Face to Face With a Zealot – Why Innovation Gets Throttled

I had an interesting brush with zealotry the other day that served as a stark reminder of what those of you who make IT security decisions for your respective organizations face on a daily basis.  This experience folded nicely with a great blog post by Rich Mogull in the Securosis blog (“There is No Market for Security Innovation“) because I think the zealotry I experienced is one of many factors that throttle innovation.

I was on the phone with a partner discussing how we could align our respective products to cooperatively go to market.  Joining the call was a product manager (who I shall call PM going forward) for a specific product within the partner’s product line.  I was asked to describe what our product could do, and after doing so, was immediately met with PM conveying a general sense of “my product does all of that and more” as I was subjected to an enthusiastic Gatling gun fusillade of breathless features and counterclaims.

By the time the PM was done describing the length, breadth and depth of PM’s product, I could almost feel the hair growing back on my bald spot and my previously receding hairline reclaiming lost ground on my forehead.  I am quite sure world hunger was also on the decline and cold fusion was only minutes from discovery.  Fortunately, as my cynicism and hair loss problem probably indicate, this is not my first rodeo, and I had done some pretty extensive competitive research on PM’s product.  Suffice to say the general consensus amongst the analysts and reviewers (including user feedback) does not reflect the unbridled enthusiasm of PM.

After the call I stepped back to think about the exchange and tried to put myself into the shoes of the prospects I see almost daily.  I got the sense that PM either did not care to hear me or the zealotry simply overwhelmed him/her.  What was most important to PM was to tell me all of the things the product could do rather than align with me as a partner.  I am quite certain the same thing would have happened if I was a buying prospect – I would have been told what the product would do rather than how it would help address my specific problem.  Any question I had would have been met with an enthusiastic “Yes” before I got half of my sentence out.  I am not accusing PM of being deceptive – I choose the word zealot because zealots honestly believe they have that capability.

Mogull notes that buyers don’t consider innovative products until they believe “existing tools are failing so badly that you can’t keep the business running”. An exchange with a zealot such as I experienced would certainly give a buyer enough assurances – whether the buyer believes it or wants to believe it to avoid a purchase – to step away from making a bet on a newer product.

Prior to RSA I had a blog entry where I described similar zealotry on the exhibit floor under the name denial of innovation attack (Beware the “Denial of Innovation” Attack at RSA).  My encounter with PM reminds me that this is not an RSA specific phenomenon and is in fact a daily occurrence.  I appreciate that PM was doing his/her job, but it was a stark reminder to be on the other side of the equation and it certainly gives me a renewed appreciation for those of you who make buying decisions for your respective organizations.

More Random Thoughts, Observations, and Musings from RSA 2010

More quick hits from RSA as I get ready for the last day on the show floor:

  • Great traffic to our booth with great conversations about how we can help organizations plug gaps in their endpoint security.  Given we take such a different approach, it is always fun to watch people process how we approach endpoint security and configuration management.  My favorite is their parting words which are usually something like “thank you, that was interesting”, then there is a pause as they continue to process what they have seen and heard, followed by a “very interesting”.  I always like that response because they get it and now they are mentally extending what they have heard to the needs of their organization.  I think most people think the time at the booth is time well spent.
  • Triumfant will be included in an announcement by SRA today about Triumfant being part of the team for SRA’s One Vault Cyber Security Suite.  We are excited to be teaming with SRA and are looking forward to being a part of this exciting offering.  SRA is extremely progressive about finding new ways to help secure their customers and we are pleased to be part of that process.  More announcements about Triumfant and SRA to come.
  • We have been seeing a steady stream of vendors coming to the booth to learn about what we do.  This is a good indicator that the word is spreading about our capabilities and that these vendors have to answer their customers’ and prospects’ pointed questions about how they compare.  Some are open about working for a vendor, some try to sneak in.  Just walk up and shake hands, folks – we have nothing to hide.  Besides – it is for your own good: the more you know about what we do the less likely you will be to tell customers and prospects that you can do it when they hear about us.  Sorry, but true.
  • Not one person has come to the booth looking for a solution to the advanced persistent threat (APT).  Or any other phrases that get knocked around the press and the blogs.  Sure you hear some of the concepts, but at least the people coming to our booth don’t adopt the names such as APT.  I guess when you spend the day fighting it you don’t get caught up in what to call it.
  • RSA is a great show but it is very frustrating for a new vendor.  Getting a speaking slot is next to impossible, and the system for booth placement almost guarantees you a less than favorable slot.  Money in the form of a larger booth or an expensive sponsorship will of course fix a lot of that problem, but it is a huge bite of any smaller company’s budget.  I can see why the B-sides movement is gaining momentum.
  • I am always amazed at the amount of money companies will literally dump onto the floor at RSA.  I get marketing obviously, but I can’t imagine anyone altering a buying decision based on a room drop card, a beer tap at the booth, or some fabulous take-away trinket.  I must be getting old and either wise or jaded.
  • I was invited to Mitre’s celebration of the 10 year anniversary of CVE last night.  Great party full of the dedicated folks who tirelessly continue to promote standards for security.  Like I said in a previous blog – I have all the respect for the patience and perseverance of the people who continue to push for these standards.
  • Went to the bloggers meetup last night.  Thanks @RSABloggers2010 for the invite.  I normally stay along the back because the group is gracious enough to let me attend even with my two strikes: being a vendor makes me suspect, but having a Chief Marketing Officer title is the real kicker.  I am sure many of the bloggers feel a disturbance in the force when I enter the room.  So I see some familiar faces and make sure I don’t engage in anything resembling marketing speak.  It is a fun group and the reception is always lively and I always appreciate the invite.

