Incite Redux - July 11, 2007

Submitted by Mike Rothman on Fri, 2007-07-06 09:46.
Security Incite


Good Morning:
Day 3 off the grid. Odds are I spent a good portion of the night shaking and quivering from Blackberry withdrawal. I guess you need to experience the fact that you can live without your Crackberry for a week, that the world will go on, and that your business will actually be there when you return. It's hard to do, but cold turkey is the right way to go about it.

Sure, Monday and Tuesday when I return will be painful. Probably a couple thousand emails to delete and even more feeds to sort through. I also figure there will be some collateral damage. I probably won't look through every press release on Business Wire for the week. I doubt I'll read all those wacky posts on TechCrunch talking about start-ups I probably don't care about.

And I will survive. I'm pretty sure I will anyway.

Have a great day.

Incite #5: You (Mal)ware It Well

The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million-bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

Read the original Days of Incite post on this topic.

6-month grade: B+

The first half of 2007 has been all bots, all the time. Of course, the FBI’s bot eradication efforts don’t hurt in getting the problem acknowledged, but we are not any closer to getting an answer. Cut the head off one bot master and 3 others are there to 0wn the machines. There are still stupid users clicking on things and getting 0wned. That is still a problem and the industry education efforts are sucking wind.

It makes a guy like me think about taking some action - not because I want to - but because everything else educational out there just sucks.

Even worse, many of the entrenched endpoint security suite vendors are working hard to make everything seem OK, even though it’s not. What does that mean? It means they are doing everything to protect the sacred cash cow, while not really addressing the problem. A case in point is the announcement of Symantec’s Anti-Bot offering, which is just an OEM of Sana’s behavioral detection product.

Why not integrate that functionality directly into Hamlet or Norton 360 or whatever they are calling the cash cow nowadays? As always, it gets down to money. They think they can sell customers another SKU to solve the problem their big, fat-ass suites are supposed to. They are wrong. But like McAfee with SiteAdvisor Plus, customers that go “BOO” will get the product bundled in.

The other factor that will play heavily into these market dynamics is the increasingly brutal competitive landscape. There are lots of aggressive folks that can be marginally successful and still build $100 million businesses. Yes, the AV market is that big.

And don't forget our friends in Redmond. Microsoft just shipped their first foray with Forefront and they’ve already talked about what will be next, which looks an awful lot like McAfee’s ePO and Symantec’s Hamlet. This is not a good sign for the incumbents. It took Symantec 5 years to figure out that a management console was important. Microsoft figured that out in one. Go figure.

Why isn’t this Incite an A? Because the ISPs just suck. They have shown no interest in fixing the bot problem and continue to ignore the fact that folks like Verizon and Comcast are the biggest spammers out there. Not them, but the bots that run on their networks. Recently I found that Comcast has blacklisted Yahoo’s domain, so I couldn’t send a personal message to my neighbor via my Yahoo! mail account. That’s not the answer, sports fans. But until either someone mandates it (like the Feds) or carriers figure out how they can make money, bot eradication is not an interesting business.

But clearly bot farming is a great business, so we are still going to see the problem get worse before it gets better.

Incite #6: Patching the Leaks

More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

Read the original Days of Incite post on this topic.

6-month grade: A

Another day, another data breach – or so it seems. This has resulted in a lot of folks flapping their lips about data leak prevention, but it’s still very early. Lots of big companies are kicking the tires or doing initial deployments. Of course, until all the flanks are covered, the DLP solution doesn’t really solve the problem. Data will continue to walk out of the building. I guess the hope is that you actually know about it.

There also seems to be some pushback on laptop encryption. This market has developed in a traditional fashion. You get about 30% of the market adopting quickly, just to do something. Everyone thinks every company is going to buy something within the next 6 months. They are wrong because the rest wait it out. They figure the hype starts to die down, they haven't been exposed, so they are in the clear. Waiting has been a pretty good solution for lots of organizations. I suspect we are in the waiting period for laptop encryption.

Of course, that didn’t stop Check Point from spending a crap load of money on PointSec, just in time for the market to stutter a bit. My spies are telling me there are channel integration issues, but over time the more fundamental problem is that disk encryption is not a stand-alone solution. The sooner Check Point can just bundle it with the Integrity client, and the other Big AV vendors get their own widgets to solve the problem – the better it will be for customers.

It’s also still early for stand-alone DLP offerings. There is a lot of activity in the market space, but I suspect not a huge amount of buying. I think that market will grow significantly this year, but it’s still relatively small. 100% growth on a small number is still a small number. Three years from now, it's a big number - but not in 2007.

But DLP is clearly a solution that every company needs. It’s just a matter of how they deploy it. My recommendation is to focus on figuring out WHAT needs to be protected first, and then worry about how you are going to protect it. Most folks don’t realize that leak prevention is a process issue that is assisted by technology, NOT a product that you buy to make the problem go away.

Which shouldn’t be surprising, because most of security breaks down into process and education problems, not really technology problems.