Perimeter Defense
2008 DOI: Day 3 - Best of Breed DOA
2007 Incite: Perimeter (R)evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.
2008 Incite: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.
I get a lot of questions about “best of breed.” It’s a manifestation of a couple of deep-seated misconceptions regarding how security has evolved, and also a bit of an ego thing on the part of most security professionals. But before we jump into my amateur Freud act and conclude that it’s our parents’ fault, let’s dig into history a bit.
Most technology markets are driven by the innovation, integration, and consolidation cycle. That means a bunch of new companies start up to solve a specific customer problem. That’s the innovation thing. Then the big, stodgy, un-innovative companies figure out there may be something there, so they integrate the stuff into their existing offering. Finally, these same companies figure out how to sell the integrated innovation (say that 10 times fast), and by then it’s not really that innovative anymore – so they acquire pretty much all the players in the market.
The first stage – innovation – is really what the “best of breed” mindset is all about. In an early market, there usually are marked disparities between the products. Some work, others not so much. So buyers really have to be aware and careful to ensure they don’t buy a pile of steaming poop.
But in later markets, the technical capabilities normalize. Technical differentiation is largely a myth. All the products work “good enough.” At that point, you are buying not on technical capability, but softer issues – like integration with your existing stuff, management, and reporting. At that point, best of breed pretty much ceases to exist.
That’s where we are in a bunch of security markets. In 2007, the Perimeter Incite (referenced above) really reflected this fact, and it definitely came to a head. A lot of folks bought UTM, even though they were only looking at replacing their firewall. Why do this? The more applicable question is really why not? Even if they don’t turn on some of these other capabilities, they could. And over time, probably will.
Same goes with the “endpoint suite.” No companies offer just anti-spyware anymore. Why would they? That capability has been subsumed by what used to be called anti-virus. Rootkit detection? Ditto. Don’t forget about device and application control too. Yep, it’s in there.
But talking about UTM and endpoint suites isn’t particularly inciteful. I think that security management is next on the hit parade to hit this cycle. You have all of the SIM vendors saying they do log management. You also have all the log management vendors adding SIM-like capabilities. The NBA vendors are trying to feed algorithms and analysis (via partnership) to all of the above to stay relevant.
The cycle repeats itself once again. And it will continue to repeat itself. Remember, I’m not as smart as most of you – I’ve just been around longer and I’m good at recognizing the patterns that will repeat.
You don’t have to be a brain surgeon to see this writing on the wall. Market maturity kills product innovation. And that’s why I’ll be the first guy shoveling the dirt on security best of breed.
Report Card: 2007 Incite #3 - Perimeter (R)Evolution
Ho Ho Hopefully you are enjoying this holiday season, wherever you are. Maybe it's time to return some gifts or just kick back a bit or maybe even poke ol' Mikey in the eye a bit about the next two Incites...
Incite #3 - Perimeter (R)Evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-3-perimeter-r-evolution
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-10-2007
Final grade: A
Gosh, if only I could pick stocks as well as come up with Incites. This is another that is right on the money, although in hindsight - very obvious. Some may think that putting all this stuff in a single box creates security issues, but the reality is there is a VERY compelling economic justification for collapsing all of these perimeter defense activities into a single platform.
Given that security doesn’t really help to make more money, if there is any way for us to contribute to saving a few shekels – that is all good. Now what about content security? It’s in there. Pretty much every UTM platform has some type of anti-spam capability and web filtering too. A bit of a miss was this application acceleration theme, but it’s still pretty early for that function. As it matures, it will be subsumed into the UTM platform as well.
Specifically in the case of anti-spam, is it good enough? Do you need a dedicated platform to scan some mail? The answer is probably not. Given that bigger companies that also have perimeter defense platforms have acquired most of the messaging security specialists, it’s not like a lot of the technology that shows up on this integrated platform wasn’t stand-alone at some point.
So big is the new small and given the continued consolidation that almost everyone is predicting for 2008, the best of breed mindset is definitely on the endangered species list. But it has been for a while, this is nothing new.
What about open-source? It’s clearly making an impact. The underlying technologies, including IPTables, Snort, OpenVPN, Spam Assassin, et al, are robust and mature. There are a bunch of companies (Astaro, Untangle, StillSecure/Cobia) that build wrappers around these technologies to make it easier for customers to implement. Sure these vendors do a little more than package the open-source distribution – but the reality is the existing perimeter players will need to step up their game in 2008 because the value gap is not enough to justify big pricing differentials anymore beyond these open-source alternatives.
