The Daily Incite - August 15, 2007

Submitted by Mike Rothman on Wed, 2007-08-15 05:39.

August 15, 2007 - Volume 2, #120

Good Morning:
Deals deals deals. Kind of reminds me of the famous Motley Crue song (and album), Girls Girls Girls. If I had a creative (or funny) bone in my body, I'd do a parody of the song about the frequent (and usually low-priced) deals that we are seeing in the security business. Not sure if Stiennon calls this consolidation or erosion, but it's happening with increasing frequency. It's a logical outcome given the funding fiesta that everything security got from the VC lemmings 2-3 years ago. Now many of these companies can't get more funding, but they've built some interesting technology - so they do a fire sale to salvage something.

When you have 800 security companies - about 600 of which never should have been companies - chasing the same 1000 enterprise customers, there can be no other outcome. So what do you do if you are one of the few that actually bought something from one of these fire sale candidates? Basically, look for Plan B. You can be hopeful that maybe the acquirer will still support the technology (not if you were a Caymas customer, though) for a certain amount of time. But that may not even happen, or not at the level that you need for an enterprise-class device.

Even if the acquirer does the right thing, a lot of times smaller companies get lost within a bigger entity. They don't understand how to fight for resources, haven't yet figured out the go-to-market model of the new shop, and basically have no idea which way the bubbles are going. All in all, that's why most deals end up on the junk pile of history.

Again, that's why you need to look at Plan B. There are a few cases where a deal works out for the customers of the acquired company, but that's pretty rare. Yes, it's sad - but it's also true. You are better off digging out the folder of alternatives from when you selected the first vendor and seeing if they'll do some kind of buy-back on your kindling. For those left standing, there is still value in a growing customer base. Keep in mind there are no awards for staying with the ship to the bottom of the ocean.

I guess there is another alternative when you can't get any more funding and you need money. You can go public like NitroSecurity. Their income statement showed a loss of about $10 MILLION on revenues just over $2 MILLION. You can check out the S-1, if you want to laugh a bit. I don't think friggin' Houdini could pull this deal out of a hat, but they are going to try. Bully for them. Good thing I don't invest in any companies that I could potentially cover; this one seems pretty tempting. Almost as tempting as an intimate night with Patient Zero.

On that fine note, have a great day.


The Pragmatic CSO: Available Now!
Read the Intro and Get "5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

OHMYGOD, a breach does cost some money
So what? - I guess TJX just reported their earnings (hat tip to Josh Jabs on a private mailing list for pointing this out). Guess what? Earnings were hurt because of costs to clean up the breach. Hmmm. That's interesting. Maybe now it will start to hurt TJX's market cap because now their results are suffering. I think the Security Value Destruction meter has some legs, folks. Between the costs of the clean up and the inevitable market cap hit because of reduced earnings, there is a real financial impact. The fact is retailers have already gotten the message and that vertical is becoming easy pickings for security vendors. Everyone else, not so much. But if you take credit cards you need to take PCI seriously. We'll see whose number comes up next and we can start counting some more security value destruction. I guess being one of millions who were impacted has eroded my empathy for those folks.

The Price is Right, but can you spin the wheel?
So what? - Personally, I think Drew Carey is a great choice to succeed Bob Barker on The Price is Right. He's funny, but hopefully he'll let the dogs keep their balls at the end of each show. This article on SearchSecurity posits that open source security stuff is appropriate for SMBs. I'm not so sure, even though the price is right. Most SMB technologists aren't really technical at all, and they have LOTS of stuff they are responsible for. So why not get a piece of software that they have to figure out and load onto their own hardware, keep up to date, and occasionally debug? Fits an SMB like a glove, no? That being said, for those technically astute practitioners who just happen to work for an SMB, open source is a decent alternative. But in my experience, those folks are few and far between. Most SMBs should layer their defenses by buying an $800 perimeter security toaster (I mean UTM box, which probably does use open source, but SMB users don't know that), using an anti-spam service, and implementing an integrated desktop suite. Oh yeah, don't forget to pray a lot.

Deal: Just call it Zenforce
So what? - What is it with companies that end in "force" having to do a fire sale? I guess the force was not with them. To be clear, I don't have specific details about how much Novell had to pay to acquire Senforce, but it couldn't have been much. Senforce had been on the market for quite a while, with no takers. Again, I find it pretty interesting that big security wouldn't look to bolster their endpoint agents with some technology that evidently works. Perhaps they didn't get the memo that actually managing the endpoint, as opposed to doing whatever it is that AV does nowadays, is pretty important. Anyhow, Novell had done an OEM deal with Senforce a while back and the technology does add value to its ZenWorks systems management stuff. I think it's also funny that a lot of the brain surgeon trade press called Senforce a NAC vendor. Guess they couldn't take the time to search Google to find out who actually provides their NAC technology.

The Laundry List

  1. Another database security review gets rollin'. Network Computing likes Guardium's box. - Network Computing Review
  2. NAC debate podcast. See what happens when you put me in the ring with some vendors trying their best to toot their own horn. Horn meet Mr. Wet Blanket. - Shimel's podcast
  3. What's Russian for big money? Kaspersky on the path to go public. Maybe they can get NitroSecurity's underwriters. - Naraine blog
  4. This is worth $30K per year? Amrit finds the G security blog for all to peruse. Until they block the page anyway. Man, you guys get a great deal on the Daily Incite. - Amrit's blog

Top Blog Postings

You don't even want to know my passwords
Big M on Shostack's Emergent Chaos blog pokes a little fun at a password generator that uses some choice words but decides that a fixed password format makes sense. Even 80 million choices is a lot to break using a brute force attack. By the way, if you allow 80 million failed authentication attempts, you probably shouldn't pass Go! But what about the profanity? Considering earlier in my career I was known as the "cursing guy" in more than a few tech newsrooms, I have been known to let a few F-bombs fly from time to time. But should it be a password? I don't much care what folks use as their passwords. If they string two or three curse words together to get about 15 characters (maybe one that starts with an F, then comes a P, then a B) you end up with a pretty strong password that you are unlikely to forget. That's got to be easier to remember than MyPaSSw0rdSuxS.
http://www.emergentchaos.com/archives/2007/08/obscenities_in_passwords.html
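The two numbers in that item (80 million generator choices, and the failed-attempt budget an attacker gets before "Go" is denied) are what actually decide whether online brute force is a threat. The following is an added example, not code from the original post or from the Emergent Chaos article: it sizes the guess space, then implements a simple per-account lockout and shows how few of those 80 million guesses an online attacker gets to try. The 80 million figure comes from the post; the 5-failure threshold, 15-minute window, 100 guesses/second rate and the 5000-word passphrase list are constructed policy and illustration values, not anything the article states.

```python
import math
from collections import defaultdict

# From the post: the generator picks one of 80 million fixed-format passwords.
GENERATOR_CHOICES = 80_000_000
SECONDS_PER_DAY = 86_400


def guess_space_bits(choices: int) -> float:
    """Size of a uniformly chosen password's guess space, in bits."""
    return math.log2(choices)


def expected_guesses(choices: int) -> int:
    """Brute force finds a uniformly random password after about half the space."""
    return choices // 2


def passphrase_choices(words: int, list_size: int) -> int:
    """Guess space for `words` words drawn uniformly from a list of `list_size`
    (assumed illustration: two or three words from a 5000-word list)."""
    return list_size ** words


class LoginThrottle:
    """Locks an account once `threshold` failures occur within `window_s` seconds.
    Assumed policy values for illustration: 5 failures, 15-minute window."""

    def __init__(self, threshold: int = 5, window_s: int = 900):
        self.threshold = threshold
        self.window_s = window_s
        self.failures = defaultdict(list)  # account -> timestamps of recent failures

    def _prune(self, account: str, now: float) -> None:
        self.failures[account] = [t for t in self.failures[account]
                                  if now - t < self.window_s]

    def is_locked(self, account: str, now: float) -> bool:
        self._prune(account, now)
        return len(self.failures[account]) >= self.threshold

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self.failures[account].clear()
        else:
            self.failures[account].append(now)


def simulate_online_attack(throttle: LoginThrottle, account: str,
                           total_attempts: int, rate_per_s: float = 100.0) -> int:
    """Attacker fires wrong guesses at a fixed rate (assumed 100/s);
    returns how many the server actually evaluated before the lockout bit."""
    evaluated = 0
    for i in range(total_attempts):
        t = i / rate_per_s
        if throttle.is_locked(account, t):
            break
        throttle.record(account, success=False, now=t)
        evaluated += 1
    return evaluated


def max_guesses_per_day(threshold: int, window_s: int) -> float:
    """Upper bound on online guesses per day against one account under the policy:
    the attacker gets `threshold` tries, then must wait out the window."""
    return threshold * (SECONDS_PER_DAY / window_s)


def days_to_expected_hit(choices: int, threshold: int, window_s: int) -> float:
    """Days an online attacker needs, on average, to hit a uniform password."""
    return expected_guesses(choices) / max_guesses_per_day(threshold, window_s)


if __name__ == "__main__":
    print(f"generator: {guess_space_bits(GENERATOR_CHOICES):.1f} bits, "
          f"{expected_guesses(GENERATOR_CHOICES):,} expected guesses")
    print(f"3 words from 5000: {guess_space_bits(passphrase_choices(3, 5000)):.1f} bits")
    throttle = LoginThrottle()
    print("guesses evaluated before lockout:",
          simulate_online_attack(throttle, "alice", 1_000_000))
    print(f"days to expected hit under lockout: "
          f"{days_to_expected_hit(GENERATOR_CHOICES, 5, 900):,.0f}")
```

The point the numbers make: 80 million choices is only about 26 bits, which an offline attacker with a stolen hash file chews through quickly, but under a 5-failures-per-15-minutes policy the same space takes an online attacker on the order of 80,000 days per account. Lockout (or equivalent rate limiting) is what turns a modest guess space into an acceptable one for online authentication; it does nothing for the offline case, which is where the longer passphrase matters.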

Maybe there isn't enough hype
Brian Honan, from the land of Guinness, rues a bit about the fact that on one hand security products are way over-hyped by amped up marketers trying to sell via fear and differentiate in a world where hundreds of companies are chasing the same customers. His friend (a large enterprise IT pro) is "feeling confused by the various products, their claims and indeed the hype over the threats these products promise to address." Unfortunately she is not alone. But on the other hand, a great majority of the Internet users (including most small businesses) out there are blissfully unaware of what is really happening and how easy it is for the bad guys to have their way with their assets, their networks, and their identities. Kind of a strange dichotomy, eh? I guess that's my SAT word for the day. Being a marketing type guy, I believe in segments. The folks in the large enterprises pretty much know what's going on, but they've been bureaucratically neutered into indecision and their environments are so large and complex, there is no way they could close the holes anyway. SMBs and consumers are not nearly scared enough, and it's going to take a coordinated effort to educate them about what's at risk and how to protect themselves. Seems like an interesting problem to address.
http://bhconsulting.blogs365.org/wordpress/?p=119

Be happy they are on your side
Another great post by Errata Rob about SQL injection. I haven't really seen a bad guy break a network/application in real time, but I've seen enough researchers do it to be very convinced that a skilled attacker will break your stuff. It's not if, it's when, and when is measured in minutes, not hours and certainly not days. Rob's description of breaking in via SQL injection is yet another case in point. To answer Rob's last question about why Darwin doesn't seem to be right in this case and why these porous web sites are still out there is kind of simple. The attack surface is too large and even with hundreds of thousands of capable attackers, there is too much ground to cover. Hundreds of millions of web sites are the potential targets and more are appearing every day with the same issues. Darwin just doesn't work that fast. Secondly, many of these bad guys are trying to stay under the radar and perpetrate continual fraud, and they are good at their trade. Scary stuff.
http://erratasec.blogspot.com/2007/08/sql-injection-is-surpisingly-easy.html
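The reason the same hole keeps showing up on new sites is that the vulnerable pattern is the obvious one to write. The following is an added example, not code from the original post or from Rob's article: a lookup that builds its SQL by string concatenation next to the parameterized version, run against a constructed in-memory SQLite table so the difference is observable. The table contents and the test input are constructed for illustration; the classic tautology input is included only to show that the concatenated query stops filtering while the parameterized one treats the same bytes as an ordinary (non-matching) username.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern that gets sites broken: user input is pasted into the SQL text,
    so quote characters in the input become part of the query's grammar."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the query text is fixed and the input travels as a bound value,
    so the database never parses it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a quote plus an always-true clause. In the concatenated
# query it closes the string literal and rewrites the WHERE condition; in the
# parameterized query it is just a username nobody has.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def demonstrate() -> dict:
    """Return row counts for both lookups on a normal and on a hostile input."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_hostile": len(lookup_vulnerable(conn, TAUTOLOGY_INPUT)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_hostile": len(lookup_parameterized(conn, TAUTOLOGY_INPUT)),
    }


if __name__ == "__main__":
    for name, rows in demonstrate().items():
        print(f"{name}: {rows} row(s)")
```

The asymmetry is the whole lesson: a normal username behaves identically in both versions, so the concatenated form passes every functional test a developer is likely to write, and the defect only shows up when someone sends a quote. Parameterized queries (or an ORM that uses them underneath) remove the class of bug rather than one instance of it, which is why they are the fix to push across a code base rather than input filtering on the pages someone happened to notice.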
