Endpoint Security

Deal: Sophos buys Utimaco - Endpoint encryption market continues to consolidate

Submitted by Mike Rothman on Mon, 2008-07-28 09:03.

Yep, even in a crappy macro environment, there will always be sectors that are doing well. As I pointed out during the Incite Redux series, endpoint encryption is certainly one of them. The rising tide definitely lifts all boats. But more importantly, the second part of the Incite is all about the consolidating market.

We saw a bunch of deals happen in this space last year and things went quiet for a little while. Until this morning, that is. Sophos has announced a deal to acquire Utimaco for 217 million Euros. That's about $341 million. Utimaco did a touch under 50 million Euros last year. Their last quarter was 14.4 million Euros, growing about 25% YoY.

Interestingly enough, Sophos' offer was literally a 92% premium to Utimaco's trading price on Friday. If you look at 30 and 90-day moving averages, the premium is a bit less, but it's still a HEFTY premium. Seems the German investors didn't quite get the need for endpoint encryption.

It's a big check, but a necessary check to write. Sophos wants to play on the big stage with Symantec, McAfee and Trend. They need to control the technology because it's a feature of a broad endpoint suite. Yes, it's a FEATURE. But a necessary feature. The endpoint is all about how much crap you can stuff into the bag now, and that means it's not a market for start-ups. It's a "big is the new small" market.

It also makes Symantec's decision to OEM GuardianEdge, as opposed to either acquiring them or someone else, that much more perplexing. Unless they built a pre-negotiated acquisition price into the OEM deal, they are seeing their price rise dramatically because it's not if, it's when they need to acquire this technology.

So, all of you end users out there looking at 2H renewals for your endpoint suite: use these deals and the need for endpoint encryption to your advantage. If your incumbent doesn't have the technology, poke them in the eye and force big price breaks. If they do, poke them in the eye and make them bundle it in for little to no additional price (which is effectively a big price break).

This is a competitive market, folks, which means at a minimum you should be poking your vendor in the eye and also getting a big price break. Now is not the time for inertia or brand loyalty.

Photo credit: "Manure for sale" originally uploaded by sloejoe

Incite Redux: Day 6 - Laptop encryption hits the big leagues

Submitted by Mike Rothman on Wed, 2008-07-09 10:05.

 

Good Morning:
Week 2 of "vacation" is on. The last time I took off more than a week was back in 1997. The Boss and I took a 3 week trip to Australia and New Zealand a few months after we got married. It's been a long time. I guess part of me should feel bad about not really taking vacation and totally unplugging. I probably should just not work at all, not do any reading, not plug in and answer a few emails every day. Not work on any of my super-secret projects. But I don't feel bad. Not at all.

Why? Because I love what I do. I don't spend a portion of every day reading because I worry I'll fall behind. I do it because it's what I like to do. I'm an information junkie and I've found a profession that lets me indulge that. I love writing and inflicting my opinions on all that will listen. I love building new things, so my new projects keep me engaged.

The fact that I have enough back-up to "work" a few hours a day is lucky. So I can get my info fix and then spend the afternoon with the kids at the beach. And a couple of hours of beach time is about all I can handle anyway. Especially since I have no pool to lounge by and no one to bring me drinks in a pineapple.

Yes, I'm spoiled. I don't feel bad about that either. Have a great day.

Incite #6: Laptop encryption hits the big leagues

Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.

Read the original Days of Incite post on this topic.

6-month grade: A-

Yep, this one seemed very obvious when I wrote it. Though in a time of macro-economic chaos, and even the mighty (like VMWare) proving that trees don't grow to the sky, good old-fashioned disk encryption continues to do well. Well enough to keep big security afloat and announcing good earnings? That I'm not sure about (remember I wrote this about two weeks ago before many of the public security players announced their earnings), but I can tell you it would be a lot worse without the ballast of this hot category.

And why is it hot? Well, just read the Incite. People keep losing laptops and disclosure laws mean customers need to be notified. It's a lot easier to just encrypt the disk and most companies are realizing that. Of course, you see datapoints from a few months ago that the US Government is about 1/3 of the way through their deployment and you realize how many friggin' devices there are out there, and that there is still plenty of running room for this category.

