Adam Hils

A member of the Gartner Blog Network


Cloudy With a Chance of Hybrid (You Got Services In My Firewall)

October 28th, 2009 by Adam Hils · No Comments

Remember those old peanut butter cup commercials from the 1970’s? In security-land, vendors are beginning to combine their chocolate and peanut butter into combined product/SaaS offerings. A spate of acquisitions, including Barracuda’s recent Purewire purchase and Cisco’s ScanSafe takeout, announced yesterday, signal that SaaS offerings are becoming a mainstream SMB delivery mode for certain security controls, and that traditional product vendors understand the need to jumpstart their security-as-a-service portfolios and (hopefully for them) combine two great tastes that taste great together.

I’ve published a Q&A note (for Gartner customers) about what this means for multifunction firewalls and the SMB customers who love them. In it we answer the following questions:

  • When does it make sense to consider a hybrid security-as-a-service and premises-based solution?
  • When building an RFP for an SMB mixed-mode multifunction firewall (UTM), what factors must be considered?

We expect single-vendor multi-mode solutions to come online relatively soon, and offer the following Strategic Planning Assumption:

  • By year-end 2012, 20% of new SMB multifunction firewall deployments will include email or Web security-as-a-service.

Vendors are mixing their peanut butter and chocolate because customers anticipate yumminess. Vendors must build in easy-to-manage, seamless goodness, and customers must insist that the finished product mixes well at a low cost and satisfies their appetites without making their IT environments indigestible, security budgets bloated, protection postures slouchy, and users nauseous. Otherwise, rueful network security pros will recall this advertisement.


Barracuda Networks Acquires Security-As-a-Service Startup Purewire

October 15th, 2009 by Adam Hils · 1 Comment

Gartner’s First Take, which I co-wrote with Peter Firstbrook, just published here.

This is clearly a play by Barracuda to jump further into SaaS, as it must. SaaS offerings are increasingly critical in the SMB space. Although SaaS for secure web gateway (SWG), Purewire’s offering, comprises just 4% of the market today, that percentage is growing rapidly. And sub-1,000-seat customers make up 75% of the existing SWG SaaS market.

Just as important to Barracuda’s leading line of business, email security, SaaS offerings constitute well over 30% of the total market, so jumpstarting their SaaS capabilities with a strong platform makes a lot of sense. 

I expect that Barracuda will encounter some challenges as it tries to ratchet up its larger enterprise sales, but you can read about those in the research note.

Personally, I am happy for Purewire, whose execs are Atlanta security veterans (and good folks), most of whom hail back at least to CipherTrust’s halcyon days, and they have innovation in their bloodstream.  I look forward to watching them innovate under a new logo.


Enterprise UTM: When Bigfoot Videographers Attack!

October 5th, 2009 by Adam Hils · 3 Comments

My colleague Greg Young recently heard from some Bigfoot videographers after his post “Unicorns, Pixies, and Enterprise UTM”, wherein he correctly stated that, “At Gartner, we haven’t seen enterprises shifting to using UTMs or SMB multifunction firewalls, nor do we forecast that this will happen any time soon.” Remember, Gartner hears from many thousands of customer organizations of all sizes, and rarely do we hear about core UTM deployments among large customers. When we do get inquiries about this, they are almost uniformly about firewall/IPS-only deployments in boxes with “UTM” on the bezels. 

I won’t rehash all the arguments Greg’s critics have put out there. Sure, they probably do know of a few enterprises with full-on UTM deployments, especially if they have (or have had) some connection with an “enterprise UTM” vendor. For the sake of argument, let’s call these “Bigfoot sightings”. People see large hairy creatures, find physical evidence, perhaps even interview corroborating witnesses; at the end of the day, however, actual enterprise (not branch) core UTM deployments are rare enough that a real sighting is worth noting for its extreme oddness. Don’t just take my word for it; ask the companies themselves, as we have in our IT Key Metrics studies, wherein

  • Approximately 15% of respondent companies have gross revenues greater than $40 billion.
  • Slightly more than 33% of respondent companies have gross revenues between $10 billion and $40 billion 
  • The remaining 52% of companies/organizations have gross revenues of less than $10 billion.

See the following chart – not just UTM, but any integrated security appliance ranks last on the list of respondents’ 2009 priorities, unchanged from the previous year’s results. I’ve obscured the list of technologies to avoid “giving away the farm” in a blog post, but suffice it to say that “Integrated Security Appliance” ranks well behind “Intrusion Detection/Prevention” and “Firewalls”, and trails “Spam Filtering” and “Web Site Filtering/Blocking” as well.

[Chart: IT Key Metrics Security Priorities, 2009]

 What’s most interesting about these results is not that “Integrated Security Appliance” is last in a best-of-breed enterprise security buying world, but that it has not improved its standing year over year.



US Federal Cybersecurity: At Least It’s Not a Punchline

September 28th, 2009 by Adam Hils · No Comments

The United States government is having a difficult time hiring a “cybersecurity czar”, leading to much consternation in security circles; on the other hand, it also has managed to refrain from launching a super-secret “naughty boy” hacker network.


NIST Security Advice to Small Businesses: Of Little Use

September 23rd, 2009 by Adam Hils · 2 Comments

I recently ran across the NIST (National Institute of Standards & Technology) guide, “Small Business Information Security: The Fundamentals,” a draft created by NIST computer scientist Richard Kissell.

In it, NIST attempts to instruct what it terms “small business” on security best practices. I was happy to see this effort, as small businesses often have real difficulty with creating sound information security foundations. Upon reading the document, I find areas where it could improve significantly.

The first problem with NIST’s approach is that it provides guidance for “a business or organization with up to 500 employees”. Generally speaking, there is a big difference in security needs and sophistication between organizations with, say, 50 employees and those with 450. This guide seems built for businesses with fewer than 100 employees that lack even basic security knowledge.

The piece veers between too generic to help – “When hiring new employees, conduct a comprehensive background check before making a job offer” – and overly granular, as when the author, in excruciating detail, describes how to do a monthly manual data backup.

NIST would be more helpful to small businesses if it started with some of the exercises in the appendices in order to force small businesses to think about security systematically, using criticality of data as a guiding principle. The appendices provide formats for thinking about business data and how to protect it. These are valuable as jumping off points for doing the hard work of prioritizing and building a security strategy.

Instead, the guide jumps rather quickly into “must-do’s” and “should-do’s”, which make little sense in a strategy-less vacuum.

Given the nature of this guide, let’s examine NIST’s 10 “absolutely necessary” protections:

  • Protect information, systems and networks from damage by viruses, spyware and other malicious code.

This means “get antivirus and keep it updated”, which is a fine way to address known threats, but known threat signatures are the least of small businesses’ security problems right now. NIST would do better to advise small companies to adopt endpoint protection platforms, which put several host-based protections in the same software package.

  • Provide security for Internet connections.

Yes. Network firewalls are indeed necessary. Small businesses should be advised not to over-buy here, but to find one that fits their Internet gateway needs, and to note that multifunction firewalls (aka UTMs) can add email and Web security, issues the NIST guide for some reason gives short shrift.

  • Install and activate software firewalls on all business systems.

Yes. However, this is often taken care of by buying the endpoint antivirus stipulated in the first bullet. Buying a separate personal firewall (or implementing the Windows XP version) should be redundant with a modern endpoint protection platform in place.

  • Patch operating systems and applications.

Of course. But setting apps and systems to patch automatically, under all circumstances, can bring systems down, sometimes making the solution worse than the original security vulnerability. Patches should be tested on a few representative machines before they are rolled out to the rest.

  • Make backup copies of important business data/information.

This advice is fine, as far as it goes. The author should also mention the cloud backup services now available for low cost to small businesses.

  • Control physical access to computers and network components.

This is obvious stuff. Advice like “spotcheck for unlocked employee workstations” would be a useful hint.

  • Secure wireless access points and networks.

Yep.

  • Train employees in basic security principles.

This stuff about training is putting the cart before the horse for many small companies. Before they can train employees about security policies, small companies must have them, and they must be well-considered. Many do not. The kinds of formal security training described in this guide will divert human and capital resources from basic security projects that could protect the business.

  • Require an individual user account for each employee on business computers and business applications.

Strong password and password aging tips provided here are okay, but no consideration is given to employees with multiple passwords who write them down on Post-Its and stick them to their terminals. Seriously. Changing strong passwords frequently has potentially negative security ramifications.

  • Limit employee access to data and information, and limit authority to install software.

Here’s a place where the author could give real prescriptive advice about using Microsoft Active Directory (for example) to build groups with specific access rights to certain apps or parts of the network.
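As an added example (not from the NIST guide or from this post), here is the kind of prescriptive step the guide could have shown: a PowerShell script that creates an Active Directory security group, grants that group read-only rights on a departmental share, and removes a user from the local Administrators group so that he or she cannot install software. The domain name EXAMPLE, the OU path, the share path D:\Finance and the user names are assumptions for illustration only; the script needs the ActiveDirectory module (RSAT) on a domain-joined admin workstation and, for the local-group step, the LocalAccounts module that ships with Windows 10 and Windows Server 2016 and later.

```powershell
# Added example: least-privilege setup for a small business with Active Directory.
# Domain EXAMPLE, OU path, share path and user names are illustrative assumptions.
Import-Module ActiveDirectory

$domain    = 'EXAMPLE'
$groupName = 'Finance-ReadOnly'
$groupOU   = 'OU=Groups,DC=example,DC=local'
$sharePath = 'D:\Finance'
$members   = @('jsmith', 'alee')   # assumed sAMAccountNames of finance staff

# 1. Grant rights to a group that describes the data, not to individual people.
#    Hiring and departures then become membership changes, not ACL edits.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path $groupOU -Description 'Read-only access to the Finance share'
}
Add-ADGroupMember -Identity $groupName -Members $members

# 2. Replace inherited permissions on the folder with an explicit, minimal ACL:
#    the group gets ReadAndExecute only; SYSTEM and local Administrators keep control.
$acl = Get-Acl -Path $sharePath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; drop inherited rules
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$rules = @(
    [System.Security.AccessControl.FileSystemAccessRule]::new("$domain\$groupName", 'ReadAndExecute', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow'),
    [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $sharePath -AclObject $acl

# 3. Limit authority to install software: on the employee's workstation, take the
#    domain user out of the local Administrators group. Run this on the endpoint
#    (directly or via Invoke-Command); a standard user cannot install most software.
$user = "$domain\jsmith"
if (Get-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $user
}

# 4. Verify the result: who can read Finance, and who is still a local admin?
Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName
(Get-Acl -Path $sharePath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
```

The verification step matters as much as the grant: after disabling inheritance, the only entries on the share should be the three listed above, and the local Administrators group on a workstation should contain no ordinary employee accounts. Repeating the group-and-ACL pattern for each class of sensitive data (HR, customer records, finance) gives a small business the prioritized, data-criticality-driven access model the guide’s appendices hint at.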


Security Vendors (and “Leading Edge” Customers) Abhor a Vacuum

September 18th, 2009 by Adam Hils · 2 Comments

A long time ago, Aristotle posited his horror vacui theory: Nature abhors a vacuum, therefore empty spaces suck in gases or liquids. This principle was later reinforced but modified by The Second Law of Thermodynamics, wherein it was found that matter moves to the vacuum as it seeks the area of greatest entropy.

When a new strategy, process, or application catches fire within IT departments, a security vacuum (and potential entropy) is created. Security vendors scramble to try and fill this vacuum with new or repackaged security solutions. Virtualization and Microsoft SharePoint are examples of new strategies or applications that have unleashed potential security entropy, creating voids that vendors have created “matter” to fill. As in physics, this is a natural process that repeats again and again.

Individual vendors and end users run into trouble when they misjudge the size and potential negative consequences of the vacuum. Surviving worm mitigation vendors, which had sprung up in 2004 to address one vacuum that quickly got overfilled with vendor “matter”, moved to their next void, NAC. With the NAC vacuum increasingly addressed by network and endpoint platform vendors, many of the NAC void-fillers are going out of business or desperately thrashing out a new business plan to address the next vacuum.

Leading edge customers, on the other hand, are very good at watching security vacuums form in their IT infrastructures as employees hook their iPhones to the corporate networks or data centers are virtualized without security’s input. In such cases, some hyper-Type A customers shoot first and aim later, buying immature technologies that don’t work as advertised or address a problem that will either not materialize or will take a different form.

The early days of network IPS provide an example of solutions – if deployed in full blocking mode with too many signatures enabled without copious testing - that often created challenges with false positives and/or network performance slowdown much greater than the security problems they solved. In this case, however, the void was large and risky enough that vendor signature sets got better and end users got smarter, and the market is large and robust today.

Security end user pros, of course, should always seek new potential areas of void and try to minimize entropy, but they must do so deliberately and systematically. Security vendors must realistically assess (and reassess) areas of emerging customer need by asking the following questions:

1) Is the potential security entropy real? Will it cost the customer money, endanger their data, or otherwise threaten their business?

2) How long will it take before the majority of customers realize the problems caused by the security vacuum?

3) How big will the vacuum be, and are other vendors better positioned to fill it?


Happy Labor Day, Information Security Professionals

September 4th, 2009 by Adam Hils · 1 Comment

This week, as we head into Labor Day weekend, I’ve had occasion to reflect on The State of the InfoSec Worker. And it could be worse.

An acquaintance of mine has been laid off after working for a F50 company for 15 years in various roles, including network engineer, Java developer, and software tester, to name just a few. His employer, which offered a fairly generous severance, is willing to reimburse for job retraining and industry certifications. Over the years he’s developed an interest in security, and his question for me was, given the recession and the overall difficult employment picture, is security worth going into?

I had to think about it for a while. Believe me, in these last several months I’ve seen information security friends, acquaintances and clients laid off as their employers attempt to make their books balance. Being unemployed, especially in this environment, makes things personally bleak, and the landscape is dotted with very smart security people who are currently between gigs. On the supply side, some vendors (see John Pescatore’s NAC post) are feeling the pinch of security people rationalizing their project portfolios, um, rationally.

Then it occurred to me: The state of information security employment, though not robust, is relatively healthy. Consider this:

  • Security as a percentage of IT budgets has risen this year
  • Security spending next year is expected to rise a bit, outdoing other technology areas
  • Gartner’s numbers for 2010 indicate that personnel will continue to account for about 20% of info sec budgets.
  • Security spending on “blocking and tackling” security functions continues, as various inputs, including Gartner customer inquiries, indicate; top customer spending priorities include intrusion prevention, vulnerability assessment, identity management, endpoint protection, and security information and event management (SIEM)

So, given my acquaintance’s particular situation (broad/deep IT experience, time to train/interview, strong skill acquisition capabilities), I advised him that security would be a good field to enter.

Removing my rose-colored glasses for a moment, I know things are tough out there. I also spoke this week to a Director-level IT manager at a mid-sized financial services company whose security staff comprised one full time employee and one full time contractor. Those two, who were responsible for all security functions in a 1,000-person, heavily-regulated company, accounted for less than 3% of the IT workforce, an incredibly low number for the industry. This Director needed assistance finding benchmarks and other metrics to justify hiring the contractor as a company employee for less money than the organization was paying the contracting firm.  When I showed her how much she had underspent other similar firms, she exclaimed “Wow! Yay me!” and went away armed, ready not only to hire the contractor but to make the case for a third resource.

Information security pros are doing more with less, keeping their organizations safe against long odds. On this Labor Day weekend, I hope you get a chance to cut communication with work for a bit, celebrate the job you’re doing under heavy constraints (“Yay you!”), and take some comfort in the expectation that things may soon improve.


Occam’s Razor and Security: Not a Simple Relationship

August 27th, 2009 by Adam Hils · 4 Comments

“Everything should be made as simple as possible, but not simpler.”

- Albert Einstein

Here’s a bit of a rant:

Security folks love to construct elaborate conspiracies to explain how their sensitive data gets exposed. I have had some conversations recently with security professionals who are convinced beyond a shadow of a doubt that their organizations are being victimized by targeted attacks employing cutting-edge, custom-developed techniques probably designed by disgruntled unemployed computer science PhDs from <name your country-of-choice here>. (These beliefs are most pervasive in the weeks following Black Hat.) Here’s some advice: Rather than assuming that a highly-skilled clandestine Eastern European cybercrime ring has perpetrated the most skillful data-grabbing hack ever, check to see if an employee has unwittingly sent an email containing sensitive data to the wrong BCC list.

To some extent, information security professionals must start in any investigation of a security breach with Occam’s Razor (The principle that, all other things being equal, the simplest explanation is the best) in hand. Occam’s Razor is a heuristic that helps security people stick to the facts and not make baseless assumptions.

Humans introduce risk, and your organization is composed of humans. As the facts get clearer, it may well become evident that your organization has been victimized by a gang of Dr. Evils; until evidence crystallizes, however, it’s best not to violate Hanlon’s Razor (“Never attribute to malice that which can be adequately explained by stupidity”).

No security pro can afford to become “The boy who cries wolf.” Using Occam’s Razor as a rule-of-thumb will help avoid that.


Gasp (Okay, Maybe Gasp Mildly)! Projected Security Budgets for 2010 Are Encouraging

August 20th, 2009 by Adam Hils · 2 Comments

Just published a note today (for Gartner subscribers) that describes moderate-but-encouraging projected security software and services growth in 2010 enterprise security budgets (from Gartner’s recently administered “Base Budget” survey). The research note includes a Strategic Planning Assumption for those building 2010 IT security budgets.

Add this data to those gathered and described in my previous research and blog on the subject, and it appears that the security industry (and security budgets) have, so far, avoided disaster.

Here are the main bullets from my previous blog describing “5 Indicators that Security Spending Is Holding Up”, all of which are still in evidence:

  1. 2009 spending plans indicated a slight rise in security spending, as Gartner customers can see here.
  2. Security spending on “blocking and tackling” security functions continues, as various inputs, including customer inquiries, indicate; top customer spending priorities include intrusion prevention, vulnerability assessment, identity management, endpoint protection, and security information and event management (SIEM). More exotic, cutting-edge security projects are often being placed on hold.
  3. Gartner’s security analysts are seeing a fairly significant year-over-year increase in end user customer inquiries, and they’re mostly not about which security projects to cut.
  4. Where there is softness in security spending, some may be attributed to the growth in customers adopting security-as-a-service where it makes sense (e.g., email security) to smooth out capital expenses in a rough economic environment. In this case, security spending is less now, but will accrue over the life of the service contract.
  5. Publicly-traded information security companies are, overall, reporting better-than-expected earnings.

To this list we’ll add…

  6. 2010 IT security budgets project moderate but meaningful spending increases in security software and services (growing faster than other infrastructure software and IT services areas).

Am I being a Pollyanna? Are there prophets of gloom out there who disagree?


Fear of a Micro-Blogging Planet

August 18th, 2009 by Adam Hils · 2 Comments

Gartner has written extensively about security problems in public consumer-grade micro-blogging platforms, as John Pescatore does very wittily here and Greg Young does here.

As a person who thinks, writes, and speaks about information security for a living, I know that these platforms are scarily rife with potential security holes, and must be integrated carefully into an organization’s business processes, balancing security risk and business reward.

But security and privacy are not my chief concerns about micro-blogging. My main concern is that communication mode impacts quality of communication.  

Think of all the great writers, scientists, and thinkers who left behind volumes of letters, written on paper, that were every bit as illuminating as their “official” work. When is the last time you wrote or received a long, thoughtful letter? Forget for a moment the security holes left wide open in consumer-grade micro-blogging platforms: Consider instead, as 140-character-limited communiques grab more of our communication time, how we are intellectually and culturally affected by micro-blogging immersion: Complete sentences are luxuries, and paragraphs are delightful artifacts of a bygone era. Our attention flits from one medium to another as we gather disjointed, clattering shards of data that become almost impossible to assimilate, connect, and communicate.

Micro-blogging is here, giving us yet another tool in our communications arsenal. Heck, I myself tweet (“I tweet myself” seems an unfit thought for a workplace blog). Using micro-blogging securely is a challenge that we will begin to solve as platforms mature and enterprises demand enterprise-grade security. Using micro-blogging as a primary communication vehicle while maintaining the ability to communicate in richer, subtler, more complex ways will present perhaps a greater, more vexing challenge.
