« June 2009 | Main | August 2009 »

July 28, 2009

IANS Research Team: A Day of IBM Announcements

Busy day at IBM today. Entirely by chance, IBM announced both the acquisition of Ounce Labs (undisclosed amount) in the application security space and SPSS ($1.2 billion) in the business intelligence market.

In Ounce Labs, IBM adds static code analysis capabilities to its Rational Software portfolio and helps to round out the AppScan suite. This complements their earlier acquisition of Watchfire which brought them web application vulnerability testing capabilities. The acquisition better positions IBM against competitors, mainly HP, in the software development market by providing a broader framework for building secure code.

A long partnership gave IBM a good view of what was under the hood at Ounce, and despite a rosy announcement by Ounce Labs earlier this year, IANS assumes IBM was able to strike a very favorable price for the company which eased some of the pain early investors must be experiencing.

As we’ve written before, consolidation will continue in the information security software marketplace, as weaker private companies succumb to financial pressure, their investors lose patience, and larger players seek opportunities to grab compelling intellectual property to bolster their growing suites.

The 24-month history of the software security marketplace proves this out. SPI Dynamics and Watchfire were acquired in 2007 by HP and IBM, respectively, Security Innovation recently sold its European operations to Cigital. On the flip side, Veracode recently received $10 million in funding, Fortify continues to flourish while Klocwork and Coverity are still in the mix.

"The security market is continuing down a classic consolidation path" says IANS Faculty member Peter Kuper. "IBM has moved from buying scale (ISS) to incorporating complementary functionality as evidenced by the Ounce Labs announcement."

We expect the overall consolidation trend to further reveal the two or three dominant providers that will either reach sustainable independence or become an integral part of a larger organization. For security professionals, aligning with those few strong players will provide not only best-in-class technology but also a longer more valuable strategic relationship regardless of the acquiring entity.

We stick by our advice to enterprise buyers, however, that a solid group of high-quality, independent, reliable players still remains that do provide superior technology/service. The question at hand is whether or not application/software security will remain a standalone part of the security market or eventually become a feature of two distinct areas: software development and vulnerability management.

In SPSS, IBM is pushing to give clients “not just insight, but foresight.” The acquisition continues what was started with the Cognos acquisition back in late 2007, continuing the battle between Oracle, SAS and IBM for advantage in that marketplace.

“It’s a good fit for IBM,” says Tom Davenport, Lead Faculty Member at the International Institute for Analytics. “SPSS was the only remaining analytical software provider of any size that anyone could buy. It augments IBM’s business intelligence capabilities in Cognos, and its optimization and rule engine capabilities in ILog - not to mention its 4000-strong Business Analytics and Optimization unit in Global Business Services. IBM is clearly making a major play in analytics. It will be very interesting to see how the company combines all these businesses and goes to market with them.”

Where is the tie between the two announcements? The future of information risk management is moving from reactive to predictive. One obvious example: where will the SIEM space go? It has to move toward being able to predict attacks, not just telling when they occurred.

And how big a role will business intelligence and analytics play in making all industries more competitive? Stay tuned for more developments…

Not by chance, however, with a concentrated research focus in both information risk management and business analytics, IANS sees these two spaces being closely aligned going forward.

Posted at 05:19 PM in Financial Analysis | | Comments (0) | TrackBack (0)

July 24, 2009

Peter Kuper: No Help for the Little Guys

The latest VC data continues to reveal the pressure on private companies needing capital. The steady decline that began over two years ago is still continuing its downtrend.

Quarterly VC
Source: Thomson Reuters, National Venture Capital Association


This is definitely not a good thing, as we have consistently looked to the private sector to develop the next-generation solutions needed to keep up defenses against the ever-evolving hacker community. The problems go beyond the money - even if the fortunate few see deposits in their corporate checking accounts the valuations of these investments add to the burn.

Flat or Down Rounds

Source: Cooley, February 2009

These trends further support our look to the government initiatives such as I4 as the private sector is under stress. The cynic in us can’t help but touch on the topic of bailouts for all the big boys, be they banks or botched auto companies, but what about the smaller players - the ones with the normal assumption of real job growth, let alone the real innovation that produces new products and whole product categories?

 That said, we know of a very large group of private companies that are doing very well, including BigFix, Verdasys, and Qualys. Overall, we still recommend buyers look to the privates, especially given some of the antiquated wares of the public companies. Yes, they may be financially stronger -- but what protection are you getting for your scarcer dollars?

 Our recommendations have centered around:

  • Product strength (worth the risk of linking up)
  • Management team (ability to execute)
  • Investors (history, viability of the backers)

 Overall, we still endorse the private sector but need to caution IANS members to check out the firm before they “leap”. This applies to public companies as well - just because you’re big doesn’t mean you can’t be bought, as we have seen from the original ISS acquisition and more recently the previously-envied Sun Microsystems. We’re watching that deal very closely to see which Identity & Access Management solution service is phased out in favor of the other. Costs still matter, no matter how big or small.

