StillSecure, After All These Years

So I have made the annual pilgrimage to the city by the bay for RSA.  As usual I got in late Sunday night in order to be at the Americas Growth Capital Conference on Monday.  This was the 5th AGC Conference. It has become a must attend event for many CEOs and other C level execs in the security industry.  Uncle Art of RSA delivered the keynote. Based upon his previous keynotes, I am surprised there was more than 3 or 4 companies there to listen to him, as we were all supposed to disappear.  Anyway his talk focused on DLP, GRC and encryption. Hey, when you are a nail, . . .

Anyway, the Qualys party was decent enough, very similar to last year. Tonight I will be a the SC Mag awards show.  If you are here at RSA stop by the StillSecure booth and say hello!

In other news:

1. What would you pay to put perhaps your biggest competitor out of business? If you are Oracle, about 7.4 billion. Hey and you get Java to boot!  Not sure what else they get though. Not sure of the future of Solaris or Sparc.  But Larry now has added another Silicon Valley legend to the stable.  What does the future hold for MySQL?  Will they just kill it? We will have to wait and see.

2. While we are discussing M&A, Lumension bought Securityworks and Symantec bought Mi5. Ok, seems like your average deals, but I bet the Mi5 folks are a lot happier with Symantec stock then the Securityworks guys are with Lumension.

3. Cloud and GRC – So far those are my votes for this years RSA buzzwords. They seem to be all over the place. Oh and DLP becoming real this year. That sounds like a familiar tune!

4. Shameless plug. If you are here at RSA be sure to join Mike Rothman, Rich Mogul, Michael Farnum, Mike Murray and I Thursday morning for a panel on good security in tough times. Catch it if you can!

Have a great day!

So the blogosphere is all a-twitter (couldn’t help it) about Google buying Twitter.  I am sure Twitter does not have a gun to their head to sell at this point, having raised substantial money recently.  That would lead me to believe that if they are indeed serious about selling to Google, it is because there is some very serious cash on the table.  One thing I have learned is that if you have an opportunity to cash out for serious cash, you should take it.

So we understand why Twitter would sell, why would Google buy?  To this point revenue from Twitter is pretty much non-existent, so that is not a factor.  Are Sergey, Larry and company just this generations William Randolph Hearst. Eccentric collectors who bring their shiny new baubles back to their Silicon Valley based San Simeon? Will Twitter go into the curio cabinet alongside Youtube, Green Border, etc.?

I understand the strategy of buying best of breed brands and worry about monetizing them later.  But at some point Google even with its oodles of search advertising has to show how these acquisitions are going to add to the bottom line.  Yes you can have twitter searching and with it the ability to do search advertising. But do you have to buy Twitter to have that?  OneRiot announced a cool service to do this yesterday.

So when does this all come together? How do you monetize Twitter? Without a real plan to do this I think at some point investors have to ask themselves how long they are going to indulge the Google-ians in their pack rat desire to collect shiny trinkets back at the nest.

OK I got back early from California (because someone I was meeting had to be hospitalized I am afraid) so have some time to blog.  It has been tough lately, but there are lots of stories to touch on.  First of all we are in full swing for the pre-RSA season.  My calendar is already filling up with appointments while I am out in San Fran.  I will be presenting at the Americas Growth Conference again this year on the Monday before RSA.  The AGC event has become a staple over the years and in these challenging times should be even more interesting this year.  Of course there is the security bloggers meet up with planning in full swing ready to rock (SBN members get an invite). Also the SC Magazine awards dinner and event which I was invited to and will be attending.  Thursday morning I moderate an all star panel on what to do about security in this economy.   All in all, RSA is shaping up as a great time! 

While I am registered as a speaker, an exhibitor and 5 year member, I was surprised that this year to attend just the expo and keynotes, there were no free passes.  In some ways it is good, it may keep some people out who are adult trick-or-treaters or resume pushers.  In other ways if you are in the local area the 75 dollars for an expo pass may stop you from attending.  Well here is where I can help. I have 4 expo passes to RSA to give away.  Leave a comment with why you deserve one and if you can convince me you win one. I wish I had full passes to give out to all of the tracks and all, but those are hard to come by. Hope to see you at the conference.

Couple of other stories:

1. Vyatta adds security to the router. I don’t know about you but this is so Cobia 2007!  Come on guys we did this at StillSecure with Cobia 2 years ago.  Plus reading the press on it, it is hard to see what special sauce if any Vyatta adds over the plain vanilla open source offerings that it is based on.  I guess it was to be expected, but I think they are going to have to do better then this to be successful.

2. Is Sun going to rise at IBM? – Looks like Big Blue might be picking up what is left of Sun.  Great, that gives IBM another database to work with (they already have DB2 and Informix), some open source stuff and another silicon design.  On the other hand, Sun has to do something as I am not sure what the future holds for them as a stand alone.

3. How to evaluate if MSSP is right for you- article in searchsecurity about how to properly evaluate whether MSSP is the right for you.  Pretty elementary stuff, but a start to making the decision.

4. NAC, its not just for compliance anymore. – Tim Greene’s article this week calls out how NAC for compliance is yet another great use of NAC.  Yes NAC can be quite the Swiss army knife of security, but is NAC as a compliance tool enough to drive a new NAC sale or just another use for a tool you already bought?  That is the big question about the NAC market.

I was going to call this has Miraged poisoned the NAC ARP well, but went with the above for another reason. Well Mirage has disappeared, gobbled up by Trustwave. Having just finished doing an acquisition ourselves, I can guess how this one went down. However, the key difference is that Mirage was a venture backed business that had raised a significant amount of capital over the years.  Knowing what I don’t know, I am pretty certain the investors took a haircut in Trustwave stock for their Mirage investment.  It appears that we will now see Mirage strictly as a managed NAC service.  Should be interesting. 

In the meantime if any of you out there are Mirage NAC customers and are experiencing that high and dry feeling, we will be offering a special program for Mirage non-managed customers at StillSecure. You can contact me at podcast@stillsecure.com for details.

The reason I said and then there were three is first that I always loved that Genesis album.  Secondly, I think that leaves really three stand alone NAC vendors.  Of course StillSecure is one of them and we will continue to offer our NAC as a stand alone appliance and software.  We will also have NAC as a managed service, as I have written early.  As to the other two NAC vendors, I don’t think that will stay that way for long. I think at least one of the remaining NAC vendors is busy looking for strategic alternatives as we speak, realizing that the gravy train of continued investment dollars may be running dry.  Should make for some interesting bedfellows.

I think this makes our acquisition of ProtectPoint last week all the more of a statement that SillSecure is here for the long haul and the stormy seas of a rocky economy, offers a safe harbor for NAC solutions.

Finally, congratulations to all of the Mirage employees and investors.  Bringing a company through to a liquidity event is never easy regardless of how much money or stock is involved.

Today StillSecure announced that we have acquired ProtectPoint Security, a Ft Lauderdale based managed security service provider.  In my role as chief strategy officer at StillSecure, I of course was very involved in this acquisition from beginning to end. I have tried very hard to not write about this on the blog (to the point of writing less about security even) or speak about it before official word came out.  But now that it is official, I can share some of our thoughts with you all. While so many are running scared in this economy, StillSecure has taken a bold move by acquiring a company.  I will tell you that I don’t think we are done acquiring either. I am very bullish on this move and StillSecure’s prospects. Not only that but my wife is really happy too because I now have an office to go to when I am not on the road ;-)

So why did we make this acquisition:

1. Security as a service and managed security is here to stay. Over the last 7 or 8 years we have seen a fundamental change in the security industry. In the past we were primarily trying to defend against mass market, high volume worms and script kiddies who judged their chops by how many machines they could bring down or web sites they could deface.  Now we have to defend against organized cybercriminal gangs who are targeting specific vectors to maximize illegal financial gains.  We are defending against national cybersecurity threats by terrorist organizations and rogue nations.  The threat landscape has grown in complexity and sophistication.  As a result the security industry has responded with more sophisticated and complex solutions, that while more effective, are also more specialized.  The age of the IT generalist being able to run and manage their own security is over.  To wage an effective defense you need security experts.  Security expertise is expensive and hard to come by.  Therefore it is easier, more cost effective and more secure for many organizations to outsource their security. This is especially true in the mid-market.  They don’t have all of the resources of their big brothers in large enterprises, but have many of the same security challenges. For most businesses, security has become a critical component of the business, but not core to their expertise.  Those types of functions that are critical, but not core are optimum to outsource. This is and will be the fundamental driver for managed security services.

2. Current economic conditions.  I wish we could say that we were smart enough to have seen the current economic reality coming.  But truth be told, we did not. The plans for our move into the MSSP market were put into place well before the full extent of the condition of our economy was apparent.  That being said, this economy we believe will hasten the move to MSSP. By offering a lower total cost of ownership and less monies up front for best-of-breed security solutions, cost conscious organizations will have to take a long hard look at an MSSP model.

In doing pre-announcement briefings with the press a common question asked was why when things seem to be so bad are we out making acquisitions?  My answer was to quote Warren Buffet, who some say actually quoted Ben Graham. “Be fearful when others are greedy. Be greedy when others are fearful." There will be those companies who hunker down and stick their heads in the sand hoping and wishing things get better.  We believe that there is a terrific opportunity here.  There are winners and losers in every era. StillSecure and I will not sit by and be victims.  There are terrific opportunities out there.  We will pursue them and capitalize on them to help build our success.

3. Offering the customer more choice.  Now we at StillSecure can offer the market a choice of using our solutions as a hardware appliance, software that can run on your own server or often in a virtual environment or as a managed service. At the end of the day, whatever works for the customer, works for us.

We think the fact that we will also be the developers of the solutions we are offering as a managed service will give us a distinct advantage over so many other MSSPs who are just managing a 3rd party vendors products. We know our products better, can customize the development of and generally be more responsive as a result of “rolling our own”.

4. ProtectPoint was a natural fit.  There are many MSSPs out there.  But ProtectPoint was the right one for StillSecure for many reasons.  First, the people and culture.  Steve Harris, ProtectPoint CEO and his entire team have built a business around superior customer service. Their customer comes first attitude matches our own. Their technology is built on a similar open standards platform to the StillSecure platform. Our products should find an easy transition onto the ProtectPoint platform.  ProtectPoint has built a terrific set of scalable portals and management applications that allow their customers, their over 100 partners and their certified security analysts to have up to the second insight into their customers security. ProtectPoint has lived through the early growth of the MSSP market and in doing so has learned many lessons. They have built a channel with over 100 organizations, including some of the premier data center operators in the nation. They are a SAS-70, Type II certified provider. No matter what else we do in the MSSP market, ProtectPoint’s platform will be the foundation of what we do in this market. ProtectPoint’s channel focus and established customer base are very desirable and serve as the perfect jumping off point to leverage as we build that part of the StillSecure business going forward.

We are very pleased that the entire ProtectPoint will be joining us at StillSecure and welcome them to the family!

It is no secret that for a long time Tipping Point has tried to run away from its corporate ownership by 3Com.  The Tipping Point people would only admit to 3Com ownership and association if you held their feet to the fire.  Rumors abound that they were pulling hard for the Bain-Chinese purchase of 3Com to go through so that they could be spun off and set free from their corporate masters.  Of course aside from the outrageous price of 400 and something million and like 17 times revenue that 3Com paid for them, what right does 3Com have to have a say in what Tipping Point does anyway?  Most recently Tipping Point was known as an autonomous division of 3Com. I don’t know that sounded like certain parts of the old Soviet Union to me. Semi-autonomous republics and such. 

Anyway, it looks like all of that may be changing. Comes word that 3Com has appointed Alan Kessler as the new President of Tipping Point (I bet there are some Tipping Point folks who would question 3Com’s authority to appoint a new Tipping Point president, but anyway).  According to the article:

“As head of TippingPoint, Kessler will work closely with 3Com’s global organization as the company looks to continue to accelerate sales growth of its industry-leading IPS and NAC solutions worldwide. He will identify areas for additional investment in the network security segment, including in unique TippingPoint solutions and initiatives such as Digital Vaccine and the Zero Day Initiative. Kessler will also work to identify operational synergies between TippingPoint and other parts of 3Com.”

Well I would of course point out that Tipping Point’s NAC is far from industry leading. A very distant relative at best in fact.  But aside from that, this sure does sound to me like they are going to try and integrate Tipping Point more closely with 3Com.

Now just getting these two cultures to work together may be akin to getting the Hatfield and McCoys together.  Maybe Kessler can appoint George Mitchell or someone to be a mediator or special envoy to try and make the peace.  Anyway, I will believe it when I see it.

As they indicated several months ago, Nokia is getting out of the security appliance business.  Today it was announced that Checkpoint is buying Nokia's security appliance business for an undisclosed sum. Nokia had a lot of boxes with Checkpoint firewalls on them, so this seems to make a lot of sense.

Recently though Nokia started selling other apps on their appliances, including Sourefire appliacations. I would assume these are competitive with Checkpoint and this will be the end of Sourcefire and other vendors selling their apps on Nokia appliances.  In the long run Checkpoint may actually decrease the value of the Nokia appliance business, but they may not care.

PS - I broke my finger playing basketball last week and typing is very hard. don't look for a lot of posts from me and certainly not any very long ones for a while!

Related articles by Zemanta

• Nokia Spinning Off Security Appliance Division
• Nokia to sell security biz
• Sourcefire aims security appliances at small networks
• Nokia Intrusion Prevention And Nokia Firewall

When I was in college some of the "cool dudes" used to have a contest.  If you did not meet anyone at a bar or club by the time it got late, say 2 or 3am, you had the ugly girl contest.  The thinking was you were not going to meet anyone great at that late hour, so you might as well go for something that you could laugh about tomorrow.  Of course you would never call that girl again after that night.  She was a 3am'er.  Me, I was lucky to meet anyone I could, so wasn't cool enough to play that game, but heard about it plenty.

