Archive for March, 2007

RSA Conference Virtualization Panel – Audio Session Available

March 15th, 2007 No comments

According to the folks at RSA, people really wanted the audio recording  of the DEPL-107 "Virtualization and Security" panel session I was on @ this year’s RSA show. 

The room was filled to the brim and I think ultimately it’s worth the listen.  Good balance of top-down and bottom-up taxonomy of the challenges virtualization brings to the security world.

The kind folks @ RSA decided that rather than charge for it, they would release it for free:

"Demand for these six sessions was so high at RSAR Conference 2007 that we’re providing the audio recordings for all to enjoy for free. Please download the session audio files below, and enjoy!"

If you think I write a lot, I talk a hell of a lot more!  Yikes.

Here is the link to the .mp3 of the DEPL-107 Session.

Enjoy.  /Hoff

How to make a Security Sandwich out of Ron Gula and Stephen Toulouse? Just add Hoff…

March 14th, 2007 2 comments

Firstly, my apologies to both Ron and Stephen for the grotesque visual…especially when you consider that this ridiculous analog is all the more absurd when you consider that I’m suggesting I’m the bologna in the middle. 


As I write this, I regret it immediately.

I’m referring to being included — along with the usual cast of characters; Rothman, Shimel, Williams, Stiennon, etc. — in’s Top 59 Influencers in IT Security listing.  I’m #24, right in between Gula and Toulouse!  This is how we roll, yo!

I’m sure Alan’s going to complain that Amrit beat him out for #1, but I find it hysterical that John Thompson and Tom Noonan are below me!  Technically, I’m listed twice; once in the bloggers section and again under the Corporate Security Officers section. 

The only way this list is in actual order of anything is the possibility that the ranking represents the number of complaints regarding content from my rabid blog readership of 4 (and you know who you are.)  Nonetheless, thanks for voting 6 times each, ya’ll!   

You can check out this interesting list of people here.


The semantics of UTM messaging: Snake Oil and Pissing Matches

March 14th, 2007 No comments
Those of you who know me realize that no matter where I go, who I work for or who’s buying me drinks, I am going to passionately say what I believe at the expense of sometimes being perceived as a bit of a pot-stirrer. 

I’m far from being impartial on many topics — I don’t believe that anyone is truly impartial about anything —  but at the same time, I have an open mind and will gladly listen to points raised in response to anything I say.  I may not agree with it, but I’ll also tell you why. 

What I have zero patience for, however, is when I get twisted semantic marketing spin responses.  It makes me grumpy.  That’s probably why Rothman, Shimmy and I get along so well.

Some of you might remember grudge match #1 between me and Alex Niehaus, the former VP of Marketing for Astaro (coincidence?)  This might become grudge match #2.  People will undoubtedly roll their eyes and dismiss this as vendors sniping at one another.  So be it.  Please see paragraphs #1 and 2 above. 

My recent interchange with Richard Stiennon is an extension of arguments we’ve been having for a year or so from when Richard was still an independent analyst.  He is now employed as the Chief Marketing Officer at Fortinet. 

Our disagreements have intensified for what can only be described as obvious reasons, but I’m starting to get as purturbed as I did with Alex Neihaus when the marketing sewerage obfuscates the real issues with hand-waving and hyperbole. 

I called Richard out recently for what I believed to be complete doubletalk on his stance on UTM and he responded here in a comment.  Comments get buried so I want to bring this back up to the top of the stack for all to see.  Don’t mistake this as a personal attack against Richard, but a dissection of what Richard says.  I think it’s just gobbledygook.

To be honest, I think it took a lot of guts to respond, but his answer makes my head spin as much as Anna Nicole Smith in a cheesecake factory.  Yes, I know she’s dead, but she loved cheesecake and I’m pressed for an analogy.

The beauty of blogging is that the instant you say something, it becomes a record of "fact."  That can be good or bad depending upon what you say. 

I will begin to respond to Richard’s retort wherein he first summarily states:

Here is where I stand. I hate the huge bucket that UTM has become.  Absolutely every form of gateway security can be lumped in to this
category that IDC invented. We discussed this at RSA on the panel that
Mr. Rothman so graciously hosted.

