Dan Molina
Daniel J. Molina, CISSP, is the Director of Advanced Solutions for Latin America, in charge of the Networking and Governance, Risk & Compliance business units, and is considered a thought leader in the security arena. Mr. Molina has been called to speak on issues such as the state of the security industry, “Security Best Practices”, “The Business Aspects to Information Security”, “Operational Efficiency in IT Security”, “The Myth of ROI in Security”, and “Capabilities Maturity Models in Security” at various industry forums worldwide. In his previous role as a Security Evangelist for McAfee, Mr. Molina provided a voice to the McAfee Risk Management Process, and assisted in complex and strategic opportunities for McAfee customers. He has also created curriculums, and provided training to multiple partners on Security Intelligence, and Anomaly Detection and Behavioral Forecasting models for security. Daniel has extensive experience in enterprise security architecture design, internetworking, LAN/WAN implementation and project and team management. In addition to his role at McAfee, Daniel spent several years as a Principal Systems Architect for Q1 Labs, Solution Architect for Internet Security Systems and as an Enterprise Consultant with Entex Information Services overseeing infrastructure and Y2K project implementations for companies such as GTE, Nextel, and The Coca-Cola Company. Daniel’s background includes several years as a systems specialist and administrator with enterprise and carrier environments. Along with numerous industry and technology-specific certifications, Daniel holds the following designations: CISSP, CBS, CCSA, CCSE, MCSE+I, and others. Daniel studied Political Science and Psychology at the University of Southern California and Economics at the University of Texas, Arlington.
In the article “Security Vendors Revamp Desktop Suites,” Andrew Conry-Murray presents a very interesting challenge. He states that the “ideal goal” of a unified threat management framework is “impossible.”
I would like to present an alternative view to the one Mr. Conry-Murray presents in his article. I propose that helping clients proceed along a defined Capabilities Maturity Model, such as the SSE-CMM, is not only a noble cause, but a desirable one. Each cycle towards maturity brings along not only improved security, but better data protection and operational efficiency. Such is the case with integration between individual products to yield a working solution.
As the security market has matured, we have seen a call for integrated suites, which is reflected in how the major analysts are now grading us. It is no longer merely an AV Magic Quadrant, or Wave, but rather an Endpoint Security or Desktop Suite that is being assessed as an integrated solution. The truth is that, properly configured and managed, the sum is greater than the individual parts that compose a suite. It is not mere bundling anymore. It is integration at the code level, with months of engineering cycles to achieve it, not just marketing hype.
When critical pain points are identified, the build vs. buy decision that McAfee makes mirrors that of our customers. The identification of data loss prevention and mobile security fueled the acquisitions of Onigma in October 2006 and SafeBoot in October of 2007. These acquisitions will create a new business unit that will focus efforts on meeting customer needs in this under-served market. Through actions and proper organization, we are working hard to protect what you value.
- Posted in CSO / Risk Management
Last week, Websense announced that it will acquire SurfControl, swallowing up one of its chief competitors in the content filtering space.
It’s pretty clear that content filtering is going to become an important protection component in our complex world of threats. It is not so clear that we need or want it as a standalone solution. Protecting surfing behavior is important, as the nature of threats has evolved from attacking our PCs to custom-made hacker vulnerabilities for mobile devices. McAfee’s acquisition of SiteAdvisor proves the point: 50 million users clearly see the value of proactive protection.
Were you at RSA this year? There were so many small companies in the “outer reaches.” It doesn’t take much to figure out that consolidation is the next logical step. I overheard someone say that those booths should have a price tag on them, almost like a claiming race. So, what are the implications of this particular deal?
SurfControl and Websense share the same core business model and have been competitors in the Internet access control (web filtering) market for many years. Both companies have been trying to expand beyond web filtering by getting into the network and desktop security market with security solutions based mostly on their web content inspection technology. It’s a smart play for them, as they struggle to maintain relevance in a converging market. It is a fortification strategy in a point product space that could prove to be flawed for Websense. From my point of view, Port Authority made more sense as an acquisition for Websense. This deal, valued at $400 MM, seems like sacrificing a bishop or a knight in order to take out a pawn.
Another point solution. Is that what enterprises need? Or do they need a proactive risk management strategy? That’s what’s resonating with everyone I talk to. So this news is really not a big deal when it comes to putting together the right components for the large enterprises. Our customers choose us because they recognize that security risk management is an ongoing process. One of our mantras is “complete visibility” on every level – from policy to compliance to enforcement. It’s only a matter of time before the value of this approach is realized by all companies and organizations who want to ensure the best security for their networks, not just the early adopters.
Security starts with identifying your core assets and setting the right processes in place to ensure those assets are protected. However, when an organization moves from tactical threat response to strategic risk management, they look to move the protection closer to the data. I don’t see this acquisition helping Websense customers move in that direction.
The acquisitions going on in the security industry are similar to a chess match. One company might take another company to advance to a more strategic position. In the end, it’s all about protecting the king – the precious data that organizations rely on to advance their core business.
- Posted in CSO / Risk Management
Good medicine addresses root causes; bad medicine merely addresses symptoms. Likewise, good risk management methodologies address root causes; bad risk management merely addresses symptoms.