Check out the other posts in the Report Card series.
2007 DOI: Day 3 - Perimeter (R)Evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.
Last year, the perimeter Incite was all about “no mas box” since device sprawl had gotten to an unmanageable state. Not that we are past that problem yet, but every network security vendor offers a UTM (unified threat management) option nowadays. So if you still have multiple boxes in your external perimeter, that’s a choice.
To indulge my friend Chris Hoff, I’ll also support his contention about the multiplying of "perimeters" that are smaller in diameter and closer to the computing resources. That’s why I’ll do my best to refer to the “big” perimeter as EXTERNAL PERIMETER (EP), and other perimeters in the context they are used.
So what’s next on the external perimeter? Basically we’ll see two areas of focus. The first is continuing to add more functionality to the boxes. That means additional networking capabilities. Things like application acceleration and maybe load balancing, etc. It'll depend on the size and scale of your organization whether it makes sense to put all that stuff in one box.
This kind of integrated functionality grab favors the big, as opposed to the small, vendors. So we’ll continue to see consolidation, which I'm sure is a shocker. The investment bankers will stay busy in 2007.
What about “best of breed?” Basically best of breed is all about early markets. No one can tell me with a straight face that their firewall is demonstrably better than anyone else’s. I guess they can, but they’d be lying. As markets mature, technical differentiation is a myth and so is “best of breed.” Now as the EP platform adds new capabilities, there is an opportunity to differentiate, but not really on FW, VPN, IPS, even web filtering or anti-spam anymore.
I also expect open source to have an impact on this space. Folks like Barracuda, Astaro and others, that take a largely open source platform and add a bit of pixie dust (usually at the interface level) will continue to provide a legitimate alternative to proprietary offerings.
External perimeter protection is a commodity. Act accordingly.
Report Card: Incite #5 - Losing the Religion
Good morning. Ready for another 4 Report Cards? Well, they are coming right up!
Incite #5 - Losing the Religion
Everyone finally realizes in 2006 that regardless of technical approach (IDS vs. IPS vs. firewalls vs. anomaly detection) it’s all about detecting and blocking malware quickly and effectively. Users expect to see multiple techniques implemented, spurring another wave of consolidation as vendors look to bring complete enterprise-class UTM solutions to market.
Grade: A
Original Days of Incite post: here
Incite Redux post: here
Alright, after awarding an “A” for the compliance Incite, we are on a roll. The ideas espoused in "Losing the Religion" are also very close to fruition and if you look at it from the customer’s perspective – we are already there. Stand-alone IPS is going the way of the dodo bird and UTM vendors are trying to differentiate on higher-level content security functions.
We are also seeing religion going away on the desktop, as anti-virus vendors continue to add broader endpoint security capabilities and anyone with an agent (anti-spyware, endpoint security, etc.) is adding AV engines to provide further integration.
The consolidation is also happening as Check Point finally got off their duffs and bought the long awaited IPS engine in the form of NFR Security. It seems almost all the other Big Security players already have their own IPS capabilities that most have built in-house (probably using Snort as the foundation).
The one part of the Incite that was a bit amiss was the integration of anomaly detection into the mix. Fact is, most of the Big Security players are doing a light form of anomaly detection within their IPS engines, but they don't make a big deal about it. The stand-alone anomaly detection players now call themselves “Network Behavior Analysis” and are not really providing a pure security function anymore, more effectively positioning to sell to the network manager that needs to understand what is going on within the network.
I’m not really a religious guy, and it’s good to see the security market leaving some of the dogma behind. Ultimately we are paid to protect corporate assets and ensure the systems are available. We can’t let religion dictate what we can/should be doing.
The Role of Aggregate Data in Security
The latest battle between eEye's Ross Brown and StillSecure's Alan Shimel got me thinking about a bigger topic. How can/should we use data to make our security defenses stronger and to improve our posture?
To provide some context, I covered Ross' announcement of a free Blink! endpoint security product for home use (here). Alan responded about the fact that although the product is free, eEye gathers data about the product's usage and uses that for security research purposes (here). Ross responded about the horrors of offering free stuff (here), and does a good job of walking through the decision process that got eEye to where they are.
