Sunday, September 27, 2015

Cyphort vs. FireEye – FireWhy? The Breach Detection, Advanced Persistent Threat Battle




Cyphort is taking a different tack from the others in the breach detection, Advanced Persistent Threat (APT) market with their Cyphort Advanced Threat Protection solution (claim: complete 360° APT defense!). Cyphort positions the company as both superior to FireEye and able to coexist with FireEye. Getting their nose under the tent for when renewals come up? Shortening the review cycle when renewals come up? Coverage for areas of a company where there aren’t FireEye appliances? Cyphort didn’t participate in the NSS Labs Breach Detection study.
    
FireEye is the 800-pound gorilla with respect to market revenue and visibility. The David vs. Goliath analogy won’t work since FireEye’s CEO’s first name is Dave! Cyphort’s 2014 revenue was around $14 million. FireEye’s was $426 million (this includes revenue from the Mandiant acquisition).

Cyphort claims that their solution delivers malware lateral movement detection. They define this as "the ability to combine advanced targeted attacks and Advanced Persistent Threats (APT) detection with lateral movement." They say that their product provides a picture of the attack as it happens and the potential spread within an organization, in real time.

The Cyphort solution is delivered as software that can be installed on general-purpose hardware, virtual machines and cloud environments. The solution consists of four core components:

  • Collector: Software-based probes deployed at strategic network locations (Internet egress points, data centers, etc.) to collect suspect objects and communication.
  • Core: This is the centralized detection component of Cyphort’s solution; Cyphort Core analyzes the collected suspicious network objects and associated metadata from the Collectors.
  • Manager: This is a web-based administrative interface. It enables someone to manage the distributed deployment and provides access to reports.
  • Threat Network: This cloud service feeds global threat intelligence to the Cyphort Core for enhanced detection of current threats. It aggregates threat information across all Cyphort installations.

At RSA earlier this year,  Cyphort's co-founder and Chief Strategy Officer Fengmin Gong  said, "Today, solutions must look at every stage of the cyber kill chain."  

It’s always good to have more competition. Based on press, one would think that the APT market is the exclusive domain of FireEye and the other seven companies that are part of the most recent NSS Breach Detection Systems (BDS) test!

 Is FireEye Cyphort’s Friend or Foe?

On the Cyphort site at http://www.cyphort.com/products/firewhy/ there are a pair of threads prospects can go down.

For those who already have FireEye, Cyphort claims that their Cyphort Advanced Threat Protection solution can be used to address gaps in the FireEye solution.  Their pitch is that they enhance protection.

  • Enterprise-wide Coverage: Unprotected sites and data centers can be covered with a single global license.
  • Enterprise-wide Deployment: Deployment in days using the virtual machine approach.
  • No appliance proliferation: Cyphort claims that they cover and correlate email/web/file traffic across multiple operating systems, all in one solution.

The second thread is for those considering FireEye. Cyphort claims that they are “the clear alternative”. They have a nice (of course, it’s selective) grid containing points of differentiation (Cyphort’s characterization of FireEye in parentheses):

  • Detection: Sandbox evasion detection, data exfiltration detection, multi-part threat detection, golden image sandbox for contextual detection (no for all four).
  • Coverage: Distributed/decoupled design for global deployment using collectors (monolithic); hardware/software/VM deployment (hardware only); integrated web/email threat detection for Windows and Mac OS X threats (multiple appliances needed).
  • Action: Risk-based threat prioritization; containment using existing firewall, web gateway and IPS devices; endpoint infection verification (no for all three).
  • Scale and Flexibility: Scalability, clustered design to support any load (limited by highest appliance capacity for FireEye); IT ecosystem integration, open API (limited); licensing is enterprise-wide by bandwidth (per appliance for FireEye).

The Radicati Group has an APT market share and 2015-2019 APT forecast report available for purchase ($3000): Radicati APT-Protection-Market-2015-2019-Brochure.pdf

For those wanting another company’s view of Cyphort’s and FireEye’s offerings, Lastline has performed their own analyses:


Products in the Breach Detection Systems (BDS) Security Value Map™ 2015

In the August NSS Breach Detection Systems Test, Cisco had the highest detection rate and Blue Coat the lowest TCO. FireEye sits in the lower left of the grid. As mentioned earlier, Cyphort was not in this study.

Five of the eight received a Recommended rating (those in the upper right corner of the value map). Some of the companies tested have the individual reports available on their web sites. To purchase reports, see below. For the BDS Security Value Map Graphic:

Participants in the NSS Breach Detection Systems Study:

Studies are available on the NSS site. Some are available for free on the participants’ sites.

