Posts Tagged ‘Kennedy’

Adapting the Network to New Technologies

Friday, March 29th, 2013

Daniel Kennedy, Research Director for Information Security

When network managers participating in the 9th Networking Study were asked how the design of their internal networks would change based on new technologies including cloud deployments, unified communications, virtualization and mobile proliferation, the top answer beyond not doing anything was ‘increase bandwidth.’ This is, in part, driving 10-Gigabit Ethernet rollouts in enterprises, which are a top new project in this study, reflected in responses such as ‘core refresh,’ the sixth-ranked answer below.

The response ‘server virtualization’ is tied to how managers are handling virtualization. Following that are a series of answers tied to making more efficient use of existing network bandwidth, including implementing quality of service (QoS), at 6%; WAN optimization, at 3%; and network segmentation, also at 3%.

When it comes to making the network responsive to new technologies, respondents had the following points to make:

  • “We are segmenting the voice and data bandwidth.”
  • “I think that the biggest thing is compression due to bandwidth restraints.”
  • “QoS may be more of an issue in the future. Perhaps, UCS with media added may have some significant results in the future. We may have to rethink policies due to bandwidth needs.”
  • “Not really, we did a lot of the design last year with a 10Gb backbone.”

Tripwire to Acquire Vulnerability Assessment Provider nCircle

Thursday, March 21st, 2013

Daniel Kennedy, Research Director for Information Security

Although deal details remain confidential, Tripwire has announced a definitive agreement to acquire vulnerability assessment provider nCircle. Both vendors offer fairly staple security technologies (file integrity management and vulnerability assessment), both address compliance-driven security requirements, and vulnerability assessment is generally a good entry for a firm’s complementary security offerings. According to 451 Research’s M&A KnowledgeBase, nCircle had sales of around $35-40m last year, with approximately 20% year-over-year growth. The vendor offers both in-house (IP360) and cloud-based (PureCloud) vulnerability assessment options.

A brief look at the vulnerability assessment space from an enterprise point of view shows nCircle as a notable player in a crowded field. Qualys certainly takes pole position, with 20% of respondents having its tools in use. Rapid7, Tenable (Nessus), McAfee (Foundstone) and outside assessment services (Verizon, Trustwave) form a secondary group of which nCircle is a part. Homegrown/open source implementations still form a dominant piece of the vulnerability assessment practice at large enterprises as well.

Meanwhile, Tripwire has seen increased enterprise presence since its acquisition by Thoma Bravo. Narrative commentary from interviewees on Tripwire included the following:

  • “I like the upgrades that Tripwire has made.”
  • “Tripwire is trying to move from being an IT security company to an enterprise security company. It’s a huge transformation, and I hope they can pull it off.”
  • “Want to expand Tripwire beyond the compliance arenas to cover the entire enterprise.”
  • “I think Tripwire is way up there and really the only vendor that comes into mind [for file integrity monitoring].”

Compliance Is Calling the Shots

Monday, March 11th, 2013

Daniel Kennedy, Research Director for Information Security

When it comes to how projects end up in the information security manager’s queue, the overwhelming answer among the infosec pros we interviewed is that compliance decides what gets done. This isn’t surprising; audit/compliance activities in the wake of regulation, notably Sarbanes-Oxley, are being reported at a high level within large organizations. If these issues find their way to the board of directors or CEO’s desk a few times, that gives a person auditing IT systems and processes a very large stick with which to influence project direction. That said, does this approach ensure that the right security projects are being implemented, based on actual organizational risk?

Some manner of ROI calculation comes in as the second method; however, this may be a misnomer. Many CISOs admit to having few projects that fall into a classic ROI calculation, even in terms of performing the measurement using cost savings rather than additional new revenue. Many times mathematical gymnastics are performed to show some manner of cost avoidance with these calculations, but they are largely performed as a required fill-in to project submission.

Perhaps alarmingly, project approval based on the results of a risk assessment is tied for a distant third.

