Thursday, August 24, 2006

IBM's acquisition of ISS for $1.6Bn


It was inevitable that ISS would eventually be acquired. As network, systems and security management all converge, as security technology is assimilated by the gorillas into networking fabric (Cisco) and operating systems (Microsoft), and as the lines between security and network management start to blur, it stands to reason that ISS on its own would eventually be orphaned in 2-3 years' time. This move does, however, signal a milestone for the convergence of security.

If all proceeds according to plan, IBM will leverage ISS in three ways.
  1. It will integrate ISS as a business unit within the infrastructure management services unit, part of IBM Global Technology Services - this is a good move as we will see below, security belongs in infrastructure management and not on its own
  2. It will integrate some of ISS's technologies and consoles into its Tivoli systems-management software - less convincing long term benefit I think.
  3. It will mandate IBM Global Services to promote and sell ISS-derived managed security services to enterprise customers - obviously just continuing off their existing relationship, but these services will become indistinguishable over time from those provided by the infrastructure management BU, as we discuss later.

Although this is one of 3 acquisitions by IBM to invest in new areas to bolster flagging revenues, this deal is probably better for ISS than IBM. Many analysts and the press are touting this buy as a move by IBM into the growing managed security services space, but one needs to dig deeper into what they have actually bought.

The acquisition of ISS is an investment by IBM in a security technology company that derives a huge chunk of its services revenues from maintenance sales and support of enterprise software agreements made 4-5 years ago with large clients who still have a lot of shelfware on their hands from the heady days when ISS made a name for themselves in the IDS market. ISS also sells newer IPS and management technology under its Proventia range. It is debatable how well they are faring in the rapidly growing IPS market space, which seems to be dominated by Cisco, McAfee and 3Com (Tipping Point). Yes, ISS do have security consulting divisions and do have some traditional "remote managed security services" offerings, but once again I have yet to see anyone making major inroads into the traditional MSSP space, let alone stop losing money. Since the consulting and MSSP components of ISS are not that substantial in relation to the rest of their revenues, it's questionable whether those parts of ISS can add any major incremental value to IBM other than the existing relationship in the short term.

IBM is a technology company too, and with the acquisition they get good security technology to flog to their clients. In fact, much of the press is touting the acquisition as a good move to "bolster IBM's existing security portfolio". Well, I suspect a massive chunk of IBM's existing security portfolio comes from Cisco, and I just cannot see Cisco being very enamoured with having their technology "bolstered" by arch-enemy ISS in the security space. This is going to be interesting.

I have long held the controversial view that the pure-play MSSP (Secure Operations Centres and bunkers with people in white lab coats scanning your logs for nasties and configuring your security devices for you) is an endangered species. Customers have never quite embraced this business model en masse as everyone predicted, and if they have gone this route it was probably to get a tick in the compliance checkbox more than anything else.

Three things are going to disintermediate the traditional MSSP. The 1st is convergence of security, systems and network management as networks and operating systems embed more and more security. The 2nd is IPS and vulnerability management technology, which will keep evolving and making a dramatic difference through automation and increased intelligence. The 3rd nail in the coffin is admission controlled architectures such as NAC, NAP and TNC. The security management function will become more about infrastructure, configuration, asset and identification management, coupled with the activities to ensure smooth running of automated IPS/VM/NAC ecosystems, and less about managing discrete security boxes and looking at alerts. More intelligent and automated technologies coupled with admission controlled architectures form the basis of the "adaptive self defending network" concept, and this is where I believe clients are going to want to throw their dollars, not at people in a remote SOC. Granted, the need for managed services will indeed increase to ensure these converged, intelligent and automated admission controlled networks are running smoothly, but the need for discrete security management will wane (but not disappear).

As this trend evolves, clients will repeatedly look to one service provider to manage and secure their infrastructure, desktops, servers and operating systems as a cohesive whole. This sets the stage for systems integrators and infrastructure management companies, maybe even Telcos, to dominate the security services market, and the role of the pure play MSSP and security boutiques will diminish over time as a result.

So let's summarize:

IBM have seen the convergence trend and their Global Services business unit probably stands to gain the most from this. Their integration of ISS into Global Services under the infrastructure management group therefore makes sense. But for now they bought a technology company with a lot of services around that specific technology.

It is also unclear how this technology is going to keep from being disintermediated as Cisco and Microsoft continue embedding more security functionality into their products. After all, they literally own the infrastructure and desktop/server space. The true self defending network will have various embedded products closely working together, and the ISS technology could become orphaned over time. So the placement of existing ISS technology into Tivoli doesn't make long term sense from this aspect, but could yield short term benefit for the swing toward IPS and automation currently underway.

Finally, IBM are going to push ISS's MSSP service. As stated above, I am very sceptical of this as a standalone answer to clients' security management needs in the short term, unless some very problematic areas need critical addressing or there is a compliance need. Clients should rather be investing in infrastructure with embedded security capability, investing in IPS and other automation, and starting to lay the groundwork for NAC. Any dollars spent on security services should be around the assurance of the above ecosystem and the proper operational management of all the components, as opposed to management of discrete security products and alerts.

Note : the views expressed here are not necessarily those of Dimension Data!

CATEGORIES : 1aquisitions, 1trends, 1convergence, 1NAC, 1mssp, 1IBM, 1ISS

Tuesday, August 01, 2006

The challenge of Cisco Network Device Patching

We haven't posted something about Ciscogate for quite a while now. However I came across this BlackHat posting dated April 25th 2006 which was quite interesting. It was written by a BlackHat member that works for Gartner.

Traditional, monolithic IOS is a proprietary operating system that runs Cisco routing and most switching devices. It has required an image replacement and reboot to upgrade. IOS is not able to be patched while running. The criticality of routers to the operation of a network means that rebooting a router typically takes down the network and severs all connections, which can crash applications and have serious consequences for businesses that rely on uninterrupted network connectivity.

The monolithic nature of traditional IOS, where a patch required a new binary image, resulted in over 850 discrete production builds of IOS over 20-30 product families. This situation raises the complexity of IOS management in most large enterprises. Most enterprises are not able to keep track of which build is running on each of their hundreds or thousands of networking devices. Cisco has gone through a streamlining process to reduce the number of IOS versions by about 75%, from 850 discrete builds to about 150 discrete builds by YE05. Despite the reduction in IOS builds, most large organizations find themselves running dozens of different IOS versions in their network.

Cisco's modular operating system ION (Q106 planned) makes it easier to patch certain subsystems without a reload but ION will only run on the 6500 series through 2006. ION is an internal name. The external name will be ModularIOS. Cisco is also working on full IOS In-Service-Software-Upgrade (ISSU) functionality to support reloading IOS without service interruption. This is particularly important for upgrading edge routers that point at or within the service provider cloud. Initial deliveries of ISSU, beginning on the Catalyst 12000, are projected by Cisco to be Q206.

Gartner recommends that organizations upgrade to modular IOS over the next year and develop more mature processes to address network device patching. To begin with, enterprises should familiarize themselves with Cisco's disclosure process and subscribe to and review Cisco vulnerability disclosures. This is a shift in perspective for most organizations. Network device patching will likely remain more challenging than server operating system patching but organizations need to move towards improved vulnerability management processes. Some Gartner clients have not upgraded IOS in over 5 years on certain devices. This is unacceptable given the changing threats against IOS, especially on edge routers.

CATEGORIES : 1ciscogate, 1ios, 1vulnerabilities, 1best practices

Happy Birthday, SOX


CISO's overpromoted technologists

An interesting 4-part series by Network World on the challenges faced by CISOs (Chief Information Security Officers) trying to promote and sell the merits of information security internally in their organisations. CISOs are having a hard time getting their ideas accepted from the board level down and are just "overpromoted technologists".

Consultants suggest that the easiest and best way to overcome this problem is to start with some quantitative ways of measuring how the organisation is doing with security. They also advise against droning on about the standards when approaching senior management for funding in security, otherwise "their eyes glaze over."

My company has deployed exactly such a tool over the last 12 months for 50 CISOs around the globe, called the CxO Security Assessment. The interesting by-product of its quantitative nature is the capability to perform industry sector benchmarking, which has become an immensely useful tool for CSOs to unlock budget and get management to take security seriously.

CATEGORIES : 1compliance, 1benchmarking, 1trends, 1assessment, 1riskmanagement