Saturday, November 15, 2014

AVG Technologies in Play, an Alternative Look at Q3 Financial Results

The San Francisco Giants win the World Series in even numbered years.  Rumors circulate about AVG Technology being an acquisition candidate occurs in odd number years. Okay, even numbered as well. Couple that with  so-so financial results? You may want to sell, as well.  

Even before AVG went public, there were “always” rumors about them being for sale as the right price.  Companies being mentioned usually included Hewlett Packard and Cisco. Earlier this year, AVAST Software, an AVG competitor, signed a binding  agreement with CVC Capital Partners for a major investment in the company. The investment valued Avast at about $1 billion US.

Other than throwing off cash for the investors, AVG has   been something of a disappointment. The plan was to go public in early 2012  at $16 to $19.  Instead, they opened and closed around $13. AVG’s market cap, as of 11/15 is just under $1 B.

From a technology standpoint, AVG's growth has been through purchase rather than developing things in house. In September, 2014 they purchased Location Labs, a provider of security for mobile technology.

AVG  entered the mobile security market by purchasing the Israeli firm DroidSecurity in late 2010 DroidSecurity had both a free and paid prospect).  They   increased their share by quietly giving the product away on certain Huawei mobile phones in India (That  announcement appeared on the web and disappeared quickly.  Huawei was being investigated in the 2012 time frame  by the US congress for potentially posing a security threat).

In product testing (ability to stop malware), AVG has failed to be one of the leaders. In AV-Comparatives October Real World Protection tests, AVG came in 10th out of 22. In the September, "File Detection Test of Malicious Software", AVG received on star,finishing 20th out of 22.
(  In the Virus Bulletin ( ) RAP (Reactive and Proactive test), they weren’t in the top 20. (

On to the financials. AVG Technologies has their headquarters in the Netherlands. They have an office in Ireland.   Those interested can find multiple stories on the “Double Irish” or “Double Irish Dutch Sandwich”, a technique to significantly g reduce US taxes.  Just saying! Apple and a number of US companies are being creative in using this technique.

For those focused only on revenue (hello analysts), AVG’s 9 months subscription revenue and SMB revenue (less than 15% of their business), is up for the first 9 months of 2014 versus 2013. Trailing revenue, Consumer and Total Revenue, and US Revenue, all down.

For those focusing more on  the bottom line, net income, consumer income, Net Income, Consumer Income, SMB Income, and Operating Income are all down for the first 9 months of 2014.

For those focusing on cash, Net Cash provided by operations is down 35% for the first nine months of this year. The data below is from their latest Form 6-K, available on AVG's web site. 

One would have thought that the positive vibes and karma emanating from the SF Giants home ball park (ATT Park) would have rubbed off on AVG Technologies, given AVG’s US headquarters near proximity to the park. Not the case, however.  

Sunday, August 03, 2014

AhnLab Faces Uphill Battle in US – An Addendum

This is an addendum the February blog - “AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)”
If AhnLab is going to make a go of it with their Advanced Persistent Threat product, Malware Defense System (MDS), they must be doing it in incredible stealth mode.  And they must be trying to do it from Korea, where AhnLab is headquartered. 

  • Their top US technology person left for a start-up early this year
  • There have been no press releases added to the US web site since November 2013
  • The company did appear at the Gartner Risk Security & Management Summit in June following up their appearance at RSA SF.  At RSA, they re_announced AhnLab MDS
  • AhnLab had posted that they were going to appear at Black Hat Las Vegasin August.  This was removed from their web site.
  • Both AhnLab and FireEye complained about an update NSS Labs issued to their 2013 Breach Detection study.  In the original, AhnLab and FireEye finished second and third respectively.   In the original update, they finished fifth and sixth respectively.  In the post complaints update, AhnLab MDS ranked sixth and FireEye fifth.  Both were far below the other four companies, SourceFire, Trend Micro, Fortinet, and Fidelis.  The updated value map is available at
  • If you try to reach AhnLab at their 800 number, 800.511.Ahnlab (2465), you will receive a “you’ve reached a number that has been disconnected or is no longer in service” message.

Perhaps AhnLab is still trying to break into the US licensing Malware Defense System.  If so, they are being incredibly quiet   about it.

Saturday, August 02, 2014

An Alternative Look at AVG Technologies’ Q2 Earnings Report

AVG Technologies accounted their Q2 earnings report on July 30.  The stock fell about 13% as the company missed the Q2 revenue consensus of $91 M with revenues of $88 million.  The stock proceeded to drop from $19.65 to $17.10 and they closed the week at $17.05.  To put a long-term perspective on this, AVG went public at around $16 in February 2002, and had a pop.  A negative pop.  Closing the day at just over $13.

Nonetheless, CEO Gary Kovacs stated,  "I am pleased with our continued execution against our long term strategy toward becoming the online security company.”

