Securosis

Friday Update: It’s 0day Week!

Holy 0day Batman! What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a whacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in a part of the code base that was already patched for a very similar problem. What’s even more interesting is that it was discovered because of active exploits in the wild.

I’ve been known to be a little persnickety about definitions, and I’ve never liked that we call all unpatched vulnerabilities zero-days. In my book, a true 0day is a vulnerability that is being actively exploited but that we don’t know about. The bad guys have information we don’t, and are using it against us. When the details are public but no patch is available, I just consider that an unpatched vulnerability. But who am I to say- I still consider hackers good guys.

On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker, you can overwrite some of the attributes of that speaker if they are already in the system. Minor, but annoying, since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff.

On that note, it’s time to head off and start decorating for our annual Evilsquirrel Halloween Party. We have about 13 tubs of decorations we’ve collected since my old roommates and I started holding parties around 1995 or so. I even have homemade animatronics I built using microcontrollers and other geeky stuff. Yeah, I fear for my impending children too, but the neighborhood kids love us. At least the ones who don’t pee themselves when the motion sensor kicks off.

Webcasts, Podcasts, and Conferences:
- The Network Security Podcast, Episode 124. Jacob West from Fortify joined us to rail against electronic voting. If Dick Cheney wins the election, we’ll all know why.
- I participated in a virtual conference put on by InformationWeek and Dark Reading. I was on Ten Security Threats Your Organization May Be Unable to Prevent, with H D Moore of Metasploit and BreakingPoint and Trey Ford of WhiteHat Security. I felt a little weird talking about XSS and SQL Injection with H D following me, but it was a pretty good panel.

Favorite Securosis Posts:
- Rich: Your Simple Guide to Endpoint Encryption. I’ve been writing a lot about market issues lately, and I really enjoy it when I can give out practical advice.
- Adrian: WAF vs. Secure Code vs. Dead Fish. Look folks, we’re far too polarized politically in this country to fight over which of these things solves our problem better, when both are equally good and bad.

Favorite Outside Posts:
- Adrian: Rsnake captures the everyman experience and puts the fun back into Internet browsing. I mean, can’t we all just get along?
- Rich: Andy reminds us what it’s like to work in the real world. Researchers, analysts, and vendors often forget what it’s like to be in the trenches, even though most of us have been there. I think it’s refreshing to read about Andy’s pain. Er… maybe that wasn’t the best way to say that.

Top News:
- Microsoft Security Patch was released this week. We covered it a bit ourselves.
- Princeton posts a guide to hacking Sequoia voting machines. Jimmy Buffett for President! FTW!
- Australian government massively censoring the Internet. I love that country and have spent a lot of time down there, but the government is really whacky. Did you know that hard core pornography is illegal everywhere except the Australian Capital Territory (you know, where all the politicians are)? Guess writing censorship bills is boring work.
- Voting machines flipping votes. Notice a trend? (Thanks to Dave at Liquidmatrix, who does a great daily summary).

Blog Comment of the Week: Windexh8er’s comment on the Microsoft vulnerability post:

So even though this sort of thing is less common as SDLs mature further (honestly Microsoft is doing a much better job in this space — but legacy code that’s in the OS is still there). This just goes back to the position wherein do corporations really need client side processing? Some may have valid reasoning (i.e. graphics / architecture / modeling / etc), but for the majority of the end users out there in corporate America they really don’t need a fully functional end system. In a Microsoft environment I’d like to see the next iteration of OS go to stripped down systems like you can leverage in Server2k8 – obviously most “work” today from a variety of different locations and the laptop has overwhelmingly displaced the standard desktop workstation for day to day business. With that respect the standard installation should be minimalistic at best. Stripped stack, host based filtering (in and out), no user rights with the exception of approved applications and then strictly managed socket / protocol connections to approved devices. Give them what they need through established connections. At that rate client processing goes way down and visibility and control sky rocket. It’s far too much for any given internal IT / IS department to manage numerous deployed apps and multiple desktop configurations in the state business as usual is running today. Everyone I know has a corporate laptop (these are big businesses, right) but all of these users can pretty much all connect to outside networks and do casual computing – even if it’s restricted, it’s still wide open enough to let the user infect themselves unknowingly. I’d love to do a formal PoC, like this, with one of my large clients. Cost savings

Microsoft Critical Update Today- **Updated- Details Released**

If you don’t already know, Microsoft is releasing an out-of-band critical update today. Rumor is it is not related to the TCP DoS issue, and may involve an 0day with remote code execution. Here’s the link to the webcast where they will detail what’s going on. We don’t normally jump on a bandwagon like this, but it sounds like a big one you’ll want to fix ASAP.

