Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘Check Point’

Cisco Bolts Into High-End Network Security — Again!

Wednesday, October 6th, 2010

If you look at revenue numbers, Cisco is the clear leader in network security. That said, the company has been far less visible over the last few years–especially at the high-end of the market in consolidated data centers, wired and wireless carrier networks, and cloud computing infrastructure. This opened this lucrative market to Juniper’s SRX and the security duo of Crossbeam Systems/Check Point.

As the saying goes, “never wake the sleeping giant.” In an unprecedented series of announcements yesterday, Cisco announced its new high-end security system, the ASA 5585X. Cisco’s deepening data center chops are clearly evident here. The ASA 5585X is a 2 rack unit appliance, a small form factor that one-ups the competition in terms of power, space, and cooling but still delivers massive data center performance from 2Gb to 20Gb of throughput. Cisco also demonstrated that it is paying attention to the mobile Internet market by emphasizing that the 5585X can deliver up to 350,000 connections per second — a metric that will really appeal to wireless carriers.

The ASA 5585X announcement was one drop of a veritable waterfall of news coming out of Cisco yesterday. Whether you love Cisco or hate it, you have to give the company credit — all of the announcements were strong on their own, tied together with overall company initiatives, and supported one another. For example, the ASA 5585X announcement:

  1. Balanced security and performance. Beyond announcing a “hot box,” Cisco is also reminding the market of its security prowess. The 5585X combines traditional defenses like firewall and IDS/IPS but it also leverages IronPort services for content security, web security, and its security reputation database.
  2. Ties into the Secure Borderless Network Initiative. Here, Cisco is highlighting that the 5585X supports AnyConnect, Cisco’s “always-on” VPN client. AnyConnect is designed to create trusted client/server relationships, encrypt all traffic, and ease connectivity for mobile workers. By linking these two products, Cisco can compete for network security in the wireless carrier space AND push AnyConnect as a universal endpoint standard.
  3. Focuses on the new data center. Cisco can bundle the 5585X into huge deals that also feature UCS, Catalyst, Nexus, etc.

I don’t know how the ASA 5585X compares to the competition, but speeds-and-feeds are somewhat beside the point. The ASA 5585X gets Cisco back in the game. Combined with Cisco’s growing portfolio, data center experience, and un-matched marketing messages, it will most certainly sell a lot of high-end security boxes.

HP Buys ArcSight: More Than Just Security Management

Monday, September 13th, 2010

The waiting and guessing games are over; today, HP announced its intent to buy security management software leader ArcSight for $1.5 billion. I didn’t think HP would pull the trigger on another billion+ dollar acquisition before hiring a new CEO, but obviously I was wrong.

ArcSight is a true enterprise software company. As I recall, many of the early ArcSight management team members actually came from HP OpenView. With this model in mind, ArcSight went beyond technology and invested early in top field engineers, security experts, and sales people. This vaulted the company to a leadership position and it never looked back.

For HP, ArcSight fits with its overall focus on IT operations software solutions for Business Technology Optimization. In the future, security information will be one of many inputs that helps CIOs improve IT management and responsiveness. It won’t happen overnight, but think of all sources of IT management data (i.e., log data, SNMP, network flow data, configuration data, etc.) available for query, analysis, and reporting in a common repository. This is what HP has in mind over the long haul.

In the meantime, HP should get plenty of ArcSight bang-for-the-buck over the next 12-24 months by:

  1. Aligning ArcSight and EDS. Security is a top activity within professional services firms. Given ArcSight’s enterprise play, EDS will likely double down on IT risk management and push ArcSight wherever it can.
  2. Using ArcSight as a door opener in the federal market. Yes, HP already sells plenty of products and services to Uncle Sam, but it now has access to a CISO community with deep pockets. With CNCI 2.0 and FISMA 2.0 upon us, this will only increase.
  3. Bringing ArcSight into the virtual data center strategy. According to ESG Research, many enterprises don’t do a good job of coordinating security with server virtualization. This is a big problem given virtualization growth — which is why VMware was so vocal about its recent vShield announcement. HP can and should bring ArcSight into its strategic vision for CIOs with massive data center projects.

