133 posts categorized "other security companies"

June 25, 2008

Barracuda to Sourcefire: We see your CEO bet, and raise you to $8.25, call

Barracuda continues their poker game with Sourcefire today raising their $7.50 all cash bid to $8.25.  Are Dean and company just bluffing for publicity or are they willing to keep playing and stay in this game until all the cards are on the table?  I don't know for sure, but find it interesting that Barracuda did say to Sourcefire that they would be willing to explore ways that would show Sourcefire's increased value to Barracuda and based upon that increase their offer.  Of course $8.25 is still too low, but it is getting closer.  If the offer gets near 10 bucks, Sourcefire has some serious decisions to make.  In the meantime, Barracuda will again reap the PR bounty from having a seat at the hottest poker game in security.

June 20, 2008

Everybody wants to jump on the Green bandwagon

These days everyone wants to be seen as green.  Larry Seltzer over on PC Mag has an interesting story from McAfee Avert Labs that using anti-virus on your computer is green. The reasoning goes that by keeping your computer free of malware, your CPU usage stays lower, thereby using less energy and lowering your carbon footprint.  OK, I get it.  My question is what about all of the extra CPU cycles that some of the bloated endpoint security suites use on all of these machines they are installed on?  I would bet that they far outweigh any energy savings from clean machines.

I guess in place of wrapping yourself in the flag, the thing to do now is wrap yourself in the green thing. How long will it be until some company hires Al Gore to hawk their technology? In the meantime I would beware of Jolly Green Giants.


Taking a second look at Rohati

Last week in response to Richard Stiennon's glowing write up, I questioned what it is exactly that Rohati does. Well someone from Rohati must have seen it and I was contacted by the Rohati team and offered a peek and a deep explanation of exactly what Rohati does.  So today I had a chance to speak with Shane Buckley, CEO, Prashant Ghandi, VP of product management and strategy, and Steven Wastie, VP of marketing.  I was impressed that such a triumvirate of power players from the Rohati team took the time to speak to me.  But I guess after I wrote what I did, it was followed up by JJ writing her article on it and then Rothman piling on with his own two cents.

Give the Rohati team credit for recognizing the power of blogs to influence the influencer and reaching out to stem the tide.  It just goes to show you how far blogging has come. But enough about the power of blogs, let's talk about Rohati.

The best way for me to describe Rohati is that it is layer 7 ACLs to control access to applications.  Where we already have security at the perimeter and at the edge, Rohati is about controlling access at the server/application.  The diagram on the left (click on it to get a bigger version), is a good illustration of how Rohati works. By integrating with LDAPs Rohati can assign you an access policy to any application.  Based upon that Rohati gives a very fine grain level of access control at the application layer.  It acts as a proxy to the app server for both regular and encrypted traffic.  Because the ACLs are on the Rohati box itself, there really is not any integration with switches per se and so no integration worries.

The only problem is that the Rohati box has to be able to handle the traffic flow.  Hence the box is a big honker.  The cheap one is about 20k list I believe and the industrial size version is 80k. This product is aimed squarely at the data center space and is sold through channels.

Will Rohati succeed?  Yes, I think it will.  I think they have taken a unique approach to a security issue that will continue to grow in years to come.  Application access is an area that I think is still up and coming.  In a period of nothing is ever new in security, the Rohati team seems to have found something that has not been done before in a packaged dedicated way like this.  If nothing else, with all of the ex-Cisco folks there, Cisco will eat its young and buy the technology back in.

We will watch Rohati's progress in the months to come.  At the very least, it seems they are blog savvy enough to navigate the waters of social media.  Maybe they will start their own blog soon.


June 16, 2008

The used car salesmen of NAC and the BNBB

Few occupations have such a low reputation as used car salespeople.  Well OK maybe lawyers ;-).  For the most part though used car sales people are not really as bad as they are made out to be or perhaps as bad as they used to be. Yes, there is the "what do I have to do to put you in this car today" attitude, but by and large - lemon laws, consumer protection rules and truth in advertising regs have taken some of the snake oil out of the fast and loose way of doing business which earned them their reputation.  Who doesn't hear or read an ad today for cars without the "fine print" being mentioned?

In the world of NAC though we have no such protections built in it seems. It is very much "caveat emptor" - buyer beware.  NAC companies can pretty much say what they want, claim what they will.  How is a prospective customer supposed to know the truth?  Some say you can check references, but even then much like someone applying for a job, do they ever give a reference who is not going say something nice about them? The easy answer of course is try it for yourself. There is no substitute for actually kicking the tires.

Here is another idea I was thinking about, I call it the Better NAC Business Bureau (BNBB).  Its mission is to shine a spotlight on some of the dark alleys and rat holes that some NAC vendors do business in.  The same way the used car salesmen of the world have been rehabilitated, let's do the same with NAC marketing!

With that in mind, the first investigation of the BNBB is in regard to some recent press releases from two NAC vendors.  The first press release is from StillSecure and is in regard to Lehigh Valley Hospital and Health Center.  It claims that LVHHC is and has been a NAC customer of StillSecure for the past two years and continues to be a customer.  The press release has quotes from the CIO of LVHHC.  The second press release and case study is from NAC vendor X.  It also claims that LVHHC uses this company's product for NAC throughout the entire organization.  They also have a quote from someone at the organization (OK, not the CIO, but someone).  Who to believe?  Does LVHHC have two NAC solutions?  I doubt it.  What to do?

Well we can look at a little history.  For instance, which of these two NAC companies claimed they did not use Nessus in their NAC product and then it turned out they did?  What company took the infamous TCP reset and tried to peddle it as a "virtual firewall"?  Of course there was the time they took out Google ad words on my name. Yes my friends, it seems that playing fast and loose with marketing claims has earned this company a bit of a used car salesman reputation. But like gas mileage, past performance is not controlling and your performance may vary.

So let's give this company the benefit of the doubt. Maybe in their burning desire to show reference customers they were a little too quick to pull the trigger here.  Let's give them a chance to go back and check with their sources and see if they have the facts straight.  If they find out that perhaps they were mistaken about this customer using their product for NAC for over 20,000 users at LVHHC, let's give them a chance to retract or correct the press release and case study.  At that the BNBB would close this file without any prejudice.  Case closed, the BNBB does its job again. What do you think would be a reasonable time to do this?  Two weeks? Three weeks? I'll tell you what, the BNBB is founded on fairness.  Let's give them a month.

If after a month though they have not updated the case study and press release we will have a podcast here and we will delve into this further.  We are going to find out what the NAC solution there is.  Of course Forescout is invited to participate in the podcast and can even bring their own guests if they like.  But at the end of the day, there is only one solution being used for NAC at LVHHC and we all are going to find out what that is.  That hospital ain't big enough for the both of us!

If you would like to be involved in this podcast or the BNBB drop me a line at podcast@stillsecure.com

June 14, 2008

If Rohati is King Arthur, what does that make Stiennon ...

Sir Lancelot or Guinevere? Hey don't laugh it could happen to you. In the meantime what has Richard so hot and bothered that he is ascribing mythical qualities to Rohati?  It seems they are using a layer 4 to 7 firewall to control access to applications. They call it network based entitlement control.  I wonder how they stack up to Palo Alto Networks and some of the other next gen application aware, access control firewall products.  From what I understand Nevis Networks and ConSentry can do similar things with the firewalls in their secure switches.

Nevertheless Rohati has gotten some good press, albeit with most coverage carping on the fact that they are founded by former Cisco employees (there are enough former Cisco employees to found many companies I would think). I do think that application aware access control is of tremendous value and this technology will find its way into many technologies. It is a logical extension of identity based access control. 

As usual though Richard can't resist taking a few cheap shots at NAC vendors.  In Richard's idyllic view of Camelot, somehow performing pre-connect health or integrity tests is the devil's own work.  Richard will just admit that these tests have value and people want them.  They do not preclude doing the rest of the job of access control that Richard seems to approve of though.  Alas, Richard and I have danced this dance before though and I am not going to get into the why it is important.  In fact, here is a new tack for you Richard, it is not important. If you are not going to be convinced, forget about them.  Look beyond admission control tests at what NAC vendors offer around access control and you may find similar type of technology to Rohati in the near future.

Until then though Richard let me paraphrase Merlin from the movie Camelot "Never be too disturbed if you don't understand what a former analyst is thinking. They don't do it very often".

Mr Bump has a problem with me being frustrated by loving customers

So my friend Mr Bump has a problem with my post on vendor frustrations with customers. For those who don't know Mr Bump, he writes about "NAC in the real world", originally about his deployment of Nevis Networks product. At first I thought Mr Bump was a pseudonym for Dom Wilde over at Nevis, but over time I actually like some of what Mr Bump writes and he contributes to the security blogosphere in a positive way. I just like to give him crap about his choice of NAC vendors, but it is all in good fun. Plus I actually like and respect Dom Wilde and that kind of unscrupulous behavior is not his thing.  There is another NAC vendor who plays fast and loose like that though and I will be writing more about that this week, so stay tuned.

Mr Bump responds to each of my three points, but before I get to that, let me clear up a few things. First of all Mr Bump says that this is his problem with 90% of all "sales" people. Mr Bump, you obviously have some issues with sales people. Were they mean to you when you were young? Did your Mom like the salesperson sibling better? Do you secretly dream of being a sales person? Just kidding, but seriously, I did not write my article from the point of view of a sales person. Sorry you confused me with one, though as I have said before we all sell everyday, whether we admit it or not. I was writing from the point of view of a business owner, trying to build a solid business one customer at a time. I am not concerned with short term commissions, but building out a solid customer base. This way I can sell the business for a huge profit and you can call me a slimy entrepreneur ;-).

Also, I can complain as a customer, that is my right. Equally so it is my right to complain about customers as well. I guess I can complain about anything I want on my own blog, not sure why that should bother you. Think of it this way. We all wear different masks in different roles in our lives. Sometimes we wear the Daddy mask, sometimes the boss, sometimes the employee, etc, etc. Being one in one situation, does not preclude you from being another in another situation.

Now, on to the show. Mr Bump doubts my sincerity about being upset when a new guy comes into a customer replacing the guy who bought the product and we have to start all over with them. He says I am kidding him. I made my sale and collected my commission and am on my way. Well Mr Bump, I suggest that if that is the kind of security vendors you deal with, find new ones! Any good business person can tell you that one unhappy customer is worth 10 happy ones. It is about building long term customers. That is how you build a business, not about being bandits who come in, rape and pillage, collect the commission and move on. I have known sales people who have sold to the same people over and over again, because they do care for more than the short term commission. I am sorry you can't believe it and you can't see how it frustrates a vendor. But sometimes we will work with a person for months or even years and build a deep relationship. As part of the game, they move on, I get it and that is the way it is. But it is very frustrating starting from square one with the new guy who may have a pre-conceived prejudice.

Next Mr Bump finds it unbelievable that I would care if a product implementation got delayed. Again, this speaks wonders to the kind of security vendors he deals with. It is not about if my resources are committed at all. Mr Bump I can't wait to get you up and running so you can tell your friends and others about what a great product and company you deal with and we can continue building the business. Also, believe it or not I care that all of a sudden a maintenance fee comes up because the time starts running from the date of sale and the customer hasn't even used the product yet. Shelfware is a failure for a vendor. Delaying implementation is the first step to shelfware. Please Mr Bump spare me your "in the trenches and grenades" story. Most hard working people at security vendors or anywhere else for that matter are not sitting around playing foosball either! We all deal with emergencies and priorities. I am keenly aware of the security and network admins job pressures and have tried to build a company that actually makes your life easier. Again, I can only assume you are dealing with quite a bunch of vendors if you feel this way.

Lastly Mr Bump almost agrees with me about using the product in unintended ways. Mr Bump I can put you in touch with people who have done this. You have to remember that unlike your NAC vendor, our stuff is built on off the shelf hardware with open, standards based OS and database, etc. People who are comfortable around a command line and Linux like to play. We don't mind, just realize how hard that makes our support obligations though and don't expect us to fix what you "developed".

So I hope that clears that up. Like I said in my comment on your blog, too bad you didn't pick a better NAC solution you might have a different opinion of security vendors and maybe even sales people ;-)

June 09, 2008

Monday Potpourri

There are some days where nothing strikes me as interesting enough to blog.  Then there are days like today where there are just too many things that I find compelling enough to comment on.  So rather than do 4 or 5 posts today, let me condense all of this goodness (I hope) into one post:

1. Sophos releases "financial results ahead of analysts expectations". While I applaud the Sophos folks for making public their revenue numbers (at least gross, net and deferred totals it seems), I am not sure what analysts they are talking about.  As a private company, it is not like people are trading their stock and the financial analyst crowd is putting their numbers on the street.  200+m is a lot of revenue, even for an AV company and 40+m to the bottom line is impressive, but until you are public, no one is holding your feet to the fire and analyst coverage is just not the same.

Author's note: Dr. Jan Hruska, co-founder of Sophos, wrote me off line and gave me permission to publish this comment:

In October last year we prepared for a float on the London Stock Exchange. As a part of the exercise we had analysts from the three sponsor banks produce their projections for revenue etc for the next three years. We did better than their projections for 2007/08.

2. Apple is ready to enter the platform war - Larry Dignan over at ZDNet has some good comments and stats on Apple vying with Microsoft and Linux/open source to be "the platform" of the future. I agree that the iPhone and iPod are Trojan Horses into the enterprise and along with the Mac represent a viable platform that could compete with Microsoft and the Linux/open source crowd.  However, I don't think you can judge how many developers are developing Mac/iPhone apps based on the crowd at the upcoming WWDC (worldwide developer conference).  Steve Jobs is a master showman and I think these conferences have become media events.  Many people are there to twitter and report and to "be there".

Larry is right though that Apple has to balance being too iPhone and iPod crazy at the risk of ignoring the "real" platform here the Mac.  His example about PGP developing a Mac version is a great point.  I have heard many other security companies likewise bringing Mac versions to market. This graphic I think shows the point well:

But my ultimate point on this one is that the ultimate platform will be the web.  What the underlying OS is for future web apps should be somewhat meaningless.  The webtop platform would seem to me to be the platform going forward!

In any event the WWDC should be a lot of fun and I will be watching to see if any new reports come out.

3. Belden buys Trapeze - Another independent WLAN provider gets bought. Doesn't seem like a great multiple, 133m on 2007 revenue of 56m.  There are not many independent WLAN providers out there now.  Meru Networks is probably the biggest of the bunch. You don't hear too many people saying that wireless is not here yet anymore.

4. McAfee still chasing the dragon on security ROI - McAfee announced that using the Forrester Economic Impact Calculator you can now easily find out your ROI from buying a McAfee product. They have a very nice diagram that I have pasted in here. They ask you to plug in a few numbers about type of security you want, desktops, laptops and servers and presto - they give you an ROI.  I didn't call them to get the scoop, but it really underwhelmed me.  Looks like smoke and mirrors to me, just like many of these security ROIs do.

June 03, 2008

Security - Passive versus active response

Here at the well-heeled Gartner IT Security Conference at the brand new, spectacular Gaylord National hotel.  The hotel is only 2 months old or so, but it is supposedly the largest on the East coast and really first rate.  Also, the Gartner folks put on a first rate show, though it is on the pricey side for everyone from exhibitors to attendees. Vendors who really want to have a big presence are in for big bucks reaching a relatively small number of customers.  It was good to run into a number of StillSecure customers here at the show.  Even though we did not exhibit our presence was felt in several of the tracks discussing security solution areas that we offer products in.

While at the show I had a chance to catch up with several other security vendors.  One fellow I spoke to was Phil Neray of Guardium.  Guardium is best known for providing database security to many of the largest financial institutions and other large companies.  They recently announced a major new release of their flagship product with something they call "S-GATE". I won't bore you with all of the details but the gist of it is that for the first time database security can move from passively reporting or alerting of data access violations to actively blocking such violations. 

For me the active versus passive mode of security is one that transcends different layers of security.  Whether we are talking about IDS passive response versus IPS active response, vulnerability scanning passively assessing and reporting to NAC testing and blocking access, to now database access, ultimately security follows a similar route. First comes the ability to actually detect.  Often times the ability to detect is a major step up from what was available before.  The next evolutionary phase is to be able to prevent or block the dangerous or malicious event from taking place.

This active blocking mode though is often not as readily accepted at first by the market.  Everyone is always afraid of blocking the wrong user, the wrong email message or other request.  I think it is part of human nature that we inherently distrust our technology to block, always thinking it will block legitimate traffic.  This has been true in every security technology I have seen.  Eventually active response does win out, but it takes time and there are always doubters.  It will be interesting if what Guardium has done here is viewed with the same suspicions at first and then catches on or not.  We will have to watch.

March 21, 2008

Babies and bath water

So the security blogging world welcomes a new contributor in Chris B over at Napera Networks. The Napera blog joined the security bloggers network a short time ago with the public unveiling of the company. Chris's first article is called NAC is dead, long live NAC. Evidently Chris was at one time working over at Lockdown Networks and brings his own unique views on what went wrong at Lockdown.

Chris makes some good points about the Lockdown shutdown. One in particular that I think we should all realize is that Lockdown's failure is not a failure of NAC technology, but rather a failure of Lockdown's execution. NAC still solves problems that customers have. Done right, NAC is valuable and will find its place in the security world. Over the past few days there have been more people jumping on the "NAC sucks" bandwagon than there were vendors coming out with NAC solutions just a few short years ago. I read with disbelief Eric Ogren's piece in ComputerWorld the other day about him never being a believer in NAC. I don't remember him saying that when we were briefing him a few years ago. But maybe he was getting paid to cover NAC then, I don't know. But it is certainly fashionable to throw dirt on NAC now and there are plenty of people only too happy to do so. Frankly, part of me wants to say sure go ahead, throw dirt. It will be that much sweeter to show the naysayers wrong. Actually selling the solution, we see the real market for NAC and remain jazzed. For us it is about execution.

What I fear is that we are throwing out babies with the bath water here with all of the NAC bashing. Yes there are companies in this space that frankly don't have the technology or the team to make it. Lockdown is a perfect example. But there are others who have actually built a better mousetrap and the market (the ultimate decision maker) is rewarding them. But if the media and analysts just keep bashing NAC it becomes almost a self-fulfilling prophecy. No matter how good the technology or the team it is like spitting into the wind. I saw this happen with the dot com bubble first hand. Many companies that were doing great things were killed off in the great extinction of the dot coms. It took years for the market to come back. In the case of NAC not only would the better NAC companies and technologies be the ones to suffer, but the networks they can protect would suffer. NAC is attractive because it solves a real problem that people have. In spite of what Paul Roberts at 451 or Amrit say, there are no existing tools that solve that problem for them as well.

My only issue with Chris is he confuses the problem that Lockdown was solving with the way they were solving it. Yes using the network including switches is a great way to control access. However Lockdown's technology to test these devices with Nessus doing vulnerability scans was circumspect for the NAC mission. But more than that, SNMP is never going to scale for NAC. It is not secure, but more importantly you just can't wire and script every model and version of switch out there. Ultimately much of Lockdown's problems revolved around that. Inherently Lockdown had the wrong solution to the right problem, on top of some of the other focus issues that Chris talks about.

All in all though, Lockdown's failure should stop being used as a blunt instrument by the NAC naysayers to bludgeon the NAC vendors who are executing and solving customers' problems!

March 19, 2008

More on the Air Defense WAP phishing story

Last week I came down pretty hard on Air Defense (here and here) for phishing WAPs at the InfoSecWorld trade show. Well just to show you that sometimes people make mistakes and if you blog it, you may get it addressed, I wanted to share the following email that I received today. I have redacted out the names to protect the innocent and the guilty.

Alan,

Let me start by first apologizing for any inconvenience I might have caused you or any other vendor at InfoSec World. You can be assured that next time I will collect alarms in the privacy of my own home prior to going to a convention.  I set up a test box during the vendor setup on Monday, this is a tool we use to show some wireless attacks.  After about an hour I shut it off, I was using it to gather some historical data to show in Advance Forensic.  If I recall correctly it did run for about 5-10 minutes the 2nd day after the demo crashed and we lost the data I collected on Monday (plug was kicked out).  This was very brief and not intended to be harmful.

The intent behind using the page with AirDefense was in case anyone who saw the page could at least ask us why it happened and we could apologize and explain that it was just temporary.  JOHN DOE, the gentleman you spoke with, was not aware of my actions nor was anyone else from AirDefense. I did ask him to point you out so I could apologize and let you know it should no longer be a problem but he didn’t see you.  I unplugged the test box just in case it was still doing something behind the scenes.  Once again I do apologize for any issues I may have caused.  If you have any questions or comments please feel free to call.  Also thanks for making us aware that it may have still been phishing people off their APs.

Thanks,

So to this Air Defense engineer, I take you at your word and apology accepted.  I am glad to hear that Air Defense does not condone this as a legitimate trade show tactic. Go in peace and sin no more ;-)

Money for nothin', code for free - if you don't own the copyright you could be in Dire Straits

Bob Walters from Untangle on his Untangling blog has an article about open source business models and how Untangle is utilizing multiple revenue streams as their business model because the software they use is open source and is inherently free. Bob calls the article "Money for nothin’ and Code for Free". Not sure how big a music fan Bob is but I think he has Dire Straits (the band who did that song) spelled wrong, but that is not the only thing I think wrong with Bob's article. Bob lays out Untangle's revenue models as this:

  • Untangle makes money from software by selling proprietary, for-profit extensions to our core open source code. We have targeted these extensions to appeal to larger, commercial customers. Our core software is open-source, full-featured, and free. Period.
  • Untangle optionally packages its software on Pentium-based server appliances. We sell these servers at “cost-plus,” and so this is deliberately positioned as a convenience to our customers and channel and not as a core money-making strategy.
  • Untangle sells tech support services, primarily to larger commercial customers, but also some of the larger schools and non-profits

So let's have a look. First off, if you don't know, Untangle has a UTM that is aimed squarely at the "S" in the SMB market. It is open sourced and free and is made up of modules based on open source security tools. I get the upsell of extensions or premium features for some modules and premium modules, that is a no brainer. I don't disagree with the off the shelf hardware justification either, though there are many companies selling off the shelf appliances for a significant mark up over cost and it is a profit center for them. Untangle seems to be writing that revenue stream off. Then Bob says they are selling tech support services to larger customers. Again there is nothing earth shattering on that. Maybe sharing the revenue with local implementation partners? Again sounds like a VAR play, nothing special.

Here is where I think Bob and Untangle's model could be in trouble. Bob assumes that the underlying software Untangle uses will be free, because it is free to them. But Untangle is using a Heinz 57 mix of open source security software of which it owns little if any of the copyrights. Yes, much of the software is today open source under GPL. But what happens if the copyright holders of the software and the project owners decide that Untangle is profiting from their software and hard work? What happens if they decide to dual license the software to anyone repackaging it in a UTM or other commercial product or for profit entity? Then what does Untangle do? Their whole business model goes down the tubes. From what I know of Untangle's downloaded user base and their conversion rate to paying customers and what they charge, I don't think they have the margin to pay for any software. They could fork the software and develop it themselves or hope to develop a community to continue development, but I haven't seen that pulled off very often, if at all.

To stay with Bob's money for nothin theme, if he does not protect against this, Untangle could find themselves in dire straits.

NAC is a battlefield - Only the strong survive

First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market.  Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.  But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.  This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.

This is when I first met Rob Gilde.  Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.  In short time it became apparent  to me that Lockdown was looking to move out of the VM business.  Rob realized that just scanning and reporting was not going to make it.  He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.  My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.  That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later. 

I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.  We ran into them on deals from time to time, especially in many of our major partner/OEM deals.  The good news for us, is that just about all of the time, our product was picked over theirs.

Soon rumors were everywhere that Lockdown was on the block.  Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.  Then we began hearing that they were looking for less and less money.  Also, their PR began becoming more and more desperate.  That is when I began calling them on it in my blogging.  Evidently that got their attention.  A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.  I apologized and said hey I call them as I see them.  At RSA or another show after that Brett walked right by me and tried his best to diss me.  People from NY don't get dissed that easy though.  I just laughed it off, but it was the last time I spoke to anyone at Lockdown.

Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.  I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.  In many ways a company shutting down is a death of a thousand dreams.  The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VCs thinking this could be the big hit.  Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.  Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.  They as much as anyone lost that bet.

As they do on eBay, here is a second chance for Lockdown customers.  We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.  Lockdown's misfortune does not have to be yours.  We are here to help and are here to stay.  So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.

To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.  You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.  For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:

March 13, 2008

NAC for grown-ups

I guess maybe if you sell to the .edu crowd a lot, after a while you start thinking that all of your users are juvenile.  As a result you start thinking in terms of your product protecting against adolescents who are not smart, mature or capable enough of taking care of themselves.  You start thinking of yourself and the people who use your product as the grown ups, here to be the custodians of these addled brained users of the network. Or so it seems reading Gord Boyce's advertorial in Enterprise Networks and Servers titled "Are your users smarter than a 5th grader".

You know what I mean by advertorial right? A piece in a magazine or e-zine that comes across looking like a real piece of journalism and is really a thinly veiled advertisement for your company's products.  Some people say my blog could be put in the same boat. If that is how you feel, so be it, I am not going to waste time arguing about it with you.

Gord's gist seems to be that users need parenting and that security and network administrators can administer the proper discipline or love in one of two personas.  You can be the Beaver's mom, Mrs. Cleaver or you can be Nurse Diesel (from High Anxiety for those too young to remember).  Frankly I find this view of network users arrogant and condescending.  For most enterprises their users are not some ill behaved child exhibiting bad manners.  They are legitimate users who have to access the network in order to get their work done.  And here is a lesson for all of you who subscribe to the "parenting approach" to network security, if those same users we are trying to discipline or raise into responsible adults don't get on the network and do their work, you may not have a paycheck!  So spare us the analogies to children accessing the network unless you are selling to schools.  It's time we treat our network users and legitimate guests as the adults they are. Adults who we are counting on to do their work and make our companies profitable and put food on our tables.

This same "teach the kids to mind their manners" approach to NAC is what has caused too many to think of NAC as being all about the quarantine.  It is not and should not be.  Quarantine should be something you do as a last resort. If someone has a legitimate right to be on the network, it should be the job of the NAC product to make sure they are on securely, in compliance and safely.  If they are deficient in some configuration let's get it fixed.  They should be allowed to go where they are allowed to go, not more or not less.  But I think we can spare the user the finger wagging and lectures.

Unlike Gord, I actually think that time can be better spent in social engineering of NAC. Educating your network users is key.  The more time you spend making them understand why rules are in place and what they can do to help and make everyone more successful, the better off you are going to be.  I think the technology of NAC is only one piece of the entire solution.  Security awareness and education are also key.  Also, unlike Gord I don't think that agentless NAC is the only way to test devices.  Especially if like Gord's product, all you are using to do so is Nmap and an old version of Nessus (btw, Gord do you include the source code with your use of those open source products?). I think to truly test the full spectrum of devices accessing the network you need a combination of agentless, agent and web delivered testing options. You need a purpose built NAC testing engine.  If you want to provide continuous monitoring, you need to do more than recycling your failed IDS technology.

Here is the bottom line for me. If you think the people accessing your network are like the Beaver and Wally, Gord's product may be just what you are looking for. If you have adults trying to do business and make you and your company succeed perhaps another NAC solution might be best for you.

Agents - Can't live with them, can't live with them

Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in a recent article about bad news for NAC vendors who rely on agents.

I think we all know that the last thing most enterprises want is another agent on their machines.  Heck, not just enterprises either, no one wants yet another agent.  The reasons for this are many and Tim lays them all out.  For me personally the biggest reason is that too many of these agents (and not NAC agents necessarily) are pigs.  They slow down your machine more than some of the widgets I used to use slowed down my blog page loading.

But Tim offers agentless NAC as a panacea. That it is not. In some cases agentless NAC works great, in others it severely limits what you can test for when and how fast.  Personal firewalls and other such technologies can wreak havoc on agentless NAC.  You may still need credentials to get any useful information.  Over the years here at StillSecure, we have come to realize that in most real life situations, you need both agent, agentless and even web delivered methods of NAC testing, if you are going to be able to perform NAC against the entire spectrum of devices logging on to the network.  There is no one perfect way to do NAC. If there was, everyone would do it that way.  A good NAC solution should be flexible enough to offer multiple methods of testing.

One other thing I noticed was in the comments to Tim's article Dan Clark from over at Lockdown tried to make a comment and refer back to the Lockdown blog for his further commentary on this. The next comment though from Robert B I thought was priceless. It isn't that long, so let me just paste it in here:

Does anyone else find vendor blogs like nactalk.lockdownnetworks.com a little troubling? They appear as a neutral blog discussing a topic, except they only contain the vendor's point of view.

While they seem to allow comments, the one time I registered and tried to comment, it was never approved. I'm assuming that since none of their other "vendor patting themselves on the back" articles have comments, I am not the only one.

Hey Robert I agree with you. The Lockdown Blog is a pretty thinly veiled attempt at a cheap marketing outlet. A review shows they put up an article a month and never have any comments as Robert points out. That is not a blog, the same way many vendors who claim to offer NAC don't really have a NAC solution. However, I would hope that not all vendors who blog are painted with that same brush.  Besides myself, there are several excellent blogs authored by people who are also working for vendors. Not to say we are not biased, but I think there is a clear distinction there.

March 12, 2008

More on Air Defense's sleazy trade show shtick and Infosec World wrap up

OK I am out of Orlando and Infosec World and now in DC for some meetings in this week's version of the Shimel world tour.  I wanted to put some finishing touches on the trade show though and some previous posts. 

First on the issue of Air Defense spoofing SSIDs to direct people to their site which I wrote about yesterday. Several people wrote to me privately and confirmed that indeed this is something that the Air Defense people have been doing for several years evidently at trade shows. They also agreed that while showing what their product can do, it is a pretty sleazy way of doing business and they are turning off more people than they win over doing it.  Real life example is someone tried to show someone a web site and were unable to do so initially because their machine would automatically log into the spoofed SSID of the Air Defense WAP. I have someone sending me a picture showing the spoofing in action in case anyone disputes that Air Defense actually stooped this low.  In fact let me tell you what I did on this one.

