61 posts categorized "IDS/IPS"

May 12, 2009

Reputation based service is great for stopping spam email, but does it help against targeted attacks?

I saw an interesting Google Alert in my mailbox today. It was titled “Cybercriminals In The Cloud”, and I thought it was going to be about how cybercriminals were now using cloud services to access confidential information. So I bit and found myself at a “welcome screen” from Forbes. Why call it a welcome screen? Let's call it an ad page, as that is the only thing on there and you can watch the ad or click through. After clicking through I was greeted by an article by Charlotte Dunlop (nice picture Charlotte). The gist of the article was that the big thing at RSA was how top tier security vendors were going to use reputation services to make IDS/IPS, UTM and other technologies better able to stop the new, more sophisticated attacks that CIOs are dealing with.

I say poppycock! Yes, reputation services in the cloud are great for picking up IPs that have been used as spam homes or for spewing other malicious content, but in targeted attacks cybercriminals are smart enough to use fresh IPs, not ones that are already tainted. If these bad guys are smart enough to devise the techniques they do to break in, let's not be naive enough to think that they are going to then go out and use the same old IP addresses to launch new targeted attacks. Reputation-type defenses are great against mass market type activity, but for the targeted exploits that CIOs reading Forbes are worried about I don’t think it offers much hope. Sounds to me more like yet another person bought the security in the cloud story hook, line and sinker.


April 13, 2009

Security Jeopardy

So I have been a busy boy. Passover has been great, catching up with friends and family, enjoying my children. This past Easter weekend was a great relaxing time, spending time with friends and neighbors. Now finalizing my RSA plans, I really don’t have many open time slots to meet anyone, but if you are going to be there, be sure to say hi!

Also last week I was the keynote speaker at FIU’s IT Security Awareness Conference here in Miami. The theme was: Are You In Jeopardy. Rather than talking about StillSecure I actually recapped my post-Black Hat adventures for the audience and hopefully helped a few people learn how to be more savvy about being hacked, as well as what to do if it happens to you. It was good to speak about it in public. Reading today’s news I felt like I was playing Security Jeopardy and the category was IDS/IPS. Alex, the answer is:

1. What is IPS, for 100 dollars? When is a 10Gbps IPS only 4Gbps? When Sourcefire puts out a new sensor adding to their “10Gbps intrusion prevention system (IPS) leadership.” Seems a little confusing to me when the only 10Gbps thing about this sensor is that it has 10Gbps interfaces, but admittedly it only handles traffic up to 4Gbps of IPS inspection. But such is the state of the IDS/IPS monte game around speeds and feeds.

2. What is IPS, for 200 dollars? Why did Sourcefire’s target get raised from 7 to 11 dollars and why did they close over 9 dollars today? It seems that with the increase in government spending and the attack on the Dalai Lama’s computers, developers of intrusion prevention should benefit. OK, maybe.

3. What is IPS, for 300 dollars? When is being a niche player good enough? When you try to peddle your IPS as a NAC, of course. You have to both admire and wonder about those guys from the semi-autonomous region of Tipping Point. They actually put out a press release to say they made the niche quadrant of the Gartner Magic Quadrant for NAC. While I think the NAC MQ, like most Gartner MQs, is worthless and Gartner does the whole industry a disservice with their capricious and arbitrary selections, this is the first time I remember a company crowing about making the niche quadrant. Especially a large company like Tipping Point / 3Com. I guess that just about sums up their high expectations for their NAC product.

4. What is IPS, for 400 dollars? Whoa, it's the daily double! Tipping Point again. This time the answer is: what is the best way to provide Web Application defense? Forget all of those web app firewalls, proxies and stuff like that. You just need a Tipping Point IPS with some custom written Digital Vaccines (some of us call them attack signatures). Seems that Tipping Point will scan your web apps for vulnerabilities including cross-site scripting and such. Once they find them, they will write custom signatures for you. I don’t know, but this just doesn’t seem like a very scalable solution to me. Seems like trying to use the wrong tool for the wrong job at the wrong time, and probably as a result at the wrong price. Other than hard-core TP fans, I can’t imagine this one does too much for the bottom line at 3Com.

5. What is IPS for 9.5 Billion dollars? Well actually that is the whole network security market of which IPS is the second largest segment behind UTM according to Global Industry Analysts, Inc. (how is that for a descriptive name). But the segment will grow slowly as more people opt for multi-function devices.

Have a great day!


February 26, 2009

Bringing Change to the IDS/IPS market

Last month I wrote about the release of version 5.0 of StillSecure’s Strata Guard and the special promotion we were running with it. Strata Guard 5.0 offers true multi-Gbps performance, multi-segment support and price/performance points far below what others charge. Plus we are offering up to 50% off appliances and software this quarter.

We did not take this path without a lot of forethought. We think fundamentally that change has to come to the IDS/IPS market. The problem is that if you ask 100 IDS/IPS customers across the board what is better about their IDS/IPS than another one, they are hard pressed to say. It is a commoditized market where vendors are still making fat profit margins, selling custom-burned or purpose-built (or call them what you want) boxes. With advances in hardware and software it is just not necessary to pay those kinds of premiums for that performance anymore!

Today we released Strata Guard Lite. It is the successor to our Strata Guard Free product. It is a fully featured IDS/IPS for free! It can handle up to 10Mbps. It has automatic rule updates, multi-segment support and the same code base as the commercial version. In fact the only differences between the Lite version and the commercial version are limited support, no multi-node management and rate limiting to 10Mbps. There is a once-a-month reminder page that asks if you could use the commercial version or need a managed service, but that is all. Let me repeat again, IT IS FREE.

We think this is another huge step in bringing change to the IDS/IPS market.  We have unmatched price/performance points in a full line of both appliances and software only models. We have a free product that should suffice for most smaller businesses and a managed service for those who would prefer to outsource their IDS/IPS management.  Now this kind of change is not red change or blue change, Republican change or Democratic change, it is change you can believe in!  Give it a try and see for yourself.


January 30, 2009

Is 3Com seeking to rein in its wayward child?

It is no secret that for a long time Tipping Point has tried to run away from its corporate ownership by 3Com. The Tipping Point people would only admit to 3Com ownership and association if you held their feet to the fire. Rumors abound that they were pulling hard for the Bain-Chinese purchase of 3Com to go through so that they could be spun off and set free from their corporate masters. Of course, aside from the outrageous price of 400 and something million, and like 17 times revenue, that 3Com paid for them, what right does 3Com have to have a say in what Tipping Point does anyway? Most recently Tipping Point was known as an autonomous division of 3Com. I don’t know, that sounded like certain parts of the old Soviet Union to me. Semi-autonomous republics and such.

Anyway, it looks like all of that may be changing. Comes word that 3Com has appointed Alan Kessler as the new President of Tipping Point (I bet there are some Tipping Point folks who would question 3Com’s authority to appoint a new Tipping Point president, but anyway).  According to the article:

“As head of TippingPoint, Kessler will work closely with 3Com’s global organization as the company looks to continue to accelerate sales growth of its industry-leading IPS and NAC solutions worldwide. He will identify areas for additional investment in the network security segment, including in unique TippingPoint solutions and initiatives such as Digital Vaccine and the Zero Day Initiative. Kessler will also work to identify operational synergies between TippingPoint and other parts of 3Com.”

Well I would of course point out that Tipping Point’s NAC is far from industry leading. A very distant relative at best in fact.  But aside from that, this sure does sound to me like they are going to try and integrate Tipping Point more closely with 3Com.

Now just getting these two cultures to work together may be akin to getting the Hatfields and McCoys together. Maybe Kessler can appoint George Mitchell or someone to be a mediator or special envoy to try and make the peace. Anyway, I will believe it when I see it.

January 12, 2009

StillSecure hammers the IDS/IPS price/performance barrier. Let the revolution begin!

January 12, 2009.  Let that date go down as the start of the IDS/IPS revolution. We have heard that people are fed up with the high price of IDS/IPS.  Whether the economy is good or bad, IDS/IPS should not cost that much. Let the revolution begin.

Here at StillSecure we have been working hard for going on 9 years now (not quite 1984). When we started the company there were a couple of foundations that we based the business on. One was Moore's Law: the power of off-the-shelf hardware exponentially increases every 18 months or so. Another foundation was that if you work with smart people you can find a way to do things faster, cheaper, better. Nowhere was this more apparent to us than in the IDS/IPS market. For too long we looked at the 50k per Gbps price point that was the market rate for IDS/IPS and thought that it was just wrong. Today we announced that the revolution has begun!

StillSecure is bringing high-speed, high performance IDS/IPS to the masses. The days of paying tens of thousands of dollars per Gbps of IPS are over. Our new Strata Guard 5.0 offers a 4Gbps, multi-segment IDS/IPS appliance for 20k! To celebrate we are discounting even further. If you buy before March 31, the same 4Gbps appliance is only 12.5k!

Let the revolution begin. Put an end to expensive custom-burned silicon solutions and the oligarchy of high priced IDS/IPS vendors squeezing your hard earned security budget. IDS/IPS should be available to everyone who wants it, and at these prices it is.

