IPS

OHMYGOD - Sourcefire to IPO

Submitted by Mike Rothman on Wed, 2006-10-25 18:06.

OHMYGOD! OHMYGOD! OHMYGOD! OHMYGOD!

I feel like a giddy schoolgirl because I'm seeing something that many of us haven't seen since 2001. A security IPO. OHMYGOD!!!!

Sourcefire has filed an S-1, which is the first step to going public. You can read the document for yourself here. They propose to raise up to $75 million and Morgan Stanley and Lehman are the leads. Hmmm.

I'm fired up (no pun intended) because you always get lots of juicy stuff in an S-1. Revenues, earnings, senior management salaries, employment agreements, investor positions. Oh the wonder of the S-1.

I don't have time to go through the filing with a fine tooth comb, but here are the highlights.

  • Total revenue in 2005: $32.9 million
  • 2005 loss of $8.1 million
  • Current cash of about $25 million
  • Existing shareholders have put about $56 million into the company
  • Revenue ramp starting in 2002: $1.9MM, $9.4MM, $16.6MM, $32.9MM
  • Services currently running about 36% of total revenues
  • Last 4 quarters have been: $11.6MM, $8.5MM, $9.5MM, $10.8MM
  • Profitable and cash flow positive for Q3 2006
  • Over 80% of revenue from the US
  • Marty Roesch owns about 9% of the company
  • Sierra Ventures is the biggest venture investor with a 28.8% position

So what's the conclusion? I guess I thought they were bigger. TippingPoint is the bulk of 3Com's $25 million in security business last quarter. I had heard the Check Point deal kind of hurt momentum for Sourcefire and I guess that's right. They still haven't beat the Q4 2005 number yet in 2006, which is odd for a strongly growing company.

But what should be a bit over $40 million in 2006 is a good number for a deal to get done. I figure other companies (Arbor, IronPort, Postini, MessageLabs, Crossbeam) are roughly that size if not a bit bigger, but haven't filed yet - so we could have the security IPO extravaganza in early 2007. CyberTrust is probably 4x that size, but services shops are valued differently. But the profitability thing is a big hurdle to get a deal done, and Sourcefire now has that.

This could also be a ploy to force the hand of potential suitors. Brightmail played that card magnificently by filing the S-1 and then using that as leverage to extract a sweeter deal from Symantec. You figure Sourcefire would have a $300-400 million valuation on the IPO (maybe?), so any suitor would need to beat that price. Rumors are swirling that Check Point is sniffing around again and some others as well.

Going public also gives Sourcefire currency to start buying other stuff. So it'll be interesting to see if they can get the deal done and then the long security IPO winter will be over. That would be a good thing, especially for my sell-side analyst friends, who haven't had any exciting security stuff to cover in a long time.

Congrats to Marty, Wayne and the rest of the team. An IPO is a big deal for all of us security folks.

Perimeter defense - Tastes like chicken!

Submitted by Mike Rothman on Tue, 2006-06-13 15:01.

I was intrigued by Alan Shimel's post this AM (link here) about the inevitable morphing of IDS/IPS into something else. The metaphor he uses is the dinosaurs evolving into birds. I thought dinosaurs were extinct, but that's why I studied engineering and not history in school. Speaking of dinosaur birds, how cool is Rodan? Alan, does your 4-year-old grok Rodan yet? Man, sometimes I'm a total tool.

Back to the point. Alan uses the post to seemingly poke at some of the vendors that are now chasing sexier terms like UTM and NAC. Sure, there are quite a few struggling IPS vendors that are trying to reposition in the NAC space. That's not news, nor is it interesting. You'll always have those ankle biters chasing the next best thing hoping to hit the Cisco, Symantec or McAfee acquisition lottery. So aside from the stupid vendor marketing tricks, there is actual technology evolution happening here, which is both predictable and inevitable. At some point pretty much every technology hits the commodity curve. That happens when volumes go up, and in the IDS/IPS space we are seeing volumes (or my contacts are at least).

Why? Because IDS/IPS is not sexy anymore. It's mature. It's stable. The channel knows how to sell it and implement it. It's low risk. We can certainly argue whether it does anything or not, but that's not the point. Customers THINK it does something, so they are buying it. I've got lots of contacts in the channel and end user community and IDS/IPS is on main street (in Geoffrey Moore's parlance). TippingPoint is keeping 3Com afloat, Sourcefire continues to grow rapidly and ISS is holding its own. It's largely because the unsophisticated masses are now buying IDS/IPS.

