Web Filtering

2008 DOI: Day 5 - Night of the Internet Dead

2007 Incite: You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

2008 Incite: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction; the number of active zombies continues to exponentially multiply. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.

Zombie Break Glass Last year’s malware Incite was about integration, and that has largely come to pass – so I ended up consolidating that topic with the perimeter Incite since both functions are no longer “best of breed” types of functions.

This year I want to focus on the inevitability of compromise. I don’t mean you’ll work out your issues more cordially with your significant other this year. I mean the fact that your users will do something stupid and thus they will get 0wned and that means your environment will be compromised.

Nowadays, it’s just too easy to get nailed. The users don’t have to do anything. The bad guys are now installed drive-by downloads on LEGITIMATE sites. Let me go over that again. The bad guys compromise a legitimate server and have it download a Rootkit or Trojan to all the visitors. It happened to an ISP a couple of weeks ago.

There is no defense against this. Training your users isn’t going to help, since they are going to a legitimate site. But it gets better. Now the bad guys may be specifically targeting YOU or someone in your organization. That’s right. They know your name. They know your email and they want to get something from you. It’s a lot more likely if you are a “C”-level something for a big company or in the news or something like that.

But all the same, this level of targeting is unprecedented.

Since I’m no mathematician (sorry Mr. Calabrese, I probably should have paid better attention in 11th grade), let me do the calculus. Users get nailed going to sites they trust and the bad guys are now specifically targeting them. Crap. What the hell do we do now?

You know what’s coming don’t you? That’s right, you need to REACT FASTER. For long time Incite readers, this is a predictable outcome. I’ve never been one to say that you can “get ahead of the threat.” The best you can do is to make sure you figure out you’ve been compromised before there is too much damage.

Yes, it’s all about containment and incident response. Though we shouldn’t get the cart ahead the horse here. First we need to know something is wrong. We do that by monitoring. So do yourself a favor and get Bejtlich’s book on network security monitoring. That is the bible of how to do this.

I believe that this is a function that needs to be integrated into the security management platform. I talked in the Best of Breed DOA Incite that security management will undergo a fundamental shift towards an integrated platform mentality. Monitoring logs, Netflow, and other stuff (like database logs, applications, transactions) is critical to figure out what you should be focusing on.

Unless you are the one in a million that has so many security resources and budget that you get through your list every day – you need to prioritize. How do you prioritize your activities? By investigating the stuff that looks fishy, and you find that stuff via monitoring.

Here is some math even I understand: Monitor aggressively + REACT FASTER = Live to fight another day.

Photo credit: Drunken_Monkey

Deal (of the Day): SurfControl buys Black Spider

Submitted by Mike Rothman on Thu, 2006-07-13 17:24.
Following this M&A stuff is becoming a full time job. This morning, SurfControl acquired Black Spider (link here), which is a content security service provider that does email and web filtering. Postini, MessageLabs, and ScanSafe are their top competitors. I had decided not to do a separate piece, but then I heard from a friend of mine who is over in the UK and he mentioned how everyone over there was fired up about it. Sometimes I need to remember that we all live in a global village.

The specifics of the deal are pretty straight forward. SurfControl pays US$36 million and gains entrance into the managed service business. Black Spider gets an exit, and worldwide distribution given their real strength was in EMEA. As an added bonus, Surf Control can probably sell the blackspider.com domain name to Columbia Pictures for a pretty penny (if you've seen the Spider-Man3 trailer, you know what I'm talking about).

To be clear, Black Spider was small with about 1200 customers and doing less than $5 million in revenues, but that doesn't matter. They'll fit into SurfControl like a glove. If a customer wants a service option, SurfControl doesn't have to walk away from the deal (or the customer). It's a pretty compelling way to play into the inevitable trend that most customers will want to filter email and web traffic in the network (see Incite on Content Security here).

And as opposed to other deals announced this week, $36 million is very affordable for SurfControl.

Yet, there are always challenges every deal, and with this one comes the challenge of channel conflict. It needs to be very clear to the SurfControl field force when they should look to sell a service or an appliance. The worst case scenario is that they try to sell an appliance, and only when the client says a resolute NO do they move towards the service. By then, Postini or MessageLabs is in the house and will win the business.

You also will have a potential area of conflict around their VARs trying to get into the MSS business themselves. When I was in the business, I saw a lot of that and it's only been increasing. You know, a VAR buys 3 Barracuda's and bingo, they are in the email security business.

But for the most part, this deal makes perfect sense and is a precursor to maybe some bigger folks that offer appliances moving to take out the leading service providers. McAfee already sells Postini's stuff and IBM is very close to MessageLabs. So it wouldn't surprise me to see more deals in the space sooner rather than later.

Earnings Miss: Web(non)sense misses bookings

Submitted by Mike Rothman on Mon, 2006-07-10 17:44.

So it looks like most of the public security companies will make Wall Street expectations this quarter. Except Websense. After the market close, Websense announced a light quarter (link here) from a bookings standpoint, though they did hit revenue and earnings numbers. I had previously covered their Q1 miss (link here) and mentioned how important it was to make the Q2 number.

