Posted on

Production complete of Security Yearbook 2020

You could argue that IT-Harvest has been in the book publishing business since 2012 when it published UP and to the RIGHT: Strategy and Tactics of Analyst Influence. But that, and our other books, were published via CreateSpace (now transitioned to Kindle Direct Publishing). It’s a different matter entirely to contract with a printer to produce books in volume. But the cost is dramatically lower: about one third the cost of Print on Demand.

For Security Yearbook 2020 we had visibility into potential sales. Secure Cloud Transformation has already sold 30,000+ copies. So, why not cut out the Print on Demand middleman and sell direct?

The process is similar: write a good book, format the interior, create a great cover, and submit files. But this time the files went to a printer, Sheridan Books, in Chelsea, Michigan. You may be surprised to learn that the Ann Arbor, Michigan, area is the epicenter of book printers in North America.

But, instead of a digital press, the files are converted to sets of pages that are etched onto aluminum plates on a giant laser printer, pictured below. The flexible plates are wrapped around cylinders that print the pages at high speed. This is called offset printing. The paper is sliced and cut and assembled into signatures that are sewn down the middle. Those are collated and bound together and then the hard covers are added.


Finally, the books were packed in boxes and shipped to Fulex, the fulfillment warehouse in Warren, Michigan.


Now for the next steps. Create an online shop to sell the books directly. That is hosted here at it-harvest.com.

Security Yearbook 2020 is already available for pre-order on Amazon.


If you are coming to the RSA Conference in San Francisco at the end of the month you can find copies all over. Check out Where to Find Stiennon at RSAC 2020.


5G Is Going to Disrupt the Traditional Network Security Appliance Industry

Gen. Buford

Always look at infrastructure changes to make easy predictions about the future. You could get very rich.

A decade ago I attended meetings around the world where the topic was “how can we, as a country, join the Internet revolution?” Brazil and Colombia stick in my mind. Don’t even get me started on Australia and their wasteful endeavor to create a National Broadband Network (NBN). I never had the floor but I wanted to stand up and shout “deregulation!” That is what sparked the internet revolution in the United States. In 1993, here in Michigan, it cost 8 cents a minute for telephone calls that went outside your immediate area code. You could be a mile away from your ISP’s nearest POP (Point Of Presence) and see outrageous phone bills that ratcheted up quickly at $4.80 an hour. At RustNet we sold internet access for $19.50/month. If we wanted to get customers in a different area code we had to put stacks of dial-up modems in an office in that area code. Then we backhauled the traffic to our main office and sent the packets out to the internet through our upstream provider in Chicago. (Anyone remember Net99?)

The big break up of AT&T had occurred in 1982 and the regional telephone companies (Baby Bells) started to compete for business after the 1996 telecom deregulation. Per minute charges went away just in time to fuel the rapid growth of internet subscribers. By that time the telcos offered their own backhaul so you did not need to maintain huge stacks of modems in every POP. You just paid for a T1 to the telephone company’s Central Office (CO) and they delivered the calls to you.

In 1995 I published a business plan for How to Start an ISP. It gave me great visibility into the wave of deregulation that was sweeping the world. As each country figured out that per minute charges were holding them back they would deregulate, encourage competition, and I would see sales of the plan going to that country. South Africa and Mozambique used my plan as a starting point. The internet took off. By 2005 you could tell which countries still had per minute charges. They had Internet Cafes because people could not afford to dial-in.

Of course 4G spelled the end to all that. Now you can get internet on your phone and, if you can tether your phone to your computer, you use that for internet access. I can get 95 Mbps over Verizon 4G.

Well 5G is going to explode many things. And it is coming fast. Ericsson predicts there will be one billion 5G subscribers in six short years.

What is different about 5G? It is very, very, fast. Huawei has tested 5G connections at 70 gigabits per second. Gigabits. At that speed even immersive experiences like SecondLife will work. No wonder people are excited.

But what could this do for security?

5G introduces new networking paradigms. It is going to have dramatic effects on the Internet of Things (IoT) as very small, low power radios will be able to connect. That will pose an opportunity for data theft and continue the weekly news cycle of privacy violations that we have come to know and love.

But think about what these speeds will do to your typical enterprise (and SMB) networks. Why would anyone use the pokey internet connection at work when they get 5G at home and on their smart devices? Businesses have already moved the critical tools they need to the cloud (email to Office365, document sharing to Microsoft hosted Sharepoint or Google Docs, or DropBox, HR systems, Salesforce, etc.). They don’t need your network at all. And if you force them in through a VPN they are going to be tunneling through your pokey network to get access to those mission critical services.

One company, Zscaler, saw this coming and started addressing the issue of protecting mobile connections a decade ago. 5G opens up some new business models that will compete directly with Zscaler’s offering of hosted network policy enforcement and traffic scrubbing.

Ever see the scene in Gettysburg where General Buford rants about how clearly he can see what will happen in the morning?

The hardwired connection is dead for office use. Sure, every firewall vendor will add 5G radios to their UTM devices for remote offices and HQ, just as they have added 4G. But going through a gateway means dealing with the slow wifi in the office. It will be faster for users to jump on the 5G network themselves. So they will.

Goodbye cable triple play. We won’t need twisted pair, CAT5, or fiber to the home anymore. All home devices, including your TV, will connect directly to the internet via 5G.

New, very fast growing, businesses will start up to address these problems.

Here is what happens next.

Stage 1. A startup that is probably already out there will introduce a policy overlay to the carrier networks. An enterprise will just enroll all employee devices and manage what they can do over the network. It will be like a virtual UTM. They will encrypt traffic, filter content, and apply firewall rules. Managed Service Providers will do that policy work for SMBs.

Stage 2. The carriers will recognize that they have created a monster as every enterprise starts cancelling their leased line subscription. Seeing the opportunity, they will start to develop their own service offerings for security.

Stage 3. One carrier, late to the game, will acquire the fastest growing 5G security management platform from Stage 1.

Stage 4. All the other carriers will cut off that 5G management platform for their own networks and make their own acquisitions.

Stage 5. All carriers will bundle security into their offerings. Network security will finally be part of the internet.

This whole time frame will play out by 2030.

Thank you, technology.

This article was updated slightly from the original post on Forbes.com from December 6, 2017.


When UP is Better Than RIGHT

Cover image: UP and to the RIGHT

The following excerpt is from UP and to the RIGHT: Strategy and Tactics of Analyst Influence, 2nd Edition. (That’s right, look for a 2nd edition to UP and to the RIGHT, coming late 2018.)

There is a cadence to every journey UP and to the RIGHT in the Magic Quadrant. And that cadence is different for every vendor and the journey can take many diverse paths.
The team responsible for charting the course UP and to the RIGHT is under tremendous pressure to achieve results. No board or senior executive will be happy until the only dot in the Leaders Quadrant belongs to them, or at the very least, their dot is the highest and farthest to the RIGHT.
Before discussing the value of UP versus RIGHT it is important to reiterate the difference in perception of MQs between the participating vendors and the ultimate buyers on which the MQ exerts so much influence.
Vendors tend to completely stress out over relative positioning and changes from one year to the next. Buyers look at MQs only in terms of the most current version and spend very little time parsing the nuances of which vendor is positioned in what way compared to the others.
Buyers are not stupid. They look to the MQ to validate and support their choices for short listing. They may talk to every Leader and short list a few of them for trial or proof of concept. In specific regional or vertical niches they will also talk to Niche vendors. If they are a big IBM (or Oracle, or SAS, or CA, or HPE) shop they will choose a Challenger.
To a buyer a vendor’s position in the current MQ is immediate validation. Typically they are completely unaware of the history of the path a vendor has taken to get where they are. They look at the position, they read the description and the Cautions, and make their decision on which to talk to.
Meanwhile vendors spend inordinate amounts of time and effort sweating about the deltas from year to year. While I have articulated a strategy of planning that movement, because without a plan you have no MQ strategy, it is still important to recast that strategy every year as the die is cast and the dots are placed.

DISRUPTION

In every technology industry there is a cycle of disruption. The innovators disrupt the established order with a technology that gets the job done better. Their journey involves displacing the established order. By engaging and influencing Gartner they can accelerate disruption if they can convince the analysts that they are (1) visionary and (2) able to demonstrate momentum.
But the current day Gartner analyst is often as conservative as their own client base. Gartner has often admitted that their own client base consists primarily of late adopters. They don’t want to change. They want to make safe decisions. They are not risk takers. If an analyst is actually visionary, if he or she has that Aha! moment: this is the way the entire industry has to go, they risk everything by declaring so. This leads them to couch everything in terms of gradual changes and hope that the disruptive technologies being introduced will conform to the old way of doing things with minor enhancements.
In this way Gartner has often gotten it wrong. From networking to desktop operating systems they have missed predicting the waves of the future.
Every vendor that sets out to disrupt an industry hungers for a visionary analyst that will “get it” and help change the world by jumping on board early. That rarely, if ever, happens. The analysts have to be led the whole way. This is the reality of dealing with industry analysts, a reality that must be incorporated in an analyst relations strategy.

VISION Versus Ability to Execute

Now we turn to a specific path that a disruptive vendor takes to market leadership. Early success for a disruptive technology, especially if it generates sufficient industry buzz, gets recognized by the Gartner analyst. The most important driver for this recognition is inquiries from the Gartner client base. Early adopters (there are a few) report success with the new technology: cost savings, effective deployments, better performance, even displacing the incumbents altogether.
When the exhaustive MQ questionnaire is submitted it turns out the innovator qualifies for inclusion! It may make its first appearance as a Niche vendor to watch or even as a Visionary. That inclusion should be leveraged as much as possible. The sales and marketing team can use inclusion in the MQ to open doors and at least start conversations. If the written commentary is positive too, the MQ can open doors to trials and eventually sales.
The real opportunity for any disruptive vendor is when its dot on the MQ starts to move upwards. This indicates that subsequent results as reported through the NDA protected questionnaire demonstrate growth in revenue, customer acquisition, partnerships, and channel participants.
Never forget that the “vision” axis of the MQ represents the Gartner analyst’s vision, not the vendor’s vision. In other words a disruptive vendor, one that is actually changing the makeup of an industry will not always be properly identified as the most visionary. That slot is held for the vendor whose products most closely match where the industry analyst sees the industry going. And analysts get it wrong. A lot.
But ability to execute, the vertical MQ axis, is somewhat more objective. It includes real reported revenue. (Keeping in mind that some vendors lie. One network security vendor reported revenue based on list prices for years; in other words what customers might have paid had there been no discounts. That presented a particular problem for the new CMO who had to bring their reported revenue in line with reality at some point.) Ability to execute also takes into account geographic expansion, funding, marketing and sales team growth and investment in product development.

UP over RIGHT
The key to understanding the value of vertical placement versus horizontal placement is understanding the buyer’s perspective. A CIO or whoever must make the vendor choice does not look at the history of previous MQs. He or she looks at the current one. Almost by definition, this is a person who is relying on a two axis chart to make important buying decisions, and they are going to be conservative, late-adopting, typical Gartner clients.
The first impact of placement on the MQ is whether or not a vendor has crossed the line into the upper right quadrant, the Leaders Quadrant. Being there means a good shot of being short listed for at least a meeting–a chance to make a sale or at minimum progress to the bake-off or Proof of Concept phase.
The second impact is validation. A buyer is leaning towards a new vendor, one which can displace the old technology that is not working. Here Ability to Execute is everything, while Vision can be a detractor. A buyer, especially a late adopter, is not looking for vision, whiz-bang, cutting-edge, or change everything technology. The buyer is looking for a viable solution that will be the least disruptive to their current organization. The higher the vendor places in Ability to Execute the better the validation the MQ provides.
This is why a vendor should not strive to be the most visionary. Demonstrated ability to execute is a much stronger indicator to the buyer that they are making a good decision. Gartner backs them up. Leave the “most visionary” position to the startup that happens to match the Gartner analyst’s perception of where the industry is going. Push that dot up rather than over. Get into the Leaders Quadrant early. As soon as that happens the disrupting vendor is on the same footing as the industry dinosaurs and only has to deliver to succeed.


Where’s Stiennon? Upcoming speaking gigs

Stiennon RSAC TV

The post-RSA lull is coming to an end. Here are some events coming up where you can see me. Make sure to drop by!

Monday, April 18, I will be at the Eskenzi PR IT Security Analyst-CISO forum in London. In addition to one-on-ones with vendors I get to meet many of my fellow industry analysts.

From London I head to Washington DC for the Information Security and Compliance Forum April 20. It’s free so if you are in DC make sure to sign up. I will be presenting the closing keynote and signing copies of There Will Be Cyberwar.

I get a week at home before heading Down Under for the National FinTech Cyber Security Summit in Sydney on Tuesday, May 2. I will also be addressing an invite only dinner the night before at Allens, one of the largest law firms in SE Asia.

That Thursday, May 5, Arbor Networks is taking advantage of my presence in Australia to host a breakfast seminar: Bringing Order to the Chaos of Advanced Threats. There are already 30 people signed up but I am sure they can make room if you want to join us!

It’s back to Washington DC on May 17 for the DCOI USA-Israel Cyber Security Summit. My partner at TrueBit Cyber, Debbie Taylor Moore, and I will be acting as co-MCs for the event, which includes such luminaries as Admiral Michael Rogers, Check Point Software CEO Gil Shwed, General David Petraeus, and Richard Clarke.

May 23 I will be in Philadelphia to open Evanta’s CISO Executive Summit.

And June 7 I will be speaking in Detroit, of all places, on behalf of an Avnet partner. Stay tuned for details.

That should do it for the season I think. I already have two dates in September for interesting events in Texas and New York City. Details to come.


Looking at the entire IT security industry

When IT-Harvest was launched we took a stab at cataloging the entire IT security vendor space. It took six months and a team of five to collect information on 1,200 vendors. We also invested in a developer to create an app which we sold subscriptions to. That effort was curtailed when I joined Fortinet. After relaunching in 2008 we continued to track those vendors but a year ago decided to make a concerted effort to gather and put into categories as complete a list as possible. I presented some of the results at RSA this year on the RSA TV stage:


Immediately after RSA I began working with friends in Israel and India to cast my net wider. We found 41 total vendors in India and 228 in Israel. Those numbers were published at my new column as an IDG Contributor: Stiennon’s Security Scorecard.

I will be revealing lots of great data about our space in future columns. In the meantime I am using that data to create market sizing reports. Those are available at www.ith-research.com

And yes, we will be building an app to make our entire database available to subscribers.


IT-Harvest analysis: Threat Intelligence Market Growing at 84% CAGR. To Hit $1.5 Billion in 2018

Birmingham, Michigan March 16, 2016 Technology News

(PRLEAP.COM) IT-Harvest, an independent research firm covering the cybersecurity industry, has published a Market Research Report on the threat intelligence sector. The report includes 21 vendors that research and provide threat intelligence to the enterprise. These include iSIGHT Partners, recently acquired by FireEye, Cyveillance+LookingGlass, Digital Shadows, Intel471, Recorded Future, and Flashpoint Intel. A growing segment within the space includes the 10 Threat Intelligence Platform (TIP) vendors, led by ThreatStream, ThreatConnect, ThreatQuotient, and BrightPoint Security. TIPs collect threat intelligence from multiple sources and integrate with internal data and enforcement technology to maximize the value of threat intelligence.

Key findings:

The 2015 threat intelligence market was $190 million and is growing at 85% annually. The TIP space accounted for $61 million and is growing at 84%. In addition the total 2015 market for threat intelligence products was $251 million and is on pace to exceed $460 million in 2016. At current growth rates the market for threat intelligence products will exceed $1.5 billion in 2018.

The seventeen page Market Research Report is available at www.ith-research.com. It provides a guide to the industry and a summary of each vendor’s capabilities.

About IT-Harvest:

IT-Harvest uses a unique methodology to track industry sectors. This human augmented machine analysis is integrating automation with human insight to perform comprehensive market sizing analysis. The Threat Intelligence MRR is the first of such reports, to be followed by: User and Entity Behavior Analytics (UEBA), Firewall Policy Management, Deception, Security Analytics, Cloud Security, and Information Governance.

To contact the author, Richard Stiennon, email: richard@it-harvest.com

About Richard Stiennon:

Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 1,440 vendors that make up the IT security industry. He recently completed a year-long effort to categorize all of those vendors. He is the author of Surviving Cyberwar (Government Institutes, 2010) and There Will Be Cyberwar. He is a member of the advisory board at the Information Governance Initiative and principal of TrueBit Cyber Partners. Stiennon was Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that he was VP Research at Gartner, when he was recognized as One of the 50 Most Powerful People In Networking by Network World Magazine. He has a B.S. in Aerospace Engineering and his MA in War in the Modern World from King’s College, London.


That’s a Wrap. Until Next Year, RSAC.

My experience at the annual gathering of what seems like the entire IT security industry is different than most. Each year at the RSA Conference in San Francisco IT-Harvest reserves one of the biggest hotel suites in the city and outfits it as a video studio. Our flawless team of videographers at New Leaf Media haul in several carts of equipment, push all the furniture into a corner, hang an elaborate backdrop, and set up for a three-camera shoot.
While everyone else is busy meeting, going to sessions, presenting, and walking the show floor, I am ensconced in our suite from 8 AM to 6 PM recording video interviews with industry executives, technologists, and thought leaders. Over the last six years we have recorded 150 such interviews. I use them in my own research and embed them in my writing. If you are new to the IT security industry you could get up to speed quickly by watching these. They are hosted at www.vimeo.com/itharvest.

Here is the complete list of 29 video interviews conducted at RSAC 2016. We will be uploading them over the next several weeks.

Comodo. John Peterson is an old friend. We have interviewed him before. He joined us to talk about Comodo, which in addition to being the largest issuer of SSL certificates, offers PKI solutions for enterprise and endpoint protection for the desktop.

Vidder. I met Junaid Islam, CTO, for the first time as I interviewed him about Vidder’s PrecisionAccess. Think white listing for access control. Users and their devices are authenticated before being granted access to only allowed applications.

Untangle. Untangle’s CEO, Bob Walters, explained how this UTM vendor is successfully executing on a go to market strategy for SMB; a rare approach in the UTM space where everyone wants to be an enterprise player.

vArmour. Former Deputy Under Secretary for Cybersecurity for DHS, Mark Weatherford, talked to me about vArmour’s security for workloads in the cloud.

CloudPassage. Amrit Williams, CTO of CloudPassage, and fellow alumnus of Gartner, talked about cloud security and protection across multiple platforms.

Digital Shadows. James Chappell, CTO and co-founder, introduced the concept of cyber situational awareness, an all-encompassing take on threat intelligence as it pertains to each customer.

Illumio. Andrew Rubin, CEO, returns to talk about how Illumio enforces policies across all workloads via a lightweight software agent that is installed in the operating system of any server, VM, or container. It collects network flows and workload information, and programs the native stateful firewall in the host (iptables in Linux, Windows Filtering Platform) to enforce inheritable protections.

Onapsis. Mariano Nunez, co-founder and CEO, described the SAP security platform.

Cylance. Stuart McClure dropped by to update us on his machine learning informed endpoint protection solution. After two years, Cylance is gaining traction across many enterprises.

Hexatier is the re-branded GreenSQL. I talked to the newly appointed CEO, Dan Dinnar, about enterprise adoption of cloud database firewalls.

FourV. Casey Corcoran, VP Strategy, described how FourV’s risk management platform calculates risk factors, in real-time, from the flood of existing security and IT systems data.

Flashpoint. Lance James, Chief Scientist, barely took a breath as he described the value proposition and power of mining the Deep&Dark web for threat intel.

Evident.io. Tim Prendergast visited our studio to talk about Evident.io’s easy to deploy cloud policy management platform.

ThreatQuotient. John Czupak and Ryan Trost tag teamed an interview to talk about Threat Intelligence Platforms. (Read more about TIPs in the IT-Harvest Threat Intel Market Research Report just published.)

Fortinet. Once again we talked to John Maddison, Senior VP at Fortinet about their extraordinary growth.

whiteCryption. Thorsten Held, Managing Director, introduced me to whiteCryption’s software HSM. A critical component of trusted communications.

Entrust Datacard. Datacard bought Entrust at an opportune time. I talked with CEO Todd Wilkinson about the growing market for digital certificates for identity.

Gemalto. Jason Hart, VP and CTO, had a wide ranging discussion about hardware HSMs and the wide breadth of enterprise security products at Gemalto.

Barracuda. I talked with Klaus Gheri, VP Network Security, about a new product Barracuda introduced to tie remote facilities back to the head office securely.

Cyren is executing on its strategy to branch out from being purely an OEM provider of URL and reputation feeds to dozens of security vendors. Lior Kohavi returned to give us an update on Cyren’s stand alone product for advanced malware defense in the cloud.

Solutionary. John Petrie, CISO, talked about the company’s progress since the acquisition by NTT Docomo and future plans to consolidate MSSP services under a global umbrella.

Bomgar. Matt Dirks, the CEO of Bomgar, explained how the company saw an opportunity to expand from a secure remote desktop for customer support to privileged user management.

Vasco. Ken Hunt, a youthful CEO of one of the oldest security companies, described Vasco’s two-factor authentication and digital signature solutions for financial institutions and other industry verticals.

RedSeal. It was a pleasure talking to Ray Rothrock, CEO of RedSeal, once again. He introduced the concept of digital resilience and how RedSeal is building it into their risk management dashboards.

Arbor Networks. It is well worth watching the series of interviews I have conducted with Dan Holden, Director of ASERT, Arbor’s research team. This year, as always, we had a free ranging discussion on the past year’s developments in the threat space and trends he sees in the industry.

RSA Security. I talked with Sanjay Raja, Senior Director of Product Marketing. We had a great conversation about RSA’s product coverage and future plans.

Skybox. This year I talked once again with CEO and Founder Gidi Cohen. Skybox is looking to expand its position in the risk management space aggressively with the help of a recent infusion of $96 million. Ravid Circus chimed in on the technical side.

PhishLabs. John LaCour, Founder, talked about advanced techniques for hardening an enterprise against the scourge of phishing attacks.

Versasec. Joakim Thoren, CEO, introduced me to Versasec’s complete line of smartcard enabling products.

You can imagine that my head was packed full after three days of intensive talks with so many technology vendors. I think I was in a fog by the time I stumbled onto the show floor to see as many exhibitors as possible. I did take 15 minutes to present the results of just completed research on the entire IT security vendor space for RSA TV. Much more on that to come.

Watch this space where we will be posting each of the videos as they come out of post-production. That will give us enough content to talk about until BlackHat when we will be recording more!


Have you scheduled your RSAC 2016 video interview?

IT-Harvest is launching some exciting initiatives in 2016. Throughout 2015 we worked to rebuild our database of over 1,450 IT security vendors and group them into more than 80 categories. We are working through the fastest growing categories (threat intelligence, deception, security analytics, cloud security) and getting ready to publish market research reports that catalog all the players, their estimated revenue, and their growth rates. Primary audiences are the investor community and buyers of technology products.

In addition, IT-Harvest Press will be publishing guides to each of these segments in book form. Be sure to look for them!

Also, in 2016, Richard Stiennon will be a regular contributor of articles about the industry to CSO Magazine.

All of this activity means more exposure for your video content: a professional video interview with Richard Stiennon shot and produced in San Francisco just three blocks from Moscone Center. See all 140 videos we have already produced for many of the leading IT security vendors here. Of course you can embed your video anywhere you like and reuse the content. As always, contact Rich Montoya to get more information. richard.montoya@it-harvest.com


Taking the Backroad to a Secure Enterprise

It is often the case that rapidly changing technology allows laggards to leapfrog leaders. Rather than follow the same path as the trailblazers, those who come behind can take a shortcut. A country in South America bent on joining the modern world does not have to string phone lines across its mountains and jungles to achieve universal access to communications. It can build an LTE infrastructure, allowing its people to skip the fixed line stage and jump right to the latest smartphones and apps for Facebook and Instagram.

So too can an enterprise that is poorly defended get ahead of the race to security. The very best security infrastructures can be found at large financial institutions and defense contractors. Both have been battling targeted attacks for over a decade. They have purchased, deployed, and staffed every new technology brought out to combat every new threat: banks to counter cybercrime, the defense industrial base (DIB) to combat cyber espionage.

In 2003 these organizations had firewalls and Anti-Virus. As worms managed to get by their defenses they deployed Intrusion Prevention (IPS) and patch management systems. Eighteen years later they have large staffs populating Security Operation Centers. They have deployed and are managing sometimes hundreds of separate security products, most of them plumbed to report to a SIEM (Security Information and Event Management) solution. They are well positioned to take the next step, which is to incorporate threat intelligence feeds and security analytics to hunt down intruders.

But what about the laggards? Those that don’t have a CISO, have not kept up because they were under the blanket of misunderstanding: “we have nothing worth stealing, who would target us?”

We know who the laggards are by the breaches we read about in the New York Times. Universities, retailers, movie studios, industrial control systems, and yes, even federal agencies.

What are the laggards to do once they finally come to that moment when they realize that they truly are targets of attack? Most appear to be frozen in the headlights of the threat. There is too much to do. They need help. They need funding. They need Congress to do something. How can an electrical utility in Detroit attain the same cyber defense posture as Lockheed Martin?

Do it backwards. Learn to hunt and kill intruders before investing in moats, barbed wire, guard towers, and walls.

Start with gathering information from your network. Collect NetFlow data from your firewalls, routers, and access points. Capture full packets where you can. The technology is there. All these devices just need to be configured to report what they see. Evidence of attacks is in that data. Botnet beaconing? Easy: a host talking to the same outside address on a fixed schedule stands out. Exfiltration of intellectual property? Even if the payload is encrypted you can still see the volume, the direction, and the destination of what is going out. Lateral movement? It's in there, as one internal host reaching out to many others on administrative ports.

You can do this manually, but investing in hunting technology (I sit on the advisory board of one such technology vendor; check out Sqrrl's hunting platform) is the best way to leapfrog. You need tools that allow you to piece together disparate evidence of malicious behavior. You can set an alert for unusual traffic originating inside your data center and heading to China. But you still need to hunt down the root cause, the patient zero of a malware infection. It might be a vulnerable database server, or a mis-configured firewall. What were the attackers after? Payroll servers? Customer data? Are they using your privileged access to one of your customers as a stepping stone? You can link all the artifacts to tell a story and answer these questions.
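As an added illustration of what hunting in flow data looks like (this is example code written for this page, not code from the original post or from Sqrrl or any other vendor's platform), the script below runs three simple detections over a constructed set of NetFlow-style records: periodic beaconing to an outside host, a large one-way upload, and one internal host fanning out to many peers on administrative ports. The flow records, the address ranges treated as internal, and every threshold are illustrative assumptions, not tuned values from any real deployment.

```python
"""Three toy hunting detections over NetFlow-style records.
Added example for this page; not code from the original post or from any
hunting product. Sample flows, internal ranges and thresholds are constructed
assumptions for illustration only."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
FLOWS = [
    # a workstation beaconing to one external host every 300 s with tiny payloads
    *[(t, "10.1.5.23", "203.0.113.8", 443, 512, 1024) for t in range(0, 3600, 300)],
    # ordinary browsing from another workstation: irregular timing, mostly inbound bytes
    (10, "10.1.5.40", "198.51.100.7", 443, 2000, 90000),
    (95, "10.1.5.40", "198.51.100.7", 443, 1800, 120000),
    (400, "10.1.5.40", "198.51.100.9", 443, 2500, 80000),
    (1200, "10.1.5.40", "198.51.100.7", 443, 2100, 70000),
    (1230, "10.1.5.40", "198.51.100.11", 443, 1900, 65000),
    # a database server pushing one very large (encrypted) upload outbound
    (2000, "10.1.9.10", "203.0.113.77", 443, 750_000_000, 40_000),
    # the beaconing workstation then touching many peers on SMB: lateral movement
    *[(2500 + i, "10.1.5.23", f"10.1.5.{100 + i}", 445, 3000, 1500) for i in range(12)],
]

# Assumed enterprise address space (RFC 1918). ipaddress.is_private is deliberately
# not used: it also matches the TEST-NET ranges used for the "external" hosts above.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}  # assumed set of remote-administration ports


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(flows, min_conns=6, max_cv=0.2):
    """Flag (src, dst, port) triples whose connection inter-arrival times are nearly
    constant. A coefficient of variation (stdev / mean) near zero is machine-like
    periodicity; human browsing produces irregular gaps."""
    times = defaultdict(list)
    for t, src, dst, port, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append((key, round(avg), len(ts)))
    return hits


def find_bulk_uploads(flows, min_bytes=100_000_000, min_ratio=10.0):
    """Flag outbound flows that are both large and strongly one-directional.
    Encryption hides the content, not the volume, direction or destination."""
    return [
        (src, dst, out)
        for _, src, dst, _, out, inn in flows
        if is_internal(src) and not is_internal(dst)
        and out >= min_bytes and out >= min_ratio * max(inn, 1)
    ]


def find_lateral_fanout(flows, min_peers=10):
    """Flag internal hosts that contact many distinct internal peers on admin ports."""
    peers = defaultdict(set)
    for _, src, dst, port, _, _ in flows:
        if is_internal(src) and is_internal(dst) and port in ADMIN_PORTS:
            peers[src].add(dst)
    return [(src, len(p)) for src, p in peers.items() if len(p) >= min_peers]


def hunt(flows=FLOWS):
    """Run all three detections and return their findings keyed by type."""
    return {
        "beacons": find_beacons(flows),
        "bulk_uploads": find_bulk_uploads(flows),
        "lateral": find_lateral_fanout(flows),
    }


if __name__ == "__main__":
    for kind, hits in hunt().items():
        print(kind, hits)
```

Run against the constructed data, the beacon detection flags 10.1.5.23 talking to 203.0.113.8 every 300 seconds, the upload detection flags the 750 MB push from the database server, and the fan-out detection flags the same 10.1.5.23 touching twelve internal hosts over SMB. That last overlap is the kind of artifact linking the paragraph above describes: the beaconing workstation is a strong patient-zero candidate, and the SMB fan-out is the next hop to chase. Real flow exports need the usual tuning (whitelisting update servers and backup jobs, longer observation windows), which these thresholds do not attempt.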

The day you start hunting for intruders is the day you start to improve your security. Vulnerability management is one of the most onerous tasks for an IT department. The existence of a vulnerability in a critical system does not justify taking that system offline to patch it. But discovering an intruder on that system exfiltrating data justifies an immediate response. Revamping access controls is expensive and disruptive to operations. The day you discover someone logging in remotely using stolen credentials is the day you change your access policies and deploy strong authentication technology.

After only a few weeks of hunting, finding, and stopping intruders, you will be able to justify expenditures for technology to reduce the workload of the hunters. Upgrading from the firewalls you bought when you first connected to the Internet to a modern full-stack gateway security appliance will stop a lot of noise. The root cause of many intrusions will turn out to be users clicking on links to malicious content. Deploy a secure web gateway to eliminate those issues.

Is there a particular database the intruders are after? Harden those servers, and encrypt that data. Are intruders getting access credentials? Get your Identity and Access Management (IAM) under control. Are you being targeted with bespoke malware that sidesteps your defenses? Deploy sandbox devices to detonate and reveal new malware. Are your suppliers and partners the source of attacks? Share information with them. Teach them how to hunt.

Coming at cyber security backwards in this way can quickly get you ahead of not only the technology curve, but of the attackers. You will have an elite team of experienced hunters equipped with the best technology. Your security program will be driven by defense, not compliance. You will know what to invest in. You will know how to deploy new IT projects without exposing yourself to new threats.

Let the attackers show you the way to securing your enterprise. You will be watching and on the hunt.

Posted on

Getting to Know the IT Security Industry

When IT-Harvest launched in 2015 we had grand plans to reinvent the industry research business. I had had four years of experience as a Gartner analyst and was frustrated at the lack of access to data. Of course Gartner had DataQuest which had been acquired for $80 million from Dun and Bradstreet in 1995. When it came time to generate a Magic Quadrant we would ask for the latest list of vendors and their revenue in a certain space like Firewalls or IDS.

But DataQuest got its numbers by surveying vendors and it has to be acknowledged that vendors are not always completely forthright when it comes to self reporting numbers. At one point DataQuest was telling me that CA had the biggest market share in IDS even though they did not have a product page for IDS and I had never talked to anyone who used CA for IDS.

IT-Harvest was going to change all that. When we got started we hired a developer to create an elaborate data entry tool for recording details about all security vendors. My task was to find them and assign them to a category. Our researchers, primarily located in Salt Lake City, would use the tool to fill in office locations, products, and key executives. Within six months we had compiled a database of 1,200 vendors and offered a subscription to that data for $4,500/year.

We were successful in getting subscribers but a strange thing happened. Not a single person ever logged into the tool we had invested so much in developing. They saw the real value in having access to the analyst–me!  So, after a brief hiatus, when I suspended IT-Harvest to be CMO of Fortinet, we abandoned the elaborate tools and subscription model and went with the traditional analyst model of retained access, white paper generation, speaking, and strategic engagements.

But I still need that data. Over the last several months we have repopulated the database. We are already learning a few things. There are now 1,930 vendors in our database and more to add as we discover them. I have developed a methodology for estimating company size that will be used to create market scope reports, which we will sell at a fraction of the $5-9K typically charged by market research firms. Those reports will be created quarterly so we will be able to extract trends from the data.

We will not use surveys at all. I have too many friends in the analyst relations profession to submit them to yet another lengthy spreadsheet to fill out. Besides, my numbers come from outside data so will not be subject to subterfuge like reporting revenue based on list price instead of actual sales.

There are lots of ways to skin the industry analyst cat. There are several attempts to crowd source product and company information. There are subject matter expert dating sites. And of course there are the Gartners, Forresters, IDCs, and Ovums. IT-Harvest will continue to focus on the IT security industry as it grows at 24% a year. If we can keep pace we will be doing well.