Friday, September 18, 2015

Carly Fiorina and Her Record at HP

Presidential candidate Carly Fiorina has been taking a lot of heat and defending her record while at Hewlett-Packard ten years ago. Below are a couple of charts summarizing HP’s stock performance during those years. You can draw your own conclusions. Suffice it to say that many employees were glad that Carly Fiorina  was removed from Hewlett-Packard. Unfortunately, by the time she was gone, the “HP Way” had all but disappeared.



And in another chart:




The sources and crisper images are below. You can also click on the images to expand them. The analyses point out that the economy was not great during those years. Neither article gives Fiorina an "A" for her performance, though.



Wednesday, September 16, 2015

AV-Comparatives Mobile Security Review – August 2015

Austria-based AV-Comparatives has released their Mobile Security Review - August 2015. This is quite an extensive document, providing a comprehensive review of sixteen security packages running on Android. The document runs seventy pages. Ten of the sixteen products are free. Almost 2400 malicious applications were used in the test.

Mobile security is crucial for both home users (who are constantly checking their mobile) as well as businesses. The BYOD camel has its nose in the intranet tent and it’s not going to be removed. Mobile devices are a major weak spot for network access, as well as a place where data can be accessed. Data stored on the phone can be stolen, as well. The global BYOD market is expected to grow at a CAGR of 25.32% from 2014 to 2019 according to a new market research report published on September 15 (whattech.com market research report). These devices need to be protected.

AV-Comparatives, while giving each of the products an Approved rating, nonetheless found that there was a “significant overall improvement” in the standard of the products.

Four of the products provided 100% protection: Trend Micro with no false alarms, BitDefender and G Data (both with three false alarms), and Antiy (with five) rounded out the top four.

AVG Technologies’ offering trailed all products tested with 98.4% protection and 4 false alarms. Just above AVG Technologies was Sophos with 99.2% protection and 0 false alarms.

For those who are interested in a tabular deep dive comparison, the first table compares which of 75 permissions are in each of the products. No product had all of them.

The Feature List table compares the products on over forty attributes, broken down into categories including Anti-Malware, Anti-Theft, Anti-Spam, Parental Control, Authentication, Additional Features, and Support. McAfee Mobile Security lacked the fewest, missing only three.  This product drained the mobile battery a bit more than the others did.

A great deal of work went into this document. The Mobile Security Review can be found free (!) at http://www.av-comparatives.org/mobile-security/ . Complete copyright and disclaimer information is contained in the document and more information about test procedures is on the website.

AVC UnDroid Analyser

AV-Comparatives (www.av-comparatives.com) has also introduced a slick malware analysis tool, the UnDroid Analyser, that is free to users. It’s a static system for detecting suspected Android malware and adware and generating some statistics about it. Check it out at http://www.av-comparatives.org/avc-analyzer .

Addendum

View the AV-Comparatives September Malware Removal Test at

Malware Removal Test - September 2015

Sunday, September 13, 2015

Black Eye for FireEye - Hitting Researchers with Injunctions

Sometimes security companies can be a little too heavy-handed. Or their lawyers have too much time on their hands. FireEye cleared this hurdle recently.

Felix Wilhelm, a security researcher working for Germany-based ERNW, was going to present his findings on some vulnerabilities he had found in FireEye’s software. He was going to present at the 44CON Cyber Security Conference (www.44con.com) during the week of September 9. The flaws had been fixed, by the way.

The two parties had a series of discussions regarding what could go into the report (FireEye was concerned about not exposing information on their product’s IP).  To be brief, the parties supposedly agreed on a final report around August 5.  FireEye then sent Wilhelm a cease and desist letter on August 6, obtained a court injunction on August 13 and delivered it to Wilhelm on September 2, a week before the 44Con conference.  Ultimately, Wilhelm did present his findings with some material redacted.

FireEye has a procedure for researchers to “disclose and inform us of potential security issues”. In this case, FireEye was extremely heavy-handed. Their action does little to encourage researchers to share findings at security conferences (stifle them, more likely). This comes across as “attacking the messenger”. They also attacked the messenger with NSS Labs a couple of years ago when FireEye came in last in a multi-company Breach Detection Systems Test.

FireEye came in last again in an NSS Breach Detection Systems (BDS) Test earlier this year. Eight companies were in the test: Blue Coat, Check Point, Cisco, Fidelis, FireEye, Fortinet, Lastline, and Trend Micro. The test measured security effectiveness, performance, and total cost of ownership.

To obtain a copy of the Value Map:  NSS Security Value Map Graphic

To read the complete Forbes article “FireEye Scolded For Injunction Stopping Security Researcher Revealing Source Code”: Forbes - FireEye Scolded 

Sunday, August 16, 2015

Is FireEye Fireproof?

Addendum - December 7: On 12/7 FireEye reached a fifty-two-week low of $19.76. This is lower than their IPO opening bell price.

