CipherTrust
Still half full on Secure Computing/CipherTrust
Boy, Secure Computing is taking a pounding today. Stock is way down and a couple of vociferous Wall Street analysts are really beating them up. This story (link here) on SmartMoney really sums it up. Pain, unless you were short the stock.
Richard Stiennon is jumping on as well, both in his Threat Chaos blog (http://blogs.zdnet.com/threatchaos/?p=369) and in the comments section here at Security Incite. Since my RSS reading friends usually don't check out the comments, here's what Richard had to say:
Your insight as an insider is better than mine Mike but I have a few doubts. While Secure is one of the most experienced at integrating acquisitions they may be trying to swallow too large a kangaroo here, especially with the big bulge of CyberGuard still being digested. Financially the company could be getting too deep in debt to recover. As to the talent sticking around I highly doubt anyone would last longer than their vesting period. They have been slugging it out for five years, missed a few market opportunities, and are probably tired. Meanwhile, Atlanta seems to be heating up with new startups, new financings, and other activity in the security space. While I have infinite respect for Jay, I cannot believe he is going to last as a chief anything officer in a publicly traded company. He is too much of an entrepreneur to put up with big company BS. -RS
The risk here is execution risk, not market risk. When you see a lot of deals you get both flavors, which dramatically reduces the likelihood of success. But there is definitely a market for "enterprise gateway security" and Secure has the pieces to play. The real question is do they execute? Of course, the CyberGuard experience does not give me warm and fuzzies that they will.
But CyberGuard was a different animal. There was tremendous product overlap, so then you have to deal with reconciling the technology and figuring out how to migrate customers to a new platform. Maintaining both products over time makes no sense. There were also channel issues and that's always a challenge. They did not execute on integrating CyberGuard. It's as simple as that.
Richard is exactly right in pointing out the personnel risk of the CT folks. Many of my friends over there are tired. 5 years at that pace feels like a lifetime. I wouldn't say the ATL is "thriving" but there is a bit of activity and many of those folks are start-up types. So it's a real risk that the brain trust of CT goes away sooner rather than later. But just as many folks are excited about the idea of playing in a bigger arena.
And of course, it seems that Wall Street's biggest issue is the economics and profitability impact. That's what those folks are paid to worry about. But I look at it a bit differently. Secure MUST pay attention to CT and work hard to unlock the value. It's a bet-the-company move. They are now highly leveraged and we know how a lot of those LBOs of the late '80s worked out for folks that didn't execute. If they bought something small, they could neglect it and bungle it with no impact. That's not an option here. If he doesn't get this right, McNulty (SCUR CEO) will be out on his ass. That's a fact.
So we'll see. There are lots of reasons not to like this deal. I could definitely be eating my words sooner rather than later. But I'm a bold guy and I like bold moves. This was a bold move - for both companies.
Deal (and Earnings Miss): Secure Computing Buys CipherTrust
On the other hand, Secure announced the acquisition of CipherTrust for between $240 and $270 million, depending on whether Secure's stock recovers at all before the deal closes. It's a mixture of cash ($185 million) and stock (10 million shares), which makes CipherTrust CEO Jay Chaudhry Secure's largest individual shareholder.
Interestingly enough, CipherTrust decided to go through with the deal even with the huge miss and resultant impact to the deal size. That means either they are true believers in the strategy and upside potential or there weren't any others at the dance.
In terms of disclosures, I am a CipherTrust shareholder and expect to liquidate my holdings upon closing. Yes I'll end up making a little money on the deal, so I'm happy. And a number of my good friends that are still over there seem to be excited about the deal, so good for them. But given my "insider" knowledge, I'll restrict my comments to the strategic rationale of the deal and the impact to customers. That's only fair.
The new Secure Computing is positioning as the "enterprise gateway security" company. With UTM, messaging security and web security under one roof, the story actually works. Secure wants to own the DMZ and they've got most of the pieces to do that. They specifically will not play on the desktop or the data center for the time being, and I think that focus is good.
Of course, they need to integrate all of those pieces or else there is no leverage. That is Job #1 and they don't have a lot of time. Secure also will be well suited to start looking at integrated hardware. Maybe blades, maybe virtualized stuff, but something to differentiate from McAfee or Cisco, which don't really have a combined appliance.
They also will not be able to buy anything else for quite some time, so they'll need to run with the horses that are already in the barn. Optimally, you'd like to see them add some more sophisticated outbound content filtering (beyond Webwasher), but besides that they've got the pieces. And over time, the gateway only play is inherently limiting. There is some stuff that will need to be done on the devices and some in the data center. But one step at a time, they've got a lot of integration work prior to this being an issue.
In terms of the strategic rationale, Secure outlined 4 reasons why the deal makes sense, but I was only able to capture 3. Oh well. Let me pick them apart.
- Differentiated product set - Not so much. That's why the management integration and eventually the hardware integration is going to be critical to making differentiation a reality. Secure definitely has more pieces than a BlueCoat, SurfControl, F5 or Websense now, but that makes them the tallest 3rd grader on the playground. They aren't going to match up well against the 5th graders (Check Point and ISS) with a lot more revenue, or the Big Security 9th graders (McAfee, Symantec, Juniper, Cisco) that have much bigger resources and huge cash cows to milk.
- Reputation-based technologies - This is actually the key to unlocking the value of the deal. When IronPort announced their web gateway a while back, its positioning was based specifically around integrating "reputation" into the web filtering space. Secure can now do that, but it's not going to happen on day 1, let's be clear about that. CipherTrust is an email security company and gathers email security data. Once the deal closes, they'll presumably have access to a much wider mix of data, but then the fun work of gathering, correlating, and integrating it into the products starts. Don't expect impact here until late-2007 - best case.
- Distribution - Secure acquired a great enterprise customer base and a strong sales force (I should know, I used to work with them). If they can retain the talent, that will help especially with big, competitive enterprise class deals against Big Security. But I'm not so sure Secure's 1600 resellers will know what to do with a complicated, enterprise class email security gateway. That will be one of the biggest initial challenges because CipherTrust always stayed very focused on a select set of resellers. But Secure does have a lot more resources for training, etc. and a much better and broader international platform, which has been problematic for all the email security players.
So, overall I can see the strategic rationale behind the deal. Customers that don't want Big Security in their DMZ now have an alternative, and if the technical integration is pulled off it's potentially a compelling alternative. CipherTrust customers will now have more stuff to think about as they re-architect their DMZ and Secure customers get a leading email security gateway option.
There will inevitably be some integration hiccups, so folks like IronPort and Proofpoint have a small window to throw some FUD (fear, uncertainty, doubt) around to try to get new deals. But neither is a stand-alone opportunity over time, so they should buddy up to Check Point and ISS, as the 4th graders are going to need additional stuff to compete on the playground.
Is reputation an anti-spam differentiator?
At the tail end of my anti-spam tenure, reputation services were all the rage. The concept is that if you know a lot about the sending IP address, you can tell whether they are very likely to be sending spam or good mail. IronPort was the reputation innovator with SenderBase and CipherTrust came later with TrustedSource. Standard disclaimer: I used to work for CipherTrust and am a shareholder (because I can't sell the stock).
Folks like Symantec and Postini always said they had reputation services under the covers, but never really made them visible enough to prove it. Recently (like within the last two weeks), BorderWare (link here) and Habeas (link here) have introduced their own reputation services. They are pitched as either broader (BorderWare's tracks IP and VoIP data) or larger (Habeas claims 60 million IP addresses in their database, which may or may not be true). I'm sure they have 60 million things in a database. What those things are is subject to interpretation. You have to love marketing.
But if you are a customer looking at these solutions, does it matter? The vendors will try to paint their reputation stuff as broader, more accurate, bigger and will let you drop more bad messages at the gateway. Who do you believe? I say believe none of them. Reputation is now a standard part of the game and it's certainly under the covers. You don't buy an anti-spam product because of a reputation service. You buy it because it stops your bad mail.
Content security is a different animal. That is hard to believe for many who have grown up in the network security space, where an attack is an attack is an attack. Maybe 50% of spam is ridiculous. Dealing with nasty inappropriate stuff or prescription drugs, all the products catch that stuff - or they don't get to play.
It's the borderline stuff that is very difficult to categorize. One man's spam is another man's gold. A lot of spam is subjective, so it's very hard to say in absolute terms whether a message is really spam. That's why end user quarantine is so important: the users at least get to see if there are false positives in the mix. Then you've got the language issue. Non-English spam provides a lot of variability in results. You can't just drop a US anti-spam product into the Far East. It's not a firewall.
But getting back to reputation, your definition of spam may be different and your traffic is going to be different. So you'll need to figure things out for yourself. In the content security space, the eval is everything. You need to test these products out. Maybe the specific vendor's reputation database works great for you. But it may not. And the only way you'll find out is by running the products against actual mail. That's right, run the email gateways against a subset of your live mail flow.
Theoretically, reputation should still be a differentiator. But folks like Proofpoint and MailFrontier/SonicWall continue to stop spam without it. So maybe it doesn't matter. Unfortunately I can't answer the question for you. You'll need to be the judge.
Snyder's Hack Job
When I left CipherTrust, I closed the VP Marketing chapter of my career and started to focus on starting up Security Incite. There were lots of things that I liked about the marketing role, and lots of things that I didn't. Joel Snyder in a NetworkWorld column (link) reminds me of something I despised, which is product reviews. His column also questions why a vendor wouldn’t sell equipment to a customer. I have some thoughts on both of these topics.
First of all, let me say that I think Joel’s column was a hack job. This has nothing to do with the fact that I used to work at CipherTrust. It just reads like he’s crying over spilt milk and just being petty. The way he presents his case makes you think he’s hiding something. At least that’s the feel I got reading the column.
I’m very surprised that CipherTrust has not issued an official response to the article. They should. But not by posting anonymous personal attacks on Joel on the Techdirt blog. Mike Masnick of Techdirt mentioned the column on his blog (link) and then someone from CipherTrust made anonymous comments that were less than flattering. That is cowardly. At least be man (or woman) enough to stand behind what you say. CipherTrust took a bad situation and made it a thousand times worse. Masnick calls them out on it in this post.
By the way, CipherTrust did not ask me to write this and they are not a client of my analyst firm. In fact, they'll probably be pretty pissed at me for breaking the code of silence. Whatever - I don’t work there anymore. I can say what I want. From a disclosure standpoint, I am a CipherTrust shareholder since I cannot unload the stock - they are still a private company.
First, let me deal with the NetworkWorld review which happened in December 2004. Joel’s recollection is slanted at best and bordering on revisionist history. Sorry, but I just can't let it lie. A bunch of my friends are scratching their heads wondering why I’m getting involved. It’s actually pretty simple: I think Joel is wrong and I’m going to call him on it.
Joel maintains that we did something below board by turning off the device in the middle of the test. I was the one who shut the box down and I can assure you there was no panic involved. And the only miscommunication was the fact that Joel told us he was going to be on a plane to Europe when the formal testing began, so we didn't think there was any way to contact him to discuss the issues.
Basically, we found that the test was not as we were told. In accordance with the testing methodology we tuned the product for a couple of days, based on what we believed was the entire mail stream. That was not the case. Joel had his mail still running through his managed service during the tuning period. So we were optimizing the product on an incomplete mail stream. So when the actual test began, we saw all the traffic and the box was not performing as it did throughout the entire tuning period. Clearly something was amiss - he sold me a bill of goods about the testing methodology.
I saw no option but to pull out of the test. I had lost confidence in the methodology and Joel's ability to test the product effectively. So I shut the box down. His test was screwed up and I called him on it. Joel got all pissed off (which I found entertaining), and evidently he wasn't on that plane to Europe. So we talked it out and came to a mutual understanding. He acknowledged that we should have time to retune the box, which is what we did. Quite effectively I might add. To my knowledge that was the end of the situation. It was in the rear view mirror and he published his findings on the product.
To bring that incident back up as he tries to condemn CipherTrust for something else is juvenile and ridiculous.
Now that's off my chest, let's discuss that other thing he mentions, which is that CipherTrust would not sell him a box. He says he's testing products for a "consulting customer." Well, what consulting customer? Is the company a vendor or an end-user? I checked with the CT people and Joel wouldn't tell them. Hmm. Is it just me or does this smell really fishy?
Why wouldn't the "consulting customer" work with CipherTrust themselves? Or at least say they were working with Joel's firm to test the products. This is not Consumer Reports here. And why would the "consulting customer" (assuming it's an end user) provide the money to actually buy the products they are testing? I’ve been in this business a long time and I’ve never seen an end user buy one of everything to test them out. It's not like you can get any of these products for $2000. If they are testing 4 products, they are looking at an additional $40k expenditure (an adequately configured box costs $10k), especially when all of the vendors would provide a trial version for testing. It just doesn't add up.
And then he changes the story. Clearly this box was intended to do a competitive bake-off. But he tells CipherTrust after they won't sell him the box that it's for use in his company. How can that be the case, since everyone in the business knows that Joel uses a managed service? Now he's going to implement an enterprise class appliance for the 5 people in his company? Not likely. Again, I wasn’t there but I would have been a little wary of the situation also.
Mike Masnick is right in supposing that part of the fear might have been that information would be passed onto a competitor. In general you never sell an enterprise class product to someone unless you know where it's going to be deployed. The unfortunate truth is a great majority of those boxes that are "unaccounted" for end up in the hands of competitors. To be clear, I'm not saying Joel would buy a product for a competitor, but if you are CipherTrust why would you take the chance? The fact that it's a blind test, done by an independent consultant, makes your chance of success suspect at best. Certainly not worth the $5000 you'd make for selling the product.
And what about this "consulting customer?" I suspect any end-user would have told Joel to walk away. There are a ton of email security solutions and clearly CipherTrust doesn't want their business. So that should have been the end of it.
In my opinion, it was a no-brainer for CipherTrust to walk away from the deal. Anyone that’s spent any time in a product company knows that you need to focus resources on deals that you can win. Without proper qualification, you are wasting your time. Even worse, you have the chance (however unlikely) that the box falls into the hands of a competitor. That's not a risk worth taking.
Clearly Joel doesn't understand that. Instead of letting it go he chose to be vindictive and petty, spouting baseless innuendo about how a company must treat its customers because he felt slighted. It's disappointing to see a fellow NetworkWorld columnist use his space in the book to settle what is clearly a personal score.
Testing Spam Products - Use Corpuses at Your Own Risk
The corpus is primarily intended for academic research and development of anti-spam filters and has significant restrictions on its use. This collection is important as it provides a standardized collection to test and compare spam filters in both academic and commercial contexts.
They are wrong. Using any corpus older than a month and obscuring the mail headers is actually detrimental to testing and comparing spam filters. Why? Because spam is a real time phenomenon and using “stale-mail” to test it is a waste of time. Your results will smell worse than 30 day old Wonderbread.
To be clear, the bulk of spam is no longer sent by that shady character using a spam cannon in his garage to blast out 200 million messages a day. Spam is sent by a worldwide network of zombies that have made it much harder to track and stop the onslaught.
A key technical innovation in defending against these zombies was the reputation system. IronPort’s SenderBase and CipherTrust’s TrustedSource are the two highest profile reputation systems out there. Basically, by tracking the types of messages coming from a specific IP (and using some fancy mathematics), you can get a pretty good feel for whether they are a legitimate sender or not.
Combining reputation with heuristics and signatures creates a cocktail of techniques that can be used to more accurately detect spam. Now anyone that says they can consistently always stop 99% of spam is lying to you. Spamming techniques change fast enough that effectiveness will ebb and flow as the spammers and anti-spammers engage in constant point-counterpoint. But in general, most of the solutions out there do a good enough job.
Now back to TREC 2005. I am a big fan of bake-offs (technical evaluations) during the procurement process (see Buying Security products post). Having users compare spam catch rates using stale-mail is a disservice because real time reputation checks cannot happen on stale mail. Who the message is coming from is a critical part of today’s detection techniques. So, using a pre-baked corpus eliminates that set of tests and will make your results suspect at best.
It is also a very bad idea to just forward the test corpus through a bit blaster. This puts your email security gateway as the second hop in and obscures the true sender’s mail header. This dramatically impacts your ability to accurately detect the spam. I can get into more technical nuances off-line, but take my word for it. Your results will be crap. In fact, a number of well-known publications used this technique in early anti-spam reviews and their results weren’t worth the paper they were printed on. But it took them 18 months (and a lot of my personal blood and sweat) to get them to see the fault in this testing methodology.
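The second-hop problem described above, as an added example that is not part of the original post: a gateway's reputation lookup is keyed on the IP that connected to it, so a corpus replayed through a relay is scored on the relay's reputation instead of the original sender's. The reputation table, scores, IP addresses, host names and function names are all constructed for illustration.

```python
import email
import re

# Constructed reputation table (illustrative scores, not from any real service).
# Higher score = more likely to be a spam source.
REPUTATION = {
    "203.0.113.45": 0.97,  # zombie host that originally sent the spam
    "192.0.2.10": 0.02,    # the tester's own replay relay (the "bit blaster")
}
UNKNOWN_SCORE = 0.50       # assumed default for an IP with no history

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed spam message as it leaves the sender, before any MTA has stamped it.
SPAM_AS_SENT = (
    "From: offers@example.test\n"
    "To: user@corp.example.test\n"
    "Subject: Limited time offer\n"
    "\n"
    "Click here.\n"
)

def stamp_received(raw_message, peer_ip, by_host):
    """Prepend the Received header an MTA adds for the peer that connected to it."""
    return f"Received: from unknown ([{peer_ip}]) by {by_host} with SMTP\n" + raw_message

def connecting_ip(raw_message):
    """IP in the topmost Received header: the only hop the gateway observed itself."""
    hops = email.message_from_string(raw_message).get_all("Received", [])
    if not hops:
        return None
    match = IP_IN_BRACKETS.search(hops[0])
    return match.group(1) if match else None

def reputation_score(raw_message):
    """Score the message on the reputation of the connecting IP only."""
    return REPUTATION.get(connecting_ip(raw_message), UNKNOWN_SCORE)

def live_delivery():
    """Gateway sits in real mail flow: the zombie connects to it directly."""
    return stamp_received(SPAM_AS_SENT, "203.0.113.45", "gateway.corp.example.test")

def corpus_replay():
    """Corpus copy was captured elsewhere, then forwarded to the gateway by a relay."""
    captured = stamp_received(SPAM_AS_SENT, "203.0.113.45", "mx.collector.example.test")
    return stamp_received(captured, "192.0.2.10", "gateway.corp.example.test")

if __name__ == "__main__":
    for name, build in (("live mail flow", live_delivery), ("corpus replay", corpus_replay)):
        msg = build()
        print(f"{name}: connecting IP {connecting_ip(msg)}, score {reputation_score(msg)}")
```

The original sender's IP is still present further down the Received chain of the replayed copy, but the gateway did not observe that hop itself, and a corpus with obscured headers does not carry it at all.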
So how do you test anti-spam products? Basically you need to use them in real mail flow. I believe that you set up a set of test users (that are a bit more understanding than your CEO) and run their ACTUAL mail through the box for a month. Then you can gauge real time effectiveness and select the best fit for your organization.
UPDATE: Let me clarify a bit that a corpus like this will be useful to an anti-spam researcher, who presumably understands how to tune their heuristics and/or signatures. My point is that this kind of corpus will NOT be useful to end users trying to compare anti-spam products.

