13 posts categorized "Chris Hoff"

March 03, 2008

TippingPoint goes 10GBPS, but do people want just IPS or UTM?

TippingPoint announced their Core Controller appliance today. It is a 10GBPS inline IPS. Actually, what it sounds like is a network controller that load balances traffic among several conventional TippingPoint boxes and then puts the flow back together and passes it on.  Sounds cool, but I would like to see the latency involved in doing this.  Sounds like a lot of moving parts.  It also sounds a lot like the way Hoff used to do things over at Crossbeam Systems.

The real question for me though is not whether or not this new appliance does line speed IPS or not.  The question is do we still want our IPS as stand alone IPS or do we want it as part of UTM. Mike Rothman in his 2008 Days of Incite talks about "best of breed DOA". In it Mike talks about 2007 being a year where customers clearly voted for integrated solutions over individual best-of-breed.  He also says 2007 was the year the first open source perimeter platforms hit.  I like to think he is talking about Cobia. But 2008 will be an even bigger year for Cobia functionality! The bottom line though is, except for the Ferrari crowd, does anyone want to buy a stand alone IPS? Mike says it best when he says, "Market maturity kills product innovation".

Yes, people buy UTM for one application at first. It could be firewall, it could be IPS or gateway AV, URL filtering or anti-spam. But they like the idea of getting more than what they just needed and paid for.  They figure they are going to turn on the other stuff soon enough anyway.  Plus they get it all from one vendor.  So on this one, I have to agree with Mike.  I think people will buy UTM over single purpose security solutions in increasingly greater numbers in the months to come.  Agree?  Disagree?  Leave a comment with your opinion.

February 07, 2008

Why didn't we think of this?

Saw a pretty funny video clip today over on the Hoff-meister's blog.  It is a viral video from the folks over at Palo Alto Networks poking fun at Juniper and Check Point.  Pay attention to the words, as it is good stuff. What could be next, Dancing with the Security Stars? I would like to see Amrit, Tom Ptacek and Mike Rothman (I hear he has been practicing dancing with his daughter for this) as the contestants.

Seriously, these videos are a great way to get some buzz going and I think Palo Alto has done a great job.  Count on Chris to find this stuff. Enjoy!

December 13, 2007

UTM=Linux+open source mash up?

I have been following the Don "Cutaway" Weber / Chris Hoff "dialog" around whether UTMs just add complexity and risk to the security equation. Of course the peanut gallery then had to join in.  That Georgia peanut, Mike Rothman, puts in his 2 cents and, complete with a reference to Shinola, comes Michael Farnum with his own play-by-play and color commentary. This in addition to lots of comments from various sundry sources like Andy ITGuy and others.  Frankly, I was content to read, chuckle and keep quiet.  However, something Michael Farnum wrote struck a chord with me and reminded me of a discussion I had with some folks at a large tech company recently.

Michael says that Don, Andy and that crowd are equating "UTM=big Linux box with a bunch of security apps thrown on it."  Michael is of the opinion that "real" companies like Checkpoint, Fortinet, etc. don't use that and have "proprietary OS’s that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it".  To that I say, joke's on you, Vet.  Many of the biggest names, including some of the ones you mention, do in fact take a Linux distro, pile on some open source, slap a GUI on and abracadabra you have a UTM.  Yes, they may have ASIC or custom silicon, but many of these UTMs are Linux and many may have one or two non-open apps and then load the open source on from there.  ClamAV, SpamAssassin, etc. are staples of these boxes.  Yes, Hoff's old company Crossbeam may not follow this, their schtick (put that with your Shinola, Michael Farnum) was they took best-of-breed apps and put them together on one UTM.  But the rest are guilty as charged.  Let me be clear.  I am a big believer in UTM.  I don't buy the single point of failure stuff, I don't buy the increased complexity and security crap.  But Linux and some open source mash up with a smiley GUI is unfortunately the state-of-the-art with many UTM vendors.

As I said earlier in this post, I was talking to a large tech company who wants to bring a UTM/Network gateway product to market.  In our discussions it was clear what type of applications they would want on the box.  But no matter how much I tried to explain and no matter how much I banged my head on the brick wall, they just could not understand that when you pile crap high one on top of another, you end up with a high pile of crap!  There has to be more to it.  You need to leverage efficiencies, you have to make products work together.  Customers want to manage these things out of one GUI.  Not a portal where you click on an app icon and it launches another browser window.  You need a way for them to share information, licensing and user accounts.  In short you need a framework, much like we built with Cobia. If you think you can do a mash up of a bunch of open source apps all just running on Linux without any glue holding them together, you don't have anything worth buying.  I suspect the tech company I was speaking to is going to find this out the hard way.  I also suspect that many of today's UTM players who are not doing more than this are going to learn that hard lesson as well.