I'll also pat myself a bit on the back by saying the longer term prediction part of the Incite seems on track as well. There are precious few stand-alone device encryption companies left and many of them have shacked up with Big Security to OEM their offerings through a bigger distribution engine (like the Symantec/GuardianEdge deal). Of course, the good news about long term predictions is that they are longer term and thus I can just say it's right. Right?

But what about having the embedded OS capabilities kill stand-alone offerings by next year? That's the difference between A- and A. Microsoft's Vista is every bit the train wreck we thought and a lot of big companies are just going to wait for the next version of Windows. That means no BitLocker, which means continued demand for 3rd party offerings. And as many inroads as Apple is making in the enterprise, it's still a rounding error. So 2009 may turn out to be a bit optimistic. But to be clear, good enough will prevail in this game. It's not a matter of if, it's a matter of when.

Photo credit: "Laptop Stolen" by Bahi_P

Incite Redux: Day 3 - Best of Breed DOA

Submitted by Mike Rothman on Mon, 2008-07-07 11:23.

Good Morning:
Is it Wednesday already? Maybe for you. I'm writing this from the past, and that's one of the amazing things about technology. I can stack up 10 posts before I leave and like a clock, you'll get your daily dose of babbling. So let's all do a prayer of thanks to the Technology Gods. But the reality is that I am in fact writing this post, so at some point I had to get out of my normal schedule to get ahead of my publishing schedule.

My business still needs me to run, and that is an inherent limitation. It's also something that I'm planning on addressing in the very near term. No, I can't talk about it yet - but I've got some super-secret projects underway and hopefully it will contribute to being able to really take time off, as opposed to just paying my work forward.

So that brings up the inevitable question: when you are out of the office, who is holding down the fort? Can they do your job? If not, what do you have to do to get them there? No one is indispensable, and you don't want to be. So think about it. And have a great day.

Incite #3: Best of Breed DOA

As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

Read the original Days of Incite post on this topic.

6-month grade: A

I got a great question from one of my channel contacts a few weeks ago. They asked if they could still get a stand-alone firewall anymore. They'd been looking a bit, but it seemed that every device that was out there was "more" than just a firewall. Some went the UTM route, others have focused on applications, but you actually have to look hard for just a firewall. Clearly this kind of consolidation of functionality is happening and it's what "big is the new small" is all about. But is this good or bad?

Basically, it's neither. I answered the question to my contact by reminding her that UTM devices are still firewalls. You just turn off all that other stuff and run it as a firewall. Yes, kind of like using a Swiss Army Knife as a corkscrew. And given the cost economics of the technology business, that's not a bad thing to do as you are migrating from one perimeter platform to another. You incrementally get there and then when you are ready, you turn on more functionality in the UTM box and turn off the stand-alone device.

The same thing is happening in the endpoint security game. Everyone has an AV engine nowadays, if only to take that objection off the table. You know, why go with just an anti-spyware agent when I also need AV? You don't. You buy a suite that includes all this stuff. And it seems there is no end to the bundling. Symantec is adding backup features (as you'd expect) and Microsoft is bundling Office with OneCare as a subscription. Yep, security is something we all need and something that will be a checkmark or free add-on to something else you are buying.

I kind of laughed 5 years ago when my new PC (yes, when I still bought and used PCs) came with a full license of CA anti-virus. I used it diligently until that machine croaked. Why would I pay for something else? And that's exactly the point. You'll see the endpoint security folks continue to focus on bundling as their main path to market.

Security management is also playing out as I projected. Pretty much all the SIM players have a log management offering and vice-versa. You are now seeing integration with the identity management folks, which makes sense because you want to get down to managing a user's activity - not just a nameless, faceless IP address.

Those companies that still have stand-alone solutions have some strategic decisions to make. It's increasingly clear that having just an IPS or just a secure switch, or just a set of security utilities is not a way to find long term sustainability. But with the macro-economic environment being pretty crappy, you won't see a lot of deals over the next 12 months, unless they are deals done under duress (yes, fire sales). The privately-held category leaders will likely wait for better valuations, which they figure will come back when the stock market strength returns.