In spite of its security services and thought leadership, HP’s name has been notably absent from IT security leadership discussions in the past. ArcSight should change that.

A few other quick thoughts:

  1. In the past, ArcSight was built exclusively on top of Oracle databases. Great in terms of enterprise functionality, but it made the product expensive to buy, expensive to operate, and somewhat weak in terms of queries across large data sets. Look for HP to accelerate plans to decouple ArcSight from Oracle ASAP.
  2. If HP is still in buying mode, the obvious question is, “who is next?” Would anyone be surprised if HP made a move for Check Point, F5, or Riverbed soon?

VMware vShield: A Good Start, but . . .

Wednesday, September 1st, 2010

You’ve got to hand it to VMware — it clearly understands the strengths and weaknesses of the ESX environment and is focused on improving the platform. Case in point: this week’s VMworld, when the company announced the VMware vShield family of security products.

From the early announcement, it seems that vShield is composed of:

  • vShield Edge. To enable secure multi-tenancy, vShield Edge virtualizes data center perimeters and offers firewall, VPN, Web load balancer, NAT, and DHCP services.
  • vShield App. VMware calls this a hypervisor-based, application-aware firewall that creates application boundaries based upon policies. It’s a bit confusing, but I believe it manages and secures VM-to-VM traffic in a logical virtual application. VMware needs to clarify this as the term “application firewall” has a completely different meaning.
  • vShield endpoint. This one’s much easier to understand: rather than run endpoint security software on each virtual endpoint, vShield endpoint virtualizes security components like signature databases, scanning engines, and schedulers. Much more efficient than pretending that virtual endpoints are physical devices.
  • vShield zones. Again, a bit confusing, but it seems like basic ACL capability built into vSphere.

Now I’m not at VMworld, so I’m reading between the lines. Nevertheless, I like the direction VMware is taking. ESG Research indicates that security is a big issue with server/desktop virtualization. This is true for everyone from virtualization newbies to sophisticated shops.

The vShield products are a great foundation for VMware, but I believe there is still a lot of work to do beyond clearing up the messaging. I suggest that VMware:

  1. Dedicates ample resources for user education. ESG Research points to a general lack of virtualization knowledge and skills, especially with security professionals. Note to VMware: If security professionals don’t understand the ESX environment, they won’t buy your products.
  2. Clarifies its partnering strategy. I can’t really tell if VMware intends to partner with or compete with companies like F5, Juniper Networks, Check Point Software, etc. I’m sure I’m not the only one.
  3. Works on standards. If my standard firewall is a Juniper SRX, I really don’t want a one-off VMware product in my virtual infrastructure. If vShield can’t “talk” to other products through some new security standards, no one will want it.
  4. Stops talking about “better than physical security.” I get the concept, but the vast majority of users don’t have the baseline knowledge about server virtualization to believe this. Improved security should be a destination/vision and not an overly bold tag line.

Why Intel Bought McAfee, Hint: It’s All About Massive Changes In the Security Market

Thursday, August 19th, 2010

Before the bell rang on Wall Street, Intel shocked the army of Latte sipping financial wonks by announcing its intentions to buy security leader McAfee. The deal is valued at $7.7 billion or $48 per share, about a 60% premium on the stock price.

A few financial analysts who cover Intel say that this is about Intel’s mobile device aspirations. Maybe, but McAfee just got into the mobile device security market and my guess is that this business accounts for $5 million in revenue or less.

Sorry Wall Street but that ain’t it at all. I believe that Intel sees the same thing I see. The security market is wildly fragmented with vendors producing tactical point products for their customers. These point products can no longer address the environment of sophisticated and massive threats. In the very near future, enterprise and service provider security technologies must deliver unprecedented levels of scalability, manageability and integration.

Guess what? In today’s market there isn’t a single vendor who can deliver a security product suite anywhere near what’s needed in the market. Get it Wall Street? There is massive emotional demand but no supply. Here’s the kicker — without significant improvements in security, this whole Internet party hosted by companies like , eBay, , , etc. could get really, really ugly soon.

To be fair, McAfee can’t deliver the level of scale, manageability and integration that the market demands but it’s as close as any other vendor. Combine this with Intel hardware, money, and brainpower and you’ve gotten something.

I believe Intel sees a market opportunity, not a product opportunity. Yes, there is plenty of room to integrate McAfee with mobile phones, microprocessors, and NSPs but this is a footnote to the story.

A few other observations:

  1. With its deep pockets, Intel should free McAfee to continue to bolster its portfolio. McAfee should grab ArcSight soon to fill its security management gap with an enterprise leader.
  2. The next logical candidates to double down on security are IBM and /RSA. The next logical target, Check Point — maybe others like Fortinet, Sourcefire, RedSeal, Nitro Security, LogRhythm, etc.
  3. While Symantec’s position just got stronger, Wall Street is waiting to see how the company will digest, integrate, and build upon recent acquisitions PGP and Verisign.
  4. If there is a better CEO success story than Dave DeWalt’s, I’m not aware of it. DeWalt came in a few years ago when McAfee was knee deep in a stock options scandal. He took over, changed the culture, acquired well, pointed the company at the enterprise and voila, sells the whole enchilada to Intel. Not sure if Dave will stick around but I’ll bet HP’s interest in him is sky high.
  5. The combination of Intel and McAfee is a “dream team” for the Feds’ cybersecurity efforts. The two together have security software and can throw massive amounts of hardware at monitoring, filtering, and recording all of the traffic on Federal networks. McAfee already gets hundreds of millions from the Feds. I can see this revenue going beyond $1 billion over the next few years.

Check Point Application Control and Beyond

Monday, August 2nd, 2010

Check Point made a pretty significant move today when it announced its new application control software blade. Built upon technology that Check Point acquired from FaceTime, the new application control software blade can help organizations create and manage usage policies for 50,000 Web 2.0 and social networking applications and widgets.

This is a pretty big deal for three reasons:

  1. Traditional firewalls offer limited help. Web 2.0 applications and social networking widgets bypass network firewalls over wide open Port 80, opening the enterprise to a new threat vector. Check Point can now address this vulnerability.
  2. Check Point throws its hat into the Palo Alto Networks ring. To date, Palo Alto Networks has created a market with a unique Web application-specific firewall. Check Point can now compete with Palo Alto on specific application security deals or push Palo Alto aside in its installed base.
  3. The introduction of the application control software blade is just the latest offering in a growing and integrated portfolio. Very quietly, Check Point has put together exactly what enterprise organizations are looking for — a tightly integrated, comprehensive security suite. If Check Point improves its sales and marketing skills, it could push tactical competitors aside and open itself to extremely big enterprise opportunities.

Check Point’s application control software blade is a winner on its own, and even more so in a broader Check Point security architecture. Gil Shwed and Co. need to broadcast this news.

The Future of Endpoint Security

Wednesday, May 19th, 2010

If you do some research on endpoint security you’ll quickly read one analyst or another’s claim that antivirus software is dead and that there is a pressing need for some new model like cloud security services, white listing, black listing, virtual desktops, etc.

Antivirus is dead? Hmm, I wonder if these analysts have been following the financial results of Kaspersky, McAfee, Symantec, Trend Micro or a host of others who continue to make money on endpoint security software.

As you can tell by my sarcasm, I don’t subscribe to this theory but I do believe that endpoint security is going through massive changes in order to best address new threats and new requirements. Now and into the future, endpoint security will:

