Research

A few days after returning from DEF CON my family experienced an inevitable life-changing event you cannot really prepare for. Kindergarten. That’s right. If you have been following this site since it started 8 years ago, you have watched as I went from a newly married dude in his 30’s traipsing around the world, to a… and I find this really hard to say… responsible parent with school-aged children. My life schedule is now officially defined by the State of Arizona and the Paradise Valley Unified School District. So long off-week Disney trips; hello PTO, early dismissal days, and parent/teacher meetings. To be honest, it’s pretty exciting. For some reason American society thinks that if you manage to keep your kids alive for the first five years, then the state should step up and provide a little support and education. Those of you who ran through the private daycare gauntlet know exactly what I am talking about. The thing my daughter is most excited about? The idea of a teacher sticking around for more than three months. We actually went ahead and got our 5-year-old accepted to a charter school that’s closer to our home than the school she would normally go to (due to the vagaries of subdivisions). It’s actually a normal public school, but they get a little extra funding and have a STEM program, and it is considered an in-district transfer. We got our 3-year-old into the pre-K program at the same school. I have already experienced some highs and lows with the STEM program. It was very important to me – even if my kids go into non-technology careers, a solid technical foundation will help in whatever they do. Also, I hoped going to a STEM-enhanced school would help compensate for the many issues with technology and science education for girls. I wasn’t certain how often they had STEM class, but quickly learned they attend every week. Not bad for a group of kids who generally cannot read yet. Then again, last week our conversation went like this. “How was school? What did you do?” “We did this thing called STIM?” “Awesome! That’s STEM! It’s science and technology! What did you do” “We colored a picture of a scientist.” “Oh.” This week they talked about what scientists do. It wasn’t terrible, and she learned that science is about asking questions. On the other hand, over the weekend we played Robot Turtles and started learning about how that board game teaches programming. And how we can use it to program our Lego robot. And the next day the kids begged me to do science, so I pulled out our polymer lab kit and we experimented with making fake snow, absorbing water, and making goo. The weekend before they asked to go the the Arizona Science Center and we had a total temper tantrum pulling them out of the paper airplane exhibit because her helicopter design wasn’t working. Heck, I took them to HacKid and they loved it, even the 3-year-old. I really hope the classes go hands-on soon, because talking about something is no way to foster lifelong interest. We live in a golden age for science and technology education. Instead of learning to program to move a fake turtle on a screen (let’s be honest, it was barely a pixel), our kids can move real robots in the real world… without knowing how to read. 3D printers, microscope lenses for phones, cheap bio sensors, drones, microprocessors – technology has never been more accessible (at least if you live in an affluent area – let’s be honest). My kids will get this all at home. Those are my hobbies, and I hope my love of science and technology influences them. It will be nice if school reinforces that, but I will not rely on it. There is one exception to my golden age comment – it’s a crappy time for chemistry sets thanks to terrorists and meth dealers. Or an overly-paranoid government and stupid DHS rules. Or something like that. On to the Summary: Favorite Securosis Posts Adrian Lane: CISO’s Head Asplode. Mike Rothman: Firestarter: You Can’t Handle the Gartner. I’ll admit it. I don’t watch other folks videocasts or listen to their podcasts. But I would watch/listen to ours. Mostly because it’s entertaining, and even helpful. And yes, we actually have a good time recording it. Rich: APT hits the ER. There is much more to this than you think. I know of some big healthcare breaches that originated overseas but haven’t been made public. Other Securosis Posts Incite 8/20/2014: Better get a Bucket. 21st Century Shakedown. Favorite Outside Posts Adrian Lane: 96% decline in NYC car theft. Interesting how a single innovation can thwart an entire class of security issues. Mike Rothman: Visualization for Security. We (as an industry) aren’t very good at visualization. So check out this deck from Raffael Marty, who is one of the leading visualization dudes in the industry. And learn some stuff. Rich: Apple begins storing user data in China. It’s going to be interesting to see how Apple handles user privacy overseas, considering their intense focus on privacy as a competitive differentiator here in the US. The fact is you simply cannot offer these services in some countries without opening them to the local government, in ways you don’t have to here, even with all our recent NSA concerns. Gunnar Peterson: Michael Daniel’s Path to the White House: CyberSec Coordinator Tells Why Lack of Tech Know-How Helps. What’s next? A Treasury Secretary who brags about not knowing about banks? You can’t make it up. I get that execs (a czar counts as an exec, right?) cannot be down “in the weeds” but you have to be able to tell a weed from a flower or a vegetable. Rich adds: this astounds me. It shouldn’t but it does, and the fact that he sees this as an advantage means he is completely unqualified for his job. Dave Lewis: The Puerile

So I am finally home for a few weeks, coinciding with the kids starting school. As usual I grab my messenger bag first thing in the am and head out on my nomadic journey. With about 10 local Starbucks with Google WiFi, I am typically in one of those. I get faster Internet at Starbucks than I do at home (57mbps down FTW). It does make me a little more predictable, so that’s a bit alarming. But I’ll trade 50mb downloads for the anemic DSL speeds of AT&T WiFi every day of the week. After a long day of reading tweets, drinking coffee, and trolling the team in our chat room, I come home to see the kids outside with a bucket. Yes, they were challenged to the Ice Bucket Challenge, an awareness campaign originated by Pete Frates – a former Boston College baseball player – suffering from ALS that has gone viral over the past week. There is a great ESPN profile of Pete and the challenges of ALS. NFL coaches and players, celebrities, families, and evidently school-age kids are dumping buckets of ice water on their heads. Though to be candid, I was kind of annoyed. Most of the celebrities and sports stars mention ALS and talk about the cause – if only for a few seconds. But do these kids even know why they are doing it? I asked, and they had no idea. So I saw a teaching moment. I dictated that before any ice water was dumped, they would need to understand about ALS and commit to not just dousing themselves, but to giving money to the cause. After extracting a $20 commitment each, and making sure they read the online description of the disease, they dumped the water. And all was right in the universe. Then I remembered that I saved the fantastic “A Football Life” episode on Steve Gleason because it was awesome and inspiring. The former New Orleans Saint suffers from ALS, and that show documented his life and his adventure climbing Machu Pichu. Yes, I forced the kids to watch that too. I am good with viral campaigns. I’m ecstatic that this campaign has increased donations to research for an ALS cure tenfold. That is awesome. And it would be even more awesome if everyone who dumped a bucket of ice water on their heads actually understood why they were doing it. Then instead of just being funny, it would be educational as well. –Mike PS: The picture above is Bill Gates (yes, that Bill Gates) doing the ice bucket challenge. Click here to see the full clip in all its animated GIF glory. Photo credit: “Bill Gates ice bucket challenge” originally uploaded by Waseem Ashraf The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U The path of least resistance: Clearly the easiest way to pwn an organization is just to find some Windows XP and use old malware. In our App Control paper we said there are a bunch of reasons XP may still exist in your environment. But if you still have unpatched XP you just suck at operations and security. Again, there are some mitigating circumstances (perhaps you cannot patch), but then you need some kind of whitelisting on the device to lock it down. Seriously – it’s 2014, folks. MSFT is trying their best to stop supporting the product. It’s time to upgrade. – MR Form letter: “Company {name} was the victim of unauthorized access to our customer systems, and attackers stole {number} of credit cards between {date1} and {date2}. Company {name} said: ‘Our customer’s trust is a top priority, and we’ve taken steps to address the {vulnerabilityXXXXXx10^3} and help law enforcement catch those naughty, malicious evil-doers that are now looting your bank account. As an added precaution we will make available {worthless-service} to protect your identity, and ask all of our customers to reset their passwords ASAP.’” There you go: an open source breach letter

