Cyber Defense Weekly: August 20, 2010
Friday, 20 August 2010 20:06
Intel to acquire McAfee
Every network security vendor has to weigh the trade-off between custom chip architectures and off-the-shelf CPUs for network and content processing. Every new generation of silicon from Intel sparks an investigation on the part of established and up-and-coming vendors: should they continue to invest in specialized network and content processing chips, or should they revamp their products to take advantage of the multi-core parallel processing now available? Even Fortinet, which has invested everything in custom ASICs, is faced with this analysis.

The network security industry is poised at what Andy Grove would have called an inflection point: the abandonment of custom chips and the move to Intel multi-core. Now Intel has taken disruptive action that could abort this move. By stepping directly into the security space, Intel will alienate McAfee's competitors in network security, making the sort of partnership required to develop content processing unlikely.

What do I really think about the Intel acquisition of McAfee?

Some deals just don't make sense. Some have underlying motivations that are not immediately apparent. Intel's announced intention to acquire McAfee for $7.68 billion is a deal that does not make sense from any perspective.

Technology acquisition. One argument put forth by analysts so far is that by acquiring a market-leading anti-virus software company Intel will be able to add security features to its core business, chips. $7 billion is a lot to pay for technology when there are 27 such technology companies that would cost less to acquire (Symantec, of course, being more expensive). Intel could acquire one of many anti-malware companies that have arguably better technology, better research, and much less baggage.

Brand enhancement. While there is a good argument to be made for technology vendors to acquire security companies to enhance their brands (EMC + RSA being a notable example), Intel is not going to accomplish that by acquiring McAfee. Intel already has one of the most recognized brands in all of technology, and it carries no negative perception for lack of a security association. Intel is highly respected across the board and is rarely faulted for lack of security. This acquisition does not bolster its brand at all. If anything, it dilutes Intel's brand.

Government play. With a tremendous increase in government spending on cyber security projected, one could argue that acquiring McAfee gives Intel a piece of the action. McAfee's ePO desktop security suite is already short-listed within most of the US Defense Department, and the firewall business McAfee acquired with Secure Computing has a large federal component. But Intel is already entrenched in all aspects of state, local and federal government in almost every country in the world with its ubiquitous CPUs. Intel needs no help getting government business.

Network play. McAfee has invested considerable time and effort in revamping the Secure Computing line into a credible network security play. It also has one of the largest installed bases of intrusion prevention system (IPS) solutions. Will Intel work to enhance those network security products by supporting multi-core architectures in them? What does that mean to every other networking company that could have been a big consumer of Intel CPUs? How will they feel about using chips from a direct competitor? And if the acquisition is a networking play, why would Intel put McAfee in its Software and Services division?

Investment. In the tradition of conglomerates and holding companies, this acquisition could be viewed as an investment in the relatively stable security industry. The plan would be to streamline operations and increase profitability. Is Intel really trying to become the next GE or ITT? Is that its core strength? Did it look at other investment opportunities? I understand beach-front property on the Gulf coast is looking pretty good right now.

At $7.68 billion this is the biggest acquisition of a pure-play security company ever. It is also the worst. There is no synergy, no channel benefit, marginal revenue enhancement (considering the price), no new markets, and no meaningful strategy.

Special edition of the Cyber Defense Webcast on BrightTALK
The size of the Intel+McAfee deal and its potentially disruptive impact on the security industry justifies a webcast dedicated to dissecting the event. 

Tune in Tuesday, August 24, at 2 PM to this special event.

Cyber Defense Weekly, August 10, 2010
Friday, 20 August 2010 20:04
What CXOs fail to grasp about cyber security
IT security is often a nagging thorn in the side of enterprises and those that lead them. It is viewed as a technical issue that should just be fixed. In last week's lecture track on security that I delivered for Internet Evolution's 60 Days of Executive Education, I started off with three things that CXOs consistently fail to grasp about enterprise security.

Good security operations is not the same as good security.

Why security investments never end.

Audit and compliance get in the way of good security.

Read the rest of my thoughts on this topic at

Israel sees electronic warfare as an alternative to investing in F-35s

There are a few interesting items in a recent issue of Aviation Week and Space Technology. Apparently Israel is rethinking its original plan to purchase 100 of the advanced Joint Strike Fighters (the F-35). With a focus on modern warfare and fighting non-state adversaries, Israel is faced with the rapid development of technology, in particular unmanned aerial vehicles (UAVs), electronic jamming and attack, and cell phone tracking and targeting.

Active electronically scanned arrays (AESA) are the latest tool in electronic warfare. Israel is investigating the use of AESA first as an alternative to the advanced stealth technology built into expensive fighter jets. By equipping its current fleet of F-16s and F-15s with AESA and putting the dollars saved into new UAVs, it can also start to invest in the cyber attack potential of AESA.

The cyber attack capability was supposedly demonstrated by the US Suter Program, described as firing "data beams packed with exploitive algorithms into antennae arrays" that would grant the attacker administrator access. 

The Wikipedia entry on Suter has this to say:

Three generations of Suter have been developed. Suter 1 allows its operators to monitor what enemy radar operators can see. Suter 2 lets them take control of the enemy's networks and direct their sensors. Suter 3, tested in summer 2006, enables the invasion of links to time-critical targets such as battlefield ballistic missile launchers or mobile surface-to-air missile launchers.

In addition, Israel is investing in cellular telephone intelligence technology, which had also garnered interest from the CIA according to a lawsuit pending between Netezza and Intelligent Integration Systems Inc., or IISI, both based in Massachusetts.

India ramping up cyber capabilities
In response to recent attacks attributed to China, India is apparently going to engage in its own cyber espionage. According to The Economic Times, the National Technical Research Organisation (NTRO) along with the Defence Intelligence Agency (DIA) will be responsible for creating cyber-offensive capabilities.
This is in reaction to the seminal research from The Citizen Lab at the University of Toronto, which reported in April that "hackers based in China had conducted extensive spying operations in India, pilfering confidential documents from the defence ministry."

Tektronix Communications acquires Arbor Networks
The thriving netflow analysis and DDoS defense company Arbor Networks is being acquired by Tektronix Communications. You may be familiar with Tek's lab equipment and network QoS products. They have a large overlap with Arbor's customer base in the carrier space. According to a conversation I had with Colin Doherty, CEO of Arbor Networks, and Rich McBee, Senior Vice President and General Manager at Tektronix Communications, the value is in introducing Arbor's technology to the wireless carrier space where Tek is strong.

I have long held that "security sells" and that non-security vendors in the networking and computing space would make security acquisitions in order to 1. expand into a growth market, and 2. reap the benefit to their brands of being associated with good security technology. You can see evidence of this in the recent acquisitions of Narus by Boeing and TippingPoint/3Com by HP, and in Dell's partnership with Juniper/SecureWorks.

According to McBee and Doherty, Arbor will stay a stand-alone business unit, preserving its brand and engineering teams.  This is a positive event for Arbor, enhances Tek's brand and reach, and will help further the battle against cyber attacks.

Learn more about Tek and the Arbor acquisition at this week's Cyber Defense webcast on BrightTALK.

Other industry news
Northrop Grumman partners with the University of Cincinnati to offer a master's degree in cyber security. The press release hinges on Northrop Grumman's Xetron business unit based in Cincinnati and reflects the growing demand for engineers with a cyber security background.

Air Force lays foundation for strong cyber defense. An update on the 24th Air Force at Lackland. Slow but positive progress.

Upcoming events
Hear more of my thoughts on cyber defense and recent developments on this Tuesday's Cyber Defense Webcast, 2 PM Eastern on our BrightTALK channel.
Cyber Defense Weekly, July 23, 2010
Friday, 20 August 2010 20:02
Cyber Defense News
IT-Harvest is re-launching the Cyber Defense Weekly with a new format. Instead of the news snippets we used to collect and publish every week, we are going to provide analysis of those news events. Every week I will present the important developments in technology, attacks, government preparedness and vendor solutions in my own words.

In addition, I am hosting a webcast every week to discuss these events. Please join us Tuesdays at 3 PM Eastern for the Cyber Defense Webcast on BrightTALK.

HR 2271: Shades of things to come?

There is a disturbing tendency on the part of the US Congress to legislate the Internet. A case in point is HR 2271, backed by eleven US Representatives and submitted for review by the House Energy and Commerce and Foreign Affairs Committees last May (2009). Thankfully, there has been no serious deliberation on this proposed measure, which intends to somehow regulate the Internet to promote, ironically, freedom of speech.

If you are a technology vendor, read more details on this proposed bill at the link above. The consequences are frightening.

There seems little danger of HR 2271 ever coming to a vote, but we must keep a wary eye on this 111th Congress, which has over 40 measures under consideration that bear on highly technical issues. A misstep could be costly and have debilitating consequences for a fragile economy. Global Internet freedom will be best served by governments of all types avoiding any meddling in the still young Internet.

Siemens reports exploit of SCADA networks
From engaging with various insiders on LinkedIn it quickly becomes evident that threats to industrial networks, including oil and gas and power distribution, are common. Yet there are few public incidents to point to, which makes Siemens' revelation last week all the more important to pay attention to.

The malware used in these attacks targets an unpatched vulnerability in the Windows Shell that has become known as the shortcut vuln because it takes advantage of the way Windows parses desktop shortcut (.lnk) files: merely displaying the icon of a crafted shortcut, as Explorer does when a USB drive is opened, is enough to load the attacker's code. (See fix here.) A researcher in Belarus discovered that malware delivered by USB drives was targeting machines running Siemens SCADA software. Since then Symantec researchers have determined that the majority of the 14,000 infected machines are in Iran, where Siemens happens to do a lot of business.
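An added example, not from the newsletter or from Siemens or Symantec: a small Python triage script for shortcut files collected from removable media. It parses the public MS-SHLLINK layout (header, LinkTargetIDList, StringData) and flags shortcuts whose icon is drawn from a loadable module (.dll or .cpl), either via the icon location string or via a Control Panel item in the target ID list, which is the mechanism the shortcut flaw abused. The check is a heuristic I chose for triage, not a signature for the malware above; the two sample shortcuts are constructed in the block, and the builder exists only to produce them.

```python
"""Triage of Windows shortcut (.lnk) files pulled off removable media (added example)."""
import struct

# ShellLinkHeader constants from the public MS-SHLLINK format description.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
# Extensions of modules Explorer would load just to render an icon (heuristic choice).
LOADABLE_EXT = (".dll", ".cpl")


def parse_lnk(data: bytes) -> dict:
    """Parse header, LinkTargetIDList and StringData; LinkInfo and extra blocks are skipped."""
    if (len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE):
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    id_list = b""
    if flags & HAS_ID_LIST:                      # uint16 IDListSize, then the IDList
        size = struct.unpack_from("<H", data, off)[0]
        id_list = data[off + 2:off + 2 + size]
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize is the first dword
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:             # StringData fields, fixed order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le", "replace")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    return {"flags": flags, "id_list": id_list, "strings": strings}


def id_list_items(id_list: bytes) -> list:
    """Split an IDList into ItemID payloads (uint16 size includes itself; 0 terminates)."""
    items, off = [], 0
    while off + 2 <= len(id_list):
        size = struct.unpack_from("<H", id_list, off)[0]
        if size < 2:
            break
        items.append(id_list[off + 2:off + size])
        off += size
    return items


def triage(data: bytes) -> list:
    """Return reasons a shortcut deserves a closer look; an empty list means nothing found."""
    parsed = parse_lnk(data)
    reasons = []
    icon = parsed["strings"].get("icon_location", "")
    if icon.lower().endswith(LOADABLE_EXT):
        reasons.append(f"icon taken from loadable module: {icon}")
    for item in id_list_items(parsed["id_list"]):
        # Item payloads are vendor-defined; try both common text encodings.
        for text in (item.decode("utf-16-le", "ignore"), item.decode("latin-1")):
            if any(ext in text.lower() for ext in LOADABLE_EXT):
                reasons.append(f"target ID list references a module: {text.strip()!r}")
                break
    return reasons


def build_lnk(icon_location: str = "", id_items=()) -> bytes:
    """Assemble a minimal Unicode .lnk; used here only to construct sample input."""
    flags = IS_UNICODE | (HAS_ICON if icon_location else 0) | (HAS_ID_LIST if id_items else 0)
    out = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                      0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    if id_items:
        body = b"".join(struct.pack("<H", len(raw) + 2) + raw
                        for raw in (s.encode("utf-16-le") for s in id_items)) + b"\x00\x00"
        out += struct.pack("<H", len(body)) + body
    if icon_location:
        out += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return out


# Constructed samples: an ordinary shortcut, and one shaped like the USB-borne ones.
BENIGN_LNK = build_lnk(icon_location=r"C:\Windows\System32\notepad.exe")
SUSPECT_LNK = build_lnk(id_items=("Control Panel", r"E:\applet.cpl"))

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, triage(blob) or "clean")
```

Run it over every .lnk found on a drive image before the drive is mounted on a Windows host; anything it flags should be opened only in a hex viewer, never in Explorer, since rendering the icon is the trigger.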

Industrial processes are extremely vulnerable, thanks in large part to the seemingly blind deployment of Windows systems to the plant floor. Vendors such as Industrial Defender and SecureCrossing are rolling out network defense tools that target this issue. Now would be a good time for manufacturers and operators of critical infrastructure to review their control systems. There is now a clear and present danger that must be addressed.

WikiLeaks drops other shoe: reveals friction between US and Pakistan
It is not unexpected that dealings between two countries in the fight against Taliban insurgents should be relatively secret. But WikiLeaks published 76,000 classified communications on Sunday (July 25, 2010) that indicate collusion between Pakistan and the Taliban. From the New York Times:
Taken together, the reports indicate that American soldiers on the ground are inundated with accounts of a network of Pakistani assets and collaborators that runs from the Pakistani tribal belt along the Afghan border, through southern Afghanistan, and all the way to the capital, Kabul.

Look for these reports to have lasting repercussions on the war in Afghanistan. At the same time, the existence of a widely viewed source of classified information is going to challenge the US, especially as its State Department promotes freedom of speech on the Internet.

Robert Knake on attribution
Robert R. Knake has contributed some important thoughts to the debate on cyberwar. First with the book he co-authored with Richard Clarke, Cyber War: The Next Threat to National Security and What to Do About It.
And now in testimony presented to the House Committee on Science and Technology, which is holding hearings on "planning for the future of cyber attack attribution." (Note that the subcommittee chairman, David Wu, was one of the sponsors of HR 2271 mentioned above.)
Read Knake's testimony here. He argues that the lack of attribution in cyber space has been over-hyped. He calls for stronger cooperation between the law enforcement agencies of different nations. And he calls for the development of stronger options in responding to cyber threats.

Cyber Defense Industry News
Fortinet, the UTM vendor, announced stellar quarterly numbers thanks in large part to the growing adoption of its products in large enterprises. My analysis was posted to GLG. Also read UTM is The Next Generation Firewall.

OISF announces the first release of Suricata 1.0, a competitor to Snort. While it shares a lot of similarities with Snort and does not go far enough to address the noisy flood of alerts and lack of real defense, Suricata is an alternative. Our hope is that it leverages the security community to leap beyond Snort in defensive capability, but it will be hard to match the investment Sourcefire is making in its technology base.

SonicWall left the ranks of public companies as it was acquired by private equity firm Thoma Bravo. That makes three UTM vendors in the hands of PE. WatchGuard is owned by Vector Capital and Francisco Partners, and the Carlyle Group has a big piece of Cyberoam, based in India.

Upcoming events
Hear more of my thoughts on cyber defense and recent developments on this Tuesday's Cyber Defense Webcast, 3 PM Eastern.
Cyber Defense Weekly, August 2, 2010
Friday, 20 August 2010 19:59


Cyberwar is not the Cold War
The recurring use of the Cold War as an analogy for cyberwar is not well thought out. At Black Hat last week in Vegas, Jeff Moss recalled his youth and the gloom that overhung the world knowing there was the threat of global annihilation that could occur with only twenty minutes' warning. The US, China, and USSR built up massive stockpiles of nuclear warheads and the missiles, bombers, and submarines needed to deliver them while engaging in espionage to uncover the others' strategies, technology, and movements. This balanced threat of massive retaliation or an overwhelming first strike capability led to an uneasy global peace that has lasted 65 years. Yes, there have been regional wars in Korea, Vietnam, and Iran-Iraq that have cost millions of lives, but nothing like the all-out war that could have occurred between the Soviet Union and Western Europe, or China and the Soviet Union, either one of which would have pulled the US into WWIII. The Cold War ended in 1991 when the Soviet Union dissolved. The world's democracies and the peoples of Estonia, Ukraine, and the other ex-Soviet states were the winners.
But cyberwar is not the Cold War. There is no balance of power; there is no imminent threat of the world coming to an abrupt end.
Read the rest of my thoughts on this topic at

How Charlie Miller would engage in cyberwar

Researcher and hacker Charlie Miller presented at Black Hat last week. His thesis was based on the hypothetical scenario of his being retained by North Korea to attack the US. His war-fighting technique was the recruitment of 100 million bots and using them in massive DDoS attacks.

I like to see the security community engaging in these types of flights of fantasy. They have more credence than those coming from traditional war colleges. Yet Miller's proposal lacks an understanding of defensive technologies that are already available. There are limitations on the effectiveness of DDoS that he ignores, and he cannot provide the justification North Korea would have for this level of attack.

Firms like Akamai, Verisign, and Prolexic have been ramping up their abilities to mitigate DDoS to the point where they will soon be able to block and filter out attacks that consume a terabit per second of bandwidth. Many US government servers are already protected by these services.

The Internet itself is not robust enough to deliver a terabit per second of attack traffic to a single target. So the idea of a massive botnet being a super weapon is not valid.

And finally, what would be the point of North Korea attempting this?  They have nothing to gain, cannot follow through, and the repercussions would be devastating.

So, sorry Charlie, not the right avenue of investigation.

Former head of NSA keynotes Black Hat
Gen. Michael Hayden (retired), the former director of the NSA and the CIA, also spoke at Black Hat last week. He credits the audience with creating today's vulnerable Internet, which is a little over the top, but he had some good observations.

Hayden contributed two important points to the ongoing debate on cyberwar.

1. Cyber espionage is not cyberwar.  So true.

2. International cooperation is needed to curtail use of DDoS.  There should indeed be high level agreements on limiting the use of cyber attacks. DDoS is just one of the concerns.

Industry news
Sourcefire was in the news last week. It reported great second quarter revenue of $30.6 million, up 38% from the second quarter a year ago and up nearly 19% from the first quarter. It is well on its way to a $120 million year. Sourcefire is one of the primary security firms profiting directly from increased government investment in cyber security.

Sourcefire's vulnerability research team, the VRT, also announced the availability of Razorback, a security intelligence framework that will tie together all of an enterprise's security assets. While these types of overlays are hard to implement and can be even harder to sell, it gives Sourcefire a vision that it previously lacked.

Boeing completes its acquisition of Narus, the network monitoring and recording company. You may recall that Narus is the technology used by the NSA to snoop on AT&T's network. I expect more acquisitions of security vendors by defense contractors this year.

Dell partners with Juniper and SecureWorks to offer UTM and managed security services.

Upcoming events
Hear more of my thoughts on cyber defense and recent developments on this Tuesday's Cyber Defense Webcast, 2 PM Eastern.

Join me today for the first segment of Internet Evolution's 60 Days of Executive Education, where I will be covering security topics every day this week at 3 PM Eastern (GMT-4). Today's topic: What CXOs consistently fail to grasp about enterprise security.
Cyber Defense Webcast
Friday, 20 August 2010 19:49

Every week IT-Harvest Chief Research Analyst Richard Stiennon provides his views, commentary and analysis of developments in the cyber realm. Tune in live or come back and view the recorded sessions anytime.

Last Updated on Friday, 20 August 2010 20:12