  1. Follow a hybrid model. Yes, you will still install bits on your PC but resident software will be increasingly supported by cloud services. This will break the endpoint security reliance on signature downloads, minimize the device-based footprint, and help alleviate patching fire drills. Additionally, the hybrid nature of endpoint security will vary by device. Androids and iPhones will have thin agents and rely mostly on the cloud while PCs will continue to leverage local disk, memory, and processors.
  2. Fatten the feature set. Antivirus became endpoint security as vendors added anti-spyware, HIPS heuristics, and whitelisting to their code. Look for more web threat integration as well as products that throw in full-disk encryption. PC backup will also become a “must have” – Symantec is ahead here.
  3. Feature identity protection. For the average consumer, it is probably worth a few extra bucks to get an identity protection service like LifeLock, TrustedID, or IDWatchdog. Look for these services to be commodified and offered as a feature in products from folks like Panda and Sophos.
  4. Feature consolidated pricing. Like most geeks, I have numerous PCs and consumer devices that need protecting. Pricing models will change to accommodate this increasingly typical use case. One user, one price, multiple devices, common reporting.
  5. Leverage common agents. Check Point and Symantec are already talking about one agent for multiple endpoint security functions. Cisco is going a different way with its AnyConnect client that consolidates Scansafe, TrustSec, and VPN clients. We’ll see more of this as vendors bundle additional functionality for WAN optimization, PC configuration management, backup, etc.
  6. Provide PC tuning. TV ads for services like “finallyfast.com” may be prosaic, but any money going to these fly-by-night services is not going to McAfee and Trend.

Aside from market demand, security vendors will go down this path for defensive reasons. Free AV software from AVG and Microsoft is plenty good for casual users.

Will all of these features mean an uber fat client application? No. Like hybrid threat protection, vendors will offer a lot of these features as cloud services and rely on a lightweight agent to orchestrate the process. Finally, users will choose what they want and how much they want via a pricing calculator. Think online PC sales as an analogue.

Security purists may claim that endpoint security changes mean giving up control but the business case is too attractive for both users and vendors to pass up. Broad based solutions that cover requirements like threat management, performance management, backup, identity protection, and configuration management across multiple devices per user are simply the next phase of an evolutionary life cycle.

Symantec Moving to Define an Encryption Architecture

Thursday, April 29th, 2010

Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.

Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:

  1. A killer install base. Between the two companies, Symantec gets a foothold in the enterprise and midmarket across the globe. Symantec also bolsters its federal government business, where encryption is a very big deal.
  2. Encryption beyond PCs. Check Point, McAfee, and Sophos bought good companies, but the focus in all cases is on endpoints–PCs, mobile devices, USB keys, etc. Symantec gets this, but also gains encryption technology for file systems, e-mail, mainframes, etc. This gives Symantec a leg up.
  3. A leading key management platform. A wise man once said, “encryption is easy, key management is hard.” PGP recognized this and built a great key management platform to manage encryption keys for mobile devices, PCs, e-mail, mainframes, etc. Symantec also gets a seat at the KMIP and IEEE encryption standards table.
  4. An encryption and key management play. In discussing these deals, I haven’t seen anyone mention the added value Symantec gets from PGP’s recent acquisitions of TC Trust Center and Chosen Security. Symantec gets a root CA capable of offering PKI as a service. This gives a tremendous opportunity. Symantec can become an identity broker in the cloud for enterprise authentication, B2B trust, consumer identity protection, etc. Imagine what Symantec can do if it ships every copy of endpoint security software with an X.509 certificate. In my mind, this opens up a whole host of possibilities.

In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.

Venture Capitalists MUST Invest More in Cybersecurity

Friday, April 16th, 2010

There is a glimmer of good news on the venture capital front. In Q1 2010, venture funding rose 38% from a year ago to $4.7. What’s more, the pool of VC money is spread over 681 companies–a 7% increase from Q1 2009.

Good, but not great news. Most of the dough is going to biotech companies while investment in clean technology tripled.

The bad news? Investment in software declined 1% year over year. Remember that in Q1 2009, we were preparing for runs on banks and Hoovervilles.

While I have no data, there is anecdotal evidence suggesting additional bad news. I speak with security companies all the time and I simply don’t see VCs investing heavily in this space.

Perhaps they got burned investing in the 5th NAC, anti-spyware, or UTM vendor. Maybe they think that Cisco, Check Point, Juniper, McAfee, Symantec, and Trend Micro have everything covered. It could be that many believe that the whole tech space is mature, so they are chasing the new new thing in other technical areas.

I’m not sure why the VCs are eschewing security investments, but I do know that this is a problem. Why? At a time when attack volume is steadily increasing, cybercriminals operate like Fortune 500 companies, and FBI directors characterize cybersecurity attacks as “an existential threat to our nation,” the VCs are moving on to perceived greener pastures. In other words, there is serious demand for next-generation security skills and technology, but the supply-side continues to invest elsewhere. Bad economics and bad for the digital assets we all depend upon.

Okay, I understand that the VCs are in it for the money and nothing else, but something is wrong with this picture. It seems to me that when demand exceeds supply, there is money to be made. I’d like to see the VCs invest in security as a patriotic act, but I’m not optimistic. Therefore, I have a few ideas for the “smartest guys in the valley” on Sand Hill Rd.

  1. Co-invest with In-Q-Tel. In-Q-Tel is a VC firm that came directly out of the CIA. On its web site, the firm’s mission statement reads as follows, “In-Q-Tel identifies and partners with companies developing cutting-edge technologies to help deliver these solutions to the Central Intelligence Agency and the broader U.S. Intelligence Community (IC) to further their missions.” The key here is to find the smartest security firms whose technology is good enough for the CIA, DOD, and NSA and can be adapted for commercial use. Given the recent string of private attacks, the private sector would welcome military-grade protection.
  2. Explore other direct federal funding. It’s likely that DARPA, NSF, DOE, and other agencies will have money to spend on cybersecurity research and development. Smart VCs will figure out ways to hedge their risks by getting these agencies involved.
  3. Partner with Universities. UC-Berkeley, Carnegie-Mellon, MIT, Purdue, Johns Hopkins, and Cornell are all doing advanced research in various security disciplines. The VCs need to buddy up to these prestigious institutions and find investments that provide mutual benefits.
  4. Seek out Israeli money. Educated at Tel Aviv University and Technion and then saturated in security in the IDF, Israel produces some of the smartest security minds in the world. I’d like to see more American investment in Israel and more outreach to Israeli VCs from Sand Hill Rd.

The lack of VC investment in security could have broad implications moving forward, so the VCs can’t sit on the sidelines. It’s time for the rich guys to get more involved and proactively champion security innovation and investment rather than sit back, drink Merlot, and wait for business plans to come in. Our digital security may depend upon this.

Network Security Renaissance

Friday, March 19th, 2010

ESG’s research indicates that network security spending will be a focus area for 2010. Nearly half (48%) of midsized (less than 1,000 employees) and enterprise (more than 1,000 employees) organizations will invest in network security technologies like firewalls, IDS/IPS, gateways, and threat management solutions.

Yes, all of these technologies are important components of a defense-in-depth security architecture, but they are also quite mature. Why the network security renaissance? Because of:

  1. Equipment consolidation. I see lots of organizations replacing individual firewall appliances with big network security gateway products running virtual firewall instances. This simplifies the network and cuts down on software licensing costs. Good news for Check Point, Crossbeam Systems, and Juniper Networks.
  2. Network upgrades. There is plenty of 10GbE activity in the data center and in network backbone upgrades. Fast network throughput demands new security equipment. Advantage IBM/ISS, McAfee, Sourcefire, and TippingPoint (HP).
  3. Integrated security. Most enterprises are replacing standalone security devices with more integrated threat management solutions.
  4. New threats. The bad guys are way more sophisticated than an IPS device circa 2007. Large organizations need better threat detection, prevention, and mitigation. Furthermore, network security must work as a team with desktop, server, messaging, and other security defenses.

With all of this activity, many networking vendors stand to benefit. Cisco and Juniper have great network security offerings that interoperate with their core networking products. HP will pick up TippingPoint with 3Com, but it needs to build an architecture story quickly. Brocade is working with partners and must continue to make this a core part of its value. Other networking vendors need to make similar moves.

Security gets more complex each day, so state-of-the-art devices may have a short shelf life. Expect continuous investment in network security moving forward. Networking vendors that recognize this will put themselves in the best position.