This has been a great RSA, but I am ready to finish this last day of the exhibit hall and start packing for home.  Thanks to all who came by the booth.

Random Thoughts, Observations, and Musings from Monday at RSA

I have lost my normal first-morning-of-a-west-coast-trip battle with my body clock so what better thing to do at 5:15 am than to provide you some random observations and musings from Monday at RSA.

  • My initial read of the show is that there is a general sense of renewed optimism that is a marked reversal from the heavy gloom that seemed to permeate last year’s conference.  Let’s hope that this optimism continues, because I like this year’s vibe much better.
  • I took a pre-opening walk around the exhibit floor and found myself experiencing some serious booth envy because the booths in this year’s show are some of the best designed I have seen in many years.  I am human with an ego, and sometimes I miss the days of having a big budget for the show, particularly when you see high levels of creativity.
  • After dealing with my booth envy issues I came to an important realization:  I can honestly say that I would not trade products with anyone on the show floor.  The Triumfant product is truly different and continually proves that it delivers as advertised.  Our engineers have made change detection a viable process for detecting malware and enforcing configurations and policies.  So much of what I see on the floor sounds and feels like slight variations of the same themes.  I can honestly say we represent something very different that fills real gaps in endpoint security.  No booth budget can buy me that.
  • I have made two quick passes through the floor looking for “hamster wheels of pain” to photograph and share with you.  So far I have found none to report.  Well done, my fellow marketers.
  • Across the aisle from our booth is a China-based security company.  As a marketing person my first thought was: could there be a harder job than to market a Chinese security company?  I have no knowledge of this company and my comment is in no way designed to cast any aspersions or doubts their way.  But the current association between China and cyber crime would seem to make it a difficult sell.
  • I actually had someone come to the booth and say that they read this blog.  I was humbled and flattered.  I enjoy doing the blog and try to make it informative and at least a little entertaining, but you never really know if anyone really reads what you write until someone says something like that.
  • For those of you who have never been to RSA there are two main sets of doors into the exhibit hall and between them is a coffee counter.  I would really like to know what one day’s receipts are from that counter during RSA, because my guess is that it is remarkable.  Location, location, location.
  • Our team walked about 15 blocks for dinner last night and passed countless homeless along the way.  The juxtaposition between the amounts of money spent on the exhibit floor and the view of someone sleeping in a doorway can’t help but stir the heart and mind.  When you see yards of white thick pile carpeting being laid out in booths and wonder what the cost of that carpeting could do for any one of these people on the street it keeps what we do in stark perspective.
  • Today I start my analyst briefings, which is always a fun part of the trip.  Analysts are both leading (what is on the horizon) and trailing (are their customers asking about Triumfant and what problem do those customers think Triumfant will address) indicators of the market and are valuable to small companies looking to chart a clear path.  The analyst/vendor relationship is always an interesting dynamic, but if you are willing to be open minded and really listen to their feedback, there is always valuable data and insights available.
  • According to the forecast and the drops on my hotel window, we start what looks to be two days of non-stop rain.  At least it is a change from snow.

