68 posts categorized "Security Incite"

May 02, 2008

Is NAC clawing its way up the "slope of enlightenment"?

It's no secret that over the past year it has been quite fashionable to bash NAC. It has not lived up to the hype. It is not the promised silver bullet. Some companies in the market went belly up. Yes, yes and true. But, as I have said all along, this was, I think, just the natural evolution of a technology as it matures. There was no way it could live up to the overhype that it was saddled with. Those who spoke about it realistically always said it was not the next "great white hope" of security, just another arrow in the quiver. However, the reason that people got excited about NAC was that at a rather simple level it was very easy to describe the problem it was trying to solve. As it turns out, solving that simple problem takes a rather complex solution, no matter how you slice it.

In the end, though, what we have seen in the NAC market is a textbook hype cycle. The technology triggers for NAC were never-before-seen numbers of guests having legitimate reasons to access the network, the spread of malware not through downloading via the Internet but by introduction via devices logging on, and the need, for compliance or otherwise, to enforce access policies with the network technologies to make it happen. With Cisco announcing their Network Admission Control program in December, 2003 and Microsoft announcing NAP that summer (interesting that it would be years before either one was actually available), NAC buzz went through a big bang expansion to the very height of inflated expectations. What goes up must come down, and NAC certainly has been dragged into the trough of disillusionment. However, the inherent appeal of the problems it can solve continues to drive customers and interest. Now we are seeing real signs of NAC emerging into the slope of enlightenment on the way to the plateau of productivity.

What has got me so optimistic?  It is a variety of things.  Let me list them:

1. Network Computing's 3rd annual NAC survey, which, while it shows demand for NAC is down from past years, still shows demand that is substantial and appears to be deeper if not as wide. It also has several other metrics that show people are being more realistic in what they want to accomplish with NAC and have more confidence that it will work.

2. Forrester's new report that shows that customers think NAC is mature enough to be ready for more wide scale deployments. Remember this is the same Forrester who said that NAC as we know it would fail last year. Has NAC changed so much in a year or has Forrester?

3. That Ebenezer Scrooge of NAC, Mike Rothman, actually admits that maybe we are seeing some progress with less inflated expectations around NAC. What could be next, the NAC Grinch, Richard Stiennon, admitting it might be OK as well? Here is my prediction: when Rich's new MSSP can make money offering a managed NAC service, Richard will jump on the NAC bandwagon with bells on.

4. My own observations at Interop, RSA, SANS and other events where I spoke to real live potential customers. I have personally seen a marked upturn in the number of real NAC projects that we see coming into both our partners' and our own sales pipelines. I assume that other NAC products are seeing the same pickup.

All of this is very gratifying to see after the bashing NAC has taken.  Now it is onwards and upwards to the plateau of productivity.   See you there!

April 25, 2008

Holier than marketing people - not!

So here is one of my pet peeves about the IT world. Too many "technical" people consider themselves (pick one:) superior, smarter, more ethical, better than their marketing counterparts. Hey people, everybody is selling something all of the time, even if it is themselves. Case in point, a recent "spat" between my bud Mike Rothman and another friend, Misha Govshteyn. Now Rothman and I go back a bit and have had our share of blog bad blood, but all in good spirit. Misha is a good guy too. Anyone who knows where to find a schmaltz herring in Houston, after all, can't be too bad. And my friend Farnum, who serves as the peanut gallery in this story, is solid as well. OK, now that we have the players, let's lay out the story.

It seems that Alert Logic had a webinar titled "Simple & Affordable PCI Compliance w/ Alert Logic". Mike thought that this was very misleading marketing from the slimy, no ethics, don't-understand-the-real-pain marketing folks at Alert. They are preying on the simpletons who are responsible for security and PCI compliance in the world, and Mike delivers his full venomous wrath (according to Misha anyway; I bet Mike could be worse) on Alert Logic and their marketing team. Misha then responds with his own venomous wrath, that Rothman is literally full of baloney, a shameless self-promoter on par with Michael Savage. To add fuel to this fire comes Michael Farnum, who tells Misha in his comments that while he likes Alert Logic, "many manufacturers use their marketing as fly traps."

OK, here is my take. To Mike Rothman: come on Mike, you never did anything like that when you were a marketing guy? What are you, some kind of reformed smoker? What would you have them name the webinar: "PCI is hard and our stuff can only help a little"? Give it a rest. Also, a little respect for the people they are marketing to. I think they realize what is what and can separate the bull from the cream. To Misha: hey, at least Mike gave you some PR. I understand your frustration, but instead of pointing at everyone else, say we stand by the name and that does it. Most of all, to my buddy Farnum: dude, we know what you do, it is just a question of price. If those Venus Fly Trap marketing people weren't drawing people in, you would have to have a second job to feed the family and may not have the leisure time for blogging.

But seriously folks, marketing people have a hard job too. It is not that they are not technical or don't understand what is involved in PCI compliance or the like. It is their job to make these webinars appealing. I don't think most marketing people think that what they are doing is misleading. They try to make these webinars deliver as advertised, the same way engineers try to make a product work as intended. Let's understand that it "takes a village" to develop, market, sell and support a product. Everyone has their job to do and for the most part they do it the best they can and, again for the most part, with the highest of professional standards. Thinking that marketing people are slimy fly traps does a disservice to them and to the people they market to, and frankly comes across as self-serving arrogance.

March 13, 2008

Sitting on your hands is not an option - FUD, Compliance, what will it take to sell security?

Michael Farnum has a good post up today about a customer of his over at Accuvant. In a real life reenactment of every security vendor's dream (come on, admit it), while the customer was procrastinating about whether to spend the money on security or not, they were pwned. Michael says this is the second time this has happened since he has been at Accuvant. Obviously nothing loosens up the purse strings like a real live security "incident". However, we can't as an industry rely on a security breach happening at the moment a customer is contemplating a security purchase to drive the sale through.

What does drive the security sale? Over my years in security I have seen the answer change from FUD to compliance. There was a time when, to sell security, you would ask your customer: what would happen to your business if your network was brought down? What would happen if your IP was stolen? What would the negative publicity of a security breach cost you? Of course some of these questions could be turned on their side into the infamous Security ROI argument. But whether or not security can show a true ROI is highly questionable, and I am from the school that says it does not really exist. Then, about 5 or 6 years ago, we started to see compliance becoming the driver. The first big driver in compliance for me was the Gramm-Leach-Bliley Act for the financial industry (when was the last time you heard that as a driver for security?). Then, always on the horizon and promising more than it actually delivered, was HIPAA. Of course, as Ilena Armstrong says, "...HIPAA, say it with me now, 'had no teeth.'" After HIPAA, California's breach notification law served as a model for many other states and finally brought some real compliance drivers to business outside of finance and health. FISMA brought the fear of God to the federal space.

Of course these all paled in comparison to the twin giants and darlings of the security industry, SOX and PCI. Have there ever been two sweeter words to the security industry? I remember speaking to security consultants who would relay how, in their sales pitch to C-level execs, they would tell them that failure to do something now about SOX could put them in jail. How did they look in stripes? PCI is still driving the merchant world security business and I don't think we have seen it peak yet. Yes, how sweet it is.

But what is next for the security industry? What is going to make people buy security next? Can we rely on the next gimmick or sales angle? Will there be a new statute, rule or regulation? Will a security breach scare the rest of us into doing something? Should we just wait around for our customers to get pwned and then come in like the cat that swallowed the canary with the magic bullet (even if there is no such thing as magic bullets)? Or maybe, as Bruce Schneier says, people will just start expecting security as part of what they buy, not as a separate entity. They don't need to buy products that secure their network; they buy a network that is secure. Bruce says it better than I here:

Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.

It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

To be fair, Mike Rothman has preached a similar heresy for some time as well. I use the term heresy because, writing this article, I feel a little like Jerry Maguire having a moral epiphany. However, the more I see and hear and learn, the more convinced I become that StillSecure's emphasis on convergence is actually an offshoot of this truth. People are going to want secure networks, secure endpoints, secure products. Not products that secure them. Security companies that recognize this fact will succeed in the years to come; companies that do not will be the dinosaurs of tomorrow.

March 03, 2008

TippingPoint goes 10GBPS, but do people want just IPS or UTM?

TippingPoint announced their Core Controller appliance today. It is a 10Gbps in-line IPS. Actually, from the description it sounds like a network controller that load balances traffic among several conventional TippingPoint boxes and then puts the flow back together and passes it on. Sounds cool, but I would like to see the latency involved in doing this. Sounds like a lot of moving parts. It also sounds a lot like the way Hoff used to do things over at Crossbeam Systems.

The real question for me, though, is not whether or not this new appliance does line speed IPS. The question is: do we still want our IPS as stand-alone IPS, or do we want it as part of UTM? Mike Rothman in his 2008 Days of Incite talks about "best of breed DOA". In it Mike talks about 2007 being a year where customers clearly voted for integrated solutions over individual best-of-breed. He also says 2007 was the year the first open source perimeter platforms hit. I like to think he is talking about Cobia. But 2008 will be an even bigger year for Cobia functionality! The bottom line, though, is: except for the Ferrari crowd, does anyone want to buy a stand-alone IPS? Mike says it best: "Market maturity kills product innovation".

Yes, people buy UTM for one application at first. It could be firewall, it could be IPS or gateway AV, URL filtering or anti-spam. But they like the idea of getting more than what they just needed and paid for. They figure they are going to turn on the other stuff soon enough anyway. Plus they get it all from one vendor. So on this one, I have to agree with Mike. I think people will buy UTM over single-purpose security solutions in increasingly greater numbers in the months to come. Agree? Disagree? Leave a comment with your opinion.

February 21, 2008

A rose by any other name

Mike Fratto had an interesting blog up today about Steve Hanna having submitted, in essence, the TCG/TNC specifications to the NEA working group for consideration as working group documents. According to Mike these were the only documents submitted. This actually came as no surprise to me. I have felt for a long time that Cisco was not into leading the effort to blaze their own trail regarding NAC standards any more. They were just looking for a face-saving way of going along with the TNC spec without looking like they caved in and crawled to Juniper and some of the other Cisco competitors in the TCG. The NEA group is the perfect foil to call these standards by another name, but they remain the same. Frankly, once Microsoft and the TCG joined forces, the writing was on the wall for Cisco. Also, the fact that so many of Cisco's NAC customers use the NAC appliance and not the NAC framework means that frankly the whole standards thing just didn't have the same aroma it used to. The good news is that NAC customers and vendors (and not just NAC appliances, but everyone involved in the NAC ecosystem) can now all rally around one standard and build NAC systems that work.

Of course Fratto brings up "Grumpy" Rothman's incite about another down year for NAC. Mike prides himself on predicting the obvious, that NAC would not live up to its hype last year. For this year he sees NAC moving into the network (NS, Sherlock). Mike finishes up with his who-gives-a-hoot-about-standards spiel. I think on that score Fratto sets Mike straight, and I will defer to Mike F.

Also to note, Mike Rothman refers to another crystal ball blog article, this one by Thomas and Nate over at Matasano. With my history of mixing it up with Thomas, I don't want to come off as sour grapes on Thomas's outlook for NAC. But I think, in a classic case of when you are a hammer everything looks like a nail, Thomas looks at NAC from the point of view of the kind of research he does. The fact is what most customers want their NAC to do is not anywhere near what Thomas is talking about or the kind of things he researches. I also am not sure he is up on all of the different technologies used in NAC, because you certainly don't need "100 crappy 1U security boxes" to do NAC across the enterprise. I do think Nate has a better handle on it, with NAC becoming a feature on switches and in endpoint agents.

Frankly, I am always baffled by these predictions on NAC. I always wonder why they are not talking to our customers. I find it hard to believe that I or the rest of us at StillSecure were that smart. We have recognized from the beginning that working with network vendors was going to be key in the NAC market. So we have forged OEM and partner relationships with most of the switch vendors out there. We have tried hard to allow NAC to leverage existing investments in security. I think most of the customers and people looking at NAC see the value in it. No, it is not the silver bullet (and maybe that great white hope tag is what is dragging down perceptions by some), but it is a great tool for security and compliance for most companies. I know we are not alone among NAC vendors seeing this either. Yes, there was a lot of snake oil out there, but I think the shake out is by real players staying and the BS walking.

January 11, 2008

Mike Rothman - Don't know Jack about NAC

I usually tolerate Security Mike's rants and knocks on NAC and chalk it up to Mike concentrating on consumer security issues with his Iron Security Mike stuff. I don't think he is really dug in deep on NAC. I even appreciate the occasional little dig about giving my fingers a rest and such, and appreciate the love. However, Mikee writes yesterday about a Network World article on NAC standards. Mike sees no reason for Cisco to support a common NAC standard. He gives his reasons, which I will go into, but I think the real reason Mike finds the referenced Network World piece so offensive is that it is a Joel Snyder induced rant. For those of you not in the know, Joel and Mike are the Kennedy-Hoffa of security analysis. In other words, for those of you too young and unfamiliar with Bobby Kennedy's feud with Jimmy Hoffa, they absolutely hate each other. So, immediately you have to take what Mike says with a grain of salt here. But let's look at where Mike loses his NAC.

1. What is in it for Cisco to play along? Well, how about their network gear playing nicely with endpoints, remediation solutions, reporting and SIMs. So much so, in fact, that Cisco joined with Juniper, TCG members and Microsoft in the IETF standards body, which will hopefully unify NAC standards.

2. Mike says you are not going to buy NAC gear from multiple vendors. Wrong again, Mike. When you think and speak of NAC as just the enforcement and testing NAC software, you are showing you don't understand what NAC really is. NAC is more an ecosystem or group of systems than any one product. NAC includes your network switches, your LDAP, DNS, DHCP, IDS, firewalls, vulnerability management systems, AAA, remediation, and the list goes on. For NAC to work, all of these parts of the system need to play nice. This is why NAC standards are important. One of the reasons NAC has not been as successful as it can be is that people like Mike think it is just the NAC test and quarantine gear. That ain't the fact, Jack, er, I mean Mike.

3. Microsoft joined with the TCG in a Barney relationship. Mike, three strikes and you're out. This is much more than a Barney relationship. There is true interoperability between NAP and TCG. This is real standards at work and is going to accelerate adoption of both. And Mike, it won't be next year. With Vista out, Server 2008 out any day and service pack 3 for XP in PRC, you are going to see NAP/TCG installs in full swing this summer.

So Mike, do the pragmatic thing, do Security Mike stuff. But my friend, admit it, you don't know Jack about NAC.

December 13, 2007

UTM=Linux+open source mash up?

I have been following the Don "Cutaway" Weber / Chris Hoff "dialog" around whether UTMs just add complexity and risk to the security equation. Of course the peanut gallery then had to join in. That Georgia peanut, Mike Rothman, puts in his 2 cents, and complete with a reference to Shinola comes Michael Farnum with his own play-by-play and color commentary. This in addition to lots of comments from various and sundry sources like Andy IT Guy and others. Frankly, I was content to read, chuckle and keep quiet. However, something Michael Farnum wrote struck a chord with me and reminded me of a discussion I had with some folks at a large tech company recently.

Michael says that Don, Andy and that crowd are equating "UTM=big Linux box with a bunch of security apps thrown on it." Michael is of the opinion that "real" companies like Checkpoint, Fortinet, etc. don't use that and have "proprietary OS's that do not typically fall prey to the same problems that a Linux server with Squid, Snort, and SpamAssassin installed on it". To that I say, joke's on you, Vet. Many of the biggest names, including some of the ones you mention, do in fact take a Linux distro, pile on some open source, slap a GUI on, and abracadabra, you have a UTM. Yes, they may have ASIC or custom silicon, but many of these UTMs are Linux, and many may have one or two non-open apps and then load the open source on from there. ClamAV, SpamAssassin, etc. are staples of these boxes. Yes, Hoff's old company Crossbeam may not follow this; their schtick (put that with your Shinola, Michael Farnum) was that they took best-of-breed apps and put them together on one UTM. But the rest are guilty as charged. Let me be clear. I am a big believer in UTM. I don't buy the single point of failure stuff, I don't buy the increased complexity and security crap. But Linux and some open source mash up with a smiley GUI is unfortunately the state-of-the-art with many UTM vendors.

As I said earlier in this post, I was talking to a large tech company who wants to bring a UTM/network gateway product to market. In our discussions it was clear what type of applications they would want on the box. But no matter how much I tried to explain, and no matter how much I banged my head on the brick wall, they just could not understand that when you pile crap high one on top of another, you end up with a high pile of crap! There has to be more to it. You need to leverage efficiencies, you have to make products work together. Customers want to manage these things out of one GUI, not a portal where you click on an app icon and it launches another browser window. You need a way for them to share information, licensing and user accounts. In short, you need a framework, much like we built with Cobia. If you think you can do a mash up of a bunch of open source apps all just running on Linux without any glue holding them together, you don't have anything worth buying. I suspect the tech company I was speaking to is going to find this out the hard way. I also suspect that many of today's UTM players who are not doing more than this are going to learn that hard lesson as well.

In the meantime, Don, Andy and the rest, you are spitting into the wind. The UTM train has already left the station. Though it may not account for 50% of network security purchases by 2011 as Stiennon and IDC project, it is gaining momentum every day. It is going to be tough to buy a stand-alone IPS or firewall in the near future.

November 08, 2007

The 5 P's

I have to thank Mike Rothman for this one. I swore off reading anything that comes out of Silicon Valley Communications, who are the folks behind the Security Products Info Guide Awards. I have written many times how full of crap these particular awards are. You can buy your own category and no one else can be in that category. It is hard to lose like that. Anyway, as I said, I stopped reading the garbage they spew as news. However, Mikee points out that in a case of extreme self-absorption, the Silicon Valley Communications folks are now trying to claim that by buying one of their awards you have a good chance of being acquired by Cisco or some other big company. These guys have stones the size of boulders! They say products that "win" their awards have 4 P's (People, products, performance and potential). I say don't stop there guys, they have a 5th P too: Payola!

When are we as an industry going to wake up and smell the coffee? These awards for hire do nothing but cheapen and confuse those awards and accolades that are actually earned on merit. Companies like SVC are parasites living off of the fat of our marketing budgets.

BTW, in the same Incite, Mike commends The Mogul for making available his analysis on DLP, among other things. Mike laments how people like Rich and he just have to figure out how to make money off of giving away the analysis for free. I think it is sort of like Vegas. They used to give away the rooms and entertainment in order to get you to gamble. Now they use the gambling to get you there, and you go to the entertainment and stay in the rooms. Analysts used to charge you for their analysis. Now they give you analysis for free, but I think that gets them mind share, and you hire them for customized research, advice and analysis. It is a brave new world for sure, but something tells me Mike, Rich and those like them will figure out a way to eke out a living ;-)

October 11, 2007

Clap on, clap off - Splashtop!

Rothman writes today about his experience working in the consumer market and how hard it is to do things that should be simple. He writes how ease of use is a dream and complicated is the norm. Mike talks about how making it look easy is a magic skill that only the most successful people and products have. Of course Mike then takes a swipe at NAC and DLP not being easy enough, but I am not going to take the bait on that one. What I do want to tell you about is a new company called Splashtop.

Splashtop solves one of the most basic ease of use issues we all have with our computers: how long it takes to boot. How many times have we had to do a quick task or just needed to look something up, only to wait literally minutes for first the BIOS and then that stupid Windows logo to disappear, only to wait even longer for all of our bloatware start up programs to load? Splashtop solves the problem. You can launch into a web enabled desktop literally within seconds. Check out the YouTube video attached to see for yourself. What a great idea. It is chimp-simple to use and gets you up and doing what you need to do right away. Splashtop is the brainchild of Mark Lee and some other really sharp folks. Mark has a long history of success and Splashtop looks like another winner.

Splashtop actually is installed on the motherboard from what I know and takes advantage of virtualization technology. By not booting the OS, it offers secure web surfing and even has a green angle, allowing people to shut their computers off more often. In the future, as Google Apps and Microsoft Live and others bring more functionality to web apps, more and more of the tasks we perform really don't need us to boot the whole OS. Splashtop could be just the ticket. You can also read more about Splashtop at their blog.

September 17, 2007

Security Mike rides to the rescue

For too many of us, Internet security is about keeping corporate assets safe and keeping the bad guys out, for a price of course. How many of us, though, actually worry not about our work or corporate customers, but about the consumer? Yes, that's right, your brother the lawyer or doctor or your sister the architect using their computers at home. Even worse, their children using the computers at home. For too long consumer level security has been left to the likes of Symantec and McAfee, who have provided the bloatware that is clogging up these machines. What is worse, consumers are paying a lot of money for this. So who is riding to the rescue? Why, it's none other than security's own John Wayne, riding high in the saddle, Mike Rothman!

That's right, "Security Mike" is here to save the day to help you secure your computer, avoid identity theft, talk to your children about internet security (it is not going to be "this is your brain not secure, this is your brain secure" type of talks, is it Mike?) and help you delete that expensive, crappy bloatware, once and for all!

You can read more about Security Mike on Mike's new website or start at Mike's Security Incite page. Not sure what effect this will have on the Pragmatic CSO stuff and Mike's other business interests, but I wish him the best of luck with this new venture.

August 24, 2007

Having your cake and eating it too

A while back I left a comment on a post my good friend Michael Farnum wrote about a recent sales call he made along with a vendor partner to a potential customer. It started a bit of a dialog between Michael and me and some others about what the expectation should be for a VAR or reseller's engineer selling a vendor's product. Today the Georgia peanut gallery weighs in by way of Mike Rothman.

Let me first of all say that I get it. As a vendor, my expectation that the VAR/reseller's (should there be different expectations between a VAR and a reseller?) engineers should be proficient in my products is pie in the sky. Today's VARs sell too many products and have too much to learn to really know it as well as my own people do. What I don't buy is that they are not making enough margin on the deals to make it worth their while to learn. Yes, VARs may fall over themselves and cut their own throats on a Cisco deal and wind up with less than 5% margin, but VARs selling products from smaller companies like StillSecure routinely make 25 to 30% margins on sales. Granted, there is a lot more demand and business from Cisco, but you have to make the decision whether low margin, high volume is your game or not.

So if, as a vendor, I should not have an expectation of the VAR engineer being proficient in my product that he is selling to his customer, what should my expectation be? Yeah, I know that they all worship at the altar of customer satisfaction and trusted security adviser. But making sales and money is ultimately what they are there for. Let a few bad quarters of sales go by and watch how quickly they convert to the god of the almighty buck.

Let me give you an even better example: post-sales professional services. VARs like to claim that they add value by adding services and support. They don't want the vendor to do the post-sale install, as that is high margin work that they would prefer to do themselves. So, what is my expectation as a vendor there? Should I not expect that if the VAR is taking it on themselves to install and implement the solution, they should have a level of proficiency in the product to properly do so? I would think the answer is obvious, but it is not. In fact, with things like NAC, I see lots of VARs that, though they want to make the money from pro services, don't have the network expertise and the product-specific expertise to do it right. Before we learned this lesson we had several customers that we had to come in ourselves and rescue because the VAR's limited knowledge really screwed the pooch.

Now, we just tell the VARs that we understand their model. We will do the pro services and implementation ourselves and still give the VARs the margin on it. It actually is more profitable for them to do it that way than for them to have their own people do it. Mike Rothman says I am trying to buy their business. Maybe I am. But I am also trying to make sure that the customer gets the solution he paid for, working the way it was intended. Is that such a bad thing?

August 14, 2007

Tonight playing the role of Carnac the Magnificent, . . .

Take your pick: Stiennon, Rothman, Rob Newby from over in Spain, or how about yours truly. To me, whenever I see people trying to make long range predictions of what is going to happen in any market, I think Johnny Carson probably had as good a chance of being right as any of these understudies. In my mind there is the next 24 to 36 months. Beyond that is better left to Nostradamus, Carnac and the like. Who knows what kind of devices we will be using for access by then? This alone makes it hard to predict that far out.

However, let me audition for the role here a bit. I agree with Richard on two things. First of all, I don't think innovation is dead in security. I think venture money may be harder to come by for security start ups, but there are lots of ideas out there for new security methods and even more ideas to combine existing security technologies in ways that have not been done before and will result in more effective and efficient security. I also agree with Richard that security as a service is going to be hot. However, I have seen this pendulum swing before. I think services will heat up and then over time cool off, as people realize it is not any cheaper and gives them less control over their own security. A fact of life is that as the mice get smarter, we need smarter mouse traps. This is also a fact of life in security. As the bad guys figure out new vectors in, we have to figure out smarter ways of preventing and detecting them.

I disagree with Mike and Richard that security as a stand-alone goes away. I think there are going to be pure play security companies that specialize in protection.  I think that there will always be smaller security companies getting swallowed up by the bigger boys.  This sort of farm league of security allows the bigger companies to buy innovation, rather than having to innovate themselves.  Many larger technology companies are going to want in on the security market, so you may see them entering the market via acquisition like EMC a few years back.

I totally agree with Rob Newby about a generic platform on generic hardware "that we can turn into whatever device we want, anywhere in the network".  That actually sounds very much like Cobia. I think virtualization and multi-core technology is going to make that happen. I also think open source and "freemium" applications are going to make themselves felt in security, even more than now.  Of course convergence with networking will make security more ubiquitous, but it will not just be blended in.

Beyond that, your guess is probably as good as mine.  One thing for sure though: don't worry about Rothman or me, we will find a way to live off the fat of the land somehow.

July 24, 2007

What does Mike Rothman know about open source? Fools rush in where wise men fear to tread

So it has been a while since I have had a good old fashioned blog war with Mike Rothman.  Though Mike is a good friend, let's face it, we are two loud mouth NY'ers transplanted here in the south and we thrive on confrontation.  I guess Mike feels the same way.  Why else would he make the inane (Mike, in case you need it, here is the definition of the word) statements he made about Snort licensing, other than he was looking to tweak my tail and engage me.  Though Mike acknowledges that he is no lawyer, I am afraid it goes deeper than that.  What Mike seems to know about Open Source license issues would not equal the clippings from a Richard Stallman haircut (hint: he doesn't cut his hair too often).

In typical Rothman fashion, Mike makes it all about him and who his perceived audience is. After all, isn't Mikey the hero of the common working man?  In Mike's mind, he is sort of a Lenin-esque Robin Hood, looking out for the common proletariat end user and taking from the big bad vendors.  Anything not related to that and he quickly loses attention. In the Rothman world you are either paying for something or not.  If not, you don't get support and you can't make money off of it.  Anyone doing anything else is a scumbag, cheat or scoundrel (hey, those are Mike's words not mine).  Great Mike, now wrap that big brain of yours around this:  What if the software is licensed by something called the GPL and it gives you the right to use it?  You are equating licensing the software with a pay-for commercial license.  This just does not equate with the whole GPL and FSF view of the universe.  I think this fundamentally shows that you truly don't understand the whole open source thing. It has nothing to do with being a lawyer or hiring one. It has to do with understanding what open source means and giving credence to the license software is released under.

Yes it may just matter to vendors, but that does not make it any less important.  Also it may surprise you Mike, but in the most recent releases of Snort, Sourcefire did not write all of the code and there were lots of contributions by the Snort community, with some members retaining copyright.  So put that in your pipe and smoke it before you go off calling people cheats, scoundrels and scumbags.  Sourcefire can do whatever they want with Snort. I never said differently. I just say be honest about what it is.  Don't use the GPL as a shield and claim the benefits of open source while using the same open source as a way of negating competition while garnering good will.  Either you are or you aren't.  Mike, the subtlety of that may be lost on you, but try to think about something other than you and your constituents.

June 27, 2007

NBA - Can it be the star of the show?

No, I am not talking about Kobe, Shaq, Tim Duncan and the rest of the athletes over at the National Basketball Association.  I refer of course to Network Behavior Analysis.  The estimable Mr. Rothman in his daily rant laments the fact that 5 years later we are still trying to explain what it is and that is pretty sad.  I don't think it is sad at all, it is just the facts.  In spite of this though, I think NBA has made terrific strides. Here is why:

1. NBA has grown to encompass a wide range of monitoring and detection technologies and techniques which can actually detect potentially malicious behavior and traffic.

2. NBA has shown itself to be one of the best ways to detect zero-day type attacks (a signature-based tool cannot detect what it has no signature for).  With security practitioners increasingly concerned about zero days, NBA seems to have found a niche.

3. As Mike points out, NBA has found its way into several other security product lines and adds real value.
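To make the signatureless point in item 2 concrete, here is an added toy example (written for this page, not StillSecure's product or anything Mike describes) of the baseline-and-deviation approach behind Network Behavior Analysis. It learns, per source host, which destination ports are normal and what a normal flow size looks like from a "quiet week" of constructed flow records, then flags later flows that use a never-seen port, blow past the byte-count baseline, or come from a host it has never profiled. Every address, port and byte count below is constructed for illustration.

```python
"""Toy Network Behavior Analysis: learn a per-host baseline from flow records,
then flag flows that deviate from it. No signatures involved."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# This window is assumed to contain only normal traffic (the "training" week).
BASELINE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, 1200),
    ("10.0.0.5", "93.184.216.34", 443, 1100),
    ("10.0.0.5", "198.51.100.7", 80, 900),
    ("10.0.0.5", "198.51.100.7", 80, 1000),
    ("10.0.0.9", "10.0.0.3", 22, 500),
    ("10.0.0.9", "10.0.0.3", 22, 600),
    ("10.0.0.9", "93.184.216.34", 443, 550),
    ("10.0.0.9", "93.184.216.34", 443, 450),
]

# Constructed records from a later window that the detector has not seen.
NEW_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, 1150),   # ordinary HTTPS, should pass
    ("10.0.0.5", "203.0.113.44", 2222, 980),    # port this host never used
    ("10.0.0.5", "203.0.113.44", 443, 48000),   # far above this host's usual size
    ("10.0.0.9", "10.0.0.3", 22, 520),          # ordinary SSH, should pass
    ("10.0.0.77", "203.0.113.44", 443, 300),    # host absent from the baseline
]


def build_baseline(flows):
    """Profile each source host: the set of destination ports it uses and the
    mean/standard deviation of its flow sizes in bytes."""
    ports = defaultdict(set)
    sizes = defaultdict(list)
    for src, _dst, port, nbytes in flows:
        ports[src].add(port)
        sizes[src].append(nbytes)
    return {
        src: {"ports": ports[src], "mean": mean(sizes[src]), "std": pstdev(sizes[src])}
        for src in ports
    }


def score_flows(baseline, flows, z_threshold=3.0):
    """Return (src, reason, detail) alerts for flows that deviate from the baseline.
    Reasons: unknown-host, new-port, volume-spike. A flow can raise more than one."""
    alerts = []
    for src, dst, port, nbytes in flows:
        profile = baseline.get(src)
        if profile is None:
            alerts.append((src, "unknown-host", dst))
            continue
        if port not in profile["ports"]:
            alerts.append((src, "new-port", port))
        # Guard against a zero standard deviation (host with identical flow sizes).
        std = profile["std"] or 1.0
        z = (nbytes - profile["mean"]) / std
        if z > z_threshold:
            alerts.append((src, "volume-spike", nbytes))
    return alerts


if __name__ == "__main__":
    for alert in score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

Nothing here knows what the suspicious flows are; the detector only knows what the two profiled hosts normally do, which is exactly why this style of monitoring can fire on traffic no signature has been written for yet. The flip side, and the reason real NBA products spend most of their effort on baselining, is that the quality of the alerts is only as good as the quality of the "normal" window the profile was learned from.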

Ultimately Mike, I think you have to get your head around the fact that NBA may never be a successful stand-alone security product.  However, its transition to a feature inside of other security products is well under way.  If you want to find out more about "market (or product) vs function" I refer you to Mr. Hoff (of the joining with Shimel to pile on Stiennon and promote our own products fame). Of course if you are a stand-alone NBA vendor, I would probably be pursuing a very aggressive partnering and business development strategy.  If any NBA business development types are reading this, give me a call.  I think this technology is a great fit for some of the things we are doing at StillSecure.

June 13, 2007

Is this Mike Rothman's evil twin?

Just got this email advertising the Security Standard conference.  Looking at a picture of the guy, there is no doubt it is Mike Rothman.  But it doesn't mention him anywhere in the email.  So is it in fact Rothman? Is it a dead ringer?  Is it Darryl Lemecha, CIO of Choice Point? Does Mike lead a double life? What else do we not know about Mike's double life?  Was he too ashamed to tell us that he was responsible for the Choice Point data theft? Is it Mike's evil twin?  I guess Mike can shed some light on this.  Mike?

May 31, 2007

The Security Bloggers Network keeps growing

Just wanted to take a moment and announce that the Security Bloggers Network has now reached 74 contributing security blogs!  The newest member is the Watchfire Application Security blog by Ory Segal.  Ory has a good article up on playing in the sandbox and asking why anti-virus vendors have not adopted this approach.  If you get a chance check out what Ory and the Watchfire guys have to say.

Ory joins some other great bloggers like Jeremiah Grossman of White Hat Security, Mike Rothman of Security Incite, Amrit Williams and Ryan Russell of Big Fix, the blogging guys from nCircle, Richi Jennings, Chris Hoff of Crossbeam (received a weird call from Chris and some "friends" last night but let's not go there) and many others too numerous to mention.  There is some great content there.  Subscribing to the combined feed is a great way to stay on top of all of these great blogs in one RSS feed.

Also, if you have a blog that is at least partially security-themed and would like to add your feed to the mix, there is no cost to do so.  Just email me with your request.

May 24, 2007

Microsoft does not need the TCG to take control of the desktop

Mike Rothman, pragmatically sitting back in Hotlanta instead of being here "in country" at Vegas Interop, says that Mitchell misses the point in his article on the implications to Cisco of the MS-TCG alliance. While I myself am not sure of what this means for Cisco, I think Mike is wrong about this being a bad thing for supporters of the TCG/TNC.

Two things on this.  One is, as Mike says, TCG needed this to gain credibility and momentum.  However, Microsoft needed no one to help them with "taking control of the desktop agentry that will drive pre-admission host integrity checking."  Microsoft had this all along, Mike. It was just a matter of time as to when they wanted to claim it. I don't think anyone in the TCG or any other NAC vendor, except maybe Cisco, had any delusions that when Microsoft wanted to provide the agent for NAC, it would be spitting in the wind to offer an alternative.  I think the real story here is that at some point early on, Cisco looked at NAC as a way of moving on Microsoft's turf, which is the desktop.  Between this move with TCG and their earlier announcement with Cisco, Microsoft has solidified their chokehold on the desktop and ensured that no NAC vendor or framework will take that.

Speaking on behalf of a NAC vendor, I am fine using the Microsoft agent to help me perform checks. My only hope is that we do see NAP agents for Mac and Linux.  I think the real value is in making up the policies and health checks and then working on how to enforce them.  To paraphrase something else, "give unto Microsoft what is Microsoft's, and give unto God that which is God's".  I don't think this puts any NAC vendor in the Netscape or Novell model, unless all they were banking on was having their own agent.

May 02, 2007

Again, Amen to Rothman!

Just have to give a quick call out to Mike Rothman for calling BS on David Strom in Information Week for his use of endpoint security interchangeably with NAC.  NAC is not endpoint security, as Mike clearly points out.  To me it is the old "all spaghetti is macaroni, but not all macaroni is spaghetti" argument. Not sure why people can't get it, but it only adds to the confusion around NAC.  Thanks Mike for setting them straight!


April 26, 2007

Amen, Rothman!

As much as I hate to admit it, I agree with Mike more often than not.  Today Mike wrote about something that I was holding back on but am glad he did first, so now let me pile on. Earlier this week Frank Ohlhorst over at CRN wrote an article about a bake-off CRN did on three software-based NAC vendors.  The bake-off pitted StillSecure against Symantec and InfoExpress.  I have dealt with Frank before and have a lot of respect for him. I personally walked him through Safe Access and then he and his team took it for a drive on their own.

When the review came out this week I was somewhat disappointed that they rated us a close second to InfoExpress but ahead of Symantec. Hey, you can't win them all and Safe Access has certainly won its share of awards.  But when I read the whole review, especially the conclusion, I was baffled at how they picked InfoExpress. If you just read the review, it was clear they thought Safe Access was the best product; they also came right out and said we made the most sense for the channel, but said InfoExpress "barely" edged us out.  But they never said what it was that caused them to edge us out.

I didn't blog about it because I didn't want to come off as sour grapes, or maybe I was being too sensitive.  But Mike Rothman calls this right on the head.  Read the review and tell me who you think won this bake-off.  I think stuff like this confuses more people than it helps.  Mike is right.  Frank, I would love to hear what the reasoning here was.

April 03, 2007

SEN makes sense

Could not go to sleep tonight without mentioning and congratulating two friends on a new venture.  Mike Rothman and Michael Santarcangelo announced the Security Education Network (SEN) today.  Both of these guys have been threatening to do something around education on security for some time and it looks like they are finally going to do something about it.  Knowing both of them, it is going to be pretty hard to get a word in edgewise in that lobby ;-)

But both of them have good heads on their shoulders and are very passionate. I think there is a real need for security awareness and education. Good luck gentlemen!

March 23, 2007

The Oracle of Atlanta

OK, first off this is not about the local office for the database company. For those of you who do not know what an Oracle is, you can go here to Wikipedia and read for yourself. An Oracle is someone who can foretell the future.  Well it seems like we have our very own Oracle right outside of Atlanta.  In addition to being an author, analyst, blogger, etc., our own Mike Rothman is changing from mouth of the south to oracle of the south. After getting all sensitive on us about "The Boss's" birthday and the mortality of man, Mike could not miss the chance for an "I told you so" on NAC.  Thanks for jumping on the bandwagon Mike and I won't even throw the flag for piling on.

But you know what Mike is right. There is no way NAC could live up to the hype.  The media is a fickle friend.  They blow hot and cold like the weather. It looks like we are going to see them treat NAC as the whipping boy for a while.  As I wrote yesterday that is OK. I think it will be good for the NAC vendors who are in this game for keeps.  It could lead to a shakeout of this overcrowded space as well.  In the meantime, I think customers will continue to see value in NAC and products that clearly show their stuff will find a home in many networks.

So Mike, you are still my friend in spite of making yourself look like an oracle at my expense.  As to what those other anonymous bloggers may say about me, Mike, I have a very simple philosophy on that. Success is the best revenge!  Can you imagine being in a place in your life where you can't even blog under your own name?  I think life must be pitiful enough for someone like that. Me calling them out would be, in the words of Ross Brown, "like kicking a retard".

March 15, 2007

It truly is a golden age for security bloggers

Back in September of 2006, I wrote an article about this being a "golden age" for security blogging and podcasting.  I was afraid at the time that this golden age of innocence may be short-lived due to commercial pressures that would take away the special comradeship that exists among the security blogging community.  I am happy to report that so far that is not the case.  The folks at ITSecurity.com have put out a list of the 59 Top Influencers in IT Security.  Reading the list I was amazed at how many of these folks I have developed relationships with over the years via blogging.  The community is really making a difference and leading the industry.  I know Martin (number 11 on the list, congratulations!) thinks we are just talkers and the real heroes are the doers, but still I am very proud to be associated with this group of folks.  I hope we can use our leadership and influence to do good things around security.

Of course, I would be remiss if I did not mention that I was listed number 2 on the list behind Amrit Williams.  I am humbled and grateful for the recognition.  Other notables and friends: Mike Rothman at 7, Mitchell at number 9, Michael Farnum and Michael Santarcangelo and just about everyone else.  Congratulations to you all, you all deserve it.  I was also really proud to see at number 19 the Security Bloggers Network, which is now 65 blogs strong.  I feel responsible for starting the Network and hope to see it continue to grow in influence and usefulness.


March 12, 2007

To dream the impossible dream . . .

Mike Rothman called me the Man of La Muncha today on his blog for my Don Quixote-esque defense of NAC.  Hey, that is a first for me, I don't think anyone has ever called me that before, though I have fought some windmills in my day. Mike, I am flattered, but let me say why I feel it necessary to defend NAC.  I think that unfortunately the old adage is true.  The bigger the lie, the more often you say it, the more people believe it.  I think too many people, Mike, don't have the long view you do and are trying to label NAC a bust.  By hanging the "next Mickey Mantle" tag on NAC and calling it a magic bullet, the expectations are so wild that it can never be deemed a success.

Can the myriad of NAC vendors out there so confuse the market, that what it is and what it does becomes lost in the maze?  I think that might happen.  While we are at it, let me also lay all of the cards on the table.  In the wilderness of the chaotic NAC market, I would like to be a clear voice.  I would like to help define what it is that NAC does, what it doesn't do, where it is helping and where it is not. To that end following up my Brief History of NAC post the other day, I will post on what I call Complete NAC later this week.

Hey, they laughed at Al Gore the day after we went to Iraq and he was speaking out against it.  Now, not only did he create the internet, become the Oscar winning father of global warming, he is also being credited for speaking his mind and being correct early on about the war.  Maybe some day when NAC is recognized for having the impact it will on network security, somebody will ask me to be vice-president or at least star in the Broadway remake as Don Quixote or even Pancho.  Until then I will keep fighting the windmills.

February 19, 2007

Mike Rothman's Secure Nirvana

It has been a while since I disagreed with Mike Rothman publicly on the blog.  Fact is I usually find myself on the same side of the fence as him and frankly there are easier marks than him to pick on.  But with the long holiday weekend, the news is slow and we all need something to ponder, so let me dig in on Mike's recent searchsmb column in Techtarget.  Mike returns to his tired (not tried) but not necessarily true "big is the new small" thing.  It is now called best of breed vs big security.  I know we have debated this in the past, but I still don't buy it all.  I think there is a difference between buying multiple security products from one vendor versus buying from the big boys. Using Mike's examples of McAfee and Symantec, even Mike says their suite products have been largely a failure. So what makes him or anyone think that is now changing?  Yes they have a lot of products, but they are not integrated.

Mike that is the key, integration.  SMBs want unified products, not lots of individual products from one vendor.  Until big security can show unified integration, they are no better than the little guy, who at least gives you best-of-breed.  This is exactly why we think a Unified Network Platform will be so appealing to this crowd.

February 16, 2007

The Midas touch

Had a good laugh reading Mike Rothman's recap of his uncanny ability to pick companies that seem to lose their brand and/or their whole business once he joins them.  One could say that it is almost a good thing, if some of these brand exits led to some money changing hands.  Mike, my suggestion would be that you just tell people that every company you have worked for has had an exit.  Most people may not dig in to find out that some of them may have been less than successful.  Seriously though, it reminded me of a lesson I have learned in dealing with VCs and in the tech sector.  Once you are somehow associated with a winner or a successful exit, somehow or another you are deemed smart.

This is especially true in the VC business. It is so much easier for a second or third time entrepreneur to raise funds than a first timer.  Even in building a new start up team, it is not uncommon to say, here is John Doe, John was one of the key people at such and such company that was either acquired by this big company or had an IPO.  All of a sudden that person is now considered to have taken on the mantle of intelligence and an inner light shines from them.  It makes no difference that it was plainly a case of in the right place, at the right time.  That the chances of lightning striking twice were, well, like lightning striking twice.  This was especially true in the Internet bubble.  I saw so many people who, because they were able to sell hamburger to starving people, were deemed to be highly intelligent. However, in a different economic climate they folded up like a house of cards.

So Mike, take solace, the fact that you have been involved in all of these brand changes probably means some VC thinks you should be in the Mensa Society and is waiting to shower you with money.

February 09, 2007

What happened to day 3 of our RSA podcast?

Well the answer can be summed up in 3 bullets:

1. Mitchell is lucky most of his necessary organs and appendages are attached to his body.  First he lost his Motorola Q phone on the shuttle bus from the show.  Luckily he had phone insurance and was able to get a replacement. Of course he lost all of the numbers and info stored on the phone.  Then at the bloggers party (more on that later), after a full day of recording some great interviews (including a fantastic discussion on booth babes with Ross, Rothman, the Phantom Blogger and me), Mitchell leaves the damn brand new portable recorder at the place and it is now gone!  They don't have portable podcaster machine insurance, so Mitchell is out on that one.  Frankly, I wouldn't have been quite so heartbroken if we had at least downloaded the audio files from it.  I am going to start bringing a tag with Mitchell's name and phone number as well as the hotel he is staying at for Mitchell to wear at these events, in case he gets lost too.

2. In the immortal words of Dean Wormer in Animal House, "fat, drunk and stupid is no way to go through life". I try not to get too crazy at shows and make sure I get a good night's sleep, as my schedule at these things is usually packed.  Well, I was so excited about meeting so many virtual friends in person at the bloggers party, I went to three more places drinking with the boys and stayed out until almost 3am.  Even with Mitchell losing the podcasting equipment, I still could have put an update on the day's activities up. I didn't when I finally got to my room, because I was afraid of what drunken ramblings would find their way on to the blog.  I guess Mitchell was not as worried about that. Instead I threw my clothes all over the room and went right to bed.  Four hours later, I woke up still buzzing and headed over to the show before going back to pack and finally flying home.  I think for the next show, I am going to go on a diet, so I will just be drunk and stupid.

3. The Blogger/Podcaster party - As Martin, Michael Farnum, Rothman, Mitchell and I don't know how many others have mentioned, the party even exceeded our expectations. I have not had this much fun in a long time.  I was really looking forward to this event for a long time. I really felt like I knew most of these folks already.  Some of them, like Farnum, Martin, Rothman and even Ross, I count on as my blogger family (maybe posse is a better word).  I can't wait for next year's show and have some ideas I will be blogging and discussing later.  One fact that was really heartening to me was that most of the folks there were also part of the Security Bloggers Network.  The network has really picked up and if any security blogger/podcaster wants to join, drop me a line at podcast@stillsecure.com. Also, Rich Mogull is someone I was really looking forward to meeting. I think we will continue to keep in touch and become fast friends.  As a result of the good will and free drinks (thanks Microsoft and Fortinet), I continued on a binge for the rest of the night. As Michael mentioned I did have an altercation with a cab driver, but it was all in a night's work. I am not going to rehash it here; Mitchell and Michael can if they want.  Just another moment with Shimel, as far as I am concerned.

So, I have no update for day 3, the dog did not eat my homework and now you know why.  If I can ever get around to it, I will try to

February 02, 2007

There is bias and then there is this ...

I was reading Mike's Daily Incite where he mentioned this article by Dan Molina from McAfee.  Usually the McAfee blog is the usual anonymous bland drivel that passes for blog posting at most large companies.  But I will say this for Dan Molina, bland this article is not.  After yesterday's Ross, Amrit, Rothman posts about bias, this one just blows the doors off. I guess Dan works in marketing, but there comes a point where you read this and Dan and McAfee hurt themselves more than they help.

This goes to the heart of what Ross and I were, I think, trying to get at yesterday.  Yes, you expect us to be biased and passionate about our positions and companies.  But when it crosses the line you turn people off and lose credibility across the board.  Unfortunately for Dan I think he crossed the line here, and not by a little bit either.  If this were a football or basketball penalty, it would be flagrant.

I think Mike was right on to call Dan on what he said.  Especially comparing Citadel to Altiris.  I had lots of friends at Citadel.  They had a nice presence in the federal government space.  But let's face it, financially they were not knocking it out of the park by any measurement. Their stock was de-listed I believe and was trading sub-one dollar.  They were bleeding money pretty well and top line was not growing very fast.  Altiris on the other hand has major distribution deals with Dell and HP, a tight relationship with Cisco and lots of revenue.  Probably why their market cap was what it was. Comparing them and trying to say McAfee got a bargain and the better deal just stretches the limits.  Mike makes some other excellent points.  What really broke the camel's back for me though was when Dan says, "At least Symantec is consistent, as it treats its business the same way it treats your networks and computers. It's too complicated, not integrated, and it overtaxes available resources while trying desperately to get the job done."  Talk about slinging mud! I don't think the Republican National Committee even runs anything this negative.

So Dan here is a message for you.  We would welcome a voice from McAfee in the security blogosphere, just try to be a bit more objective and stay off the caffeine.

February 01, 2007

Ross calls me out again, news at 11 with some guy named Ric Romero

So my buddy Ross is yanking my chain again.  This time it is over the whole bias thing with Amrit and Rothman.  Great, after those two introverts are done, just what I need, Ross putting his 2 cents in.  And here is a news flash, Ross is biased too.  Geez, I thought Ross was just studying to be an ophthalmologist with all the ranting he does about retina, blink, REM, Iris and other eye stuff at eEye on his blog ;-)  Then in a final pique of chutzpah (I can link to wikipedia too), he wants to know if I am at all passionate about StillSecure.  Nah, Ross, I can give a flying f*%^ whether it succeeds or fails. Of course I am passionate about it and of course I am biased.  Ultimately as a co-founder here, my long term financial well being is intimately linked to our success. But then again I have been accused of being biased and a blog bully before.  In fact, I usually come out and say I am biased when I write something and to take it with a grain of salt.

Ross, the