I'm of the opinion that Websense's business is sick, even if the Street doesn't think so (as evidenced by the slight raise in WBSN after hours). I continue to hear a lot of back chatter from my industry contacts. Competition is getting harder, the lack of a legitimate appliance platform is also hurting, as well as emerging competition from managed services like ScanSafe.

Websense tries to explain away the shortfall because they are changing their distribution model and other sales execution issues. Here is CEO Gene Hodges quote:

"Our second quarter billings performance reflected continued transition to a pure channel distribution model, which resulted in challenges generating new business outside our renewal base, especially in North America," said Gene Hodges, president and CEO of Websense. "We believe our market opportunity remains strong and the actions we have taken will generate continued growth over the long term."

Sorry, I don't buy it. Because you are transitioning to a channel model, your existing sales force doesn't have to sell anything to new customers? That's a load of crap.

I've navigated the treacherous waters to pure channel distribution and it doesn't go down like that. What happens is that you give the new deals to the channel in good faith. But to be clear, there are still new customers and new deals. The transition does usually involve a revenue hiccup because you are taking the VAR margin off the revenue line - which you don't have to pay when you take a deal direct.

But what you don't say is that you are having trouble generating new demand. That means either the market has slowed down or you are losing deals because the product is no longer competitive, either on the functionality or pricing side. I've navigated those waters as well and both options are very painful and take at least a year to fix. On the conference call, Hodges said that prices are holding, but when your customers feel trapped (or are too lazy to switch), they continue to pay for renewals. Again, I know this from personal experience.

And they continue to believe moving to a 2-tier distribution model will help them get to the SMB market. I'm skeptical because big enterprise software is not easy to sell, especially when there are lower cost competitors that target that market.

These folks feel like Check Point more and more. Very interesting and large client base, but little technical differentiation and no real strategy. At least Check Point didn't piss off their channel.

This may be getting a bit ahead of the things, but I think Websense is now an acquisition target. If only for their customer base, they've got to be interesting to a company like CA, Symantec or even Check Point. Though I'd expect any potential suitor to wait for another quarter or two for things to get really stinky since it would still cost over a billion to take these guys out. 

Deal (sort of): Microsoft Continues to Fill Out Security Portfolio

Submitted by Mike Rothman on Fri, 2006-02-10 17:10.

Microsoft's acquisition strategy is becoming more clear by the day. They buy stuff that no one has heard of (for the most part), and either:

  1. Give it away - Like the anti-spyware stuff
  2. Bundle it with existing offerings - Like the Sybari stuff
  3. Roll out services targeted towards consumer/SMB - Like OneCare/anti-virus and FrontBridge

Today Microsoft announced they acquired a web filtering product called DynaComm i:filter Web filtering product from FutureSoft, Inc., presumably to be bundled onto the ISA Server. Here is an interview with a Microsoft exec about the deal.

So Microsoft is slowly cobbling together a pretty comprehensive suite of security products. Their focus on the mid-market (given their lack of credibility in the enterprise) is exactly right and over time if you want software, you'll pretty much buy it from Microsoft.

We'll also see a number of appliance vendors take Microsoft's platform and sell it on a hardware platform. Kind of like folks are doing with network attached storage. We are seeing that a bit now, but ISA is not really where it needs to be to make that competitive now. But over time it will get there, and provide a viable alternative to folks like Barracuda and SonicWall in that market.

Large enterprise isn't interested in this kind of stuff from Microsoft, but mid-sized businesses will be. And I can only say it a million times, SMB is where the action is moving forward.


Technorati Profile

Another One Bites the Dust

Submitted by Mike Rothman on Thu, 2006-01-12 18:04.

Secure Computing completes its acquisition of CyberGuard. Read the release.

This is all about consolidation of market share. Secure gains both in the firewall/VPN and web filtering markets. Secure also gets a bit more activity on low end.

It really doesn't make sense to support two lines of either firewalls or web filtering over time. Expect Secure to move to migrate Cyberguard customers to their platforms sooner rather than later. Don't believe the kubaya press release jargon, "we're going to take the best of both product lines and integrate." Blah blah blah. Economically, it doesn't make sense. Why force ALL of the customers to migrate when only half of them would need to? Pick a platform, communicate that to customers with a strong (and economically attractive) migration plan and move on.

For Cyberguard customers, this is a good opportunity to revisit your perimeter strategy since you are likely going to need to move platforms anyway. Call your rep (or VAR) and demand to understand the roadmap and how much investment your product is going to receive moving forward. If they can't give you a definitive answer within 30 days, get very worried. At a minimum, bring a couple of vendors in to see if you can squeeze Secure on the maintenance renewal.

There is also going to be some consolidation of VARs, so Cyberguard VARs will need to figure out if they want to add Secure to the mix or not. 

It also wouldn't be surprising to see some of the companies on the low-end (you listening Sonicwall and Watchguard?) aggressively courting Cyberguard customers, since uncertainty around M&A is the best breeding ground for vendor swap-outs.