Everyone wants to be special. When I’m chatting with a company that doesn’t fit the typical profile for a state-sponsored attacker target, sometimes they seem disappointed. I certainly don’t mean to hurt their self-esteem, but the reality is that most businesses just don’t have anything of interest to a nation state. For the most part, I would have included healthcare in that group. It’s hard to see how Beijing could use the flu diagnosis of John Doe. Although that’s a pretty myopic view – healthcare shops hold a lot of personal data. You know, Social Security numbers, addresses, birth dates, and other stuff useful for identity theft. Reuters is reporting on the Community Health breach, which impacted 4.5 million patients. Both Mandiant and Crowdstrike traced the attack back to a specific nation-state affiliated hacker group. The sexily named “APT 18” has been in action for a while, usually targeting human rights groups and chemical companies. On the surface an advanced attacker targeting a healthcare shop is counter-intuitive, but given the multi-phase and staged attacks used by nation-states it makes sense. The attackers can use this information to more effectively target employees with phishing messages to gain a foothold in their real target. So the moral of the story is that you need to think three or four steps ahead to understand the real mission behind many of these attacks. Odds are Community Health was a means to an end, so they could target a big company or ten with information gleaned from the hospital. Though the only way you will be able to really connect the dots is through a forensic view of the eventual data breach. Have we talked about incident response lately? Yeah, maybe it’s time to make sure your IR/M process is where it needs to be. Photo credit: “Emergency room” originally uploaded by KOMUnews Share:

Just in case you felt it was only you as the CISO who had an overwhelming amount of stuff to do, it’s not. This mind map on the Security Advisor Alliance site should bring that message home. And this is the best quote: The initial branches could also be expanded to include many other priorities for a CISO. Yeah, no wonder you can’t see the forest for the trees. So what do you do? You could try to be Pragmatic to get things going. You need to make sure you are setting the expectations properly about what you will do – and more importantly what you won’t. Also be very candid about the resources you will need for success. So take a look at the mind map and note the things you are doing now (perhaps not as well as you need to) and the things that have been on the list for a while, which you never seem to get to. Clear you mind and then be honest with yourself about whether your priorities are aligned to achieve successful outcomes for your organization. If so you should feel good. For maybe 5 minutes – then get back to work. This list doesn’t get done by itself. If not, it’s probably time to blow up what you have been doing. Doing the same stuff and expecting different results is crazy. So take the opportunity to recalibrate and communicate new priorities, and start tracking them. Yes, easier said than done. But in the face of an overwhelming number of tasks and responsibilities, you need to prioritize fiercely and make sure your limited time is spent on the stuff that matters. Starting right now… Photo credit: “71/365 – Uh-oh” originally uploaded by Josh Connell Share:

After our little Black Hat and DEF CON induced hiatus, the boys are back to talk about the latest vendor suing Gartner. Yes, there is a Gartner Tax. No, it isn’t what you think. No, there is no pay for play. Yes, there are better ways to handle this. Yes, end users love Magic Quadrants no matter how much you trash talk them. And yeah, somehow we know a bit about how all this works from all sides. The audio-only version is up too. Share:

Over the past year or so we have done a bunch of research into denial of service attacks, at both the application and network levels. Tactics are one thing, but we usually start with adversary analysis. You know: who wants to pop your environment and steal your stuff. Or maybe just knock you down so you can’t get up. Not that this is news, but shakedown via DDoS is still alive and well. And even the mass media is catching on, as evidenced by this BBC article. This quote from the CEO of CloudFlare describes the attack is language even I can understand. In the physical world, you could think of it as a sit-in, or if you had all of your friends going to a store, fill the entire space and not actually buy anything. So what do you do? Do you pay the ransom? I suspect many organizations do. Over and over again. Can you fight? Yup. There are a ton of services out there that can help defend you against a DDoS. Some are enterprise-capable, with all sorts of networking kung fu to move traffic into their scrubbing centers at the onset of the attack. Others provide this service as part of a CDN or performance optimization service. Either way, if you have an important site that can’t go down, you need to make sure you protect it from 21st century mobsters, doing the 21st-century equivalent of throwing a brick through your window. How you doin’? Photo credit: “The Godfather” originally uploaded by Alex Eylar   Share:

