ISS

NetworkWorld Column: IBM legitimizes managed security

Submitted by Mike Rothman on Mon, 2006-09-11 09:37.

In this week's NetworkWorld column, I go through some of the thinking behind IBM's acquisition of ISS. Of course for loyal readers none of this will be new. But if you are interested in how many Gulfstream V's or Bentley Continental GT's you could buy with $1.3 Billion dollars - read on.

http://www.networkworld.com/columnists/2006/091106rothman.html


More thoughts on IBM/ISS

Submitted by Mike Rothman on Mon, 2006-08-28 08:28.

In today's Daily Incite, I did a retrospective of the news and blog coverage on the IBM/ISS deal. Of course, I like to think I provided some context and value-add, but you will be the judge of that. But since it was down towards the bottom of the newsletter, I figured I should call it out here.

So check it out and add some comments (to either this post or today's TDI). Per usual, if any good dust-ups happen in the comments, I'll pull them out, post them separately and get the last word. You can call that the home-field advantage!

http://securityincite.com/blog/mike-rothman/the-daily-incite-august-28-2006#IBM-ISS


Deal: IBM buys ISS

Submitted by Mike Rothman on Wed, 2006-08-23 07:22.

IBM confirmed the worst-kept secret in security-land this AM by acquiring ISS for $28/share. That is only a 6% premium to yesterday's closing price - but about 50% higher than the stock was trading before the rumors started.

Press release is here.

It's an interesting deal since IBM has been dabbling in security but hasn't really been focused on it. It also seems that the products business is going to be hung out to dry. ISS will become a business unit under the Global Services umbrella. The "software" products will be integrated into IBM Tivoli stuff (not sure what that means), but what about the hardware?

Is Proventia dead? If you are a Proventia customer (or looking at the product), then it's in your best interest to defer purchase until the integration plans and product roadmap crystallize. There will be a lot of uncertainty until the deal closes, which is another reason to defer purchases.

Another open question is what will become of ISS' management team. It's not like IBM keeps many of the senior guys in their big acquisitions, so maybe this is Tom Noonan's opportunity to ride off into the sunset.

If they are having a conference call, I'll listen in on that and do a more detailed post later. Just wanted everyone to get the news hot off the presses!

Comment Watch: The role of vulnerability research

Submitted by Mike Rothman on Thu, 2006-07-20 17:19.
In today's TDI, I mentioned a different perspective - offered by Dave Goldsmith of Matasano - showing a positive view of the Symantec study of Vista's network attack surface (link here). Sure enough, Dave's colleague Thomas weighed in to clarify some stuff. It became a pretty interesting interchange between the two of us and one that warrants a deeper discussion. Since many of you don't get access to the comments via RSS, I thought I'd cut and paste a bit to keep you clued in. I did edit Thomas' comments a bit because this is a family blog. HA!
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:15.

The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.

I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.

Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years".

Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.

I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.

Thanks for noticing us, though! =)
For a change, the Matasano guys are adding value to the discussion. Here is my response:
Submitted by Mike Rothman on Thu, 2006-07-20 10:26.

Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.

If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.

I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.

And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:59.

You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.

Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?

Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.
So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.

But now it seems that every vendor has its own version of the report. Every big one anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?

At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee), and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks' stuff.

This is both a PR strategy - pioneered very effectively by eEye (3rd-party patching, anyone?) and new entrants like Mu Security that have boxes designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software, then they must do a good job of protecting their own, no?

Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.

But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottom-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.

So what? Basically, I figure we are going to see vulnerability researchers let loose on competitors' security software. The Symantec-Microsoft episode may have been bottom-up, but in a market this competitive, with folks looking for literally ANY advantage, it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating: on one hand working to seem on the up and up - just doing a service to the community, don't cha know - but on the other hand trying to stick it to the competition when they can. That's a high-wire act for sure.

But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.

