VeriSign

Comment Watch: The role of vulnerability research

Submitted by Mike Rothman on Thu, 2006-07-20 17:19.
In today's TDI, I mentioned a different perspective - offered by Dave Goldsmith of Matasano - showing a positive view of the Symantec study of Vista's network attack surface (link here). Sure enough, Dave's colleague Thomas weighed in to clarify some stuff. It became a pretty interesting interchange between the two of us, and one that warrants a deeper discussion. Since many of you don't get access to the comments via RSS, I thought I'd cut and paste a bit to keep you clued in. I did edit Thomas' comments a bit because this is a family blog. HA!
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:15.

The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.

I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.

Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years".

Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.

I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.

Thanks for noticing us, though! =)
For a change, the Matasano guys are adding value to the discussion. Here is my response:
Submitted by Mike Rothman on Thu, 2006-07-20 10:26.

Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.

If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.

I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.

And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:
Submitted by Thomas Ptacek (not verified) on Thu, 2006-07-20 10:59.

You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.

Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?

Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.
So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.

But now it seems that every vendor has its own version of the report. Every big one, anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?

At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee), and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks' stuff.

This is both a PR strategy - pioneered very effectively by eEye (3rd-party patching, anyone?) and new entrants like Mu Security that have boxes designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software, then they must do a good job of protecting their own, no?

Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.

But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottom-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.

So what? Basically, I figure we are going to see vulnerability researchers let loose on competitors' security software. The Symantec-Microsoft deal may have been bottom-up, but in a market this competitive, with folks looking for literally ANY advantage, it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating: on one hand working to seem on the up and up - just doing a service to the community, don't cha know - but on the other hand trying to stick it to the competition when they can. That's a high wire act for sure.

But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.

Deal: VeriSign buys GeoTrust

Submitted by Mike Rothman on Wed, 2006-05-17 17:16.

In VeriSign's latest flexing of the checkbook, they have acquired GeoTrust for $125 million in cash. I don't really do market share numbers, but it would seem that this deal would give VeriSign a virtual monopoly on the SSL certificate business. But GeoTrust claimed to be the second largest certificate authority and they are being bought by the first. Sure Entrust and CyberTrust are still in the business, but no one else of note.

But does it matter? Is VeriSign all of a sudden going to start turning the screws on customers and raising prices, which is where anti-trust would be an issue? I don't think so. The switching costs on SSL certs are virtually nil. I mean if you have 10,000 of them, then it may be a bit of a problem - but short of that, I don't see VeriSign doing anything on the pricing front. Status quo is good. You just want the customer to renew every year and keep milking that SSL cash cow.

I'd be surprised if they even changed the branding. I still see the "Protected by Thawte" seal every now and again, even though VeriSign bought them like 6 years ago. Again, why mess with anything? It's not like those web seals cost a lot to maintain.

So why do the deal? It's all about scale. GeoTrust has 100,000 customers representing who knows how many certificates and those can be plugged directly into VeriSign's infrastructure. They can gain operational efficiencies from the deal and continue to control that market. For GeoTrust, this is a way to get liquidity. Do you go out and raise money to get another 3-4 points of market share? Nah, not worth the effort. Take the money and run.

VeriSign thinks the deal will be accretive in 2007, so there you see the power of integrating the infrastructures. VeriSign has additional data center capacity, so if they can drive more revenue through, it flows right to the bottom line. Nice.

Customers don't really care either. It's business as usual on that front. Your cert is your cert is your cert. But in all likelihood it's been issued by VeriSign.

Deal: VeriSign acquires SnapCentric

Submitted by Mike Rothman on Fri, 2006-02-17 06:13.
It seems all the big security vendors have their checkbooks out and they aren't afraid to use them. The pace of M&A continues to accelerate, and for good reason. Niche security is out, "security solutions architectures" are in.

So vendors need to get big or get out. Big is the new small. This will continue to drive consolidation this year and into next. The latest deal (there were 3 announced last week alone) is VeriSign buying Snapcentric, to add some fraud identification technology to their line of authentication solutions.