In the meantime, Don, Andy and the rest, you are spitting into the wind. The UTM train has already left the station.  Though it may not account for 50% of network security purchases by 2011 as Stiennon and IDC project, it is gaining momentum every day. It is going to be tough to buy a stand alone IPS or firewall in the near future.

September 19, 2007

Self-selecting or selecting self?

There has been a bit of a brouhaha lately over the Jericho Forum and the amazing shrinking, disappearing, shifting, changing, eternal (take your pick) perimeter.  It started with Chris Hoff teeing off on Rich Mogull. Rich had a get out of jail free card while he was still at Gartner, as not even Hoff, while working for a vendor, would piss off a Gartner dude.  However, the Teflon is gone and Hoff is on.  He took umbrage with Rich's views on the Jericho folks.  I was going to jump in, but every time I disagree with the Hoff man lately he accuses me of going off my meds.  No doubt Hoff can write a mean rhyme and a long blog post.  But sometimes he is so deep in the doo-do that he kind of loses some of the subtler points being made.  Anyway, I digress.  What got this party started was another former Gartner dude weighing in, Rich Stiennon.  For those who do not know, Chris and Rich Stiennon have a long history of antagonizing each other.  Anyway, Dan Weber then brings up a point I wanted to comment on in Rich Stiennon's comments.  Rich ends his article with this:

I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)

Dan calls BS on this and I agree 100%.  I don't believe for a second that Rich went to work at Fortinet because of his belief in the sanctity of the perimeter.  I think if Rich worked for an anti-spyware company (wait, he already did that, didn't he), he would be all for anti-spyware. If he worked for an endpoint provider he would be a big supporter of endpoint security.  Let's be clear, it is not only Rich.  Many folks in the security sphere claim that they came to work where they did because of their deeply held beliefs in the supremacy of their company's technology and approach.  I say give me a break, people.  You like it because it is yours and it is paying the bills.  Let's be open and honest about it. That would be a good place to start.

September 10, 2007

Yesterday's argument, tomorrow's solution

One of the classic mistakes that armies on the losing side make is fighting the next war with the last war's weapons and tactics.  I am afraid Mr Hoff is guilty as charged in talking about the recent Google/CapGemini deal.  In case you have not heard, CapGemini will offer Google Apps to the one million strong corporate desktops that it services.

Chris does a nice job of explaining how CG will make money on this and some of the advantages of Google Apps. However, Chris seems to side with the camp of those who think that SaaS based, centrally managed applications and the data that goes with them will present compliance and security concerns that could slow adoption.

I say poppycock to that.  I heard the same thing about Qualys storing vulnerability data 5 years ago and over the intervening time have seen that argument melt away except for maybe in the federal government space.  In fact Qualys has now become the tester of choice for PCI compliance in many cases.  But beyond that, the whole issue of outsourcing application hosting brings me back to my days at Interliant, an early entrant into the ASP market.  We hosted Lotus Notes, PeopleSoft and other enterprise level applications, as well as managed security (mostly Check Point firewalls, which was sold to Akiva).

One thing that we learned the hard way at Interliant is that people will not outsource applications which they consider critical and core to the business.  So for instance, if they were an accounting firm, they would probably not outsource the hosting and management of their accounting software.  However, critical, non-core applications are good candidates for outsourcing.  I think for the most part, this is exactly where the Google Apps fall.  I think the success of hosted CRM like Salesforce.com also shows that people are willing to outsource critical, non-core applications.

Now the fact that it is Google after all raises, in my mind anyway, two other issues. One is the privacy of my data from Google.  Is Google going to use that to hone the ad words they serve up to me?  The other is that as Google continues to grow, will it suffer from Microsoft-like "evil empire" syndrome, where people attach dark aspirations to everything they do.  I guess we will have to see how this plays out.

August 27, 2007

Don't worry Hoff, 2 out of 3 ain't bad - security in virtual environments, the next big thing

My friend Chris Hoff has himself all worked up. In fact Hoff is in a huff. What has Christofer (for those who may not realize he spells his name funny) so worked up you ask? It seems the good folks over at InfoWorld are staging an Executive Forum on virtualization next month down in NYC.  Nowhere on the agenda is even a mention of security and the challenges that a secure virtualization environment poses.  Chris goes so far as to offer, on his own dime, to go down and personally deliver a presentation on security and virtualization. Well Chris, it would be nice to see the InfoWorld folks take you up on this, but I would not hold my breath.