Narrative commentary from interviewees on the topic of project prioritization and approval included the following:

  • “Driven by compliance for the most part, plus a demonstrable metric for risk reduction.”
  • “First and foremost, compliance driven. ROI doesn’t play a big role here. The risk posture is key.”
  • “CIO talks to his boss (CEO) and they determine about CIO’s priorities – not a formal process at all.”
  • “We have a business justification form we fill out, and it goes to CIO and if approved we rock and roll. For compliance we take to chief counsel and then we rock and roll.”
  • “Compliance driven!”
  • “Sacred cow. When management wants it, they get it.”

10-Gigabit Ethernet Underpins Key Networking Business Projects

Thursday, February 28th, 2013

Daniel Kennedy, Research Director for Information Security

Networking projects tend to fall into one of two categories: first, projects that are in direct response to and easily explained as business requirements, and second, projects that ensure that the corporate network can support the performance and capacity needs of the business. Usually the first is used to ‘sell’ the second to internal stakeholders.

One of our interviewees alluded to the relationship between these types of projects during an interview in the recent networking study: “[10-Gigabit Ethernet is] limited in use, but it will spike next year as part of UC implementation.” In doing so, the respondent demonstrated how certain business projects, in this case unified communications, can depend on more general performance upgrades, such as the rollout of 10GigE.

10GigE rollouts ‘to the server’ experienced a jump ‘in use’ between the 2010 study and the most recent one, from 35% to 46%. Continued short-term growth of 8% is predicted, with a further 17% having rollouts penciled into their longer-term plans. Fifty-six percent (56%) of respondents with the technology ‘in use’ or ‘in plan’ expected to increase their spending levels on the technology in 2012.

Respondents discussing the rollout of 10GigE mentioned the following:

  • “The core will be 10 gig.” – LE, Energy/Utilities
  • “Both backbone and systems connections for 10 gig.” – LE, Education
  • “We are implementing UCS along with 10 gig networking and Nexus switches.” – LE, Financial Services
  • “That’s part of our background upgrade to 10 gig.” – LE, Industrial/Manufacturing
  • “We only think we’ll need 10 gig between the switches.” – MSE, Education

APT Is Marketing

Monday, February 25th, 2013

Daniel Kennedy, Research Director for Information Security

When presented with a Rorschach Test-style opportunity to say the first thing they thought of when they heard the term ‘APT,’ the largest percentage of security managers, 23%, replied ‘marketing.’ The term, like others such as ‘defense in depth,’ migrated over from a military usage and stands for ‘advanced persistent threats.’ The term has come into popular usage by firms that have been breached (“we were breached through a highly sophisticated attack”), those selling solutions into the security space, and those attempting to draw a line between the opportunistic attacker and one who, for whatever reason, is targeting you.

As with many amorphous terms, there are as many different definitions of APT as there are security companies that have tried to define it. At 451 we have toyed with the idea of converting the word ‘advanced’ to ‘adaptive’ per Josh Corman’s suggestion, to try to capture more accurately what makes the behavior of this type of actor distinct from others. Some have tried to say that APT represents only a well-funded adversary such as one sponsored by a nation-state. A highly motivated attacker targeting a specific victim with a desired outcome who is also capable of achieving that outcome seems to cover most of the bases of what might make a threat an APT.

Despite their characterization of APT as most often being ‘marketing,’ 68% of interviewed security managers stated they believed that APT represented a unique threat to enterprise security. Sixty-one percent (61%) believe their enterprises have been the target of an APT.

Narrative commentary from interviewees on the topic of advanced persistent threats (APTs) included the following:

  • “Nothing specific to APTs, just protecting against techniques such as social engineering that would be used in non-APT attacks.”
  • “I don’t think the term APT is a buzzword and doesn’t really describe anything in particular, but the whole idea of advanced malware is truthfully becoming a problem. It’s very targeted and runs at a low level where it is hard to detect.”
  • “The human firewall – human behavior – how to moderate and address it. Also, which technologies are hype? I want to know what NOT to waste my time on. APT and DLP come to mind – are they real?”

Oracle Gains Foothold in VoIP With Acme Packet Buy

Thursday, February 14th, 2013

Daniel Kennedy, Research Director for Information Security

Oracle has acquired session border controller provider Acme Packet for approximately $2bn in cash, providing a networking foothold especially among service providers as VoIP implementations, and more importantly unified communications implementations, continue to grow. Acme had suffered a bit prior to this acquisition, with sales down 10% through the first three quarters of 2012 and the company slipping into the red after previous years of being in the black. The 451 M&A KnowledgeBase contains further information on the details of the acquisition.

Session border controllers (SBCs) are a specialty device most often associated with VoIP implementations, responsible for the signaling and data streams in setting up, conducting and tearing down interactive communications, notably phone calls. The penetration of such devices is much more significant in service provider networks than in enterprise system environments, as demonstrated by the chart above, reflecting 22% ‘in use.’ That said, interviewees are considering Acme Packet for new enterprise deployments.

Security Convergence Went Nowhere

Wednesday, February 6th, 2013

Daniel Kennedy, Research Director for Information Security

A topic in security media around four years ago was ‘convergence,’ an irritatingly generic word used to describe the fusion of physical and information security disciplines under a single umbrella. This largely came into view based on a steady evolutionary path that saw the bulk of resources used to protect corporate assets shift from the protection of physical assets to the protection of information as it was held and passed around IT systems. That said, the human resources used to protect physical assets versus virtual ones were still largely different in demographic, coming to the positions via different experiential and educational paths. Still, the idea of having a single strategic leader overseeing both teams, and thus ensuring the touch points between each type of security function were efficiently exploited, was and is a compelling one.

While a great deal of mental gymnastics has been conceived over the years so that folks could say they were ‘converged’ because their physical and information security teams worked together in some way, in practical terms convergence is largely implemented by having a single corporate leader in charge of both.

In looking at convergence from this practical standpoint, in a black and white comparison separated by whether there is a single corporate leader responsible for both physical and information security, we find largely that there is not. Only 27% of the large US enterprises participating in our current Information Security Study reported having both functions bubble up to a single executive leader.

Narrative commentary from interviewees on the topic of security convergence included the following:

  • “Our IT sec guy was put in charge of physical security.”
  • “We are unusual in having a strong relationship with physical security people. At physical security conferences people ask, ‘How do you get IT people to do things?’ Physical security piece has traditionally been separate.”
  • “Security – it is an IT solution, [not just physical security,] not a stand-alone security solution; it’s not what it used to be. For example, the security for just the doors, that’s an enterprise security system. All of our facilities tied into one here, and that’s responsible for disseminating security and updates. It travels on the network. It’s [security is] not what it used to be.”

The Network Manager’s Top Projects

Friday, February 1st, 2013

Daniel Kennedy, Research Director for Information Security

As part of the Wave 9 Networking Study, network manager interviewees are asked for their top three projects. We then bubble the results to see which projects are at critical mass. A quick review finds that core networking upgrades, routers and switches, dominate the agendas of senior network managers at large North American enterprises, and this directly benefits core networking leader Cisco. This is little surprise, as the results were similar last year, and reflect a gradual easing of the constrictions put on network technology budgets at the start of the economic downturn in 2008.

The related project, a more general technology refresh, which includes firewalls and other equipment, takes the third spot, providing benefit to both Cisco and Check Point. Network expansion comes in at sixth place. General ‘wireless’ projects and the more specific installation or upgrade of wireless LANs take the second and fifth positions, respectively, benefiting Cisco and Aruba Networks. Business-driven initiatives including VoIP (and unified communications) as well as WAN optimization round out the top efforts, benefiting Cisco and Avaya for the first, and primarily Riverbed for the second.