The Race to Get in the Closet

Submitted by Mike Rothman on Mon, 2006-04-17 14:41.
It's on folks. The battle for the campus infrastructure begins anew. Network Access Control will become the catalyst for a generational upgrade of the LAN switching infrastructure. I'm sure John Chambers is doing his best Dr. Evil impersonation saying, "just as we expected."

Today, ConSentry announced a new line of LAN switches that integrate a lot of their stand-alone NAC functionality in a low cost switch form factor. Release here. This is the first, but it won't be the last. I've already spoken to two other vendors that have updated LAN switching products with lots of security mojo almost ready to go, and there will be more. There always is.

Why is this interesting to customers? First, many of the existing switches are getting tired. Well not really, they move bits just fine. But a lot of the new functionality that integrates security into the core of the network fabric cannot be run on the older switches.

The interesting aspect of this is that some start-ups are going into one of Cisco's strongholds, which are switches in the closet. Is Cisco really exposed here? The answer is no. Cisco has a very good story about why the switches should be upgraded, and upgraded to Cisco hardware at that.

Cisco's only blind spot is price, but I still expect them to get the bulk of that business. But there are lots of other tired LAN switches out there that are vulnerable, and a lower-cost alternative will be pretty interesting to those customers.

I can definitely see how an Extreme and/or Foundry (or even 3Com of the walking dead) could add new security capabilities to their switches, selling into their existing base of "anyone but Cisco" customers. But what chance does a start-up have to even move the needle against Cisco?

Basically not much. But that's not the goal. Remember, "big is the new small" and we know that Juniper, probably Symantec and even some smaller public companies like F5, Sonicwall and ISS need to be in the closet. They cannot maintain any kind of enterprise security presence without having equipment in all the enterprise domains, which includes the wiring closets.

So basically, folks like ConSentry are teeing up the exit strategy. Sooner or later Juniper is going to realize their strategy does not get them where they need to be. So their choice is to buy a Foundry or Extreme (and bring the checkbook because that's a multi-billion dollar deal) or take out a start-up with some interesting technology.

Customers should be excited by this. Not because they need to upgrade their switches, though that does tickle the fancy of more than a few network/security admins. But we are going to see serious price competition on these "secure ports" and further commoditization of standard ports.

So thanks to ConSentry for getting the ball rolling. We are going to see a lot of this in the near term, and my early prediction is that the most over-hyped product of RSA 2007 is going to be the "security switch."

The Importance of Vendor Viability

Submitted by Mike Rothman on Wed, 2006-03-08 18:02.

Coming across a product review of NFR's latest intrusion prevention device started the gears turning in my head. That's always dangerous. If you read the review (here) and believe the reviewer, NFR has strong technology. Not sure how the reviewer thinks a $13k sensor is going to appeal to SMB customers, but I digress.

As I read the review, I kept thinking "who cares?" It's not like anyone is really going to buy something from NFR at this point in the game. Yes, that is being unfair, but life is not fair. Get over it.

In all seriousness, IPS is a very mature technology. Some products work marginally better than others, but all of the leaders tend to do the same stuff with relatively similar performance. So, at this stage of a market's evolution, how can company viability NOT be at the TOP of critical selection criteria?

Did we not learn anything during the deflation of the Internet bubble? To refresh your memory, countless numbers of organizations had a ton of fancy looking and expensive doorstops when scads of vendors went belly-up. So why take a chance on a company that may not be around 3 months from now? The answer is you don't unless there is something truly innovative and category breaking.

In IPS, I'm hard pressed to get a feel for what that would be. It's true that Sourcefire did bring significant innovation to the table (3 years ago), but that was by consolidating a number of functions roughly associated with IPS. And we know how that story will end with CheckPoint taking the viability issue out of play. That is as long as the US Commerce Department doesn't decide to make an idiotic stand because they are pissed off about that UAE ports deal.

