanks to some industry friends I already have some good contracts to start, and despite my initial fears feel pretty good that things are headed in the right direction. The best news (I hope) for you readers is that the blog is back! This time I’m only representing myself, and can write without restriction. I also plan on some other surprises, so stay tuned. It’s been a great run so far; I can’t wait to see what the second lap has to offer. (Post title inspired by Jimmy Buffet covering Harry Nilsson) Share:

Like many frequent travelers, I tend to rely on sleeping pills to help me out with the jetlag. One 30 pill prescription for Ambien CR usually lasts me about 9 months, and definitely gets the job done. Unfortunately, it doesn’t make me any smarter. I accidentally left my little friends at my last hotel, and with a tight travel schedule there’s no way they’ll catch up to me. Fortunately, I’m in Australia. The concierge at the hotel pointed me to the doctor’s office across the street. I walked in and they apologized that there would be a long wait- maybe an entire 30 minutes. This is without an appointment people; my last personal doc usually kept me waiting AT LEAST that long even WITH an appointment. The appointment itself was short, but since I don’t have the national healthcare I had to pay for the visit and the prescription they gave me on the spot. Only $68 for the visit and pills, and it would have been free if I lived here. (Yes, this particular trip is nasty enough it was worth the price). This is the second time I’ve had to use the healthcare system while traveling here and my last experience was pretty much the same, except I was actually sick then. We watched Sicko a few weeks ago and it really hammered home how messed up our system is. Experiencing healthcare in other countries only reinforces our disfunction. Only 6 days till home! Share:

For those that are interested, you can now browse and post comments by going to https://securosis.com. The cert may show up at securiosis.com, which was the original (short lived) name of this domain. I’m working on getting that fixed. Please let me know if you experience any problems. I also tweaked a bunch of other settings and features on the site. Share:

I’m estimating around 60 hours in planes and airports, assuming no flight delays. Can I go back to the dentist instead? Oh wait- that’s the day I get back. Share:

I’m on the 40 minute flight from Phoenix to Vegas for two back-to-back conferences any reader of this blog better already know about. As usual, the drama is already starting with rumors, innuendo, on-stage battles between presentations, the ever-elusive hunt for the next *-gate, and the always popular feats of strength. But I’m not going to talk about that. Drama is one of those nebulous concepts slightly more elusive than porn; sure, you know it when you see it, but unlike porn you have a hard time noticing when you’re in it. Let’s be honest, we’ve all been in the middle of more than a little drama in our lives. The problem with drama is that it doesn’t benefit anyone except the press, and maybe some sadistic bystanders. It certainly doesn’t benefit those involved. Drama raises emotions, lowers reason, and devastates credibility. It’s hard to take someone seriously when they get all “woe is me” on you. I remember one of the more dramatic incidents I responded to in an ambulance. A woman ran over a child outside of a school. She more just bumped the kid with a couple ton car than any actual running-over, and while serious, it was clear the kid was going to be okay. The woman? A friggin’ mess. Hysterical screaming, ranting, and full-body-rending spasms that completely distracted everyone from the kid on the ground who needed medical attention. That drama reduced the care the kid received, at least until we showed up, ended up requiring a second ambulance for the woman (not the cheapest mode of transport in the world), and did nothing but make a serious incident even worse. Another rescue drama was one of the more heart-wrenching calls I ever responded to, with a far worse outcome. I was responding on a mountain rescue call for someone lost in an avalanche. His hiking partner was a total freak-job, evading the truth (out of guilt) and recruiting his college friends to engage in their own private search (big no no). At one point I remember flying up a snow-covered trail, closed due to avalanche danger, in a Jeep driven by a park ranger with an even less-developed sense of self preservation than I have to help the Sheriff’s Officers remove the individual. In the end, the victim wasn’t in the avalanche and probably died of exposure a mile or so away before the first rescuer showed up. The drama of the survivor and his changing stories did nothing more than pull valuable resources from where they needed to be, and destroyed his credibility. To this day I’m convinced his ego killed his partner. Sure, these are extreme examples, but in each case those involved lost credibility and respect while distracting both bystanders and those there to fix the problems from the real issues. In a less-extreme example I’m still embarrassed for some of my own attempts for an Academy Award for Best Victim in a Drama for a couple of bad breakups in college. I let the drama take over, and to this day my friends still occasionally remind me of those antics when I need to be put in my place. Leave the drama for entertainment. When another industry engages in it, all it does is hurt the credibility of those directly involved, and anyone associated with them. It’s hard, but we need to sometimes divest ourselves of emotions and let the facts and events play themselves out. Share:

If you read this, you know why. Arriving Tuesday, departing Monday. Probably at Hotel Paris since I didn’t get my stuff together in time. Share:

Dentist: You shouldn’t feel any pain. Me: Great. Dentist: Now close your eyes to keep the debris out. Me: What? Ah, yet another one of those painful maintenance tasks. The follow up instructions tell me no alcohol tonight, and no drinking from a straw. Which sucks, because that totally blows my usual Thursday night routine. Share:

As I may have mentioned, we moved into a new home about 3 weeks ago. This isn’t the first home I’ve owned, so either things have changed since I bought my last house, or it’s different when you buy a new build. According to our postal carrier, we’ve been getting mail here since long before we moved in. Technically before we knew our physical address (we just had a lot number). What kind of mail you ask? SPAM SPAM SPAM SPAM SPAM SPAM SPAM wonderful SPAM Landscapers. Blinds. Water treatment. Closets. Garage organization. You name it, we got it. Now most of that you get pretty much anywhere, but there’s one kind of snail-mail SPAM that’s really pissing me off. Mortgage stuff. A lot of it. Mostly predatory “mortgage insurance”. “What happens if you or your wife lose your ability to work?” garbage. My favorites are the “mortgage cancellation” programs. “You are not taking advantage of your mortgage cancellation program, contact us immediately”. Cancel my mortgage? Works for me, You gonna pay? What’s annoying is that all of these “services” know who my lender is, and the amount of my mortgage. I figure either my lender probably sold us out, or maybe it’s a subscription service from a credit service. Either way, I figure there must be enough idiots out there for this stuff to work. Snail mail, while cheap, isn’t nearly as cheap as email, and this stuff has to show some kind of returns. Sigh. Where there’s prey, there’s predators. Share:

As I’ve mentioned before, I’ve been doing martial arts for a while; most of my life if you count high school wrestling. I recently switched from Traditional Taekwon-Do to Karate after moving to Phoenix. One of the things I love about martial arts is how many lessons on life you can draw from it. I had another one of “those” experiences Tuesday night. Where I train is more than just a Karate dojo- there are three training floors with a bunch of different instructors from different arts; each a real instructor in their art, not just some dude with a black belt in one style, and 3 random classes under his belt in 8 others. A couple weeks ago they started a Mixed Martial Arts program (MMA). Yep, we’re talking Ultimate Fighting Champion! While I like to delude myself into thinking I’m too pretty to fight full contact at the ripe old age of 36, you can attend the class without going to the nose-bursting extreme. The combination of switching styles and playing with MMA really highlights something about most martial arts. While one goal of sparring is supposed to be a way to simulate a potential real-life fight, most arts end up constrained by whatever rules they decide on for sparring and tournament competition. Problem is that none of those rules exist in the real world. In TKD you can’t grab or throw, so there are a lot of high kicks and multiple kicks. In Karate you can do basic grabs and throws, so I quickly learned to pull that leg back in darn quick. But in Karate certain kinds of techniques don’t score, even though they could do some damage if they connected. For example, there’s something called a hook kick; I’ve noticed in Karate that the version taught is not a version you’d ever use for real- it’s totally worthless outside a tournament. Because of the rules, most tournament matches are won and lost off a few basic techniques, so that’s what you spend most of your time on in class. It’s the same for pretty much everything- boxers don’t have to worry about takedowns or kicks. Wrestlers don’t have to worry about getting kneed in the face. No one has to worry about getting kicked in the nads or fighting more than one person at a time. As one of my instructors in Colorado puts it, “any martial art is only as realistic as the last time it was used in combat”. In nearly every martial art I’ve trained in, the rules for sparring and tournaments have a dramatic influence over the techniques a student learns. Even MMA has rules, and being more of a sport than a specific martial art those rules define how people train, and how you train defines how you will react- be it in the ring or on the street. Now most of us don’t get into all that many street fights anymore, but this is one of those analogies that easily extends. For example, how many of you, in your day to day job, expect your customers to behave according to the arbitrary rules of your business and become upset when they act differently? A customer/client/john might ask you for something simple outside your normal process, and even if it’s easy, even if it’s beneficial to both of you, even if it doesn’t violate policy, your instinct will be to say no. Why? Because you don’t think you can do it. You’ve allowed arbitrary rules to define your capabilities. As Rob Tobin, another master instructor (and great friend who died long before his time) once said while we were doing some business together, “don’t make it hard for people to give you money”. And the worst culprit? Compliance, but I’m not going to talk about that here. As a martial artist I constantly strive to train according to the rules without letting them limit my capabilities. To be honest, it’s a lot easier to do on the training floor than in my professional and personal lives. Keep it real. Share: