Research

In the 4 years since I started Securosis, this is absolutely the most bat-sh** crazy time I have experienced. Between cramming for the cloud security training class, managing a software development project, keeping our infrastructure up and running, hitting writing deadlines, and keeping up with prospects and clients, I barely have time to breathe. Add in a couple young kids who have done their best to ensure I don’t get a good night’s sleep at home for the past 6 months… and it’s no wonder I finished last week alternating between passing out and participating in commode-based religion. But I’m loving it. Right now I have the exact same feeling as when I hit the last couple miles in a triathlon. It’s painful. Oh so painful. But the endorphins kick in and you start thinking about life after the race. But now isn’t the time to lose focus. So time to bang this out and move on to the next item on the list. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich contributed Mac Defender: Pay attention but don’t panic to Macworld. Oracle 11G Available On Amazon AWS: Adrian’s Dark Reading post. Favorite Securosis Posts Mike Rothman: Cloud Security Training: June 8-9 in San Jose. If you need to know about cloud security, we’ll teach you. A few spots remain. The curriculum kicks ass. Adrian Lane: Planning vs. Acting. Rich: Sowing the Seeds of Token Panic. Other Securosis Posts End Users, Fill out Our Security Marketing Content Survey. Incite 5/25/2011: Rapturing the Middle Ground. Favorite Outside Posts Mike Rothman: Mac Defender: Pay attention but don’t panic. Love it when a post Rich writes is highlighted on Techmeme and Daring Fireball. Especially when it’s posted on MacWorld. 🙁 But the traffic is well deserved – great perspectives on the next wave of Mac attacks. Adrian Lane: Siemens Downplaying Serious SCADA Holes. Thought they would have taken a lesson from Oracle and Microsoft – I guess not. Chris Pepper: Dilbert deals with [firewall] managment. “Keep me informed.” Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Network Security Operations Quant Metrics Model. Network Security Operations Quant Report. Understanding and Selecting a DLP Solution. Top News and Posts New version of Mac malware doesn’t require password. Siemens Working On Fix For ‘Security Gaps’ In Logic Controllers. Keys to the cloud castle. The rise of the chaotic actor: Understanding Anonymous and ourselves. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Shack, in response to Planning vs. Acting. Except that i’m not. I’ve been there, and appreciate the whole “water cooler” thing. However, i see way too many security managers who wrap themselves in “governance” and rhetoric. C’mon. I’m not ignorant to understanding the risk and threat landscape. But all talk, and reciting the latest incedible “news story” does … What? Ours is a discipline technical in nature, and relies on technical acumen to fully understand and articulate risk. If your career is built on “water cooler” topics, i’ll likely be reading about your organization in the news in the future. I for one have had enough of the “strategists” with no tactical knowledge or understanding. Share:

It was just a matter of time. After the EMC/RSA breach in March, the clock started ticking relative to the seeds being used to gain access to something important. According to Bob Cringely, that has now happened with a very large US defense contractor having their remote access network compromised. Since it had been a pretty slow news week (how long can we talk about the LinkedIn IPO?), now every beat reporter will write 10 articles on the impact of this new attack. It’s just a matter of time before we see picketing at RSA HQ, demanding new tokens for all. We’ll see the old timers talk about the good old days to time sharing. Security folks will be called before the executive team to discuss the exposure and whether the tokens are still worth a damn. Wash, rinse, repeat. We’ve seen this movie before. Now I don’t have any inside information about this new attack. But the reality of two factor authentication means you need both something you have and something you know. If 2FA is based on an RSA token (and the seeds were stolen), then the attackers have the token. But they don’t have the code (something you have) required to gain access. Unless the device was compromised separately using a different attack, mostly likely a key logger to capture the passcode. The loss of the seed does not compromise your network. But the loss of the seed and the passcode will. That’s an important distinction. Is the inevitable panic justified? Of course not. We are presumably dealing with APT, which means they will get into a network by whatever means necessary. Advanced or not. They got the seeds, and then compromised a device with remote access. Game over. They are in. Let’s just say a company tossed all their RSA tokens and brought in someone else. Guess what? Then the attackers would compromise a device already on the network, taking the 2FA out of play. And that’s really the point. Remember the words by any means necessary. Sure, RSA will likely have to stamp out millions of new tokens. Customers will demand no less. Yes, it will cost them money, but it’s a drop in the bucket for a company like EMC. Yes, issuing new tokens will stop this specific attack vector. But it will not stop this specific attacker. So panic all you want. They are still going to get in. Which underlines the key point in Cringely’s article. “The good news here is that the contractor was able to detect an intrusion then did the right things to deal with it.” We’ve been talking about reacting faster and better for years. Significant network and system monitoring, and if you are specifically a targeted organization, network full packet captures are not options anymore. What should you do? Use the panic to your advantage. These are some pretty good data points to push through the funding for that full packet capture gear or a new network/systems monitoring service, eh? Or maybe the application white listing technology for those devices with access to critical stuff. Whatever the specific controls you need to add, strike while panic is cresting. Now that’s what I call making lemonade out of a bunch of lemons. Photo credits: “Panic!” originally uploaded by Memphis CVB Share:

The sun rose today. As it has every day for a couple billion years. Though plenty of people thought they would not be around on Sunday for the sunrise. Yes, I’m talking about the Rapture. Either it didn’t happen or we all got left behind, which is fine by me – I still have stuff to do. You may think the whole concept is wacky, but I’m the last guy to criticize someone else’s beliefs. What you believe is your business. I’m certainly not going to try to convince you I’m right. Especially about matters of faith. But the Rapture preacher didn’t consider that he could be wrong. He dug in and didn’t leave any wiggle room. That didn’t work out very well. His followers awoke Sunday, confused and flabbergasted. Some haven’t paid their bills. Others took fancy vacations with money they didn’t have, figuring it would be the bank’s problem and they’d be laughing from heaven. These folks didn’t have a contingency plan. But you have to hand it to the preacher. He’s a true believer with a flexible and robust calendar. Some may snicker about the lunacy of the whole thing, but that misses the point. The real lesson is that even if you are a true believer you need to leave your options open. Even if you know you are right, it’s probably a good idea to think through the unfathomable scenario that you could be wrong. I know, it’s hard. None of us want to believe we are wrong, especially folks of conviction and passion. But in the face of overwhelming evidence (like waking up on Sunday) that you are indeed wrong, you need to be able to move forward. This remains a challenge for me too, by the way. I think in a pretty binary fashion. Right and wrong. Good and evil. Black and white, with very little gray. Though the gray area is increasing, which is kind of predictable. When you are young, you haven’t screwed up enough things to believe you could be wrong. Over time, you gradually realize not only your own limitations, but also that right/wrong is an interpretation. Now do a little homework to start using this lesson in practice. Look back to your last 2-3 arguments. Did you leave yourself an out? Did you respond poorly because you had no choice but to defend your position to the bitter end? Did you need to fall on your sword to save face? I’m all for taking a position and defending it passionately, but 20+ years in the salt mines have taught me to find the middle ground. Because most likely the sun will rise tomorrow, and you need to move forward. – Mike Photo credits: “Caught up in the rapture” originally uploaded by Analogick Incite 4 U Target Practice: Life is about relationships. Pretty deep but true. Whether you are talking about family, friends, colleagues, even people you don’t like, your reality is based upon the relationships you have with these folks. That’s true in security as well, as Chris Hayes points out. There is a good quote here: “IT and business executives are craving value-add from information risk management functions.” Which is true, so how can you add this value? By defining success and then delivering it. It’s not your definition of success – you need to agree with other folks on what security can do to further business objectives. Find the target. Hit the target. Then tell folks you hit the target. Easy as pie. – MR Hostage Situation: A Venafi study finds admins could hold data hostage from their employers if they chose to withhold encryption keys and passwords. To which I have to say “Well, duh!” Not everyone in an organization will have control over pieces of critical infrastructure, but you have to trust someone, so place control in the hands of a select few. This variety of insider threat rarely materializes, but is especially damaging when companies over-leverage key management solutions (so, for example, every key in the organization is stored in a single key server) or fail to implement separations of duties for key management. If you are worried about this type of scenario there are several things you can do: keep a master key stored off-premises so you can regenerate and rotate the working keys if an admin goes rogue. Think about separating duties for key management, so no single admin can take control of the key manager functions. Use different key servers for different applications or functions, minimizing the scope of potential damage. Do better background checks on your admins prior to employment, and have better employee departure processes to make sure all credentials and access points are changed as part of the termination process. Or maybe treat your employees better so they don’t get too pissed off – yeah, that last one’s probably not going to happen. – AL There is no control for stupid: A fact that is mostly glossed over by security folks is that all the technical controls in the world can’t protect a stupid user with access. That’s the point of George Hulme’s story, and it’s a good one. Yes, we have to make it hard for user stupidity to bring down valuable systems – hat’s what technical controls are for. But we also need to anticipate some number of self-inflicted wounds, and be able to quickly respond and recover. That’s what Reacting Faster and Better is all about. So whether it’s a human FAIL, technical FAIL, or an attacker that kicks your butt, it’s all the same in the end. You need to handle the issue. – MR Unless you are the lead dog, the scenery never changes: I love that concept. Most folks spend their life looking at someone else’s backside. Which is fine – not everyone can lead. But what does it mean? We all have our own ideas, but Bejtlich’s post defining Five Qualities of Real Leadership clarified a lot of the stuff

We got great response to our Categorizing FUD post. Obviously many of you are as frustrated with marketing idiocy as we are. So let’s band together to prove to the vendor community that some of their security marketing tactics hurt them more than they help. We put together a little survey to get your opinions on the value of a number of different kinds of marketing content, to help understand how you use these tools and whether these tactics negatively impact your perception of the vendors using them. With this analysis, we can go back to the vendors and poke them in the eye about the stupid stuff they do. If you want your opinion heard, and are an end user, please head over the survey and fill it out. It should take less than 10 minutes. Although we have no way to enforce this, we’d prefer only folks directly involved in buying security products for end user organizations respond to the survey. The questions are structured to help understand how these different content types impact perception of vendors, which is why the survey is more appropriate for end users. Direct link: http://www.surveymonkey.com/s/SecurityMarketingContent Thanks for your help. Share:

You might have noticed I haven’t been blogging much for a couple months. That’s because I’m spending nearly every waking hour on our training class for the Cloud Security Alliance. This is a pretty big deal for us and I’m psyched it’s almost finished. The class is the Cloud Computing Security Knowledge course, tied to the CCSK certification. I just checked, and we have about 10 slots left for the first full class we’ll be giving June 8-9 at the eBay North campus. You can sign up online. This version is evolved and seriously revised from our February test class at RSA. Actually, it is now three classes: CCSK Basic: A one-day lecture to cover the core material and prepare you for the CCSK exam. This is close to what we delivered at RSA, a firehose of material on all things cloud security – from defining the cloud, to encryption models, to IAM. CCSK Plus: This includes the first day, then adds a day of additional lecture and hands-on activities. This is what’s killing my time, and where we get into the meat of cloud security. We start with threat models, move into creating and securing EC2 instances (and understanding the EC2 security model), encrypting EBS volumes, building an application infrastructure with availability and security zones, building an OpenStack cloud, IAM, and so on. It’s designed so you don’t need to be a tech god, but there’s room to explore for those of you with stronger skills who don’t want to get bored. And be honest: how many of you have installed MySQL in an encrypted EBS volume? Train the Trainer: Yes, you can get certified to teach the class yourself (note that you’ll need to sign an agreement with the CSA). This is a third day to go into more depth, including walking through all the scripts and tech used in the class, how to set up your instructor system, and deeper Q&A on the material. The class is pretty broad, but we do get as in-depth as we can in the limited time. And not to worry, we’ll be hitting the road with it soon, and we know a bunch of training organizations will also be picking it up. Share:

I’m all for thought leadership. Folks driving our security thinking and activities forward benefit from it. Josh Corman is one of those leaders. He’s a big thinker – he can suspend disbelief and reality long enough to envision a different outcome, and make his points with passion. I’m also all for action. As a CEO I worked for once told me, “Nothing gets done until someone sells something to someone.” In security that means at some point the controls have to be implemented, the flanks monitored, and the attacks defended. Dave Shackleford gets things done. Quickly. He thinks fast. He talks fast. He’s always moving. He’s like the Tasmanian Devil. These two got into a Tweet ‘fight’ (whatever that means) last week over Josh’s CSO article The Rise of the Chaotic Actor, Understanding Anonymous and Ourselves. Dave sat down long enough to bang out a response, Less Talk, More Action. I had nothing better to do on a flight home, so why don’t we investigate the gray area between them. Some aspects of both their positions make sense to me. And some don’t – depending on agenda and perspective. Josh is an analyst. He’s not hands-on anymore. If he hacks anything, it’s in his spare time, which I know is limited. We analysts cannot spend 60% of our time fixing things like Dave. There is too much pontificating to do. We have to influence behavior by writing thought provoking pieces to shake folks out of their day-to-day misery, into thinking a bit more strategically and broadly. That’s what Josh’s piece was about. He makes the case that, once again, our adversaries’ motives are changing – to defend against them we need to understand the new reality. But Dave has a good point too. Time spent obsessing about how to defend against a collective like Anonymous is time not spent on more active work, such as patching systems, training users, and implementing new controls. Shack points out that if we could spend 10% more time doing things, we probably wouldn’t be quite so screwed. And we are screwed, as the fine folks at Verizon Business point out every year in their DBIR. As usual, the truth is somewhere in the middle, depending on who you are and what you are responsible for. You don’t always think strategically, and you can’t always be doing things. Dave did toss that into his post. Security architects need to understand the current threats and how to evolve defenses. Those folks need to pay attention to Josh. For them, the chaotic actor is important. But there are many more practitioners doing poor jobs on fundamentals. A lot more. No matter the size of their company, these folks suck at security. They can’t even walk, so asking them to ponder the dynamics of running a world class 200m race is stupid. That’s Dave’s point. These folks need to fix the steaming piles of their security programs before they worry about Anonymous, or anyone else for that matter. A script kiddie can take them down, so a nation state is off the radar. As usual, when you push a targeted message like Josh’s widely – such as through CSO Magazine – you are bound to annoy people. When Dave gets annoyed he tends to fire with both barrels, which I certainly appreciate. I know someone like that. To be clear, most folks working on security should spend more time letting Dave teach them the fundamentals, rather than having Josh expand their viewpoints. I think that was Dave’s point. My point is that it’s up to you to understand whether you should be thinking strategically or tactically at any given moment. There are times and places for both. Fail to recognize your situation and choose the right response, and you will become just another statistic on Kushner and Murray’s survey. You know, the one tracking the average tenure of security folks. Share:

I stumbled on my last employer’s shutdown plans while rummaging around my old email archives. Those messages were from today’s date 3 years ago – not coincidentally the day Rich and I began to discuss me joining Securosis. At milestones like this I tend to get all philosophical and look back at the change, and what I like and dislike about the move. How do I feel about this change in my career? Where are we as a company, and is it anywhere near what we planned? I had no idea what an analyst really did – I just wanted to help people understand security technologies and be involved much more broadly than just database security. I kinda thought I was getting out of the startup game, but Securosis has the feel of a startup – the freedom to follow our vision, the pressure to focus on what’s most important, the agility in decision making and long hours. But it also feels like people appreciate our take on what analysts can be, which makes me think we have a shot at making this little shop a success. Personally, leaving 20+ years of pure technology roles was a big leap. Actually I had no single role – any day it may include architecture, product strategy, development, design, evangelism, and team management. But being able to cover a dozen areas in security – and the independence to say whatever I think – gives me a lot of satisfaction. And I love doing research. Unfortunately the single biggest detriment of the job – and it’s a big one – is writing. It’s what I spend the majority of my day doing, and it’s quite possibly my worst skill. I find writing to be a slow and painful process. It’s common to go two days without writing anything substantive, followed by a single day where I get crank out 15 pages. That’s nerve-racking when you have deadlines – pretty much every day. I never had this problem coding – why the English language causes me problems that neither C nor Java ever did remains a mystery. Learning how to write better is one of the more painful processes I have been through. And for those of you who sent me hate mail early on – one of you called me ‘Hitler’ for atrocities against the English language – you are totally correct. A-holes, but still right. From a business standpoint, if there is one singularly important difference you learn when moving from technology to an analyst role, it is perspective. A vendor’s view of what a customer needs is usually off the mark. Vendors do a lot of searching for the ‘secret sauce’, and constructing very logical arguments for why their particular product is needed – even a ‘must have’. But logical vendor arguments are usually wrong and don’t resonate with customers because they fails to account for the limitations faced by businesses. Customers each work within a set of existing constraints – some mixture of perfectly logical and perfectly absurd – which binds them to a specific perspective and approach to problem solving. I constantly hear vendors say, “Everyone should do X because it makes sense,” to which customers say nothing at all. This is even harder for startups with innovative technologies. How do you know the difference between “Customers just don’t get it yet” and “This innovative product will never be adopted”? The evangelism to educate the market is tough, and it’s easy as a vendor to close your ears to negativity and bad press because they are just part of the evolutionary process. The ability to shine a light on these messaging and strategy issues, and realign companies with customer requirements, is a big part of the value we provide. Vendors are so busy spinning – and get so used hearing to ‘No’ for both good and bad reasons – that they lose perspective. I’ve been there. Several times, in fact. For whatever reason customers tell analysts stuff they would never tell a vendor. I get to see a lot of the inner workings of IT organizations, which has been very educational – and unexpected. Three years later I find I have two great business partners, I get to interact with extraordinary people, and I work on cool projects. I do really love this job. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Database Security. LonerVamp expands on Adrian’s SIEM: Out with the Old. Adrian quoted on BeyondTrust acquisition of Lumigent. Adrian’s Dark Reading Post on Secure Access to Relational Data. Favorite Securosis Posts Mike Rothman: BeyondTrust Acquires Lumigent Assets. Hindsight is 20/20, and there are lots of lessons in the failure of Lumigent. Adrian Lane: VMware Buys Shavlik: One Stop Shop for Virtual Infrastructure? Especially the bit on patch consistency with VMs in storage. David Mortman: Defining Failure. Rich: SIEM: Out with the Old. Other Securosis Posts Incite 5/18/2011: Trophies. Defining Failure. Cybersecurity’s RICO Suave: Assessing the Proposed Legislation. Favorite Outside Posts Mike Rothman: What I Wish Someone Had Told Me 4 Years Ago. Great post on being an entrepreneur. Ultimately a large part of success is just doing something. This lesson applies to almost everything. Adrian Lane: Marcus Ranum and Gary McGraw talk about software security issues. Gary has deep experience so his perspective is interesting. David Mortman: Attacking webservers via .htaccess. Pure awesomeness Project Quant Posts DB Quant: Index. NSO Quant: Index of Posts. NSO Quant: Health Metrics–Device Health. NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS. NSO Quant: Manage Metrics–Deploy and Audit/Validate. NSO Quant: Manage Metrics–Process Change Request and Test/Approve. Research Reports and Presentations React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DB Quant). Network Security in the Age of Any Computing. The Securosis 2010 Data Security Survey. Monitoring up the Stack: Adding Value to SIEM. Top News and Posts More from Krebs on Point of Sale Skimmers Dropbox Fires Back. And I think they are

