Cisco/IronPort: Better late than never
Just in time for irrelevance, I finally have a few minutes of airplane time to assemble my thoughts on the Cisco/IronPort merger. Overall, I think it was a smart move for Cisco, but not a good deal. $830 million borders on ridiculous for IronPort, who maybe booked $100 million in 2006 (which is a very generous estimate). But it won't even make a dent in Cisco's cash balance or profitability.
So what's with the price?
I've come up with three explanations for the price of the deal. First, Cisco has a set multiple on revenues that they typically pay for a security company. Sure, IronPort has more top line than their typical deal, but they couldn't figure out how to unlock that cell in the spreadsheet, so they just paid the money.
Second is that IronPort found something in John Chambers' email that was "unflattering." Being the gateway provider for Cisco for years (can't tell you how many times I saw that goddamn customer slide from IronPort), these guys could have found something "nice" (in Borat speak) and used that as leverage. Yes, I'm joking.
Finally, the most likely situation is a bidding war. It seems that neither Cisco nor EMC (they bought RSA for an inflated $2.1 billion) likes to lose a deal, even if it costs them a couple hundred extra million. What's a couple hundred extra million between friends? I guess if you're friends with Bill Gates or Warren Buffett that kind of holds. I suspect there was another party with a big checkbook interested (starts with a "J" and ends with a "uniper") and Cisco decided they just couldn't lose the deal.
Who looks like the smartest guy on the block? That’s easy, it’s John McNulty of Secure Computing. Relative to this price, he got a steal in taking out CipherTrust for less than $300 million. Personally, I thought CT was fairly valued and was not disappointed in the outcome - but Mr. Market says I was wrong.
Some other thoughts:
Better late than never - Cisco is late to the content security party. Symantec has been in it for years. Secure Computing took out CipherTrust. And spam continues to grow at an astounding rate. You also have web filtering as a robust product category ready for a replacement cycle (exposing Websense to some negative fallout from this deal), so Cisco gets to play in all of these categories now, which they needed to. You have a lot of customers that like to buy everything from Cisco (even if it pisses off Dave Maynor), so now they can get their content stuff from them too.
Your reputation precedes you - A lot of folks have made a big deal of IronPort's SenderBase (and SpamCop) reputation network, which represents an effective way to block spam at the perimeter based on who is sending it. Reputation doesn't just apply to email, so having a big database of the relative "intent" of many of the IP addresses out there is a good thing. Cisco will leverage this heavily over the next few years, unless they are stupid - which they are not.
Encryption: sure we'll take some of that - IronPort had bought PostX in October for a song, so now that goes along with the deal. But I suspect the secure envelope technology will get lost within Cisco, who barely understand that email is an application. The idea of statement delivery and other application level encryption is too much for Cisco to grasp right now. PGP and Voltage rejoice.
Losers
The most visible losers are the former CipherTrust shareholders, who evidently got swindled. Yes, I was one of them. But I don't play the woulda, shoulda, coulda game. Chaudhry got the deal done and in all likelihood walked away with more than Scott Weiss. Good for them, buy an airplane. That's all I have to say about that.
All but one of Proofpoint, Borderware, Tumbleweed, Mirapoint, and Barracuda are exposed. There is only one chair left and the music will probably stop by mid-year. Once Juniper makes its play, the rest of the folks are left holding the bag. If I had to bet, I'd say Juniper will take Proofpoint out. Borderware is a dark horse because the price would be significantly lower and they do have that SIP security box, which may interest Juniper - who knows a thing or two about networks.
Wherefore art thou IPO?
There is also a lot of speculation relative to whether another security IPO (after Guidance Software) will happen. Sourcefire has filed, though there is always the possibility they'll be taken out before they get it done. The UTM players, Fortinet and Crossbeam, are the others frequently mentioned as IPO candidates.
I actually think both will file and one will get the deal done in 2007. Most of Big Security with Big Checkbook already has a UTM offering. Check Point could take out Crossbeam, which would make sense - but it's hard to envision who would take out Fortinet at a billion dollar valuation. Maybe when Alcatel-Lucent eats enough of whatever the French equivalent of Tums is, they'd be ready to get back into the enterprise game. Maybe Nortel. But probably not.
So I haven't given up on a Security IPO in 2007.
Is reputation an anti-spam differentiator?
At the tail end of my anti-spam tenure, reputation services were all the rage. The concept is that if you know a lot about the sending IP address, you can tell whether they are very likely to be sending spam or good mail. IronPort was the reputation innovator with SenderBase and CipherTrust came later with TrustedSource. Standard disclaimer: I used to work for CipherTrust and am a shareholder (because I can't sell the stock).
Folks like Symantec and Postini always said they had reputation services under the covers, but never really made them visible enough to prove it. Recently (like within the last two weeks), BorderWare and Habeas have introduced their own reputation services. Each claims an edge: BorderWare's is broader, tracking IP and VoIP data, and Habeas's is larger, with a claimed 60 million IP addresses in their database - which may or may not be true. I'm sure they have 60 million things in a database. What those things are is subject to interpretation. You have to love marketing.
But if you are a customer looking at these solutions, does it matter? The vendors will try to paint their reputation stuff as broader, more accurate, bigger and will let you drop more bad messages at the gateway. Who do you believe? I say believe none of them. Reputation is now a standard part of the game and it's certainly under the covers. You don't buy an anti-spam product because of a reputation service. You buy it because it stops your bad mail.
Content security is a different animal. That is hard to believe for many who have grown up in the network security space, where an attack is an attack is an attack. Maybe 50% of spam is obvious: the nasty, inappropriate stuff and the prescription drug pitches. All the products catch that - or they don't get to play.
It's the borderline stuff that is very difficult to categorize. One man's spam is another man's gold. A lot of spam is subjective, so it's very hard to say in absolute terms whether a message is really spam. That's why end user quarantine is so important, then the users at least get to see if there are false positives in the mix. Then you've got the language issue. Non-English spam provides a lot of variability in results. You can't just drop a US anti-spam product into the Far East. It's not a firewall.
But getting back to reputation, your definition of spam may be different and your traffic is going to be different. So you'll need to figure things out for yourself. In the content security space, the eval is everything. You need to test these products out. Maybe the specific vendor's reputation database works great for you. But it may not. And the only way you'll find out is by running the products against actual mail. That's right, run the email gateways against a subset of your live mail flow.
Theoretically, reputation should still be a differentiator. But folks like Proofpoint and MailFrontier/SonicWall continue to stop spam without it. So maybe it doesn't matter. Unfortunately I can't answer the question for you. You'll need to be the judge.
Testing Spam Products - Use Corpuses at Your Own Risk
The corpus is primarily intended for academic research and development of anti-spam filters and has significant restrictions on its use. This collection is important as it provides a standardized collection to test and compare spam filters in both academic and commercial contexts.
They are wrong. Using any corpus older than a month and obscuring the mail headers is actually detrimental to testing and comparing spam filters. Why? Because spam is a real time phenomenon and using “stale-mail” to test it is a waste of time. Your results will smell worse than 30 day old Wonderbread.
To be clear, the bulk of spam is no longer sent by that shady character using a spam cannon in his garage to blast out 200 million messages a day. Spam is sent by a worldwide network of zombies that have made it much harder to track and stop the onslaught.
A key technical innovation in defending against these zombies was the reputation system. IronPort's SenderBase and CipherTrust's TrustedSource are the two highest profile reputation systems out there. Basically, by tracking the types of messages coming from a specific IP (and using some fancy mathematics), you can get a pretty good feel for whether they are a legitimate sender or not.
Combining reputation with heuristics and signatures creates a cocktail of techniques that can be used to more accurately detect spam. Now anyone who says they can consistently stop 99% of spam is lying to you. Spamming techniques change fast enough that effectiveness will ebb and flow as the spammers and anti-spammers engage in constant point-counterpoint. But in general, most of the solutions out there do a good enough job.
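To make the "track what comes from each IP" idea concrete, here is an added example (not SenderBase, TrustedSource, or any vendor's code) of a minimal sender-IP reputation store combined with a content score, covering both the reputation discussion in "Is reputation an anti-spam differentiator?" and the cocktail described in the paragraph above. The verdict log, the IP addresses, the Beta(1,1) smoothing and every threshold are assumptions for illustration; the real services use their own undisclosed math.

```python
"""Sender-IP reputation combined with a content score.

Added example for this page, not code from IronPort, CipherTrust or any
other vendor.  The verdict log, IPs, smoothing and thresholds are all
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed verdict log: (connecting IP, content-filter verdict).  In a
# real deployment every gateway reports these back to the reputation service.
VERDICT_LOG = [
    ("203.0.113.7", "spam"), ("203.0.113.7", "spam"), ("203.0.113.7", "spam"),
    ("203.0.113.7", "spam"), ("203.0.113.7", "spam"), ("203.0.113.7", "spam"),
    ("198.51.100.25", "ham"), ("198.51.100.25", "ham"), ("198.51.100.25", "ham"),
    ("198.51.100.25", "spam"),   # a legitimate host with one bad verdict
    ("192.0.2.99", "spam"),      # a single observation: not enough to condemn
]


@dataclass
class IPStats:
    spam: int = 0
    ham: int = 0


class ReputationDB:
    """Per-IP spam/ham counters.

    spam_probability() applies a Beta(1,1) prior (assumed here), so an IP seen
    once lands near 0.5 instead of at 0 or 1, and an IP never seen is neutral.
    """

    def __init__(self):
        self.stats = defaultdict(IPStats)

    def record(self, ip, verdict):
        if verdict == "spam":
            self.stats[ip].spam += 1
        elif verdict == "ham":
            self.stats[ip].ham += 1
        else:
            raise ValueError("verdict must be 'spam' or 'ham', got %r" % verdict)

    def observations(self, ip):
        s = self.stats.get(ip, IPStats())   # .get() avoids creating an entry
        return s.spam + s.ham

    def spam_probability(self, ip):
        s = self.stats.get(ip, IPStats())
        return (s.spam + 1) / (s.spam + s.ham + 2)


def build_db(log):
    db = ReputationDB()
    for ip, verdict in log:
        db.record(ip, verdict)
    return db


def decide(db, ip, content_score, reject_at=0.8, min_obs=3, quarantine_at=0.6):
    """Mirror the cocktail: reputation first (cheap, decided at connection
    time before the body is accepted), then content scoring for the rest.

    content_score is the heuristic/signature engine's 0..1 spam score for the
    message body; the weights and thresholds are assumptions.
    """
    rep = db.spam_probability(ip)
    # Only reject on reputation alone when there is enough history behind it.
    if rep >= reject_at and db.observations(ip) >= min_obs:
        return "reject"
    combined = 0.5 * rep + 0.5 * content_score
    return "quarantine" if combined >= quarantine_at else "deliver"


if __name__ == "__main__":
    db = build_db(VERDICT_LOG)
    for ip, content in [("203.0.113.7", 0.0), ("198.51.100.25", 0.9),
                        ("192.0.2.99", 0.2), ("10.9.8.7", 0.95)]:
        print(ip, round(db.spam_probability(ip), 3), decide(db, ip, content))
```

The `min_obs` guard is the part worth keeping: a reputation system that rejects on one bad verdict turns every false positive from the content engine into a self-reinforcing block, which is exactly the "one man's spam is another man's gold" problem the post describes.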
Now back to TREC 2005. I am a big fan of bake-offs (technical evaluations) during the procurement process (see Buying Security products post). Having users compare spam catch rates using stale-mail is a disservice because real time reputation checks cannot happen on stale mail. Who the message is coming from is a critical part of today’s detection techniques. So, using a pre-baked corpus eliminates that set of tests and will make your results suspect at best.
It is also a very bad idea to just forward the test corpus through a bit blaster. This puts your email security gateway as the second hop in and obscures the true sender’s mail header. This dramatically impacts your ability to accurately detect the spam. I can get into more technical nuances off-line, but take my word for it. Your results will be crap. In fact, a number of well-known publications used this technique in early anti-spam reviews and their results weren’t worth the paper they were printed on. But it took them 18 months (and a lot of my personal blood and sweat) to get them to see the fault in this testing methodology.
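The "second hop" problem can be seen directly in the headers. The following added example (not from any vendor or publication, with constructed messages and addresses) parses the Received chain the way a gateway would: the only trustworthy hop is the one the gateway itself wrote from the socket peer address. In a live delivery that address is the zombie; in a replay through a test relay it is the relay, and the zombie's address survives only in lower headers that anyone can forge.

```python
"""Why replaying a corpus through a relay defeats reputation checks.

Added example for this page, not vendor code.  Both messages, the IP
addresses and the reputation table are constructed.
"""
import re
from email import message_from_string

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Live delivery: the gateway (gw.corp.example) wrote the top Received header,
# and the bracketed IP in it is the TCP peer, i.e. the zombie at 203.0.113.7.
LIVE = """\
Received: from mail.example.net (unknown [203.0.113.7])
\tby gw.corp.example (gateway) with ESMTP id 1; Tue, 2 Jan 2007 09:10:11 -0500
From: bob@example.net
To: alice@corp.example
Subject: cheap meds

buy now
"""

# The same message replayed from a test harness at 10.0.0.5: now the relay
# is the peer, and 203.0.113.7 only appears in an older header that the
# gateway did not write and cannot verify.
REPLAYED = """\
Received: from blaster.test.corp.example ([10.0.0.5])
\tby gw.corp.example (gateway) with ESMTP id 2; Tue, 2 Jan 2007 09:10:11 -0500
Received: from mail.example.net (unknown [203.0.113.7])
\tby mx.collector.example with ESMTP id 1; Mon, 1 Jan 2007 09:10:11 -0500
From: bob@example.net
To: alice@corp.example
Subject: cheap meds

buy now
"""

# Constructed reputation table: probability that mail from this IP is spam,
# as a reputation service would have learned from past traffic.
REPUTATION = {"203.0.113.7": 0.97}


def received_ips(raw):
    """Bracketed IPs from every Received header, newest hop first."""
    msg = message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def connecting_ip(raw):
    """The only hop a gateway may trust is the top one, which it wrote itself
    from the peer address of the SMTP connection."""
    hops = received_ips(raw)
    if not hops:
        raise ValueError("no Received header with a bracketed IP")
    return hops[0]


def reputation_decision(raw, reject_at=0.9):
    """Connection-time check: reject on reputation, otherwise hand the message
    to the content engine.  Unknown IPs get a neutral 0.5 (assumed)."""
    ip = connecting_ip(raw)
    score = REPUTATION.get(ip, 0.5)
    return ("reject" if score >= reject_at else "scan", ip, score)


if __name__ == "__main__":
    for name, raw in (("live", LIVE), ("replayed", REPLAYED)):
        print(name, received_ips(raw), reputation_decision(raw))
```

Walking further down the chain does not rescue the test: the lower Received header in the replayed message is just text the harness (or a spammer) chose to include, so scoring it would let any sender launder a bad IP by prepending a clean hop. That is why the post's conclusion holds: the reputation layer can only be evaluated on mail that actually arrives from its real source.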
So how do you test anti-spam products? Basically you need to use them in real mail flow. I believe that you set up a set of test users (that are a bit more understanding than your CEO) and run their ACTUAL mail through the box for a month. Then you can gauge real time effectiveness and select the best fit for your organization.
UPDATE: Let me clarify a bit that a corpus like this will be useful to an anti-spam researcher, who presumably understands how to tune their heuristics and/or signatures. My point is that this kind of corpus will NOT be useful to end users trying to compare anti-spam products.