Here is my response to Alan's post (as a comment on his blog):
Correctamundo, Sr. Shimel. I figure given you are in FLA, you are getting quite familiar with Spanish. :-) You are correct in mentioning that eEye will be collecting data, but this is neither unique, nor in my opinion an issue. Microsoft, Symantec, McAfee and every other security vendor systematically gathers data from their customers (usually with their agreement, sometimes not) and no one I've EVER spoken to has an issue with this. As long as the data is anonymized and just used for aggregation and summary statistics, it's cool.
I get that you are trying to take the high road, but maybe you should revisit the data you "aren't" gathering because perhaps it can make StrataGuard more effective at blocking attacks, or at least your own internal folks more effective at knowing what's going on out there.
But this topic is bigger than just whether it's cool to gather data from possibly unsuspecting customers. Data is necessary. Data is important. Without data, the good guys have precious few ways to figure out what the bad guys are up to. So the vendors MUST gather data, the question is what is the best way to do that?
I spent some time in the anti-spam business, and that is all about data. You need to gather good messages (ham) and bad messages (spam) and you need to use that data to fine tune your filters and settings and to test new techniques. Now that data is aggregated and correlated to provide a sender "reputation," which can help to prevent spam from undesired parties.
Every customer was willing to share anonymized information about their message traffic because they knew it would make their email defenses better. It was never an issue.
Is there any doubt that Microsoft gathers a ton of data about how you use Windows? They do. Are the privacy mongers all up in arms about it? NO. Maybe they don't realize. Symantec and McAfee do as well. They've gotten a bit more sophisticated and they ask whether you want to participate in their "network," but by default you do. Most people don't care.
Is it a privacy risk? I guess. But everything is. As I mentioned this AM, my head hurts from thinking about all the potential privacy risks that are out there. So I don't. Maybe I'm playing my own ostrich game, but I'm more focused on helping people protect themselves from real attacks that are happening today, and not potential breaches that may happen tomorrow. I could be wrong, but that's my opinion today.
Thus I don't have an issue with eEye gathering data. Firstly, they are offering the product at no cost to the consumer. Last time I checked there was no free lunch, so I think sharing data is a reasonable trade. And even if I was paying for the product, I'd still share my data - anonymized and summarized of course.
Why? Because I know that it makes the products that I use better. And ultimately security practitioners are paid to protect things, not get religious about the use of data. So stand down Alan, you are barking up the wrong tree on this one.
Symantec and Juniper: A Tale of Two Drunks
One of my most treasured memories from college was the time my buddy Alex and I went to a fraternity rush event where they were serving Tom Collins. Lots of Tom Collins. Neither one of us could make it back to the dorm on our own, so we basically leaned on each other, took one ginger step at a time, and made it back in one piece. We were literally two drunks holding each other up and remain very close friends 20 years later. To this day I cannot drink Gin.
I get the same feeling looking at the Symantec/Juniper announcement this morning (here). I can imagine Scott Kriens of Juniper and John Thompson of Symantec meeting at one of those cocktail parties where your personal net worth needs to be in the 9 figure range to get in, and one goes to the other: "Hey, you're not Cisco! We should do something together."
I'm not sure how much wine they each had at that fateful party, but this is clearly two vendors who are not Cisco trying to prop each other up.
On the surface, I'm not as negative as Stiennon on this deal (here), but I think the impact will be largely at the product level and transparent to customers. Juniper gets to build in some of Symantec's "intelligence" into their perimeter network security gear. Symantec gets to reference sell a legitimate perimeter platform.
I do agree with Richard that this is clearly a reactive deal driven by the fact that Cisco has a better story, bigger channels, and more momentum in the security space. Neither could do an outright acquisition, so this is what they are left with. I concur that the channel stuff is going to be hard to navigate, especially for the Juniper folks - that don't really understand the enterprise and don't really understand security either (many of their Netscreen folks have left).
But adding Symantec's anti-spam, IPS signatures, and vulnerability research to Juniper's products will make them better and I think it will actually happen. Why wouldn't Juniper do this, given they are pretty much irrelevant in the IPS space and don't really have a compelling UTM platform? They've got nothing to lose.
And Symantec gets access to a legitimate perimeter security platform. After killing their own platform a few months back, this is the other piece of the puzzle they couldn't answer back then. Clearly they couldn't abandon the market, but they also didn't want to continue investing in a non-competitive platform. This solves those problems IF (and that is a huge IF) they can execute, which certainly hasn't been Symantec's forte of late.