As mentioned last week, I’ve been mired in the twins’ baseball/softball playoffs the past 2 weeks. That ended Saturday, with the Rothman clan going 1-1 in championship games. XX2’s team lost a close game and took the runner-up trophy. The Boy’s team eked out a win after dominating the league most of the year to take home the victory. It’s funny, you’d think there would be angst and disappointment coming from the girl, and happiness emanating from the boy. But that wasn’t exactly the case. Both reacted pretty similarly: they loved their trophies and were a little disappointed the season was over, so they won’t be playing any more. I get that they are only 7, and the very American need to win hasn’t yet taken root. And I hope it never does. Both teams made it to the championship game, so they got extra trophies. The Boy’s championship trophy had maybe 3 inches on the runner-up trophy. But they were both very proud to get the extra hardware, and so were we. It’s funny – both games went down to the wire. Both were somewhat impacted by poor officiating. And both games had parents or coaches (or both) in an uproar about mistakes made by 14-15 year-old kids making about $15 per game to umpire. The kids couldn’t care less. Sure they had a little trouble understanding why they were called out or why a run was allowed to score when it didn’t make sense. But they got over it within seconds. Some parents were still stewing two innings later. Part of me feels like I’m getting soft, and that focusing on just doing well, as opposed to winning and beating the competition, will hurt my kids later on. Plenty of kids are being trained by their folks to step on the throat. Maybe those kids will win the game of life, whatever that means. I just know how unsatisfied my quest for victory left me. And it wasn’t like my parents pushed me to win at all costs. I was born with that drive and have had to spend years slowly retraining myself to focus less on winning and more on doing what I love, which will likely always be a work in progress. So far it seems my kids are happy to focus on the trophy and not the win. Maybe that will change and then I’ll have a decision to make. Do I discourage that behavior? I’m not sure, but I doubt I would actively interfere with their desire to win. I had to learn the lesson myself the hard way, and I suspect my kids will likewise need to figure it out themselves. I am not bashful about sharing my experiences, so when they ask I’ll provide my opinion. But ultimately they’ve got to figure out whether the trophy will be enough. Photo credits: “Trophies” originally uploaded by TexKap Incite 4 U Are devices or (lack of) performance killing AV? I’ll preface this entire discussion with the disclaimer that the rumors of AV’s demise are wildly premature. But we in the know all understand that AV isn’t the way to deal with today’s threats. Which is why I chuckled when I read about how Google’s Chromebook may finally kill AV. Ha! Unless some smart Google engineer has figured out how to stop corporate inertia in their 20% unstructured time, or to remove AV from all the compliance mandates, I don’t see Chromebooks killing off AV. To be clear the Chromebook is more a mobile device than a conventional computer. And if they allow plug-ins or other persistent software to run (and I don’t know how they could avoid it), malicious code will still threaten to them. But like iOS devices and even Android (to a point), it’s tough to do this in a weaponized, self-propagating fashion. So it gets back to a point we have been making for quite a while. The issues arising from the increasing mobility and consumerization of the workforce are more system and device management issues than security issues. – MR Lasso the SaaSo: Many organizations want to move various operations to SaaS providers, but balk both at the complexity of managing users and at giving up control of their data. We see two types of solutions appear. Some help manage user credentials and integrate accounts with internal directories, and others are inline proxies to encrypt/tokenize data or limit functionality. Hoff talks a bit about VMware’s move into this area. I suspect the money is on the user management side, and have very mixed feelings on the data protection/encryption products. Sure, you can encrypt customer info and store the token or encrypted value in Salesforce.com, but the more data you block Salesforce.com from processing the less useful it is. And these things are inline proxies which reduce mobility. Back to the VPN, everyone! Seems like the sort of thing people will buy and discard. – RM Compliance Rolling: I got a kick out of Dejan Kosutic’s Management’s view of information security – he captures the essence of the issue. It’s just that his clean prose presents a politically correct version that misses the semi-hostile management displeasure for anything security. Kinda like your defeated resolve when finding you have an incurable disease. In management discussions, I find “Is it really necessary?” really means something more like “Are you sure legal said there was no loophole?” I translate “Does it fit into our company strategy?” to “If we can’t get rid of it, then let’s market it as an advantage.” And I hear “How can we decrease costs?” as “Where can we cut corners and still be compliant?” He’s right that management does not want to invest in security, and Dejan has the right discussion points, but the language is never this civil. It’s more like wrestling with a hostile adversary. – AL There is no answer (singular): I sat in on my friend Ron Woerner’s leadership presentation at Secure360 last week, and