To date, FireEye seems impervious to poor test results. The market has been more interested in revenue growth. In the NSS Labs Breach Detection Systems Comparative Report issued in August, five of the eight vendors tested received a Recommended rating. FireEye was not one of them.
   
FireEye did not test well in the NSS Labs report, finishing last, with the lowest security effectiveness (in the 50’s, with the next lowest vendor in the 80’s) and the highest TCO per protected Mbps.

September 28 Addendum - FEYE closed at $31.51. Its opening day closing price was around $36.

Cisco had the highest effectiveness of the eight products tested and Blue Coat the lowest TCO per protected Mbps. FireEye protested the testing methodology when NSS first performed this test a couple of years ago.

A Frost and Sullivan report, “Network Security Sandbox Market Analysis, APTs Create a ‘Must Have’ Security Technology”, gives FireEye 62% of the market.

From a financial perspective, FireEye sales and marketing expenses as a percent of revenue have finally dropped below 100%. Operating cash flow is finally positive. The company is still losing “tons” of money. The market finally seems to be paying more attention to cash flow, margins, and future profitability.

The company as of mid-August is trading in the low $40’s, well off its peak of $97 in March 2014 (giving executives a chance to cash in for a nice gain) and above the bottom of $25 in October 2014. The $40’s is in the area of the pop FireEye had when it first went public. The company CFO, Michael Sheridan, resigned shortly after the last earnings announcement to join DocuSign.

A free copy of the Breach Detection Systems Security Value Map can be obtained at https://www.nsslabs.com/bds-security-value-map-graphic . The full report is available for purchase. A number of the vendors in the report are making their individual vendor reports available.

Cyphort, one of the vendors tested, is aggressive on their website explaining why they would make a great addition to companies already using FireEye and why they feel they’re the “clear alternative” for companies considering FireEye. People can learn about this at http://www.cyphort.com/products/firewhy/ as well as view a (small) capabilities comparison grid.



Saturday, July 25, 2015

AV-Comparatives Mac Security Test and Review – July 2015

Austria-based AV-Comparatives has released the results of their Mac Security Test and Review, July 2015. This report evaluates ten products users can license for their Mac systems. Products tested were a combination of free and paid solutions. Overall, nine of the products reviewed received AV-Comparatives’ Approved Security Product award.

Malware Tests

Seven of the ten products scored 100% in the Mac Malware Protection Test. None of the tested products scored lower than 98%.

Many Mac security vendors claim that their products detect Windows malware as well as Mac malware. In the Windows Malware Detection Test, seven of the ten products scored 100%. While Macs cannot be infected by these files, the Macs can distribute them, hence the value of testing with Windows malware.

Mac Review and Usability Test

AV-Comparatives used the following criteria in compiling their 64-page review. The appendix provides a comparative checklist that summarizes protection, features, and support for each product. For the review, evaluators used the following as a guideline:

•    Product version reviewed
•    Operating systems supported
•    Additional features
•    Installation
•    Main window
•    Operating system integration
•    Maintenance
•    Non-administrator access
•    Scanning
•    Settings quarantine and logs
•    Malware and phishing alerts
•    Help

 “Our Mac Security Test and Review document comprises a comprehensive evaluation of the ten products we tested,” said Andreas Clementi. “It’s a valuable document that should help enable users to determine which product is the best for their needs. Mac products are not immune from infection by malware, contrary to the belief held by many individuals.  Users consider performing  their own examination of a few products, where 30-day evaluations are available. We don’t recommend not using a security product!”

A more complete list of antivirus programs for the Mac is available at:


AV-Comparatives performs a number of tests over the course of the year. Reports can be downloaded from the company website at http://www.av-comparatives.org/ . Their “Real World Protection Test March – June 2015” can be found here. Products from Bitdefender, Kaspersky, and Avira were the top three in this test.

The Mac Security Test and Review can be found at:



About AV-Comparatives

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises. AV-Comparatives offers freely accessible results to individuals, news organizations and scientific institutions. Certification by AV-Comparatives provides an official seal of approval for software performance that is globally recognized.





Sunday, March 01, 2015

AVG Technologies Financial Results 2014 – An Alternative View (some quick thoughts on issues for 2015) and AVG ME

AVG Technologies released their financial results in February. As usual, the focus was on revenue. Per their announcement, “Subscription revenue increased 12% to $281.6 million from $250.8 million year over year. Our consumer subscription business grew 11% to $223.1 million and our small business segment by 18.7% to $58.5 million. For the fiscal year 2014, total revenue was $374.1 million.”

Looking at the numbers versus fiscal 2013 and Q4 2013 versus 2014 is a little troubling, as a lot of red is involved in the changes.