UPDATE: Woops- literally 2 minutes after I posted this, Ryan Naraine posted details and a link to the official advisory. It’s a nasty vulnerability in the Server service that allows remote code execution without authentication. You should already be blocking TCP ports 139 and 445 at the perimeter, so there is nothing unusual to change on the firewall. But this is totally wormable, requires no authentication, and allows arbitrary code execution. It’s the evil trinity of vulnerabilities.

You should pay extra attention to your mobile users and friends and family- have them update ASAP, since the odds are they aren’t blocking those ports. Don’t get too cocky if you have a firewall- like Slammer, it will only take one infected sales dude to plug back in at the office and ruin your day. These are the kinds of vulns NAC is made for. Also, don’t forget about those virtual versions of Windows running on your Mac. It looks so easy to exploit that by the time you read this it’s probably too late 🙂

WAF vs. Secure Code vs. Dead Fish

I’ve been slowly catching up on my reading after months of near-nonstop travel, and this post over at Imperviews caught my eye. Ignoring the product promotion angle, it raises one of my major pet peeves these days. I’m really tired of the Web Application Firewall vs. secure coding debate, never mind using PCI 6.6 to justify one over the other for security effectiveness. It’s like two drunk cajuns arguing over the relative value of shrimp or pork in gumbo- you need both, and if either is spoiled the entire thing tastes like sh&t. You also can’t dress up the family dog and fish in a pinch, use them as substitutes, and expect your kids to appreciate either the results or the use of resources (the resulting gumbo or the loss of Rover).

Here’s the real deal- secure coding is awesome, and you need to adopt a formal process if you produce any meaningful volume of code. But it takes a ton of resources to get to the old code (which you should still try to do), and it can’t account for new vulnerability classes. Also, people screw up… even when there are multiple layers to detect or prevent them from screwing up. On the other hand, WAFs need to get a hell of a lot better. We’re seeing some positive advancements, as I’ve written about before, but they still can’t stop all vulnerabilities, can’t stop logic flaws and certain other categories of attack, can’t deal with the browser end, and I hear a lot of complaints about tuning (while I think linking WAFs with vulnerability assessment is a great start on this problem, we’re just at the start of that race).

I absolutely hate to tell you to buy more than you need, but if you have a major web presence you likely need both these days, in the right combination (plus a few other things). If you don’t have the resources for both, I suggest two options. First, if you are really on the low end of resources, use hosted applications and standard platforms as much as possible to limit your custom coding. Then, make sure you have kick ass backups. Finally, absolutely minimize the kinds of information and transactions you expose to the risk of web attacks- drop those ad banners, minimize collecting private information, and validate transactions on the back end as much as possible. If you do have some more resources available, I suggest starting with a vulnerability assessment (not a cheap ass bare-bones PCI scan, but something deeper), and using that to figure out where to go next.

Yes- we are eating our own dog food on this one. The blog is hosted using a standard platform. We know it’s vulnerable, so we’ve minimized the attack surface as best we can and make sure we have backups of all the content. I’ve been pleasantly surprised we haven’t been nailed yet, but I expect it to happen eventually. None of our sensitive operations are on that server, and we’ve pulled email and our other important stuff in house. Early next year we’re going to be launching some new things, and we will again go with remote hosting (on a more powerful platform). This time, we are switching to a more secure platform than WordPress (Expression Engine) and will pay for a full vulnerability assessment and penetration test (at least annually, or when any major new components come online). We may perform some financial transactions, and we’ll use an external provider for that. A WAF is out of budget for us, so we’ll focus on minimizing our exposure and manually fixing problems discovered by ongoing assessments. We also plan on using as little custom code as possible.

But seriously- I’m tired of this debate. Both options have value, they aren’t mutually exclusive, and which you need depends on what you are doing and how many resources you have. Eventually we’ll get a better lock on this problem, but that’s a few years out.

Network Security Podcast, Episode 124

Want to talk about electronic voting? We did. So we invited Jacob West from Fortify to talk with us about a paper he just published with a couple of engineers at Fortify. Guess what- they found that electronic voting using DRE voting machines is the least secure way to vote. Makes me feel good going into the election. It’s a good thing we’re fairly self-policing when it comes to time; this is a conversation that could have gone on for a couple of hours. We had a number of technical issues tonight, so be glad we’ve got a podcast up at all.