BeyondTrust announced today that it has acquired the assets of Database Activity Monitoring vendor Lumigent. Some of you are saying “Who?” Others, who have been around the DAM space a few years, shake your heads in dismay at what might have been. There was a time – way back in the 2004-2005 timeframe – that Lumigent had a clear leadership position in the Database Activity Monitoring space. They won many head-to-head sales engagements. They had a good sales and marketing team, the best Sarbanes-Oxley reports in the industry, the only viable auditing tool for Sybase, and the only platform that provided “before and after” query values. The latter was the hot feature for forensic audits and regulatory compliance, and every customer wanted it. Greylock, North Bridge, and NetIQ invested. Lumigent was a shining star in the nascent DAM market and they were making a name for themselves. Fast forward 6 years and we have an asset sale. That’s a politically correct term for fire sale. The kind where they’re selling the fixtures off the sinks. So how did it all go so very wrong? There was actually a long series of missteps, so we’ll discuss several major types of FAIL. It’s a classic example of how to plunge into the chasm, land in a fiery mess at the bottom, and get sold for scrap metal: Strike One: Technology. Lumigent never capitalized on their technology lead. Their engineering team must have known that the triggers and stored procedures they used in the early days would not scale, even though early customers preferred them to native audit and tracing – which Lumigent then added to their mix! It seemed like Dumb and Dumber were managing their product roadmap. Sure, they improved data collection over time, but not enough; nor did they ever find a consistent strategy to collect events across all databases. Additionally, they focused on Sybase and MS SQL Server – to the exclusion of Oracle and IBM, who sell a few databases. Competitors quickly provided more – and better – collection options across all the major platforms. Competitors were easier to deploy and did not kill performance. Don’t get me started on the missed Vulnerability Assessment opportunity. Lest you forget, Lumigent acquired nTier, which was a bad assessment product. Nothing was structurally wrong with it, but it needed a lot of work on policies and reporting to be competitive. During the several years assessment was key to winning deals, Lumigent made no visible investments into the nTier technology. It only covered a couple databases, with only some of the needed policies for security or compliance, when it was acquired. They were not the only vendor stuck in the mud for a while, but the upshot is that they failed to upgrade their product to keep pace. Startups have to innovate, you know? Strike Two: Partnerships. Lumigent heavily courted Microsoft and Sybase. They geared their product strategy to work with these two database vendors to a fault. This helped early on, but both partners wanted far better auditing capabilities – specific to their respective database platforms – before they were willing to really get behind Lumigent. Behind the scenes Lumigent thought acquisition was a sure thing. Not so much – Lumigent neither delivered, nor did they hedge their bets with a heterogenous solution. When Lumigent failed to provide better auditing, the rumored Microsoft and Sybase acquisitions halted, and both partners had conversations with just about every other DAM vendor. The recent partnership with Deltek was solid, but simply not enough to carry the company. They didn’t just count their chickens before they hatched, they counted them the first time the rooster made eye contact. Strike Three: Misunderstanding the market. Lumigent’s story shifted from Database Security; to Compliance; to Database Auditing Solutions for Compliance and Security; to Information Centric Security; to Application Governance, Risk & Compliance; and then back to DAM – each step worse than the one before. The App GRC strategy was the most surprising and saddest, as it looked like a desperate attempt to save the firm by re-inventing their market. I appreciated their ingenuity in repackaging DAM into something totally new, and admired the cojones management displayed with their willingness to walk away from their primary market, but I thought they were nuts. And I told them. Rich and I stopped short of begging Lumigent to reconsider their App GRC path, with at least a half dozen reasons it was a bad idea, along with practical experience about how Information Risk Management and GRC messaging missed DAM buying centers. A couple years later that horse died, and Lumigent was back to square one. Very few start-up firms get three strikes. What does this mean for BeyondTrust? The good news is that DAM extends the PowerBroker functionality, providing a means to detect misuse and compromised credentials. The PowerBroker