
October 13, 2006

Toto, you are not in Kansas anymore

Seems Greg Toto, VP of Product Management at Big Fix, took a little offense to my comments regarding patch management and Big Fix. I would normally leave his comment condemned to right hand column purgatory, but Greg obviously feels pretty strongly about his position and frankly I think he is dead wrong. So I am going to publish his comments into the middle column along with my response. Of course, I will give Greg a chance to respond as well. You should also know that I have spoken to Greg a few times in the past and though he is passionate about his product, I have nothing personal against him. However, Pride is one of the 7 deadly sins. Interestingly enough it was St. Gregory the Great who originally introduced the 7 deadly sins and he lists Pride as the first and most deadly. It would appear Greg has not read his namesake's work and is certainly guilty here. Let's look at what he has to say:

Alan,

Nice piece about patch management consolidation. I think you addressed the inaccuracies in the SearchSecurity article well. However, I think you missed the mark on a couple of things.

One is that scanning based vulnerability assessment vendors have any long-term future at all – with or without remediation. I think they are fundamentally doomed. Sorry, but the laws of physics are against the network-scan paradigm. You cannot expect to control something (risk profile, configuration, compliance, whatever), any more tightly that half as fast as you measure it, and that assumes you can make your measurements – vulnerability scans for example – accurately and completely. Accuracy and comprehensiveness (can we say “mobile assets”), are not hallmarks of scan-based VA.

Now on to BigFix. You mention that we have “tried to position” ourselves as “so much more” than patching and may be left out of this “feeding frenzy”. Oh Alan, how much you miss! You have confused our point of entry into the enterprise market (patch management), with what BigFix is - a disruptive platform for managing the health and security of enterprise computing assets – anytime, anywhere – in real-time. And note, I didn’t say “Windows assets”, I said “computing assets” - these days every asset that connects to your network is part of your risk equation and ultimately your management headache.

Nor is BigFix overly concerned about being acquired. We have the right technology and team to upset the systems management apple-cart in large enterprise (and I include security in that cart as well). But don’t believe me, just ask BigFix’s global enterprise customers that are now replacing SMS, and Tivoli, and Radia, and Altiris, and McAfee - and their gaggle of point tools – like PatchLink - with BigFix’s security configuration management solution that covers network discovery, inventory, software distribution, anti-malware, and yes, patch! Like TRW Automotive, Pitney Bowes, Countrywide Financial and 500 more.

Regards,

Greg

OK, let's dig in here. First of all to Greg's point about scanning based vulnerability assessment having a bleak future. Greg's reasoning is that they are fundamentally doomed due to the laws of physics. Greg cites what I guess is the Toto Law of Special Relativity, that says you cannot control something, any more tightly that (sic) half as fast as you measure it. I assume he means any more tightly than half as fast. In any event, I remember taking some physics in school. I do remember some physics theories by a guy named Einstein and some laws by Newton, but I don't remember any by Greg Toto and I don't remember any law of physics anything like he is talking about. Now maybe I was out in the Rathskeller that day drinking beers and missed it, but I doubt it. So Greg I have to call BS on your laws of physics. Next, what difference does it make anyway? Are you telling me that your law would only apply to vulnerability scans but somehow host based assessments would be immune from this law of physics? Are your host based assessments not subject to the laws of physics or do the laws of physics cease to function when applied to Big Fix? Somehow, Greg says that because I have an agent on a machine, the information I will receive from the assessment it does is of a higher accuracy, faster and more comprehensive than a network based scan. Greg, maybe you should go talk to Richard Stiennon and let him tell you about how you cannot believe an endpoint to honestly report on itself. You probably need both views at certain times to truly deal with this problem.

Then Greg you point out that network based scans might have a problem with "mobile assets". Glad you brought it up. Yes if the device is not on the network at that time, it cannot be scanned. Let me throw one out at you, can we say "unmanaged mobile assets"? Yeah Greg, what do you do when you can't put your software on the device to test it? Don't start rambling about your partnerships with Infoblox and such who can put it in quarantine. That is diminishing productivity. Greg, you can jump up and down and rant all you want. Fact is that putting agents on every single device is never a complete answer in today's dynamic environments. You are going to have devices that you cannot install software on and then what do you do? On top of this, last I looked there was not a very big fan club for putting yet another agent on machines to manage. Frankly I don't care if you have agents for Windows, Mac, Linux, OS/2 or the microwave oven for that matter. The more agents, the more overhead!

I think any rational security expert without an axe to grind or a product to sell will tell you that you need both host based and network based security in place. You need to make sure you are getting an independent view of what is coming on the network and what its posture is. In fact much of today's security technologies come down to network based and host based approaches. Though our products are clearly network based, I am not too proud to say that they are all you need. There is certainly a need for host based security. But Greg, don't be so prideful to think that the reverse is not also true. I find it hard to believe you would not agree with that Greg.

Next Greg takes out the marketing hose and starts spraying Big Fix marketing hype all around. So let's put our boots on and wade on in. It seems Big Fix can do it all. Greg, I think you left out access control; I know you claim to do that as well. In fact Greg, Big Fix does so many things it is sort of the Popeil Kitchen Magician of security configuration. Maybe you can get Ron Popeil to put you guys on after the Showtime BBQ rotisserie. It could be a new distribution channel for you. Remember the old saying though, jack of all trades, master of none!

Are we to believe that Big Fix is so disruptive that Microsoft should stop selling SMS, IBM better not bother with Tivoli and HP should just junk Radia, not to mention Altiris, McAfee and the rest? Please Greg, like the title of this article says, you are not in Kansas anymore son. Don't come out here spewing marketing spin and expect to score any points or fans. When you are taking on companies like this, you are playing in the big leagues and a little humility may do you some good. These are all companies with exponentially more resources, experience, sales footprint and distribution models than Big Fix. You tell us about a few customers; last time I checked Tivoli and SMS had a few customers too. Greg, your pride is showing through and blinding you to common sense. But let's be real, at the end of the day you are not in their league fella. Big Fix's bread and butter is still patch. When you get big enough to become a blip on the big boys' radar they will swat you like a fly. At that point I suggest you put on the ruby slippers, click your heels three times and wish you were just a patch manager again. It may be too late.

This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.