Network Security Podcast, Episode 124, October 21, 2008

Show Notes:
- Dear Mr. President: Let’s talk tech – We desperately need a geek in the Cabinet!
- Miley Cyrus Hacker Raided by FBI – Don’t brag to the press when you’re already in the cross-hairs!
- Flash Suckage: Eat your cookies – Now you can be tracked through Flash too.
- VeriSign and ICANN square off over the DNS root – Let’s just give it to Dan K. and let him manage it.
- Judge Suppresses Report on Voting Machine Security – Which brings us to why we’re really here.
- Fortify’s paper on e-voting

EFF Challenges Telecom Immunity

I missed including this in the Friday summary. The Electronic Frontier Foundation is challenging the legality of the telecoms being granted immunity for their participation in the NSA’s warrantless spying on US citizens, claiming the executive branch of the government has overstepped its authority. Indirectly they will open the entire program up for scrutiny as well. EFF Senior Staff Attorney Kevin Bankston:

“In our constitutional system, it is the judiciary’s role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive’s. The Attorney General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans.”

Seems to have a point. This is going to be a very interesting and very important fight for personal privacy, as well as an interesting inspection of the close relationship between industry and sections of our government. And this case will be argued in a political climate that has less 9-11 fear and more annoyance with corporations’ misbehavior, so I think the EFF will have traction and we will be seeing this in the headlines for some time.

Three Steps Forward, One Back

What did you think of the new MacBook? I think they are nice, but I don’t want a new one badly enough to upgrade. I bought my MacBook last month knowing full well that they were going to release the new models on the 14th of this month, but the advancements would not be enough for me to wait. Most of the articles & analysis I read were a little harsh, with much of the focus on the price drop, or lack of drop, when I was focused on usability. Maybe they are right, and with the economic slowdown the price reduction is not enough to capture larger appeal and Apple will get hammered. Still, I think this is a nice advancement.

I had seen the leaked photos of the aluminum case, and that looked a lot nicer and more durable than the plastic one; when you travel as much as I do, that seems to be a very nice upgrade. And as has proven to be the case with my aluminum desktop cases, I am sure that the heat loss through the case itself will be valuable in keeping the machine cooler with the faster processors that will be made available in the future. If you have ever over-clocked machines before, you know how much aluminum cases help dissipate heat and improve the lifespan of electronic components.

The biggest problem I have with my MacBook is the mediocre video quality. It’s not just that the graphics card in the current model is under-powered; rather, the color, contrast and sharpness are just ‘Blah’! The new LED backlit display should solve much of this problem. Yeah, the graphics engine is a big boost as well, but really, what hard core gamer is going to use a laptop for a first person shooter? I thought not.

I am going to call the Mini-display port a wash. Why? It will be awesome when attached to the new 24 inch monitor, no doubt about that. But how many MacBook owners are going to buy a $900.00 monitor? If the analysts are complaining the $999.00 price point is too high for the MacBook, doubling the price makes this option miss the target buyer. Nice technology, perhaps not appropriate for the current generation of buyers.

Personally I am glad that the Blu-Ray player was not included in the new MB. This, in my opinion, is the current generation of Laserdisc players. Yes it offers better performance, but few want it. Did you see that only some 8 million Blu-Ray disks have been sold this year? They have sold almost that many Blu-Ray players if you take into account the current generation of Playstations; this is a dismal adoption rate. And if you are like me, you would rather have video on demand, as it seems like a more dynamic & efficient way to get movies and television. And I am not lugging around a Blu-Ray player that will probably be obsolete within months. All of which is in line with Apple’s strategy (http://www.apple.com/appletv/whatson/movies.html).

That takes us to my one disappointment: Firewire. This is how I will hook up my Drobo. This is how I hook up my camera. This is how I update the maps on my Garmin. It’s fast. It’s nice to have the option. Sure, I can get adaptor cables and use USB, but I would have preferred a dedicated port. Removing this was probably not such a good idea, and I wonder if we will see its return in future models.

All in all, I think the MacBook made three steps forward and one back; couple that with a price drop and I say that is pretty darn good!

