Leak Prevention
Report Card: 2007 Incite #6 - Patching the Leaks
OK, we've passed the half-way mark. Here is the Incite on Leak Prevention.
Incite #6 - Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-6-patching-the-leaks
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007
Final grade: B
“More high profile privacy train wrecks…” Have any truer words been spoken over the past year? The list goes so far beyond just TJX and a lot has to do with lost laptops, but there have also been insider thefts, compromised machines and lost backup tapes. So the only thing you can pretty much count on is that if you think your private information is actually private, you are mistaken.
So how do you address the issue? The 2007 Incite talks about laptop encryption and DLP. Let’s pop the DLP bubble first. That market is early, and it’s also small. Symantec paid more than 3 times the entire market size for Vontu, but there is certainly a lot of precedent for Symantec paying up when they think they need something (Brightmail anyone?). EMC also bought Tablus, which means there aren’t too many independent DLP vendors left.
But that’s the simplistic vendor view of the world. What about customers? Basically, they still need to figure out what they are watching for. The current generation of tools does a decent job of checking against dictionaries and regular expressions. Catching stuff you don’t know about is still pretty dicey.
That being said, it is all about the content, and that means that inspecting the content is critical. It won’t be a standalone function over time, but the algorithms and content expertise required to do DLP right will prove valuable for every major security company to control. So expect more DLP consolidation next year, as the process becomes a more engrained part of security defenses.
What about laptop encryption? The answer is yes. It’s hard to envision how larger organizations can figure out how to protect their data, which increasingly resides on mobile devices, without resorting to laptop encryption. Maybe they are lucky and have all Macs, so they just turn on FileVault. Probably not, who has all Macs?
What about Vista’s BitLocker? Again, it’s pretty unlikely that your organization is all Vista (and given how badly Vista sucks, it probably shouldn’t be, but I digress), so you are looking for something to fill the gap. There are actually lots of choices to buy an encryption widget, and this is another market that will see further consolidation next year. Every endpoint security vendor needs to have this technology as part of their suite – whether they own it (like Check Point or McAfee) or do an OEM.
As hard as most organizations work to do the right thing in protecting your data, McNealy was right. You have no privacy – get over it.
Check out the other posts in the Report Card series.
Deal: Symantec pulls the trigger on Vontu
At long last, those consolidation watchers can finally exhale, since SYMC has finally gotten the Vontu deal over the finish line. The deal was announced this afternoon as a $350 million cash deal. It's a pretty decent multiple, which I estimate to be about 7-8x trailing twelve month bookings. Not as expensive as Brightmail, nor as cheap as Whole Security.
You can also read SYMC's "rationale" on how Vontu fits into their Security 2.0 strategy and introduces a new tagline "information-centric security."
The reality is Symantec needed to have some type of presence in the DLP space. Their big competition on the storage side is EMC and they have a widget in Tablus. Their main competitors in the security space are also well represented, as McAfee, Websense and Trend have acquired companies in the space as well. I've been saying for a while that DLP is more of a storage and information function than it is core security - so the fit with Symantec is pretty good. The question is whether this provides the "glue" that finally makes Symantec's security and storage capabilities kind of hold together.
And that brings up the huge blind spot in this deal, which is whether SYMC will be able to maintain Vontu's momentum in the large enterprise. They say Vontu will be run as a stand-alone entity, but I'm not sure if that's a good thing or a bad thing. They also plan to integrate Vontu into all of SYMC's existing offerings, given there is a piece of DLP in every aspect of SYMC's business. But to be skeptical (I know it's shocking for me), it hasn't happened in Big Yellow land with any other deal, so there is nothing that leads me to believe it will happen now.
Of course, there is always risk for existing Vontu customers that the deal won't go well and there will be a huge loss of Vontu brain power. But those are always risks in any deal.