Not to just pick on NFR, but TippingPoint runs the real risk of ending up in the same boat. They were a pioneer in the IPS space, but their parent company (3Com) is as sick as a Stage 3 cancer patient. How long before customers start worrying that 3Com is going to take TippingPoint down with the ship? I say 2 more quarters unless the new guy at 3Com can turn it around pronto.

It's just easier to go with Cisco or Juniper or McAfee or CheckPoint/Sourcefire or ISS. Big is the new small.

To be clear, I AM NOT a start-up hater. I love the innovation that comes out of start-ups. As long as a new category solves a real problem in an innovative way, then end users will take the risk. But once a category matures, there is no place for risky start-ups. The downside is not worth it. In mature markets, viability MUST be at the top of your selection criteria list.


Cranking up the Hype Machine for "On-Demand Security"

Being out at the annual RSA show is always interesting. You try to get a feel for what is "hot" and what is actually selling. Over time, it has been amazing to track the hype and watch carefully for the signs of adoption.

Hype began in earnest a couple of weeks ago for "on-demand" security, driven by the formal announcement of Microsoft's Windows OneCare and Symantec's Genesis. You can read the analysis of Genesis here. At the show, expect big thought-leadership messages from the RSA keynotes, specifically VeriSign's Stratton Sclavos and ISS' Tom Noonan.

Noonan hit the circuit last week to start building up momentum for ISS' on-demand strategy. Check out eWeek to get the news. The article starts off with:

"Tom Noonan is fed up with the security industry. He's tired of seeing every new point solution touted as the savior of the Internet, and he's had it with the hodgepodge of security technologies from various vendors not working together and causing administrators more headaches than the threats they're trying to protect against."

Amen brother. That's awesome. I'm fed up too, and we are largely on the same page about too many narrowly focused products trying to solve every minor security issue. That's what "no mas box" is about and it's right. Something has to change. Best of breed is fine, as long as it fits into the existing infrastructure.

Is ISS the right company to be driving this change? They have as good a claim as any, I guess. But success will require more than fancy slides at RSA. To be clear, I have not spoken to ISS about their strategy (even though they are right down the street) and am planning to do so right after RSA. But let me give a couple of early impressions:

  1. ISS needs to do something - Clearly the company has seen a bit of a renaissance driven by the move to Proventia appliances. But, in order to convince folks they are a security player with longevity (as opposed to waiting for Cisco or CA to buy them out), a big story demonstrating this is critical. Of course, executing on this over time is pretty important too.

  2. On-demand security is nothing new - You get anti-virus updates on your machine every couple of days. Your anti-spam gateway may update signatures every 10 minutes. It seems every Tuesday you are getting patches for Windows. What is different about "on-demand?" Basically nothing. The idea of linking your asset base to a vulnerability scanner to get relevant updates is not novel (we tried to do that at TruSecure and Tenable and Sourcefire do it today). Packaging and pricing as a service is kind of novel. Moving to the razor blade model probably makes sense over time.
I'll also pull another quote from the article, this time from the reporter.
"But the security community has been slow to adopt the software-as-a-service model, in large part due to the concerns that many enterprises have about putting the security of their networks in the hands of outsiders."

This is actually wrong. Have companies TOTALLY outsourced their security? No, but how can you do that unless you've totally outsourced your infrastructure? But the adoption of targeted services is happening right now. Lots of folks have their ISP or outsourcer manage their firewalls and IDS devices. That is increasingly becoming the purview of the carriers, and that trend will continue. And services for vulnerability scanning and email security tend to have as great (if not greater) market share as their on-prem counterparts. Check out the MSS Incite for more detail.

So, there will be lots of stuff announced this week at RSA, much of it aimed at driving hype to usher in the "on-demand" age of security. Much of this will be re-branding of the existing stuff, so we will see some innovative marketing to make the old stuff seem new. But, the short-term impact is minimal.

Yet, the idea of leveraging the "network" where it makes sense to increase security and speed reaction is right and this will happen. The question is just when. You know I'll be watching closely for when it becomes real.