Strong authentication is a critical part of identity management. The upcoming "Battle Plan" on Identity Management will discuss this in much more detail, but suffice it to say having a built out identity management infrastructure is fairly useless if you don't know who is trying to get in.

For the first time, RSA is facing legitimate competition in the enterprise token space. VeriSign has the reach and brand to challenge. In terms of where authentication is going, clearly there is a need to get smarter and do the "right" amount of authentication depending on what needs to be done. This kind of "contextual authentication" is critical, especially for financial institutions. If someone is transferring a million bucks, you probably want a few more authentication hoops to be required. That is what drove RSA to buy Cyota at the end of last year.

Adding value on top of the commodity token drove VeriSign to acquire Snapcentric. VeriSign paid about $12 million for the company; clearly RSA's Cyota is much further along in establishing that beachhead in the banks. Yes, I understand Cyota and Snapcentric do somewhat different things, but that's not the point. It's about adding value on top of strong authentication, and that is what both deals were about. Suffice it to say that VeriSign is now going after their genetic ancestry, using the very network RSA had a big hand in building. Remember, it was RSA's technology that was the foundation for VeriSign.

It should be fun to watch these two slug it out. Customers will get better pricing, safer transactions and more innovation. That's the way competition is supposed to work.

VeriSign VIP: The Identity Service Provider?

Submitted by Mike Rothman on Tue, 2006-02-14 09:12.

Yesterday at RSA, VeriSign announced their VeriSign Identity Protection strategy, called VIP. Cute, eh? It is a broad strategy focused on providing "identity protection for consumers who conduct business online" (their words, not mine). VIP will initially be integrated into eBay/PayPal (through the payments platform VeriSign sold to them) and Yahoo, which is a good start.

As I've been researching the identity management market for the upcoming Battle Plan, it's become clear that one of the impediments to wide-scale, truly ubiquitous identity is the lack of a central body to vouch for those identities. You can use your favorite driver's license analogy here to illustrate the need. But without a somewhat universally trusted entity to vouch for these credentials, we will always have to do one-off business relationships, which is neither efficient nor scalable.

It seems that VIP is focused initially on consumer financial applications, continuing to go up against RSA and VASCO in that space. To be clear, tokens are not novel anymore. The eventual winner in this space will surround the token (or whatever other authentication mechanism) with value added services to create a more complete solution.

So for RSA, that value add is in the form of Cyota's "contextual authentication" capabilities. They can figure out what kind of transaction is being attempted and provide the "right" amount of hoops for the customer to jump through.

VeriSign's value-add is their network, and they are playing to their strengths. The fact that their trust hierarchy is present in EVERY browser in the world is critical. As VeriSign undertakes greater levels of authentication to establish an identity, a VeriSign VIP credential becomes more trusted and somewhat universal. Combine that with a strong business development effort to permeate the VIP "agent" in all the web sites out there and this could be a pretty powerful option.

Seems a lot like Security Dynamics' (yes, the forefather of today's RSA) strategy in the early '90s. Get your agent deployed in all the applicable network equipment and customers don't have a choice but to work with you. It was brilliant and worked like a charm. They are still the leader 10 years later based on that strategy.

Will VeriSign execute as well? I suspect not; the world is much harder today and competitors are much more capable of building to similar APIs to remove any kind of API lock-in. That's one of the "benefits" of web service standards. It's also not clear that consumers will accept a commercial Identity Service Provider.

It's also interesting that VeriSign does not seem to be playing with the Liberty Alliance in this initiative. What they are describing is basically federation, but for consumer-oriented applications. This will go over like a lead balloon in identity management circles that have worked pretty hard to establish standards and rules of engagement for federation. But VeriSign has always been a bit of a maverick relative to working with other folks.

What VeriSign does have is the network and a trusted brand driven by their SSL business. So, they've got a chance, and given the true need for the "Identity Service Provider" that is progress.