One of the noteworthy activities coming out of BlackHat/DEF CON was the open letter to the auto industry from I am the Cavalry espousing 5 principles for making the computers in cars safer – before someone gets hurt. As our pal Josh Corman says in a CSO article on the initiative: “This initiative is not only about finding bugs,” Corman said. It’s about building relationships between researchers, industry and government, which is much harder, he said. [sic] It is indeed all about the relationships. Researchers (most notably Charlie Miller and Chris Valasek) have hacked the crap out of cars, because all these fancy car tech systems are just computers with WiFi and/or Bluetooth. Egads! Of course they can be hacked. The question is whether auto makers will get ahead of the issue. The principles are pretty straightforward. Things like building security in, having independent researchers try to break it, updating software remotely, and isolating important stuff (such as the steering system and power train). This isn’t brain surgery and some auto makers (notably Tesla) are hiring teams to do a lot of this research on their own cars. I applaud the efforts of the Cavalry and other organizations which work to build these relationships and progress based on mutual interest, without an adversarial relationship. There was a bunch of trolling on Twitter earlier this week, which was largely about the futility of these movements. Just because it’s hard doesn’t mean it’s not worth doing. Of course security will get better in cars and other areas where connectivity is expected (like medical devices). It can happen via productive discussions with organizations like the Cavalry. Or it can happen after someone dies, when Congress gets involved to grandstand and hijack the conversation. The choice lies with industry. We’ll see how it goes. Photo credit: “cavalry charge” originally uploaded by The U.S. Army Share:

Oddly enough my big takeaway from the Black Hat security conference was not about security – it was about innovation. It seems many of the disruptive trends we have been talking about are finally taking hold, finding mainstream acceptance and recognition. We have been talking about cloud computing for a long time – Rich has been teaching cloud security for four years now – but people seem to be really ‘getting’ it. It takes time for the mainstream to fully embrace new technologies, and only then do we see disruption fully take effect. It is as if you need to step fully into the new environment before what’s really possible takes shape and starts to manifest itself. Fo example, when the Internet hit big in 1996 or so, we talked about how this would hurt “brick and mortar” retail, but it was a good 7 to 10 years before that reality fully manifested. Only then did the change take full effect, and few industries were left untouched. We are just now reaching that point with the cloud, mobile, and NoSQL databases, and getting here has been exciting! When I talk about security analytics it is nearly impossible for me to do so without first talking about NoSQL and the value of “big data”. NoSQL enables me to inexpensively scale up to collect all the data I need. NoSQL allows me to easily pull new and complex data types for analysis. NoSQL facilitates more programmatic use of stored data, and my choice of NoSQL architecture lets me tailor a solution to analytics or real-time response. Security analytics is the goal, and you don’t need to have NoSQL, but the disruptive innovation of NoSQL makes it better and cost-effective. NoSQL has been around for a long time, but the possibilities for security analytics are only being widely considered now that most firms have taken their first steps into the new world. The same is true for DevOps, which is the culmination of several technology advancements reinforcing each other. The API economy is making the cloud, mobile, and various other services accessible. It is being driven by development teams who need to be more agile and efficient. DevOps offers virtual on-demand resources. DevOps does not depend on the cloud, but the cloud makes it better. This evolution of several pieces has suddenly created something bigger than the sum of its parts. Even better, all these new technologies build in security components. I was more amazed to see disruptive innovation manifest, but there were significant efforts to build security into each of these trends. Life will be very interesting over the next 4-5 years. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted on context-aware security in SearchNetworking. Mike quoted in coverage of Wendy Nather as a “Power Player” in IT Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted. Mike’s “Change Agent”: Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” with an impact on how security has evolved… Check it out. Adrian and Mort talk Big Data with George Hulme. Mort quoted in “Communicating at the speed of DevOps”. Favorite Securosis Posts Mike Rothman: Suing Gartner. I’m surprised I didn’t get more comments on this post. Kind of counter-intuitive. Unless maybe it’s not and everyone else figured out that NetScout is grandstanding before I did… Adrian Lane: Butterflies. Morphing. It’s this week’s theme. Dave Lewis: Trolling Mass Media. Other Securosis Posts It’s not a problem until someone dies…. Cloud File Storage and Collaboration: Additional Security Features. Friday Summary, August 1, 2014: Productivity Metrics edition. Favorite Outside Posts Mike Rothman: Mark Twain’s Top 9 Tips for Living a Kick-Ass Life. Adrian Lane: Military Companies Brace for Rules on Monitoring Hackers. It’s one thing to disclose a breach to a partner – it’s another to let the partner conduct the forensic analysis. Most firms don’t trust their business partners enough to give them unfettered access to their systems. And the government has many interests outside supplier agreements. We will see how this shakes out. James Arlen: SEC failed to guard sensitive information. Dave Lewis: Weak Passwords: Mel Brooks Warned Us. David Mortman: Multipath TCP speeds up the internet so much that security breaks. <– Ooops. AKA stateful firewalls break multi-homed BGP if you don’t architect correctly…. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Espionage programs linked to spying on former Soviet targets. Dan Geer’s Blackhat Keynote. The Lie Behind 1.2 Billion Stolen Passwords. Is Amazon Web Services Really Down and Out? Facebook Buys Security Firm PrivateCore. 8 Patterns For Continuous Code Security. Safari for OS X gets “click-to-own” security holes patched. Tenn. Firm Sues Bank Over $327K Cyberheist via Krebs. Last Hacker Standing, Episode IV – The Last Hope. Martin’s new podcast. Snowden says NSA was responsible for 2012 Syrian internet blackout. Dead Simple Encryption. Forget encryption: Why won’t anyone build an open-source key manager? Security Kahuna Podcast: Las Vegas Edition. ERP: Protecting the pipeline by focusing on business-critical platforms. Improving Malware Detection in Firefox. Share:

A couple weeks ago we went to see the kids at camp on visiting day. They have so much fun, learn new skills, and grow as individuals at camp – despite being away from the watchful eyes of their parental units. Go figure – let your kids spread their wings, and they do. One of the new skills both XX2 and the Boy tried out was waterskiing. So during visiting day they get to show off for the folks. So we walk down to the lake, and have a few minutes before the kids get into the water. I sit down in a nice white gazebo next to the lake. Up flies a butterfly to perch on the rail right next to me. It’s basically just staring at me. No fear. No need to go anywhere else. Just hanging out. I bust out my camera and take a few pictures. The butterfly doesn’t move. My dad comes over and takes a few pictures – butterfly still doesn’t move. I don’t think much of it, and then we go see the kids ski. XX2 even gives us a wave as she motors on by. The Boy does get up on the skis. For about 4-5 seconds. Guess he can work on that some more next summer. Then I was at Black Hat last week, and it was crazy how much the conference has changed over the past 5 years. The hallway booths are now an exhibit hall. The audience is much larger, and now a bunch of senior security folks show up as well. It reflects the crazy growth of the security business. Though it seems many hands-on practitioners still attend, which is the key to maintaining the show’s value. During my meetings at Black Hat I was constantly talking about the change that is coming to security. We have been thinking a lot about what the future of security looks like, and we have some ideas. We will be right on some things, and wrong on others. But things will change. That much I can guarantee. On Monday we put the kids back on the bus for another year of school. Lots of change happening at school as well. The twins are now broken up into 4 groups this year, with different teachers to specialize by subject. And there is a new principal in the elementary school, so no telling what else will change. Then I can reflect on my own physical and mental evolution over the past few years. Lots of change there too. You seeing a theme here? The only constant is change. Then the butterfly from visiting day flew back into my consciousness. Butterflies represent change. Starting life as a caterpillar, molting, and then emerging as a butterfly: a perfect representation of everything. Constantly changing and growing into something new. You cannot stop change. Just