Saturday, March 20, 2010


Archive for the ‘Marketing and PR’ Category

Symantec to Apple: “You are not a beautiful or unique snowflake”

So, I just downloaded the Symantec DeepSight report on OS X security after I came across a headline about it on SecurityFocus (which, just for the record, is owned by Symantec), and I have to say that I have mixed feelings about it: mixed feelings because I usually don’t expect much from Symantec, and also because the document is not exactly "chock full" of original content (much of the data/information is a repackaging of publicly available material). However, at the end of the day I have to give this report a rating of "on the right track" because it does a good job of calling out some of the mythology surrounding OS X.

Of course, you have to take a minute to consider Symantec’s goal in doing this – they’re not the most unbiased party in the world. It financially benefits them to establish OS X as an attack-prone platform. So take the report with a grain of salt. However, as one Mac owner (and fan of user choice) to another, I’m terrified by Apple’s marketing: they keep banging the "Mac users don’t need to care about security" drum – going so far as to advertise on national TV that Macs don’t get malware or get hacked. I’ve made the point again and again that the facts do not support this; Apple users need to pay attention to security just as much as other computer users. Apple’s encouraging its user base to ignore security is a disservice. I would ask fellow Mac users this question: Apple advertises that Macs don’t freeze or crash; if you use a Mac, compare that with your own experience. Do you think the "Macs don’t need security" message is any different?

But, those things aside, here are some highlights from the report:

OS X is not BSD: So, we’ve all heard about how Apple is more secure because it’s based on BSD, right? From a marketing standpoint, it’s pretty much "front and center" in Apple’s OS X claims. You know, like when Apple says, "Beneath the surface of Mac OS X lies an industrial-strength UNIX foundation. Time-tested security protocols in Mac OS X keep your Mac out of harm


Webroot – Emerging vendor? Or something else?

Because I’m into that kind of thing, I usually start off the day by reading the press releases from security (and other IT) vendors. Usually, this stuff isn’t very exciting (there’s a lot of bluster and hot air on the wire), but today I found an interesting one – or at least one that made me think.
This morning, Webroot announced its addition to CRN magazine’s 2006 Emerging Technology vendor list. Alright, that in and of itself is not that interesting – but what *is* interesting is reading between the lines to speculate how Webroot is faring overall based on this announcement. As you know, Webroot is privately held, so we don’t get the same kind of insight into their economics as we do with their publicly held competitors. So any clue that we can get is a good one.

Now, before getting into this, I want to go on record as saying this is entirely speculation and I am not doing down Webroot; I actually happen to like Webroot. In addition, I reserve the right to be totally wrong, so this could all just be hot air. However, if you'll indulge me in a bit of speculation, this announcement does not appear to me as if it bodes well for Webroot's long-term health. What? It’s true – it looks good on the surface, but even though the announcement sounds positive, I don’t think it is. Let's break it down, and I think you'll start to see why I say that:

Non-dominant market share: If you take a look at the criteria for how CRN chooses emerging vendors, you’ll notice that market share is the number one most important criterion – but not in the way you'd probably expect; to make this list, you have to not be the market leader in your space. More specifically, according to CRN, “1. In established markets/product categories, the vendor could not be a dominant market-share player.” Last year, Webroot was dominant in the spyware space; as a result, they would have been ineligible for inclusion in this particular directory. So last year they had the market and now they don’t? Whoa, Nelly, that's not a good sign… particularly in an industry that tends to favor the market leader.

Direct vs. Channel Sales: The fourth criterion for inclusion in the list is, “4. The company had to demonstrate that its direct-sales mix was trending down, as evidenced by the company’s revenue history.” Now, we know that Webroot’s long-term goal is to be 100% channel by 2007, so in and of itself, this is not a warning sign. Where I think the warning sign is, however, is why they want to be 100% channel; more specifically, what does the 100% channel model imply about the makeup of the Webroot customer base? We know that channel sales are a very effective SMB sales tool, but we also know that they're not as effective a tool for the large enterprise. Reading between the lines, I interpret Webroot’s strategy as moving toward concentration in the SMB while moving away from larger enterprises. Now, that's not to do down SMB – there’s a market there to service for sure – but I had thought the Webroot direction was toward the larger enterprise. The growth curve usually encompasses SMB first and then branching out to larger and larger firms – the reverse, moving from larger to smaller, is usually a sign of decline in the marketplace. Additionally, I'm wondering about the investment they've already made. The large enterprise play is certainly marketed by them and discussed by analysts – clearly they've invested heavily. If so, why are they backing off?

Comparison with other vendors: The complete list of other emerging security vendors at CRN is as follows: 8e6 Technologies, Application Security, Array Networks, BioPassword, Bit9, Bradford Networks, ConSentry Networks, FireEye, Lightspeed Systems, MX Logic, Network Management Group, Palisade Systems, Passlogix, Port Authority Technologies, Red Condor, Senforce Technologies, Solutionary, TrustELI.
Now, trust me, I am *not* about to do down these other vendors… There are some great players in that list and a number of firms that I watch closely and strongly support. However, what I would point out is the discrepancy between the funding received by Webroot (for example, the 108 million dollar influx of last year) and the funding received by the other vendors on the list. For example, Senforce and MX Logic (their peers according to CRN) received 12 million dollars and 26 million respectively… not the same ballpark. Recall Webroot’s competition: Symantec, CA, McAfee, Trend, and Microsoft… If it was me, I’d be pretty scared if two of the top five largest software companies in the world were my competitors, and more scared to be peered with firms with 1/10th my backing.

Now, I reserve the right to be totally wrong, and I certainly mean no disrespect to folks over at Webroot. But I'm not sure this is good press for them; I question why they would concentrate their marketing dollars here. Yesterday, I probably would have speculated that Webroot's in good health. Today, I'm not so sure.


Turns out Allchin’s OK. Can we pig-pile on Oracle instead?

Have you seen the ads for the "Truth in Software Commission" hearings over at BigFix? If you haven’t seen them, I highly recommend checking them out. Their satirical content is absolutely hilarious and it’s very much worth the trip (trust me, it’s long on laughs and short on the hard sell for their products.) Not to wax verbose on this, but even their logo is laugh-out-loud funny (provided they don’t move it anytime soon, you can see it on the right of this entry.) The tagline, "Duc Ergo Sum", could be roughly translated to "You build [it] therefore I am". Classics humor… not something you see in infosec very often.

All very interesting, and I found it somewhat ironic that the article I saw it on (the article on which I saw the advertisement) was one of the original "post-retraction" articles where Microsoft president Jim Allchin was paraphrased as saying that Windows Vista is so secure it won’t require AV. Now, before you get all worked up like I did when I first heard that, take a moment and look at his response to all the hubbub… it turns out that he said something a bit more reasonable than how it was originally portrayed – what he really said was hubris-free, unlike how it was originally spun. And as of now, we’re pretty much back to where we started – except with a bunch of retractions, clarifications, and general backtrackery in the industry press.

So all in all, we’re net-zero after the "Allchin Incident". Now you might be wondering – if we’re net-zero, why am I bringing it up? Because of an interesting lesson in all this… Now, on the surface, there’s the obvious lesson of "don’t believe everything you read", but that’s not the lesson I’m talking about… misquotes and misinterpretations of statements happen, so I don’t think we should expect that they won’t (or shouldn’t). Instead, the lesson I’m talking about is the willingness on the part of the public and the journalist community to expect hubris on the part of Microsoft and damn them for it when it happens. Now, that’s OK, but what I think is unfair is piling on the big M while simultaneously ignoring (or encouraging) the same type of hubris from other firms. Here’s what I mean… This thing with Allchin was a pig-pile, right? I mean, it was the same kind of journalistic feeding frenzy you see in post-midterm White House press briefings… brutal. But compare that frenzy with the reaction of the press to comments made by Oracle VP Hasan Rizvi earlier this year:

In an IT environment there are lots of complexities and if you look at the Oracle software, people have to apply the patches… Our customers are so used to high security that when there is a vulnerability they don’t apply the fix because they are not used to it, which is an interesting position to be in.

Now, I blogged about this because the hubris of that statement (not to mention its inaccuracy) seriously got under my skin, but there was pretty much no response from the mainstream industry press… other, that is, than the sound of crickets all around. Or remember when Larry Ellison went on record saying that Oracle hasn’t had a security problem in twenty years? Where was the pig-pile then? Ellison’s statement was inaccurate, misleading, and dangerous. But still the crickets won the day.

Or take Apple… who has unrelentingly pushed the "no malware" message in the absence of provability and contrary to empirical evidence. I’ve griped about that plenty in the past, so I won’t go through it again. But guess what? When Apple makes a statement like this – not only does it not hit the press (at least as something negative), but humble bloggers who dare to criticize it get their email boxes filled with hostility. So here’s my question: clearly, we’re more eager to tear Microsoft down for doing this than other firms. Why is that? Shouldn’t we hold other firms to the same standard? Isn’t it just as offensive when Oracle makes a statement like this (and really means it)? Shouldn’t it be? I’m not going to say we should tolerate hubris from Microsoft. Clearly, we should react in the way that we did and call them on it. But why do we continue to tolerate this from everybody else?


Symantec Business Model 2.0

Wow, all this news about Symantec’s Security 2.0: it was covered in the Register, in news.com, in Information Week and so on. Having apparently declared the malware problem “solved”, John “we’re more than antivirus” Thompson is moving the firm in an entirely new direction (for them) – a direction that has them concentrating on transactional elements of information security rather than platform aspects; a strategy of trust rather than a strategy of fear. Interesting. But what’s more interesting than that, in my opinion, is the change to the way that Symantec typically does business.

In the past, for example, we’ve seen a typical pattern emerge in the way that Symantec approaches building the enterprise portfolio – we’ve seen them buy products to round out the portfolio like Veritas or BindView and we’ve seen them buy service companies like @stake. However, this new strategy of partnership with service companies in combination with development (rather than purchase) of new products is a new one. I’ll be curious to see if it works the way Thompson is hoping. I’m also interested to see what type of marketing dollars Symantec is willing to spend to get the kind of adoption that they need for the products to be a success. I guess we’ll have to wait and see…


RiskAnalysis.is hits one out of the park…

Hey, are you reading RiskAnalysis.is? You should be. Even if you don’t read it on a regular basis, go and read Fear and Loathing in OS X Security Land; and then when you’re done, read it again. Check out some of the awesome stuff:

Never take a magazine rating at face value. In fact, tell magazine reviewers that they need to put a metric up


Hot or Not: SC Magazine’s New Feature

So, I got an email the other day from SC magazine informing me that they have a new feature called “Hot or Not” which claims to take the media to task for their hype. That sounded appealing as did the “hot or not” part (because much like Project Runway, in security you are either hot or you are not.)

For background, SC has apparently decided that there’s quite a bit of media hype in infosec, and they’ve apparently decided to separate the wheat from the chaff and tell us if stuff is really a threat – or if it’s just hype. Reading the description, I approached the column with cautious optimism: optimism because I’m all for people calling out the media hype, but caution because to do this correctly SC will need to be ready to take the occasional controversial stand on things and cut against the traditional wisdom.

In the first edition of this new feature, SC tells us that laptop theft is, in fact, “hot” and not just wind:

Should I be worried? Yes. Every organization that deals with PII should be concerned about proper protection and potential loss wherever the data resides.

Agreed; I think it’s probably “hot” too. Of course, I think you’d be hard-pressed to find anyone who doesn’t agree with that assessment. As to what practical things that they recommend that practitioners do to mitigate laptop theft:

Procedures should separate PII from other general user population information. The enterprise should employ hard disk passwords, disk encryption or file encryption for computers that must contain PII. In addition to the built-in (but not automatically enabled) file system encryption that PCs (EFS) and Macs have, there are other hard-drive encryption solutions on the market. Additionally, developers or programmers should not work with live data.

True, true. My only issue with this would be with the degree of difficulty in doing these things. Having implemented EFS, for example, I can tell you with certainty that it is a technology that’s difficult to implement (and of questionable utility) in the best of situations and less than useless in the worst of them. Additionally, I have yet to come across an enterprise where developers don’t work with production data somewhere in the firm (I’m not saying it’s right, mind you, just that everybody’s doing it – kind of like speeding.) Useful material around this would be a “real world guide to implementing EFS for laptop protection” if somebody would care to write it; of course, SC might not be the best forum for that…

So, I’ll remain cautiously optimistic about this new feature; if SC decides they don’t mind pissing off a few readers, authors, and sponsors by actually taking the hype to task (consider “hot or not: source code scanners”, “hot or not: web application firewalls”, “hot or not: phone-borne malware”, etc.) then I’ll keep reading it. On the other hand, if they stick to topics guaranteed not to stir the pot, then I’ll probably stop reading after a few entries.


Why Symantec needs a unified voice

Once an organization gets to a certain size, it becomes exceptionally important that it have a central message and that the central message is unified and focused. Otherwise, statements made by one area can dilute statements made by another area; it’s actually worse than not publishing the messages at all if they contradict – “net zero” (no effect) would be if contradictory messages just cancelled each other out – but that’s not what happens. Instead, disparate messages either leave readers scratching their heads wondering “WTF” (best case) or they can have other side effects like making the firm look hypocritical or self-serving. Here’s what I mean.

The other day, SYMC VP David Sykes went on record indicating that it’s “pointless to speculate about software that isn’t released yet” in reference to the debate about Vista’s new security features and potential threats to those features by EU regulators. Now, while I wholeheartedly agree with Mr. Sykes that it’s not usually productive to speculate about software that’s not released yet, this message dilutes the efficacy of work being done in other areas of the firm. Specifically, Symantec has recently published concentrated research dealing with the security and performance of Windows Vista; they published a report entitled Windows Vista: Network Attack Surface Analysis as well as made statements to the press indicating that Vista is likely to be less stable/secure than XP. They’ve also gone on record by highlighting potential attacks against the yet-to-be-released product.

So, while Symantec’s pointed criticism to the press saying it’s unwise to speculate about the security of unreleased products would be valid on its own, it appears disingenuous at best (or hypocritical at worst) when viewed in light of public comments made by other areas of the firm. Worse yet, it obviates the investment made by Symantec in authoring and publishing their Vista research.

Totally unrelated to that, I found the little WTF guy in the picture on the internet a few months ago and thought it was absolutely hilarious; however, I can’t find out who drew it to give it attribution.


Humorous Press Release

So, in case you missed it, the other day MicroWorld put out a press release for the eConceal product. For some reason, the first sentence (“MicroWorld Technologies launched its futuristic, enterprise class firewall eConceal”) caught my attention (due, I think, to the fact that “futuristic” struck me funny) and caused me to read on:


“Extrusion” Prevention?!?!

Every once in a while, I hear a marketing term that stops me in my tracks for one reason or another. This is one of those times. Maybe I’m out of the loop on this one, but have you heard about “extrusion prevention” yet? Seriously – extrusion.

Here’s the back-story: back in 2004, Danny Lieberman came up with “extrusion” as a concept for information leaving a company in contrast to “intrusion”. It’s a clever way to grab a reader’s attention if you’re a journalist, so props to Danny. Since the original coining of the term, various product vendors like Fidelis and Datamation have picked it up and run with it to the point that now we have papers being written about “extrusion prevention” and “buyers guides for extrusion prevention.”

Now, don’t get me wrong – these are probably good products, and I’m sure they’re useful. My only issue here is with the continued use of “extrusion” as the catch-word – maybe we ought to start considering the literal definition of a term before borrowing it for marketing purposes. Take a look at the literal definition. Not pleasant; consider:

compacting… and forcing… through an orifice

Outward displacement of the contents of an organ.

squeezing out by applying pressure

Eww. Can we, as an industry, please have a moratorium on marketing terms that are literally defined as “squeeze forcibly through an orifice?” I don’t particularly like the organ reference either.