Please come by the booth (756) and say hello if you are on the floor.  And don’t forget the malware detection challenge.

Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?

As we move toward RSA I am really intrigued by the fact that Intel included a note in their recent 10K that they experienced an attack resembling the recent Google attack.  I am not surprised about the attack, but I think the mention in the 10K is interesting.

Intel noted the recent attack in the section of the 10K called “Risk Factors” where a company discloses to investors and potential investors external factors that can affect company performance.  In other words, potential problems that may cause direct impact to the stock price.  In the words of Intel “Our business could be subject to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents…”.

I have written 10Ks and I can tell you that items are not put onto the document on a whim.  I cannot speak for Intel, but I think it is reasonable to say that the frequency, complexity and depth of the attacks they experience have reached a place where the company feels compelled to explicitly reference these attacks as a potential risk to company performance.  We truly have come a long way from the Anna Kournikova virus and attacks for bragging rights.

Are we nearing a point where the government will step in and require disclosure of attacks?  The analogy can be found in the laws that emerged around personally identifiable information (PII), such as California law SB 1386, where companies were required by law to notify individuals if their PII was acquired by an unauthorized party from company systems.  Many of the PII breaches we have seen over the past five years may have never surfaced into the public eye without such laws.

So will the SEC come to the place where the relentless attacks on corporate IP and confidential data will be seen as something that must be disclosed when such an attack is successful in order to protect investors from the potential fallout of such an attack?  What will be the criteria to require disclosure?

This much is sure – the stakes for IT security get higher every day.  If attacks are being discussed on 10Ks, then we can reasonably assume that there is much greater visibility to things such as the Advanced Persistent Threat at the executive level.  That visibility can only help the cause and move IT security from a grudge spend to a strategic investment in the fiscal health of the company.

Beware the “Denial of Innovation” Attack at RSA

We are on the final countdown to RSA and I find myself at an interesting place mentally and emotionally about the conference.  I enjoy the interaction with customers, analysts and the other vendors.  I enjoy the opportunity to connect with old acquaintances that I sometimes only see this one time a year.  I learn some things and come away energized – particularly about our product and the obvious gaps that we fill in the industry.

I also come away frustrated and a little sad by what I have named the “denial of innovation” attack that is becoming increasingly prevalent at the show.  RSA is full of noise and FUD, and the larger companies in the middle of the floor rule both the microphone and the exhibit floor, and to some extent, throttle the smaller voices of innovation in the room.   They do so by using their industry standing and deep pockets to overwhelm the mental bandwidth of the attendees – hence the use of the “denial of innovation” descriptor.

For these companies, their huge revenue streams are their power and their problem.  It is their power because they can afford to buy the premium sponsor slots and deliver “keynotes” that are in fact well crafted marketing messages.  Their booths are an adventure in excess – people, show floor technology and the best give-aways.  At least one will have a display device that costs as much as or more than what Triumfant will spend on our entire booth.

It is their problem because the message they deliver is predicated on protecting the revenue stream, and the act of protecting revenue is often an inhibitor to innovation.   This is not unique to the security industry – it is a well worn path as companies grow large and make decisions based more on the effect to stock price over advancing technology.  The problem may be in fact more pronounced in IT security because so many of the largest companies are so closely wed to older technologies such as signature based tools, and they simply cannot afford to put the revenue streams from these products at risk by admitting it is time for a new approach.  You can also read numerous discussions about the Advanced Persistent Threat where the DoD and other agencies and organizations have been pleading with the large A/V vendors for years to step up to the evolving threats and the waning ability of antivirus tools to address such threats.  In Mike Cloppert’s blog he notes that the “defense industrial base has been pleading with the AV industry for innovation to address more sophisticated threats and detection resiliency for at least 5 years, likely longer”.

Those big vendors that will have a new approach to tout at this year’s show will likely be doing so because of technology obtained through acquisition and not through internally driven innovation.  While the vendor may earnestly believe their new offering is a step forward, do not discount the fact that the financial markets and shareholders demand that they show a positive effect to the bottom line from that acquisition.