The power of multi-core off the shelf hardware is not the only enabling technology behind this disruptive release of Strata Guard.  StillSecure has developed patent pending technology that allows us to accelerate the functionality of Strata Guard to enable these performance levels.  I am really proud of the team who have put several long years in on this one. 

BTW, we have a full line of Strata Guard appliances for just about every size and budget.  We also still offer Strata Guard as a software only product to run on your own hardware.  Of course we still have the free version too. Our celebratory pricing is across the board so check out what is the best deal for you.

You can read more about Strata Guard here. I am interested in your thoughts!


December 22, 2008

Does Checkpoint buying Nokia appliances hurt Sourcefire?

As they indicated several months ago, Nokia is getting out of the security appliance business.  Today it was announced that Checkpoint is buying Nokia's security appliance business for an undisclosed sum. Nokia had a lot of boxes with Checkpoint firewalls on them, so this seems to make a lot of sense.

Recently though, Nokia started selling other apps on their appliances, including Sourcefire applications. I would assume these are competitive with Checkpoint and this will be the end of Sourcefire and other vendors selling their apps on Nokia appliances. In the long run Checkpoint may actually decrease the value of the Nokia appliance business, but they may not care.


PS - I broke my finger playing basketball last week and typing is very hard. Don't look for a lot of posts from me, and certainly not any very long ones, for a while!


December 04, 2008

Is there life in (Cisco) MARS?

About a year, year and a half ago there was not a Cisco shop that you went to that didn't talk MARS.  MARS was going to be the control/management app for all of Cisco's security products.  Cisco IPS had a crappy interface you say?  No problem, just take the data into MARS.  Cisco NAC was not a great management tool for reporting?  No problem, soon you could take that data into MARS. Then over the last 6 to 9 months the buzz around MARS seemed to die down.  Almost as if the Cisco machine was just not pushing it anymore.  The IPS interface still stunk.  Cisco NAC still had bad reporting.  But there was no more talk of MARS remedying all of that.

Now Jon Oltsik gives us some insight why in this article. It seems MARS was just not all it was cracked up to be. As a SIEM it was sorely lacking compared to some of the best-of-breed products available. The log management crowd has them beat hands down. The Q1 product that everyone else seems to OEM is vastly superior. So according to Jon, MARS is a dog with so many fleas that not even the Cisco sales team can make a winner of it. So not even the Cisco channel is behind the product any more, Jon says. Further, according to Jon, Cisco has three choices:

1. Admit defeat and get out. Cisco could bury MARS and partner with others in the industry. GE would take this route but I can't imagine that Cisco will.

I agree with Jon; Cisco is just not going to walk away from an entry in this space that they own.

2. Double down on MARS development. MARS 6.0 was released earlier this year and it did move the ball forward but the product remains way behind others in the market. Management software has always been a bit of an Achilles' heel for Cisco.

They might stay stubborn and try to make MARS better. But again, I agree with Jon that this is not really a strong suit for them. Some die-hard Cisco bigots would use it still, but overall it would continue being an also-ran.

3. Replace MARS with another acquisition. There are plenty available at bargain prices. Cisco could bid on publicly traded ArcSight, grab a legacy Security Information Management vendor like Intellitactics or NetForensics, pick up a log management player, or take a chance on a wildcard like Nitro or Splunk.

I think this is a very likely scenario. If at first you don't succeed, buy another one. That is the way of big companies. I think Splunk would be great for them, but probably too cool for Cisco. NetForensics or even ArcSight themselves would be conventional. Maybe Mike Rothman's eIQ Networks even.

The problem is that Cisco needs a MARS for more than just event correlation and management. They need it to fill in the holes of their existing security products to keep them competitive and to sell them to more than just Cisco shops.


October 13, 2008

StillSecure SAT on the job

One of the challenges of using open source components as part of the mix in our products at StillSecure is to show the value we add over "pure" open source. This is especially true in our Strata Guard IDS/IPS, which uses a Snort engine. A question we are always asked is: what about the Snort signatures? Do we use the Sourcefire signatures? Do we get them right away? Do we add any value over what Sourcefire does?

For many years I have spoken about the StillSecure Security Alert Team (SAT). By the way, don't pronounce it S-A-T. That is a test students take when applying to college. SAT is what they like to call it. Anyway, our SAT team is tasked with keeping all of the StillSecure products up to date against the latest threats and offering up to the minute protection. It is a 24x7x365 operation.

It is a thankless job for the SAT team. For the most part they work in obscurity. In fact, as long as the rule updates they write work and protect our customers, you don't hear about it. Usually only when something goes wrong do you hear about or focus on the SAT.

When it comes to Snort signatures, we have always partnered with and supported some of the alternative Snort communities. Communities such as Bleeding Edge and more recently Emerging Threats. So it was gratifying to see Matt Jonkman at Emerging Threats call us out for contributing a bunch of Snort signatures this week.

Anyway, kudos to the usually anonymous folks on our StillSecure SAT team.  Keep up the great work guys!

September 25, 2008

Fortinet adds to the chemistry with Secure Elements

Fortinet has been making noise about moving beyond the UTM space for some time. Today they took a very tangible step in that direction with the announcement that they have acquired Secure Elements. For those of you not familiar with Secure Elements, they were a DC-area based vulnerability management solutions provider. Their C5 platform started out as a run of the mill vulnerability scanning tool. I think they used the Nessus scanner and then started importing other scanner data. Over time they morphed more into a configuration management solution.

Secure Elements was virtually unknown outside of the Federal Government space. I would bet 90+% of their customer base was in the Fed space. They were one of the leaders in the FDCC and SCAP requirements that NIST recently put out. Their founders and pedigree had a long history of working in the friendly confines of the DC Beltway.

Fortinet on the other hand, while trying hard, did not have a ton of success in the Federal space. Does the fact that much of their development and design happens in Asia, and China specifically, represent a reason for this? Perhaps it did. Also, beyond UTM, what technology did they have? They recently announced an endpoint based agent for security that sounded suspiciously like a McAfee or Symantec type of play. They had been making noises around doing vulnerability scanning and management as well. Now the other shoe drops and we see where that comes from.

So what is Fortinet's end game? Well certainly if the public markets were not in the sad state they are in, they would be a good candidate for an IPO. But beyond financial goals, what do they want to be when they grow up? I think it is becoming clear. They want to take on Symantec, McAfee, Checkpoint and others as providers of a full spectrum of security solutions. They want to use their base as an ASIC based UTM and move to the endpoint and beyond. With the kinds of units they sell in UTM they certainly have the revenue to fund it.

My final question is:  How long until Fortinet offers a NAC solution?  If they are interested I know a company that is pretty good at OEM'ing their NAC solution to others.  You know how to reach me ;-)


September 23, 2008

IDS - the beast that just won't die

Ellen Messmer has an interesting article up in Network World today (I wish Network World would stop that annoying page fold over ad that forces you to click close to view the page. It is just a pain in the butt and I wouldn't buy anything from anyone using that type of ad just on principle.), around the latest results of an Infonetics research survey commissioned by Tipping Point. The respondents were mostly from big companies with about 10k employees. Remembering who commissioned this report, you need to take these numbers with a grain of salt, but there are some interesting findings:

1. Cisco is hands down the market leader in IPS. It is almost universally agreed, by this report's findings and in other reports, that while the Cisco product is far from the best in usability and functionality, by sheer numbers it dwarfs the other IPS vendors. It continually amazes me that everyone knows the product is not good, yet people still use it. For me that just reinforces the notion that people put IPS in as checkboxes. They really don't care if they work or not, are easy or not and are up to date or not. They just want to say they have something. When their local friendly Cisco rep throws it in with the shiny switch, they are happy campers.

2. Most people are finally deploying in line, but not filtering and blocking. Of course the Tipping Point customers overwhelmingly had the box in line. Tipping Point was always an in line IPS, so that is to be expected. The Sourcefire boxes on the other hand tend to be deployed out of band more often. The IBM/ISS and McAfee IPS are more in the middle. Regardless of whether they were in line or out of band, though, the number of filters that were being used to actually block traffic was way low. Most people are still alerting, not blocking. IDS is not dead, that is clear.

3. A sizable number of users do not update to the latest filters (Tipping Point lingo for signatures and rules). This is the one that really blew me away. With all of the focus on zero day and all, you would think people would want to be up to date against the latest attacks. Evidently not. Even given that some people like to test the filters first, I would think they find their way into the field pretty quickly, but it looks like I am wrong. Maybe this is a big company versus mid-market thing though. I don't think mid-market companies have the time and resources to go through that type of QA check. They expect their IPS vendor to send down signatures that don't break the box.

All in all, despite Richard Stiennon's prediction of the death of IDS, it appears that we are still a long way off from everyone using their IPS as an IPS.



disclaimer

  • The views and opinions expressed here are those of myself only and in no way represent the views or positions or opinions of my employer, Latis Networks, Inc. d/b/a StillSecure or anyone else.