This Incite is rather obvious, but still pretty accurate - so I'll bestow an A on it at this half-way point.

Photo credit: "French Army Knife" originally uploaded by Simon Davison

2008 DOI: Day 6 - Laptop encryption hits the big leagues

Submitted by Mike Rothman on Wed, 2008-02-20 15:32.

2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

2008 Incite: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.


As I look at the 2007 Incite on leak prevention, it was broader and focused on the broader DLP space. This year, I’ve decided to break the Incites up. The DLP piece will hit in a couple of days, but in the meantime I want to focus on laptop encryption.

When I did the dry run of the Incites to a group of my trusted colleagues, the universal feedback on this was DUH! Everyone already thought laptop encryption was in the “big leagues” and kind of a foregone conclusion. Unfortunately, there is a large part of the world that isn’t there yet.

Just think about the market numbers. Check Point’s PointSec group did something like $80 million in 2007. McAfee’s SafeBoot did a bit less. There are a bunch of other players with significantly less revenue. The firewall business is billions, laptop encryption is not. Yet. Laptop encryption is not a universal thing by any stretch of the imagination. My message here is that it needs to be.

If you have laptops, you need laptop encryption. It’s as simple as that. I don’t care whether you get the big enterprise package or just mandate the use of the built-in O/S tools. You need to do something. Why? Because laptops go away. They are stolen. They are lost. And they have private data on them.

One other thing before I jump into the market dynamics. If you have service providers (outsourcers, contractors, et al) that store your data, then THEY need to do laptop encryption as well. How many organizations are pulling splinters out of their butts because their auditor or their on-site contractor lost a laptop? That should be a requirement for continued business and put as a standard term of professional services contracts. OK, off soapbox now.

What about the market for laptop encryption? Basically, it’s going away. The first wave of this has already happened. Check Point and McAfee took out the two biggest players in the laptop encryption market. There are others and they will be spoken for in 2008. Symantec needs something. So does Trend and every other company that wants to play in the endpoint space. Check Point and McAfee will use the encryption as a wedge and differentiator in a market with precious few differentiators. That means the others are sure to act.

But over time, that capability within the endpoint suite goes away as well, or its value is marginalized at a minimum. The capability will be subsumed into the operating system. Windows Vista already has BitLocker, but it’s not there yet from a centralized management standpoint. Once it plugs into Forefront or maybe just SMS (or whatever they call the management thing nowadays), then it truly becomes a feature. Apple has had FileVault for years as well. That works great, but doesn’t really have central management capabilities.

This is another market where the standalone vendors better find a partner pretty quickly. The window won’t be open for long. They better enjoy the fresh air while it’s there.

Photo of the Enigma machine: chris_malcolm

2008 DOI: Day 5 - Night of the Internet Dead

2007 Incite: You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

2008 Incite: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction; the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.


Last year’s malware Incite was about integration, and that has largely come to pass – so I ended up consolidating that topic with the perimeter Incite since both functions are no longer “best of breed” types of functions.

This year I want to focus on the inevitability of compromise. I don’t mean you’ll work out your issues more cordially with your significant other this year. I mean the fact that your users will do something stupid and thus they will get 0wned and that means your environment will be compromised.

Nowadays, it’s just too easy to get nailed. The users don’t have to do anything. The bad guys are now installing drive-by downloads on LEGITIMATE sites. Let me go over that again. The bad guys compromise a legitimate server and have it download a Rootkit or Trojan to all the visitors. It happened to an ISP a couple of weeks ago.

There is no defense against this. Training your users isn’t going to help, since they are going to a legitimate site. But it gets better. Now the bad guys may be specifically targeting YOU or someone in your organization. That’s right. They know your name. They know your email and they want to get something from you. It’s a lot more likely if you are a “C”-level something for a big company or in the news or something like that.

But all the same, this level of targeting is unprecedented.

Since I’m no mathematician (sorry Mr. Calabrese, I probably should have paid better attention in 11th grade), let me do the calculus. Users get nailed going to sites they trust and the bad guys are now specifically targeting them. Crap. What the hell do we do now?

