Rational Survivability

On September 24-25th, InfoWorld will host their Virtualization Executive Forum in NYC which promises "…two days of
technical breakout sessions, case studies and industry expertise on
server, desktop, application, storage and file virtualization
technologies."

Here’s the overview:

Designed for those
who are evaluating where to begin and for those already implementing
virtualization technologies, InfoWorld’s Virtualization Executive Forum
features:

• Analyst perspectives on innovative uses of virtualization adoption
  rates and trends, and policy-based datacenter automation
  
• In-depth
  sessions examining Virtual Machines and Security, Open Source
  Virtualization, Business Continuity/Disaster Recovery, and more.
• Industry
  Keynotes from IT end users addressing the challenges, pitfalls,
  results, and benefits of their implementations
• A
  spotlight on Green IT practices and its potential for cost savings and
  reducing power and cooling needs in large datacenters.
  

In
addition to the in-depth case studies and industry panels you have come
to expect from InfoWorld’s Executive Forums, this fourth edition has
added another key ingredient to the mix: more opportunities for you and your peers to  collaborate and share experiences.

For an "executive forum" they have an interesting split-track breakout agenda; one track features case studies and the other focuses on technical presentations and panels.

Here’s the rub, did you notice that the word "security" appears only twice in the entire agenda, once in the keynote address and once more in a case-study breakout session on day two regarding applications of virtualization.  While I recognize that this is supposedly targeted at "executives," let’s take a look at the technical track breakout topics:

• 
  Vendor Crossfire: x86 Server Virtualization
• Getting Started with Server Virtualization
• Technical Track: Physical to Virtual Migration
• Leveraging Virtualization for Information Availability and Business Continuity
• Lessons from Big Iron: The Power of RISC UNIX Virtualization
• Open Source Hypervisor: Zeroing in on Xen
• VM Management and Monitoring
• Scaling Virtual Infrastructure

Not a mention of security in the bunch.  This is asinine. If you’re at all curious as to why security is an after-thought in emerging markets, look no further than this sort of behavior. 

…and don’t just tell me that security is "assumed."

If the executives who attend this two day forum walk away with a head full of fun new ideas and cautionary tales regarding virtualization and the closest thing to security they got was the valet guarding the doughnuts during the break, don’t anybody get surprised in 18 months when the house of cards come tumbling down.

InfoWorld, what the hell!?  How about ONE session — even a panel — titled something as simple as "Virtualization and Security – A Discussion You Need to Have."

In fact, you’re welcome to at least just print out my presentation from a couple of days ago and give it to your attendees.  At least they’ll walk away with something relating to security and virtualization.  850+ people from my blog already have more information on security and virtualization *for free* than is being presented at the forum.

Listen, I feel so strongly about this that I’ll speak for free on the topic — I’ll pay my own hotel, airfare, etc…and you can keep the doughnuts during the break.

By the way, I find it deliciously ironic that when I clicked on the "Visit Virtualization Portal" link in the above graphic, I was greeted by this little gem:

I’m sure this is probably running on a "real" server.  A virtualized instance would never have this sort of problem, right? 😉

/Hoff

Mark Wood from nCircle blogged about his recent experience at the Gartner IT Security Summit in D.C.  Alan Shimel commented on Mark’s summary and both of them make an interesting argument about how Gartner operates as the overall gauge of the security industry.  Given that I was  also there, I thought I’d add some color to Mark’s commentary:

In 2006, there were two types of solutions that seemed to dominate
the floor: network admission control and data leakage (with the old
reliable identity and access management coming in a strong third). This
year, the NAC vendors were almost all gone and there were many fewer
data leakage vendors than I had expected. Nor was there any one type of
solution that really seemed to dominate.

…that’s probably because both of those "markets" are becoming "features" (see here and here) and given how Gartner proselytizes to their clients, features and those who sell them need to spend their hype-budgets wisely and depending upon where one is on the hype cycle (and what I say below,) you’ll see less vendors participating when the $ per lead isn’t stellar.  Lots and lots of vendors in a single quadrant makes it difficult to differentiate.

The question is: What does this mean? On the one hand, I continue to
be staggered by the number of new vendors in the security space. They
seem to be like ants in the kitchen — acquire one and two more crawl
out of the cracks in the window sill. It’s madness, I tell you! There
were a good half a dozen names I had never seen before and I wonder if
the number of companies that continue to pop up is good or bad for our
industry. It’s certainly good that technological innovation continues,
but I wonder about the financial status of these companies as funding
for security startups continues to be more difficult to get. There sure
is a lot of money that’s been poured into security and I’m not sure how
investors are going to get it back.

Without waxing on philosophically on the subconscious of the security market, let me offer a far more simple and unfortunate explanation:

Booth space at the Gartner show is one of, if not the most, expensive shows on the planet when you consider how absolutely miserable the scheduling of the expo hours are for the vendors.  They open the vendor expo at lunch time and during track sessions when everyone is usually eating, checking email, or attending the conference sessions!  It’s a purely economic issue, not some great temperature taking of the industry.

I suppose one could argue that if the industry were flush with cash, everyone showing up here would indicate overall "health," but I really do think it’s not such a complex interdependency.  Gartner is a great place for a booth if you’re one of those giant, hamster wheel confab "We Do Everything" vendors like Verisign, IBM or BT.

I spoke to about 5 vendors who had people at the show but no booth.  Why?  Because they would get sucked dry on booth costs and given the exposure (unless you’re a major sponsor with speaking opportunities or a party sponsor) it’s just not worth it.  I spoke with Ted Julian prior to his guest Matasano blog summary, and we looked at each other shaking our heads.

While the quality of the folks visiting are usually decision makers, the foot traffic is limited in the highly-compressed windows of availability.  The thing you really want to do is get some face time with the analysts and key customers and stick and move. 

The best bang for the exposure buck @ Gartner is the party at the end of the second day.  Crossbeam was a platinum sponsor this year; we had a booth (facing a wall in the back,) had two speaking sessions and sponsored a party.  The booth position and visibility sucked for us (and others) while the party had folks lined out the door for food, booze and (believe it or not) temporary tattoos with grown men and women stripping off clothing to get inked.  Even Stiennon showed up to our party! 😉

On the other hand, it seemed that there was much less hysteria than
in years past. No
"we-can-make-every-one-of-your-compliance-problems-vanish-overnight" or
"confidential-data-is-seeping-through-the-cracks-in-your-network-while-you-sleep-Run!-Run!"
pitches this year. There seems to be more maturity in how the industry
is addressing its buying audience and I find this fairly encouraging.
Despite the number of companies, maybe the industry is slowing growing
up after all. It’ll be interesting to see how this plays out.

Well, given the "Security 3.0 theme" which apparently overall trends toward mitigating and managing "risk", a bunch of technology box sprinkling hype doesn’t work well in that arena.  I would also ask whether or not this really does represent maturity or the "natural" byproduct of survival of the fittest — or those with the biggest marketing budgets?  Maybe it’s the same thing?

/Hoff

Interop has has been great thus far.  One of the most visible themes of this year’s show is (not suprisingly) the hyped emergence of 10Gb/s Ethernet.  10G isn’t new, but the market is now ripe with products supporting it: routers, switches, servers and, of course, security kit.

With this uptick in connectivity as well as the corresponding float in compute power thanks to Mr. Moore AND some nifty evolution of very fast, low latency, reasonably accurate deep packet inspection (including behavioral technology,) the marketing wars have begun on who has the biggest, baddest toys on the block.

Whenever this discussion arises, without question the notion of "carrier class" gets bandied about in order to essentially qualify a product as being able to withstand enormous amounts of traffic load without imposing latency. 

One of the most compelling reasons for these big pieces of iron (which are ultimately a means to an end to run software, afterall) is the service provider/carrier/mobile operator market which certainly has its fair share of challenges in terms of not only scale and performance but also security.

I blogged a couple of weeks ago regarding the resurgence of what can be described as "clean pipes" wherein a service provider applies some technology that gets rid of the big lumps upstream of the customer premises in order to deliver more sanitary network transport.

What’s interesting about clean pipes is that much of what security providers talk about today is only actually a small amount of what is actually needed.  Security providers, most notably IPS vendors, anchor the entire strategy of clean pipes around "threat protection" that appears somewhat one dimensional.

This normally means getting rid of what is generically referred to today as "malware," arresting worm propagation and quashing DoS/DDoS attacks.  It doesn’t speak at all to the need for things that aren’t purely "security" in nature such as parental controls (URL filtering,) anti-spam, P2P, etc.  It appears that in the strictest definition, these aren’t threats?

So, this week we’ve seen the following announcements:

• ISS announces their new appliance that offers 6Gb/s of IPS
• McAfee announces thei new appliance that offers 10Gb/s of IPS

The trumpets sounded and the heavens parted as these products were announced touting threat protection via IPS at levels supposedly never approached before.  More appliances.  Lots of interfaces.  Big numbers.  Yet to be seen in action.  Also, to be clear a 2U rackmount appliance that is not DC powered and non-NEBS certified isn’t normally called "Carrier-Class."

I find these announcements interesting because even with our existing products (which run ISS and Sourcefire’s IDS/IPS software, by the way) we can deliver 8Gb/s of firewall and IPS today and have been able to for some time.

Lisa Vaas over @ eWeek just covered
the ISS and McAfee announcements and she was nice enough to talk about
our products and positioning.  One super-critical difference is that along with high throughput and low latency you get to actually CHOOSE which IPS you want to run — ISS, Sourcefire and shortly Check Point’s IPS-1.

You can then combine that with firewall, AV, AS, URL filtering, web app. and database firewalls and XML security gateways in the same chassis to name a few other functions — all best of breed from top-tier players — and this is what we call Enterprise and Provider-Class UTM folks.

Holistically approaching threat management across the entire spectrum is really important along with the speeds and feeds and we’ve all seen what happens when more and more functionality is added to the feature stack — you turn a feature on and you pay for it performance-wise somewhere else.  It’s robbing Peter to pay Paul.  The processing requirements necessary at 10G line rates to do IPS is different when you add AV to the mix.

The next steps will be interesting and we’ll have to see how the switch and overlay vendors rev up to make their move to have the biggest on the block.  Hey, what ever did happen to that 3Com M160?

Then there’s that little company called Cisco…

{Ed: Oops.  I made a boo-boo and talked about some stuff I shouldn’t have.  You didn’t notice, did you?  Ah, the perils of the intersection of Corporate Blvd. and Personal Way!  Lesson learned. 😉 }

According to the folks at RSA, people really wanted the audio recording  of the DEPL-107 "Virtualization and Security" panel session I was on @ this year’s RSA show. 

The room was filled to the brim and I think ultimately it’s worth the listen.  Good balance of top-down and bottom-up taxonomy of the challenges virtualization brings to the security world.

The kind folks @ RSA decided that rather than charge for it, they would release it for free:

"Demand for these six sessions was so high at RSAR Conference 2007 that we’re providing the audio recordings for all to enjoy for free. Please download the session audio files below, and enjoy!"

If you think I write a lot, I talk a hell of a lot more!  Yikes.

Here is the link to the .mp3 of the DEPL-107 Session.

Enjoy.  /Hoff

Africa.  Check.

San Francisco.  Check.

Barcelona.  Here I come.

Divorce Court.  Hope not!

I’ll be heading to Barcelona for the 2007 3GSM World Congress.  No speaking engagements, but much to Alan’s delight and to avert more disgust regarding objectifying women in the security industry, we’ve opted not for booth babes, but instead, I’ll be parading around our booth in a thong with a 1990’s Motorola StarTac duct-taped to my head.

I apologize in advance.

If you happen to be in Barcelona or Madrid (later in the week,) please let me know.  I’ll buy you a beer (or Sangria.)

Chris