Interviewees provided the following narrative commentary around their top projects:

  • “Replacing hardware in all warehouses – removed all Nortel to go to Cisco. Going to Motorola for wireless from old 900MHz stuff from Sada. We are removing old Cisco firewalls. IPS is also going away. Replacing with Palo Alto across the whole enterprise.”
  • “We haven’t touched our network architecture in 10 years or so. If someone were to call 911, our system would not tell security where the person is on campus.”
  • “Moving MPLS to a managed service – I don’t want to buy any new routers any more. We’ve done a managed service standalone from our corporate network. The carrier has better visibility.”
  • “Most of the core switches will be replaced. Wireless implementation for all offices. Haven’t yet decided the type mobile device security. We’re ad hoc today on device preferences.”

Dell Acquires Credant

Monday, January 21st, 2013

Daniel Kennedy, Research Director for Information Security

Late in December, Dell announced the completion of the acquisition of its OEM partner Credant Technologies, whose Data Protection Suite is available on Dell laptops and workstations. While deal terms weren’t disclosed, our own M&A team notes that recent similar deals have been in the range of two to four times revenue and that Credant likely had revenue in the $20-30m range.

With Credant’s encryption capabilities, Dell has now firmed up its security portfolio. However, some may have overlooked that Credant’s endpoint data-loss prevention (DLP) product is a legitimate enterprise option in what is a hot security technology. Endpoint DLP ranked second in TheInfoPro’s Information Security Heat Index.

Endpoint DLP showed an 8% short-term growth rate among interviewees in 2011 and very nearly filled that quota in 2012, moving from 21% to 28% ‘in use’ at respondent enterprises. 2012’s study predicts 10% short-term growth alongside 14% penciling in DLP in the longer term. Fifteen percent (15%) of respondents with DLP said their spending will increase. The market is currently dominated by two of the large endpoint security providers: Symantec and McAfee.

Narrative commentary from interviewees on Credant as well as previous and potential Dell acquisitions included the following:

  • “Just migrated to Credant from PointSec on one side and PC Guardant on the other company side.”
  • “I like SonicWall; big concern now is that Dell is looking to buy them. You have to pay for every feature, too many different licensing requirements. Every time you turn a feature on, performance drops. I think they over-rate their abilities at times as well.”
  • “Chief Executive Auditor is leading the pack on vulnerability assessment. Dell’s recent acquisition provides broad security protection. Impressed on their speed in this arena.”
  • “We have used Dell SecureWorks for three years. Originally they were a division of VeriSign. Firewall and security services were originally SecureWorks. Under VeriSign they were more focused and customer aware. It’s our largest contract. They don’t understand our environment very well — especially our firewalls, which are pretty cookie-cutter. They have difficulties understanding the one-offs.”

Network Vendors That Are ‘Locked In’

Monday, January 14th, 2013

Daniel Kennedy, Research Director for Information Security

The Wave 9 Networking Study, like all studies at TheInfoPro, looks closely at what is causing network managers pain and which vendors they are considering switching away from. The corollary to that information is how difficult it would be to switch from a networking vendor’s product and services. How many hooks do they have into the enterprise network that raise the relative amount of pain they need to cause to actually be removed from the environment? TheInfoPro measures that level of ‘technical stickiness’ by having interviewees provide information on vendor lock-in strength.

While many customers value modularity and the ability to switch products as needs progress, the reality is that for vendors this is not necessarily a positive; instead, once installed they would like to be a difficult provider to remove (ostensibly of course the greatest preference is to have total client satisfaction alongside dependency). Comparing vendors this way can be somewhat difficult, as providers sell very different products to the enterprise market as well, meaning comparing routers to Web content filters, for example, comes with some caveats.

F5 Networks, with interviewees primarily discussing application delivery controllers, was cited as this study’s vendor that was easiest to remove from an environment from a technical standpoint. Microsoft, mainly discussing OS, and Cisco, mainly discussing core networking equipment, were viewed as the most difficult to displace technically.