I went over to the Air Defense booth when there was no one else around.  I pulled the guy over and told him that I know what they were doing and I think it is pretty sleazy and they should stop spoofing SSIDs as it made them look sleazy.  At first the Air Defense dude played dumb and said he was not aware they were doing that.  Then I pointed out to him that the laptops they had set up right next to their WAP at the booth were showing the same Air Defense "we have hijacked your wireless" page that others were getting. I asked him to show me what SSIDs they were attaching to, to get to that page. He realized at that point that I had called BS on his story and said he would correct it.

Now my young friend from Air Defense did not realize that when I walked away from his booth, I stopped just a booth or two down and watched.  I saw him go over and tell his other booth buddy about what I said, they laughed like they were quite the hot stuff and didn't do a darn thing about it, as I checked the SSIDs a few minutes later.  That is OK, a word to the show organizers about other exhibitors having problems with connectivity due to Air Defense's sleazy ways will put an end to them doing that in the future.  In fact I encourage my many security vendor readers to make sure and make show organizers aware of what Air Defense does at these shows and put an end to it once and for all. If they can't police themselves and act in a decent manner, I guess we will have to do it for them.

Other show news - We had a booth next to Ken Belva launching his new info sec blog magazine which I wrote about the other day. I never met Ken in person before, it was good to meet both him and his dad. Always fun to spend some time with fellow NY'ers. Also, it always amazes me at the end of shows when the "adult trick or treaters" come out with their shopping bags looking to load up on chachkis.  Whether it be a foam little computer, StillSecure branded chap stick (that was a big hit this show) or anything else not nailed down, these people have no interest in your products or anything, they just want to know what they can bring home for free.  There is always a big competition for our fit balls which have become a trademark of ours over the years.  We are the company with big (fit) balls.

All in all, it was a great show.  Good catching up with folks, meeting new ones and keeping abreast of security news. Not sure why the "pit bull of self help" was a keynote speaker but he was interesting if not security related per se.  This show has me really looking forward to RSA!

February 27, 2008

Wayne Jackson out over at Sourcefire

Just saw the release making it official that Wayne Jackson is stepping down at Sourcefire.  Having seen a few of these kinds of situations but not having any inside information, it looks to me like a mutual decision and probably tied to earnings and performance versus market expectations.  In any event, Wayne has done a great job of taking Sourcefire from a good open source project to a public company.  As much as Marty is the lightning bolt and thought leader over there, Wayne brought a steady hand and sense of maturity to the company.  He has much to be proud of in his work on this one.

With a new CEO search underway, I would imagine they are going to look for someone with public company CEO experience to help guide Sourcefire through a rocky market and make up for a history of missing street expectations.  At the same time Wayne's resignation was announced of course Sourcefire also announced another quarter where they missed the numbers. Their stock is down almost a dollar off of their 6.54 closing price.  This brings their market cap down below 150m I would bet.  Tough luck for a company that actually is executing. I think it has more to do with setting the right expectations with the street than it does with the company's market share and such.

In any event, with a new CEO coming in you can be sure there will be other changes afoot at Sourcefire.  Good luck to you Wayne on your future endeavors, you have accomplished much!

February 14, 2008

ArcSight IPO goes against the tide

Dan Kaplan over at SC Magazine had an article up today (they use Intense Debate for comments too) about ArcSight's first day of trading.  It seems that in spite of the overall condition of the market, they went ahead with their planned IPO.  They picked a bad day to do so, as the NASDAQ was off 1.74%. Opening at 9 dollars a share (the low end of their expected range), they closed at 8.78, bouncing off an intra day low of 8.07.

OK not an auspicious start, but I think they deserve credit for putting the ship out in this storm. I remember when I was at Interliant and we were planning our IPO.  Trying to time the market is a fool's game.  Sometimes you just have to go for it.  Only time will tell if the market rewards ArcSight's gumption to go public at this time or punishes them as they have done recently with Sourcefire. For reasons that include purely selfish ones, I would love to see the public markets be a viable alternative for security companies to pursue liquidity events and access to capital.  Without them no one will be able to gain the girth necessary to compete with the current security monoliths.

December 12, 2007

Has the last rat left the ship at eEye?

Not to insinuate he is a rat, Marc Maiffret is not a bad guy (once you get past the hair and metal), but Kelly Jackson Higgins over at DarkReading reports that eEye co-founder, CTO and Chief Hacking Officer, Marc Maiffret has left eEye. This comes on the heels of several other executives that have left the company over the last months including former CEO, Ross Brown.  Also, rumors of trouble at eEye have been swirling for months.  I had heard they let go most of their vulnerability management team a while back, as they shift from Retina being the flagship product to host-based Blink.  Maiffret says he actually left in September but didn't want to go public until now.

I don't know about you, but usually where there is smoke, there is fire.  I can identify with Marc leaving though.  With Mitchell Ashley leaving StillSecure recently, I am sure people may have asked the same questions.  However, in our case Mitchell and our company announced his leaving almost to the day he left.  We felt hiding that kind of news only draws negative connotations. Not sure why eEye and Marc waited this long, unless there was something else at play here.  Of course Marc puts on a good corporate face and says how great things are over at eEye now, but my gut tells me there is more amiss there.  Here is the first of Shimel the Soothsayer's predictions for 2008, eEye will be acquired for bargain basement money in 2008.  Remember, you read it here first.

December 11, 2007

Cisco's security triple play

McAfee has been making hay lately with their "triple play" promotions. But the biggest security vendor out there has recently announced a triple play themselves.  I am referring to Cisco of course.  In the past few weeks Cisco has made several announcements that show they are serious about keeping competitive, if not best-of-breed in security. But having best-of-breed is not necessary when you are Cisco. When you control 75+% of the networking market, like Joe Namath said, "if you got it, flaunt it". However, when you take a close look at these announcements and the products they tout, we see it is more of the same from Cisco.  Trying to play catch up to other security vendors and driving more into the switch box to leverage their advantage. Let's have a look.

