October 26, 2006 - #143

Good Morning:
Overcast Thursday. Not as overcast as in St. Louis, where it's not clear they are ever going to finish the World Series, but overcast nonetheless. Makes me want to go back to sleep. But there are presentations to finish, blog posts to catch up on, customer deliverables to get done, and world domination to plot. So there will be no sleep til Brooklyn at Incite Central.

In security-land, we have earnings and deals aplenty. Symantec, SonicWall and SafeNet all announced yesterday and the news was mostly good (here). Symantec didn't beat the numbers by enough, so their stock will suffer a bit. But it seems they are executing better (they couldn't execute much worse), and the scale and leverage of their business is becoming apparent. Vasco is no longer "the authentication company" since they now have a UTM platform after buying a few Belgian guys, a coffee maker, some Aeron chairs and a UTM product for $6 million (here).

I'd also be remiss in not pointing out another technology that is now pervasive enough to cease being a differentiator (here). Pretty much every email security vendor has a reputation service now and since many of these players also have other perimeter devices, you are seeing reputation bleed into all sorts of security technologies. It was a novel idea back in 2004, but not so much now. At this point, customers will be asking why you DON'T have reputation, if you haven't done the obligatory reputation press release.

In blog-land, I need to swim upstream a bit about the Counterpane/BT deal (here). I don't think it was a "fire sale." How is 2x revenues for a slow growth services company a "fire sale?" For a product company, yes - 2x sales is a bad deal, but not for services. The economics are just different. I also delve a little into taking positions on incomplete data (here), since the Mogull got taken to task for making a statement about the number of zero day attacks. There are people that are comfortable taking positions based upon a few data points, a dose of gut feel, and a ton of experience. There are also people that are not. The latter camp shouldn't become analysts because you'll never have enough data to meet a customer's timeframe. By the time you do, the decision is in the rear view mirror.

Have a great day.

Technorati: Information Security

Top Security News

Earnings: Symantec, SonicWall, and SafeNet
So what?- The Security S's announced earnings yesterday, and all were at or above Wall Street expectations. Symantec met expectations, but was expected to beat them, but they had problems in EMEA. SYMC showed strength in consumer and the VERITAS business is picking up. Of the $1.2 billion in revenue, they did 280 deals over $300k and 66 deals over $1 million. Many of those large deals were multi-product deals, so their sales force is figuring it out. But the stock will be down today because they just met the number. SonicWall showed about 33% growth from 2005 to $45.2 million in the quarter. They are starting to see contribution from the backup (Lasso Logic) and email security (MailFrontier) products they bought in 2006, expecting about $5 million in the upcoming Q4. Finally, SafeNet showed 22% growth from 2005 and did $76.8 million on the top line. There is still the options backdating investigation going on, so the numbers were preliminary, but the new management seems to be keeping the ship moving. We'll see how things go over the next two quarters to figure out if that's really the case.
Symantec (here), SonicWall (here), SafeNet (here)
Link to this

Deal: Vasco goes UTM
So what? - In addition to announcing their quarter (here), Vasco has acquired a Belgian UTM software company called Able, NV. Right, I've never heard of them either. But they are Belgian, so the Vasco folks a minimizing relo for the personnel. Reality is, if you aren't buying installed base, you may as well just get some technology and not pay a lot for it. Vasco paid about $6 million for the company and they did about $1 million in revenues. The real question is whether Vasco's channels will know what to do with a UTM product. Authentication and perimeter defense are related (typically the authentication product must interoperate with the firewall/VPN), but usually bought at different times by the customers. Secure Computing is the only other player in authentication to also have a UTM platform, so we'll see how that works out. It's also interesting to see Vasco move in the direction of more traditional security, as opposed to acquiring something more established in the next gen authentication space. I'm a fan of focus, so I'm not sure this deal makes sense to me, especially since Vasco's tag line is "the authentication company."
http://www.vasco.com/about/press/fullstory.html?press=449
Link to this

Low and slow gets the money
So what? - The recent E*Trade and Ameritrade hacks (which cost on the order of $20 million to E*Trade) showed a new type of attack on the online brokers. There was lots of tech trade coverage, but I found this article on the Motley Fool, which I thought did a better job of summarizing the attack and the motivations of the hackers from the customer's viewpoint. What's different now is that these brokerage account attacks are not about milking your account dry, it's about pumping and dumping micro-caps. So basically it eliminates the need to launder the money that is taken from an account. If the hacker gets access to your account, they sell some stuff and then buy some of their manipulated stocks in your account to drive the price up. Then they sell at the higher price and it's all good for them. So how do you stop it? Basically they are getting account logins via 0wn3d machines. So it's the same old, same old. Anti-spyware, AV and don't fall for a stupid phishing attack. But it is interesting to see how the back end crimes are evolving.
http://www.fool.com/news/commentary/2006/commentary06102503.htm
Link to this

Reputation is no longer novel
So what? - Back in 2004, sender reputation was pretty novel in the email security space. Most vendors were relying on some kind of cocktail of various techniques to figure out if email was spam or not. Then evaluating the type of mail sent by IP's around the world was added to refine the mix. Why? Because IP addresses that send spam are more likely to send more spam. So you can make a pretty good guess about a sender based just on their IP address. No it's not foolproof, but it's pretty good. IronPort and CipherTrust (my former employer) were early to this game. But now everyone's got one. Symantec never really branded theirs, but it's there. Borderware announced theirs back in May, and now CommTouch (which provides the spam engine for a lot of email security gateways out there) has one too. So this is no longer a differentiator and you need to wonder how much longer folks like Proofpoint can stay in this business without having one. Here's the other kicker, it's all marketing. You can't really know which reputation system is better. It would be ill advised to make a decision entirely based on reputation. The effectiveness of these services is based on how the data is combined with everything else to determine if a message is good or bad. So put a list of IP addresses in an Excel spreadsheet and track how many messages they send. Now you've got reputation.
http://www.commtouch.com/Site/News_Events/pr_content.asp?news_id=773&cat_id=1
Link to this

