Incites Redux - June 21, 2006

Submitted by Mike Rothman on Wed, 2006-06-21 09:11.
Security Incite

Good Morning:
The next three Incites to tackle are content security, security management and services. I remain pleased with my thinking back in January. Basically for making a bunch of stuff up (given I wasn't fully engaged in research until I started Incite), much of my thinking has turned out pretty close. Just goes to show, luck and experience are pretty effective tools for soothsaying in the security space.

In the classics section today, I point back to some of my coverage and analysis around mergers. In the security space, we see a lot of that, and it will continue. So understanding the impact to customers and to the vendors themselves is pretty important. I think the 3 posts I pick do a good job at describing my views on the topic.

Finally, I want to point you towards a rant that I just couldn't stop from writing. I do like to stay pretty quiet during vacation, but when I saw Alex Eckelberry's post on Microsoft's predatory security pricing, I just couldn't help myself. This kind of alarmist crap doesn't add to the conversation and someone needs to call him out on it. Check it out (http://securityincite.com/blog/mike-rothman/predatory-pricing-paranoia).
 
Have a great day, looks like it'll be another tough day at the beach for me.

Incite #7: Bad Content is Bad Content

Given “innovation” by spammers and fraudsters, keeping content filtering algorithms accurate and timely is proving very difficult for content-focused security vendors. In 2006, heuristics-based detection cocktails fall out of favor, pushing the pendulum back towards signatures that favor entrenched AV vendors. Users increasingly embrace “in the cloud” content filtering for e-mail, IM, and web traffic because it allows them to get rid of another box in the perimeter and stop worrying about exponentially increasing message volumes.

6-month grade: B+

For the most part this Incite (link here) is right, and what is not right actually doesn’t matter. So I want to thump myself in the head for hinging part of the Incite on technology – instead of focusing on the customer need and the user experience. The grade would have been an A if I didn’t try to get cute and show everyone how much I know. Doh!

Spam remains a problem and the pendulum is swinging back towards the bad guys. I have many contacts in the email security world and the market (at least in the enterprise segment) has become a zero sum game. Spam detection effectiveness is down, customers are pissed, and it seems that enterprises swap horses every two years or so. Of course, the new product is not any better – but it makes frustrated email administrators feel good and lets them point the finger at the now displaced incumbent.

It is also clear that services (or dealing with content in the network) is an interesting alternative for both small and large companies. The leading managed content providers are now substantial companies (like MessageLabs and Postini) and Microsoft will figure out what to do with FrontBridge in the short term. Of course, there are literally minimal switching costs between services, so we’ll see the same type of user defections in the services space as well. What we won’t see are folks moving to services that eventually go back to an appliance. The cost to do so would be significant. That’s why the services folk will continue to take share from the appliance vendors for the foreseeable future.

The signature vs. heuristics debate is useless and again, 6 months later I’m pissed I even brought it up. Customers want content security to be “set it and forget it” and could care less about signatures, heuristics, etc. Like “Losing the Religion” in the Perimeter Defense security space, the answer is all of the above.

Incite #8: Security Management (oxy)Moron

Stand-alone security information management (SIM) plateaus in 2006, as consolidation continues and the need for large-scale system integration makes acceptable “time to value” out of reach for all but the largest enterprises. Closed correlation systems increasingly take root as users swing towards homogeneity and ratchet back expectations on which devices really need to be integrated into the management system, while leveraging the reporting infrastructure for compliance purposes.

6-month grade: A

I still hate SIM, and it seems that the market does too. The SIM vendors continue to struggle, and most of the infrastructure vendors are pushing for their own “poor man’s SIM” by taking all the data they gather and generating a nice report. This Incite (link here) was right on the money (though not very popular initially).

So does that mean that management is not a problem anymore? Of course not. But customers still struggle to find useful solutions to solve the problem. And when customers are confused, they tend to do nothing. And that’s what they are doing.

What about these “closed correlation systems?” That’s happening too, largely driven by Cisco’s marketing muscle pushing its MARS product. It integrates data from Cisco devices and if you are mostly Cisco (like a pretty large portion of the world), then MARS makes sense. There are other folks looking to aggregate data from heterogeneous devices and remediate (like Sourcefire and Q1), so that is the way most customers are looking at the problem.

Finally, I didn’t see the log management market happening in January, but it’s here. Many of the SIM vendors are trying to re-position in this space, and for one or two it may even work. But there will be the inevitable consolidation here as well, but more likely with systems management vendors (IBM, HP, CA) or storage folks (EMC, NetApp) breaking out the checkbook as opposed to Big Security. The main buyer for Log Management is the compliance guy, not the security guy – making it more of a systems management/storage discipline over time.

Incite #9: Services

Managed Security Services provide increasing value in terms of both operational capabilities and content filtering. Users realize that removing threats “in the cloud” provides better bang for the buck for mature technologies (firewalls, IPS, anti-spam, gateway AV, web filtering). The biggest challenge in 2006 will be integrating operational and reporting capabilities across internal and MSS spheres of control.

6-month grade: B+

Since many of the larger managed security services vendors predominately do content security, there is a lot of overlap with the “Bad Content is Bad Content” Incite. Traditional MSS (firewalls, IDS) continues to grow, but not at an interesting pace. Customers have a mind-numbing array of choices for MSS, and I don’t think that helps the decision process. The initial discussion of this Incite is here.

What we see in that space is really a congested, brutally competitive market with a number of different vendor factions. Big security built or bought MSS players a few years ago, but with the exception of ISS – security services continue to be a rounding error. CyberTrust remains by far the largest pure-play, and if they can generate consistent profitability, they are probably an IPO candidate over the next 18 months.

Smaller independents (Counterpane, SecureWorks, LURHQ) continue to show modest but consistent growth, which is a feature of their monthly billing-based business model and vertical market specialization. You’ve got carriers that are increasingly trying to go horizontal to the SMB market with MSS, but they don’t really understand security. Finally, you have a large group of security VARs that are tired of getting squeezed by security product vendors and now are looking at MSS as a way to build an annuity stream. So, go figure, but customers are confused.

In terms of the demark points between the MSS and internally managed systems, I perceive not a lot of progress has been made on this front. But candidly, I haven’t heard of this being a huge problem at this point and it should be. So that convinces me that MSS is still being used surgically (get your scalpel, cut the function out and send it somewhere else), as opposed to a logical extension of a security management environment.

Classic Security Incite Rants

No Deal: Check Point/Sourcefire is kaput
The day I posted this analysis on the impact of the inability for Check Point to close the Sourcefire deal generated the most web site hits on securityincite.com, so this piece clearly touched a nerve. It should have: it both highlighted the strategic issues that Check Point is having and was a precursor to other meddling in security deals by governments around the world.
http://securityincite.com/blog/mike-rothman/no-deal-check-point-and-sourcefire-is-kaput

Are acquisitions good for customers?

Given the number of deals we see in the security business, it always makes sense to look at it from the customer's perspective. Are deals good for customers? Do they add value? Or is it just about moving financial assets around?
http://securityincite.com/blog/mike-rothman/are-acquisitions-good-for-customers

Understanding the Opportunity Cost of a Deal Gone Bad
Staying on the topic of deals (and those that didn't get over the finish line), this piece highlighted some of the impacts to the participants when a deal went south. Check out the comments section on this post as well because Richard Stiennon weighs in with a very insightful perspective that completing a bad deal is much more expensive than killing it.
http://securityincite.com/blog/mike-rothman/understanding-the-opportunity-cost-of-a-deal-gone-bad


Submitted by Call Cruncher (not verified) on Wed, 2006-06-21 11:27.
Thanks for all the great information. I am new to your blog and so far I love what I see. I look forward to your future posts.