Lest you think this is a jealous rant of a small vendor, Bill Brenner of CSO magazine today reported that a movement called Security B_Sides has started that offers a forum for the innovative companies that are squeezed out of forums like RSA by the big guys (full disclosure: Triumfant submitted a proposal for a presentation on how our analytics eliminate the false positive problems of anomaly detection, and was rejected).  Such forums are a positive step toward getting exposure to new and innovative technologies that address very real problems.  If smaller, innovative companies had a voice at places like RSA, there would be no need for something like Security B_Sides.

I also understand that there is a buying dynamic at work in the IT security market.  The volume of vendors and offerings on the RSA floor is a confusing mass of noise to buyers who have strained budgets and their own professional standing on the line.  The old saying “no one gets fired for picking IBM”  gets translated in IT security to the choice to go with the larger omnibus product set of a large and well known security vendor rather than having to pick smaller vendors to cover requirements and then be faced with the very difficult task of integrating those products.   And for some companies the big vendors may be the right choice and all that they need.  But for other organizations who are under the constant barrage of advanced threats, the easier path may not be the answer.

The big vendors know this, and if you see something innovative and raise it to someone in a big vendor booth, they will very likely tell you they “have that” and you don’t need another product.  I am not accusing these vendors of being deceptive – they honestly believe they have that capability.  Remember the famous line by George Costanza from Seinfeld: “if you believe it, it is not a lie”.  I cannot tell you how many times I provide an overview of the Triumfant product to someone from such a vendor and get that response.  But if that person will take the time to drill down to our actual approach and functionality, they understand the innovative nature of the product and will sheepishly admit that they really do not have comparable capabilities.

RSA has become the embodiment of a self-perpetuating cycle that seems to become more pronounced every year, and this is what makes me frustrated and sad.  I wrote a somewhat fanciful piece on the animals of the RSA zoo, describing the various company profiles on the floor.  Savvy veterans of the show know that the innovation is on the edges of the exhibit floor in the smaller, non-descript booths.  But unfortunately, the bright lights and “don’t worry, be happy” messaging at the large booths in the middle provide many a warm sense of assurance even if it may be at least partially false.

So if you are on the way to RSA, do yourself a favor and don’t give yourself over to the denial of innovation attack.  Go and enjoy the bright lights and frothy promises at the booths in the middle of the floor, grab that invite to the swanky party, and get your stash of give-aways to bring back to the office or home to the kids.  But then break away and head for the edges of the exhibit floor.  You may find something that really solves a problem you have in a way that cannot be found in the glitz and glamor.   Because the heart of RSA is not at the center of the floor – it beats strongly in the innovative vendors that reside at those edges.

Triumfant Malware Detection Challenge at RSA – You Bring It; We Find It

Today we are announcing that Triumfant will be holding a malware detection challenge in our booth (756) at RSA 2010.  The challenge is amazingly simple: you bring us malware on a USB stick or CD, and we will put it onto a Windows XP machine running our software and detect it.  No smoke, mirrors, celebrity look-alikes, flashing lights, or slickly animated and over-produced presentation.  Just your malware against our ability to detect what evades other traditional malware detection tools.  Straight up, and we will show you the results.

We are doing the challenge because sometimes when a product breaks down constraints that have been generally accepted as unbeatable, that product can be perceived as too good to be true, raising doubt and suspicion even when people see the product work in person.  Such was the case at last year’s RSA when we did our three minute malware challenge – people were really impressed, but some looked to discount what they observed firsthand as a set-up given that the malware used was selected by us.

So this year we will remove all doubt by using malware that anyone is willing to bring to the booth.  The information and rules about the challenge can be found here and here.

“But wait, there are restrictions!”, you say.  Yes there are and unashamedly so because we at Triumfant have always been very clear as to what we can and cannot do.  That is because we enjoy the luxury of having software so unique and so differentiated that we do not have to stretch the truth.  We have always said that Triumfant sees attacks with at least some form of persistence, and is not effective for attacks that are completely memory based or BIOS based.  We also know that there will be some (we think 5%-10%) rootkits that can get lower in the stack than we will see, but we will still gladly take rootkits in the challenge.  And even with the restrictions, we are still addressing a very significant and sizable problem.

“What if you fail?”, you may ask. Let me start with the easy answer – we are quite sure we will have a far higher detection rate than any of the traditional tools.  Of course the bar is pretty low (ok, that was a cheap shot).  The better answer is that we are very confident that we will succeed convincingly, if not perfectly.  Our success rate will certainly be high enough to effectively show the power and value of our product.

The bigger question may be how the market reacts to our success.  Detecting the attacks that evade other tools under live conditions pretty much removes reasonable objections.

But wait, there is more (I am in marketing, after all).  We have not mentioned the automated remediation capabilities of Triumfant.  For persistent attacks and rootkits, we will be able to take the detailed information generated during the detection process and generate a situational and contextual remediation for the attack, returning the victim machine to its pre-attack condition.  The only attacks that we will not be able to remediate will be those that exist partially in memory – we will identify the persistent artifacts but not all of the memory based elements.

So come by the booth and see for yourself.  If you can’t find a snarling nasty bit of malware to bring along, we will have plenty to demonstrate the product to you.  Or you can watch while someone brings their sample to the booth.  Either way, I am absolutely sure you will be impressed.

Oh the Animals You Will See at the RSA Zoo (Conference)

We are now 10 days away from the RSA Show.  For those of you who have never had the pleasure of attending the yearly security conference, it is, to say the least, a happening. It is certainly a loud, confusing and busy show with hundreds of undifferentiated vendors screaming for your attention.

Some would characterize RSA as a zoo and zoos of course have animals, and I, being the helpful guy that I am would like to give you a short guide to some of the animals you will see.

Hamster. As in the “hamster wheel of pain” graphic prominently displayed on the booth (see examples here and a fun cartoon inspired by Andrew Jaquith here) to illustrate why the vendor’s product is essential to you.  Ever since I was introduced to the term I vowed never to use a wheel graphic in my materials again.  Each year at RSA I do a “hamster wheel” walk and laugh at the examples.  The more items on the wheel the better – the record sighting is 14.

Fudasaurus. These are the easiest booths to spot at RSA because of their size, noise, and the fact that they have graphical display devices that cost far more than I will spend on our entire booth.  Because the fudasaurus was built on traditional (translation: aging) products like signatures and antivirus, there will be an emphasis on how the latest acquisition really (no, really) solves the known gaps in their product.  The fudasaurus is always surrounded by swirling hordes of like-dressed acolytes that share a common ailment: premature affirmation or PMA.  PMA is characterized by the afflicted answering “yes” before the person asking the question completes the query.  Here is a sample dialogue:

Attendee: “Does your product…”

Acolyte: “Yes – we are in fact the world leader”

Attendee: “But I did not finish.”

Acolyte: “Yes”

Attendee: “But what if I was to say male pattern bald…”

Acolyte: “Yes”

PMA is somewhat analogous to the very advanced application of Maslow’s quote “If the only tool you have is a hammer, you tend to see every problem as a nail.”  This year’s new hammer and newly acquired problem solver for the fudasaurus is whitelisting.

Ants. These are the complete antithesis of the fudasaurus, relegated to small, non-descript booths at the edges of the show.  But pound for pound, an ant’s product may lift ten times its body weight, and the ants are tireless and industrious. Unfortunately, attendees are so distracted by the other animals they often do not take the time to visit the ants, which is a shame because it is the ants who may actually have the solution for their problem. (see last year’s blog entry about a View from the Edges)

Blowfish.  These are the vendors that want to look like they cover far more security functions than their actual technology will support.  Luckily the blowfish does eventually have to breathe out and if you are lucky you will be able to spot their true capabilities.  Blowfish are also spotted by the use of words like comprehensive, suite, single pane of glass, one stop shop, and holistic.  The blowfish aspires to be a fudasaurus.

Peacock. These are the booths where the inhabitants all strut gloriously as if they have invented sliced bread and cold fusion.  The peacock often has interesting technology that, while visually compelling and breathlessly described, seems to solve a problem no one has.  Perhaps a hamster wheel graphic would help.  The relentless strutting and preening is mostly to catch the eye of the Fudasaurus for mating…sorry… acquisition activity. The most aggressive peacocks will claim a solution for the Advanced Persistent Threat at the risk of great ridicule from the roaming bloggers.

Chameleon. These are the vendors that have one basic type of product and are now passing themselves off as something much different and hopefully grander.  For example, patch management and helpdesk tools that now present themselves as security configuration management tools.  Hmmm, I thought we have configuration management issues because patch management has historically failed, but I digress…

So have fun, spot the hamster wheels, and enjoy the show.  And do yourself a favor and make sure you visit the ants.