like you cannot force a caterpillar to remain a caterpillar. You can resist but that will not end well. Change always wins. So embrace it. Lean into it. Don’t fear it. Treat every change as an opportunity to grow. Because that’s what it is… –Mike Photo credit: “Butterfly eye – canon 550d” originally uploaded by @Doug88888 The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five March 24 – The End of Full Disclosure Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U If I ran the zoo: Dan Geer provided keen insight on several critical computer-related public policy debates during his keynote at BlackHat last week, and posted his full full talk. On net neutrality he provided the simplest – and sanest – solution I have heard to date. Dan suggests making network carriers choose to be either just a telco passing bits, or an ISP working at the content layer. If they are inspecting content, then they can decide what to throttle (such as Netflix), but that requires accepting liability for content as a “content carrier”. On the other hand, bit pushers neither throttle nor inspect – they just let the content flow. Dan put his considerable

It happens every couple years. Some vendor is really pissed at their placement in the Magic Quadrant, and they decide to sue Gartner and make it right. Inevitably the suit involves the words pay to play, and the vendor thinks they will be the company to make things right in the world. They will get justice for all those companies relegated to the loser niche quadrant. They will unmask the evil analysts for the shakedown artists they are. The latest is NetScout, who filed a suit recently claiming all sorts of stuff. “Gartner is not independent, objective or unbiased,” NetScout claimed in its lawsuit, “and its business model is extortionate by its very nature. Its substantial success is due to the worst kept secret in the IT industry: Gartner has a ‘pay-to-play’ business model that by its design rewards Gartner clients who spend substantial sums on its various services by ranking them favorably in its influential Magic Quadrant research reports and punishes technology companies that choose not to spend substantial sums on Gartner services.” Of course they are wrong. On a number of fronts. First the pay to play angle. Rich covered that a while back, so go see his arguments. Secondly, the MQ is Gartner’s opinion. An opinion can be biased. It can be wrong. It can be anything. None of those things are illegal. But maybe NetScout already knows this. What if they know this is a battle they cannot win? Maybe they don’t expect to win a legal verdict. They should be worried about winning deals in the field, and how a poor placement in the MQ impacts that. This legal action might actually be cover for their reps. Let me explain a bit. When you have to deal with a crappy MQ, you go into spin mode quickly. You have to distribute information to your sales force and partners about why Gartner is wrong. How they missed things and don’t understand the market. It’s a big pain in the butt, and it has sales folks running scared because they know every competitor will be using Gartner and the MQ to put their company into a box. But what if your sales reps could go to customers, saying they vehemently disagree with Gartner’s findings. So much so that they felt forced to legal action. Would that help? Will it make a difference? The biggest issue is generally getting your sales force to tell a consistent message, so having everyone talk about the suit certainly gets everyone on the same page. And better to come off as aggressive and willing to fight for leadership, rather than embarrassed and defensive. Some customers will respond well to that, and keep NetScout in the deal. A lot of others can’t give less of a crap, and will toss them out because in their organization it’s too hard to buy products without the MQ stamp of approval. NetScout was going to lose all those latter deals anyway – now maybe they stand a chance in the others. Though probably not. So what will happen? NetScout will lose the suit. In fact it will likely be dismissed with prejudice, and NetScout will likely have to cover Gartner’s legal fees. Because how can you win a lawsuit over someone’s clearly stated opinion? It’s not like they are making libelous statements. But NetScout might see a net gain because they will stay in deals longer. At least some deals. And if they close one deal they would have lost, they are likely to cover their legal fees. So maybe they are smart and looking at this suit as a sales & marketing expense. Or maybe they are knuckleheads who actually expect some kind of favorable outcome from this legally nonsensical suit. Either way, they got a lot more folks talking about NetScout. Public relations for the win! Photo credit: “Sue the Bastards” originally uploaded by Lloyd Doppler Share: