Tuesday, December 29, 2009

Web security strategy

Check out SearchSecurity.com for the latest:

If you haven't focused on an enterprise-wide Web security strategy then it's time for a reality check. It's safe to assume that various parts of your organization are using Web applications and a cloud computing infrastructure or services, and the time to wrap a security strategy around that is now.

Wednesday, December 16, 2009

Microsoft and EC settle their IE dispute

Good to see the European Union competition commissioner has finally come to its senses and settled its silly and costly business practices lawsuit against Microsoft over the bundling of Internet Explorer into Windows.

This seemed like pure harassment to me – browsers are free, users can easily download and install any browser they want, and service providers could have included or recommended browsers if their customers demanded help. In fact, you could even argue that ubiquitous feature-rich free browsers have worked to everyone’s benefit (though I do not believe Microsoft set the market price of free).

Anyway, Microsoft and the European Commission are now in agreement. Microsoft has agreed to give the user a choice of leading browsers in versions of Windows and presumably the EC can find better things to do.

Tuesday, December 15, 2009

Lessons from CoreStreet

CoreStreet is the most recent security company fire sale – selling to ActivIdentity for “approximately” $20 million. Usually this means that the investors get some money back, the founders get some candy so they’ll bring their next idea back to the VCs, and everyone else gets new business cards. CoreStreet gave it a good go – they had sharp mathematicians and a new idea for authentication, but could not find a sustainable and repeatable business. There are at least two things that other struggling security companies may be able to learn from CoreStreet:

Keep your messaging simple. CoreStreet is in the “distributed credential validation solutions” segment. You cannot expect a security team to evaluate, recommend or buy a product that they do not fully understand or have an expressed need for. When I first talked with them, CoreStreet described proofs and math models to authenticate signatures when a certificate authority was unavailable. I was in over my head in about 30 seconds, and I like to think I’m pretty good at authentication and math. If you are looking to increase sales traction, make sure your messaging is easily understood and directly addresses an important business need.

Try to diversify away from a government-dominated customer base. When it comes to security, government agencies often have unique solution requirements that do not translate well into the commercial world. You can make a business serving the federal government if your company reaches a critical mass, but if you are not cash flow positive you need to have alternatives. While CoreStreet attracted business from defense-oriented agencies, it couldn’t translate its technology to the commercial sector. The company had no options and no place to grow, except perhaps through acquisition by a vendor that can service its outstanding government contracts.

There is a tough year coming up and we will see more security vendors like CoreStreet with tired investors and shuttered doors in 2010.

Database activity monitoring lacks security lift

Posted to SearchSecurity ...

The IBM acquisition of Guardium Inc., a privately-held database activity monitoring (DAM) vendor, is far from a validation statement of DAM as a viable security market segment.

Vendors including Embarcadero Technologies Inc., IPLocks (acquired by Fortinet Inc.), Lumigent Technologies Inc., Symantec Corp. and Tizor Systems Inc. (acquired by Netezza Corp.), have already given up on the DAM space, leaving companies such as Application Security Inc., Imperva Inc., Secerno Inc. and Sentrigo Inc. fighting to divvy up a total annual market of well less than $100 million. The IBM acquisition of Guardium helps the company gain information management technology and a capability to drive professional service revenues in the data center.

Tuesday, December 1, 2009

Health Net breach failure of security policy, technology

I'm back from vacation and Thanksgiving - hope you all had a nice break!

Here is the latest SearchSecurity posting:

"The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.

Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business." ...

Friday, November 13, 2009

Audit Ready Data Center Webinar with AccelOps

AccelOps has a really interesting approach to management of the technical infrastructure for mid-tier organizations. They do a solid, innovative job of going a few extra steps to combine, correlate and analyze data, steps that IT does not have to learn to perform manually. The Audit-Ready Data Center is a webinar, in conjunction with ISSA, where we talk about meeting the requirements of continuous audit in a way that provides a common language for security discussions with other organizations in the company. Hope you can check it out on the 19th.

Tuesday, November 10, 2009

Press Quote: Tufin extends security lifecycle management

Tufin has a nice vision for helping IT manage network access policies - coordinating rules between firewalls, routers, and switches for consistency and security. It is worth checking out, especially if your network has sensitive data (and what network doesn't).

"Firewall Policy Management functions are only part of the solution when controlling access to sensitive zones within the corporate infrastructure," said Eric Ogren, principal analyst of the Ogren Group. "Access policies that are enforced by high speed switches and routers need to cooperate, and be consistent with firewall rules for effective management of a secure network. Tufin’s approach of converging analysis of leading network and security devices can help enterprises control dynamic networks for compliance and security."

How to use Internet security threat reports

A bunch of security threat reports have hit the presses lately. Here are a few thoughts on how IT should use these, as posted in SearchSecurity ...

"The Melissa worm, one of the most prolific email viruses in history, earned its notoriety by forwarding itself to the first 50 people found in a victim's Microsoft Outlook address book. Security researchers celebrated its 10th anniversary earlier this year, and in the decade since Melissa, the world has seen a boom in viruses, Trojans, SQL injection, spam, phishing and drive-by downloads." ...

Friday, November 6, 2009

Security benefits of virtual desktop infrastructures

Newly posted to SearchFinancialSecurity:

"An emerging technology is helping to solve security issues within the financial industry: virtual desktop infrastructures. With a virtual desktop infrastructure, an organization actually executes desktop applications on servers in the data center, relying on remote display protocols to give the user a localized look and feel. The security benefits of VDI in the data center are clear: IT controls software configurations, assuring that users execute software with the latest patches and upgrades ..."

Wednesday, November 4, 2009

Two-factor authentication, constant vigilance foils password theft

The latest on passwords at SearchSecurity:

"The state of the art in static password protection policies has left some specialists questioning the usefulness of current password policies.

It's going to take new measures -- a mixture of technology and policy -- to hold users more accountable while addressing new attack methods and the automated connectivity of Web 2.0 behavior..."

Thursday, October 29, 2009

Chip and PIN adoption serves lesson for U.S. payment industry

Fresh off the SearchSecurity press:

"First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating" ...

Tuesday, October 27, 2009

Lumension adds AV to endpoint security offering

Lumension continues to put together the critical pieces of an endpoint security solution. In addition to patching vulnerabilities to reduce the risk of an exploit and application whitelisting with device control to reduce the risk of an attack modifying software, Lumension now adds an attack-centric AV layer to eradicate known threats. Defense in depth only really works if each layer adds a unique complementary technology approach. That way, whatever threat one approach might miss, the next approach is likely to catch. The addition of AV to patching and application whitelisting is a good approach that should work well for Lumension's customers.

I supported Lumension's release activity with the following quote:

Eric Ogren, Principal Analyst, Ogren Group
“As the explosion of viruses and data-stealing crimeware continues to wreak havoc on corporate networks, IT administrators need to take an increasingly more proactive and blended approach to endpoint protection. Lumension now offers solution layers that close system vulnerabilities, identify and remove attacks, and protect against malware from Web 2.0 threats. Organizations that adopt such a coordinated defense will be better-suited to protect against threats, keeping their network, endpoints, and business resistant to the daily influx of newborn malware.”

Wednesday, October 21, 2009

DLP technology challenges security costs

New to SearchSecurity:

"Vendors have blurred the functional boundaries between data leakage prevention, digital rights management and even endpoint device control, to the extent that IT should reset expectations for DLP deployments. The recent Burton Group report on DLP summarizes the market from a vendor offerings point of view, with heavy emphasis in vendor rankings given to companies with large market shares and marketing budgets. DLP can be a powerful weapon for security teams balancing threat protection with data protection and acceptable use policies, but only in well-defined business scenarios." ...

Friday, October 16, 2009

Phishing protection begins with training, antiphishing evangelist

Newly posted on SearchSecurity:

Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.

Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.
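As an added illustration (not part of the original post or the SearchSecurity article), here is a small Python check for the two tells in the scam just described: anchor text that displays one domain while the href points at another, and a host that borrows the brand name but is registered somewhere else. The message, the brand and the domains are constructed for the example; the registrable-domain logic is a two-label approximation, and a production check should use the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish); brands and domains are made up.
SAMPLE_HTML = """
<p>Dear customer, please verify your account at
<a href="http://examplebank-secure.login-verify.example.net/auth">https://www.examplebank.example</a>
before your access is suspended.</p>
<p>Statements: <a href="https://www.examplebank.example/statements">View statements</a></p>
<p>Help: <a href="https://support.examplebank.example/">support.examplebank.example</a></p>
"""

# Domains the organization actually owns (assumed); look-alikes are suspect.
OWNED_DOMAINS = {"examplebank.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames in anchor text are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Last two labels. Approximation only; real code should use the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def classify_link(href, text):
    """Return the reasons this link is suspicious (empty list means it looks fine)."""
    reasons = []
    host = host_of(href)
    href_dom = registrable_domain(host)
    # Tell 1: the visible text looks like a URL but names a different domain than the href.
    if URL_LIKE.match(text):
        text_dom = registrable_domain(host_of(text))
        if text_dom != href_dom:
            reasons.append(f"display text domain {text_dom!r} != href domain {href_dom!r}")
    # Tell 2: our brand appears in the host, but the registrable domain is not ours.
    for owned in OWNED_DOMAINS:
        brand = owned.split(".")[0]
        if brand in host and href_dom not in OWNED_DOMAINS:
            reasons.append(f"brand {brand!r} in host {host!r} but domain {href_dom!r} not owned")
    return reasons


def scan_message(html):
    """Extract every link and classify it; returns [(href, text, reasons), ...]."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]
```

Run `scan_message(SAMPLE_HTML)`: only the first link is flagged, on both counts, while the two genuine links pass. The same check can be applied to outbound mail before it reaches employees, or to a mailbox export during an investigation.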

Tuesday, October 6, 2009

Mitigating zero-day vulnerabilities in customers' environments

Posted today at SearchSecurityChannel:

"Zero-day exploits -- attacks in the wild that are too new for signature checkers to recognize -- present a serious challenge to security solution providers who are expected to protect client endpoints, hosted websites, application services and Web communications. However, there may be opportunities for service providers to differentiate, or offer revenue generating services, with services that help clients recover from a zero-day infection."

Monday, October 5, 2009

Feds push cybersecurity jobs, PCI DSS changes ahead

Posted to TechTarget today:

"In a significant sign of the government's commitment to improving its cybersecurity profile, the Department of Homeland Security said it could hire 1,000 security professionals over the next three years. This is welcome news for those seeking cybersecurity jobs. A longer-term view of the problem of securing the national technical infrastructure would have DHS allocating more of its $40 billion total budget authority to cybersecurity educational programs. We've heard reports about the problem of filling and retaining professionals in government information security jobs. In addition to existing degree programs at a few universities, perhaps cybersecurity can also be featured in Reserve Officers' Training Corps (ROTC) programs to develop military leadership well-versed in cybersecurity skills. Presently, neither the Army ROTC nor the Air Force ROTC shows cybersecurity as a career choice..."

Tuesday, September 22, 2009

Nominum Broadens Intelligent DNS Impact with SKYE Cloud Services

Nominum is introducing a DNS SaaS approach called SKYE. This is interesting partly because the DNS lookup seems like a good time to layer on security and acceptable use services, since attacks now originate from the Web. It is a good concept, with a good management team behind it, and I was glad to support their release.

“DNS has evolved from a simple name resolution protocol to a policy-based system that provides essential availability, auditing and security services for the entire ecosystem of web-based applications,” said Eric Ogren, principal analyst at the Ogren Group. “Since the first step of any Internet request is a DNS look-up, the name service is a natural position to deploy technology asserting manageable controls over the complexities and threats of today’s Internet. With web threats dominating the Internet, the time could not be better for Nominum to launch its SKYE service for ISPs and enterprises.”

Monday, September 21, 2009

Whitelists, SaaS modify traditional security, tackle flaws

Posted on SearchSecurity.com:

"The SANS Institute's latest threat report should be a reminder to security teams that now is the time to rethink the traditional approach to security as 2010 plans are being prioritized, with a strategy to transform security into a capability that is as dynamic as the attack landscape.

Threat reports are usually a tough read as they highlight the successes of hackers without suggesting meaningful preventive actions that IT can take. But the SANS report, The Top Cyber Security Risks, found that traditional security is woefully inadequate in protecting the business infrastructure against infected websites and penetration through popular applications such as Adobe Flash and Microsoft Office."

Wednesday, September 16, 2009

Last thoughts from VMworld

Now that my computer has been replaced with a shiny new Dell box, it is time for my last thoughts on VMworld. Overall, VMware did a great job, there was tangible excitement throughout the entire week at the show, and VMware is poised for a great year. Without further ado, here are my top 5 impressions -

1. Virtual desktops and virtual workspaces are gaining real momentum. The concept of IT managing users and content, and not managing devices, is gaining traction. The primary driver is compliance – IT is fed up with configuration drift and data loss at the endpoint, which is leading to programs for VDI.

2. VMware needs to provide a bridge from physical environments to hybrid physical-virtual environments to a totally virtualized infrastructure. It is one thing to evangelize virtualization and the cost savings associated with application density. However, only 15-20% of applications in the data center have been virtualized. The remaining 80% or so of physical applications will take a while to evolve, so VMware would do well to have vCenter embrace management of the entire infrastructure, not just ESX.

3. VMware has the chance to be the spokesperson for virtualization if they change their approach to competitors. RSA was brilliant in giving airtime to opposing points of view from competitors and the US government. The result is the most important and comprehensive security conference on the planet. VMware needs to lift space and messaging restrictions on Citrix, Microsoft, Oracle and others to elevate VMworld to the virtualization showcase conference.

4. VMware has a brand new leadership team with key players in their roles for less than 3 quarters. It is a challenge to learn the business and choose the best strategic path while undergoing on-the-job training. Maybe I’m overly sensitive to this – I saw Security Dynamics (now RSA) swap out Sales, Marketing, and Engineering leaders only to find the newbies surround themselves with cronies and stymie the business by chasing the PKI windmills.

5. Citrix and Microsoft are very much in VMware’s cross-hairs. Even Citrix customers often host applications on ESX and deliver the user experience with Citrix ICA. VMware is targeting end-to-end solutions by bolstering VDI with PCoIP – a direct challenge to Citrix’s ICA. This is a good move for VMware and will certainly benefit customers, who will soon have more choice. Less good is the fear of Microsoft Hyper-V and App-V. VMware needs to find a cooperative and competitive strategy where they can spend less time looking over their shoulders at Redmond.

Thursday, September 10, 2009

Security vendors can learn from ConSentry Networks demise

The latest article posted to SearchSecurity:

"There is a plethora of security vendors in the world today, many of which are not going to get any bigger. Security startups struggle to get broad horizontal traction, and I have talked with many vendors who insist that everyone must have their product. However, most security vendors simply do not grow to be very big, primarily because their product line is not obviously needed by everybody.

The recent demise of ConSentry Networks Inc., a switch-oriented NAC vendor, serves as a sad reminder that security often only has niche appeal. Smaller privately held vendors may need to go vertical to best understand how to serve the business and to survive as a company..."

Thursday, September 3, 2009

At VMworld 2009, companies focus on virtual desktops for security

Just posted on SearchSecurity.com from VMworld:

"While security and compliance is a major driver of virtual desktop infrastructure projects, security is taking an otherwise decidedly low profile here at VMworld this week. Clearly customers are moving ahead with virtualization projects within the context of traditional security architectures. This is also reflected in the trend that attached costs for professional services, incremental storage, networking, and business applications are all greater in virtualization projects than security expenses. Virtualization projects are going ahead in the data center where application service configurations are relatively static and security can be placed in the physical infrastructure..."

Tuesday, September 1, 2009

At VMworld this week

VMworld brings me back to the Moscone this week. The VMware conference has drawn over 12,500 people and the exhibit hall was absolutely hopping yesterday. There is a lot of excitement about new technology and the vision of a dynamic IT service. Most of what I’ve seen so far is in CAPEX reduction, such as layering shared OS images, application packs, and personalization settings to reduce storage and administration costs. I like the prospects of VDI to change the security model, but it looks like VDI may stay poised waiting for a breakout for a bit longer.

Most of the security here is tied to multi-tenancy. For example, if an Exchange VM is launched on a new server to meet capacity demand, then make sure a DLP VM is also launched to meet compliance mandates. I can’t say I’ve seen much innovative use of VMsafe even though big security vendors Check Point, McAfee, Symantec, and Trend Micro are all here. Reflex Security may be interesting when I talk with them tomorrow.

It has come to my attention that www.ogrengroup.com returns a “not found” error message. My blog is hosted by Google so I’ll have to see what changed there. If you are reading this, then you know how to get to my blog directly. Bad timing with the conference going on - I’ll get this fixed as soon as I can!

Thursday, August 20, 2009

VMware AppSpeed moves virtualization forward

This is an Ogren Group Impact I wrote a few weeks ago for VMware AppSpeed. The product is a pretty good idea and should do well for VMware's customers.

"VMware is bolstering its vCenter management capability with AppSpeed 1.0 software enabling organizations to confidently control performance as applications transition to a virtualized infrastructure. AppSpeed allows IT organizations to manage memory, network, and system resources for applications across the physical and virtual corporate infrastructure, assuring predictable VM performance under peak workloads. The Ogren Group believes establishing visibility and control of performance as applications become virtualized is a critical capability for organizations advancing their strategy of cost savings and dynamic IT service management through data center virtualization. The introduction of vCenter AppSpeed is an innovative move by VMware, and positions VMware customers to rely more upon ESX virtualization in the data center..."

Wednesday, August 19, 2009

Hacker charges also an indictment on PCI, expert says

Just posted to SearchSecurity ...

"The federal indictment this week of three men for their roles in the largest data security breach in U.S. history also serves as an indictment of sorts against the fraud conducted by PCI – placing the burden of security costs onto retailers and card processors when what is really needed is the payment card industry investing in a secure business process.

A federal grand jury has indicted Albert Gonzalez of Miami and two as-yet-unnamed Russian hackers for their alleged roles in the Heartland Payment Systems Inc. and Hannaford Brothers Co. theft of data on 130 million credit and debit cards, plus the 40 million credit cards grabbed from TJX.
SQL Injection still a major problem:
SQL Injection troubles firms, errors lead to breaches: Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.

Three indicted for Hannaford, Heartland data breaches: A grand jury has charged three men for their role in stealing more than 130 million credit and debit cards from Heartland Payment Systems and several other companies. The indictment makes for good reading, with references to SQL injection, distributed data collection servers, QA against major AV products and temporary messaging accounts to elude detection..."
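The SQL injection both summaries refer to comes down to a query assembled by string concatenation. The following Python/sqlite3 snippet is an added example, not code from the indictment or from the linked articles: a constructed merchant and card table, and the same login query written the vulnerable way and the parameterized way, so the reader can see why the concatenated form hands an attacker the whole card table while the parameterized form does not. Table and column names, logins and card numbers are assumptions for illustration (the PANs are standard test numbers).

```python
import sqlite3


def build_db():
    """In-memory stand-in for a processor's database; every row is constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, login TEXT, pw TEXT)")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant_id INTEGER, pan TEXT)")
    conn.executemany("INSERT INTO merchants (login, pw) VALUES (?, ?)",
                     [("acme", "s3cret"), ("globex", "hunter2")])
    conn.executemany("INSERT INTO cards (merchant_id, pan) VALUES (?, ?)",
                     [(1, "4111111111111111"), (2, "5500000000000004")])
    return conn


def login_vulnerable(conn, login, pw):
    """Statement built by concatenation: user input is parsed as SQL grammar."""
    sql = f"SELECT id FROM merchants WHERE login = '{login}' AND pw = '{pw}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, login, pw):
    """Parameterized statement: values travel separately from the SQL text,
    so a quote or a UNION in the input is only ever compared as data."""
    sql = "SELECT id FROM merchants WHERE login = ? AND pw = ?"
    return conn.execute(sql, (login, pw)).fetchall()


# Payloads of the kind the indictment describes. "--" opens a SQL comment, so the
# remainder of the original WHERE clause (the password check) is discarded.
BYPASS_AUTH = "' OR 1=1 --"
DUMP_CARDS = "' UNION SELECT pan FROM cards --"

if __name__ == "__main__":
    db = build_db()
    print("normal login        :", login_vulnerable(db, "acme", "s3cret"))
    print("auth bypass         :", login_vulnerable(db, BYPASS_AUTH, "x"))
    print("card dump           :", login_vulnerable(db, DUMP_CARDS, "x"))
    print("same, parameterized :", login_safe(db, DUMP_CARDS, "x"))
```

The UNION payload works because the attacker's SELECT returns the same number of columns as the original; against a legacy application the column count is found by trial, which is the kind of probing a web server log will show before the data leaves.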

Webinar coming up - 3 Tactics for Securing Your Website and Driving Trust, Customers and Revenue

I have the pleasure of conducting a VeriSign-sponsored, IT Security-hosted, webinar next Wednesday on web site security. Given the prevalence of web site attacks, this is pretty timely. I hope you can check it out.

3 Tactics for Securing Your Website and Driving Trust, Customers and Revenue

Date: Wednesday, August 26, 2009
Time: 1PM ET / 10AM PT

If your customers visit your website and don’t think it’s secure, they won’t buy from you. Secure your transactions. Join this FREE live webinar to learn 3 ways your company can ensure your website is secure and you can improve transactions with your customers.

Get 3 easy tactics to secure your website now and drive trust, customers and revenue:

• Strategy to drive trust, customers and revenue by securing your website
• What are the costs and risks to online customers and your business
• Why you need to secure your e-commerce site
• 3 easy tactics to secure your website NOW

A Chance to Win

Live attendees will be entered for a chance to win an iPod Nano. One winner will be selected from the audience by random drawing.*

If you’re interested but can’t attend the live event, register today and we will send you a link to the on-demand archive when available.

We look forward to having you join us.
Featured Speakers:

Eric Ogren is the founder and principal analyst of the Ogren Group. Ogren’s background features over 15 years of enterprise security experience, becoming a highly regarded industry analyst. Coverage areas include virtualization security, alignment of security technologies with business requirements, evolution of endpoint security, authentication and user identity protection, application security, managing security in large enterprise environments, and consumer privacy issues. Prior to starting The Ogren Group, Ogren served as security analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. Additional vendor-side experience includes product leadership roles at RSA Security and Digital Equipment. Ogren holds a B.S. degree in mathematics from the University of Massachusetts and an M.S. degree in Computer Science from Boston University.

Ryan White is SSL Product Marketing Manager at VeriSign, Inc. Ryan has been at VeriSign for over 3 years helping to educate businesses about how to protect their site and customers with encryption technology.
Michael Oliver-Goodwin is a Contributing Editor of IT Security. He is a widely published writer and an experienced editor for publications, including PC World, MacWeek and InfoWorld.
*Employees of associated companies are not eligible for drawing. Person must live in the US to be eligible. Winner is chosen at random. Winner will be notified at the conclusion of the live webinar. One prize will be given out per person selected from the drawing.

Thursday, August 13, 2009

Patch management study shows IT taking significant risks

Posted to SearchSecurity.com -

"The latest research around patch management is a good reminder for security teams to move patch diligence up the stack to applications and to resist disabling signature checking for performance in UTMs.

Qualys Inc. presented an update at the recent Black Hat USA 2009 briefings to their Laws of Vulnerabilities research, a timely statistical review in light of the increase in Microsoft Internet Explorer, Microsoft Office, Adobe Reader, and Apple QuickTime application level attacks. The study, first conducted in 2004, is based on years of accumulated vulnerability scanning data of the Qualys installed base..."

Tuesday, August 11, 2009

Microsoft Security Essentials (MSE) shows no vision, expert says

Posted today on SearchSecurity.com.

"Microsoft's security program is lost in time.

While it works diligently to bring yesterday's antimalware solution to market with Microsoft Security Essentials (MSE), the company is completely losing the future of security definition to competitors, with recent evidence supplied courtesy of Google's Chrome OS announcement and Check Point's browser sandboxing feature. There are a few points where Microsoft security is losing time." ...

Thursday, July 23, 2009

Written for Lumension - Endpoint Security: Moving Beyond AV

"Application whitelisting is emerging as the security technology that gives IT a true defense-in-depth capability, filling in the gaps that anti-virus (AV) was never designed to cover. Organizations have invested heavily in traditional AV solutions, often stacking AV filters from multiple vendors along the data path in the desperate hope that one of the products would stop malware from infecting the corporate or government endpoints. While AV plays a crucial role in identifying known malware and cleaning infected systems, the reality is that relying on layers of the same defense mechanism leaves organizations completely exposed to attacks and data theft from unknown or designer malware that can be delivered in web-based active code, downloaded encrypted code fragments, and persistent botnets. Security teams that know they need more than AV are now deploying application whitelisting technology to protect laptop, desktop, server and point-of-sale endpoints from unidentified malicious code as well as undetected code injections - and they are finding significant operational benefits due to fewer interruptions responding to infected endpoints.

This Ogren Group Special Report, Endpoint Security: Moving Beyond AV, commissioned by Lumension, presents the market demand for application whitelisting with recommended actions for security decision makers. Information in this report derives from Ogren Group research and interviews with enterprise security executives of global organizations." ...
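To make the argument concrete for both this report excerpt and the Lumension AV note above, here is an added Python example (not Lumension's code or anything from the report) that contrasts a signature denylist with a hash allowlist on constructed byte strings standing in for executables. The "malware", the signature and the file names are made up; what matters is which layer catches the repacked variant and the tampered trusted binary, and why stacking a second signature engine would catch neither.

```python
import hashlib

# Constructed byte strings standing in for executables on disk (not real programs).
KNOWN_GOOD = {
    "notepad.exe": b"MZ\x90\x00GOODPROGRAM-v1",
    "payroll.exe": b"MZ\x90\x00PAYROLL-v7",
}
KNOWN_BAD = b"MZ\x90\x00EVIL-DROPPER-BUILD-42"             # the AV vendor has a signature
UNKNOWN_BAD = b"MZ\x90\x00EVIL-DROPPER-BUILD-43-REPACKED"  # same family, no signature yet
INJECTED_GOOD = KNOWN_GOOD["payroll.exe"] + b"\x90\x90INJECTED"  # trusted binary, tampered


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Layer 1: signature (denylist) antivirus. Signature name is assumed.
SIGNATURES = {"Dropper.42": b"EVIL-DROPPER-BUILD-42"}


def av_verdict(data):
    """Block only what matches a known-bad pattern; everything else is allowed by default."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return ("block", name)
    return ("allow", None)


# Layer 2: application allowlist keyed by file hash.
ALLOWLIST = {sha256(blob): name for name, blob in KNOWN_GOOD.items()}


def allowlist_verdict(data):
    """Allow only what matches a known-good hash; everything else is blocked by default."""
    name = ALLOWLIST.get(sha256(data))
    return ("allow", name) if name else ("block", "not on allowlist")


def defense_in_depth(data):
    """Execution needs both layers to allow; the detail records which layer caught what."""
    av, wl = av_verdict(data), allowlist_verdict(data)
    decision = "allow" if av[0] == "allow" and wl[0] == "allow" else "block"
    return decision, {"av": av, "allowlist": wl}


def scan_samples():
    """Run every constructed sample through both layers."""
    samples = {
        "notepad.exe": KNOWN_GOOD["notepad.exe"],
        "known_dropper": KNOWN_BAD,
        "repacked_dropper": UNKNOWN_BAD,
        "tampered_payroll": INJECTED_GOOD,
    }
    return {label: defense_in_depth(blob) for label, blob in samples.items()}


if __name__ == "__main__":
    for label, (decision, detail) in scan_samples().items():
        print(f"{label:18} {decision:5} av={detail['av']} allowlist={detail['allowlist']}")
```

The signature layer still earns its place: it is the only one that names the known dropper, which is what incident responders need for cleanup. The allowlist is what stops the two samples no signature exists for.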

Wednesday, July 22, 2009

OPSWAT quote for press release

OPSWAT is a neat company that develops toolkits for embedding security into applications. The most common need is for a general purpose interface to make calls to an AV product, allowing the application vendor to pick and choose the right AV engine for the job. OPSWAT also includes logic to facilitate a clean removal of security - a welcome capability for those of us who have ever attempted to uninstall an AV product when switching vendors. They do interesting work with a refreshingly pragmatic approach. I am pleased to support their press release with a quote:

“As the IT need for embedding security solutions in the fabric of the infrastructure becomes an increasing necessity due to the growing number of Internet-based threats, so does the ability to manage these solutions in an efficient manner,” said Eric Ogren, founder and principal analyst at the Ogren Group. “OPSWAT, Inc.’s Metascan technology provides the capability to bolt anti-malware scanning engines directly onto third-party software. Together with OESIS application management features, the acquisition of Metadefender’s technology nicely positions OPSWAT to provide a comprehensive, all-inclusive anti-malware scanning engine, benefiting vendors of secure products.”

New hacker skills optimize revenue

The latest from SearchSecurity:

"Malware is evolving into a rewarding, mature high-tech market, and it's not surprising that the financial incentives of developing and peddling malware can outweigh the risk of penalties that include spending quality time in jail. Malicious code developers may not be business school graduates, but they appreciate basic business principles to expand their addressable market; optimizing revenue from the install base and leveraging technology. That was the takeaway from the Cisco 2009 Midyear Security Report, an excellent summary of the major malware activity written for a less-technical executive audience..."

Friday, July 17, 2009

Offering SaaS for securing mobile devices

The following has just been posted in TechTarget's SearchSecurityChannel:

"Intelligent mobile devices are revolutionizing the way remote users connect to their business, and thus are presenting unique security opportunities for solution providers. Blackberrys, iPhones, and the emerging category of promising Mobile Internet Devices (MIDs) are exploding in popularity, fueled by the availability of easy-to-use application interfaces to access information (both business and personal) in non-traditional ways..."

Monday, July 13, 2009

Cloud-based security services should start private

Posted on SearchSecurity.com this week:

"Many early stage cloud vendors have it backwards when it comes to offering cloud-based services. They implement Software as a Service (SaaS) first to demonstrate their vision and then develop enterprise integration features. But the right way to go about it is to support corporate clouds in early product releases. IT is typically conservative about business risk and likes to retain control over sensitive data and applications. Security SaaS vendors may be better served by allowing IT to start by hosting its own private cloud service, integrated with existing data repositories and administrative systems and then provide a path to the full cloud application environment"...

Wednesday, July 8, 2009

Ogren Group Impact: MokaFive LivePC at your service

MokaFive has the innovative idea of deploying virtual desktops as a service for remote users. The payoffs can be large for IT – centralized control of endpoint configurations for meeting compliance mandates, protection of sensitive data while working in remote locations, and end-user convenience of having ubiquitous access to their desktop. The Ogren Group believes that with performance concerns abating due to the virtual desktop running on the endpoint, virtual desktops will usher in new opportunities for IT to cost effectively service business users.

Wednesday, July 1, 2009

Tufin takes an operational view on firewall rules management

Tufin is one of the promising companies in the firewall rules management market. While security and managing compliance are of primary importance, Tufin also appreciates the operational cost savings of controlling and automating firewall rules administration. The following is a quote from their Automatic Policy Generation press release that hit the wires on June 29th:

"Automating the creation of optimized firewall rule bases is critical to establishing an accurate baseline for increasing network security and reducing operational costs," said Eric Ogren, principal analyst of the Ogren Group. "Well defined firewall rules lower the risk of creating holes in network security, eliminate many of the business disruption issues that can accompany firewall deployments, and reduce the number of costly support calls. Automation ensures that firewall rule bases act on the intelligence discovered from actual observed business traffic."

Twitter risks, Facebook threats trouble security pros

Nice way to start July with a new SearchSecurity post!

"The explosive growth in social networking has positioned many security teams solidly between a rock and a hard place. On the one hand, conscientious security executives cannot ignore the data loss and regulatory compliance risks to the corporation; on the other hand, security cannot politically survive by categorically objecting to other organizations innovative use of new business tools...."

Thursday, June 18, 2009

If you were Check Point, who would you buy?

I gave this feedback to a senior editor at MergerMarket. Since they provide a subscription service I thought it would be interesting to also dream about Check Point M&A here.

Check Point is an interesting company with a healthy revenue stream, big bank account, and dominant market position. They haven't shown a great desire to grow by acquisition in the past, and the vision of the Zone Labs and Nokia deals doesn't particularly wow me. Still, they can print money so they're clearly doing a lot of things right!

Check Point Software Technologies is a software company specializing in network inspection and processing. I would think the first wave of merger activity would be to diversify from security into adjacent areas of networking. If you think about it, a firewall's job is to let traffic into the network, so I tend to think Check Point can better use its checkbook to improve connectivity for its customers. Here are three areas I would recommend for Check Point corporate development:

WAN optimization. Performance over the Internet is critical to capturing new customers and improving business processes. Riverbed would be the number one target. RVBD would allow Check Point to combine security features with web access, accelerated storage, and more. Check Point is good at terminating WAN connections so this is a natural fit.

Virtual Desktop and Virtual Machine delivery. Virtualization will continue its penetration of the datacenter, and we will see more enterprises solving labor intensive endpoint complexity and security problems with virtualization. Picture a remote user connecting by VPN through a firewall to a network server to run or download a virtual application. Most of the companies in this space are small, with software implementations from Parallels and perhaps the smaller MokaFive and Ring Cube. It would be bold and cool if they could scarf up Citrix, but I'm not sure that Check Point's pockets are that deep.

Network Management. An under-appreciated strength of Check Point is its management capability. The company gets great stickiness and loyalty from a base that shies away from command line interpreters and script-writing. The trick is to combine mergers in this area with WAN optimization or virtualization. I would look towards companies like Reflex Systems, DynamicOps, or FastScale to allow organizations to quickly take advantage of a compelling Check Point infrastructure. Those are tiny companies - I'm sure there are public ones that also fit this bill, it is just too late for me to think of them ;)

I'm not big on Check Point acquiring hardware capability (e.g. Crossbeam) because Check Point is a software company and it is difficult for hardware product lines to thrive in a company with a software DNA - just look at McAfee's history with hardware. I also don't think it makes much sense to commoditize adjacent security vendors (been there with Sourcefire, and what does it really add for customers that can't be done through partnerships?). Though maybe they'll score Imperva to get Shlomo Kramer back in the fold, or put Code Green on one of their software blades.

Virtual appliances boost flexibility, improve security

The latest TechTarget post highlights the innovative use and device sharing possibilities afforded by virtual appliances.

"Security products purchased as virtual appliances give IT greater flexibility in deployment than traditional security hardware devices. The concept of treating network security as a software application has proven to be successful. Organizations can save money by re-purposing expensed servers as security devices, achieve a performance boost by placing network-oriented security on a faster processor and consolidate security functions on fewer servers to save on administration while making the security function a bit greener." ...

Monday, June 15, 2009

Security pros find corporate firewall rules tough to navigate

Posting on June 15th to SearchSecurity:

"Corporate firewalls usually contain a security Pandora's box of rules, representing prioritized sequences of allow or deny decisions that only the most brave security operator dares to modify. Removing or re-sequencing firewall rules runs the risk of blocking approved business communications or of opening a hole exposing the business to unauthorized traffic. It is near impossible for a human to manually audit firewall rules across the enterprise to reduce risk, optimize firewall device performance, and streamline data paths through routers, switches and firewalls. Security teams are turning to firewall management tools to perform security audits of the infrastructure and automate operational control of the firewalls. ..."
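The risk described in this excerpt and in the Tufin quote above comes from first-match evaluation: a rule base is walked top-down, the first matching rule decides, and a later rule can be silently covered by an earlier one. The following is an added illustration of that audit, not Tufin's code and not code from the original articles. The rule-line format, the sample rule base and the packet examples are constructed for this illustration.

```python
"""Ordered firewall rule base: first-match evaluation and shadowed-rule audit.

Added illustration for the firewall-rule posts above; this is not Tufin's
code and not from the original articles. The rule-line format and the
sample rule base below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str      # "tcp", "udp" or "any"
    ports: range    # destination ports; range(0, 65536) means any
    action: str     # "allow" or "deny"


def parse_rule(line):
    """Parse 'name src dst proto ports action' (constructed format)."""
    name, src, dst, proto, ports, action = line.split()
    if ports == "any":
        prange = range(0, 65536)
    elif "-" in ports:
        lo, hi = ports.split("-")
        prange = range(int(lo), int(hi) + 1)
    else:
        prange = range(int(ports), int(ports) + 1)
    return Rule(name, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto.lower(), prange, action.lower())


def parse_rulebase(text):
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def matches(rule, src, dst, proto, port):
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and rule.proto in ("any", proto)
            and port in rule.ports)


def first_match(rules, src, dst, proto, port):
    """Evaluate top-down; the first matching rule decides. Implicit default deny."""
    for r in rules:
        if matches(r, src, dst, proto, port):
            return r.name, r.action
    return None, "deny"


def covers(a, b):
    """True if every packet rule b would match is also matched by rule a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto)
            and b.ports.start >= a.ports.start
            and b.ports.stop <= a.ports.stop)


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule covers them.

    Same action as the covering rule -> 'redundant' (safe to remove);
    different action -> 'shadowed' (the intended exception never applies).
    """
    findings = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "redundant" if earlier.action == r.action else "shadowed"
                findings.append((r.name, earlier.name, kind))
                break
    return findings


# Constructed sample rule base, as an operator might have accreted it over time.
SAMPLE_RULES = """
# name           src            dst            proto  ports  action
allow-web        0.0.0.0/0      10.0.1.0/24    tcp    80     allow
deny-dmz-db      10.0.1.0/24    10.0.2.0/24    tcp    3306   deny
allow-app-db     10.0.1.10/32   10.0.2.5/32    tcp    3306   allow
allow-mgmt       10.0.9.0/24    10.0.0.0/8     any    any    allow
allow-mgmt-ssh   10.0.9.5/32    10.0.2.5/32    tcp    22     allow
"""


if __name__ == "__main__":
    rules = parse_rulebase(SAMPLE_RULES)
    # The app server's database exception is never reached: the broader deny sits above it.
    print(first_match(rules, "10.0.1.10", "10.0.2.5", "tcp", 3306))
    for finding in shadowed_rules(rules):
        print(finding)
```

The sample shows both failure modes the excerpt warns about: `allow-app-db` is shadowed by the broader `deny-dmz-db` above it, so the application's database exception silently never takes effect, and `allow-mgmt-ssh` is redundant under `allow-mgmt`. Swapping the order of the first pair fixes the shadowing; removing the redundant rule shortens the path through the device. A real audit also has to consider partial overlaps between rules, which the `covers` check above deliberately does not attempt.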

Cloud security begins with infrastructure assessment

Posted June 10th on TechTarget's SearchSecurity:

"Security professionals are facing the difficult challenge of extending security requirements to take advantage of cloud computing and software-as-a-service applications. Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility. ..."

Sunday, June 7, 2009

Early Vibe: Triumfant

Triumfant is an up and coming endpoint security product vendor headquartered in the Washington, DC area. The company takes a holistic approach to endpoint security, detecting changes to the environment, auditing activity, and restoring the endpoint to a compliant state after an attack. This is a sharp contrast to traditional anti-virus approaches that can never catch all the exploits and behavioral approaches that fail to unwind from a detected attack. I believe the security experiences of Triumfant’s leadership team, and the uniqueness of its technology, give the company a promising future if it can navigate the pitfalls associated with growing an “A” round company.

The secret sauce for Triumfant is the capability to define and manage the drift of adaptive baseline configurations of endpoints under protection. This allows the technology to detect unauthorized changes, such as those caused by malicious code, and to reset the endpoint to the latest baseline. Agent software scans the local environment for changes, and also uses signature and behavioral techniques to increase the chance of detecting an attack. The centralized server allows IT to manage baseline definitions, to automatically allow for configuration drifts by auditing endpoints under Triumfant protection, and to reset a non-compliant endpoint to the latest pristine image without the need for an IT refresh. The approach is refreshing as most endpoint security vendors completely ignore the need to reset an endpoint without IT intervention.

Triumfant will face challenges as it grows, and must carefully choose product features that keep it ahead of the slower moving vendors. The two greatest impacts may come from anti-virus vendors and virtual desktop vendors. IT cannot conceive of an endpoint security world without AV, no matter how many times AV is proven ineffective. Triumfant should bundle an optional AV in its solution to be able to displace installed competitors with a more comprehensive endpoint security solution. Virtual desktops offer the ability to reset the desktop to pristine compliant images when an infection is detected. Triumfant can fill the gap for virtual desktop vendors by enabling desktop resets of virtual images.

Customers need to demand more from all endpoint security vendors and not just accept a status quo that does not work often enough. Triumfant is rising to this challenge with an innovative approach to protect servers and desktops from attacks, and to give IT relief from attack recovery procedures. It is an interesting play that lends itself well to servers and will inevitably become popular on desktops too.
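The mechanics behind the "adaptive baseline" described in this post are simple to sketch: fingerprint the endpoint, compare against the last accepted baseline, separate expected drift (logs, approved patches) from unauthorized change, and reset only what should not have moved. What follows is an added illustration of that loop, not Triumfant's code and not from the original post. The two in-memory file snapshots, the expected-drift patterns and the approved-change manifest are constructed for the example.

```python
"""Baseline-and-drift endpoint change detection with reset to baseline.

Added illustration of the approach described above; this is not Triumfant's
code and not from the original post. The two in-memory file snapshots, the
expected-drift patterns and the approved-change manifest are all constructed
for the example.
"""
import fnmatch
import hashlib


def fingerprint(files):
    """Map each path to the SHA-256 of its content. `files` is {path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def classify_drift(baseline, current, expected_patterns, approved_changes):
    """Compare a current fingerprint with the baseline and sort every difference.

    expected_patterns: glob patterns whose churn is normal (logs, caches).
    approved_changes:  {path: sha256} pushed by patch/config management; a
                       change is authorized only if it lands on that exact hash.
    Anything else is an unauthorized change, including files that are new.
    """
    report = {"authorized": [], "unauthorized": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        expected = any(fnmatch.fnmatch(path, pat) for pat in expected_patterns)
        if expected or (new is not None and approved_changes.get(path) == new):
            report["authorized"].append(path)
        else:
            report["unauthorized"].append(path)
    return report


def remediation_plan(report, baseline):
    """Actions that return the endpoint to its baseline without a rebuild."""
    plan = []
    for path in report["unauthorized"]:
        plan.append((path, "restore" if path in baseline else "remove"))
    return plan


def promote_baseline(baseline, current, report):
    """Adaptive baseline: fold authorized drift in, keep the old hash for the rest."""
    new_baseline = dict(baseline)
    for path in report["authorized"]:
        if path in current:
            new_baseline[path] = current[path]
        else:
            new_baseline.pop(path, None)   # authorized deletion (e.g. rotated log)
    return new_baseline


# Constructed snapshots: what the agent recorded at baseline time and now.
BASELINE_FILES = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/var/log/syslog": b"boot\n",
}
CURRENT_FILES = {
    "/usr/sbin/sshd": b"sshd build 2",                 # patched via approved push
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",  # weakened, nobody approved it
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/var/log/syslog": b"boot\nlogin\n",               # normal log growth
    "/tmp/.x/dropper": b"not a real binary",           # new file, unapproved
}
EXPECTED_DRIFT = ["/var/log/*", "/var/cache/*"]
APPROVED_CHANGES = {"/usr/sbin/sshd": hashlib.sha256(b"sshd build 2").hexdigest()}


def audit():
    """One detection cycle: report, what to reset, and the next baseline."""
    base, cur = fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES)
    report = classify_drift(base, cur, EXPECTED_DRIFT, APPROVED_CHANGES)
    return report, remediation_plan(report, base), promote_baseline(base, cur, report)


if __name__ == "__main__":
    report, plan, new_base = audit()
    print(report)
    print(plan)
```

Two points the post makes show up directly: the weakened `sshd_config` and the dropped file are flagged without any signature for either, and the approved `sshd` patch is absorbed into the next baseline rather than raising an alert. The restore side assumes the baseline content is retrievable from the central server, which is the part that takes real engineering.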

Thursday, June 4, 2009

IT pros can detect, prevent website vulnerabilities, thwart attacks

Posted on SearchSecurity June 3rd.

"IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practitioners will have to categorize externally facing websites and then make security investment decisions among technologies such as scanners, penetration testers, Web application firewalls, source code scanning and security development lifecycle (SDL) investment. There is no one best practice when protecting websites, which is a worrisome state for businesses and helps explain why security vendors report that most attacks penetrate browsers through infected webpages."

Tuesday, June 2, 2009

WH cybersecurity plan needs private sector guidance

Posted this week on SearchSecurity.com

President Obama's announcement last week of the creation of a White House senior cybersecurity coordinator has put a dramatic shift in emphasis on critical infrastructure protection that is long overdue -- the country runs on networked applications and other countries have targeted critical elements of the U.S. infrastructure. There were ideas expressed in the Cyberspace Policy Review that are worth calling out ...

Wednesday, May 27, 2009

Organizations struggle with data leakage prevention, rights management

Posted May 26th on SearchSecurity ...

"While it is important to have technology that can automatically block violations of acceptable use policies, it is more important to have end users that know their responsibilities and application developers that integrate data security. That's where audit, discovery and reporting features come into play when evaluating data protection products such as data leakage prevention, endpoint device control and rights management systems..."

Friday, May 22, 2009

Software piracy pandemic needs government role, better vendor antipiracy plans

Posted earlier this week on Tech Target's SearchSecurity.com ...

A satisfactory solution to the business software piracy problem has proven elusive to the software industry. Draconian measures, such as rights management systems or hands-on key management systems, can drive up customer costs in IT administration, while in consumer markets the cost of a single support call can erode all profit margins and may even exceed the price of the product.

Saturday, May 16, 2009

Posted opinion on Citrix series of announcements

Recent post to TechTarget on the Citrix announcements.

One way for IT to dip their toe in the cloud computing waters is by providing internal users with a corporate hosted application service that IT controls. This gives IT the ability to monitor usage patterns and could reduce operating expenses. The key capability of an application service is to deliver compliant applications and desktops to end users with performance close to what would be experienced if the applications were locally installed.

App service cloud could boost security, manageability

Feds should get private sector advice on cybersecurity

Posted on SearchSecurity.com earlier this month

Feds should get private sector advice on cybersecurity

Monday, May 4, 2009

VMware should push towards becoming the de facto standard

The latest issue of NetworkWorld dings VMware for not supporting Microsoft and Citrix hypervisors with their vSphere release, claiming VMware’s strategy promotes “vendor lock-in”. Well, duh. Who said supporting other hypervisors was a market requirement for VMware?

Enterprises typically buy technology products because they offer the best features match for the desired functionality, offer the best performance for the business, or offer the best economics between purchase price and operating costs. IT has made the decision to make VMware the market leader for virtualized datacenters because of functionality and performance. Other factors, such as vendor relationship, product roadmap, open support for competitors are usually relegated to tie-breakers. IT strives to control the datacenter – I have not talked with too many IT folks that strive for a mish-mash of hypervisors for corporate applications in the virtual datacenter.

In terms of competition, Microsoft will successfully compete on price, and will be penetrating the market via small and mid-tier organizations. They always do, and they always do it well. I have spoken with companies that will switch to Hyper-V as soon as it is enterprise-ready. Citrix competes on performance, especially when it comes to application delivery to the desktop. Yes, Xen has open source roots, but customers buy predominantly because Citrix Xen delivers a local experience to virtual desktop and can save huge operating costs for endpoint management.

I do not often see vendor lock-in as an overriding issue in emerging markets, and I certainly don’t see it here for VMware’s vSphere. VMware's mission is to become the de facto standard for virtualization in the data center, which will drag an eco-system with financial benefits for the installed base. I’m not sure how vendor lock-in is even a major customer concern at this early stage of the market. Am I missing something here?

Thursday, April 30, 2009

Last RSA thoughts ...

The attendance was way down, but RSA has always been a vendor-to-vendor show to encourage open discussions on security. This year seemed to focus on all things cloud, and aligning security with business requirements. With that, here are a few loose ends from last week …

AVG, a nifty endpoint security player, reports that 60% of infected Web sites disappear in less than 24 hours. Cisco is doing a nice job of incorporating Ironport’s reputation heuristics into its security offerings, applying the technology to IPS devices to dramatically boost performance and filter short-lived transient attacks. It looks like this bold move by Cisco could work out for their customers.

I really liked what I heard from Citrix and TrendMicro, and even Microsoft (though it takes them an insane amount of time to ship any security product). Together with Cisco and IBM it is good to see the major infrastructure vendors with product roadmaps recognizing that coordination between host, network, and cloud is the way forward.

I have gone almost full circle on Web application firewalls. I was a huge advocate back in my Yankee Group days, but now I am less sure. WAFs all but died off because IT preferred to fix applications the right way – in the source code – rather than putting a band-aid in front of the app. WAFs are challenged penetrating deeply into the application's chain of Web servers, application servers, and database servers to thwart SQL injection attacks. PCI threw a lifeline to the segment, but IBM will put a hurt on it with its free version. IBM can do that because scanning and fixing the source code is the Rational route.
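To make the "fix it in the source code" point concrete, here is an added example that is not code from the original post or from any vendor named in it. It puts a concatenated query beside its parameterized fix and runs both against a toy signature filter standing in for a front-of-app band-aid. The users table, both payloads and the filter pattern are constructed for the example.

```python
"""SQL injection: fixing the query in source versus filtering in front of it.

Added illustration for the WAF paragraph above; not code from the original
post or from any vendor mentioned. The users table, the two payloads and the
toy request filter are constructed for the example.
"""
import re
import sqlite3


def seed_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username):
    # The band-aid target: user input is spliced into the SQL text, so it can
    # change the query's meaning.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    # The source-code fix: a bound parameter is always data, never SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def naive_filter_blocks(value):
    # Toy stand-in for a signature in front of the app: catches the textbook
    # tautology but not its endless variants.
    return re.search(r"'\s*or\s*'", value, re.IGNORECASE) is not None


PAYLOAD_CLASSIC = "x' OR '1'='1"     # what the toy signature was written for
PAYLOAD_VARIANT = "x' OR 2>1 --"     # same effect, slips past the signature


if __name__ == "__main__":
    conn = seed_db()
    for payload in (PAYLOAD_CLASSIC, PAYLOAD_VARIANT):
        print(payload, "| filter blocks:", naive_filter_blocks(payload))
        print("  concatenated :", lookup_vulnerable(conn, payload))
        print("  parameterized:", lookup_fixed(conn, payload))
```

The concatenated query hands back every row for both payloads, the filter catches only the first, and the parameterized query returns nothing for either because the input never reaches the SQL parser as syntax. That asymmetry is the whole argument for fixing the code rather than guarding it.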

Finally, a thanks to Greylock. I’ve been critical of VC’s not venturing new startups over the last two years. Their reception was the networking highlight of the week. There were quite a few friends I would’ve missed had it not been for Greylock’s generosity!

Thursday, April 23, 2009

My RSA Conference is over

The RSA Conference is over for me. I managed to pack in over 30 formal meetings and a big number of informal conversations. Great week! I'll be winging home at 8:30 tomorrow morning, but before I go here is a link to an article on the Innovation Sandbox.

RSA Conference 2009 shines spotlight on security innovation

More from Re-union of Security Associates conference

This has been a fabulous week at RSA. The weather has been outstanding - my favorite briefings were outside in Yerba Buena gardens surrounded by sun, green grass, and flowering azaleas. Way better than a booth discussion - thanks to Citrix and Safend for getting me outdoors yesterday! I have really enjoyed catching up with people that I only get to see once a year.

A couple of my favorite articles were posted this week on SearchSecurity. Check 'em out:

Gartner gets NAC wrong, again

Mimic the IBM approach to security at RSA

A big surprise at the show is the abstraction of VMware's marketing communications teams. They chose to make a major vSphere announcement on the first day of the show when security press and analysts are at their busiest (hint: Monday was better timing), announce VMsafe on the last day of the show when press and analysts are done for the week (hint: next Monday was better timing), and do not have a presence on the show floor (hint: EMC is your parent; RSA is your sibling - ask to borrow a corner of their booths). I did however manage to chat with a VMware person at the Greylock reception.

Kudos to Greylock for hosting the best event of the conference!

Tuesday, April 21, 2009

Nice move to the C-Suite by Lumension to start off RSA

Lumension started off the week with a bang by announcing the acquisition of SecurityWorks at 10:00 Monday morning. This is a nice move to add compliance and risk management tools to an already strong portfolio of patching, device control and endpoint security products.

One of the major trends I'm already seeing this week is applying GRC capability to map business goals into automated IT directives. This purchase positions Lumension to have deeper conversations with prospects about managing and securing the infrastructure, and also gives the company flexibility in driving revenue through additional product lines. Lumension still has to execute, but this is a promising addition.

I'm looking forward to another sunny 80 degree day here - can't wait to see what today's news will be!

Sunday, April 19, 2009

On my way to RSA

I am writing this as the six foot three guy in the middle seat as Virgin America is bringing me to RSA Conference 2009. For an analyst, this is a week jammed with briefings and networking sessions. It is my best chance to meet people I have enjoyed talking with on the phone, catch up with friends I don’t see often enough, and deepen vendor relationships in the pursuit of business. It is all about talking with people this week for me. I do tour the exhibit hall, but to be honest I’ve been briefed before the conference by most of the savvy vendors and it is challenging to have productive conversations in a trade show booth. And there is never time to actually sit in on a session.

RSA is the ultimate networking conference in the security industry. RSA has always been about the best vendors getting together to improve security and business propositions. Be sure to put on your networking hat if you are at the conference – this is the one time to meet people with common interests that can help you in the future.

If you are working a booth, be prepared for a quiet week. The economy-driven travel restrictions now in vogue mean you should not expect hordes of customers crawling through the exhibit hall. When members of your installed base aren't stopping by to see what's new, be sure to check out startups for new ideas and introduce yourself to people.

It is going to be 80 degrees and sunny in San Francisco. Should be a great week!

Saturday, April 18, 2009

Citrix XenApp may seem complex, but streamlines security management

April 17 posting on SecurityBytes, a SearchSecurity.com blog:

Citrix Systems' XenApp, its flagship application delivery product line, can appear to require a complex chain of moving parts that can be difficult for prospects to understand. However, existing customers that are saving operational expenses by consolidating data centers may also find improvements in the latest version of XenApp to manage user authentication and access control and conduct application auditing as a result of delivering applications from fewer virtual data centers.

Securing Smart Grid: How solution providers can help

April 9 posting on TechTarget's SearchSecurityChannel.com:

The Obama administration is setting aside $54 billion to modernize the national electric grid infrastructure, which represents a number of opportunities for security solution providers. The goal of what's being called the Smart Grid plan is to bring the communications power and flexibility of IP networks to the management of the electricity supplier's network. The modernization effort for Smart Grid would involve extensive modernization of security technology and processes to be successful. Solution providers specializing in security technologies or in the utilities vertical will have to expand their knowledge base to be successful.

Cloud computing group to face challenges ahead

April 15 posting on TechTarget's SearchSecurity:

The new Cloud Security Alliance (CSA) has a number of hurdles to clear if it expects to foster a meaningful discussion about cloud computing and provide useful data for organizations planning cloud implementations. The organization announced its formation earlier this month and plans to release a whitepaper in conjunction with its official launch at the RSA Conference in San Francisco.

Monday, April 6, 2009

Conficker leaves security industry looking clueless

Posted on TechTarget SearchSecurity.com on April 4, 2009:

The Conficker-fed doomsday scenarios fed to us by security vendors and trade press have come and gone without the big disaster. The IT world on April 4 looks a lot like the IT world on March 31. It is almost disappointing, just like a forecast winter storm that misses the mark - nobody wants to see property damaged, but a good storm is captivating and fun to watch. Conficker, also known as Downadup and Kido, was primed to start seeking its payload using a wider range of domains on April 1. The over-hyped storm has thus far turned into a dud, leaving the security industry looking clueless once again.

Press quote for CoreStreet

CoreStreet has very interesting and innovative authentication technology that is finding traction particularly in government organizations. This quote supporting their press release, CoreStreet Announces the CoreStreet FIPS-201 Solution, was an easy one, as the CoreStreet FIPS approach can reduce costs by consolidating authenticated access for both physical and logical systems.

“The CoreStreet FIPS-201 Suite provides government agencies the critical capability to fulfill the promise of converged physical and logical security as envisioned by HSPD-12,” said Eric Ogren, founder and principal analyst of the Ogren Group. “As an effective upgrade to legacy PACS systems, this solution allows government employees and contractors to use their FIPS 201 credential for secure access to federal buildings.”

Special Report for AccelOps

AccelOps is a new company dedicated to bringing IT service management to mid-tier firms. This special report is based on qualitative survey research conducted by the Ogren Group on the needs of IT for a pragmatic All-In-One management tool. Check out the special report here.

Monday, March 30, 2009

Press quote for Code Green Networks

Code Green is one of the up and coming DLP companies. I was impressed with their depth of understanding of the data protection problems that the healthcare industry is facing. The following quote in their March 9, 2009 press release reflects their unique position.

"Given the nationwide push to digitize health care records, health care IT professionals should adopt appropriate tools to identify and secure sensitive data moving over their networks, especially via non-secure channels such as web mail and public health networks," said Eric Ogren, principal analyst at the Ogren Group. "Content inspection solutions like Code Green's are an essential tool for identifying and securing data vulnerabilities."

Microsoft IE 8 security only benefits educated users

Posted on TechTarget's SearchSecurity.com on March 25, 2009:

Microsoft Internet Explorer 8 (IE 8) has a slew of productivity and security features that IT needs to understand. But knowledge of IE 8 security features needs to trickle down to end users quickly in order for organizations to benefit from some of the most meaningful improvements.

Monday, March 23, 2009

Latest Apple iPhone features prompt security concerns

Apple has a knack for producing consumer friendly technology, and they have done it again with iPhone OS 3.0 software, which is available later this summer. But in the process they've exposed the smartphone to new areas for hackers to target. The new iPhone software has many exciting new features for consumers. Features such as landscape editing, viewing of email and text files and access to corporate applications through browsers mean this handheld device will be a significant issue for security teams.

Read the entire article at SearchSecurity.com, posted 19 Mar 2009.

Wednesday, March 18, 2009

See my Ziff-Davis presentation on virtualization security

I was one of three speakers at today's Ziff-Davis virtual tradeshow on virtualization security. The session went well with several lively questions at the end. You can check it out at the Ziff-Davis virtual trade show.

Microsoft Threat Management Gateway has some drawbacks

Posted to Tech Target's SearchSecurity on 17 March 2009:

Microsoft Threat Management Gateway has some drawbacks

Microsoft is now a few weeks into the second beta release of its Threat Management Gateway, the successor product to Internet Security and Acceleration Server. But the software giant's conservative approach to security results in some drawbacks for IT.

Thursday, March 12, 2009

Smartphone security lacking at many businesses

Posting on TechTarget SearchSecurity on 19 Feb 2009 -

Smartphone security lacking at many businesses

Smartphones are ubiquitous in corporate life, supplying email and browser access to data whenever and wherever information junkies need a fix. But so far IT has been slow to address the security issues arising as a result of the smartphone phenomenon.

HIPAA changes force healthcare to improve data flow

Article posted on Information Security/SearchSecurity.com on 2 Mar 2009 -

HIPAA changes force healthcare to improve data flow

The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows.

eWeek recommendation for insider abuse

I was recently asked to contribute commentary to eWeek for prevention of insider abuse. Check out the entire slide show -


Wednesday, March 11, 2009

Heartland breach highlights PCI limitations

Article posted on Information Security/SearchSecurity.com on 5 Feb 2009 -

Heartland breach highlights PCI limitations

Heartland invested in the security products and audit processes necessary to comply with the Payment Card Industry Data Security Standard (PCI DSS) and yet still suffered a serious exposure of consumer credit card data.

Four ways to prioritize security programs in a bad economy

Article posted on Information Security/SearchSecurity.com on 16 Feb 2009 -

Four ways to prioritize security programs in a bad economy

The economic doldrums are causing IT departments worldwide to re-evaluate security projects. This forces many critical decisions on where to reduce security investments while maintaining a healthy security profile. There are four main categories that can be used by IT and security vendors to help prioritize security programs and refine their value to sales prospects. In these lean times, it is important to make these hard decisions.

Virtualization challenges traditional security concepts

Article posted on Information Security/SearchSecurity.com on 17 Feb 2009.

Virtualization challenges traditional security concepts

There’s no doubt you’ve heard from those who question how traditional security controls will work in virtual environments. Despite the uncertainties inherent in any new technology, there are a number of ways virtual systems actually improve security and make it more difficult for an attacker to steal sensitive information.