Revisiting the firewall architecture
So what? - Don't firewalls just work themselves at this point? Gosh, the technology has been around for over 10 years, you figure you wouldn't need to continue "architecting" a firewall implementation. Plug and play, no? Of course not, life is never that simple though many of us just take for granted that the firewall is there, configured correctly and protecting us from the attacks that don't come over port 80 or 25. This article on TechTarget's new SearchSecurityChannel (disclosure: I'm a contributor to SSC) goes through some of the firewall issues. Choosing a firewall, figuring out how to deploy it, and auditing activities are all part of the mix. If you are a VAR, this is a good reminder of the stuff you probably do every day. If you are a user, you should be looking at this stuff, even if you have VARs do most of the work. Remember, the educated customer is the best customer.
http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1220368,00.html
Link to this

Top Blog Postings

AV is not a failure
But it ain't the cat's ass either. Over here at the anti-virus rants blog, Kurt Wismer makes a couple of good points. People believe AV is a failure because it doesn't catch everything. To be clear, nothing catches everything. AV is good at what it's supposed to do, which is catch the things we already know about. The AV vendors make all sorts of noise about heuristics and zero-day attacks, but the reality is you use AV (and should continue using AV) because it does a good job at catching the stuff we know about. You need other defenses for the stuff we don't know about, but I'm with Kurt here, AV as a technology is not a failure. Once again, it's about mismatched expectations. The AV vendors claim their products do everything, and clearly they don't. So that's more of the problem than anything else.
http://anti-virus-rants.blogspot.com/2006/10/myth-of-avs-failure.html
Link to this

Why was Counterpane a "fire sale?"
I've seen the term fire sale used a number of times referring to the Counterpane/BT deal. Firstly, if any deal under $50 million is considered a fire-sale, then I get it. But there are lots of deals in that range that are clearly not fire-sales (like Meetinghouse/Cisco). I look at things from the standpoint of deal size to revenues ratios. Counterpane was allegedly doing about $20 million a year and they sold for about $40 million. For a slow growth services company, I think 2x revenues is fair. Unless they were out of money and had to sell in distress (which I don't think was the case), this is not a fire-sale, but rather an exit for a company that wasn't going to be able to compete on their own. A lot of folks have also bandied about the fact that Counterpane's investors put up close to $80 million over time. So what? They started investing before the bubble and did at least one recap. That pre-2000 money is gone, flushed down the toilet like many VC investments. Actually what's really behind this is posturing (Shimel's post here). Anything at a "fair" valuation has got to be a fire-sale because many security start-ups are banking on getting 6-8x revenues. It's bad to see companies like Preventsys and Counterpane go for much less because it hurts valuations across the board. Just call me Columbo...
http://episteme.ca/cblog/index.php?/archives/79-Counterpane-Fire-Sale.html
Link to this

Winkler on ethics
Ira Winkler writes a pretty thought provoking column here for ComputerWorld about ethics and it's place in a security awareness program. I actually hadn't thought much about whether security awareness is about security or if it's more generally about doing what's right. I can see Ira's point that to be effective communication vehicles need to be focused and not deal with extraneous stuff (especially ratholes like ethics). Ultimately one of the things I advise to be in a security awareness training is a bit about the company's security architecture and usage policies. Why? because I want the employees to know that I can (and do) watch what they are doing. If they know I know whether they are doing BitTorrent or downloading music, they may not do it. Some will be stupid and you make an example of them. But a big part of security awareness is ensuring employees don't do stupid, unethical things. If they know I'm watching, that is a deterrent.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004387
Link to this

Data vs. gut feel
At times analysts make statements based on a combination of feel, intuition, and experience. Some people don't get that. The Mogull had a case in point after Dr. Anton takes him to task for saying there are aren't many true zero day exploits. How do we know? Well we don't have blood flowing through the streets, so therefore Rich must be right and he is, sort of. I also suspect that many zero days are now being used to own machines, as opposed to take down networks. So whether an attack is a zero day, or a known attack that a bozo hasn't patched, the end result is the same, no? The machine is compromised. But let's get back to Analyst 101. A position based on anecdote and a few data points doesn't make it wrong. It's just hard to prove, so you can't beat back skeptics with reams of data as they would like. Guys like Rich and I get paid to take positions on incomplete data. Customers rely on our experience and skills to help them understand what's going on. Of course, sometimes we are wrong, so analysts need to be flexible enough to adapt positions in the face of more contrary datapoints, but that is part of the game. 
http://securosis.com/2006/10/25/how-i-know-there-are-very-few-true-or-less-than-zero-day-exploits/
Link to this

Recently on the Security Incite Rants Blog

OHMYGOD - Sourcefire to IPO
Wonders will never cease and a security company may go public. Not seen since 2001 when Netscreen initially went public, Sourcefire filed an S-1 yesterday to start the process. Of course, this could be a tactic to get some movement from potential acquirers (like Brightmail and Sybari). Only time will tell on that. Taking a quick look at the S-1, I reveal Sourcefire's revenue and earnings numbers and the holdings of some of the major investors (and founder). Coming off the heels of what looks to be a pretty strong Q3 in security-land, it would be another indication of market health if Sourcefire can get the deal over the finish line early next year.
http://securityincite.com/blog/mike-rothman/ohmygod-sourcefire-to-ipo

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-10-25