Gartner IT Security Summit: Tufin APG announced.

June 29th, 2009

Once again I am covering a Gartner Security Summit. This is my ninth, I believe. Watch this space for my thoughts on various announcements from the vendors and prognostications from the analysts.

The first vendor announcement worth thinking about is Tufin’s Automatic Policy Generation (APG) tool, part of their complete firewall policy management solution. The problem that APG addresses is that of deploying a new firewall to a network segment that has gone unprotected in the past. Certainly universities and research institutes have lots of these! Many enterprises may also find that an audit or a tightening of security controls identifies the need for a new deployment, perhaps in front of HR or between the core and the transaction processing systems. The question is: how does one determine the rule set for the new device?

Tufin provides a methodology: deploy the firewall in logging-only mode, record all traffic, and use that data to devise a security policy based on real usage. Do a little clean-up, just in case the network is host to active bots and Trojans or someone is abusing it, and voilà, you are done. The caveat is that a learned policy codifies whatever was on the wire during the learning window, so the clean-up step is where the real review happens: anything you do not deliberately remove becomes an allow rule. Of course, you might want to use the same capability to replace a legacy firewall with a new one. You might have a PIX or Gauntlet running on IRIX 6.0 (still my favorite OS) and need to upgrade to something that is supported.
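To make the methodology concrete, here is an added example of the learn-then-clean-up step in Python. It is not Tufin’s code and does not use Tufin’s log format; it assumes a constructed, syslog-like record per observed connection (proto, src, dst, dport), and the scan threshold, minimum-hit count and the list of ports that get parked for review are assumptions chosen for illustration.

```python
"""Derive a candidate rule set from traffic observed in logging-only mode.

Added example, not Tufin's code or Tufin's log format. It assumes a
constructed, syslog-like record per observed connection:
    "<date> fw proto=<tcp|udp> src=<ip> dst=<ip> dport=<port> action=log"
Ports, thresholds and the "review" list are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import re

FLOW_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Assumed: services that should not be learned into an allow rule without a human look
REVIEW_PORTS = {6667: "IRC (classic bot C2)", 23: "telnet", 4444: "common reverse-shell port"}
SCAN_THRESHOLD = 8   # distinct dst:port pairs from one source marks it as a scanner
MIN_HITS = 2         # single-hit services are treated as noise, not policy


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: int
    action: str
    note: str = ""


def parse(lines):
    """Extract (proto, src, dst, dport) tuples; lines that do not match are ignored."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return flows


def summarize_sources(srcs):
    """Collapse two or more sources into a /24 when they all share one; else list them."""
    nets = {ipaddress.ip_network(f"{s}/24", strict=False) for s in srcs}
    if len(srcs) >= 2 and len(nets) == 1:
        return str(nets.pop())
    return ",".join(sorted(srcs, key=ipaddress.ip_address))


def generate_policy(lines):
    """Return (allow rules + default deny, rules needing review, suspected scanners)."""
    by_service = defaultdict(lambda: defaultdict(int))   # (dst, proto, dport) -> src -> hits
    per_source = defaultdict(set)                         # src -> {(dst, dport)}
    for proto, src, dst, dport in parse(lines):
        by_service[(dst, proto, dport)][src] += 1
        per_source[src].add((dst, dport))

    # The clean-up step: a source touching many distinct services looks like a scan,
    # and nothing it did should be learned as legitimate usage.
    scanners = {s for s, targets in per_source.items() if len(targets) >= SCAN_THRESHOLD}

    rules, review = [], []
    for (dst, proto, dport), srcs in sorted(by_service.items()):
        clean = {s: n for s, n in srcs.items() if s not in scanners}
        if not clean or sum(clean.values()) < MIN_HITS:
            continue
        src = summarize_sources(clean)
        if dport in REVIEW_PORTS:
            review.append(Rule(src, dst, proto, dport, "review", REVIEW_PORTS[dport]))
        else:
            rules.append(Rule(src, dst, proto, dport, "allow"))
    rules.append(Rule("any", "any", "any", 0, "deny", "default"))
    return rules, review, sorted(scanners)


# Constructed sample: three workstations using HTTPS and DNS, one NTP one-off,
# one host talking IRC to an outside address, and one host port-scanning a server.
SAMPLE_LOG = [
    "Jun 29 10:00:01 fw proto=tcp src=10.1.1.10 dst=10.2.0.5 dport=443 action=log",
    "Jun 29 10:00:02 fw proto=tcp src=10.1.1.11 dst=10.2.0.5 dport=443 action=log",
    "Jun 29 10:00:03 fw proto=tcp src=10.1.1.12 dst=10.2.0.5 dport=443 action=log",
    "Jun 29 10:00:04 fw proto=tcp src=10.1.1.10 dst=10.2.0.5 dport=443 action=log",
    "Jun 29 10:00:05 fw proto=udp src=10.1.1.10 dst=10.2.0.9 dport=53 action=log",
    "Jun 29 10:00:06 fw proto=udp src=10.1.1.11 dst=10.2.0.9 dport=53 action=log",
    "Jun 29 10:00:07 fw proto=udp src=10.1.1.10 dst=10.2.0.9 dport=123 action=log",
    "Jun 29 10:00:08 fw proto=tcp src=10.1.1.77 dst=198.51.100.23 dport=6667 action=log",
    "Jun 29 10:00:09 fw proto=tcp src=10.1.1.77 dst=198.51.100.23 dport=6667 action=log",
    "Jun 29 10:00:10 fw proto=tcp src=10.1.1.77 dst=198.51.100.23 dport=6667 action=log",
] + [
    f"Jun 29 10:01:{i:02d} fw proto=tcp src=192.168.5.4 dst=10.2.0.5 dport={p} action=log"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 139, 445))
]

if __name__ == "__main__":
    allow, review, scanners = generate_policy(SAMPLE_LOG)
    for r in allow + review:
        print(f"{r.action:6} {r.proto:4} {r.src} -> {r.dst}:{r.dport} {r.note}")
    print("suspected scanners:", scanners)
```

On the sample, the HTTPS and DNS usage collapses into two allow rules for the 10.1.1.0/24 segment, the single NTP hit is dropped as noise, the scanner’s probes never become rules, and the IRC flow is held for review rather than silently allowed. That last bucket is the point: a real tool will let you accept or reject each learned rule, and the ports worth stopping on will be specific to your environment.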

See my presentation on the evolution of firewall policy management here along with an introduction to Tufin from its founders and a panel discussion I led at RSA when Tufin announced their open platform that allows third party vendors to integrate with Tufin.



Art of War discussion with Steven Fox

June 27th, 2009

I had a chance to talk about the topic of cyber warfare with Steven Fox of Secure Lexicon. Steven is focused on applying the teachings of Sun Tzu’s “Art of War” to the concepts of cyber warfare.

Listen to the podcast as Steven asks me about “Knowing thy enemy”, “lessons learned”, “crowd sourcing attacks”, “understanding environmental and cultural context”, “Iranian cyber war”, and “political goals”.

We recorded this over Skype so there are some interesting audio effects that I kind of like. Makes it sound like I am on the moon or something. :-)

ThreatChaos Weekly Updates for 2009-06-26

June 26th, 2009

ThreatChaos Weekly Updates for 2009-06-19

June 19th, 2009

Update on Iran-Twitter-US cyber war

June 17th, 2009

The State Department for some reason is claiming that they were the ones to convince Twitter to delay a scheduled down time until today. (Which has been successfully completed.)

From the Twitter blog:

When we worked with our network provider yesterday to reschedule this planned maintenance, we did so because events in Iran were tied directly to the growing significance of Twitter as an important communication and information network.

They also verified that yes, they had talked to the State Dept.

It’s humbling to think that our two-year old company could be playing such a globally meaningful role that state officials find their way toward highlighting our significance. However, it’s important to note that the State Department does not have access to our decision making process.

In a press briefing early this morning, State Department spokesperson Ian Kelly said:

“I began to recognize the importance of new social media as a vital tool for citizens’ empowerment and as a way for people to get their messages out.”

I am not sure why the State Department felt it was necessary to highlight their involvement with Twitter, but Iran has taken notice. According to CBS, Iran accused the US of “intolerable meddling in its internal affairs.”

So, unlike Russia, which to this day has successfully denied participation in cyber attacks on Estonia, Lithuania, and Georgia, or China, which vehemently denies its massive cyber espionage activities, the US has pretty much lent its support to a communication vehicle that is writing a new chapter in the history of cyber warfare. (Which I am recording, by the way.)

As an example of the damage that can be caused using Twitter, check out http://greenmov.persiangig.com/green.html or rather, don’t check it out. As soon as you hit the page, multiple frames open up and refresh continuously, causing a denial of service attack against its targets: Iranian media and government sites.

Twitter has an issue ahead of them. After this experience the general populace has learned how to participate in cyber civil unrest. Twitter will be used in the future for hacking attacks and the targets of attacks may find legal cause to complain.

The State Department has created a huge issue by supporting Twitter. I hope they know what they are doing.

Could the Twitter-enabled Iranian cyber war be a harbinger of the much predicted cyber melt-down?

June 16th, 2009

There is much interest in recent weeks in cyber warfare. The Obama administration has identified cyber defense as a top priority and is ready to appoint a Cybersecurity Policy Coordinator. Whitehall in the UK is thinking about appointing a Cyber Czar. The Cooperative Cyber Defence Centre of Excellence (CCD COE) in Tallinn is hosting a Conference on Cyber Warfare this week. Yet, while the talk proceeds, action is taking place in response to the disputed election in Iran. As millions of Iranians flood the streets in protest, a few are getting through to Twitter via SMS and dial-up lines. They are giving us real-time information that the traditional media is slow to gather and report.

Cyber hackers are posting instructions on how to hack Iranian websites, including this Google Doc that has a list of URLs that will create Denial of Service attacks against:

Governmental and HARDLINE NEWS:
OFFICE of AHMADINEJAD & KHAMENEIE:
STRATEGIC PLANNING:
POLICE,MINISTRY OF INTERIOR
CENTRAL BANK, COMMERCE BANKS:
OIL,GAS,PETROCHEMICAL
ECONOMY,TRADE,EXCHANGE:
JUDICIARY:
Transportation:

A Cyberwar Guide was reposted by BoingBoing, which then suffered a DDoS outage, either through friendly fire or a malicious attack. I will post updates as that story develops.

Update: Joel Johnson of BoingBoing had this to say

Update: It’s not a DDoS. It’s probably us being dumbfucks.

Twitter has postponed a scheduled maintenance because its service is playing a vital role in facilitating communications in Iran right now.

The amount of traffic on Twitter and the number of people spreading the word about DDoS efforts point to a scenario that has not been explored before: Internet meltdown from social upheaval. Street protests have played an important role in many regime changes. The French Revolution, the Boston Tea Party, Solidarność, and the Orange Revolution in Ukraine come to mind. As Twitter and other social networking services grow to double, triple or ten times their penetration today, what are the implications for future turbulence? What would have happened if Twitter and the spread of DDoS guides had been present during the “hanging chad” fiasco of the 2000 US Presidential election? What will happen during some future cause célèbre? If one million Tweeple target one thousand sites with auto-refreshing browsers, what happens to the Internet backbone?

Something to think about.

Update. The US State Dept is reportedly interested in Twitter staying up and keeping lines of communication open.

Update. This site makes it even easier to engage in hacktivism. Just open the one page and it opens multiple frames each using pagereload.com to DDoS a particular Iranian server. http://greenmov.persiangig.com/green.html Don’t go there as you will be enlisted in the cyber war.

Do not confuse M&A activity with security industry consolidation.

June 16th, 2009

Bill Brenner just published the results of his quick survey on “what mergers would you like to see in the security industry?” A few follow-up comments are in order. Brenner implies that there is something wrong with having lots of vendors in a space while also saying the industry is consolidating.

He says:

After all, the market has become saturated with so many vendors it can be difficult determining who sells what your enterprise truly needs to tackle a given malware or compliance issue.

Well, I don’t know about “saturated”. I guess every market fills to meet demand. I really don’t think that acquisitions are good just because they reduce options as Bill seems to argue. Acquisitions are usually pretty good for the investors and founders of startups. Sometimes, rarely, they are good for the acquirer. Certainly the owners of Alteon made out alright when they sold to Nortel for $7.8 billion. And I believe Radware is going to do OK with the acquisition of the same assets for $18 million.

The security industry is driven by a different dynamic than the rest of Information Technology. That’s why I enjoy being an analyst in the space. Journalists have been talking about the “consolidation” of the security industry for the ten years I have been covering it. Consolidation comes with maturity. The security industry will not reach that phase until the threats stop changing. And, obviously, we are in a phase of very rapid escalation in the threats. So look for more innovation, more company startups, and yes, more acquisitions.

Let me expand on five acquisitions I pointed out to Brenner.

Reflex + RSA. Reflex was born as an IPS vendor, arguably the inventor of IPS but late to marketing their solution. Two years ago Reflex developed tools to provide security for dynamic virtual environments: a way to see and control deployments of virtual machines in a data center. They sidelined the IPS solutions in favor of the virtualization security. EMC acquired RSA Security with the stated intent to acquire their way to $1 billion in security revenue by 2010. They have some catching up to do and should have no problem finding great companies to buy. Their strategy is to focus on solutions that have synergy with their storage and data center operations. As many have pointed out, data centers are moving to virtualization in one of the most dramatic shifts in computing since the days of CDC and Boeing Computing Services and time-shared computing. EMC should acquire Reflex if they want a security play in the future data center.

Juniper and Fortinet. This recommendation is slightly on the flippant side. Fortinet is growing at a tremendous rate. I expect them to have 30% growth in 2009 which is extraordinary in a time of global recession. I estimate that Fortinet has over 50,000 customers world wide. They are much more successful than Netscreen was when Juniper bought it. I really do not expect any acquirer to have either the vision or the capital to acquire Fortinet which is my number one candidate for a technology IPO in 2009. (Full disclosure: I was employed by Fortinet up to January 2008. I do not have any knowledge of their IPO plans.)

Kaspersky, Eset, AVG, Panda, and AhnLabs (for an uber-AV company)

There are dozens of successful anti-virus companies. I could add BitDefender and Avira to this list. Obviously, the Big Three, McAfee, Symantec, and Trend, are not dominating what should be a mature space. The combined revenue of these seven companies is probably $560 million. Think of the synergies to be realized by combining research, sales, and marketing teams! To my knowledge there has never been a vertical roll-up in the security space (Network Associates was a horizontal roll-up). In another time the private equity players would have been all over this.

(Of course, Secure Computing ended up with all the also-ran firewalls but there is another word for that.)

Crossbeam and StoneSoft

I was never enthralled with Crossbeam’s strategy of building a hardware platform to run best-of-breed security products in a load-balanced blade configuration. It seemed like a play at carving out the high end of what Nokia was doing with their Ipsilon-derived product line. Now that Check Point has acquired that business, Crossbeam is in direct competition with their most important partner.

I have worked with StoneSoft’s products for fourteen years. They have the most mature software firewall with the most sophisticated management console. As StoneSoft created their firewall to be a replacement for Check Point’s FW-1 it would make a perfect combination if they joined forces with a top notch appliance vendor.

AlgoSec and Cisco

Another flippant suggestion. Thanks to the maturity of the firewalls in most organizations, the management of firewall policies has become a major challenge, one that is giving rise to a new sector that I am covering: firewall policy management. Watch this blog as I post video interviews with the major players and spell out the requirements for selecting a firewall policy management solution. The firewall vendors have been caught out with a lack of features to help manage thousands of rules, detect redundancies, and optimize rule sets. Third-party product vendors are coming on the scene and seeing rapid deployments of their products. Tufin has what I believe to be the most well thought out strategy for this space, one that goes beyond just firewalls, and has had the most success in the large enterprise where the need is highest. Athena Security, AlgoSec, and Secure Passage (a spin-off from the security reseller Fishnet) have great tools and are getting traction.

Cisco is the firewall vendor with the least mature management capability and could profit from acquiring technology from one of these vendors. Of course, one of the primary strengths of the firewall policy management vendors is that they support multiple platforms, so an acquirer would not benefit from their complete value proposition. The real story here is the combination of firewall policy management and network management. More later.
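Since “detect redundancies” is the feature the firewall vendors are being faulted for, here is an added example of the core check those policy management tools perform, written for this page and not taken from Tufin, AlgoSec, Athena or Secure Passage. The rule syntax and the sample rule base are constructed; the analysis assumes a first-match rule base and classifies a rule as shadowed when an earlier rule with a different action matches everything it would match, and as redundant when an earlier rule with the same action does.

```python
"""Find shadowed and redundant rules in an ordered, first-match rule base.

Added example; not code from any firewall policy management product.
Rule syntax and SAMPLE_RULES are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR
    dst: str          # CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (low, high) destination port range; (0, 65535) means any
    action: str       # "allow" or "deny"


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    proto_ok = a.proto == "any" or a.proto == b.proto
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok


def analyze(rules):
    """Return (shadowed, redundant) as lists of (rule, earlier rule that covers it)."""
    shadowed, redundant = [], []
    for i, b in enumerate(rules):
        for a in rules[:i]:
            if covers(a, b):
                # First-match semantics: the first covering rule decides b's fate,
                # so b never fires and later rules are irrelevant to it.
                (redundant if a.action == b.action else shadowed).append((b.name, a.name))
                break
    return shadowed, redundant


# Constructed sample rule base (top to bottom = evaluation order).
SAMPLE_RULES = [
    Rule("r1", "10.0.0.0/8",   "10.2.0.5/32", "tcp", (443, 443),  "allow"),
    Rule("r2", "10.1.1.0/24",  "10.2.0.5/32", "tcp", (443, 443),  "allow"),  # inside r1
    Rule("r3", "0.0.0.0/0",    "10.2.0.0/24", "tcp", (22, 22),    "deny"),
    Rule("r4", "10.1.1.10/32", "10.2.0.9/32", "tcp", (22, 22),    "allow"),  # never reached
    Rule("r5", "10.1.1.0/24",  "10.2.0.9/32", "udp", (53, 53),    "allow"),
    Rule("r6", "0.0.0.0/0",    "0.0.0.0/0",   "any", (0, 65535),  "deny"),
]

if __name__ == "__main__":
    shadowed, redundant = analyze(SAMPLE_RULES)
    for b, a in shadowed:
        print(f"{b} is shadowed by {a}: it can never match")
    for b, a in redundant:
        print(f"{b} is redundant with {a}: it adds nothing")
```

On the sample, r4 is shadowed by the broader SSH deny in r3 (the admin host will never get its SSH exception, which is the kind of thing that turns into a ticket rather than a policy fix), and r2 is redundant with r1. The check only looks for a single covering rule; a rule can also be shadowed by the union of several earlier rules, which is where the real products earn their keep.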

I can’t resist commenting on the other suggested acquisitions in Brenner’s article.

First, Lawrence Pingree:

* 1. McAfee bought by Microsoft: No way. Won’t happen. Too many conflicts.
* 2. Sourcefire absorbed by Symantec: Nope. Symantec tried the IDS space already.
* 3. Imperva bought by Check Point: I don’t think so. Too much history.
* 4. Palo Alto Networks bought by RSA: Gag! RSA is not making network security purchases. PAN is too immature.
* 5. Sophos bought by IBM: Yawn. Whatever.

Mike Rothman’s:

* 1. HP and a big AV vendor (TBD): Ha! Not likely. The AV space is too fraught with challenges for HP.
* 2. Cisco and Fortinet: Well, why not. Cisco can afford it.
* 3. Oracle and Imperva (or Guardium): Hmmm. Maybe.
* 4. Symantec and GuardianEdge (or CREDANT): Also maybe.
* 5. IBM and Fortify: Could work.

There are over 1,200 vendors in the security space and I am briefed by new ones every week. There are many acquisitions to come as the fun continues.

Hacktivism in action. Twitter being used to spread DDoS instructions.

June 14th, 2009

As news trickles in about the events in Iran, where apparently students are protesting the results of the elections and the government is cracking down on media outlets and journalists, there are DDoS instructions being posted to Twitter. The targets of the packages include:

http://www.leader.ir/
http://president.ir/
http://www.irib.ir/
http://www.iribnews.ir/

Here is one of the posts to Twitter:

Pagereload.com is evidently a way to get your browser to hit a site. The service is owned by someone in Karachi, Pakistan. LOIC is Low Orbit Ion Cannon, another Denial of Service tool. Another tool being linked to is BWRAEP, a GET flood tool, with a list of image files to grab from the above sites, causing the web servers to fail.
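The attacks described here (the auto-refresh services and the GET flood tool above, and the auto-refreshing frames page in the June 17 post) all look the same from the target’s side: ordinary browsers fetching the same pages far faster than a human would, often with a Referer header pointing at the page that enlisted them. Here is an added example of the detection logic a site operator could run over its access log; it is written for this page and is not taken from any of the tools named. It assumes the Apache/nginx “combined” log format, and the sample log lines, the 10-second window, the 20-request threshold and the referrer host list are all constructed for illustration.

```python
"""Spot browser auto-refresh / GET-flood participants in a web server access log.

Added example, not from the original post or any tool it names. Assumes the
Apache/nginx "combined" log format; SAMPLE_LOG, the thresholds and the
FLOOD_REFERERS list are constructed assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed: referrer hosts that mark a request as coming from an auto-refresh page
FLOOD_REFERERS = ("pagereload.com", "greenmov.persiangig.com")
WINDOW_SECONDS = 10
RATE_THRESHOLD = 20      # requests from one client inside WINDOW_SECONDS


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "referer": m["referer"]}


def find_flooders(lines):
    """Map client IP -> list of reasons it looks like a flood participant."""
    windows = defaultdict(deque)   # ip -> timestamps inside the sliding window
    peak = defaultdict(int)        # ip -> most requests seen in any one window
    tagged = defaultdict(int)      # ip -> requests referred by a known auto-refresh page
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
        if any(host in rec["referer"] for host in FLOOD_REFERERS):
            tagged[rec["ip"]] += 1

    findings = {}
    for ip in set(peak) | set(tagged):
        reasons = []
        if peak[ip] >= RATE_THRESHOLD:
            reasons.append(f"{peak[ip]} requests in {WINDOW_SECONDS}s")
        if tagged[ip]:
            reasons.append(f"{tagged[ip]} requests referred by an auto-refresh page")
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, sec, referer="-", path="/index.html"):
    """Build one constructed combined-format line 'sec' seconds into the sample window."""
    ts = datetime(2009, 6, 16, 14, 3, 0, tzinfo=timezone.utc) + timedelta(seconds=sec)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" '
            f'200 5120 "{referer}" "Mozilla/5.0"')


# Constructed sample: one browser parked on an auto-refresh page, one fast client
# with no referrer, one normal visitor, and one client that only touched the
# enlisting page twice.
SAMPLE_LOG = (
    [_line("203.0.113.9", i // 5, "http://pagereload.com/") for i in range(30)]
    + [_line("198.51.100.77", i // 5) for i in range(25)]
    + [_line("192.0.2.10", i * 15) for i in range(5)]
    + [_line("192.0.2.11", 3, "http://greenmov.persiangig.com/green.html") for _ in range(2)]
)

if __name__ == "__main__":
    for ip, reasons in sorted(find_flooders(SAMPLE_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

The rate check catches participants whatever page recruited them, and the referrer check catches them early, before they reach the rate threshold. In practice the findings feed a temporary block list rather than a permanent one: the people behind these browsers are not attackers in any meaningful sense, and the flood stops when the page they left open is closed.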

Meanwhile the brilliant folks at Renesys have posted a chart of network outages in Iran that are probably feeble attempts by the government to restrict Internet access.

While Twitter is not contributing to the action in the street (it is blocked in Iran by most reports), it is being used to spread this type of crowd-sourced cyber attack.

A couple of good Twitter IDs to follow for updates on the situation in Iran: TehranBureau and persiankiwi

Update June 15. A Google Doc has been published and spread via Twitter with many more target sites and links built for pagereboot.com

ThreatChaos Weekly Updates for 2009-06-12

June 12th, 2009

The Radware interview

June 9th, 2009

Radware has been raising some eyebrows lately. Although they have a global presence they have not established a huge footprint in North America. But when they hired away one of Fortinet’s top SE’s in Canada I started to get the idea that they were ready to come back. Then they announced the acquisition of Nortel’s Alteon business for a mere $18 million. While the Alteon products have not necessarily kept up with the advances in network and application protection Radware can change that pretty quickly. Obviously acquiring a lot of customers is of great benefit to Radware as well. I would suspect that support contracts alone could provide a good ROI on the acquisition. With a market cap of $137 million I wonder if Radware considered buying all of the bankrupt Nortel which is trading at a market cap of $89 million today.

I had a chance to talk to Avi Chesla, Radware’s VP Security Products. Listen to the interview to learn about their APSolute Immunity concept which combines signature and behavior based detection. Avi also talks about what he calls unknown vulnerability based attacks.



And, to really get up to speed on Radware’s DefensePro Intrusion Prevention and DoS Protection Appliance watch this outstanding demo by Ron Meyran.



I did 31 video interviews while at RSA. This is the second I have posted. Check out the first interview with Mark Shavlik. And check back often as I get caught up on posting the rest of the video interviews.
