Face to Face With a Zealot – Why Innovation Gets Throttled

March 23, 2010

I had an interesting brush with zealotry the other day that served as a stark reminder of what those of you who make IT security decisions for your respective organizations face on a daily basis.  This experience folded nicely with a great blog post by Rich Mogull in the Securosis blog (“There is No Market for Security Innovation”) because I think the zealotry I experienced is one of many factors that throttle innovation.

I was on the phone with a partner discussing how we could align our respective products to cooperatively go to market.  Joining the call was a product manager (who I shall call PM going forward) for a specific product within the partner’s product line.  I was asked to describe what our product could do, and after doing so, was immediately met with PM conveying a general sense of “my product does all of that and more” as I was subjected to an enthusiastic Gatling gun fusillade of breathless features and counterclaims.

By the time the PM was done describing the length, breadth and depth of PM’s product, I could almost feel the hair growing back on my bald spot and my previously receding hairline reclaiming lost ground on my forehead.  I am quite sure world hunger was also on the decline and cold fusion was only minutes from discovery.  Fortunately, as my cynicism and hair loss problem probably indicate, this is not my first rodeo, and I had done some pretty extensive competitive research on PM’s product.  Suffice to say the general consensus amongst the analysts and reviewers (including user feedback) does not reflect the unbridled enthusiasm of PM.

After the call I stepped back to think about the exchange and tried to put myself into the shoes of the prospects I see almost daily.  I got the sense that PM either did not care to hear me or the zealotry simply overwhelmed him/her.  What was most important to PM was to tell me all of the things the product could do rather than align with me as a partner.  I am quite certain the same thing would have happened if I was a buying prospect – I would have been told what the product would do rather than how it would help address my specific problem.  Any question I had would have been met with an enthusiastic “Yes” before I got half of my sentence out.  I am not accusing PM of being deceptive – I choose the word zealot because zealots honestly believe they have that capability.

Mogull notes that buyers don’t consider innovative products until they believe “existing tools are failing so badly that you can’t keep the business running”. An exchange with a zealot such as I experienced would certainly give a buyer enough assurances – whether the buyer believes it or wants to believe it to avoid a purchase – to step away from making a bet on a newer product.

Prior to RSA I had a blog entry where I described similar zealotry on the exhibit floor under the name denial of innovation attack (Beware the “Denial of Innovation” Attack at RSA).  My encounter with PM reminds me that this is not an RSA specific phenomenon and is in fact a daily occurrence.  I appreciate that PM was doing his/her job, but it was a stark reminder to be on the other side of the equation and it certainly gives me a renewed appreciation for those of you who make buying decisions for your respective organizations.


Tired of the Term Advanced Persistent Threat – How About Cold Harsh Reality?

March 15, 2010

I read a very insightful guest editorial in the Zero Day blog in ZDNet by Matthew Olney of Sourcefire on Friday about how the term “Advanced Persistent Threat” had reached a level of overexposure and may have, as they say, jumped the shark.  After reading his article I started to think about some new alternative terms for the evolving nature of malicious attacks while putting some of the hype into perspective.

My first new alternative name for APT is Cold Harsh Reality (CHR).  As Olney points out, the term APT has been used by the defense industrial base (DIB) for years.  Of course, if something works to steal military data, it will soon find its way to the hands of those who seek financial gain.  The attacks once seen only in the intelligence and DIB community are now being aimed at financial institutions, retailers, energy companies and just about anywhere else where financial data or sensitive information can be had.

This is not rocket science, just good coding methodology.  The bad guys do not have to build elaborate zero day attacks to evade detection as there are plenty of ways to get around traditional defenses without expending massive amounts of effort.  And of course if the bad guys run out of exploits, Microsoft and Adobe stand ready to snap off a couple of new ones for their convenience.

My point: maybe we don’t need the term APT anymore, because it was used to characterize something that started in a relatively isolated world that has moved into the mainstream.  It is our new cold, harsh reality, and therefore requires no special designation. There will still be pedestrian attacks that AV will continue to block well, but these now look amateurish in the face of the CHR attacks that many are dealing with on a continuous basis.

The other alternative is Uncomfortable Inconvenient Truth (UIT – hey, Al Gore got us into this mess by inventing the Internet, so I don’t feel bad for borrowing from him).  While I agree that some of the noise around APT is hype, a lot of the shouting is from innovative companies that are struggling to be heard above the FUD from the AV vendors who know they are exposed by their failure to evolve to the changing threats.

This is where the uncomfortable and inconvenient part comes in.  The large AV vendors have sold a lot of companies on the idea of the consolidated suite for protection, and those companies have invested a lot of money in those suites.  Such decisions are strategic and large enough to get visibility at the highest levels of the organization and the individuals who made the ultimate choice have much of their personal reputation riding on the results.

As the game changed and it became increasingly obvious that the AV tools cannot stem the tide of evolving attacks, the AV vendors and the internal sponsor in the organization that made the decision to buy the suite are at risk.  The AV vendors don’t want to lose control of the account and have new tools added to the mix, and the internal sponsor does not like the idea of having to tell management that they need additional software.  The increasing evidence only serves to make facing the truth more uncomfortable (but unavoidable), while the tight economy makes having to take action increasingly inconvenient.

The AV vendors have been countering their risk by telling everyone that they have it covered by trotting out extensions to the suite such as heuristics and behavioral analysis, and when those did not get the job done, whitelisting and prevalence.   The internal sponsor is motivated to believe that their vendor will find a way to address the problem, because it represents the least friction organizationally and professionally.  To be clear, I am not suggesting malfeasance or coercion or any other malicious intent – it is an observation of human nature and buying psychology.

But the tide continues coming in. This is where smaller companies (even the ones that have a legitimate product that can help) are driven to hype.  Trust me when I tell you that it takes enormous energy and perseverance to get your message heard above the “don’t worry, we have that covered” message from the big AV companies.  So if APT is getting the attention of security people and organization decision makers, you can bet that small companies will jump on the bandwagon.  Because even when I do get in and get the chance to tell my story, I know the big AV vendor is just outside the door ready to dismiss what we say.  Such is the cold, harsh, uncomfortable and inconvenient reality of my world.

I am not defending my fellow marketers who take the use of APT too far; I am just saying there is a perspective here worth examining.  The APT hype cycle is not all the fault of marketers – it is a symptom of a larger problem as the security market ecosystem is forced to deal with the evolving threats.  What is true is that organizations are getting attacked, and as Olney and others have said, there is no magic silver APT bullet.  But there may be some products that can help if you can filter out the noise on the subject.

Let me end with some disclaimers.  You will not see the term Advanced Persistent Threat on the Triumfant web site or in our materials, and if it is mentioned in the context of Triumfant it is used to reference the types of attacks characterized by APT.  I have discussed the topic here on the blog, but I am always very clear that while we are a good detection tool for the attacks most associate with APT, we do not claim to be a solution for APT.  I agree with those who say that anyone claiming to be so should be instantly ignored.


RSA Shocker (Not): Symantec Admits Traditional Signature Based Tools are “Not Keeping Up”

March 9, 2010

“Traditional signature-based approaches to security are not keeping up.  What we’ve had to do is come up with a new approach. The idea is it has to be able to deal with attacks that we’ve never seen.”

Words from some maverick security company?  Hardly.  These are the words of Symantec CEO Enrique Salem from his Tuesday RSA Conference keynote.  And he is about to tell the assembled RSA crowd that Symantec’s prevalence technology is the answer to the vexing problem of rapidly emerging and constantly evolving threats.  I can’t fault his message – his company paid handsomely for that keynote spot so he can proclaim his new technology as the 2010 silver bullet.  But in my opinion, Salem and Symantec’s newfound honesty regarding the efficacy of AV is late, awkward, and does little to provide real leadership to the market.  The industry leaders should not feel all self-congratulatory in finally admitting a problem they have ignored for far too long.

I had a similar experience listening to a CEO in denial say something equally late and awkward before at the 1999 Sapphire Conference (SAP user conference) in Philadelphia.  SAP was acting like the World Wide Web was simply not happening all around them because it was so foreign to their core technology.  In his keynote, then SAP CEO (or COB) Hasso Plattner grudgingly referenced the internet as an “emerging technology” but was still ultimately dismissive.  I remember thinking “sir, I think the internet has already emerged and no dismissal from you can change that fact”.  Actually, I think my exact thought was “Emerging? Dude, internet done emerged!”

What confounds me is that companies still somehow either believe or want to believe that companies like Symantec can solve this problem.   Not one person in a company or government agency that fights what has been called the advanced persistent threat tells me that they believe that prevalence technology is a viable solution for what Salem calls “the attacks that we’ve never seen”.  Same with whitelisting, which is the proposed answer for companies like McAfee and Lumension.

(As a complete aside, one vendor actually touted “intelligent whitelisting” at RSA, I assume implying that somehow intelligence had been left out of previous whitelisting attempts.  I could see people everywhere saying “AH! I was supposed to be intelligent about whitelisting!  Now I get it.”)

I think it is disingenuous for companies that have been at the front of the A/V wave to feign public shock that signatures are no longer viable when their own customers have been pleading with them for years and years to step up and make the jump to newer technology.   We of course have been pointing out the problem for some time, with our Worldwide Malware Signature Counter providing a visual for the problem.  I also think it odd that a company like Symantec would post a report showing that 100% of the enterprises they polled for a recent study had been attacked (see an interesting view of FUD surveys in John Pescatore’s blog here).  The math is simple: if Symantec represents 40% market share and 100% were attacked, aren’t they saying that they failed to protect 40% of the enterprises represented in the survey? Seriously, am I missing something here?

Let me be clear.  The answers to the problem Salem raises do exist.  You and your organization are simply going to have to look outside of your AV suite vendor to find it.


More Random Thoughts, Observations, and Musings from RSA 2010

March 4, 2010

More quick hits from RSA as I get ready for the last day on the show floor:

  • Great traffic to our booth with great conversations about how we can help organizations plug gaps in their endpoint security.  Given we are such a different approach, it is always fun to watch people process how we approach endpoint security and configuration management.  My favorite is their parting words which are usually something like “thank you, that was interesting”, then there is a pause as they continue to process what they have seen and heard, followed by a “very interesting”.  I always like that response because they get it and now they are mentally extending what they have heard to the needs of their organization.  I think most people think the time at the booth is time well spent.
  • Triumfant will be included in an announcement by SRA today about Triumfant being part of the team for SRA’s One Vault Cyber Security Suite.  We are excited to be teaming with SRA and are looking forward to being a part of this exciting offering.  SRA is extremely progressive about finding new ways to help secure their customers and we are pleased to be part of that process.  More announcements about Triumfant and SRA to come.
  • We have been seeing a steady stream of vendors coming to the booth to learn about what we do.  This is a good indicator that the word is spreading about our capabilities and that these vendors have to answer their customers’ and prospects’ pointed questions about how they compare.  Some are open about working for a vendor, some try to sneak in.  Just walk up and shake hands, folks – we have nothing to hide.  Besides – it is for your own good: the more you know about what we do the less likely you will be to tell customers and prospects that you can do it when they hear about us.   Sorry, but true.
  • Not one person has come to the booth looking for a solution to the advanced persistent threat (APT).  Or any other phrases that get knocked around the press and the blogs.  Sure you hear some of the concepts, but at least the people coming to our booth don’t adopt the names such as APT.  I guess when you spend the day fighting it you don’t get caught up in what to call it.
  • RSA is a great show but it is very frustrating for a new vendor.  Getting a speaking slot is next to impossible, and the system for booth placement almost guarantees you a less than favorable slot.  Money in the form of a larger booth or an expensive sponsorship will of course fix a lot of that problem, but it is a huge bite of any smaller company’s budget.  I can see why the B-sides movement is gaining momentum.
  • I am always amazed at the amount of money companies will literally dump onto the floor at RSA.  I get marketing obviously, but I can’t imagine anyone altering a buying decision based on a room drop card, a beer tap at the booth, or some fabulous take-away trinket.  I must be getting old and either wise or jaded.
  • I was invited to Mitre’s celebration of the 10 year anniversary of CVE last night.  Great party full of the dedicated folks who tirelessly continue to promote standards for security.  Like I said in a previous blog – I have all the respect for the patience and perseverance of the people who continue to push for these standards.
  • Went to the bloggers meetup last night.  Thanks @RSABloggers2010 for the invite.  I normally stay along the back because the group is gracious enough to let me attend even with my two strikes: being a vendor makes me suspect, but having a Chief Marketing Officer title is the real kicker.  I am sure many of the bloggers feel a disturbance in the force when I enter the room.  So I see some familiar faces and make sure I don’t engage in anything resembling marketing speak.  It is a fun group and the reception is always lively and I always appreciate the invite.

This has been a great RSA, but I am ready to finish this last day of the exhibit hall and start packing for home.  Thanks to all who came by the booth.


Random Thoughts, Observations, and Musings from Monday at RSA

March 2, 2010

I have lost my normal first-morning-of-a-west-coast-trip battle with my body clock so what better thing to do at 5:15 am than to provide you some random observations and musings from Monday at RSA.

  • My initial read of the show is that there is a general sense of renewed optimism that is a marked reversal from the heavy gloom that seemed to permeate last year’s conference.  Let’s hope that this optimism continues, because I like this year’s vibe much better.
  • I took a pre-opening walk around the exhibit floor and found myself experiencing some serious booth envy because the booths in this year’s show are some of the best designed I have seen in many years.  I am human with an ego, and sometimes I miss the days of having a big budget for the show, particularly when you see high levels of creativity.
  • After dealing with my booth envy issues I came to an important realization:  I can honestly say that I would not trade products with anyone on the show floor.  The Triumfant product is truly different and continually proves that it delivers as advertised.  Our engineers have made change detection a viable process for detecting malware and enforcing configurations and policies.  So much of what I see on the floor sounds and feels like slight variations of the same themes.  I can honestly say we represent something very different that fills real gaps in endpoint security.  No booth budget can buy me that.
  • I have made two quick passes through the floor looking for “hamster wheels of pain” to photograph and share with you.  So far I have found none to report.  Well done, my fellow marketers.
  • Across the aisle from our booth is a China-based security company.  As a marketing person my first thought was: could there be a harder job than to market a Chinese security company?  I have no knowledge of this company and my comment is in no way designed to cast any aspersions or doubts their way.  But the current association between China and cyber crime would seem to make it a difficult sell.
  • I actually had someone come to the booth and say that they read this blog.  I was humbled and flattered.  I enjoy doing the blog and try to make it informative and at least a little entertaining, but you never really know if anyone really reads what you write until someone says something like that.
  • For those of you who have never been to RSA there are two main sets of doors into the exhibit hall and between them is a coffee counter.   I would really like to know what one day’s receipts are from that counter during RSA, because my guess is that it is remarkable.  Location, location, location.
  • Our team walked about 15 blocks for dinner last night and passed countless homeless along the way.  The juxtaposition between the amounts of money spent on the exhibit floor and the view of someone sleeping in a doorway can’t help but stir the heart and mind.  When you see yards of white thick pile carpeting being laid out in booths and wonder what the cost of that carpeting could do for any one of these people on the street it keeps what we do in stark perspective.
  • Today I start my analyst briefings, which is always a fun part of the trip.  Analysts are both leading (what is on the horizon) and trailing (are their customers asking about Triumfant and what problem do those customers think Triumfant will address) indicators of the market and are valuable to small companies looking to chart a clear path.  The analyst/vendor relationship is always an interesting dynamic, but if you are willing to be open minded and really listen to their feedback, there is always valuable data and insights available.
  • According to the forecast and the drops on my hotel window, we start what looks to be two days of non-stop rain.  At least it is a change from snow.

Please come by the booth (756) and say hello if you are on the floor.  And don’t forget the malware detection challenge.