One problem with the press is that   they will often only look at the company’s most recent earnings report and compare revenue figures to target and nothing else.  Some will do a comparison to the most current quarter versus the same quarter last quarter.  What they should do is a deeper dive into income, cash flow, margins, etc.  The table below compares the first six-month’s figures for AVG, versus the same time frame last year. They should also look at test results from firm's like and Virus Bulletin.  But that's potential material for another blog.

Subscription revenue and SMB revenue for AVG Technologies is up over that period.  Everything else is down.  Even though SMB revenue increased, income decreased.  Revenue decreased across all regions of the world.  Revenue from Google dropped precipitously.  That may be why on August 1, AVG announced that they were extending their partnership with Yahoo.

For those who want to look at cash flow to do their analysis - net cash provided by operations dropped by 37%. 
There is a lot of red in financial trends for AVG year over year.  Pdf’s of AVG Technologies financial results are available at

Saturday, June 14, 2014

AV-Comparatives Releases Results of May Real World Protection Test. Testing Firm Now ISO 9001 Certified

Austria based AV-Comparatives has released the results of their May “Real World Protection Test”.  Bitdefender, the best anti-malware company you may have never heard of topped all companies, with a 100% score and zero false positives.  Only Panda also blocked 100%.  This was with their free product!  Avira had the top score among the largest freemium vendors (with their internet security suite), blocking 99.5%.

At the other end of the spectrum, Korea based AhnLab ranked at the bottom of products tested, blocking only 87.5% of the threats (ouch), the only company tested at less than 90%.  McAfee had the most false positives, with 16.  The trend of market share leaders not being market performance leaders continued, as both McAfee, and Trend Micro finished in the bottom 1/3 of companies tested.  Symantec has opted out of being tested by AV-Comparatives (a disservice to customers, IMHO).  Man-up, SYMC.

The products included in the test were a mix of anti-virus, internet security suites, paid, and free products.  The exact versions used are listed in the report and on the website.

The Real World Protection Test is just one of a number of tests AV-Comparatives performs over the course of the year.  They can be downloaded from the company web-site

AV-Comparatives’ Real-World Protection Test framework has been recognized by the “Standortagentur Tirol” with the 2012 “Cluster Award for innovation in computer science” and by the “Austrian Government” with the 2013 “Constantinus Award.

AV-Comparatives Receives ISO 9001 Certification

AV-Comparatives is now an ISO 9001 certified organization.  AV-Comparatives received the certificate from TÜV Austria for their management system for the scope: “Independent Tests of Anti-Virus Software” in early June.

"ISO 9001:2008 specifies requirements for a quality management system where an organization needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements.  The organization has to  enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements."  ISO 9001 is currently under revision with the final release of the new standards due by the end of 2015.

About AV-Comparatives

AV-Comparatives is an independent not-for-profit organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.  Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing.  AV-Comparatives offers freely accessible results to individuals, news organizations, and scientific institutions.  Certification by AV-Comparatives provides an official seal of approval for software performance.  

Thursday, May 01, 2014

Palo Alto Networks, Check Point top Products in Gartner Magic Quadrant for Enterprise Network Firewalls - 2014

As is probably no big surprise to those in the industry and those purchasing network security products, Palo Alto Networks (PAN) and Check Point had the top rated products in the 2014 Gartner Magic Quadrant for Enterprise Network Firewalls.  The report came out in April.  These are the only two companies in the Leaders Quadrant, with Palo Alto Networks leading on Completeness of Vision and Check Point for Ability to Execute. Fortinet and Cisco were the closest to the in the Challengers quadrant.   The report, ID:G00258296 is available on the PAN web site for those who register.

Palo Alto Networks pretty much was the originator of the acronym NGFW or Next Generation Firewall, and PAN and Check Point Software Technologies companies compete for many of the same customers. Last year, PAN   introduced their Wildfire infrastructure, enabling the PAN firewall to detect and stop Advanced Persistent Threats (APTs) This is offered to customers via the public cloud or can be deployed as a private cloud.   Gartner also wrote that PAN    was consistently on most NGFW competitive shortlists.  PANS Advanced Persistent Threat Solution   was not among those recently tested by NSS Labs in their April Breach Detection Study.   

Check Point was cited by Gartner as being the market share leader in firewall installed base. They offer an extensive line of security appliances and were also delivered the industry’s first flexible, extensible security architecture, the Check Point Software Blade Architecture.   Check Point’s Anti-Bot Software Blade detects bot-infected machines, prevents bot damages by blocking bot C&C communications. This isn’t a comprehensive Advanced Persistent Threat Solution, but it helps protect the network.

PAN’s product portfolio isn’t quite as extensive Check Point’s,   they do offer a virtualized firewall platform in addition to the more traditional appliance offering, threat subscriptions for URL filtering, and a management platform.  

Fortinet was rated a Challenger by Gartner. They stated Fortinet was “not often beating Leaders in mainstream enterprise selections based on features and vision, nor causing Leaders to react to Fortinet.”

Cisco was rated a Challenger as well.  Gartner didn’t seem them displacing   PAN nor Check Point on the basis of visions or features.  They saw Cisco winning firewall business through channel “execution and “aggressive discounting”.

Juniper Networks completed the trio of companies in the Challenger quadrant.  McAfee was a leader in the Niche quadrant.

Offerings from F5, Arkoon-Netasq, and AhnLab were the furthest down and to the left in the Magic Quadrant.

Check out the complete report.  For an assessment of all sixteen vendors in the report. Some names you’re familiar with may be missing due to consolidation. Gartner also has some brief information on why virtualized firewall penetration is a less than two percent.  “Security-minded enterprises are also rightly skeptical of running firewalls within a hypervisor that is between the threat and the firewall,” according to Gartner. 

 Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.  Who would have thought that they would do that?

Some of NSS Labs reports are available at no charge.

craig kensek

Wednesday, April 30, 2014

AhnLab Raises Issues with Recent NSS Labs Breach Detection Study

FireEye isn’t the only vendor displeased with their results and NSS Labs' methodology for their  latest Security Value Map.  AhnLab, whose Malware Defense System (MDS) product finished near the bottom of the Breach Detection Systems Security Value Map adjacent to FireEye, has posted their displeasure with the testing on their home page. 

AhnLab declined to participate in the 2014 public test. AhnLab, Fidelis, and FireEye had participated in the 2013 private test. Ultimately, Fidelis made their results publicly available on their website. Neither FireEye nor AhnLab chose to do so, though AhnLab did release some of the Malware Defense System results.

NSS Labs’  test evaluated 6 products from leading BDS vendors.  Four of the six products received the   "Recommended" rating from NSS, Sourcefire, Trend Micro, Fortinet, and Fidelis.  Neither FireEye nor AhnLab didn’t.   

AhnLab’s  Main Points

  1. Two separate public tests, were consolidated into one report without notice -   AhnLab wrote that NSS never informed them the results would be published regardless of participation. This may or may not be true as many of the participants on the AhnLab side are no longer with the organization.
  2. Two separate tests from two different years require two separate reports -  If the same malware sample set was used from 2013 for the 2014 test, AhnLab felt that it  would be inaccurate to publish all of the participants, from 2013 and 2014 together,  because newcomers to the study may have (had) a time advantage.

For a copy of the NSS Labs April Breach Detection Systems Security Value Map (SVM) and Comparative Analysis Reports (CARs), go to

Some of the above sounds like a failure to communicate on both NSS Labs and AhnLab’s part. Neither side appears to have done due diligence here.

Only three companies completed participation in the 2013 test, not ten or more, as AhnLab writes in their response.  They may have a valid response about products with several more months “experience” having their results compared to products without that experience.   That notwithstanding, 3rd party test results is one aspect of comparing products that companies need to utilize. The test results demonstrate that there is more than just FireEye, Fidelis, and AhnLab that need to be considered.

Sunday, April 20, 2014

When Being an “A” Company Rates a “D”. AV-Comparatives Releases “File Detection Test of Malicious Software” Report

Not a stellar performance by three firms beginning with A in AV-Comparatives March “File Detection Test of Malicious Software.”  Avast – 20th, missing 2.3% of the samples.  AVG Technologies – 21st, misses 2.5% of the samples, and AhnLab 22nd, missing 11% of the samples.  Baidu broke the A’s stranglehold on the bottom by leading all companies with 111 false positives, followed by Avast with 95.

Sixteen products did receive AV-Comparatives’ three star designation, led by Kaspersky, F-Secure, and eScan, respectively.  Avira, another A company, also received three stars. 

AV-Comparatives takes care to point out that for this test, “Although very important, the file detection rate of a product is only one aspect of a complete anti-virus product.  AV-Comparatives also   provides a whole-product dynamic “real-world” protection test, as well as other test reports that cover different aspects/features of the products”.
The “Whole Product Dynamic Real World Detection" and “File Detection Test of Malicious Software”  tests   are both   available on the AV-Comparatives web site,

One interesting thing about the products tested in this report is that nine of the engines under the hood in testing were licensed from two companies, BitDefender and Avira.  Details are available in the report.  BitDefender  has an overall detection rate of 99.5%.

About AV-Comparatives

AV-Comparatives is an independent not-for-profit organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.  Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing. 

Sunday, April 13, 2014

Fire in FireEye Valuation Gets Doused (slightly) With Release of NSS Breach Study Report – He Said, She Said Begins

 NSS Labs issued their Breach Detection Security Value Map on April 2  Neither FireEye nor AhnLab can be pleased.  In brief, the Value Map  measures security effectiveness on the Y-axis and Total Cost of Ownership (TCO) per protected MbPS on the X-axis.  AhnLab and FireEye finished in the dreaded lower left hand corner with FireEye coming in last in security effectiveness (AhnLab was close).  AhnLab had the highest TCO per Protected MBPS. The other four company’s products were in the upper right hand quadrant (Quadrant 1), Fidelis, Fortinet, Trend Micro, and SourceFire. They were all around 98% to 99% effective in NSS testing.  SourceFire was the winner, overall. 

From NSS, “Quadrant 1 contains those products that are recommended for both security effectiveness/management and value.  These devices provide a very high level of protection, manageability, and value for money.”  This document is publicly available from Fortinet as is a detailed report for their FortiSandbox 200D appliance.

Key findings mentioned in the press release - “Four of Six Leading Vendors Receive Coveted NSS ‘Recommended Rating’”
  • Four of six products tested achieved over 95% in overall security effectiveness:   five of the six also received a 0% false positive rate.  AhnLab was the sixth with a 7% false positive rate.  FireEye had the lowest security effectiveness, around 94.5%. 
  • Money Doesn’t Always Buy the Best Security: Total Cost of Ownership per Protected-Mbps ranged from $231 to $468 with the highest priced solution,   Conversely, Sourcefire (Cisco) had the lowest TCO and also received one of the highest security effectiveness ratings.
  • All BDS Solutions Performed At or Above Vendor Throughput Claims

NSS Labs did not receive any compensation in return for vendor participation; All testing and research was conducted free of charge.

FireEye Stock Price (FEYE)

FireEye stock has dropped 49% percent from its March high of $97.35 to closing at $47.33 on April 11.  52-week range - $33.30 - $97.35.  It will be interesting now to see how the stock performs.  Q1 results won’t be announced until May 6.  Note -  The stock was at   $61.49 on April 2 when the report was released.  FireEye's  Q1 results won’t be comparable to    last year’s Q1 since revenue from their Mandiant acquisition after January 1 will be included.  The stock is up about 15% since the beginning of the year.  NASDAQ is down about 3% ovr the same period of time.

When you’re the market share leader, finishing low in an impartial test, one defense is to attack the attacker.
He Said - FireEye

"We are a vendor that specializes in advanced attack detection, not in detecting known, stale samples,” Gupta, FireEye Vice President of Products said.  "We ran their malware samples in our lab and detected every single one of them." A valid test would have used a zero-day exploit to evaluate the detection capabilities of the appliances or, at a minimum, the testing could have been done in a live, customer environment, Gupta added.

FireEye was quick to reply in a blog “Real World vs. Lab Testing: The FireEye Response to NSS Labs Breach Detection Systems Report” At a high level: 
  • Issue #1:  Poor sample selection
  • Issue #2:  Differing definitions of advanced malware
  • Issue #3:  Poor test methodology.   

FireEye offered several paragraphs of detail for each of the above.  It is worth reading the blog.

“The best way to evaluate FireEye is for an organization to deploy our technology in their own environment and they will understand why we are the market leader in stopping advanced attacks, “said Dave Merkel, CTO in an April 2 Network World article.

She Said – NSS Labs

NSS Labs was also quick to replay in a blog “Don't Shoot the Messenger”
Their response is also good reading as most of the response consists of   a 20-bullet point “FireEye Claim” and “NSS Response” table.

“Not everyone can end up in the top right quadrant of the NSS Labs Security Value Map™ (SVM), so it is not unusual for someone to be unhappy.  It is, however, unusual for someone to behave the way FireEye did in this instance.  Normally we would not respond to such attacks, but there are a number of untruths and misdirection’s in their blog post that we feel we must address”, stated Bob Walder, President, and Chief Research Officer at NSS.  “FireEye’s results were not that bad.  The real issue here is that FireEye now has credible competition in the BDS market place and the data from this NSS test shows it.”

How Did This Begin

Three companies were tested last summer by NSS Labs in their initial breach study, AhnLab, FireEye, and Fidelis.  Fidelis made their report publicly available and challenged FireEye to do the same.  AhnLab issued a press release about their results, and in a blog went, “FireEye, hello?”  No press release by FireEye on their results.  Demerits to publications not asking about this!  With respect to the three companies, NSS has a multi-page document letting the firms tested know what they can do with the test results.  One thing they can’t do is start-doing comparisons with other companies, combining charts, et cetera from the reports.  The reports were available for purchase.

And What about NSS Labs’ Reputation?

In “IT Security Survey 2014” by  test group AV-Comparatives (,   issued in February, NSS Labs came in ninth out of 15 vendors.  Over 5800 users responded to the survey.  

Timing Means Everything When Stock is Sold

On March 12, insider transactions of FireEye stock at $79.54 included: 
  1. Norwest Venture Partners IX, LP sold 2 million shares, grossing $160 million.
  2. FireEye CTO Aziz Ashar sold 1.04 million shares, grossing $83 million
  3. FireEye CEO Dave DeWalt sold 486 thousand shares grossing $38 million

Insiders can’t sell shares whenever they want.  There are windows near the release of financial results that they can’t do anything.  A more comprehensive list of insider transactions can be viewed at

It’s difficult to test security products.  Every environment is unique.  The best way for companies to evaluate products is to bring them in and to look at tests by reliable test groups.  The report by NSS Labs probably means   that FireEye will face more testing in house by potential vendors  rather than just be evaluated separately. 

Twitter - ckensek

Sunday, March 16, 2014

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was going to resign.  Target was going to implement new processes in protecting their network. Prior to this, Target had gone through a number of phases since the attack began in late November – denial, CEO Gregg Steinhafel is  nowhere to be found, “Houston, we’ve got a problem”, “Let’s give customers a ‘we’re sorry’” discount”, CEO is found (finally, some look at a book on crisis management), transparency, free credit watch software for customers, etc.  The Russian hackers involved in this incident were not even very sophisticated with their coding.

Techtarget’s definition of Advanced Persistent Threat – “An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.  The intention of an APT attack is to steal data rather than to cause damage to the network or organization.  APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.”

In the Bloomberg story “Missed Alarms and 40 Million Credit Card Numbers.  How Target Blew It”, the author writes about how Target HAD Advanced Persistent Threat appliances from FireEye (an APT company that went public several months ago for a gazillion dollars (Side note – FEYE’s  market cap was $10 B as of February 14, though their stock has dropped a bit less than 20% from its high).

The malware had completed most of the phases of the hacker’s objective. Credit card numbers were being stored on a Target server as they were swiped on store terminals. All that was left was for the numbers to be transmitted the cyber criminals for subsequent sale to other cybercriminals.  In November and early December, the hackers went about installing the SW that would send the customer info out to staging points, (probably a botnet), and then to Russia.  Busted!  Well. Sort of. FireEye appliances sent an alert to Bangalore. They alerted the people in Minnesota and…  Minnesota did nothing!  Then, the transmittal of ultimately 40 million records began (a nagging question – was there a DLP (Data Loss Prevention), installed on the network?  It wasn’t until mid-December when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to  automatically delete malware as soon as it was  detected was turned off.  What’s even more ludicrous is that Symantec’s Endpoint Protection software, also identified the malware.  $61 million spent by Target so far. Lawsuits, Abysmal Q4 profit (down almost 50%).

Read the Bloomberg/Business Week article. It’s quite interesting.

McAfee this week wrote  that this particular attack  was "Far from 'advanced,' The BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”  If this was the case, this is even more embarrassing for Target and their IT team.

Takeaways from this - If your network does not have them.  Look at investing in an APT solution.  Look at investing in a DLP solution. Don’t ignore your security solutions when you get flagged. NSS Labs, Ellen Messmer at Network World, and Lawrence Pingree at Gartner. , ,  have all written about Advanced Persistent Threat vendors. Type “advanced persistent threat” into a Google search and a slew of vendors will show up on the RHS.  

Craig Kensek  - Twitter - ckensek

Thursday, February 20, 2014

Gartner Magic Quadrant for Endpoint Protection Platforms- 2013

 Gartner  has  released  their 2013 Magic Quadrant for Endpoint Protection Platforms,   ID:G00247705.  Five performers are in the Leaders Quadrant.  Their approximate order in the report: McAfee, Symantec, Kaspersky, Trend Micro, and Sophos.  This is a little bit of a switch from 2012 when the order was Symantec, McAfee, Sophos, Kaspersky, and Trend Micro Microsoft, like in the 2012 report, was the only company in the Challenger portion of the grid.   Analysts for the report - Peter Firstbrook, John Girard, and Neil MacDonald.  Congrats to all in this portion of the quadrant.

Probably not so pleased with the report are Threatrack Security, Beyond Trust, and Check Point Software Technologies.  These were    the bottom three in the Niche Players portion of the quadrant.  Beyond Trust was the overall lowest in the quadrant with respect to ability to execute.  Check Point Software  slipped from the Visionary portion of the grid to this quadrant.  Not good.

McAfee continues its assimilation into Intel, who purchased them a couple of years ago.  The McAfee name will disappear and become   Intel Security.  Kaspersky continues their assault on Trend Micro. Sophos is aggressively expanding their business offerings, has revamped their channel program,  remaining (and probably will remain)  a business focused security vendor.

The   Gartner Magic Quadrant for Endpoint Protection Platforms report is available for purchase on their website.  Some vendors such as Symantec have it available on their website for those who register.

Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “However, a leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.

To see a blog on last year’s results -

ckensek on Twitter.

Tuesday, February 18, 2014

RSA Conference USA 2014 – Where the World Talks Security - March addendum at the end

Original Post

It’s that time of the year again.  Not the coming of spring, but RSA Conference USA 2014, where the world talks security.  Over 350 security vendors seeking mindshare and wallet share.  RSA San Francisco is running February 24 through 28 at Moscone Center in San Francisco.  For those who haven’t used their free pass code, too late.

Before going, place a bet with your colleagues as to what you think the main theme will be.  Breaches and Advanced Persistent Threats may come back for a second year in a row. You may not be visiting Target as much this year. Though there is one on the same street as RSA!

This is Part 1 of Probably 3 about RSA Conference San Francisco 2014.  Don’t look for depth.  I’ll be looking more at things such as who has the best-looking booths, which booths someone on a budget can go to for   coffee, cookies.  In addition, and most importantly for some of you, what are the best tchotchkes being handed out?  

I’m not going to make it totally easy for people.  It’ll be a coin flip as to whether I just mention the tchotchke, or if I share the vendor name and booth location.

The usual suspects will be giving keynotes, it appears (sponsorship $$).  The final keynote by Stephen Colbert should be interesting.

For those who actual want to create a filtered list of whom to visit, the following link should be useful

One would think that vendors would take advantage of this, and possibly put in their competitors names.  I entered “Advanced Persistent Threat” and only five companies came up.  The companies - Lastline, LOGbinder, NPCore, Viewfinity, and Websense.  Sorry, companies that Gartner or Ellen Messmer  lists as being in this space that aren't showing up, you’re not going to be mentioned here.  That may put a fire in your eye, but I’m not going to do it.

For all attendees -   if you’re bringing your laptop, smartphone, or tablet to the event.  Leave them turned off as much as possible.  Install security SW before getting to the event.  If you log onto the RSA net, make sure it is the RSA network.  

It’s show time for some of the less desireables attending RSA.  Reporters at Sochi were finding their devices being attacked literally, as soon as they turned on their devices.  Remember to pack your “mdse”.

For Newbies at RSA Conference USA 2014

The attractive women (and men) working in the booth, don’t work for the company.  Any mobile numbers you received will be fake.

Wearing an “I worked with Edward Snowden” tee may get you some attention.

How many free pens and stress balls do you really need?

Are you ever going to reference or read the book that you stood in line for 20 minutes to get an autographed copy?  What’s your time value of money?

Are you really ever going to wear a tee shirt from a vendor that’s excessively big for you?

Unless you’re collecting them for other people, don’t’ bother.  Trade show vendor tee shirts will not make you a magnet.  If you must collect them (and they do fit!), promise yourself, that you’ll donate two of the ones you have at home to charity that you collected from last year’s RSA conference.

If the collateral is online, why collect it at the event?

Turning your badge backwards to collect competitive intel screams, “I work for a competitor.”  You should have gotten a free exhibitor pass and registered with that.  Did that already?  Are you wearing your booth shirt?  Busted!

If bored during a presentation, count the number of typos that appear on screen during a presentation. An alternative, sneeze or cough, every time an overused phrase or word appears.  Suggestions – leading edge, next generation, intuitive interface   plug and play, and ROI.  Has there ever been a company promoting a non-intuitive interface?  Make your own list using one of the many pens you’ve collected.

Watch one of the booth presentations where they have better tchotchkes, but require that you answer a question or be part of a group on stage.  Don’t register.  Come back later and play.  They’ll often be asking the same questions.

Go up to someone in the booth who doesn’t look like a salesperson, and ask them, “what are the top 3 or 5 things that make you better than (fill in one of their competitor’s names)?"  Go to that competitor’s booth.  Do the same thing.  Bonus points if you then return to booths and say, “Here’s what I’m being told by (fill in the blank).”  You may be given some better intel (or another pen).

On the last day of the show, do an exhibition hall sprint and collect the tchotchkes that you really want.  You probably may not even need to be scanned.

Have a good time!     Remember, you do have to justify the expense when you return to the office.  Pack those mds.


No parts 2 and 3.  Rain tempered the crowds a bit this year. The FireEye robot was nowhere to be seen.  People were lined up for a few of the keynotes.  Some helicopters were given away in drawings at booths.  The usual iPads at others.  The high tech equivalent of a fashionable women's LBD (little black dress) was given out a a number of booths, the LBT (little (actually, usually large or extra large) little black tee.   One give out read, "Life's a Breach", another read "We take the a** out of passwords.

Products in booths seemed to be more evolutionary rather than revolutionary  in nature.

A suggestion  to the RSA people and the presentation theatres in the exhibition halls.  A 42" monitor doesn't cut it when there are over 10 rows of people seating.  In a living room setting, 42" is ideal for sitting about 5 to 7 feet from the screen. Not good for reading multi line, multi font size presentations!  Open the top floor of the South Exhibition hall (not where the exhibits are) on the first day of the keynotes at the same time as the keynotes are given . Some people want to work rather than attend  the first two keynotes. was raining.  

Saturday, February 15, 2014

AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)

Silver sponsorship at RSA Conference USA 2014 in San Francisco  notwithstanding,  South Korea based AhnLab may face an uphill battle achieving success in the US with AhnLab Malware Defense System (MDS).  MDS is designed to combat Advanced Persistent Threats (APTs) and Advanced Malware.  No press release has been issued, but AhnLab will also be showing AhnLab Malware Defense System   Enterprise (MDSE). This version of Malware Defense System isn’t described on AhnLab website yet. The below isn't a technical evaluation of Malware Defense System, MDS or MDSE. It's more of a business analysis. 

Why It May Be Difficult for AhnLab and AhnLab Malware Defense System (MDS) in the US

FireEye ( is the 800-pound gorilla in the industry.  They offer more form factors for their APT solutions over AhnLab Malware Defense System.  For example -   their NX series to combat web-based attacks has six flavors, supporting 50 to 40k users.  Their FX series for file protection comes in 2 sizes; up to 80k and up to 160k files per day, respectively.  The acquisition of Mandiant gives them an endpoint solution.  On Valentine’s Day, FireEye announced an Intrusion Prevention product FireEye® MVX-IPS.  Well, they pre-announced the product.  They are shooting for availability during the first half of 2014.  They promote that they have customers in over 40 countries.   

Crowded marketplace   - AhnLab is among the double handful of competitors Gartner mentions in their August paper “Five Styles of Advanced Threat Defense”.  Competitors besides FireEye include   dedicated APT vendors Lastline, Bromium, and Damballa.  Other competitors (Googling Advanced Persistent Threats) include Palo Alto Networks, Cisco, McAfee, Fidelis Security Systems, Trend Micro,  Bit9, and Tenable.  Everyone has their eye on FireEye 

Limited US Presence -   AhnLab decreased their staffing in the US at the start of the year to a handful despite having just opened their US/EMEA headquarters in the Santa Clara, CA less than two years ago.    

It takes a channel and partners - Two ways to try to   grow sales quickly are to  OEM your product and agressively develop a channel.  AhnLab devotes one  page to recruiting partners.  No Partner Portal.  No Education Portal.  FireEye has a well-developed partner program, including VARs, Value Added Distributors, System Integrators, MSSPs, and Technology Alliance Partners (over a dozen listed in their site).  FireEye’s reseller program seems “standard” with three tiers.

It takes customer support - FireEye has a multiple levels of support for their customers.  For Malware Defense System, AhnLab will have to build off a single email address they currently have for US/EMEA customers.  This suggests that support will be coming from South Korea.  Nothing about multiple levels of support.  Barracuda Networks has an amusing radio commercial asking if you want phone trees  and long distance support for your products.

It takes customers who will talk about your Advanced Persistent Threat product - It is difficult to get customers to publically talk about what security products they have on their network.  FireEye has Sallie Mae, Equifax, and the Department of Defense listed as well as a dozen anonymous case studies across a number of industries. FireEye claims that over 100 of the Fortune 500 are among their customers.
It takes marketing and noise - FireEye is “everywhere”.  They appear on multiple security web sites. Multiple CIO and CISO events.  Going public created a lot of visibility.  Their reports and Mandiant’s whom FireEye acquired shortly after the first of the year, get a lot of visibility.  FireEye is aggressive in issuing press releases about threats they have discovered and investigated.  They’re promoting fourteen security events (four in the US),   they’ll be at during the first half of the year.  AhnLab will be at two.  Most PR firms would consider just putting up a product description on your web site a sub-optimal way to announce a product.  That’s not the usual marketing strategy in the North America marketplace.

What AhnLab Malware Defense System May Have Going For it

NSS Breach Detection Study -   AhnLab, Fidelis Security Systems, and FireEye were the only three companies to complete a breach detection study by NSS Labs, ( ) last summer.  Fidelis put out a press release about their results, made their report available at no charge, and wrote a blog challenging FireEye to make their summary report available.  AhnLab put out a press release but hasn’t made the report available on their website.  FireEye wrote nothing.

Three types of protection in a single appliance - AhnLab promotes that they provide Web, email, and Content Security in a single appliance.  With FireEye, you would have to purchase three products.

Profits - AhnLab is one of the largest security companies in South Korea.  And profitable.  FireEye has yet to show a profit.  For 2013, Sales and Marketing expenses, by themselves, exceeded Revenue.  Profits and positive cash flow are good things for the long term.

Ultimately, prospects will have to bring the products in house and test them.  Gartner has looked at a number of companies offering a solution.  NSS Labs issued their reach study last summer and undoubtedly has another APT study going on.

For people visiting RSA 2014 in San Francisco  a number of the vendors offering solutions will be present.  Coffee and cookies in the AhnLab booth, at 11:30 each morning during the exhibition!  “Learn about the ultimate threat defense.  AhnLab’s announcing APTs Dead!”  (Sic) will be the topic of a talk by AhnLab executive Leo Versola on Wed. February 26 at 1:00PM in the North Expo Hall Briefing Center. Too late for a free RSA pass.

The window is closing for AhnLab and other Advance Persistent Threats vendors.  Obviously, FireEye has made it through.  AhnLab and other vendors are going to have a battle to be one of the other survivors and get share.  The press over some major attacks from cyber criminals Target Stores and over 110 million, among others during 2013  ensures  athat companies will be looking for a solution. craig kensek

twitter - ckensek

Wednesday, January 29, 2014

OPSWAT Market Share Analysis of Antivirus, Public File Sharing and Threat Detection - January 2014


San Francisco based software company OPSWAT has released their January 2014 Market Share Analysis of Antivirus, Public File Sharing and Threat Detection.

The top 5 vendors on the OPSWAT report were (Vendor market share) 

  1. 23.0% - Microsoft
  2. 15.9% - Avast
  3. 8.9% - AVG
  4. 8.1% - ESET
  5. 8.0% - Symantec

One interesting product that differs from the others are the offerings from Malwarebytes.  OPSWAT found that Among Malwarebytes users (4.2% share), more than 93% have another product installed, compared to 24% of users of other products.  This indicates that Malwarebytes Anti-Malware and Malwarebytes Anti-Malware Pro are largely used as supplemental products to add additional security to a protected device.  All devices in this data set have at least one antivirus product installed.

Using their GEAR technology, OPSWAT looked at detected threats on the endpoint that had AV installed and found that 4.7% had over 10 perceived threats. “The new section in this report that focuses on perceived threats detected by the installed antivirus software provides interesting new data about how actively antivirus products are protecting users, commented OPSWAT employee Alec Stokes. "We’re excited to dive more into this analysis in future reports.”

Other statistics contained within the report include (and more):
  • Public file sharing files installed
  • Hard drive usage
  • Operating systems share


OPSWAT’s many reports are available at

OPSWAT has a number of “paid products” as well as a free app remover utility.


OPSWAT is a San Francisco based software company that provides solutions to secure and manage IT infrastructure.  Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against zero day attacks by using multiple antivirus engines scanning and file filtering.  OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise, and OEM customers to more than ­million endpoints worldwide.


Friday, January 17, 2014

Target Data Breach – Target CEO Belatedly Starts to “Man Up”

Target and CEO Gregg Steinhafel have finally downloaded a book on crisis management and are following the script for when a company crisis occurs.   They could have begun a lot earlier after this November/December data breach occurred. Right after the breach was discovered.  They have managed to never say the phrase “Advanced Persistent Threat (APT)” in their communications. I would imagine that any company offering an APT solution has contacted them.

On January 14th, Target ran a full page ad in a number of major US newspapers. Below are snippets of the four bullet points and my comments. These adverts do cost $$.  Earlier blogs on this topic are on

  1. Closed the access points that were used and removed the malware.  I should hope so!  Preferably, this was done a month ago.
  2. Hired a team of data security experts to investigate how this happened.  Good.  Hopefully this happened a month ago. The internal IT department kind of messed up here.  However, most current security technology is unable to stop these kind of attacks. Hence, the number of APT solutions being offered.
  3. Communicated that  guests will have zero liability for any fraudulent charges.  First, they’re customers, not guests.  A bit of a $$ olive branch. Usually, customers have a small window of  to dispute charges on debit cards and credit cards. The rules vary. They don't have unlimited liability.  But a person’s checking account could, in theory be emptied.  This communication hopefully happened right after the breach was discovered and closed.
  4. Offered one year of free credit card monitoring and identify theft protection.  This should have happened weeks ago.  Target – do not auto renew this on Target debit cards. That would be tacky.
Target is now doing much of the right thing. Steinhafel even said, “Sorry”.    All the above   was late. The crisis management book would have had Steinhafel front and center right after the breach was discovered, rather than having an update section on the Target web site.
Demerits for Target for not being transparent early to customers. Demerits for not keeping Target employees in the trenches in the loop immediately and ongoing about this.  Target should even consider having something conspicuously posted (with copies available) at checkout lines at their stores.  The 10% additional weekend discount offered was barely an olive branch.
It now appears that even non Target customers are now getting emails from Target. These read, in part,  from one article on the topic: 
"The good news first: A Target spokeswoman has confirmed to Consumerist that the email is “an official communication,” despite it seeming like the perfect chance for hackers to strike yet again. So, whew. But when we asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, 'The information was obtained by Target through the normal course of our business.'" 

Target IT employees. Start evaluating APT solutions.

Why hasn’t Target and/or the relevant financial institutions gone out and immediately sent out replacement cards?  First, a less costly solution would be if all customers would go and change their passwords. This isn’t going to happen. The information (fortunately a lot of it encrypted) has already been stolen. Second – behind the scenes, the financial institutions and Target are probably pointing fingers at each other regarding inadequate protection.  Third – the cost of sending out replacement cards is around $10.  This could be   an up to $440 million hit in revenue to Target and/or the affected financial institutions. So, this isn’t going to happen.