Those most exposed are storage folks like Sun and NetApp, and big tech like Microsoft, Oracle, IBM and HP - who currently have no DLP strategy and may get left with 3rd tier pickings if they wait too long. Since DLP is clearly a feature of a bigger data security strategy, any player who says they manage data needs to have a story around DLP. There are also risks for start-ups who have not been spoken for, like Vericept, Code Green and Reconnex. You know the story of the company that holds on too long, waiting for that bigger, better deal. It usually ends as a fire sale. Though anyone independent now has some running room as the inevitable integration hiccups will provide a small window of opportunity.
So to net it out and not belabor the point, strategically the deal makes sense. Now it's all about executing the integration well and that really hasn't been Symantec's strong suit over the past few years.
2007 DOI: Day 6 - Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
Read all of the 2007 Incites here.
Leak prevention is an interesting market. To date, the total sales in the category are less than the VC funding by an order of magnitude. That will change, but not overnight.
We’ve seen this movie before, lots of times. Big, high profile problem. Frantic buying of anything that purports to solve the problem, which leads to general customer dissatisfaction with what they bought. Eventual consolidation, then integration and the category is ultimately swallowed up into a larger data or information security function.
The good news is that for most information leakage solutions, the benefits are much clearer than other over-hyped categories (like NAC for instance). But I haven’t found a way to accelerate the market adoption curve (and it’s not from lack of trying), so you’ll have early adopters/panic buyers over the next 12-18 months. This will give way to the mass market (likely in late 2008/09) that figures out what they need and why.
Keep in mind that we are really talking about two different problems here. The first is lost laptops. This is the high profile issue that keeps both security pros and PR people up at night. Just look at the Veteran’s Administration fiascos of the past 8 months and you’ll know why. Lots of whole disk encryption (WDE) will be sold to solve that specific problem. But these are very tactical buys, and vendors that talk about “policy” and integrating WDE with an encryption utility are selling ahead of the requirements.
Separately, you’ve got the problem of private data and intellectual property being sent outside the boundaries of the enterprise. This is another huge problem, with much less clarity on the solution. There are lots of products, but their effectiveness is questionable and the amount of integration it takes to make it work can be significant.
Gosh, kind of sounds like SIEM to me. I wish I was smart enough to have made that analogy, but I’m not. It was my pal Mark Bouchard. But unlike SIEM, there is a real value proposition for leak prevention, and it extends to more than the largest 2000 companies in the world. But only if the technology gets easier to implement.
When the market leaders have average selling prices of greater than $400,000, clearly it’s an early, integration-centric market.
As this market matures, we’ll see folks continue to drive for integration (enforcing a common policy for data in motion, data at rest and data on endpoints) and simplifying the implementation process.
Very few markets develop without hiccups and I believe that leak prevention will be a key part of the data security landscape in a few years. But for those that absolutely, positively need a solution today – just understand the inherent messiness of early market technology.
Deal: Websense buys PortAuthority
It didn't take long for Websense to figure out they needed to own a leak prevention technology. Only a few weeks after doing an OEM deal with PortAuthority, they decided to acquire the company for $90 million in cash.
The release is here.
Why do the deal only weeks after the OEM is announced? Clearly there was some type of catalyst and given the multiple (which is probably 12-13x 2006 sales) it looks like there was another suitor involved. That is just speculation on my part, but if you are getting the milk, you don't buy the cow. Unless someone you don't like is about to buy the cow. Then you pay double.
From Websense's perspective, they had to do something. Gene Hodges (Websense's CEO) said they were going to start doing small deals, so this is as good a start as any. Their existing customer base is a good place to start pushing this technology and it's a good fit with a content-centric perimeter security strategy. PortAuthority is also software, so it fits well with Websense's existing products.
PortAuthority's technology was also pretty well regarded, especially their ability to accurately fingerprint documents. We'll see how Websense is able to integrate the product into their channels and whether they can keep up with the pace of innovation, since deals usually adversely impact product delivery by 6 months or so.
So what's in it for PA? Basically they get out, and that's a good thing. The leak prevention market is going to get even bloodier next year as leadership is fought over. Partnering up before it gets messy at a valuation that is a pretty big win for the investors and employees is a good holiday gift to all involved.
So it's not even 2007 and the consolidation in leak/extrusion prevention has begun. There is no doubt we'll be seeing more of the same next year.

