Category: Security Industry News

March 9th, 2008

Moving on

Posted by Richard Stiennon @ 11:00 am

Categories: Security Industry News, Security blog

Tags: Network, Blog, Blogging, Security, Internet, Richard Stiennon

I travel a lot. It has been almost ten years since I had a job that was based in the same place I live. Whenever I get a call from friends and family the first question I get is “where are you?” People who have known me for years but do not stay in touch have a different question: “What are you doing now?” Other than a four-year stint at Gartner I have never had the same employer for more than two years.

Followers of this blog will remember when it moved from the independently hosted ThreatChaos.com to ZDNet two years ago. That was coincident with my departure from Webroot Software, the anti-spyware company (see Webroot loses voice). Well, it has been a great two years here at ZDNet. The folks at CNET (ZDNet is part of CNET, not the troubled Ziff Davis. That still confuses people.) have created the most mature collection of tech blogs on the Internet and I have enjoyed being part of the ZDNet blogging community. But, I think they are pretty well covered on security now with the likes of George Ou, Larry Dignan, and newly joined Nate McFeters.

UPDATE November 6th ’08: One more move. I hope it is the last, as the Stiennon Security blog comes full circle. First it was at www.threatchaos.com, then it was at ZDNet, then it was at NetworkWorld. Now my blog is coming home to the re-born www.threatchaos.com!

For thoughts and coverage on hacking, cyber crime, cyber warfare, and malfeasance visit www.threatchaos.com

February 17th, 2008

Does IT matter?

Posted by Richard Stiennon @ 10:44 am

Categories: Security Industry News

Tags: Concept, K Mart, Information Technology, Wiki, Matter, Marketswiki.com, Interactive Brokers, Strategy, Management, Richard Stiennon

As someone who has been accused of publicity seeking through grand pronouncements I can understand the motivation behind Nicholas Carr’s 2003 article in Harvard Business Review: “IT Doesn’t Matter”. His main thesis is:

For a brief period, as they are being built into the infrastructure of commerce, these “infrastructural technologies,” as I call them, open opportunities for forward-looking companies to gain strong competitive advantages. But as their availability increases and their cost decreases - as they become ubiquitous - they become commodity inputs. From a strategic standpoint, they become invisible; they no longer matter.

Admittedly when Carr published this article I was employed by an IT Research firm whose very existence depended on the premise that IT matters. Most people in the IT world have a visceral reaction to Carr’s challenge. My own cathexis is reinforced daily as I see example after example of IT being used as a strategic differentiator that leverages one company above another. It is far too early to lump IT in with other historical improvements in technology such as railroads and telephones as Carr does.

Examples? Let’s talk about six: Amazon S3, UPS, Marketwiki, Interactivebrokers, Kmart, and Tierconnect.

Oh sure, you say. Amazon S3. The on-demand storage service that just

February 15th, 2008

Congrats to Arcsight

Posted by Richard Stiennon @ 1:17 pm

Categories: Security Industry News

Tags: ArcSight, IPO, Podcasts, Cellular Phones, Security, Financial Services, Internet, Consumer Electronics, Personal Technology, Richard Stiennon

Hard to believe that a SIM (Security Information Management) company has made it “out”. Arcsight went public yesterday at $9/share. Pure-play security company IPOs are few and far between. Managing alerts and looking for abnormal behavior has been a difficult market to crack. But, based on their S-1, Arcsight has done it. Read my blog on Arcsight’s chief security officer and author of “Enemy at the Water Cooler” Brian Contos. You can listen to the podcast I recorded with Brian as well.

February 11th, 2008

Father of anti-virus says to invest in security awareness training

Posted by Richard Stiennon @ 2:09 pm

Categories: Security Industry News

Tags: Antivirus, Training, Security, Richard Stiennon

I don’t want to start a debate here over who invented anti-virus. According to DarkReading it is Peter Tippett. (See the recent debate over who invented the firewall here. Is Dark Reading also going to knight the inventor of malware if they can track him down?)

In a speech last week Tippett made some great points. Here is my favorite:

For example, today’s security industry focuses way too much time on vulnerability research, testing, and patching, Tippett suggested. “Only 3 percent of the vulnerabilities that are discovered are ever exploited,” he said. “Yet there is huge amount of attention given to vulnerability disclosure, patch management, and so forth.”

But Tippett has his own problems in understanding the state of IT security. He also states:

Security awareness programs also offer a high rate of return, Tippett said. “Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?”

That’s a lot of “ifs” there Peter. I would rather spend $100K on an authentication program that does not require user-defined passwords than $10,000 every year forever trying to get my users to stop using “Pistons”, “Patriots”, or “Redwings” as their passwords.

Security awareness training for end users is a complete waste of time and money. Save your money for real security solutions that solve real deficiencies in your defenses.

February 3rd, 2008

More on Microsoft + Yahoo!

Posted by Richard Stiennon @ 1:19 pm

Categories: Security Industry News, Windows

Tags: Google Inc., Merger, Yahoo! Inc., Microsoft Corp., Mergers & Acquisitions, Investment, Finance, Richard Stiennon


Henry Blodget does a plain vanilla analysis of the Microsoft + Yahoo! merger on Silicon Alley Insider. He agrees with my predictions of disaster but bases his arguments on how difficult it will be to execute on the merger. By the time regulatory hurdles are overcome Blodget thinks it will be at least a year before the deal can happen, and in the meantime there will be brain drain and stalled innovation, giving Google a chance to surge ahead.

All good arguments. True for any large merger. But I go further than that. It is a bad deal because MSFT should not be in the online ad business period. Even in a perfect world where everybody dug in and pulled off this merger without a hitch it would be a disaster for both Yahoo! and Microsoft.

Just a few minutes ago Google chimed in, stating that this merger is “troubling”. In other words Google will be rooting for a long drawn-out process that leaves the field clear for them to continue to innovate and do an end run around Microsoft. Google realizes that there is a business model in developing useful apps online. Microsoft has missed that point.

February 1st, 2008

A successful bid for Yahoo! would be death knell for Microsoft

Posted by Richard Stiennon @ 11:50 am

Categories: Security Industry News, Windows

Tags: Advertisement, Yahoo! Inc., Microsoft Corp., MSFT, Internet, Richard Stiennon


Microsoft has weathered two significant challenges to its worldwide monopoly. It is facing the third challenge right now and it is not advertising revenue. The first challenge was the Internet. Microsoft almost missed the boat there but thanks to Bill Gates’s mom he was introduced to a local ISP and immediately grasped that the Internet changed everything. He wrote a famous memo and turned the MSFT juggernaut. It is still too bad that he crushed Netscape in the process; that was uncalled for. But, by introducing a TCP/IP stack into Windows 95 Microsoft ensured the rapid growth of the Internet and their own place as the platform of choice for accessing the marvels of the web.

The next challenge to Microsoft was security. And, another memo outlined their response and what has now proven to be a successful strategy. Microsoft has weathered the vulnerability storm. Thanks more to better patch management than to better software practices, but that is coming too.

I find it ironic that Bill Gates has even identified the next major challenge to Microsoft’s world domination. He recognized back in 2005 that web based applications were the next “sea change”. But, because he had stepped down from day to day operations, and this year is retiring completely, I believe Microsoft has failed to act effectively to address this final challenge.

Maybe it is my years fighting “ad supported software”, otherwise known as adware, scumware, shlockware, spyware, that makes me suspicious of the “ad economy”. Yes, Google makes obscene levels of money over a few simple but powerful applications. But just because there is money to be made does Microsoft have to be in that space? Was MSFT buying up gold and oil reserves the last few years? Are they getting into bulk shipping? Were they buying New Zealand dollars? There are tons of ways to make money if you are sitting on $19 billion. Ways that have real returns for your stakeholders.

This grab for Yahoo! will kill Microsoft if it goes through. The guys at Yahoo! are smarter at generating ad revenue than the guys at MSFT but they are still losing out to Google. Microsoft should open their eyes to the real challenge facing them: software as a service. Chasing after ad dollars is a red herring.

If this deal goes through you will be able to mark this single event as the beginning of the end of the biggest tech giant ever.

January 28th, 2008

US Government seeks to invest $6 Billion in security by obscurity

Posted by Richard Stiennon @ 8:32 am

Categories: Security Industry News, State Sponsored Hacking

Tags: U.S. Congress, U.S. Government, Transparency, Security, Richard Stiennon

According to the Wall Street Journal this morning the Bush administration is pushing to spend $6 billion on cyber security in one year! They claim that US telecom systems are not adequately protected and that they need to spend this money to protect it. Just one problem, the government is not revealing to Congress just how these funds will be spent.

First of all let’s put some perspective around the size of this budget. $6 billion is larger than the entire industry for firewalls. That’s right, the total sales of firewalls from Check Point, Cisco, Juniper, Watchguard, Sonicwall, and twenty other vendors, worldwide, is less than $6 Billion. The entire security industry for products is less than $24 Billion.

So just how could the Federal Government spend $6 Billion on cyber security? They are not saying. They are asking Congress to buy a pig in a poke. Of course you will see the DHS claiming that these new investments must remain secret to be effective. I beg to differ. There is *no* security in secrecy when it comes to effective cyber defenses. Just as the best security in cryptography is to use almost-impossible-to-break but completely transparent encryption schemes, the best security for networks and systems is that which cannot be penetrated even if every detail is published and open.

Congress should stick to their guns and refuse to grant funds for secret cyber defense solutions. Yes, investment is needed - more in new policies and rigid enforcement than anything else. But granting a carte blanche to the Department of Homeland Security for $6 Billion a year in budget will result in only one thing: a new cyber bureaucracy.

Transparency is good for security. The administration should earmark these funds for specific departments and specific security measures. Otherwise there will be no metrics, no accountability, and they will be back at the trough next year asking for money to accomplish more secret goals.

January 23rd, 2008

Now this is leverage: scaling a phishing operation

Posted by Richard Stiennon @ 9:19 am

Categories: Security Industry News, Spyware

Tags: Phishing, Cyberthreats, Spam, Viruses And Worms, Security, Spam And Phishing, Richard Stiennon

Great research over at Netcraft today. They have found a site called Mr. Brain set up by some Moroccan hackers that offers a whole suite of phishing tools. The phishing tools are the usual set of cloned HTML, a management interface for routing stolen bank card info, etc. But these tools come with a bonus! All of the stolen data is also sent to the guys at Mr. Brain!

Brilliant.

January 21st, 2008

Market crash? What me worry?

Posted by Richard Stiennon @ 9:11 pm

Categories: Security Industry News, Uncategorized

Tags: Financial, Information Technology, IT-spending, Mortgages, Financial Accounting, Finance, Capital Structures, Richard Stiennon

I am writing this at midnight, January 21. The DOW Industrials have seen their worst year opening performance ever. Asia and Europe experienced 5-7% declines today. Whatever is in store for the US tomorrow I thought it worthwhile to look at the outlook for IT spending.

As, apparently, the only industry analyst to call the end to the last IT spending recession it occurred to me that I have some responsibility to talk to the current outlook.

Yes, a general recession in the US is going to impact IT spending. In each of the three or four major downturns I have experienced, spending on everything was cut back. It is just the way it is. For a public corporation to cut back on spending on IT projects is as natural as for the couple who have experienced a job loss to cut back on dinners out. But, this current financial crisis is just that, a debacle brought on by bizarre trust in financial instruments based on mortgages and several orders of abstraction from the monthly payments you and I equate with the term mortgage.

But, no. This situation is not going to translate into an IT recession. The bubbly activity cited in my current favorite video aside, there are such tremendous forces at work that IT spending will, I believe, continue at a survivable pace.

What are these forces? Performance, throughput, and usability. IT investments are paying off in huge returns in productivity and business interactivity.

IBM, Dell, Apple, Intel. All healthy, thank you. These companies cannot pull us through a recession when the likes of Merrill Lynch, Countrywide, and just about every financial institution mis-judged their risk portfolios. But investing in their technologies is how the typical enterprise is going to reduce costs, increase productivity and gain a competitive edge. My message? Sure, dump your banking stocks Tuesday. But do not sell IT short.

January 21st, 2008

Arbor Networks abandons security space

Posted by Richard Stiennon @ 8:41 am

Categories: Security Industry News

Tags: Arbor Software, Sales Force, Arbor Networks, Telephony, Mergers & Acquisitions, Telecom & Utilities, Content Management, Security, Telecommunications, Networking

I was actually in Ann Arbor last week when news broke that Arbor Networks had acquired Ellacoya, a so-called “deep packet inspection” technology vendor. I was perplexed. That’s not security.

First let me clear up some terminology. “Deep Packet Inspection” was the term some Gartner analyst popularized to describe what content filtering gateways do. They inspect content for worms, attacks, and viruses. Somewhere along the line the traffic shaping industry (Ellacoya, Allot, Sandvine) co-opted the term to describe what their devices do: look at the packet header to determine what protocol is being transported and throttle the throughput based on protocol. In other words, Quality of Service for network traffic. These devices do not look at payloads at all except in some rare instances when you have to determine if Skype-like programs are spoofing different protocols.

And then there are the Netflow companies (see “Getting to know Netflow“) that had been using existing packet monitoring capability to provide an analytical view into a network’s traffic.
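To make the distinction between the three kinds of box concrete, here is an added example (not code from the original post, and not from Arbor, Ellacoya or any other vendor named). It builds a few constructed IPv4/TCP packets inline and runs three passes over them: a header-only classifier of the kind the post says traffic shapers use, a payload signature scan of the kind a content-filtering gateway does, and a NetFlow-style 5-tuple aggregation. The port table, the signature list and the "SKYPE-SPOOF" marker standing in for an application tunnelling itself over port 80 are assumptions made for illustration; the third sample packet shows why a header-only device cannot tell that traffic on port 80 is not HTTP.

```python
import socket
import struct
from collections import defaultdict

# Assumption: a cut-down port table of the kind a header-only traffic shaper
# keys its throttling policy on.
PORT_PROTOCOLS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}

# Assumption: payload signatures for a content-inspecting gateway. The first is
# the standard EICAR anti-virus test string; the second is a made-up marker
# standing in for an application that tunnels itself over port 80.
SIGNATURES = {
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR": "eicar-test-file",
    b"SKYPE-SPOOF": "non-http-app-on-port-80",
}


def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP packet for the sample set (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse(pkt):
    """Return (src, dst, proto, sport, dport, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    if proto != 6:  # not TCP: no ports, treat the rest as payload
        return src, dst, proto, None, None, pkt[ihl:]
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    return src, dst, proto, sport, dport, pkt[ihl + data_off:]


def classify_by_header(pkt):
    """Traffic-shaper style: name the protocol from the ports, never the payload."""
    _, _, _, sport, dport, _ = parse(pkt)
    for port in (dport, sport):
        if port in PORT_PROTOCOLS:
            return PORT_PROTOCOLS[port]
    return "unknown"


def inspect_payload(pkt):
    """Content-gateway style: look inside the payload for a known signature."""
    payload = parse(pkt)[5]
    for sig, name in SIGNATURES.items():
        if sig in payload:
            return name
    return None


def flow_records(pkts):
    """NetFlow-style view: packet and byte counts per 5-tuple, no payload kept."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in pkts:
        src, dst, proto, sport, dport, _ = parse(pkt)
        rec = flows[(src, dst, proto, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += len(pkt)
    return dict(flows)


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    build_ipv4_tcp("192.0.2.5", "198.51.100.10", 40000, 80,
                   b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    build_ipv4_tcp("192.0.2.5", "198.51.100.10", 40000, 80,
                   b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    # Port 80, but the payload is not HTTP: a header-only shaper says "http".
    build_ipv4_tcp("192.0.2.5", "198.51.100.20", 40001, 80, b"SKYPE-SPOOF hello"),
    # Mail traffic carrying the EICAR test string in its body.
    build_ipv4_tcp("192.0.2.9", "203.0.113.2", 40002, 25,
                   b"DATA\r\nX5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*\r\n"),
]


if __name__ == "__main__":
    for pkt in SAMPLE:
        print("shaper:", classify_by_header(pkt), " gateway:", inspect_payload(pkt))
    for key, rec in flow_records(SAMPLE).items():
        print(key, rec)
```

Run it and the third packet is the one to watch: the shaper labels it "http" from the port alone, the signature scan sees what is actually inside it, and the flow view knows neither, only that a 5-tuple exists and how much it carried. That is the whole difference between QoS, content filtering and NetFlow analysis that the post is drawing.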

It appears that once again I am going to be a lone voice in objecting to this merger. First of all, when a privately held company like Arbor makes an acquisition it is usually at a fire sale. In other words, my guess is that Ellacoya was having trouble getting traction in a very competitive field. So maybe this is a classic “leverage existing customer base to sell more tools” play. My only problem with this is that it further dilutes the security message.

Every merger is a huge risk. Many companies have entered their death spiral soon after attempting to merge two dissimilar product portfolios. The sales force gets confused over conflicting messages (would you like some traffic shaping with that DDoS defense?) The customer gets confused. And the competitors move in.

All I can hope is that this is a technology acquisition and that Arbor will continue to evolve its security message. Switching gears and going after the Sandvines is a mistake. Arbor has survived one downturn in the telecom space. Last time around they created enterprise products to tide them over. I am afraid that with the telecom recovery they have neglected their true strengths for the easy pickings. If, as seems likely today, the telecom industry is entering another recession Arbor should be looking for enterprise security opportunities, not doubling down on the carrier.

Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