But Chris there is good news.  I know for a fact that security in virtualized environments is going to get the attention it deserves.  How do I know this you ask?  Simple, it is my 2 out of 3 ain't bad test.  No, I am not talking about some Meatloaf song from Bat Out of Hell.  I am talking about last week alone doing two interviews. One with a large analyst firm and one with a large VC firm who were only interested in my take and what StillSecure was going to do about the problems around security and virtualization.  The fact that both the analyst and VC asked me in the same week, makes it a high probability of this becoming the next hype sector in security.  In fact the only thing missing is a media interview request.  Something tells me I will get one of those very soon too.

So Chris you are out in front of this one, but have no fear.  Security in virtual environments is going to be big!

July 11, 2007

Clarification of Google's intentions on Postini deal

So Mitchell and the Hoff-meister both disagree with me on Google's intentions with the Postini deal.  They say no doubt about it, this is clearly a shot at Microsoft.  Well, anytime Mitchell and Chris get together in an axis of evil without me, you have to ask why.  I did and actually commented on Christofer's article about it.  So let me take a quick moment and clarify what I said, so even Mitchell and Chris understand.

I am not saying that this is not going to put Google in competition with Microsoft or that this does not give Google a "foot-in-the-door".  I am also not saying that email is not a killer app (Mitchell, email a killer app?  That is so 1998).  What I am saying is that this is not as much about Google versus Microsoft, as it is software as a service versus traditional software.  This is equally a shot against any software vendor who delivers software the traditional way.  It just so happens that Microsoft is the dominant player in the traditional software world.

The fact is though that Microsoft itself is also moving into the SaaS world with their Windows Live line of SaaS. Microsoft agrees with Google that SaaS seems to be a rising tide.  That is where the real Google vs. Microsoft battle will take place.

June 27, 2007

NBA - Can it be the star of the show?

No, I am not talking about Kobe, Shaq, Tim Duncan and the rest of the athletes over at the National Basketball Association.  I refer of course to Network Behavior Analysis.  The estimable Mr. Rothman in his daily rant laments the fact that 5 years later we are still trying to explain what it is and that is pretty sad.  I don't think it is sad at all, it is just the facts.  In spite of this though, I think NBA has made terrific strides. Here is why:

1. NBA has grown to encompass a wide range of monitoring and detection technologies and techniques which can actually detect potentially malicious behavior and traffic.

2. NBA has shown itself to be one of the best ways to detect zero-day type of attacks (if you don't have a signature for it, you can't detect it).  With security practitioners increasingly concerned about zero days, NBA seems to have found a niche.

3. As Mike points out, NBA has found its way into several other security product lines and adds real value.

Ultimately, Mike, I think you have to get your head around the fact that NBA may never be a successful stand alone security product.  However, its transition to a feature inside of other security products is well under way.  If you want to find out more about "market (or product) vs function" I refer you to Mr. Hoff (of the joining with Shimel to pile on Stiennon and promote our own products fame). Of course if you are a stand alone NBA vendor, I would probably be pursuing a very aggressive partnering and business development strategy.  If any NBA business development types are reading this, give me a call.  I think this technology is a great fit for some of the things we are doing at StillSecure.

June 06, 2007

To each his own . . .

Martin anticipates me weighing in on an article by Chris Hoff on a new ad by Big Fix that ran in USA Today.  I paste the picture of the ad here strictly for context of course!

Do I think it is sexist? Yes.  Is this the image I would want to convey for my security company? No.  Let me ask this question, if it was a hot blonde in a bikini would it be worse? Not sure. Does the big gun in her hands signify anything? Don't even want to go there. Is she a Vulcan or a Shadow Run Elf?  Does it really matter? Maybe there is an inside story on this that we are all missing.  Ryan, Amrit, is there anything we are missing?  Is this a representation of anyone who works there?

The bottom line for me is, I don't think our marketing team would want to invoke this kind of image.  I am sure the Big Fix team did some extensive research and know that this type of message and image is exactly what they are "shooting for" and appeals to their intended audience.

June 02, 2007

A plea in the dark

My friend Chris Hoff is so mad that he is actually appealing to the inherent good he believes exists in all of us.  He asks that if you are going to write about something he wrote, have the etiquette to trackback to his post.  Not sure if that is to get the technorati rankings up or Chris is just dying to engage in dialog.  You would think that while he is out cavorting in city and town, Chris gets enough dialog, but maybe sober communication is what he craves ;-). Either way, he is right.  Leaving a trackback or commenting certainly keeps blogging as a two way communication medium.  To me that is the best part of blogging.  So for Chris's sake and the rest of us, trackback, comment and engage.