So I would be positive on this deal if it involved money changing hands. Or an asset transfer (like SYMC bought the Netscreen business). Or anything besides a press release in a purple suit. But it doesn't, so I'm negative and skeptical.
But clearly both Kriens and Thompson now can proudly display their ABC (anyone but Cisco) membership cards. That's what this is all about.
RIP Perimeter BOB
I can always count on my pal Chris Hoff to tell me when he thinks I'm full of it. Though evidently a Pink Floyd fan, the ever verbose Mr. Hoff weighed in on my frivolous use of their lyrics in the Security is just another brick in the wall post (here).
Since responding to a comment that no one would read wouldn't allow me to debate, let me post Chris' comment and my response.
(Keeping in spirit with your Pink Floyd theme...)
How appropriate that the next song after "Is There Anybody Out There" is "Nobody Home" because, sadly, you aren't and yet you left your lights on ;)
I take issue (for obvious reason) that people who choose best-in-breed are doing so merely because they are "...gluttons for punishment." That's as asinine a statement as saying that everyone who drives a Ferrari is an A-hole with a compensation problem...OK, bad example. Umm....
But seriously...
Perhaps they choose best-in-breed because in terms of managing risk, the value they get from using BIB products is greater than the cost of stringing together less capable or robust products/solutions - however "integrated" they may be.
Sometimes you want the best coverage for your dollar spent -- and when absolutes count, people aren't necessarily willing to gamble on "relative" security.
It's all scales of economy -- comparing the Fortune 2000 with Joe's Ice Cream and Taxidermy is a stupid exercise. Different strokes for different folks, but BIB is NOT an inappropriate solution for those who can afford it.
Equating BIB as "overpriced" or bloated is simply unfair. You don't have to be a commodity (or even integrate a bunch of commoditized functions) to show value and innovation isn't only derived from non BIB players.
As you know, Crossbeam provides UTM solutions -- but we don't offer $500 perimeter widgets that are "good enough." We are the ONLY Enterprise and Provider class UTM solutions vendor that combines the integration of BIB security functions for large enterprises and service providers. We don't sell one vendor's version of the truth and that flexibility combined with performance and high-availability means that BIB and UTM are not mutually exclusive.
That's a brick in a very strong wall.
-Chris
The religion of best of breed (BOB) vs. "good enough" is no longer interesting to me. I believe that a SMALL subset of the buying community will buy best of breed because of the things you mention. That may be a big enough market for someone like Crossbeam to thrive, but then again maybe not. But I know that your positioning is about more than just best of breed, right?
But why should customers have to settle? Isn't your point that it's possible to take best of breed functionality and provide a more effective level of integration and flexibility with your hardware? Or am I missing what Crossbeam says their positioning is?
I don't think you are telling me (or the readers) that providing hardware to host best of breed software is the endgame. What customers want is the reduction of complexity. That may mean integration. Or it may mean abstraction (so the best of breed is basically hidden and dramatically simplified). But to have to settle for best of breed that is not integrated over time seems like we are giving up. Admitting failure is not one of my strong suits.
My point is that integration/abstraction and as a result, the "another brick in the wall" innovation strategy has passed the tipping point. The perimeter defense aspect of security is a mature market and no amount of wishing is going to change that fact. I know you guys do more than perimeter defense (see I have been listening a bit), but that is still the highest profile part of the market.
It is my belief (and remember I get paid to have opinions) that perimeter best of breed is a dying architecture. Crossbeam even calls what you do UTM. So maybe we are just disagreeing about semantics and words. Ultimately isn't this abstracted "security services" layer that you evangelize more of what customers are interested in?
To get back to my another brick analogy, you could say that every new best of breed application you add to your box is another brick that makes your box more interesting to customers. No?
If we are being honest, what you and Nokia have done is pulled the asses of security software vendors out of the fire. Without Nokia and Crossbeam, Check Point would have been marginalized a LONG TIME AGO.
Like everything else, it takes a long time to replace the old boss with the new boss (may as well throw some of The Who in there, while I'm at it). So this will play out over the next few years. But to be clear, I have no doubt as to how the movie ends.
EAC Blog: Dealing with the death of the moat
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 15. Link here.
It tends to be hard to describe IT security to folks that only know about email and, maybe, their web browser. So you are always looking for a quick and universal analogy to make the concepts clear. The one I've been using for about 10 years is... the moat.
The moat is great. You put up a nice picture of a castle with a large moat protecting it and people get it. The bad guys are on the outside, so you build a deep, wide gulf between you and them and life is good, no?
Unfortunately, the moat is passé. Thinking about security as a moat no longer works, because you are intentionally dropping the drawbridge to let some of your "trusted" trading partners in to streamline operations. Or, at least, that was the story you were told. What about all of those insiders that have access because they work for you (or are consultants)?
Nowadays, we don't know who the bad guys are. So a deeper and wider moat is not really going to help. This phenomenon is called "de-perimeterization" in the trade. I'm not sure who came up with that term, and it kind of sucks, but it's what we've got. Suffice it to say, you need to spend some time focusing on how you are going to protect your environment when the bad guys can be anywhere. Literally.
So now you need to look at security from two perspectives. The first is "outside-in," which is still important. Bad guys are still out there, and, if you let your guard down, they'll compromise your defenses, turn your machines into zombies and steal your private data. Although the moat is no longer sufficient, it's still necessary.
The new wrinkle here is something that my pal Ted Julian (over at Application Security) calls "inside-out." Basically, you need to figure out how the data is used, who has rights to it, and a way to protect it. This is more art than science right now, and sometimes there aren't good answers. You should be thinking about how products in the database, content, and web application security spaces are potential solutions.
I've come up with a security architecture, called "Pragmatic Security," that aims to simplify how we talk about security, and make the point regarding the need to treat your infrastructure (outside-in) differently than your data/information/content (inside-out). Check out that post here. Of course, the lines blur at times, but this model has been well-received by folks trying to restore order to the chaos.
the data center. Not sure it gets there, but it's a start.
Still half full on Secure Computing/CipherTrust
Boy, Secure Computing is taking a pounding today. Stock is way down and a couple of vociferous Wall Street analysts are really beating them up. This story (link here) on SmartMoney really sums it up. Pain, unless you were short the stock.
Richard Stiennon is jumping on as well, both in his Threat Chaos blog (http://blogs.zdnet.com/threatchaos/?p=369) and in the comments section here at Security Incite. Since my RSS reading friends usually don't check out the comments, here's what Richard had to say:
Your insight as an insider is better than mine Mike but I have a few doubts. While Secure is one of the most experienced at integrating acquisitions they may be trying to swallow too large a kangaroo here, especially with the big bulge of CyberGuard still being digested. Financially the company could be getting too deep in debt to recover. As to the talent sticking around I highly doubt anyone would last longer than their vesting period. They have been slugging it out for five years, missed a few market opportunities, and are probably tired. Meanwhile, Atlanta seems to be heating up with new startups, new financings, and other activity in the security space. While I have infinite respect for Jay, I cannot believe he is going to last as a chief anything officer in a publicly traded company. He is too much of an entrepreneur to put up with big company BS. -RS
The risk here is execution risk, not market risk. When you see a lot of deals you get both flavors, which dramatically reduces the likelihood of success. But there is definitely a market for "enterprise gateway security" and Secure has the pieces to play. The real question is do they execute? Of course, the CyberGuard experience does not give me warm and fuzzies that they will.
But CyberGuard was a different animal. There was tremendous product overlap, so then you have to deal with reconciling the technology and figuring out how to migrate customers to a new platform. Maintaining both products over time makes no sense. There were also channel issues and that's always a challenge. They did not execute on integrating CyberGuard. It's as simple as that.
Richard is exactly right in pointing out the personnel risk of the CT folks. Many of my friends over there are tired. 5 years at that pace feels like a lifetime. I wouldn't say the ATL is "thriving" but there is a bit of activity and many of those folks are start-up types. So it's a real risk that the brain trust of CT goes away sooner rather than later. But just as many folks are excited about the idea of playing in a bigger arena.
And of course, it seems that Wall Street's biggest issue is the economics and profitability impact. That's what those folks are paid to worry about. But I look at it a bit differently. Secure MUST pay attention to CT and work hard to unlock the value. It's a bet the company move. They are now highly leveraged and we know how a lot of those LBO's of the late 80's worked out for folks that didn't execute. If they bought something small, they could neglect it and bungle it with no impact. That's not an option here. If he doesn't get this right, McNulty (SCUR CEO) will be out on his ass. That's a fact.