Aside from the now well-worn stories about data breaches at TJX, and the brouhaha about data leakage issues at Wally World, there is a new story going around about how the U.S. Department of Energy’s Counterintelligence Directorate has lost several computers. I don’t know about you, but the way I understand it, this is the agency that’s supposed to protect some of our most important national secrets (like nuclear stuff) from espionage… yet it can’t keep track of its computers.
What’s interesting, however, is that the DoE’s Counterintelligence Directorate claims that it was using an inventory application to track the computers. This highlights one of the big problems with bad risk management. When there’s a problem, the first instinct is to just purchase some application that is supposed to deal with the symptom, and then assume that the entire issue has been solved, rather than driving down to the root cause.
Real risk management means looking at the problems and coming up with actual solutions to the root-cause issue – not just band aids.
We see the same shoddy approach to many of the latest data breaches. Companies that are caught with their cyber pants down are more interested in driving attention to the peripheral issues, and to blaming the human factors, than addressing the distinct fact that they failed to protect the life-blood of the business they were chartered with protecting – the data. At the risk of sounding too much like James Carville, “It’s the Data, Stupid!”
- Posted in CSO / Risk Management
I find it amusing when I hear stories about security budgets that are sliced after a year – just because the organization wasn’t decimated by a widespread worm or virus outbreak. While some re-justification is relevant with each new cycle (or new management), I would hate to think that companies would use the “clothing closet” standard on corporate security. You know, if you haven’t worn it in a year, get rid of it. To see how silly that is, extend the concept to a lighthouse’s budget. After a year of no ships running aground, the budgeting authority cuts costs by only turning the lighthouse on during high risk times, like storms. There would be a token allocation to improved education, so that skippers would be better equipped to find shorelines. Of course, documentation, in the form of navigating charts, would probably still be archaic, Vespucci-era charts.
Lucky enough to go through two years without a ship running aground? Great! Let’s “re-engineer” the lighthouse. After the third year, maybe the infrastructure could be re-purposed as a seaside silo to store grain for seagulls.
Any site that manages their infrastructure thusly should be deemed highly risky. Maybe SiteAdvisor should include a “management approach to security” as a vector in their risk ratings.
- Posted in CSO / Risk Management
ISO 17799 password best practices require that passwords be changed every 6 weeks, be at least 8 characters long, differ from the last 12, contain upper-case, lower-case, and special characters, and not contain any words that are in a dictionary. Great concepts. But just like sunlight, vitamins, exercise and just about everything, too much of a good thing is bad. In this case, if you enforce all of those rules, you are, in short, forcing users to write down their passwords.
- Posted in CSO / Risk Management
Mike Rothman makes an excellent point about the economic aspects of the Symantec/Altiris deal. Unfortunately, the view is somewhat myopic.
If McAfee’s plan were to keep Citadel as a stand-alone company, revenue would indeed be the primary driver for an acquisition. However, the technology, and the ability to combine it with our existing technologies into what McAfee is presenting as a comprehensive and integrated Security Risk Management approach, matters much more because of the gestalt effect of multiple solutions working together and leveraging a common framework.
Integration at the paycheck level, where you acquire a company just to reap their profits, is not what McAfee’s strategy pursues. Instead, engineering-level integration, with multiple solutions working together, allows us to provide better solutions that help our customers by yielding back resources, both at the desktop and in management.
- Posted in CSO / Risk Management
I’d like to wish Symantec the best of luck on its recent announcement regarding the acquisition of Altiris. They seem to be following well along the Security Risk Management approach that McAfee took on and has been delivering on for the last 3 years.
Symantec is clearly going to need all the luck it can get. After all, the company doesn’t exactly have the best track record when it comes to integrating acquisitions. Even setting the huge cultural hurdle of the Veritas merger aside, they have had trouble digesting a spate of smaller deals, including Sygate, Bindview, Riptech and Recourse. In fact, Riptech, which was acquired over five years ago, is still operating mostly independently. If history is any guide, it seems safe to say that Altiris will be YANISA (yet another non-integrated Symantec acquisition).
For the moment, let’s just give the company the benefit of the doubt, and assume that somehow they’ll make Altiris fit into the broader company structure… I’m still wondering what Symantec was thinking when it agreed to spend so much for the technology. At $880 million, it’s far more than the $56 million that McAfee paid for Citadel, an acquisition that gave us essentially the same capabilities. Compare the prices. An interesting question was raised by David Peltier at TheStreet.com: “Has Symantec dug itself a new hole with this acquisition, or has the stock already sold off too much?”
If anything, the Symantec announcement completely validates the price McAfee’s paying for Citadel, as CIOs and others involved in buying have been given confirmation that remediation is a critical aspect of security, and that security and network management go hand in hand. And while we’re on the subject, the integration of Citadel is going just fine. Expect the process to be complete shortly, about eight months after the announcement.
At least Symantec is consistent, as it treats its business the same way it treats your networks and computers. It’s too complicated, not integrated, and it overtaxes available resources while trying desperately to get the job done.
- Posted in CSO / Risk Management