The Daily Incite - August 28, 2006
August 28, 2006 - #104
Good Morning:
Wow. There is nothing going on this morning in security-land. I venture to say the barest cupboard that I've seen yet in the 6 months since I started TDI. So, I'll dig through some of the coverage of the IBM/ISS deal (here). I was going to do a separate post, but this will work. Suffice it to say, there has been LOTS of coverage of the deal. Everything from the impact of consolidation (or is it even consolidation?) to whether this finally legitimizes managed security services.
Of all the varying opinions of the IBM/ISS deal, the most original was from Thomas at Matasano (here). Basically assembling a number of us (Stiennon, Bejtlich, and yours truly) in a virtual panel - Thomas basically excerpted all sorts of stuff from our respective published opinions, took much of it out of context, and came up with a very entertaining mash-up to get his main point across. I've got no arguments with this, since he pretty much nailed what I would have said if there was a real panel. And it made me laugh last night, which after a weekend chasing around after my kids is always welcome.
Have a great day.
Top Security News
Google's now in the corporate apps business
So what? - This is pretty early, but something you'll want to be keeping your eye on. Basically Google is packaging up Gmail, Google Talk, Google Calendar, and Google Web Page Creator and allowing corporations to private label the capabilities. Won't be long before the online word processor and spreadsheet are part of the bundle as well. Of course, it requires connectivity. But the fact is, given this Google initiative and the increasing popularity of hosted applications (like Salesforce.com), your data is pretty much everywhere. And data security becomes immeasurably more complicated. So no real action items today, other than to start thinking about how you are going to ensure the protection of private data and intellectual property when data can be (and is) everywhere.
http://news.yahoo.com/s/nm/20060828/wr_nm/google_apps_dc_5
Top Blog Postings
Mogull on Mac Encryption
I can say I am not an early adopter. Basically I just don't have the time to play around with stuff, so I wait for folks that I think have a clue to do some work and if it makes sense for me, then I'll piggyback. Over the weekend, Rich Mogull goes into chapter and verse about his experience encrypting his files using the built-in Mac OS X FileVault capabilities. And the technology seems to be pretty impressive, so now I'll give it a try. Which gets me out from the same spot that Rich was in - "do as I say, not as I do," since I've been talking about data encryption for a while, but haven't been encrypting my laptop files either. Thanks Rich. Beers on me next time we end up in the same city at the same time!
http://securosis.com/2006/08/26/experiences-with-filevault-mac-encryption/
Beware the diversion
Michael over at MCWResearch brings up a good point about the automatic updating of many products. He calls out vulnerability scanners here, but it could just as easily have been pretty much anything else that phones home to get updated automatically. Vendors screw up. At some point, you'll get a bum update that either doesn't work, breaks something, or writes over the customizations you did. Since the alternative is to manually check every single thing that gets updated from every single vendor every time, I suspect it's easier to clean up the periodic messes. But that is not always the case, depending on the size, scale, and criticality of your systems. Anyway, the most interesting part of the post is the idea of a diversion as part of an attack strategy. If you set off a smoke bomb in some far reaches of a network, your attempts to go after the mother lode could be obscured. It's not like we don't have enough to think about, but keep in mind those seemingly annoying attacks could be a diversion.
http://mcwresearch.com/archives/281
Secure your SOA
Applications based on service-oriented architectures (SOA) are happening and are going to hit security managers like a ton of bricks. Gunnar Peterson's point in this post is (per usual) it's much easier to build security in from the get-go than to try to retrofit the application later. This is even more important for SOA because of the flexibility in distributing data, processing, and presentation. A key part of the application architectural process must be an end-to-end view of how the data is going to be accessed and used to ensure you can maintain adequate privacy. This is a new world, folks, and I certainly don't have the answers yet, but it's something we need to start thinking about.
http://1raindrop.typepad.com/1_raindrop/2006/08/build_security_.html
Focus on IBM/ISS
Customer Impact
I always start any analysis with an idea of the impact on the customer. Overall for ISS customers, I think the IBM deal is positive. Of course, it all depends on the integration and continued investment on the product side, but those are details, no? ISS was clearly struggling and it was taking them too long to transition their product focus to this idea of "security in the cloud." I'm figuring IBM will accelerate that, which is critical because clearly ISS couldn't really compete effectively in the UTM space and their IPS technology is getting long in the tooth. Of course, those ISS customers expecting to continue with a product-centric approach may be left holding the bag, and I certainly wouldn't be committing new money to ISS products until more details emerge. Overall now ISS has a chance and if this deal didn't happen - it was more of a matter of when, not if they were going to run aground. This article gets the opinions of some other analysts about the impact on customers, with folks like Andy Jaquith of Yankee, Paul Stamp of Forrester, and Zenobia Austin of Morgan Keegan weighing in. Their opinions are mostly consistent.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1212272,00.html
Winners/Losers
When evaluating the winners and losers, you need to think both long term and short term. Short Term Losers: I think in the short term, folks that just invested in Proventia could be losers. Holding the bag on a new product purchase is always painful for customers. CyberTrust is also a short term loser because IBM was going to buy something and it wasn't them. Short term winners: On the winning side of the short term coin are folks that compete in the IDS/IPS and UTM spaces against ISS. So as opposed to VARBusiness, which thinks this deal could mean trouble for Check Point and McAfee, I think those vendors (more McAfee, Sourcefire, maybe even TippingPoint) will get a short term benefit, as the FUD around the IBM deal will impact ISS' sales efforts. Another short term winner is ISS' shareholders. Getting $1.3 BILLION is a big win. Long term winners: Longer term, this is very positive for the bigger services players (notably VeriSign and CyberTrust) as this legitimizes the services delivery model for security. Long term loser: The biggest long term loser I see is Arbor Networks. Arbor was relying on ISS to break open the larger enterprises for network-based anomaly detection. The deal was proceeding along well and they were starting to get traction. The deal throws uncertainty all over those efforts. And since NBAD isn't really a "must have" for customers, they'll just defer their purchases a bit longer. And it's also unlikely that IBM would swoop in and acquire Arbor (as ISS may have), given Arbor has no services play.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=192203463
Channel impact
ISS had a love/hate relationship with the security channel. Actually, there wasn't much love most of the time. There was constant channel conflict and lots of other hijinx that made it hard for the channel to both trust and make any kind of significant investments. Though the tide did seem to be turning, as the Proventia line was much more channel friendly with much less friction, especially for the low end box. Now all bets are off, as CRN reports. The rubber will meet the road in how much investment and effort IBM continues to drive on the product side. In a business as competitive as security, unless that is a major focus, other players will supplant ISS in the channel very quickly. And most VARs are looking to bring their own MSS offerings to market and IBM doesn't strike me as very private-label friendly. To net it out, I think ISS' channel clearly loses in this deal, but it's OK. According to Stiennon there is no consolidation since there are still over 850 other security vendors to focus on. That's hogwash, as pointed out by Richard Bejtlich.
CRN: http://www.channelweb.com/sections/allnews/article.jhtml?articleId=192203531
Stiennon: http://blogs.zdnet.com/threatchaos/?p=393
Bejtlich: http://taosecurity.blogspot.com/2006/08/all-network-security-functions-in.html
Market leadership and "indie" security plays
It would seem IBM paid too much for just the services component of ISS, given that they were only doing maybe 15-20% of revenue on the MSS side. But it's about "leadership" and for that term, IBM was willing to pay up. Fact is, MSS is still a pretty small market, and ISS was one of the revenue leaders. You throw in IBM's security services, and they do have a strong market share position. VARBusiness (here) and SC Magazine (here) draw that conclusion. Clearly this is another example of "Big is the new small," and that's fine. But getting back to Matasano's take, I don't think this kills security innovation. If anything, it's just become apparent that there probably won't be another big, public security company that emerges from nowhere. But as I mentioned on Friday (and Thomas reiterated in the "panel"), as long as entrepreneurs don't get too greedy, there is plenty of opportunity to innovate on the product side and find a home (yes, be acquired) in one of the Big Security aggregators.
http://www.matasano.com/log/439
Recently on the Security Incite Rants Blog
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-08-25