So we'll see. There are lots of reasons not to like this deal. I could definitely be eating my words sooner rather than later. But I'm a bold guy and I like bold moves. This was a bold move - for both companies.
Deal (and Earnings Miss): Secure Computing Buys CipherTrust
On the other hand, Secure announced the acquisition of CipherTrust for between $240 and $270 million, depending on whether Secure's stock recovers at all before the deal closes. It's a mixture of cash ($185 million) and stock (10 million shares), which makes CipherTrust CEO Jay Chaudhry Secure's largest individual shareholder.
Interestingly enough, CipherTrust decided to go through with the deal even with the huge miss and resultant impact to the deal size. That means either they are true believers in the strategy and upside potential or there weren't any others at the dance.
In terms of disclosures, I am a CipherTrust shareholder and expect to liquidate my holdings upon closing. Yes I'll end up making a little money on the deal, so I'm happy. And a number of my good friends that are still over there seem to be excited about the deal, so good for them. But given my "insider" knowledge, I'll restrict my comments to the strategic rationale of the deal and the impact to customers. That's only fair.
The new Secure Computing is positioning as the "enterprise gateway security" company. With UTM, messaging security and web security under one roof, the story actually works. Secure wants to own the DMZ and they've got most of the pieces to do that. They specifically will not play on the desktop or the data center for the time being, and I think that focus is good.
Of course, they need to integrate all of those pieces or else there is no leverage. That is Job #1 and they don't have a lot of time. Secure also will be well suited to start looking at integrated hardware. Maybe blades, maybe virtualized stuff, but something to differentiate from McAfee or Cisco, that don't really have a combined appliance.
They also will not be able to buy anything else for quite some time, so they'll need to run with the horses that are already in the barn. Optimally, you'd like to see them add some more sophisticated outbound content filtering (beyond Webwasher), but besides that they've got the pieces. And over time, the gateway only play is inherently limiting. There is some stuff that will need to be done on the devices and some in the data center. But one step at a time, they've got a lot of integration work prior to this being an issue.
In terms of the strategic rationale, Secure outlined 4 reasons why the deal makes sense, but I was only able to capture 3. Oh well. Let me pick them apart.
- Differentiated product set - Not so much. That's why the management integration and eventually the hardware integration is going to be critical to making differentiation a reality. Secure definitely has more pieces than a BlueCoat, SurfControl, F5 or Websense now, but that makes them the tallest 3rd grader on the playground. They aren't going to match up well against the 5th graders (Check Point and ISS) with a lot more revenue, or the Big Security 9th graders (McAfee, Symantec, Juniper, Cisco) that have much bigger resources and huge cash cows to milk.
- Reputation-based technologies - This is actually the key to unlocking the value of the deal. When IronPort announced their web gateway a while back, its positioning was based specifically around integrating "reputation" into the web filtering space. Secure can now do that, but it's not going to happen on day 1, let's be clear about that. CipherTrust is an email security company and gathers email security data. Once the deal closes, they'll presumably have access to a much wider mix of data, but then the fun work of gathering, correlating, and integrating it into the products starts. Don't expect impact here until late-2007 - best case.
- Distribution - Secure acquired a great enterprise customer base and a strong sales force (I should know, I used to work with them). If they can retain the talent, that will help especially with big, competitive enterprise class deals against Big Security. But I'm not so sure Secure's 1600 resellers will know what to do with a complicated, enterprise class email security gateway. That will be one of the biggest initial challenges because CipherTrust always stayed very focused on a select set of resellers. But Secure does have a lot more resources for training, etc. and a much better and broader international platform, which has been problematic for all the email security players.
So, overall I can see the strategic rationale behind the deal. Customers that don't want Big Security in their DMZ now have an alternative, and if the technical integration is pulled off it's potentially a compelling alternative. CipherTrust customers will now have more stuff to think about as they re-architect their DMZ and Secure customers get a leading email security gateway option.
There will inevitably be some integration hiccups, so folks like IronPort and Proofpoint have a small window to throw some FUD (fear, uncertainty, doubt) around to try to get new deals. But neither is a stand-alone opportunity over time, so they should buddy up to Check Point and ISS, as the 4th graders are going to need additional stuff to compete on the playground.

