Malware/Content Security

Incite Redux: Day 5 - Night of the Internet Dead

Submitted by Mike Rothman on Mon, 2008-07-07 14:41.

Good Morning:
Ah Friday. On vacation, every day is Friday, isn't it? But when you are at the beach, it always helps to have a Plan B. Inevitably it rains, and when it rains, you better have a plan to keep the kids occupied. Or it gets messy pretty quickly. Optimally, you get a half and half. Glorious sunshine in the morning with the weather rolling in around 2 PM. 

By then, the kids are beached out and they probably don't need any more sun at that point. Then we can bring them back to the house, feed them and get some naps in. Maybe a late afternoon movie would be on the plan as well. It's also good to have some games to play and art projects ready to go. Better to be prepared than have a bunch of bored kids writing on the walls of the rented house. 

It used to be a lot easier. There was one thing we'd do on a rainy beach day BK (before kids). Right to the bar. It could be 10 AM or 2 PM, no matter. If it was raining, I was drinking. That always helped my sleep habits too, since I'd usually be incoherent right around dinner time, so I'd eat and then pass out. After a few hours of sleep, I'd go for round 2. What we could do when we were young...

But I am not that young anymore. Nor do I live in the past. So right about now, it's probably time to break out Sorry or Chutes and Ladders. I can't wait until we can bust out the Monopoly and Stratego. Of course, by then the kids will want to play online with kids from around the world, I'm sure. Yet, I can still hope for family game day, can't I?

Have a great weekend.

Incite #5: Night of the Internet Dead

With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

Read the original Days of Incite post on this topic.

6-month grade: A

I'm happy to wind up the first week of Incite Redux on a high note. This Incite (although obvious) has certainly come to pass. We hear about new and more sophisticated bot networks weekly. We are starting to learn just how advanced the crime organizations are that drive much of the cyber fraud around the world. 

I heard (anecdotally, of course) that one of the crime networks has built a database of private information that rivals "legal" information sources like ChoicePoint. Of course, that could be boasting and hyperbole, but to think that a crime database that size is within the realm of possibility is nothing short of shocking.

If you've made it through the first half of the year with no issues, none of your users losing their devices, none of your trading partners firing someone who had access to your stuff, and no public disclosures, then pat yourself on the back. I'm not sure if you are lucky or good, but all the same - the likelihood that you'll have the same answer next year is pretty small.

So plan for the inevitable. There are a lot of very smart guys that I hang around with, who make a living trying to figure out what attack is next. They find a lot of bugs and they do the right thing by responsibly disclosing those "features" to the vendor in question. Most of the time anyway. But for all the smarts these guys have, they missed little things like Melissa and SQL Slammer. They missed many of the new social engineering attacks and crimeware, spyware and other x*ware variants that have been compromising machines and converting devices into zombies at an alarming rate.

And this has nothing to do with the talent and capabilities of the researchers. My entire point is that no one has a crystal ball. None are practicing fortune tellers. One of the most valuable roles that security research plays in the ecosystem is to find new attacks, pull them apart, and figure out how to defend against them. But to be very clear, in most cases, these folks are not working ahead of the curve. They are working against the clock because the bad guys have already weaponized the attacks.

Which is why the REACT FASTER doctrine is so important. No widget is going to protect you against an attack you've never seen. Although truly new attacks are fairly infrequent, they happen enough that we need to plan for the next one. So we monitor our networks and our servers. Also our databases and applications. We look for anomalies and other funky behavior that is not the norm. Then we investigate to see if that strangeness is just random or representative of a real issue.

Then we address the issue. Once that work is done, we live to fight another day. Take pride in the fact that most of the world reacts slowly, if at all. They are the ones that get to disclose breaches to their customers and mop up a real mess, if they can. Or they are constantly working on their resume and hoping their number doesn't come up before they get that new job.

It's true you can run, but you can't hide. All you can do is REACT FASTER. And that deserves an A.

Photo credit: "fortune teller" originally uploaded by yunheisapunk

Deal: Websense to buy SurfControl

Submitted by Mike Rothman on Fri, 2007-04-27 08:43.

Yesterday, after markets closed, Websense announced its intent to acquire SurfControl for about $400 million (Websense press release). On the heels of a decent quarter from Websense, this is a strong move to consolidate the web filtering market and gain exposure to the large (and modestly growing) email security space. As an extra bone, Websense also puts a toe in the water on the content security managed services business (via SurfControl's Black Spider operations).

On the surface, this deal makes sense along a number of strategic fronts:

  1. Channels - Websense has traditionally been enterprise focused via a direct model, SurfControl more on the mid-sized business via channels. There is little overlap, though it has been a strategic focus for Websense to go through distribution and more effectively target the mid-market. This obviously accelerates that effort.

  2. Exposure to email security - SurfControl was the first of the web filtering companies to make a significant commitment to email security, and the combined offering (with some innovative packaging) has been modestly successful. The product is not robust enough to compete in the high end enterprise accounts, but for the mid-market it was good enough. This was a big hole in Websense's story that is now patched up.

  3. Exposure to managed services - The trend in the mid-market is more towards managed services for content security. SurfControl bought a UK-based company (Black Spider) last year to go after that market. Their US presence has been minimal, but at least Websense will have an offering.

  4. Geographies - Being a UK company (at least started in the UK), SurfControl has a decent presence in EMEA and that will help Websense further push their international objectives.

  5. They are doing something - Websense was a company going nowhere fast and waiting for ankle biters (like Barracuda) and the high end folks to come and loot their installed base. They definitely had "CheckPoint-itis" for quite a while. So doing something is better than doing nothing, and though this is a big something - the alternative of waiting to become the walking dead didn't look too good either.

So, there is a good strategic rationale for doing this deal, but as always the devil is in the details. Here are some gotchas that jump out at me:

  1. Product line overlap - It is not efficient to support two distinct, competitive, overlapping product sets. But to pacify fears on the part of SurfControl's customer base, Websense committed to support the existing product lines for 3 years. That is problematic when one of the key strategies behind the deal was to gain synergies in the market.

  2. On the deal sidelines - Like Secure Computing's acquisition of CipherTrust, this deal is heavily leveraged. By pushing a cash deal, Websense is killing their cash position (at about $50 million after the deal, it seems a bit low) and taking on debt. The Wall Street guys can comment on the economics, but it clearly will keep Websense out of the acquisition game for 2 years or so. So they are going to play the hand they are dealt, and in a business that changes as fast as security, the inability to do deals can be problematic.

  3. Customer retention - There are very low switching costs both on the web filtering and the email security product lines. So SurfControl customers can (and should) look at the market, as opposed to blindly renewing with the new regime. Websense customers should do that too, so there is a lot of risk that the so-called revenue synergies actually mean 1+1 = 1.6.

  4. Channel conflict - Websense has made it a point to buddy up to the channel and those efforts are proceeding, but there is still a lot of acrimony based on past sins. SurfControl plays into a different channel, and reconciling the programs and providing consistency is going to be a challenge.

  5. Lots of balls in the air - Websense has one, very small deal under their belt. Obviously Hodges and Co have done a lot of deals in their past lives, but culturally this is a lot different than PortAuthority. This changes the face of Websense and creates a lot of execution risk.

  6. What about ProofPoint? - When you think about potential partners for Websense, SurfControl wasn't really on the list. For a lot less money (although with IronPort's valuation, all the email security vendors may have an overinflated sense of their own worth), they could have acquired ProofPoint to gain exposure to email security, outbound compliance/encryption, and a largely enterprise oriented customer base. Of course, if the price would have been roughly the same, then they did the right thing - but ProofPoint would have been a cleaner fit.

So if you are a Websense and/or SurfControl customer, what do you do? As with anyone that uses web filtering or email security products, you should scan the market every year. This business changes rapidly and you need to make sure your current product reflects your current needs. If anything, this deal creates the impetus to go shopping again.

The channel needs to figure out what the new programs are going to look like, so it's business as usual until the deal closes (probably 4 months at least, since it's an international deal) and then resellers should be pinning down Websense to clearly codify what the new programs are going to look like.

Whether you are a customer or a reseller, understand content security is a VERY VERY VERY competitive business and you have options. If you don't like what you hear from Websense, then go find something else. There is a lot of stuff to pick from.


Cisco/IronPort: Better late than never

Submitted by Mike Rothman on Fri, 2007-01-12 13:49.

Just in time for irrelevance, I finally have a few minutes of airplane time to assemble my thoughts on the Cisco/IronPort merger. Overall, I think it was a smart move for Cisco, but not a good deal. $830 MILLION dollars borders on ridiculous for IronPort, who maybe booked $100 million in 2006 (which is a very generous estimate). But it won't even make a dent in Cisco's cash balance or profitability.

So what's with the price?

I've come up with three explanations for the price of the deal. First, Cisco has a set multiple on revenues that they typically pay for a security company. Sure IronPort has more top line than their typical deal, but they couldn't figure out how to unlock that cell in the spreadsheet, so they just paid the money.

Second is that IronPort found something in John Chambers' email that was "unflattering." Being the gateway provider for Cisco for years (can't tell you how many times I saw that goddamn customer slide from IronPort), these guys could have found something "nice" (in Borat speak) and used that as leverage. Yes, I'm joking.

Finally, the most likely situation is a bidding war. It seems that neither Cisco nor EMC (they bought RSA for an inflated $2.1 Billion) likes to lose a deal, even if it costs them a couple hundred extra million. What’s a couple hundred extra million between friends? I guess if you’re friends with Bill Gates or Warren Buffet that kind of holds. I suspect there was another party with a big checkbook interested (starts with a "J" and ends with a "uniper") and Cisco decided they just couldn't lose the deal.

Who looks like the smartest guy on the block? That’s easy, it’s John McNulty of Secure Computing. Relative to this price, he got a steal in taking out CipherTrust for less than $300 million. Personally, I thought CT was fairly valued and was not disappointed in the outcome - but Mr. Market says I was wrong.

Some other thoughts:

Better late than never - Cisco is late to the content security party. Symantec has been in it for years. Secure Computing took out CipherTrust. And spam continues to grow at an astounding rate. You also have web filtering as a robust product category ready for a replacement cycle (exposing Websense to some negative fallout from this deal), so Cisco gets to play in all of these categories now, which they needed to. You have a lot of customers that like to buy everything from Cisco (even if it pisses off Dave Maynor), so now they can get their content stuff from them too.

Your reputation precedes you - A lot of folks have made a big deal of IronPort's SenderBase (and SpamCop) reputation network, which represents an effective way to block spam at the perimeter based on who is sending it. Reputation doesn't just apply to email, so having a big database of the relative "intent" of many of the IP addresses out there is a good thing. Cisco will leverage this heavily over the next few years, unless they are stupid - which they are not.

Encryption: sure we'll take some of that - IronPort had bought PostX in October for a song and a dance so now that goes along with the deal. But I suspect the secure envelope technology will get lost within Cisco, who barely understand that email is an application. The idea of statement delivery and other application level encryption is too much for Cisco to grasp right now. PGP and Voltage rejoice.


The most visible losers are the former CipherTrust shareholders, who evidently got swindled. Yes, I was one of them. But I don't play the woulda, shoulda, coulda game. Chaudhry got the deal done and in all likelihood walked away with more than Scott Weiss. Good for them, buy an airplane. That's all I have to say about that.

All but one of ProofPoint, Borderware, Tumbleweed, Mirapoint, and Barracuda are exposed. There is only one chair left and the music will probably stop by mid-year. Once Juniper makes its play, the rest of the folks are left holding the bag. If I had to bet, I'd say Juniper will take Proofpoint out. Borderware is a dark horse because the price would be significantly lower and they do have that SIP security box, which may interest Juniper - who knows a thing or two about networks.

Wherefore art thou IPO?

There is also a lot of speculation relative to whether another security IPO (after Guidance Software) will happen. Sourcefire has filed, though there is always the possibility they'll be taken out before they get it done. The UTMers - Fortinet and Crossbeam are the others frequently mentioned as IPO candidates.

I actually think both will file and one will get the deal done in 2007. Most of Big Security with Big Checkbook already has a UTM offering. Check Point could take out Crossbeam, which would make sense - but it's hard to envision who would take out Fortinet at a billion dollar valuation. Maybe when Alcatel-Lucent eats enough of whatever the French equivalent of Tums is, they'd be ready to get back into the enterprise game. Maybe Nortel. But probably not.

So I haven't given up on a Security IPO in 2007.


Report Card: Incite #7 - Bad Content is Bad Content

Submitted by Mike Rothman on Wed, 2006-12-27 09:14.

Given innovation by spammers and fraudsters, keeping content filtering algorithms accurate and timely is proving very difficult for content-focused security vendors. In 2006, heuristics-based detection cocktails fall out of favor, pushing the pendulum back towards signatures that favor entrenched AV vendors. Users increasingly embrace in the cloud content filtering for e-mail, IM, and web traffic because it allows them to get rid of another box in the perimeter and stop worrying about exponentially increasing message volumes.

Grade: B+

Original Days of Incite post: here
Incite Redux post: here

Spam made a comeback in 2006 in a big way. Image-based spam and other nefarious techniques kept most of the anti-spam vendors on their heels all year and also created a lot of swap-outs and turmoil on the email security gateway.

The problem with the Incite was that spam signatures didn't fare much better than anything else in detecting the new wave of spam. The business of catching spam is a thankless situation and, much like the AV battles of a few years ago, tends to leave a few very large players and a lot of carnage. Anti-spam (along with other content security functions) is also increasingly being bundled into the UTM platform.

This is another case in point as to why I won’t be making any more product architecture projections in the future. Customers don’t care whether it’s heuristics, signatures, or black magic. They want the spam to stop and that didn’t happen well enough in 2006. The email security vendors have a lot of work to do.

The part of the Incite that really resonated was the drive towards services. Whether it’s the big couple of services players (Postini, MessageLabs), consolidated challengers (Microsoft/FrontBridge, SurfControl/Black Spider) or Tom, Dick and Harry installing a few Barracuda boxes in their garage and calling themselves an email security service – there are plenty of options for customers.

The large enterprise will still use their dedicated email security appliances, but the mid-market will continue to flock to the services as we move forward.

SearchSMB: Email encryption - Five steps to success

My latest missive in SearchSMB was a tandem piece to the recent email security webcast I did. Detailing why and how SMB organizations can take advantage of email encryption, I go through 5 steps to ensure you have better than a snowball's chance in hell of getting something done.

Check it out:,289483,sid44_gci1230349,00.html


Less than zero requires intelligence

Submitted by Mike Rothman on Tue, 2006-10-24 13:28.

Kudos to my buddy Alan Shimel for coining a new term that seems to have some legs. In this epic post (here) and follow-up (here) Alan adds some clarity to this whole zero day thing. Of course, what fun would it be if I didn't weigh in on the matter? Fact is, even if it is good for ratings, I'm not going to pound on Alan for what is sure to become another horribly overused marketing term that will further confuse users and keep the PPT-heads in most security vendors working over the weekend to show how their refriger-ovens stop a less than zero attack.

Why? Because Alan is right. We do need to draw a distinction between attacks that we know about and attacks that come out of nowhere. I differ a bit on how zero-day attacks are discovered. I'm of the opinion that it's white hat folks that discover most of the zero-day attacks out there and then in good conscience report that to the vendors and work through a responsible disclosure process. Maybe that's what Alan is saying, but I'm not sure. I'm not sure I'd refer to security research as "bug testing."

I also have a small bone to pick about how effective current defenses are at stopping what he calls "zero-day" attacks: there is no patch (or signature) yet, even though the vendors know about the problem, and the alternatives, either reputation-based (like virus outbreak filters, et al.) or behavior-based (including anomaly detection on either the host or network), are fraught with peril from false positives and negatives.

But that's neither here nor there. The one thing we all agree on is that if the good guys don't know about the exploit, there is a very low likelihood that you can do anything about it. Both less than zero and zero-day attacks are dangerous, that's for sure - but at least with a zero-day the vendors are supposedly working on a fix.

So what are we to do? Hold our hands up and whimper? Pray to the vulnerability gods to pass over our humble enterprise? None of which are really strategies, though they may make you feel a bit better. The answer is intelligence. Not your SAT score, we leave that to the Mensa-card carrying crowd. I'm talking about the gathering of intelligence relative to what the bad guys are up to.

This was one of the subjects of a NetworkWorld column (here) and these points are more relevant now than ever before. I got the power and usefulness of intelligence drummed into my head when I was at TruSecure. We had research guys (I'd say gals, but none were female) that would spend their entire day (and most of their nights too) penetrating hacker networks, tracking bot activity (yes back in 2003 the early botnets were forming), and trying to figure out which of the infinite number of vulnerabilities would be targeted soonest.

So the only way to really deal with a less than zero attack is to know it's coming. The only way to know it's coming is to have a spy in the bad guy's network, and candidly that is not really the purview of any end user. So you end up subscribing to a security intelligence service (if you can afford it) or maybe expect that your preferred vendor's offerings are better because they've got that intelligence underlying their product offerings.

Ultimately, I believe that security intelligence is a high value, premium service that large enterprises buy from folks like IBM (ISS X-Force), Symantec, VeriSign (iDefense), CyberTrust or eEye. I know lots of other vendors (especially the AV vendors) have research teams too, but they are more focused on pumping out signatures once a problem is identified, once it becomes zero-day in Alan's lingua franca. Mid-sized businesses can't afford this stuff, so they'll end up picking products because of the intelligence. This is an emerging differentiator that will increase in importance over the next 18 months.

The one problem I do have with the "less than zero" term is that it evokes that really bad 1980s movie depicting drug mayhem in high school LA. I'd rather think of less than zero in the context of one of my favorite Arnold movies, "The Running Man." You remember the classic quote once Ben Richards puts Subzero on ice: "Subzero: Now you are less than zero!" Now that's the way I'd like to think about these types of attacks.


The Role of Aggregate Data in Security

The latest battle between eEye's Ross Brown and StillSecure's Alan Shimel got me thinking about a bigger topic. How can/should we use data to make our security defenses stronger and to improve our posture?

To provide some context, I covered Ross' announcement of a free Blink! endpoint security product for home use (here). Alan responded about the fact that although the product is free, eEye gathers data about the product's usage and uses that for security research purposes (here). Ross responded about the horrors of offering free stuff (here), and does a good job of walking through the decision process that got eEye to where they are.

Here is my response to Alan's post (as a comment on his blog):

Correctamundo, Sr. Shimel. I figure given you are in FLA, you are getting quite familiar with Spanish. :-) You are correct in mentioning that eEye will be collecting data, but this is neither unique, nor in my opinion an issue. Microsoft, Symantec, McAfee and every other security vendor systematically gathers data from their customers (usually with their agreement, sometimes not) and no one I've EVER spoken to has an issue with this. As long as the data is anonymized and just used for aggregation and summary statistics, it's cool.

I get that you are trying to take the high road, but maybe you should revisit the data you "aren't" gathering because perhaps it can make StrataGuard more effective at blocking attacks, or at least your own internal folks more effective at knowing what's going on out there.

But this topic is bigger than just whether it's cool to gather data from possibly unsuspecting customers. Data is necessary. Data is important. Without data, the good guys have precious few ways to figure out what the bad guys are up to. So the vendors MUST gather data, the question is what is the best way to do that?

I spent some time in the anti-spam business, and that is all about data. You need to gather good message (ham) and bad messages (spam) and you need to use that data to fine tune your filters and settings and to test new techniques. Now that data is aggregated and correlated to provide a sender "reputation," which can help to prevent spam from undesired parties.

Every customer was willing to share anonymized information about their message traffic because they knew it would make their email defenses better. It was never an issue.
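As an added illustration of the aggregation idea described above (not the author's code or any vendor's product), here is how anonymized per-customer ham/spam counts can be rolled up into a per-sender reputation; the report format, the smoothing, the volume threshold and the requirement for multiple reporters are all assumptions.

```python
"""Sender reputation from aggregated, anonymized ham/spam reports (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed: one anonymized customer report per line,
# "<customer_id>,<sender_ip>,<ham_count>,<spam_count>" for a reporting window.
SAMPLE_REPORTS = """\
cust-a,203.0.113.10,0,480
cust-b,203.0.113.10,2,910
cust-c,203.0.113.10,1,655
cust-a,198.51.100.7,300,3
cust-b,198.51.100.7,250,0
cust-c,198.51.100.7,190,2
cust-a,192.0.2.44,0,1
"""

MIN_MESSAGES = 50       # assumption: below this volume we refuse to judge a sender
MIN_REPORTERS = 2       # assumption: one customer's view must not set global reputation
BLOCK_THRESHOLD = 0.90  # assumption: spam fraction at which the perimeter rejects


@dataclass
class Reputation:
    ham: int
    spam: int
    reporters: int  # distinct customers that contributed

    @property
    def total(self) -> int:
        return self.ham + self.spam

    @property
    def spam_fraction(self) -> float:
        # Laplace smoothing so a single report cannot drive the score to exactly 0 or 1
        return (self.spam + 1) / (self.total + 2)


def parse_reports(text):
    """Yield (customer, ip, ham, spam); skip malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        customer, ip, ham, spam = parts
        try:
            yield customer, ip, int(ham), int(spam)
        except ValueError:
            continue


def aggregate(text):
    """Roll per-customer reports into one Reputation per sending IP."""
    ham = defaultdict(int)
    spam = defaultdict(int)
    reporters = defaultdict(set)
    for customer, ip, h, s in parse_reports(text):
        ham[ip] += h
        spam[ip] += s
        reporters[ip].add(customer)
    return {ip: Reputation(ham[ip], spam[ip], len(reporters[ip])) for ip in ham}


def verdict(rep):
    """'unknown' when the data is too thin to act on, else 'block' or 'accept'."""
    if rep.total < MIN_MESSAGES or rep.reporters < MIN_REPORTERS:
        return "unknown"
    return "block" if rep.spam_fraction >= BLOCK_THRESHOLD else "accept"


def classify(text):
    """Map every sender in the feed to its verdict."""
    return {ip: verdict(rep) for ip, rep in aggregate(text).items()}


if __name__ == "__main__":
    for ip, rep in aggregate(SAMPLE_REPORTS).items():
        print(f"{ip:15} total={rep.total:5} reporters={rep.reporters} "
              f"spam_fraction={rep.spam_fraction:.3f} -> {verdict(rep)}")
```

A sender seen by only one customer, or with too few messages, stays "unknown" rather than being blocked on a single data point.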

Is there any doubt that Microsoft gathers a ton of data about how you use Windows? They do. Are the privacy mongers all up in arms about it? NO. Maybe they don't realize. Symantec and McAfee do as well. They've gotten a bit more sophisticated and they ask whether you want to participate in their "network," but by default you do. Most people don't care.

Is it a privacy risk? I guess. But everything is. As I mentioned this AM, my head hurts from thinking about all the potential privacy risks that are out there. So I don't. Maybe I'm playing my own ostrich game, but I'm more focused on helping people protect themselves from real attacks that are happening today, and not potential breaches that may happen tomorrow. I could be wrong, but that's my opinion today.

Thus I don't have an issue with eEye gathering data. Firstly, they are offering the product at no cost to the consumer. Last time I checked there was no free lunch, so I think sharing data is a reasonable trade. And even if I was paying for the product, I'd still share my data - anonymized and summarized of course.

Why? Because I know that it makes the products that I use better. And ultimately security practitioners are paid to protect things, not get religious about the use of data. So stand down Alan, you are barking up the wrong tree on this one.


Still half full on Secure Computing/CipherTrust

Boy, Secure Computing is taking a pounding today. Stock is way down and a couple of vociferous Wall Street analysts are really beating them up. This story (link here) on SmartMoney really sums it up. Pain, unless you were short the stock.

Richard Stiennon is jumping on as well, both in his Threat Chaos blog and in the comments section here at Security Incite. Since my RSS reading friends usually don't check out the comments, here's what Richard had to say:

Your insight as an insider is better than mine Mike but I have a few doubts. While Secure is one of the most experienced at integrating acquisitions they may be trying to swallow too large a kangaroo here, especially with the big bulge of CyberGuard still being digested. Financially the company could be getting too deep in debt to recover. As to the talent sticking around I highly doubt anyone would last longer than their vesting period. They have been slugging it out for five years, missed a few market opportunities, and are probably tired. Meanwhile, Atlanta seems to be heating up with new startups, new financings, and other activity in the security space. While I have infinite respect for Jay, I cannot believe he is going to last as a chief anything officer in a publicly traded company. He is too much of an entrepreneur to put up with big company BS. -RS

The risk here is execution risk, not market risk. When you see a lot of deals you get both flavors, which dramatically reduces the likelihood of success. But there is definitely a market for "enterprise gateway security" and Secure has the pieces to play. The real question is do they execute? Of course, the CyberGuard experience does not give me warm and fuzzies that they will.

But CyberGuard was a different animal. There was tremendous product overlap, so then you have to deal with reconciling the technology and figuring out how to migrate customers to a new platform. Maintaining both products over time makes no sense. There were also channel issues and that's always a challenge. They did not execute on integrating CyberGuard. It's as simple as that.

Richard is exactly right in pointing out the personnel risk of the CT folks. Many of my friends over there are tired. 5 years at that pace feels like a lifetime. I wouldn't say the ATL is "thriving" but there is a bit of activity and many of those folks are start-up types. So it's a real risk that the brain trust of CT goes away sooner rather than later. But just as many folks are excited about the idea of playing in a bigger arena.

And of course, it seems that Wall Street's biggest issue is the economics and profitability impact. That's what those folks are paid to worry about. But I look at it a bit differently. Secure MUST pay attention to CT and work hard to unlock the value. It's a bet the company move. They are now highly leveraged and we know how a lot of those LBOs of the late 80's worked out for folks that didn't execute. If they bought something small, they could neglect it and bungle it with no impact. That's not an option here. If he doesn't get this right, McNulty (SCUR CEO) will be out on his ass. That's a fact.

So we'll see. There are lots of reasons not to like this deal. I could definitely be eating my words sooner rather than later. But I'm a bold guy and I like bold moves. This was a bold move - for both companies. 


Deal (and Earnings Miss): Secure Computing Buys CipherTrust

It was an interesting afternoon for Secure Computing. I'm sure great highs and terrible lows. First off, they missed their Q2 by a country mile. This was the second consecutive quarter they missed since they closed the CyberGuard deal. The Street is taking their pound of flesh and then some. The stock is off 40% after hours and on the investor call there was obvious angst.

On the other hand, Secure announced the acquisition of CipherTrust for between $240 and 270 million, depending on whether Secure's stock recovers at all before the deal closes. It's a mixture of cash ($185 million) and stock (10 million shares), which makes CipherTrust CEO Jay Chaudhry Secure's largest individual shareholder.

Interestingly enough, CipherTrust decided to go through with the deal even with the huge miss and resultant impact to the deal size. That means either they are true believers in the strategy and upside potential or there weren't any others at the dance.

In terms of disclosures, I am a CipherTrust shareholder and expect to liquidate my holdings upon closing. Yes I'll end up making a little money on the deal, so I'm happy. And a number of my good friends that are still over there seem to be excited about the deal, so good for them. But given my "insider" knowledge, I'll restrict my comments to the strategic rationale of the deal and the impact to customers. That's only fair.

The new Secure Computing is positioning as the "enterprise gateway security" company. With UTM, messaging security and web security under one roof, the story actually works. Secure wants to own the DMZ and they've got most of the pieces to do that. They specifically will not play on the desktop or the data center for the time being, and I think that focus is good.

Of course, they need to integrate all of those pieces or else there is no leverage. That is Job #1 and they don't have a lot of time. Secure also will be well suited to start looking at integrated hardware. Maybe blades, maybe virtualized stuff, but something to differentiate from McAfee or Cisco, that don't really have a combined appliance.

They also will not be able to buy anything else for quite some time, so they'll need to run with the horses that are already in the barn. Optimally, you'd like to see them add some more sophisticated outbound content filtering (beyond Webwasher), but besides that they've got the pieces. And over time, the gateway-only play is inherently limiting. There is some stuff that will need to be done on the devices and some in the data center. But one step at a time; they've got a lot of integration work prior to this being an issue.

In terms of the strategic rationale, Secure outlined 4 reasons why the deal makes sense, but I was only able to capture 3. Oh well. Let me pick them apart.
  1. Differentiated product set - Not so much. That's why the management integration and eventually the hardware integration is going to be critical to making differentiation a reality. Secure definitely has more pieces than a BlueCoat, SurfControl, F5 or Websense now, but that makes them the tallest 3rd grader on the playground. They aren't going to match up well against the 5th graders (Check Point and ISS) with a lot more revenue, or the Big Security 9th graders (McAfee, Symantec, Juniper, Cisco) that have much bigger resources and huge cash cows to milk.

  2. Reputation-based technologies - This is actually the key to unlocking the value of the deal. When IronPort announced their web gateway a while back, its positioning was based specifically around integrating "reputation" into the web filtering space. Secure can now do that, but it's not going to happen on day 1, let's be clear about that. CipherTrust is an email security company and gathers email security data. Once the deal closes, they'll presumably have access to a much wider mix of data, but then the fun work of gathering, correlating, and integrating it into the products starts. Don't expect impact here until late-2007 - best case.

  3. Distribution - Secure acquired a great enterprise customer base and a strong sales force (I should know, I used to work with them). If they can retain the talent, that will help especially with big, competitive enterprise class deals against Big Security. But I'm not so sure Secure's 1600 resellers will know what to do with a complicated, enterprise class email security gateway. That will be one of the biggest initial challenges because CipherTrust always stayed very focused on a select set of resellers. But Secure does have a lot more resources for training, etc. and a much better and broader international platform, which has been problematic for all the email security players.
CipherTrust is also committing some people resources to the deal. Specifically mentioned were Jay as Secure's new Chief Strategy guy, Paul Judge as the CTO, and Atri Chaterjee as the lead marketing guy. The ultimate success of this deal depends on at least some of the CipherTrust DNA sticking around. In order to thrive longer term, Secure's culture will need a bit of the CipherTrust aggressiveness. And candidly, CipherTrust's culture needs a bit of big company structure and process. If those guys (and many of the sales folks) are still there in mid-2007, that would bode well.

So, overall I can see the strategic rationale behind the deal. Customers that don't want Big Security in their DMZ now have an alternative, and if the technical integration is pulled off it's potentially a compelling alternative. CipherTrust customers will now have more stuff to think about as they re-architect their DMZ and Secure customers get a leading email security gateway option.

There will inevitably be some integration hiccups, so folks like IronPort and Proofpoint have a small window to throw some FUD (fear, uncertainty, doubt) around to try to get new deals. But neither is a stand-alone opportunity over time, so they should buddy up to Check Point and ISS, as the 4th graders are going to need additional stuff to compete on the playground.

"Effective" security - within reach?

This morning I stumbled upon Roger Grimes' column in InfoWorld and his recent post "Effective Security isn't easy, but it's possible." Link here. In this piece, he makes a number of contentions that make a lot of sense and highlights the point that securing your environment is achievable, but there is a cost - and I'm not talking about money.

The thing I didn't see in Roger's column that I think is pretty important is every company's threshold for security is going to be different. Some are willing to accept a bit more risk in order to either improve the user experience or perform an important business function. But the key here is for the end user to MAKE that decision, as opposed to having it thrust upon them.

Some of Roger's ideas will work for your environment, some not so much. But this is the kind of simple stuff (in concept anyway) that can really make a big difference in your security posture.

So let's go through Roger's list of "effective security solutions" (in his order of effectiveness):
  1. Do not allow end-users to run or install unauthorized software - Bingo. This is why application control software is so effective at stopping malware. If users can't do stupid things, everyone is better off.

  2. Don't put unnecessary software on the authorized list - This is where the rubber of #1 meets the road of the customers. He specifically mentions Flash, Real Player and iTunes. I'd posit that for many employees, RealPlayer is the only one that is "optional." With iTunes being a prevalent distribution mechanism for podcasts (where folks can get info directly related to their jobs), I'm not sure iTunes is the villain it once seemed. And anyone that surfs the web needs Flash. Do these add risk? Yes! But I'm not sure a strategy preventing these applications is defensible.

  3. Implement default deny - Amen to this. Otherwise called the positive security model, unless you say it's good, it's not - so you block it. This can be implemented on routers and firewalls and will dramatically increase your perimeter security posture.

  4. Don't allow end-users to be logged in as Administrator - This is easier said than done, and Roger admits that. But getting new applications isn't a very good answer for most folks. Vista will do a lot to help this problem for Windows users.

  5. Automate comprehensive patching - This is great advice. A lot of companies have rigorous change control that takes weeks to authorize a patch. That is weeks of exposure. I say patch first, clean up the small percentage of messes later.

  6. Convert all inbound email to plain text - Hmm. I'm torn about this one. If you have application control implemented, I'm not sure this does anything but piss people off that their email looks like crap.

  7. Enforce long passwords - I don't buy this one. So it takes a password cracker 3 hours instead of 3 minutes. And the reality is that hackers get passwords via social engineering anyway. If you are worried about it, two factor (like BioPassword) could be a good alternative.

  8. Encrypt all confidential data by default - I'm not sure what this means and how you do it. This only solves half the problem. What happens when that data is loaded to a laptop or sent in an email?

  9. Spend less money on new security software and more money on reviewing the basics - This is the best one of the bunch. A misconfigured firewall is about as good as not having one, so yes - in all of our desire to get that shiny new thing, we tend to forget about the simple stuff that can kill us.

  10. Hack and audit your own network regularly - Again, this is great advice. Public companies need to do this and private companies should as well. You never know how effective your defenses are until you try to break them.
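Items #1 and #3 above both rest on the same positive security model: nothing passes unless it is explicitly allowed. The small evaluator below, an added example that is not from the original post or from Roger's column, compares a default-deny DMZ policy with a default-allow (block list) policy over a few constructed flows; the addresses, ports and rules are all made up for illustration.

```python
"""Positive (default-deny) vs. negative (default-allow) policy evaluation.

Added example; not from the original post. Networks use the RFC 5737
documentation ranges and the rules and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    dst_net: str          # CIDR of the destination network
    dport: int
    proto: str = "tcp"

    def matches(self, f: Flow) -> bool:
        return (f.proto == self.proto and f.dport == self.dport
                and ip_address(f.dst) in ip_network(self.dst_net))


# Constructed DMZ allow list: only the mail and web gateways are reachable.
ALLOW = [Rule("192.0.2.0/24", 25), Rule("192.0.2.0/24", 443)]
# Constructed block list for the negative model: only what someone thought of.
BLOCK = [Rule("192.0.2.0/24", 23), Rule("192.0.2.0/24", 445)]


def default_deny(f: Flow) -> bool:
    """Positive model: permitted only if an ALLOW rule matches."""
    return any(r.matches(f) for r in ALLOW)


def default_allow(f: Flow) -> bool:
    """Negative model: permitted unless a BLOCK rule matches."""
    return not any(r.matches(f) for r in BLOCK)


def leaks(flows):
    """Flows the block-list model lets through that default deny stops."""
    return [f for f in flows if default_allow(f) and not default_deny(f)]


SAMPLE = [
    Flow("198.51.100.7", "192.0.2.10", 25),    # SMTP: allowed either way
    Flow("198.51.100.7", "192.0.2.10", 23),    # telnet: blocked either way
    Flow("198.51.100.7", "192.0.2.10", 3389),  # RDP: nobody listed it
]
```

Running `leaks(SAMPLE)` shows the gap the positive model closes: the unlisted RDP flow is stopped by default deny but sails through the block list.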
So in general, Roger's list is really good. I agree that all of these are possible, given a CIO/CISO with an iron fist that can ram a no-iTunes policy down the throats of the users. I know they exist, but I don't know too many.