First up is the Cisco IPS 4270.  This is touted as a 4GPS IPS for certain types of media traffic.  For more conventional data, it does packet inspection at 2 GPS.  While not as high as the highest rated boxes from ISS/IBM, Tipping Point, McAfee, Sourcefire, etc., it does move Cisco into the multi-gig IPS space.  I am not sure if those "boys with toys" types who go in for these Ferrari IPS's will be satisfied though with less than the highest throughput vehicle though.  In the meantime I am sure there will be plenty of Cisco shops who will be only too happy to fork over the bucks (has anyone been able to get a price on this baby?) for this baby.  Besides speed though, I have always heard that Cisco's IPS is a beast to use and is not updated very often.  I don't care how fast it goes, if they have not addressed these issues, who cares about how fast it is. It will be just another useless piece of Cisco gear. I have seen more companies than I can count who paid for Cisco IPS (or they think they got it for free with their network buy, but somewhere along the line they paid) and have the boxes not even plugged in, as they use something out.

I have a bigger issue here that I would like to draw attention to though.  That is what can we do to stop the BS around speed ratings in IPS.  Doing 4 GPS on only certain kinds of traffic is not a 4 GBPS IPS!  Cisco is not alone in this though.  Almost every single vendor is guilty of word games with their speed ratings.  2 GPS of traffic in is touted as 4GPS because it also sends those 2GPS out.  That is not 4GPS either!  I would like to see some vendor come along and blow the lid off of the marketing scam and see real throughput levels.  We need apple to apple comparisons!

Second player in the triple play is Cisco's move into behavior based detection. Brad Reese (our latest guest on the podcast, coming up this week) on his Cisco Subnet, NetworkWorld blog talks about Cisco moving away from NetFlow to a new ASIC packet inspection card (again in the switch) and working with the Cisco QoS Policy Manager. I don't know enough about this one to say for sure, but I think at a time when the industry leaders (Lancope, Mazu, Arbor, etc.) are standardized on NetFlow, Cisco at least according to Brad's article is moving away from it.

Finally is Cisco's TrustSec announcement.  I think the Wizard of Syracuse, Mike Fratto has done a good job on his Network Computing blog in calling a duck a duck. When I first heard about TrustSec I thought TrustSec was part of the NAC framework. I was surprised to learn it is not. I see TrustSec absolutely competing with NAC.  The fact that one comes from the security group (NAC) and one from the networking group has all the earmarks of a political turf war to me.  In any event like Dom Wilde at Nevis pointed out, identity based access control - BFD. Nothing earth shattering there.  It will be interesting to see how TrustSec plays out with NAC when and if it is finally available.

There you have it, 3 new security plays for Cisco.  It certainly keeps it interesting and makes it harder than ever to compete with these guys!

November 29, 2007

One company quietly becoming a NAC player, another joins the "johns" list

Couldn't help but compare and contrast two companies' different approaches to the security (and specifically the NAC) market, after reading two articles today. The first was in eChannelLine and talks about how HP ProCurve has launched a special certification and designation for its partners that are delivering solutions based on HP ProCurve's recently released ProCurve NAC 800 appliance. Rather quietly, in typical HP ProCurve fashion, they have launched their entry into the NAC space and they are bringing the considerable HP channel and machine to bear in carving out market share.  Some are still surprised when they find out that HP ProCurve is solidly the number 2 provider worldwide in the switch market.  In many ways it is one of the best kept secrets in networking.  That same approach may have us waking up one day to see this 800 pound gorilla capturing more than their fair share of the NAC space as well.

The second article in contrast had me a bit chagrined. Bradford Networks, a NAC company that has traditionally been focused on the education market, has joined the "Johns" list who pay "vendor escort" fees to SiliconValley Communications.  I have written about SiliconValley and their InfoSec products guide awards lots of times, as have others like Mike Rothman.  However, there is a john sucker born every minute, so there are plenty of folks who pony up their precious marketing dollars to these charlatans to receive bogus, bought and paid for awards.  Everyone is so jaded by the nonsense that it does nothing but cheapen other honest awards.  Really now, does anyone believe that Bradford's NAC product is worthy of "the worlds best security product"?  I wonder what they paid just to be in the finals along with other renowned security products like Infineon, MXI Security, Promisec and Fujitsu.  All of them jump right out at you as contenders for the world's best security product don't they?

Only when the security industry wakes up and smells the coffee of reality and not the cheap perfume of jokers like SVC will these folks shrivel back up under the rocks they came out of. Until then these parasites make a living off of our own greed.

October 02, 2007

Does the Shavlik-Sophos deal signal a change in the NAC market?

When I first read the headline of the Shavlik-Sophos deal, I thought it made a lot of sense.  Sophos (who bought the Endforce NAC product), was going to use Shavlik to deliver automated patching and remediation to out of policy endpoints.  To me this is one of the 4 pillars of NAC going forward, along with pre-connect testing, post-connect monitoring and identity based access control.  As a matter of fact, I think we are going to see more and more built in auto-remediation as NAC products mature.  Self-remediation is just really not an option for many customers.

A closer read of the Shavlik press release seems to indicate something different.  The release states, "If customers then require an automated method to remediate discovered problems, Sophos will recommend Shavliks advanced deployment solutions, which provide simple, automated and configurable methods to test and deploy patches onto vulnerable systems."  This would indicate that Sophos is going to "recommend" Shavlik but it sounds like it is not integrated.  Also, Mark Shavlik says, "... this integration will make it very easy for Sophos customers and partners to come to Shavlik in order to simplify and automate the next step of deploying of critical security patches across their network." Again clearly the plan is if you want actual patching you come to Shavlik, it is not integrated into Sophos.

So if it is not patching, what is this deal about?  I don't know for sure, but my reading of it is that Sophos is replacing the Nessus engine they used, for a Shavlik vulnerability assessment engine.  However, this is more I think than just replacing one vulnerability scanner with another one.  As I have written many times depending on how you use Nessus, it may not be the right product for NAC.  You have to make sure you are on the right side of the license, including the plug ins you use to scan.  Also, because of the nature of local versus network scans, banners, etc., speed/scalability can be an issue.  Many NAC vendors actually use Nessus (some admit it and others try to hide it), but generally those that do use Nessus, only use it with a handful of plug in scripts.  Maybe a dozen and a half at most.  In this way, they only check for a small sample of what a full blown vulnerability scanner like Nessus can check for.  However, this has been enough for most NAC products until now.  At StillSecure because we use our own custom testing engine optimized for NAC, we never had that issue and so have been able to check for a wider range of configurations and policies than most other NAC products.  With the Shavlik product will Sophos be able to match this? I think not.