Posted at 09:35 AM in Financial Analysis | | Comments (0) | TrackBack (0)

July 22, 2009

IANS Research Team: Personalizing Enterprise Assets - The Limits

All of a sudden this month the security implications of the “power to the people” revolution are coming into focus. More and more Ask an Expert research queries from client security teams are centering on securing one of three new security vectors:

  1. Unsanctioned, personal wireless devices (e.g  smartphones) accessing network assets of all types. POPing email is the most common; sensitive asset access the most concerning.
  2. Workers using social networking resources on company time, for what they deem appropriate job-related reasons
  3. Rogue cloud computing applications that are being requisitioned by well-intentioned business unit managers “because it’s so easy and cheap.”

 The IANS research team is working on a Point of View (POV) report that will explore the technical, policy, and privacy issues this movement is continuing to raise.

We recently completed the one-day gathering of members participating in our Security Maturity Benchmarking study, and it was quite the eye-opener. 

 A few of the highlights:

  1. Benchmarking your team’s maturity against relevant peers is viewed by CISOs as the best way to make the resource/budget case with senior management
  2. High-performing IT security teams have adopted a “service delivery” model internally to accurately reflect to business units the value of security
  3. The optimal organization structure chosen by high-performing IT security teams is a small centralized operation (SOC) with dotted-line reports out in the operating divisions.  These agents live inside the business, but enforce the standards set by central command.

Finally, we’re seeing a stronger and stronger interest in the GRC (Governance, Risk & Compliance) space as more CISOs are seeking a true risk management measurement tool to centralize the view of organizational risk.

We’ll host an Interactive Phone Conference on the topic on August 6.

Posted at 11:49 AM in Research | | Comments (0) | TrackBack (0)

July 20, 2009

Peter Kuper: Talking Cybersecurity in Washington (State, that is)

I recently participated in the Information and Infrastructure Integrity Initiative (I4) Annual Advisory Review meeting at the Department of Energy’s (DOE) Pacific Northwest National Lab (PNNL).  (You can tell it’s a government thing given all the acronyms…)  As part of PNNL, I4’s mission is to develop “innovative and proactive science and technology to prevent and counter acts of terrorism, or malice intended to disrupt the nation’s digital infrastructures resulting in a safer and more secure digital infrastructure.” I have served on the Advisory Board since its inception and have been wholly impressed with the quality of the research work done under the guidance of Initiative Lead Deb Frincke .

 

By mandate, I4 is to go on that bleeding edge that most commercial efforts would never consider given the risk of failure – and this is why we love being part of the Initiative. The I4 researchers toil to define the next-gen approaches needed to thwart the constantly-evolving threats to our national security. Predictive, adaptive, high-volume complexity challenges are the main project foci; “transformational” or “contributing” technologies to enhance the cybersecurity landscape is the ultimate goal. To achieve this, the researchers identify the cutting-edge theoretical approaches and then turn to PNNL to fund the development. The theories are morphed into prototypes, and those that are proven useful are then further honed and developed to handle the scale and demands of the government networks. The Advisory Board was established to help validate those projects or research efforts that have the greatest chances of success to further enhance the integrity of our infrastructures.

 

This year, we reviewed efforts in predictive systems - a requisite for proactive solutions and the eventual shift from the dominant signature-based security solutions that are hindering better computing integrity today. “Adaptive” is also an overriding mandate and without revealing too much, we are feeling confident that at least one research project is a potential game changer in a most subtle way by taking another approach. Using bioinformatics to address the security problem can lead to some very powerful developments. We also spent a good amount of time pondering SCADA-related assurance initiatives. Protecting our national infrastructure goes beyond IP-based traffic; without reliable electricity, none of the former matters. The lab has Henry Huang spearheading the research here and the IEEE Magazine named Henry its Outstanding Young Engineer.

 

The technologies developed here for government use can eventually find their way into the commercial market. Starlight is one example – a dynamic visualization tool that we first saw in action over six years ago. PNNL has licensed this technology to Future Point Systems and while the visualization market is still relatively nascent, the ever-growing amount of data and multiple applications for visual analytics to us is a clear, steady driver for mass adoption. How useful is 3 million links on a Google search result page, really? How would an intelligence agency analyst mine 14 million records including newspaper articles, blog entries, and images to identify and track a person of interest? Many of the problems that challenge the three-letter agencies are also relevant to the rest of us. Next-gen business intelligence solutions could clearly benefit from the lab’s efforts.

 

It isn’t just PNNL working on cutting edge technologies that can make their way into your company or home. The Idaho National Lab, another DOE facility, has spun out a few hits of its own, most recently RFinity, a secure RFID communications technology. RFinity is an example of a product of lab research that has a high probability of commercial viability, so the founders used the “technology transfer process” to spin out of the lab, license the technologies, and raise capital to get rolling. This is being overseen and managed by IANS Faculty and now RFinity CEO Aaron Turner.

 

Recent efforts have been made to enhance the process of getting technologies from these labs into your hands. In particular, PNNL has Gary Morgan specifically charged with getting the I4 (and other lab) technologies into the commercial market thus potentially greatly increasing our overall security posture.

 

As IANS Faculty in Residence, I am excited to share my involvement in I4 with the IANS community. We look forward to advising you on the adoption of future solutions to information security problems as these technologies reach the commercial market.

Posted at 11:53 AM | | Comments (0) | TrackBack (0)