Note to Cisco: Pick Your Security Battle

Thursday, February 11th, 2010

I’ve written some not too flattering things lately about Cisco. Now I’ve got nothing against Cisco — I’m actually quite impressed with its broad portfolio, M&A strategy, and sales/marketing muscle. Cisco also has a lot of chutzpah — taking on Dell, HP, and IBM on next-generation servers wasn’t a move you’d see from a risk-averse company.

In general, I admire Cisco, but I’m not sure where it is going with security. I’ve written a few blogs about flat revenue, changing agendas, and product commitments in the past that I’m sure haven’t played well in San Jose. The pushback I tend to get is that Cisco builds security into all of its products so individual security products aren’t the right thing to focus on.

Hmm, this may be so but in my humble opinion Cisco is fighting on two fronts and right now it can’t win on either one. Allow me to elaborate.

Front number one is traditional security products. Aside from a few exceptions like IronPort, Cisco security products haven’t kept up with the competition. You can build all the security you want into products but you still need firewalls, IDS/IPS, gateways, etc. Cisco is losing a lot of these security product sales. The other problem here is that Cisco doesn’t cover all security areas. It has no desktop presence, limited application presence, no database presence, etc. This is the front where I’ve been most critical of Cisco. The only way Cisco can bounce back here is with a big acquisition (McAfee, Check Point?) or with a lot of strategic little ones.

Front number two is business security solutions. What I mean by this is more end-to-end security solutions that secure enterprise or vertical industry business processes. I believe Cisco is trying to go in this direction based on its new positioning and tag lines like, “enabling the next-generation workforce to collaborate with confidence.” Cisco’s instincts are spot on — enterprise organizations are now trying to secure business processes not just IT infrastructure. The move to secure business solutions means that deals get bigger and executives get involved with security decisions. Good news for Cisco except that it can’t hold a business security solutions candle to others like HP, IBM, Accenture, SAIC, etc. When push comes to shove, these others have vertical industry and business process mojo that Cisco just doesn’t have.

Cisco should go after the business security solutions market but it can’t just throw around new marketing initiatives and succeed like it has in the networking space. I suggest that Cisco do one, a few, or all of the following:

  1. Buy a services company. Dell, HP, and IBM are all using services as a differentiator and winning the secure business solutions battles (note: I realize that a professional services acquisition would be far more strategic for Cisco than security alone). I don’t think Cisco can win by being Switzerland with everyone else. Cisco needs to acquire someone like CSC or (dare I say?) Unisys for services muscle. This will help with UCS sales AND business security solutions. Note that HP is very successful at selling business security solutions yet it has few security products. The reason? Services strength, global reach, business process expertise, and lots of industry experience.
  2. Double down on identity management. In my mind, the identity space is perfect for Cisco. Why? The technology is rapidly changing and it will likely end up as a network service. Identity is also a key component of cloud computing. Cisco owns Securent and Rohati but that’s not enough. Courion is out there as a product and Ping Identity as a SaaS/network service (note: I like the Ping or network services play best). Alternatively, if Cisco buys a professional services company, it could make identity a core skill set and work with independent leaders like CA and Oracle.
  3. Get vertical. Cisco does a bit of this but it is mostly through its sales and marketing effort. My contention is that Cisco should acquire and build vertical solutions for health care, financial services, and the Federal government or get super aggressive with partners (note: HP and IBM may have locked up the best ones). Cisco can’t just deliver pipes, it needs entire secure solutions.
  4. Go deep with compliance. For years Cisco looked at compliance as a subset of security management. This may have been true 4 years ago but is no longer the case. Since increasing regulation impacts all industries, Cisco’s commitment here could complement all of my other suggestions.

Cisco has dabbled with a similar business security solutions strategy. For example, ScanSafe is a potentially great adjunct to UCS, data center products, and cloud/service provider sales and marketing. That said, Cisco has yet to jump in with both feet.

Note to John Chambers: If you want to compete with HP and IBM you need more than marketing magic that sits on the network — you need real business security solutions.

Given its security leadership history, I believe Cisco can be successful here with the right investments but I don’t believe that Cisco can fake its way through, or compete on security products and business security solutions from its current weak position.

© 2010 Enterprise Strategy Group, Milford, MA 01757