product family is focused on credential and authorization management, but its value is the ability to delegate capabilities without distributing credentials, and fine-grained task-oriented authorization maps. Before the acquisition the PowerBroker platform was geared for preventative security. DAM provides detective capabilities along with a number of compliance reports deeply focused on the database layer. This gives BeyondTrust users some new toys to play with that improve security and broaden the product line. BeyondTrust surely acquired the assets for a song, so they really can’t lose here. And I like the vision. I hope they take a long look at how their customers will use the technology – a few strategic improvements would go a long way to improve customer satisfaction. But there is some bad news. First, the Lumigent technology is way behind the curve. For Database Activity Monitoring or Vulnerability Assessment, Lumigent cannot compete head-to-head against other established vendors. The technology lacks consistency and capabilities across the board, including data collection, database platform support, policies, and platform management. For most acquirers that wouldn’t matter – BeyondTrust can at least sell ‘new’ Lumigent functions to their existing accounts to enhance security

The M&A train gathers steam in the security space. With Lumigent’s assets off the table, the TripWire buy, Sophos/Astaro, and RSA/NetWitness, it seems the busiest guys in town are the investment bankers. VMware has joined the parade by buying configuration management player Shavlik, ostensibly to facilitate the adoption of virtualization in the SMB market segment, though we believe that oversimplifies VMware’s ambition to be a one-stop shop for all things virtual infrastructure. This is actually an interesting deal, particularly considering GigaOm’s excellent VMware is the New Microsoft, Just Without an OS. Think about that for a second. As Microsoft started attacking the enterprise with LAN Manager and then more specifically Windows 2K, their success was accelerated by offering seamless management of the server(s). Enterprise customers scoffed at Microsoft System Manager because it wasn’t OpenView or UniCenter, but it provided small customers with what they needed to lay down a foundation of Microsoft servers. In the small business segment, seamless management is critical thanks to the limited IT resources. And that will be a gating factor to adoption of virtualization in small companies as well. So decisively taking that issue off the table is a smart move for VMware. The ability to claim some security goodness is a bonus. You have to tip your hat to Mark and the rest of the team at Shavlik. They built the company without outside investment by focusing on a core market and not straying from it, even as Shavlik’s more enterprise-focused competitors, such as BigFix (IBM) and ConfigureSoft (EMC), were taken out by big IT players. Shavlik stayed focused on Windows environments, adding anti-virus and power management to the mix within the same management construct. They also invested heavily in spinning a SaaS management service to appeal to small companies (under 100 employees). If you look at Shavlik from an enterprise standpoint, as many of us are guilty of, they don’t measure up. But as VMware looks to go downmarket with virtualization Shavlik is a great fit. But we still need to assess the technology within the context of the entire virtual infrastructure. On one side they might be planning on adding it to VShield Endpoint to enhance VM configuration and tracking – little things like making sure the instance you spin up was patched while in storage, and updates weren’t just applied to VMs running at the time. Or maybe they will skew this more towards managing virtual desktops. Or both. To assume they will only use Shavlik as a lever to get into SMB would be to downplay VMware’s grand ambition. With some R&D investment Shavlik’s technology could be extended to other platforms. And probably needs to be, because a technology like configuration management is core to managing this next wave of hybrid virtual/cloud data centers. VMware has plenty of options for integrating Shavlik, and most inevitably lead to impinging on the territory of its partners. Initially they won’t risk alienating HP, IBM, or EMC, who are significant partners for VMware. But at the end of the day all the Big IT players are competing to control the virtualization/cloud platform and infrastructure. VMware is clearly building itself out as a one-stop virtual infrastructure shop. It’s too early to see how it will fully play out, and a lot of organizations are using multiple virtualization and cloud providers to tackle different parts of the problem (servers, desktops, big iron, etc.). But ultimately, in most market segments, the player that provides the most effective platform will gain the largest market share. And that means they all need to field complete product lines. Which they will, keeping the investment bankers busy. Share: