Incites Redux - June 20, 2006
Good Morning:
In today's Incites Redux, I tackle the next 3 Incites (compliance, threat management techniques, endpoint security) and am pretty pleased with each of the Incites. Much of my thinking on endpoint security has not come to fruition yet, but I think that's mostly due to end user analysis/paralysis, as opposed to the market not needing those solutions.
In the classics section today, I revisit some of the Security Incite rallying cries, like "Big is the New Small" and the Pragmatic Security architecture. For those not familiar with those topics and rants, check them out. A lot of what I write every day makes more sense if you have the context of my original postings.
Have a great day, the pontoon boat awaits me.
Incite #4: Stay out of Jail
Compliance continues to generate tremendous hype, but largely remains a red herring throughout 2006. Smart users will use the compliance word to get funding for critical imperatives (perimeter redesign, identity management) and sufficiently document their processes to keep regulators happy. Those not-so-smart users figure encryption is a panacea and buy some, ultimately realizing that making encryption work on a large-scale basis hasn’t gotten any easier.
6-month grade: A
The compliance Incite has been right on the money. In pretty much every end-user conversation I have, the compliance topic comes up. I inevitably ask about budgeting and their strategies for compliance. As I predicted, there is still a compliance budget (and likely will be one for 2007 as well), but no one is under the delusion that it will be there forever. Compliance (at least in a security context) has become a funding mechanism for the stuff that needs to get bought.
There are also some rumblings about compliance being “done.” That’s a load of crap. Compliance is never done, but it is becoming an operational endeavor, as opposed to a process-defining, capital-building situation. That also means that compliance expenditures will be much more heavily scrutinized in the near term.
I also think the encryption part of the Incite has proven out as well. You have a tremendous number of folks dipping their toes in the encryption waters because they think it allows them to check the “compliance box.” But I see almost as many folks that are solving problems with encryption, and that’s a good thing. There is still some challenge around figuring out what to encrypt, but the encryption vendors are increasingly bringing their own policy engines to the table to address this issue.
There has been some progress on making encryption easier to use (see my NetworkWorld column on encryption to find out more), but it’s still not there. Yet, in 2007 application support may be sufficiently transparent to drive more widespread adoption. That being said, a shakeout in the encryption market is imminent, as there are quite a few vendors with largely undifferentiated offerings and seemingly more popping up all the time.
Incite #5: Losing the Religion
Everyone finally realizes in 2006 that regardless of technical approach (IDS vs. IPS vs. firewalls vs. anomaly detection) it’s all about detecting and blocking malware quickly and effectively. Users expect to see multiple techniques implemented, spurring another wave of consolidation as vendors look to bring complete enterprise-class UTM solutions to market.
6-month grade: B
This Incite has also proven rather prescient, but it is totally interrelated with unified threat management (UTM). Pretty much all the large security vendors are bringing forward gateway boxes that do all sorts of things, and we are also seeing increasing relationships between anomaly detection vendors and Big Security to integrate anomaly detection into the “suite” of protection devices.
We haven’t seen the spur of consolidation yet, as there are still a bunch of stand-alone IPS and anomaly detection vendors out there – and there probably shouldn’t be. But, we are only at the 6-month mark and there are lots of folks shopping themselves frantically to make sure they aren’t the only ones standing alone when the music stops.
But on the end user side, there is no religion left. Customers do in fact want to solve their problems and they don’t much care how it happens, and they expect their vendors to make it simple to use and comprehensive.
Incite #6: Endpoint Hostile Takeover
Driven by the prevalence of unwanted applications, internal zombie outbreaks, and documented information leaks enabled by key loggers and spyware, users will increasingly lock down endpoint devices, despite pushback from the business users. Limitations of the Windows XP security model make lockdown difficult in 2006, but much easier when Microsoft’s Vista operating system is ready for deployment beginning in 2007.
6-month grade: B-
Amazingly enough, the rush to application control and whole disk encryption to protect private data on laptops is just starting now. Yes, given all the privacy breaches of late – protecting endpoints is one of the hottest topics of conversation out there. But I was figuring that we’d see a much more rapid adoption.
All sorts of idiocy, much of it happening at the application and data architecture layers, causes these privacy breaches. But I’ll make the point again – shame on anyone that doesn’t have an endpoint protection project in process with clear funding and a deployment timetable.
It feels a lot like analysis/paralysis; folks seem so shell-shocked by the problem (and maybe the thought of having to deploy anything to thousands of laptops) that they haven’t taken action. Well, get over it. Do something. I can be wrong and you’ll likely be changing it over the next 18-24 months, but at least do something.
I also would have expected folks on both the application control (SecureWave, Bit9, etc.) and disk encryption front (SafeBoot and a bunch of other smaller players) to have been acquired by Big Security by now as well. McAfee pays $60 million for SiteAdvisor to bundle into their security suite and they don’t think these technologies are important? I’d be surprised if this consolidation doesn’t happen this year.
The other aspect of this Incite is Vista and its inability to help with the problem anytime soon because it keeps slipping. Customers no longer have the option of waiting to do something on their mobile endpoints. So do something now and if new Vista functionality like BitLocker and UAC (User Account Control) can sufficiently lock down the endpoints, then move to that later.
But for God’s sake, stop the pain of these constant privacy breaches due to laptop theft and don’t be the next fool to show up on the front pages of the business press.
Classic Security Incite Rants
Big is the New Small
This became a rallying cry for me as I was getting my research sea legs back and it's been awesome. Folks on both the end user and vendor sides understand what I'm talking about and they (for the most part) agree. Check out these posts to learn more about the dynamics that are swinging the strength in security towards the big. Of course, that doesn't mean that innovation isn't still important, but the odds of building a new, great, huge, self-sustainable security company get longer every day.
http://securityincite.com/blog/mike-rothman/view-from-the-agc-conference-big-is-the-new-small
http://securityincite.com/blog/mike-rothman/more-thoughts-on-big-is-the-new-small
Pragmatic Security
Another rallying cry of mine has been the need to simplify how we think about security. So I documented some ideas around a "Pragmatic Security" architecture that was meant to break down the market into digestible buckets and give end users a way to make sure they got everything done without making their heads explode. Yes, I'll be fleshing out Pragmatic Security quite a bit over the next few months, but check out my early thinking on the topic in this post.
http://securityincite.com/blog/mike-rothman/pragmatic-security-coming-into-view