The reason I think not is that to the best of my knowledge, Shavlik is no better at this type of scan than Nessus is.  It remains to be seen whether Sophos will actually check for anywhere near the 22,000 patches that Shavlik claims to support.  In fact I would bet the actual number is nowhere near that.  But, there is another reason that I think this is an apple to oranges comparison.  Shavlik only checks for patches and vulnerabilities.  NAC is just not another pretty name for a vulnerability scanner.  NAC checks should look for the presence or absence of applications, services and settings that do not require a patch, but are a security policy.

Ultimately the market has to decide if NAC checks and enforces for violations of security policies including vulnerabilities or is it just another form of vulnerability scanner and VM.  I don't think the world needs more vulnerability scanners, but it does need NAC.

September 28, 2007

Why did the NAC vendor cross the road?

Because a customer asked him to, of course. The same answer applies to the question Ron Gula asks over on his Tenable Network Security blog, about why there aren't any NAC vendors that are CIS certified or speaking XCCDF.  Frankly, Ron is right, I am not aware of any NAC vendors that are CIS certified. The reason I think is that there are few if any customers who have asked for this.  There are so many features that customers are asking for, that virtually every NAC vendor is up to their ears providing, there is no time to put in what is a nice to have or may make sense, but no one is standing up and asking for or willing to pay for.

From a technical point of view I don't think it would be too hard for our Safe Access NAC to perform this type of test.  I don't know about other NAC products that don't have the deep testing Safe Access does though.  On the other hand, you would think with so many of these NAC products using Nessus and Nessus already having this functionality, they would be able to do it already.  I guess the fact that these same NAC vendors don't like to admit that they use Nessus prevents them from claiming some of the benefits that using Nessus affords them.  But I digress. In some of our DoD engagements I know we are auditing against standards put forth by DoD. I don't think it would be any more intrusive than some of these tests we already perform. I also believe you will see FDCC type audits in Safe Access shortly. I am not as familiar with the XCCDF format but will have a look.

I also agree with Ron that using a tool such as Nessus and a NAC solution like Safe Access to talk to each other and using a standard like XCCDF to communicate a common standard for testing and enforcement would be a good thing.  I will have to talk to Ron off line on that one.

Most of all though, Ron is right again in that if you want your NAC vendor (or any vendor for that matter) to implement a certain feature, you have to speak up.  Our customers' input in terms of what they need to make our products more useful and more valuable to them is the best way we have of improving our products!

September 20, 2007

Security luminary for hire?

You know I try to never believe the hype, even about myself.  When that silly list came out with the top 59 most influential people in security and I was number 2, I had a good laugh.  When people recognize me in the street from the picture in my blog, I feel good and move on.  When people ask if my blog and podcast has helped StillSecure, I shrug my shoulders and say "I don't know, but I have a lot of fun doing it". Frankly, I am not the most technical person in the world. I consider myself a good business person who is passionate about security and what my company is trying to do to make networks more secure. But I am no celebrity. When I helped start StillSecure, I never imagined that one day I would be considered a "known person" in the security field.  However, it appears to be true.  In a corollary to the adage "imitation is the sincerest form of flattery", it seems some of the StillSecure competition are actually buying Google ad words keyed on my name.  Can you believe that?  How low can you go? Someone told me about it today and I tried it for myself and sure as you know what, there is a banner ad that a certain NAC vendor has taken out on the name Alan Shimel.  How cool is that?  Go try for yourself.

So that got me thinking.  Hey, maybe there is a cottage industry here.  I can sell or rent my name out to NAC companies that must be so desperate that they would hitch themselves to my name. You know the kind of companies that don't have a bona fide personality themselves and need to rent out someone like me.  Hell, I am thinking even bigger than that.  Maybe I can do personal appearances, webcasts and all kinds of stuff like that. Maybe, I could even do a blog for them. I might as well suck out as much cash as I can for my kids' college education fund.  I even drew up my own Google Ad over on the left.  Of course I think it only fair that I get a piece of the action from their sales then too, right?

But seriously, how much money is there to be made by buying ad words on my name? Maybe instead of trying to get more customers by cashing in on my good name, they should use the money they have left and get their development lab over in Israel fired up. They can perhaps write their own testing software, instead of relying on someone else's licensed software layered on top of a failed IPS.  This way they could be honest and upfront about how their product works.  Nah, that sounds hard.  Probably easier to hitch a ride on my name and live off of the crumbs of my table.  Geez, I feel like John Chambers.

September 10, 2007

Pat Clawson can bluff all he wants, but to IPO he is going to have show his cards

Not sure if this article in Dark Reading by Kelly Jackson Higgins is some sort of joke or if Pat Clawson thinks the security business is a big Texas Hold'em tournament. But it could get real embarrassing if someone calls him and he has to show his cards. It seems the spark for this story is the long rumored name change of the former Patchlink Security to Lumension Security.  They have been threatening to change their name for months, if not years now and have finally gone and done it.  They really had no choice.  It really gave their sales team a lack of credibility when they would try to sell the fact that they were not a patch company with a name like Patchlink. Of course the fact that Big Fix says they are secure configuration management drove the Patchlink guys crazy, as they didn't want Big Fix to be anything Patchlink wasn't.  Where they came up with a name like Lumension though is anyone's guess.  I have two - One they ran a new name contest and someone's 13 year old daughter came up with it. Two, they paid a small fortune to one of those boutique naming shops to come up with that one.  I don't know but it sounds like last year's new Chevy model to me.

Anyway, Pat Clawson takes the opportunity to spin a yarn that Kelly dutifully reports (come on Kelly, how about some more up close and personal features like this one on Thomas Ptacek).  Clawson tells us that the reason for the name change is the company is "retrenching" for an IPO in mid-2008.  Retrenching?  As if we don't know that an IPO would mean cool hand Pat would have to file an S-1 that would show us all what he