You know what’s coming don’t you? That’s right, you need to REACT FASTER. For long time Incite readers, this is a predictable outcome. I’ve never been one to say that you can “get ahead of the threat.” The best you can do is to make sure you figure out you’ve been compromised before there is too much damage.

Yes, it’s all about containment and incident response. Though we shouldn’t get the cart ahead of the horse here. First we need to know something is wrong. We do that by monitoring. So do yourself a favor and get Bejtlich’s book on network security monitoring. That is the bible of how to do this.

I believe that this is a function that needs to be integrated into the security management platform. I said in the Best of Breed DOA Incite that security management will undergo a fundamental shift towards an integrated platform mentality. Monitoring logs, Netflow, and other stuff (like database logs, applications, transactions) is critical to figure out what you should be focusing on.

Unless you are the one in a million that has so many security resources and budget that you get through your list every day – you need to prioritize. How do you prioritize your activities? By investigating the stuff that looks fishy, and you find that stuff via monitoring.

Here is some math even I understand: Monitor aggressively + REACT FASTER = Live to fight another day.

Photo credit: Drunken_Monkey

2008 DOI: Day 3 - Best of Breed DOA

2007 Incite: Perimeter (R)evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.

2008 Incite: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

I get a lot of questions about “best of breed.” It’s a manifestation of a couple of deep-seated misconceptions regarding how security has evolved, and also a bit of an ego thing on the part of most security professionals. But before we jump into my amateur Freud act and conclude that it’s our parents’ fault, let’s dig into history a bit.

Most technology markets are driven by the innovation, integration, and consolidation cycle. That means a bunch of new companies start up to solve a specific customer problem. That’s the innovation thing. Then the big, stodgy, un-innovative companies figure out there may be something there, so they integrate the stuff into their existing offering. Finally, these same companies figure out how to sell the integrated innovation (say that 10 times fast), and by then it’s not really that innovative anymore – so they acquire pretty much all the players in the market.

The first stage – innovation – is really what the “best of breed” mindset is all about. In an early market, there usually are marked disparities between the products. Some work, others not so much. So buyers really have to be aware and careful to ensure they don’t buy a pile of steaming poop.

But in later markets, the technical capabilities normalize. Technical differentiation is largely a myth. All the products work “good enough.” At that point, you are buying not on technical capability, but softer issues – like integration with your existing stuff, management, and reporting. At that point, best of breed pretty much ceases to exist.

That’s where we are in a bunch of security markets. In 2007, the Perimeter Incite (referenced above) really reflected this fact, and it definitely came to a head. A lot of folks bought UTM, even though they were only looking at replacing their firewall. Why do this? The more applicable question is really why not? Even if they don’t turn on some of these other capabilities, they could. And over time, probably will.

Same goes with the “endpoint suite.” No companies offer just anti-spyware anymore. Why would they? That capability has been subsumed by what used to be called anti-virus. Rootkit detection? Ditto. Don’t forget about device and application control too. Yep, it’s in there.

But talking about UTM and endpoint suites isn’t particularly inciteful. I think that security management is next on the hit parade to hit this cycle. You have all of the SIM vendors saying they do log management. You also have all the log management vendors adding SIM-like capabilities. The NBA vendors are trying to feed algorithms and analysis (via partnership) to all of the above to stay relevant.

The cycle repeats itself once again. And it will continue to repeat itself. Remember, I’m not as smart as most of you – I’ve just been around longer and I’m good at recognizing the patterns that will repeat.

You don’t have to be a brain surgeon to see this writing on the wall. Market maturity kills product innovation. And that’s why I’ll be the first guy shoveling the dirt on security best of breed.

Photo credit: darleen2902

Report Card: 2007 Incite #5 - You (Mal)ware it well

Submitted by Mike Rothman on Wed, 2007-12-26 07:54.

Continuing on with the 2007 Report Card series, the next Incite deals with endpoint security and the ever-present malware situation. It certainly seems it's getting worse, but is it still as impactful? Let's see...

Incite #5 - You (Mal)ware it well

The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.


Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-5-you-mal-ware-it-well
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007

Final grade: B+


During a recent speaking engagement on endpoint security, I made the point that malware is pretty much ANYTHING that I don’t want on my desktops. I don’t care if it’s a virus, a worm, a Trojan, a keylogger, or any other bad juju – it shouldn’t be on my machine and I want an integrated endpoint security platform to get rid of it.