May 31, 2007

The Security Bloggers Network keeps growing

Just wanted to take a moment and announce that the Security Bloggers Network has now reached 74 contributing security blogs!  The newest member is the Watchfire Application Security blog by Ory Segal.  Ory has a good article up on playing in the sandbox and asking why anti-virus vendors have not adopted this approach.  If you get a chance check out what Ory and the Watchfire guys have to say.

Ory joins some other great bloggers like Jeremiah Grossman of White Hat Security, Mike Rothman of Security Incite, Amrit Williams and Ryan Russell of Big Fix, the blogging guys from nCircle, Richi Jennings, Chris Hoff of Crossbeam (received a weird call from Chris and some "friends" last night but let's not go there) and many others too numerous to mention.  There is some great content there.  Subscribing to the combined feed is a great way to stay on top of all of these great blogs in one RSS feed.

Also, if you have a partially themed security blog at least and would like to add your feed to the mix, there is no cost to do so.  Just email me with your request.

May 13, 2007

Do multi-function devices confuse people?

It's been about a month or so since we publicly announced Cobia over at StillSecure. An interesting but puzzling fact that we have observed is that just because a device can perform more than one function, people think that somehow limits you from using it as a single function device.  Case in point is Cobia's firewall and router functions.  We have received more than one question asking if you can just use the firewall function in Cobia, without the router and other modules.  Similarly, we have been asked by people who want to just use Cobia as a router (sometimes just temporarily) but not any of the security functions.

This got me to thinking about UTMs and other multi-function devices.  Do people think just because they have a UTM, they must use more than one function?  I happened to come across a blog ad for Fortinet (they offer ads for the Security Bloggers Network); the only thing they mention in the ad is a fourth generation firewall.  Could it be that most people are just using UTMs for firewall? I know Chris Hoff reads my blog.  I wonder if Chris has any numbers on how many Crossbeam customers are just loading firewalls on their X-series boxes.  Does having all of these choices confuse people from using just one of them? I think this is a common problem in technology.  We tend to load so much functionality into our machines that they can be overwhelming and bloated.  Do you really want your toaster to be hooked into the net?

Of course if you're interested, the answer is even at this early stage, Cobia is a great choice for a free firewall or router or both.  The GUI allows for easy management and configuration.  If you need to drop a router in while performing some network redesign or just want to put an easy to use firewall in, even at home, give it a try. I promise you don't have to run everything else Cobia can do, unless you really, really want to ;-)

April 03, 2007

Chris "Obi Wan" Hoff wants to rely on the force to make Cobia disappear

I know we must be on to something if Hoff is relying on the force to make you not pay attention to Cobia.  Now he wants to wave his hands and tell us to move on, nothing to see here. Of course he was watching Bill Maher when he wrote this, so I will give him some credit. The comedian on the panel was really funny and right on.  Anyway, Chris, let's put this one to rest once and for all.

First, as to what I mean by markets, technology, products, stand alone products, etc., let me be explicit as it seems you are pretty wrapped around the axle on this one.  When you say NAC and other products are moving from markets to features I disagree with your use of the word markets, not that I disagree that it is moving to a feature.  Maybe it is another kiwi thing or maybe it is my Long Island vernacular. What I think you mean when you say market is what I call a stand alone product.  In other words, will people buy NAC as a single, stand alone product or as something integrated into the network (I know that makes you cringe or maybe even in a high end UTM).  If that is what you are saying Chris, I agree with you.  I think NAC will be integrated.  In fact we have several OEM and partnership deals that do just that.  That does not mean that NAC does not have a market in my mind though.  A market to me is, will someone pay for it. I think whether sold stand alone or integrated with other products, the value of NAC will still be important. It will be a factor when people pick one switch or product over another. NAC to me is a technology; whether it is a stand alone product or not has, again, nothing to do with whether it is a market. By the same token, UTM perhaps is not a technology, but instead an amalgamation of technologies.  However, that does not mean that it could not be subsumed into something like UNP.

The fundamental problem I have with what you are writing Chris, is you have negative connotations around the feature word and I do not.  We anticipated this happening to NAC when we originally designed Safe Access.  BTW, we thought the same thing would happen to IDS/IPS.  I think only someone who thinks that the network should be inherently dumb and that security ride as a layer above it, would find the product moving from stand alone to integration into the network such a negative. Does that sum it up Chris?

Now my young padawan, why don't you come over to the darkside and acknowledge that a Unified Networking Platform can turn UTM into a feature as well.  The truth will set you free Chris!

disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.