I also assume that this means Richard hates the bit buckets that Firewall, IPS, NAC, VA/VM, and Patch Management (as examples) have become, too?   This trend is the natural by-product of marketers and strategists scrambling to find a place to hang their hat in a very crowded space.  So what.

UTM is about solving applied sets of business problems.  You can call it what you like, but the only reason marketeers either love or hate UTM usually depends upon where they sit in the rankings.  This intrigues me, Richard, because (as you mention further on) Fortinet pays to be a part of IDC’s UTM Tracker, and they rank Fortinet as #1 in at least one of the product price ranges, so someone at Fortinet seems to think UTM is a decent market to hang a shingle on.

Hate it or not, Fortinet is a UTM vendor, just like Crossbeam.  Both companies hang their shingles on this market because it’s established and tracked.

When trying to classify a market you
look for common traits and, even better, common buying patterns, to
help lump vendors or products in to a category. But for Crossbeam,
Fortinet, and Astaro to be lumped together has always struck me as a
sign that the UTM "market" was not going to work.

You’re right.  Lumping Crossbeam with Fortinet and Astaro is the wrong thing to do.  πŸ˜‰

Arguing the viability of a market which has tremendous coverage and validated presence seems a little odd.  Crafting a true strategy of differentiation as to how you’re different in that market is a good thing, however.

I much prefer the Gartner view (as I would) of Security Platforms.
These are devices that are able to apply security policies using a
bunch of different methods and they can loosely be thrown on to a grid…

So what you’re saying is that you like the nebulous and ill-defined blob that is Gartner’s view, don’t like IDC, but you’ll gladly pay for their services to declare you #1 in a market you don’t respect?

Now, yes, I did join a company that IDC considers to be a major UTM
player- leading in volume shipments in those parts of 2006 that they
are reporting. But, I was an independent analyst and I NEVER classified
Fortinet as a UTM play.

You mean besides when you said:

"By all accounts the so called UTM market is doing very well with players like Fortinet, Barracuda, Sonicwall, Astaro, and Watchguard, evidently seeing considerable success" 

Just in case you’re interested, you can find that quote here.   There are many, many other examples of you saying this, by the way.  Podcasts, blog entries, etc.

Also, are you suggesting that Fortinet does not consider itself a UTM player?  Someone better tell the Marketing department.  Look at one of your news pages on your website.  Say, this one, for example — 10 articles have UTM in the title and your own Mr. Akomoto (VP of Fortinet, Japan) says "The UTM market was pioneered by us," says Mr. Okamoto, the vice-president of Fortinet Japan. Mr. Okamoto explains how Fortinet created the UTM category, the initial
popularity of UTM solutions with SMBs…" 

Heck, in the 24 categories for the security
market that I maintained I did not even track UTMs. As I tracked
Fortinet over the years I considered them a security platform vendor
and one that just happened to be executing on my vision for the network
security space.

Yes, I understand how much you dislike IDC.  Can you kindly show reference to where you previously commented on how Fortinet was executing on your vision for Secure Network Fabric?  I can show you where you did for Crossbeam — it was at our Sales Meeting two years ago where you presented.  I can even upload the slide presentation if you like.

As you know Chris I have always been a big fan of Crossbeam and in
the interest of full disclosure, Crossbeam was a client while I was a
Gartner analyst and my second client when I launched my own firm. Great
people and a great product.

Richard, I’m not really looking for the renewal of your Crossbeam Fan Club membership…really.

Crossbeam is the security platform of
choice for running legacy security apps.

Oh, now it’s on!  I’m fixin’ to get "Old Testament" on you!

Just so we’re clear, ISV applications that run on Crossbeam such as XML gateways, web-application firewalls, database firewalls and next generation network converged security services such as session border controllers are all UTM "legacy applications!?" 

So besides an ASIC for AV, what "new" non-legacy apps does Fortinet bring to the table?  I mean now.  From the Fortinet homepage, please demonstrate which novel new applications that Firewall, IPS, VPN, Web filtering and Antispam represent?

It must suck to have to craft a story around boat-anchor ASICs that can’t extend past AV offload.  That means you have to rely on software and innovation in that space.  Cobbling together a bunch of "legacy" applications with a nice GUI doesn’t necessarily represent innovation and "next generation." 

Now let’s address the concept of running multiple security defenses
on one security platform. Let’s take three such functions, Firewalling,
VPN, and IPS. Thanks to Checkpoint, firewalls and VPN are frequently
bundled together. It has become the norm, although in the early days
these were separate boxes. Now, you can either take a Snort
implementation and bolt it on to your firewall in such a way that a
signature can trigger a temporary block command ala Checkpoint and a
bunch of other so called IPS devices or you can create a deep packet
inspection capable firewall that can apply policies like: No Worm
Traffic. To do the latter you have to start from scratch. You need new
technology and several vendors do this pretty well.

It’s clear you have a very deluded interesting perspective on security applications. The "innovation" that you’re suggesting differentiates what has classically been described as the natrual evolution of converging marketspaces.  That over-played Snort analogy is crap.  The old "signature" vs. "anomaly detection" argument paired with "deep packet inspection" is tired.  Fortinet doesn’t really do anything that anyone else can’t/doesn’t already do.  Except for violating GPL, that is.

I suppose now that Check Point has acquired NFR, their technology is crap, too?  Marcus would be proud.

So, given a new way to firewall (payload inspection instead of
stateful inspection) what enterprise would choose *not* to use IPS
capability in their firewall and use a separate device behind the
firewall? See the trouble? A legacy firewall is NO LONGER BEST OF
BREED! The best of breed firewall can do IPS.

Oh come on, Richard.  First of all, the answer to your question is that many, many large enterprises and service providers utilize a layered defense and place an IPS before or after their firewall.  Some have requirements for firewall/IDS/IPS pairs from different vendors.  Others require defense in depth and do not trust that the competence in a solutions provider that claims to "do it all."

Best of breed is what the customer defines as best of breed.  Just to be clear, would you consider Fortinet to be best of breed?

If you use a Crossbeam, by the way, it’s not a separate device and you’re not limited to just using the firewall or IPS in "front of" or "behind" one another.  You can virtualize placement wherever you desire.  Also, in many large enterprises, using IPS’s and firewalls from separate vendors is not only good practice but also required.

How does Fortinet accomplish that?

Your "payload inspection" is leveraging a bunch of OSS-based functionality paired with an ASIC that is used for AV — you know, signatures — with heuristics and a nice GUI.  Whilst the Cosine IP Fortinet acquired represents some very interesting technology for provisioning and such, it ain’t in your boxes.

You’re really trying to pick a fight with me about Check Point when you choose to also ignore the fact that we run up to 15 other applications such as SourceFire and ISS on the same platform?  We all know you dislike Check Point.  Get over it.

I have spent eight of the last 12 weeks on the road meeting our
large enterprise clients in the Americas, Asia, and EMEA. None of them
shop comparatively for UTM appliances. Every single customer was
shopping for firewall upgrades, SSL VPN, spam or virus filtering
inline, etc.

Really?  So since you don’t have separate products to address these (Fortinet sells UTM, afterall) that means you had nothing to offer them?  Convergence is driving UTM adoption.  You can call it what you want, but you’re whitewashing to prove a flawed theorem.

During the sales process they realize the benefit of
combined functionality that comes with the ability to process payloads
and invariably sign up for more than just a single security function.
Does that mean UTM is gaining traction in the enterprise? To me the
answer is no. It means that the enterprise is looking for advanced
security platforms that can deliver better security at lower capex and

…and what the heck is the difference between that and UTM, exactly?  People don’t buy IPS, they buy network level protection to defend against attack.  IPS is just the product catagory, as is UTM. 

I would lay off the Bourbon Chris. Try a snifter of my 16 yr old
Lagavulin that I picked up in London this Friday. It will help to
mellow you out.

I don’t like Scotch, Richard.  It leaves a bad taste in my mouth…sort of like your response πŸ˜‰

Risk Assessment Does Not Equal Risk Management

March 12th, 2007 1 comment

Symantec announced the acquisition of 4FrontSecurity today and will absorb their product/service offerings into Symantec’s Security and Compliance Management group.  The press release sadly describes the deal within the context of a very myopic view of managing risk today:

[the acquisition will]…bring new tools to capture and track procedural controls and measure them against a variety of industry best practices and standards

Put another way, "we’ll dress up compliance management by calling it Risk Management."  And just to be clear, risk assessment is not the same as risk management.

4FrontSecurity is a small company that is focused on an emerging market niche that allows companies to automate the collection, processing, articulation and compliance measurements of risk assessment data.  Again, that’s not the same thing as managing risk.  Managing risk includes asset mapping, business impact, remediation and modeling, amongst other things.  Until we are also able to factor in the human element, risk management tools will never be truly complete. 

I posted last week about Skybox in particular.  RedSeal Systems also has a similar product.  Each of these products provides for the articulation of a company’s risk posture from a slightly different perspective.  I have not had any hands-on experience with RedSeal, but I have with Skybox.  I had zero visibility into 4FrontSecurity’s products, so I have no empirical way of comparing the three products. 

I am frustrated to see that the trend continues as these larger security Risk Management companies (a la Symantec, McAfee, etc.) start to encapsulate this compliance-driven measurement approach within their larger "risk management" messaging while continuing to expand upon their toolset portfolios one acquisition at a time.

Recently, PatchLink acquired STAT from Harris to "…allow PatchLink to improve its vulnerability
management products to help enterprises address risk management and
policy-based compliance."  Vulnerability and patch management does not equal risk management.

I’m glad to see companies using the term Risk Management, I just wish it was within the proper context and wasn’t done to perfume a pig.


Categories: Risk Management Tags:

In the UK this Week…

March 7th, 2007 No comments

Forgot to mention that I’m in the UK this week.  I’m sure you’re all relieved to know that.  Not to worry, I shall continue to execute on my Blogsolidation strategy and bring you the best in Web2.5.

DangerousgolfcourseJust so as nobody feels sorry for me, we have a two day event at Turnberry in Scotland. Amazing place for golf, this.  I shoot in the 70’s…any colder than that I won’t play πŸ˜‰

If you’re in London, Edinburgh or Glasgow, ping me and I’ll buy you a beverage of
your choice.  If you happen to be going to the 6 Nations Ireland vs. Scotland match on Saturday, I’ll be there!  Because our VP of Customer Support is Scottish, I am obligated to cheer for them.  I will be drinking Guiness, however.  Just to be fair, you see.


Categories: Travel Tags:

Massive Security Blog Consolidation Underway: RationalSecurity to Acquire “StillSecure After All These Years” Blog

March 3rd, 2007 11 comments
BOSTON MA, March 3 /PRNewswire/ - Rational Security 
BlogoDomination Corp. (RSBC) announced its intention
today to continue the expansion of its consolidation
strategy in the overly saturated Security Blog Market
with the unsolicited hostile takeover bid and acquisition
of Alan Shimel's "StillSecure After All These Years
(SSAATY)" Blog.

Christofer Hoff, CEO and Dark Overlord of the Security
Blogsolidation Dominion, today announced that upon
release of SSAATY's recent earnings report showing a
marked uptake in revenues with income hovering at over
$18 per month, that RSBC would offer an unheard of 20X
revenue multiplier in a stock-for-stock exchange and
an "I (heart) NAC" bumper sticker.

Alan Shimel, SSAATY's CEO/CTO/CMO/CIO/CFO/CSO refused
comment other than to crisply and vehemently reject
Hoff's bid citing unacceptable terms; balking at only a
20X multiplier, he pointed to Ken Xie's $4B sale of
NetScreen to Juniper and suggested that Hoff "...get real if he expects this bulls**t
takeover attempt to warrant any sort of attention other than a trackback and lower
Technorati rating." 

Art Coviello, CEO of RSA, complemented his prognostications from his recent 2007 RSA
Security Conference keynote wherein he stated that there would there not be any
independent security companies in 3 years, and Hoff's RSBC would "...subsume all
security blogs within the same timeframe."  Mike Rothman was quoted as "...not giving
a crap because neither of them purchased a copy of the P-CSO." 

Hoff's response was just as shrill, "If Shimel doesn't pony up like the little bitch
that he is, I'll buy his lap dog Mitchell's blog instead."


Christofer Hoff Alan Shimel
CEO and Dark Overlord of the Security CEO/CTO/CMO/CIO/CFO/CSO
Blogsolidation Dominion StillSecure After All These Years

When Blogging goes bad…

March 3rd, 2007 3 comments

Hey, do you remember reading this little snippet as a quote from a certain industry personality we all know and love in regards to his lack of love for UTM?

"I have a problem with the idea of Universal Threat Management
appliances.  Leaving aside the horrible terminology (Who wants to
manage threats? Don’t you want to block them and forget about them?)
the question that I always ask is: If best-of-breed is the standard for
large enterprises why would it be good practice for a smaller entity to
lump a lot of security functions such as firewall, email gateway, spam
filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability
management all in one under-powered device?"

I’ll give you a hint.  It was posted here by the original author and I responded to it, here.

That’s right!  It was my buddy, Richard Stiennon — lambasting Universal (sic) Threat Management appliances…like those of Fortinet, before they offered him a job.  Perhaps Fortinet doesn’t count because they make Unified, not Universal, Threat Management devices?

Don’t hate the player, baby, hate the game!  (i.e., be careful what you blog, it could come back to hire haunt you.)

Sorry, Rich.  3 Bourbons and a long week make Johnny a lit boy.  Couldn’t help myself.  Fire Away!


Chuck Norris Can’t Kill SOA

March 3rd, 2007 3 comments

As a reprise to the cartoon published earlier today, here’s all you ever need to know about SOA; well, a few things actually.  The entire list is here. 

  • SOA is the only thing Chuck Norris can’t kill.
  • SOA invented the internet, and the internet was invented for SOA.
  • SOA is not complex. You are just dumb.
  • In the last year, SOA increased Turkey’s GDP by a factor of 10.
  • One person successfully described SOA completely, and immediately died.
  • Another person successfully described SOA completely, and was immediately outsourced.
  • Larry Ellison once died in a terrible accident, but was quickly
    given SOA. He came back to life, built a multibillion dollar software
    company, and now flies fighter jets.
  • Guns don’t kill people, the SOA WS-* stack kills people.
  • SOA can write and compile itself.
  • SOA is an anagram for OSA, which means female bear in spanish. It
    is a well-known fact in the spanish-speaking world that female bears
    are able to model business processes and optimize reusable IT assets
    better than any other hibernating animal.
  • SOA is so great 10 facts aren’t enough.
  • SOA is the mistress to all CIOs.
  • SOA is just one letter away from SOB. On purpose.
  • If a tree falls in the forest, SOA knows about it.
  • If you google ‘SAP’ and ‘Chuck Norris’, the top site is SOA Facts.
  • SOA is being used in the developing world to solve hunger. Entire populations will be fed on future business value.

…now you know.

Categories: Uncategorized Tags: calls out boxes that go Whirr in the night…

March 2nd, 2007 No comments

Funny.  For more chuckles, see SecurityBullshit!Appliancebs_1

Hey, at least I’ve never said "military grade hardware." πŸ˜‰

Categories: General Rants & Raves Tags:

Web 2.0 can’t be protected by Web 1.0 Security Models when Attackers are at Attacker 3.0…

March 2nd, 2007 No comments

Gunnar Peterson (1 Raindrop blog) continues to highlight the issues of implementing security models which are not keeping pace with the technology they are deployed to protect.  Notice I didn’t say "designed" to protect.

Specifically, in his latest entry titled "Understand Web 2.0 Security Issues – As Easy as 2, 1, 3" he articulates (once again) the folly of the security problem that we cannot solve because we simply refuse to learn from our mistakes and proactively address security before it becomes a problem:

"So let’s do the math, we have rich Web 2.0 and its rich UI and lots
of disparate data and links, we are protecting these brand new
2007-built apps with a Web 1.0 security model that was invented in
1995. This would not be a bad thing at all if the attacker community
had learned nothing in the last 12 years, alas they have already
upgraded to attacker 3.0, and so can use Web 2.0 to both attack and distribute attacks.

2.0 functionality, 1.0 security, 3.0 attackers. this cannot stand."

A-Friggin’-Men.  Problem is, unless we reboot the entire human race (or at least developers and security folk) it’s going to take a severe meltdown to initiate change.

Oh, and BTW, just because it bugged me when Thomas Ptacek bawked while asking what I meant in a presentation of mine where I said:

"What happens when we hit Web3.0 and we’re still only at
Security 2.4beta11?"

…and he asked:

What does this even mean?

…the answer is simple: Please see Gunnar’s post above.  It’s written much better, but i trust this is all cleared up now?