Thursday, June 18, 2009

If you were Check Point, who would you buy?

I gave this feedback to a senior editor at MergerMarket. Since they provide a subscription service I thought it would be interesting to also dream about Check Point M&A here.

Check Point is an interesting company with a healthy revenue stream, big bank account, and dominant market position. They haven't shown a great desire to grow by aquisition in the past, and the vision of the Zone Labs and Nokia deals doesn't particularly wow me. Still, they can print money so they're clearly doing a lot of things right!

Check Point Software Technologies is a software company specializing in network inspection and processing. I would think the first wave of merger activity would be to diversify from security into adjacent areas of networking. If you think about it, a firewall's job is to let traffic into the network so I tend to think Check Point can better use its checkbook to improve connectivity for its customers.Here are three areas I would recommend for Check Point corporate development:

WAN optimization. Performance over the Internet is critical to capturing new customers and improving business processes. Riverbed would be the number one target. RVBD would allow Check Point to combine security features with web access, accelerated storage, and more. Check Point is good at terminating WAN connections so this is a natural fit.

Virtual Desktop and Virtual Machine delivery. Virtualization will continue penetration in the datacenter and we will see more enterprises solving labor intensive endpoint complexity and security problems with virtualization. Picture a remote user connecting by VPN through a firewall to a network server to run or download a virtual application. Most of the companies in this space are small, with software implementations that Parallels and perhaps the smaller MokaFive and Ring Cube. It would be bold and cool if they could scarf up Citrix but I'm not sure that Checlk Point's pockets are that deep.

Network Management. An under-appreciated strength of Check Point is its management capability. The company gets great stickiness and loyalty from its base that shies away from command line interpretters and script-writing. The trick is to combine mergers in this area with WAN optimization of virtualization. I would look towards companies like Reflex Systems, DynamicOps, or FastScale to allow organizations to quickly take advatage of a compelling Check Point infrastructure. Those are tiny companies - I'm sure there are public ones that also fill this bill it is just too late for me to think of them ;)

I'm not big on Check Point acquiring hardware capability (e.g. Crossbeam) because Check Point is a software company and it is difficult for hardware product lines to thrive in a company with a software DNA - just look at McAfee's history with hardware. I also don't think it makes much sense to commoditize adjacent security vendors (been there with Sourcefire, and what does it really add for customers that can't be done through parternships?). Though maybe they'll score Imperva to get Shlomo Kramer back in the fold or put Code Green on one of their software blades.

Virtual appliances boost flexibility, improve security

The latest TechTarget post highlights the innovative use and device sharing possibilities afforded by virtual appliances.

"Security products purchased as virtual appliances give IT greater flexibility in deployment than traditional security hardware devices. The concept of treating network security as a software application has proven to be successful. Organizations can save money by re-purposing expensed servers as security devices, achieve a performance boost by placing network-oriented security on a faster processor and consolidate security functions on fewer servers to save on administration while making the security function a bit greener." ...

Monday, June 15, 2009

Security pros find corporate firewall rules tough to navigate

Posting on June 15th to SearchSecurity:

"Corporate firewalls usually contain a security-Pandora's box of rules, representing prioritized sequences of allow or deny decisions that only the most brave security operator dares to modify. Removing or re-sequencing firewall rules runs the risk of blocking approved business communications or of opening a hole exposing the business to unauthorized traffic. It is near impossible for a human to manually audit firewall rules across the enterprise to reduce risk, optimize firewall device performance, and streamline data paths through routers, switches and firewalls. Security teams are turning to firewall management tools to perform security audits of the infrastructure and automate operational control of the firewalls. ..."

Cloud security begins with infrastructure assessment

Posted June 10th on TechTarget's SearchSecurity:

"Security professionals are facing the difficult challenge of extending security requirements to take advantage of cloud computing and software-as-a-service applications. Particularly difficult is finding ways to secure the new boundaries between the enterprise, the cloud service and the end user while managing dependencies on off-premise infrastructure and privileged operators. And they have to do all this without inhibiting flexibility and agility. ..."

Sunday, June 7, 2009

Early Vibe: Triumfant

Triumfant is an up and coming endpoint security product vendor headquartered in the Washington, DC area. The company takes a holistic approach to endpoint security, detecting changes to the environment, auditing activity, and restoring the endpoint to a compliant state after an attack. This is a sharp contrast to traditional anti-virus approaches that can never catch all the exploits and behavioral approaches that fail to unwind from a detected attack. I believe the security experiences of Triumfant’s leadership team, and the uniqueness of its technology, give the company a promising future if it can navigate the pitfalls associated with growing an “A” round company.

The secret sauce for Triumfant is the capability to define and manage the drift of adaptive baseline configurations of endpoints under protection. This allows the technology to detect unauthorized changes, such as those caused by malicious code, and to reset the endpoint to the latest baseline. Agent software scans the local environment for changes, and also uses signature and behavioral techniques to increase the chance of detecting an attack. The centralized server allows IT to manage baseline definitions, to automatically allow for configuration drifts by auditing endpoints under Triumfant protection, and to reset a non-compliant endpoint to the latest pristine image without the need for an IT refresh. The approach is refreshing as most endpoint security vendors completely ignore the need to reset an endpoint without IT intervention.

Triumfant will face challenges as it grows, and must carefully choose product features that keep it ahead of the slower moving vendors. The two greatest impacts may come from anti-virus vendors and virtual desktop vendors. IT cannot conceive of an endpoint security world without AV, no matter how many times AV is proven to be effective. Triumfant should bundle an optional AV in its solution to be able to displace installed competitors with a more comprehensive endpoint security solution. Virtual desktops offer the ability to reset the desktop to pristine compliant images when an infection is detected. Triumfant can fill the gap for virtual desktop vendors by enabling desktop resets of virtual images.

Customers need to demand more from all endpoint security vendors and not just accept a status quo that does not work often enough. Triumfant is rising to this challenge with an innovative approach to protect servers and desktops from attacks, and to give IT relief from attack recovery procedures. It is an interesting play that lends itself well to servers and will inevitably become popular on desktops too.

Thursday, June 4, 2009

IT pros can detect, prevent website vulnerabilities, thwart attacks

Posted on SearchSecurity June 3rd.

"IT is left to its own ingenuity to weave diverse products into a Web security protection scheme. Security practitioners will have to categorize externally facing websites and then make security investment decisions among technologies such as scanners, penetration testers, Web application firewalls, source code scanning and security development lifecycle (SDL) investment. There is no one best practice when protecting websites, which is a worrisome state for businesses and helps explain why security vendors report that most attacks penetrate browsers through infected webpages."

Tuesday, June 2, 2009

WH cybersecurity plan needs private sector guidance

Posted this week on

President Obama's announcement last week of the creation of a White House senior cybersecurity coordinator has put a dramatic shift in emphasis on critical infrastructure protection that is long overdue -- the country runs on networked applications and other countries have targeted critical elements of the U.S. infrastructure. There were ideas expressed in the Cyberspace Policy Review that are worth calling out ...