Your Simple Guide To Endpoint Encryption Options

On the surface endpoint encryption is pretty straightforward these days (WAY better than when I first covered it 8 years ago), but when you start matching all the options to your requirements it can be a tad confusing. I like to break things out into some simple categories/use cases when I’m helping people figure out the best approach. While this could end up as one of those huge blog posts that ends up as a whitepaper, for today I’ll stick with the basics. Here are the major endpoint encryption options and the most common use cases for them:

- Full Drive Encryption (FDE): To protect data when you lose a laptop/desktop (but usually a laptop). Your system boots up to a mini-operating system where you authenticate, then the rest of the drive is decrypted/encrypted on the fly as you use it. There are a ton of options, including McAfee, CheckPoint, WinMagic, Utimaco, GuardianEdge, PGP, BitArmor, BitLocker, TrueCrypt, and SafeNet.
- Partial Drive Encryption: To protect data when you lose a laptop/desktop. Similar to whole drive, with some differences for dealing with system updates and such. There’s only one vendor doing this today (Credent), and the effect is equivalent to FDE except in limited circumstances.
- Volume/Home Directory Encryption: For protecting all of a user’s or group’s data on a shared system. Either the user’s home directory or a specific volume is encrypted. Offers some of the protection of FDE, but there is a greater chance data may end up in shared spaces and be potentially recovered. FileVault and TrueCrypt are examples.
- Media Encryption: For encrypting an entire CD, memory stick, etc. Most of the FDE vendors support this.
- File/Folder Encryption: To protect data on a shared system- including protecting sensitive data from administrators. FDE and file/folder encryption are not mutually exclusive- FDE protects against physical loss, while file/folder protects against other individuals with access to a system. Imagine the CEO with an encrypted laptop who still wants to protect the financials from a system administrator. Also useful for encrypting a folder on a shared drive. Again, a ton of options, including PGP (and the free GPG), WinMagic, Utimaco, PKWare, SafeNet, McAfee, WinZip, and many of the other FDE vendors (I just listed the ones I know for sure).
- Distributed Encryption: This is a special form of file/folder encryption where keys are centrally managed while the encryption engine is distributed. It’s used to encrypt files/folders for groups or individuals that move around different systems. There are a bunch of different technical approaches, but basically as long as the product is on the system you are using, and has access to the central server, you don’t need to manually manage keys. Ideally, to encrypt you can right-click the file and select the group/key you’d like to use (or this is handled transparently). Options include Vormetric, BitArmor, PGP, Utimaco, and WinMagic (I think some others are adding it).
- Email Encryption: To encrypt email messages and attachments. There are a ton of vendors, which are fodder for another post.
- Hardware Encrypted Drives: Keys are managed by software, and the drive is encrypted using special hardware built in. The equivalent of FDE with slightly better performance (unless you are using it in a high-activity environment) and better security. The downside is cost, and I only recommend it for high security situations until prices (including the software) drop to what you’d pay for software. Seagate is first out of the gate, with laptop, portable, and full size options.

Here’s how I break out my advice:
- If you have a laptop, use FDE.
- If you want to protect files locally from admins or other users, add file/folder. Ideally you want to use the same vendor for both, although there are free/open source options depending on your platform (for those of you on a budget).
- If you exchange stuff using portable media, encrypt it, preferably using the same tool as the two above.
- If you are in an enterprise and exchange a lot of sensitive data, especially on things like group projects, use distributed encryption over regular file/folder. It will save a ton of headaches. There aren’t free options, so this is really an enterprise-only thing.
- Email encryption is a separate beast- odds are you won’t link it to your other encryption efforts (yet), but this will likely change in the next couple of years. Enterprise options are linked up on the email server rather than handling it all on the client, which is why you may manage it separately.

I generally recommend keeping it simple- FDE is pretty much mandatory, but many of you don’t quite need file/folder yet. Email is really nice to have, but for a single user you are often better off with a free option, since the commercial advantages mostly come into play on the server.

Personally I used to use FileVault on my Mac for home directory encryption, and GPG for email. I then temporarily switched to a beta of PGP for whole drive encryption (and everything else; as a single user the mail.app plugin worked better than the service option). My license expired and my drive decrypted, so I’m starting to look at other options (PGP worked very well, but I prefer a perpetual license; odds are I will end up back on it, since there aren’t many Mac options for FDE- just them, CheckPoint, and WinMagic if you have a Seagate encrypting drive). FileVault worked well for a while, but I did encounter some problems during a system migration, and we still get problem reports on our earlier blog entry about it.

Oh- and don’t forget about the Three Laws. And if there were products I missed, please drop them in the comments.

Friday Summary 10-17-08

Rich is off to see Jimmy Buffet in southern California and get some R&R, so I have blog duties this week.

