RSA
RSA's RSA Keynote: The End of the World as We Know It
Art looks tanned, relaxed and healthy. A $2.1 Billion deal will do that for you.
Oh, yeah. Back to the keynote. He seems to be channeling Joe Tucci (head of EMC). It's all about the information. "If you can't manage the information, you can't secure it." You think he's in the information management business?
Clearly the approach we've taken for security isn't working. I've said that once or twice before. So I'm there with him.
He's calling for THE END OF THE STAND-ALONE SECURITY INDUSTRY. Within 2-3 years. That's a Bill Gates-ian prediction a la spam. Interestingly enough, he's putting the nail in the coffin of his own damn conference. If there is no stand-alone security business, who is going to pay the tab?
Big is the new small. Boy, the stuff I wrote last year was right on the money. Kind of scary. I better think of some new stuff for this year. Did I mention the Pragmatic CSO? That's new, right?
Security is inextricably linked to business strategy. Man, that's Pragmatic.
Now he's talking about how security can "accelerate" business. That's crap. Didn't believe it back then, don't believe it now.
But security is a hallmark of all the big technology providers. It's true. Cisco, HP, IBM, EMC, etc. Security is a key part of what all of these folks are doing.
Security is not about firewalls and IPS. It's about cash, unimpeded business processes, the customer experience. Interesting. We haven't implemented "information security." Haven't focused on the information or linked security to the information. Amen.
The new term is INFORMATION-CENTRIC security. Start at the core and work out. Minimize risk. Three guiding principles:
- Not about perfect security - security aligns with the value of the information they are trying to protect. Did Art read my book when I wasn't looking???
- Needs to adapt - Pattern recognition right into the infrastructure. Kind of like anomaly detection-based approach. Based on behavioral techniques. It's the only way to defeat malware. Of course he pushes adaptive authentication. I do buy into that.
- Requires defense in depth - Proactively understanding the risk to your organization. Intelligence sharing and a layered approach to security. Need to leverage security being built into applications.
Now he's pushing EMC's other software products. Oh joy. At least Art knows who pays his salary.
Another pitch without a demo or specific product announcements. Maybe this is a trend.
2007 Innovation Station Nominations
I get asked pretty frequently by start-ups about how to get more exposure for their company. Basically, they are looking for free PR advice. Most of the time I'm pretty gracious in providing it. They also hope that I'll say something nice about them in TDI or on the blog. That is playing with fire. As we all know, I call it like I see it, so there is risk in "hoping" I'll favorably cover any vendor.
But I've got another idea, as the folks promoting the EMC, I mean RSA Conference reminded me about the Innovation Station awards. Basically, if you are a start-up or early revenue company that has something interesting, you can get an invite to participate in this program. You get a kiosk on the show floor (it'll cost $4K, but booths usually cost $25-30K, if you can even get one) and you get an opportunity to pitch a panel of CSO's and VC's with your idea. The catch? You get 5 minutes to pitch. That's it. 5 minutes. Even at DEMO you get 8 minutes - so this is really an elevator pitch.
When I was VP of Marketing at CipherTrust we did the inaugural Innovation Station in 2005. I gave a 3 minute pitch (they are more generous with their time now) and it was great, despite the fact that I had laryngitis for the first time in my life. You really need to be laser focused. We came in third, with Sourcefire being the winner. Both companies have done OK, so performing well in the Innovation Station is usually a good sign.
So I think the Innovation Station is a great way to generate some interest in your company at RSA. The information is below, including the sign-up link. Good luck.
RSA® Conference 2007 Innovation Station
RSA® Conference is looking for the most innovative emerging company in the information security industry for its Innovation Station program – held in conjunction with RSA Conference 2007, February 5-9, 2007 at San Francisco’s Moscone Center.
The submission process is open for pre-IPO companies in the information security technology space interested in participating. Companies must be privately-held and in business for fewer than two years, with confirmed 2006 booked revenues under $5M and a new product or service introduced between March 2006 and February 2007. Once selected, these companies are provided with a unique opportunity to showcase new products or services to a judging panel comprised of leading venture capital investors, CSOs, press, and industry experts, as well as exhibiting in a special Innovation Station pavilion on the expo floor.
The winner will be named “the most innovative new company” at RSA Conference 2007 and be promoted on the RSA Conference 2007 Web site, in a follow-on press release – and also be provided two individual face-to-face meetings with members of the judging panel after the Conference (subject to availability).
This is a great opportunity for relevant clients on your firm’s roster. Please feel free to forward this information to any companies or clients that you feel would be a good fit for the Innovation Station.
To nominate a company as a candidate for the Innovation Station, please visit http://www.rsaconference.com/2007/us/expo/additional/innovation/.
Nominations will close on Friday, December 15, 2006 at 5:00pm PDT.
Deal: EMC/RSA buys Network Intelligence
As I alluded to in this AM's TDI, EMC has not let the grass grow under their acquisitive feet and acquired Network Intelligence for $175 million this morning (release here). This looks to be about 4-5x sales and is a healthy number given that SIM is clearly just a feature of security management. Stiennon may not want to call it consolidation, but there is no standalone market for SIM. So now we get to watch all the vendors run for the exits.
For EMC, the deal makes sense on a number of levels. First, EMC has spent a while aggregating some management technologies (notably SMARTS) and Network Intelligence fits into that model. They provide intelligence for what is going on from a security standpoint and I think there is leverage in the data and analysis that SMARTS brings to the table for the network folks. It also gives some additional capabilities to the RSA folks, who didn't have a SIM in their bag.
Ultimately, I think the most leveragable part of the deal is something that EMC neglected to spell out in their deal presentation - the role of log management in driving more storage consumption. In fact, I'm not sure EMC realizes they just bought into the log management space. This is a good thing for EMC because logs take up a crapload of space, especially forensically clean ones. Anytime you are storing 100,000 things a second, it's going to demand some space. Ergo more storage.
EMC painted Network Intelligence as a SIM because that's where they started and that fits better into EMC's stack chart of all the security markets they play in. Too bad it's wrong. If you look at NI's positioning of late and what problems they were trying to solve - it feels a lot more like log management to me. If they were going to go it alone, they'd need to morph their positioning and log management is where they would have ended up. They were already more than halfway there.
I also want to point out that log management, though a distinct market from SIM, IS NOT a standalone market over time either. On LogLogic's blog (here) they go through their reasoning about why SIM is crap and log management is a standalone market, based on what SANS says. Besides the fact that SANS just put on a blow-out Log Management Conference, it just doesn't ring true to me. Over time log management is also a subset of a broader security management story. Like SIM, only different.
I'm not disputing that log management is different than SIM. I've written about that a number of times (here, here). It's about high volume log aggregation and forensic cleanliness to help in the event of an issue. Like every other security market, the log management folks have plastered a reporting engine on top of it to appeal to the compliance folks.
But I don't believe it's standalone ad infinitum. So the real question is when does someone like Network Appliance (who is also trying to break into the security market) take out LogLogic or some repositioned SIM-thing like SenSage to gain exposure both to security and to control a storage driver. Or maybe it's Cisco or Juniper, since you can just as easily aggregate network log data. Or even Symantec or McAfee, though neither one particularly understands appliances.
The only thing I do know is that it will be someone, you can take that to the (Log) Bank.
NetworkWorld Column: EMC + RSA = New force in data security
In this week's column, I go into the EMC/RSA deal - but more from the perspective of why all of the detractors have it wrong. I seem to be one of the only folks that is positive about the deal, but I like it that way. If I agree with everyone, I'm not doing my job.
I'll also note that I have to be more careful about using cliches like "game-changing" in my mass market columns. I do use that term here, but then I went on to say about how the term game-changing makes me want to puke. Surprisingly, that part got edited. Arghhh!
But I guess that is part of the game. We'll see how this deal plays out over the next few years.
http://www.networkworld.com/columnists/2006/071706rothman.html
Technorati tags: EMC, RSA, security, M&A, data security, authentication, identity management
Deal: EMC/RSA - It's official
Read the release here. Looks like Art is going to stay around and continue to run the operation. Also interesting is that the group will be called "EMC's Information Security Division," so the RSA brand presumably is dead - though they'd be fools to mess with the conference.
One of the other things I didn't consider is the proximity angle. Both EMC and RSA are Boston-based, which will make the integration of RSA into the fold much easier. Not that EMC hasn't done big West Coast deals (VMware and Documentum), but it's always a factor.
Symantec is the big loser here for a change. As I was writing the last post, the logic of Symantec/RSA made more and more sense to me. But alas, now the Big Yellow has another foil. It'll be interesting to see the Symantec spin of this deal over the next few days.
EMC & RSA sitting in a tree...
TheStreet.com has a pretty comprehensive story on the potential deal here.
It's been no secret that I think RSA is once again in the right place at the right time (here and here). Lightning usually doesn't strike twice, but given the renewed interest in authentication and some savvy acquisitions - RSA is a plum property. But why sell now?
There's an old adage about how no one ever went broke by selling too soon, and that's exactly right in RSA's case. Sure they are hot and sure things look pretty good, but security is notoriously fickle and to monetize today wouldn't be a bad thing. And Art Coviello could ride off into the sunset as a hero.
But why is EMC interested? Is Symantec's John Thompson right in that security and storage are inextricably linked now? Has NetApp's increased interest in security (they acquired Decru a while back) shown the shape of things to come? Actually the answer is yes and yes.
It gets back to the Pragmatic Security model. Securing the infrastructure and securing the information that rides on top of it are DIFFERENT things. It will not be the same vendor that dominates both, that is clear because they are different buyers. The network or desktop guys buy infrastructure security. The application or database guys buy information security. How many more ways can I say different?
Though RSA gets most of its notoriety nowadays from authentication, remember what RSA stands for - and that's encryption. EMC is all about "information lifecycle management" and that MUST include data security. They dipped their toes in the water by acquiring Authentica a while back, but you had to figure there would be more where that came from. RSA would give them instant credibility in the security space, a hot authentication product family, and most importantly a really big story regarding persistent control of data that no other vendor can match.
That's right, not even Symantec will be able to play at the same level. Symantec's entire security perspective is focused on the infrastructure. They do pretty much nothing (with the exception of some messaging security) in the application/information or identity space. In one fell swoop, EMC would become the horse to beat on the information side of the Pragmatic Security equation. John Thompson would have another reason to bury his head in the sand.
So who would the other bidders be? TheStreet.com indicates potentially CA or even Symantec. CA is pretty much in shambles right now, so I'd be very surprised if they could get their act in gear to do a big deal, though strategically it makes sense. But clearly Symantec would be the dark horse. For every reason this deal makes sense for EMC, it makes even more sense for Symantec. It gives the Veritas group some encryption and identity mojo and provides the glue to make the Symantec/Veritas deal work. Additionally, the tokens would fit very nicely into Symantec's security business, giving them another cash cow to milk for a while.
But could John Thompson pull that off? They did just raise a bunch of money in a convertible offering, so the cash is there. I'd have some operational concerns given that Symantec has a poor track record of retaining talent and that's critical to make a growth deal work, but the potential of a Symantec/RSA combination is very interesting.
Stay tuned. It should be an interesting couple of days.
How many anti-phishing networks are enough?
So it's been the consumer anti-fraud offerings that have most effectively targeted this issue by working with the banks, which are most typically targeted by these attacks. Cyota's eFraudNetwork is like a phishing analogy to the Brightmail spam-catching honeypot network. Lots of honeypots out there to gather and pinpoint phishing messages ahead of the curve.
Now Symantec is leveraging some technology they acquired from WholeSecurity to get back into the game. (link to NetworkWorld story) Whole had launched the "Phish Report Network" in February of 2005, but it had limited effectiveness. So now they think they are going to sell information that is largely available elsewhere and for free from folks like WebSense (they've got a phishing blog) and the anti-phishing working group.
More importantly, these services don't address the issue from either side. Just getting information does not alert the right folks nor help to take down the phishing sites.
The right folks that really need to get this information are the consumers. They need to know about possible phishing sites BEFORE they are compromised. The toolbar in IE 7.0 does pinpoint sites using high security SSL certificates, which will put folks on alert if a site is shown as potentially problematic. I'm not sure how getting a list of bad sites from someone like Symantec is going to help unless it drives a desktop web filtering solution that would block bad sites in real time.
It's also not clear to me how this kind of offering helps the banks (or other targeted institutions). One of the most interesting aspects of Cyota/RSA's eFraudNetwork is the established relationships and process to quickly get a phishing site taken down once identified. Also, the ability to uniquely identify a banking website to the consumer is another key requirement to defeat phishing from all sides.
Is Symantec investing in these capabilities? They'll need to if they want to be a player in the anti-phishing space.
Deal: RSA buys PassMark Security
What PassMark has is a number of banks that use their "two-way" authentication, which uses both the consumer's location and password to authenticate the user to the bank. But it also has what is called a "PassMark" on each web page, which is unique to the user and authenticates the bank to the user. Once the user is trained to expect the PassMark, this is an effective anti-phishing technique.
So what? A good amount of anti-spam and anti-phishing technology is driven by data. The more messages and/or transactions you see, the tighter your detection tolerances and the quicker you can react. PassMark doesn't really give RSA any technology they didn't already have with Cyota, but it gives them more breadth, more data and more customers.
Last week, when I went over RSA's earnings release (link), one of my conclusions was that with the Cyota technology RSA now has a reason to talk to larger financials about more than just token renewals. Now they are broadening their base of financial customers and can upsell the PassMark customers to a full suite of Cyota stuff (say that 10 times fast).
Clearly RSA has seen the light about consumer authentication, especially in financial institutions, and is bent on not giving that business directly to Vasco anymore. I'm the kind of guy that likes a good fight and we seem to have one. We'll see how Vasco reacts to protect their consumer franchise (especially outside of the US), while they continue trying to attack RSA's base in the enterprise.
Evidently, RSA has taken some aggression pills because this is another solid move to broaden the foundation and get a new wave of customers to chase. And more importantly, they did it preemptively before someone like Vasco or ActivIdentity got to it first.
Revisiting the Early Firewall Days
The first thing that is abundantly apparent is that the world is far more complicated today. Way back when, customers had to worry about strong authentication and firewalls. That was about it. I guess you could count mainframe security, but that was more of the data center guys than the network guys that I dealt with daily. Nobody really thought about enterprise security, it was really focused on domains like network and host.
In terms of examining the two spaces, they couldn't be more different. Security Dynamics (now RSA) dominated the authentication space because they had built their agent into every remote access product out there. The other folks (Enigma Logic, LeeMah Datacom) couldn't compete. RSA still enjoys a huge market share position today.
The firewall market was brutal. You had DEC initially, but they couldn't get out of their own way. Then you had Trusted Information Systems, Raptor, Secure Computing, and Check Point trying to get established. So very similar to today, you had a bunch of companies that were chasing the same market, telling roughly the same story and making every deal a blood bath.
So when I say I've seen the movie about today's market dynamics, I'm not kidding. There are more moving pieces and product cycles are a lot faster, but things are roughly the same.
Now TIS was an interesting company. To my knowledge, they were the first company that offered a security product for free over the Internet (the Firewall Toolkit) and then sold a more functional and polished commercial version on top of that. I think a couple of companies have made that model work since then, eh?
Ultimately one company survived the firewall war, and it was Check Point. Why? They had better distribution and marketing. Check Point's approach was different (stateful inspection vs. application proxy) and they played that up. They vilified application proxies as slow and the wrong approach.
At the same time, Check Point nailed down a distribution deal with Sun, so an entry level version of Firewall-1 shipped on every internet server that Sun sold - and that was a lot. Check Point also got very good at getting the Sun direct reps to bundle in the upgraded version as part of the deal. The cost of sales on these deals was minimal, Sun did all the work. That's why Check Point had gross margins like Microsoft and net margins over 50%.
Interestingly enough, Raptor tried a similar deal with Compaq. That went over like a lead balloon. Basically, Compaq didn't sell much of anything - their channel did. Raptor just couldn't get Compaq's channel interested in upgrading the firewall. There were too many other things to do.
Check Point also started OPSEC, their partnership program, positioning their firewall as a platform, not a product. Once they built an ecosystem around their stuff, it was a lot harder for the other guys to compete.
But all of the firewall companies were able to go public and all benefited from the rising tide for a while. Then economic reality set in. Secure Computing used their overvalued currency to acquire a bunch of other companies and then hit the wall big time. They almost went down during the bubble, and ceased to be a firewall player. They are still in the business and even acquired what was left of TIS after the Network Associates deal, but they never regained their luster in the space.
Speaking of TIS, they sold out to Network Associates and then watched as CEO Bill Larsen's dream of a suite of security and management products turned out to be a few years premature. They tried to be big when small was still cool.
Then, of course, a little company called Netscreen started doing a firewall packaged as a secured appliance. I remember meeting with them when they were first launching the company. I couldn't believe what a dumb idea it was. Didn't they realize that Check Point owned the firewall market? Who wants it on a box anyway? Not one of my shining analytical moments.
So what? I ask that question all the time. Who cares about this ancient history? Well, I think every user needs to because history has a way of repeating itself. If you pay attention to the signs and recognize the patterns, you can save yourself a lot of heartburn. Vendors lose their edge, they don't navigate product or market transitions very effectively and many customers are left holding the bag.
Look at your current stable of "key" security vendors. Are you comfortable with their strategy? As big becomes the new small, are they poised to prosper? Are they willing to acquire the right products and partner to build a broader product set? Are they financially stable, with the resources to keep investing ahead of the next threat?
If you are not comfortable with any of the answers to those questions, it's time to start building a contingency plan. You don't need to pull the trigger too early, but you should give some thought to what you'd do if one of your key vendors is acquired or doesn't keep pace with the rate of change.
Earnings: How RSA Got its Groove Back
When I was a marketing guy, RSA was the company everyone loved to hate. Not because they necessarily did anything wrong, but me and many of my security marketing brethren hated paying the RSA Conference ransom. This was especially an issue during the tech meltdown because you couldn't hit a customer with a 12 gauge shotgun at the show. There were none to be found.
And the quiet but steady erosion of their installed base of tokens made the company seem tired and on the long slippery slope to oblivion. Folks like Vasco and Secure Computing were making the token business about pricing, instead of functionality. It certainly didn't help that they bungled the Securant acquisition, basically getting into the space of web access management right as it peaked, paying a pretty significant premium.
A few earnings misses, the departure of a well respected CFO and VP of Sales and Marketing, and the wheels seemed to be falling off the bus. Clearly it was just a matter of time before one of the big security aggregators bought RSA to milk their installed base.
But now a very strange thing has happened: RSA is turning it around. You can count on your fingers the number of companies that have turned the ship. They announced Q1 results (record revenues, beating earnings by a penny) and a good outlook for Q2. Of course, one strong quarter does not make a turn-around, but things look good. There is buzz around RSA again.
The reason is pretty simple. They bought a company called Cyota back in September. Cyota provides what I've dubbed "contextual authentication" services to most of the big banks around the world. Using their software, the banks can decide how strongly they need to authenticate a user for each specific transaction. So now, the banks can just require a password to check your balance, but can require a series of stronger methods if attempting a high value transaction.
Contextual authentication is the next big thing in the authentication space. No one really has a competitive offering, so RSA taking Cyota out of play was a strong move.
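The per-transaction decision described above, written out as an added example (this is not RSA's or Cyota's code, nor code from the original post): a small step-up authentication policy in Python. The action names, the amount thresholds, the three assurance levels and the device/location signals are all constructed assumptions; the escalation on an unrecognized device or location goes a little beyond the passage, which only talks about transaction value.

```python
"""Contextual (step-up) authentication policy, added as an illustration.

A bank decides how strongly a user must be authenticated based on what the
user is trying to do.  Everything below (actions, thresholds, assurance
levels, device/location signals) is a constructed assumption, not a
description of any vendor's product.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered authentication strength already proven, or required."""
    PASSWORD = 1      # something you know
    OTP = 2           # password plus a one-time code from a token
    OUT_OF_BAND = 3   # password, OTP, and a confirmation over a separate channel


@dataclass(frozen=True)
class Context:
    """What the user is asking for, plus signals about the session."""
    action: str                       # "balance", "transfer", "add_payee", ...
    amount: float = 0.0               # value of the transaction, if any
    known_device: bool = True         # device seen before for this user
    usual_location: bool = True       # request comes from a familiar location
    session_assurance: Assurance = Assurance.PASSWORD  # strength proven so far


def required_assurance(ctx):
    """Map the request to the assurance level the policy demands."""
    # Base requirement is driven by the action and its value.
    if ctx.action == "balance":
        level = Assurance.PASSWORD
    elif ctx.action == "transfer":
        if ctx.amount >= 10_000:
            level = Assurance.OUT_OF_BAND
        elif ctx.amount >= 500:
            level = Assurance.OTP
        else:
            level = Assurance.PASSWORD
    elif ctx.action == "add_payee":
        level = Assurance.OTP
    else:
        # Fail closed: an action the policy does not know gets the strongest level.
        level = Assurance.OUT_OF_BAND

    # Anomalous context raises the bar by one level, capped at the maximum.
    if not ctx.known_device or not ctx.usual_location:
        level = Assurance(min(level + 1, Assurance.OUT_OF_BAND))
    return level


def decide(ctx):
    """Return ("allow", level) if the session is strong enough,
    otherwise ("step_up", level) naming the level the user must reach."""
    need = required_assurance(ctx)
    if ctx.session_assurance >= need:
        return ("allow", need)
    return ("step_up", need)


if __name__ == "__main__":
    # Constructed sample requests to show the policy in action.
    samples = [
        Context("balance"),
        Context("transfer", amount=2_000),
        Context("transfer", amount=2_000, session_assurance=Assurance.OTP),
        Context("transfer", amount=25_000, session_assurance=Assurance.OTP),
        Context("balance", known_device=False),
    ]
    for s in samples:
        print(s.action, s.amount, decide(s))
```

The policy is deliberately a pure function of the request context, which makes it easy to unit test and to log: the tuple it returns is exactly what an audit record for the decision should carry.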
But more importantly, it gave the RSA field something strategic to talk to their customers and prospects about. Something the reps understand, which is authentication. That web access management stuff is different. So is provisioning, which they initially OEM'd from Thor (who was subsequently acquired by Oracle). RSA had a hard time selling those other applications because they weren't tokens.
At the same time, identity management became front and center on the project plans of many of the large enterprises and RSA has a decent story. They stick to their authentication knitting and add value to the big stack players. The Sign-On Manager is well regarded. Since customers are looking to add to their RSA offerings, the renewal premium for all of those tokens goes down a bit easier. In many cases they are buying more and/or new stuff from RSA. This has a powerful effect on RSA results and momentum.
As I mentioned, one quarter does not make a turn-around, but the trend lines for RSA are moving in the right direction.