The good news is that the vendors have responded. Whether it’s the free stuff focused on consumers, or Big Security that have upgraded their stuff in 2007, we are seeing (finally) the justification for those annual upgrades.

What about these new entrants? Most importantly, big Microsoft was a no-show. They made a lot of noise in the early part of the year, and then… not so much. But that’s OK, since this is part of Microsoft’s playbook. They make a big splash; realize that they have some work to do on the product, disappear for a while and then eventually come back with something that is competitive. Clearly they have disappeared for a while, but in my best Governator voice – they’ll be back.

The reason this is still a B+? The ISPs remain blissfully unaware and unwilling to act to take many of the bots off their networks. And there has been little to no external pressure to force the issue. ISPs continue to ignore the issue, the bot masters continue to run to the bank, and millions of devices out there are just waiting to launch a massive attack on whatever is the next target of choice.

I wish there was any kind of good news on the horizon, but there isn’t. Users will continue to do stupid things, leaving themselves open to being compromised. The best that a corporate security person can do is to monitor their networks and figure out when one of their machines has been compromised. Rebuild it and contain the damage.

I always get a lot of VCs asking me what is hot in security. Where they should invest their money. Unfortunately, the best growth market in security is bots, but I don’t think the limited partners of the VCs would be all that enthusiastic about funding a band of criminals. Although it’s not unprecedented…

Check out the other posts in the Report Card series.

2007 DOI: Day 5 - You (Mal)ware it well

Submitted by Mike Rothman on Tue, 2007-02-20 10:22.

The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

I don’t know much. But I do know that in 2007, the good guys will continue to surf in the wake of the bad guys’ innovation. Whether it’s new and interesting social engineering attacks or new found zero day exploits on client side applications, we’ll see more desktop carnage and mayhem.

Why? The objective of the bad guys is still monetizing owned desktops, via spam, DoS, keyloggers, Trojans and their malware ilk. Hopefully we’ll be able to react faster this year, but continue to expect all sorts of zero day exploits on all sorts of products, both general computing and security specific offerings. 2007 could be the YEAR of client side bugs, as we may not see 365 new ones – but scarily enough, we may come close. Maybe this will convince some software companies out there to finally get their act together on secure coding.

So what will be the response from Big Security? More shit in the bag. It may not be as integrated as it needs to be, but it will be in the same install package. The most fought-over real estate in computing this year will be on the desktop. If the Big AV vendors lose the agent, they are cooked. So you’ll see things like rootkit detection, anti-phishing, whole disk encryption, wireless hygiene, safe web browsing and the like added into AV suites. This is actually a good thing for users, as long as the policy and management get the needed integration as well.

But it’s still about price, and with increasingly sophisticated updating and software distribution infrastructure, the switching costs of a desktop security suite are minimal. So lots of customers will switch. And that creates downward pricing pressure on endpoint security. Though I do expect the public AV vendors to hide the pricing pressure by blurring the lines between product and services revenue. This keeps the financial analysts burning the midnight oil trying to figure out what’s going on. That’s another group I don’t envy.

And though it continues to feel fruitless, don’t give up on user education just yet. Seriously. It takes years of consistent effort to make inroads and an educated user is still one of the best defenses out there. You can’t buy enough technology to stop all the attacks. So the user really is the line of last defense. Keep them ignorant at your own peril.

Report Card: Incite #6 - Endpoint Hostile Takeover

Submitted by Mike Rothman on Wed, 2006-12-27 09:08.

Driven by the prevalence of unwanted applications, internal zombie outbreaks, and documented information leaks enabled by key loggers and spyware, users will increasingly lock down endpoint devices, despite pushback from the business users. Limitations of the Windows XP security model make lockdown difficult in 2006, but much easier when Microsoft’s Vista operating system is ready for deployment beginning in 2007.

Grade: C

Original Days of Incite post: here
Incite Redux post: here

Swing and a miss on this Incite. Basically, the market is speaking and application control is just not that important at this point. Over time, it becomes part of a broader endpoint security suite, but the initial versions of this "application control light" technology are based largely around black lists (as opposed to a white-list based positive security model) and that’s a bit disappointing.