Hearing the story about how Google pulled out of the joint advertising deal with Yahoo reminds of that story. When Microsoft was trying its best to pick up Yahoo, Google treated Yahoo like she was the prettiest girl on the block. They were willing to do just about anything to keep Yahoo out of Microsoft's hands.  Jerry Yang and the team was only too happy to point to its Google deal as a poison pill that Microsoft would not swallow.  Of course the Microsoft-Yahoo deal never happened and the Google partnership was a big reason why.

Now that the Microsoft-Yahoo deal is off the table, Google dropped the Yahoo partnership as soon as the water got a little rough.  I think Google was only too happy not to go through with the deal.  Yahoo is after all a competitor still.  They dropped Yahoo like the girl they met at 3am the night before. In the cold, light of day they could laugh about it, but they would be damned before they continued hanging out with them.  Google got what they wanted by keeping Yahoo out of Microsoft's hands.  When they were done they threw away Yahoo like a cheap date. 

Shame on Yahoo for being used and abused like that.  I could understand why a Yahoo shareholder would be upset with this.

Related articles by Zemanta

• Jerry Yang Talks About Microsoft, Google and more at Web 2.0
• Splitsville for Google and Yahoo

Niel Roiter over at Techtarget has a good article up on what has become of ISS as it approaches 2 years under the rule of Big Blue.  Of course Mitchell and I had Tom Noonan on just a few weeks ago and as we spoke about, Tom is no longer at IBM/ISS. At the time of the ISS acquistion, speculation was rampant over whether IBM would continue the ISS product line or instead concentrate on the services side of the ISS business, which represented the majority of the revenue actually.

Coinciding with the 2 year anniversary, IBM/ISS actually released a slew of new/updated products:

• A new release of its unified threat management (UTM) tailored for small business, including, for the first time, an SSL VPN.
• A virtual appliance version of its network intrusion prevention system (IPS).
• An update to its network enterprise vulnerability scanner.
• An IPS controller, effectively a load-balancer to aggregate IPS appliances to achieve a greater throughput of up to 10 Gbps.
• A new release of Proventia Management SiteProtector, IBM's security management console.

So at first blush it seems that ISS/IBM is still very much concentrated on products.  It took 2 years to find their way within the IBM universe but are getting back to business.  But as Neil points out, a closer look at the new releases show two trends:

1. IBM/ISS is moving down to the SMB/SME market.  Clearly making products easier and better suited to a smaller customer was a driving force here.

2. MSSP or SaaS is the holy grail for them.  All of these products are being made to work together and be managed by a central outsourced MSSP.  IBM, like many others sees the security market for the mid-market moving to a managed model.  IBM wants to move down stream from managing not only the largest networks in the world, but managing every network in the world. 

Network management is more than just security, but security will play an in important role in it.  We are going to see IBM, HP, Verizon, etc. increasingly coming down into the SMB/SME market to offer to manage IT environments for customers. Historically this has always been like herding cats.  The question is, what will make it different this time?

Related articles by Zemanta

• IBM targets SMBs with security upgrades
• IBM and Tata Communications Dig Into Managed Security Services
• Security Products: Suites vs. Best-of-Breed

Fortinet has been making noise about moving beyond the UTM space for some time. Today they took a very tangible step in that direction with the announcement that they have acquired Secure Elements. For those of you not familiar with Secure Elements, they were a DC-area based vulnerability management solutions provider. Their C5 platform started out as a run of the mill vulnerability scanning tool. I think they used the Nessus scanner and than started importing other scanner data.  Over time they morphed more to configuration management solution.

Secure Elements was virtually unknown outside of the Federal Government space.  I would bet 90+% of their customer base was in the Fed space.  They were one of the leaders in the FDCC and S-CAP requirements that NIST recently put out.  Their founders and pedigree had a long history of working in friendly confines of the DC Beltway. 

Fortinet on the other hand, while trying hard did not have a ton of success in the Federal space.  Is the fact that much of their development and design happens in Asia and China specifically represent a reason for this? Perhaps it did. Also beyond UTM what technology did they have. They recently announced an endpoint based agent for security that sounded suspiciously like a McAfee or Symantec type of play.  They had been making noises around doing vulnerability scanning and management as well.  Now the other shoe drops and we see where that comes from.

So what is Fortinet's end game.  Well certainly if the public markets were not in the sad state they are in, they would be a good candidate for an IPO. But beyond financial goals, what do they want to be when they grow up?  I think it is becoming clear.  They want to take on Symantec, McAfee, Checkpoint and others as providers of a full spectrum of security solutions. They want to use their base as an ASIC based UTM and move to the endpoint and beyond.  With the kinds of units they sell in UTM they certainly have the revenue to fund it.

My final question is:  How long until Fortinet offers a NAC solution?  If they are interested I know a company that is pretty good at OEM'ing their NAC solution to others.  You know how to reach me ;-)

Related articles by Zemanta

• Fortinet toasts sales success