I don't think about markets in terms of HOW, I think in terms of WHAT. Huh? IDS/IPS, firewalls, network anomaly detection, email security and probably 10 other things are HOWs to me. How you do something. I like to examine the WHAT. You are protecting your perimeter - that's WHAT. I don't much care how you protect your perimeter, but you need to protect it. There are lots of ways to skin the cat. The right approach will have everything to do with what your environment needs, not what arbitrary category a vendor's product is placed in at some point in time.

I had an Incite at the beginning of the year called "Losing the Religion" (link here) and this is further confirmation of that path. UTM is all about using the right technique to block different attacks, while hopefully giving customers some management leverage. Of course the IDS/IPS vendors are going there because customers want them to. Only the big of the big can afford to support all sorts of different functions on different boxes with different management (see No mas box). The great unwashed want the IDS/IPS built into something bigger and simpler.

We are seeing the natural order of things. Getting back to Alan's bird metaphor - you've got lots of different birds and customers want something that tastes like chicken. It could be a Cornish hen or a turkey, but it better resemble poultry.

The second part of Alan's post is about Sourcefire basically focusing on post-admission control. It seems his biggest problem is that Sourcefire's RNA doesn't do pre-admission control. Yes, Alan sells pre-admission control, so he has strong feelings about its usefulness and you know on what side of the fence he's going to end up. But customers shouldn't be playing favorites. At some point, you'll need both.

Pre-admission only solves half the problem. What happens if a machine is compromised AFTER it is admitted to the network? Likewise, post-admission control doesn't prevent a compromised machine or foreign attacker from doing damage until it is picked up by the passive monitoring approach and quarantined. So neither solves the entire problem: how do you make sure only the right devices get onto the network, and then that they do the right stuff once they are connected?

Over time the question becomes WHERE you perform these functions. My bet is that you do pre-admission control on an access gateway. Maybe an SSL VPN box on steroids to handle LAN speeds. Maybe on access points that terminate in-building wireless networks and public meeting spaces.

I think you do post-admission control in the network fabric. Initially you need to passively monitor traffic and centralize decision making, but over time (like 5-7 years) as more intelligence and capability makes its way into the wiring closet then you will actively enforce local policies in the closet and have a passive "overlord" watching everything to ensure network integrity and enterprise policy compliance.

It's a compelling vision and we are a long ways off, but that's one guy's vote on how things shake out.

No Deal: Check Point and Sourcefire is Kaput!

Submitted by Mike Rothman on Thu, 2006-03-23 20:30.

I know. I know. I'm on vacation, but I couldn't resist. This is big.

Both Check Point (release here, FAQ here) and Sourcefire (here) have issued releases basically calling off their deal. Evidently the pressure from the Feds became intolerable, the approval process unbearable and the likelihood of closing the deal minimal. So both parties bowed out.

First, this is a shame. I'm sure someone on the financial side will do a bit of digging to figure out why the Feds would kill this deal. Hopefully it's more than that stupid Dubai ports fiasco. I'd be very disappointed if it turned out to be a well funded competitor making waves. That's dirty pool. Frankly I'm both surprised and concerned. Given the current administration's penchant to be pro-business, this is a big step in the wrong direction.

Customers won't really be impacted too much by this deal falling apart. There was little overlap between CHKP and Sourcefire, so it will be business as usual for both companies and their customers.

Check Point is a HUGE loser. Firstly, a lot of folks like me had been calling on them to talk more lucidly about what was next. Clearly that was Sourcefire. Now it's not, so they need Plan B and that hasn't been clear or forthcoming. Additionally, you need to be big to prosper and survive in the security business. This is a very CLEAR message to Check Point that they will not be allowed to buy US security companies. That is a big problem if they want to broaden their position and remain strategic. A very big problem.

Sourcefire is a big winner here. Sure, they did waste a bit of time, but did not lose much momentum from what I see. Everything I've been hearing about their business is very positive. With profitability, a strong growth rate and the best story among all the perimeter defense plays, they are well positioned. Their price tag just went way up.

There were rumblings that Check Point got a bargain based on Sourcefire's strong Q4 and pipeline momentum. Guess that's not an issue any more. To be clear, Sourcefire is a long way off having the breadth to be a long term, publicly traded, sustainable security player - so being acquired is still the most likely outcome for them. But Sourcefire will need to find another partner quickly before they get too big. It's very hard for all but 2 or 3 vendors to do a deal north of $300 million and that's clearly where Sourcefire's price tag is now.

So overall, I think this is terrible news for the industry and America takes a black eye. Truly horrible news for Check Point. Sourcefire comes out smelling like a rose.

Now back to my previously scheduled vacation.

Can You Control Skype?

Submitted by Mike Rothman on Wed, 2006-03-22 10:06.

There is clearly a move to take back control of corporate networks. Which, to be clear, is a good thing. Ultimately corporate networks (and the devices that run on them) are the property of the corporation and should be treated as such. I'm as big an MP3 user as most, but that doesn't mean I should have 20GB of music on my work laptop. I have a jukebox that I carry with me, and that suits me just fine.

But what about Skype? Obviously a lot of small businesses are using Skype for business calls. So, controlling Skype is not high on the agenda given the cost savings it provides, especially for those global organizations. Yet it still begs the question for enterprises: should you allow Skype? If so, can you control it? If not, how can you stop it? It seems that my friends over at the Burton Group have a strong opinion about the topic, as evidenced by this quote in an article called "Skype Dangers May Be Acceptable to Business" on March 7:

"If the risk is too high - ban Skype. If the reward outweighs the risk - consider Skype as part of your overall communications strategy," says Irwin Lazar, senior analyst for Burton.

Now that is taking a hard position. First let's weigh the actual risks of Skype. It uses a very innovative mechanism to both evade detection and ensure connections go through unfettered regardless of the security products put in place. They also use their own encryption techniques to make sure the sessions (and files or conversations) cannot be snooped. NetworkWorld contracted with Ed Mier a while back to see what the real impact of Skype was on a network and whether it was a security risk. The article is at http://www.networkworld.com/reviews/2005/121205-skype-test.html. The answer was rather impressive in that Mier couldn't really find anything wrong with running Skype, from a security perspective.

Of course, that assumes that none of your devices is a Skype Supernode, their term for a call switching node. Kind of like a Class 4 switch for Skype calls. Have any of you seen a Class 4 switch? They are big, have lots of horsepower, and a ton of network connectivity. Your desktop is not that, so if you mysteriously have significant network congestion and your computer is inexplicably smoking, you should probably turn it off. Supernodes are bad for corporate network hygiene. Now from a policy perspective, it could present a big problem.

Let's say you are in a regulated business and you need to have every call with a customer logged and in some cases recorded. You can't do that with Skype. You won't even know the call happened. Most of your diligent employees wouldn't be doing something below board like this, but you wouldn't know it even if they did. That's a problem. Same goes for environments with real sensitive intellectual property. Skype can transfer files too.

I'm pretty sure that the "extrusion prevention" tools like Vontu and Reconnex don't know what to do with Skype either. So it's not something that you can control if you let it in. Yes, free is a good price, so the cost savings can be compelling. But for those having to answer to Sen. Sarbanes or Rep. Oxley, you may want to think twice. It's hard to have strong controls on something that you can't control.

How do you stop it? As with most things, you can attack it at the network or at the endpoint. Skype was designed by the folks that did Kazaa, so they know a little bit about how to go into a network undetected. I saw an announcement from SurfControl (http://biz.yahoo.com/prnews/060321/sftu084.html?.v=52) that says they can stop Skype on the gateway, and maybe they can. For now. How long will it be before Skype changes the packet dynamics and connection mechanisms? I guess since they are owned by eBay now, they are less likely to act like hackers, but still. Part of their value is that it just works, so I suspect they'll spend some time making sure it still works, regardless of the "defenses" that security vendors put in place. That may not be a battle that SurfControl (or any other network solution) can win.

So that leaves the endpoint, which is where I think it should be controlled. You can deploy application control technology as a subset of endpoint security to basically define a list of acceptable applications that can run on the desktop. Skype wouldn't be on it. Thus, the executable will not run on the desktop and Skype is not a problem anymore.

Does that seem too simple? Maybe it is, but there is no prize for finding the hardest, most technically elegant solution to anything. Do what works, and application control will work to control this (and any other) unwanted application.