It’s briefing season in the analyst community. I probably should not be surprised, given we typically launched our PR tours this time of year with my previous employers, but even Rich has been a little surprised by the volume of discussions. We have been in full swing with a packed calendar during the last couple of weeks, and it shows no sign of letting up through November. If I am a little slow returning your email in the morning, that is why. And I have to admit it is more interesting being on the receiving end of the equation than delivering the same information 100 times. The breadth of technologies and companies is very exciting, for me at least, and as a result I am digging deep into a number of technologies I have not had a chance to play with while working for a vendor. I have been seeing a lot of solid advancements from several companies, so that makes the calls interesting as well.

Following up on last week’s comments, the OS X Server Wiki/Blog software we switched to internally has been great for us. For a small team like ours, the ability to collaborate and keep information centrally has been a great convenience, as we can work independently yet still catch up on what the other is doing by scanning the internal blog and wiki. Easy to use, and still more functions than we really need at this point. Highly recommended!

The Drobo Rich ordered looks very, very cool … yes, I am jealous. Given the number of photos I have been taking, I think I am going to order one as well. Going to hook it up between the iMacs via Firewire. I will keep you posted.

On a personal note, I was watching IronMan last night on DVD. Great movie. But how many of you saw the movie trailer with Samuel L Jackson at the end? No? Surprised the heck out of me that after the credits have finished, there is a little teaser where no one … practically no one, would see it. Pretty cool!

Oh, and Rich may have seen two coyotes in the park near his house, but I have discovered a ‘family’ of tarantulas living on my back porch. We were having drinks on the patio when this 7 inch fuzzy spider cruised by us a few nights ago. Last night a couple of smaller ones were climbing the wall about 10 feet off the ground, as if gravity simply did not apply to them. They are fascinating to watch.

Webcasts, Podcasts, and Conferences: Nada this week for me.

Favorite Securosis Posts:
- Rich: Your WPA-PSK Wireless Network is at Risk … If You Are An Idiot. Processing capacity is cheap and plentiful, and this is a new use for idle resources, but nothing more. Weak passwords are weak passwords.
- Adrian: Real life three stooges star in ‘Credit Card Craziness’.

Favorite Outside Posts:
- Adrian: Over on the Network Security Blog, Martin has an excellent post on a topic that should get far more attention than it does: Why Is Your Company Storing Credit Card Numbers?
- Rich: Hoff continues to be ahead of the curve on developments in the Virtualization Security space, as well as coverage of the VMWare acquisition of BlueLane. VMWare may not have hired the Hoff, but they seem to be taking his advice.

Top News:
- The Obama-McCain debate was Wednesday night. High definition television was not kind to John McCain.
- Stocks continue to fluctuate, with a nice early week rally as many investors ‘double-down’ on the firms they have confidence in.
- Oracle released their big fall patch update. BEA users take note!
- Did you hear? We are at risk of entering a recession! Really, I could not make this stuff up!

Blog Comment of the Week: Jim Hietala’s comment on my “Will Database Security Vendors Disappear” post:

I don’t know that database security market all that well, but it strikes me that all of the points you made can be applied to every individual security segment, including NAC, endpoint security, DLP, e-mail security, and on and on. Certainly the trust one applies to all, breadth of function in most cases applies, and too many choices I think does as well. Doesn’t bode well for the health of the security start-up market in the next couple of years.

No Securosis company meeting this week, so I am off for a little recon work. More on this later.

Will Database Security Vendors Disappear?

Rich and I got into a conversation Friday about database security, and the fate of vendors in this subsegment, in light of recent financial developments. Is it possible that this entire database security sub-market could vanish? Somewhat startled by the thought, we started going down the list of names, guessing who would be acquired, who was profitable, and who will probably not make it through the current economic downturn without additional investment- it seems plausible that the majority of today’s companies may disappear. It’s not just that the companies’ revenue numbers are slowing with orders being pushed out, but the safety blanket of ready capital is gone, and the vendors must survive a profitability ‘sanity check’ for the duration of the capital market slowdown. And that becomes even harder with other factors at play, specifically:

Trust. The days of established companies trusting the viability of small security startups are gone. Most enterprises are asking startups for audited financials to demonstrate their viability, because they want to know their vendors will be around for a year or two. Most start-ups’ quarterly numbers hinge on landing enterprise clients, with focused sales and development efforts to land larger clients. Startup firms don’t keep 24 months of cash lying around, as it is considered wasteful in the eyes of the venture firms that back them, and they need to use their money to execute on the business plan. As most startups have financials that make public company CFOs gasp for breath, this is not a happy development for their sales teams or their VCs alike.

Breadth of function. Enterprises are looking to solve business problems, and those business problems are not defined as database security issues. Enterprise customers have trended towards purchasing suites that provide breadth of function, which can be mixed and matched as needed for security and compliance. The individual functions may not be best of breed, but the customer tends to get pieces that are good enough, and at a better price. Database security offers a lot of value, but if the market driver is compliance, most vendors offer too small a piece to assure compliance themselves.

Too many choices. I do this every day, and have been for almost 5 years. It is difficult to keep up with all the vendors- much less the changes to their offerings and how they work- and get an idea of how customers perceive these products. Someone who is looking at securing their databases, or seeking alternative IT controls, will be bombarded with claims and offerings from a myriad of vendors offering slightly different ways of solving the same security problems. For example, since 2004 (or their more recent inception) I have been tracking these companies on a regular basis:
- Application Security Inc.
- Lumigent
- Imperva
- Guardium
- Tizor
- Secu o
- Sentrigo
- NGS
- Embarcadero (Ambeo)
- Symantec
- Quest
- IPLocks

And to a much lesser extent:
- Phulaxis
- Idera
- DBi (Database Brothers)
- Nitro Security (RippleTech)
- SoftTree Technologies
- Chakra (Korea)
- Performance Insight (Japan)

For DB security product vendors, there are just too many for a $70-80M market subsegment, with too large a percentage of the revenue siphoned off by ancillary technologies. Granted, this is just my list, which I used to track for new development; and granted, some of these firms do not make the majority of their revenue through sales of database security products. But keep in mind there are a dozen or so IDS/SIM vendors that have dabbled in database security, as well as the database vendors’ log analysis products such as Oracle’s Audit Vault and IBM’s AME, further diluting the pool. There have been services companies and policy management companies who all have claimed to secure the database to one extent or another. Log file analytics, activity monitoring, assessment, penetration tests, transactional monitoring, encryption, access control, and various other nifty offerings are popping up all the time. In fact we have seen dozens of companies who jump into the space as an opportunistic sortie, and leave quickly once they realize revenue and growth are short of expectations. But when you boil it down, there are too many vendors with too little differentiation, lacking implicit recognition by customers that they solve compliance issues.

Database security has never been its own market. On the positive side it has been a growing segment since 2002, and has kept pace almost dollar for dollar with the DLP market, just lagging about a year behind. But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those who earn most of their revenue from other products or services may be immune, but DB security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire sales, or bankruptcy, depending upon how and when they act. Rich will give his take tomorrow, but although both of us believe strongly in the value of these products, we are concerned that the combination of market forces and economic conditions will really hurt the entire segment.

My Take On The Database Security Market Challenges

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual dribble us analyst types get all hot and bothered about, when he dropped the bombshell that one of our favorite groups of products could be in serious trouble. For the record, we hadn’t started happy hour yet. Although everyone on the vendor side is challenged with such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal. Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try and keep this concise. Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these bits has different buying cycles, and in some cases, different buying centers. Users aren’t happy with the complexity, yet when they go shopping they tend to want to put their own car together (due to internal issues) rather than buy the full product. Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there’s a short term compliance mandate. Long cycles are hard to manage in a tight economy. It isn’t a threat driven market. Sure, the threats are bad, but as I’ve talked about before they don’t keep people from checking their email or playing solitaire, thus they are perceived as less. The tools are too technical. I’m sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren’t drop in boxes, and that’s another reason buying cycles are long.
I’ve been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them. They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don’t hit that checkbox or clearly save money, getting a sale will be rough. Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when products aren’t as directly competitive (or capable) as the smaller vendors. Better or not, as we continue to drive towards “good enough” many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line). There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren’t looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven’t heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don’t seem overly interested. It’s all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high, and sales cycles too low, I won’t be surprised to see some companies dumped below their value. IPLocks, for example, didn’t sell for nearly its value (based on the numbers alone, I’m not even talking product).
There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble. I’m not kidding, I really hated writing this post. This isn’t a “X is Dead” stir the pot kind of thing, but a concern that one of the most important linchpins of information centric security is in probable trouble. To use Adrian’s words: But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those that earn most of their revenue from other products or services may be immune, but the DB Security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire-sale or bankruptcy, depending upon how and when they act.

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.