The fact is, the problems are not getting fixed. We continue to have phishing attacks making mincemeat out of desktop and consumer devices and application control is a legitimate way to stop those attacks. But Mr. Market tends to be right over time, and the stand-alone opportunity for pure-play application control vendors (SecureWave, Bit9, Savant, etc.) is waning by the day.

The best those folks can hope for is to be taken out by an AV or anti-spyware vendor that is trying to push the functionality envelope to win a feature war.

Of course, we are at the dawn of the Microsoft Vista age of computing (for 95% of the world anyway) and that is going to fundamentally alter how desktops are provisioned and how they work. User Account Control is the most visible new security capability and it will be annoying at times. But it’s also critical because locking down what software can be installed is a must to control Trojans and zombies.

It will be a long road to Vista and most organizations won’t be rolling it out en masse until 2008. So it looks like another year of cleaning up the XP mess, as opposed to using application control to proactively lock the devices down. But, as my driver’s ed teacher used to say when reminding us to always drive defensively, “You may be right, but you’ll still be dead.”

The Role of Aggregate Data in Security

The latest battle between eEye's Ross Brown and StillSecure's Alan Shimel got me thinking about a bigger topic. How can/should we use data to make our security defenses stronger and to improve our posture?

To provide some context, I covered Ross' announcement of a free Blink! endpoint security product for home use (here). Alan responded about the fact that although the product is free, eEye gathers data about the product's usage and uses that for security research purposes (here). Ross responded about the horrors of offering free stuff (here), and does a good job of walking through the decision process that got eEye to where they are.

Here is my response to Alan's post (as a comment on his blog):

Correctamundo, Sr. Shimel. I figure given you are in FLA, you are getting quite familiar with Spanish. :-) You are correct in mentioning that eEye will be collecting data, but this is neither unique, nor in my opinion an issue. Microsoft, Symantec, McAfee and every other security vendor systematically gathers data from their customers (usually with their agreement, sometimes not) and no one I've EVER spoken to has an issue with this. As long as the data is anonymized and just used for aggregation and summary statistics, it's cool.

I get that you are trying to take the high road, but maybe you should revisit the data you "aren't" gathering because perhaps it can make StrataGuard more effective at blocking attacks, or at least your own internal folks more effective at knowing what's going on out there.

But this topic is bigger than just whether it's cool to gather data from possibly unsuspecting customers. Data is necessary. Data is important. Without data, the good guys have precious few ways to figure out what the bad guys are up to. So the vendors MUST gather data, the question is what is the best way to do that?

I spent some time in the anti-spam business, and that is all about data. You need to gather good messages (ham) and bad messages (spam), and you need to use that data to fine-tune your filters and settings and to test new techniques. Now that data is aggregated and correlated to provide a sender "reputation," which can help to prevent spam from undesired parties.

Every customer was willing to share anonymized information about their message traffic because they knew it would make their email defenses better. It was never an issue.

Is there any doubt that Microsoft gathers a ton of data about how you use Windows? They do. Are the privacy mongers all up in arms about it? NO. Maybe they don't realize. Symantec and McAfee do as well. They've gotten a bit more sophisticated and they ask whether you want to participate in their "network," but by default you do. Most people don't care.

Is it a privacy risk? I guess. But everything is. As I mentioned this AM, my head hurts from thinking about all the potential privacy risks that are out there. So I don't. Maybe I'm playing my own ostrich game, but I'm more focused on helping people protect themselves from real attacks that are happening today, and not potential breaches that may happen tomorrow. I could be wrong, but that's my opinion today.

Thus I don't have an issue with eEye gathering data. Firstly, they are offering the product at no cost to the consumer. Last time I checked there was no free lunch, so I think sharing data is a reasonable trade. And even if I were paying for the product, I'd still share my data - anonymized and summarized of course.

Why? Because I know that it makes the products that I use better. And ultimately security practitioners are paid to protect things, not get religious about the use of data. So stand down, Alan; you are barking up the wrong tree on this one.