With the exception of Subscription Revenue, all other figures above were lower in Q4 and for 2014 overall versus 2013. Much of the drop in platform-derived revenue was expected, however. The increase in subscription revenue didn’t make up for the decline in platform-derived revenue. AVG’s focus is going to be on subscription revenue.

In the transcript to the press conference, CEO Kovacs commented that, “We have also exceeded a very important user count milestone, as we came in at over 101 million mobile users, to give a total user count reached of 197 million. Both of these are well on our way to the important milestones

Two potential red flags with this. There may be double counting of users, if a user has an AVG product installed on both a smartphone and a laptop. Also, several years ago, AVG promoted that they had on the order of 130 million users. This was before they acquired their way into the mobile business (acquisition of an Israel-based company). Doing the math, they may have lost market share on the order of 34 million desktop users. That’s quite a bit. How a user is/was defined may have changed over the years. 5 million of the additional users were through the acquisition of Location Labs.

Paid user count for 2014 on the desktop was approximately 19 million. This means the majority of the consumer base was free, which means zero switching costs and the possibility for churn.

2014 acquisitions by AVG included Location Labs, Norman Safeground and Winco. Revenue from these was not broken out separately.

Some Threats for 2015

SMB

In 2014, AVG’s SMB revenue grew by an impressive 18.7% to $58.5 million. On February 24th, AVG competitor Avast announced their free Avast for Business.  This product is designed to protect small and medium-sized businesses (SMBs) against viruses and cyber attacks.   

Avast pointed out as part of the introduction  that it plans to introduce programs for MSPs and resellers that enable them "to benefit from the power of free." This could pose a risk to AVG’s growth with their SMB product.  To build their presence in the business marketplace, Avast recruited AVG’s VP of Sales and Operations in June, 2014.

In the Desktop and Android Market

  • AVG has not tested well in some product tests by well-known test vendors. This could impact market share growth.
  • AV-Test (www.av-test.org) released a report in December on “The best antivirus software for Windows Home Users”. AVG’s products tested came in 18th and 22nd out of the 27 tested.
  • AV-Comparatives (www.av-comparatives.org) - In AV-Comparatives’ September “File Detection Test”, AVG was awarded 1 star. 18 products were awarded 2 or 3 stars.
  • However, in the AV-Comparatives.org summary report for 2014, AVG was one of nine vendors to receive a Top Rated designation. Bitdefender won Product of the Year.
  • AV-Test (www.av-test.org) released a report on “The Best Antivirus SW for Android”. 31 products are in the report. 28 products scored higher than the free AVG offering that was tested.
  • AVG was not part of the AV-Comparatives September “Mobile Security Review”.
To jump-start even further installations on mobiles, AVG may need to do something like they did with Huawei and give away paid AVG product. They did this with Huawei mobiles in the India market, and with Samsung phones in the UK market. This was a couple of years ago.
   
AVG ME

The rumor mill has AVG introducing “AVG ME” sometime in the first half of this year, potentially as soon as March. With this product, AVG ME will be providing publishers and advertisers access to validated user data (gathered with customer permission). Revenue from this is TBD.

The Usual Acquisition Stories

In November, the Wall Street Journal reported that AVG Technologies had been approached by potential buyers.  Nothing has really been in the press about this since then.




Wednesday, February 04, 2015

Av-Comparatives Summary Report – 2014

For those who haven’t made a habit of downloading and looking at the many test reports that test group AV-Comparatives publishes, their AV-Comparatives Summary Report of anti-virus products has been released. Some of the products in the test were the companies’ internet security offerings. The report lists the winners in a number of categories:

  • Overall winner
  • Top rated products
  • Real world protection test
  • File detection
  • False positives
  • Overall performance 
  • Proactive (heuristic/behaviors)
  • Malware removal

Congratulations to BitDefender for being product of the year, receiving 3 stars in all the tests! Two other companies achieved this level with their products, Kaspersky, and Eset.

Most of the products tested were “paid” versions, products from Panda, Lavasoft, and Avast being the exceptions. Among these three, Panda was the “winner”, finishing twelfth overall. In alphabetical order, the bottom three companies were AhnLab, McAfee, and ThreatTrack Vipre.

This 151 page report also contains an extensive user interface review section of almost two dozen products.  One of the companies on the list even begins with an S.  Sorry. It’s not Symantec.  One of these days, they’ll step up and be tested.

The demise of anti-virus products and the companies offering them is vastly premature. The endpoint needs protection. The level of protection provided by these products is superior to that provided years ago, when heuristic technology wasn’t in many endpoint solutions and there were no cloud solutions for the endpoint. Leave your laptop or tablet unprotected at your own risk!

This report demonstrates quite clearly that the market share leaders in the endpoint security space are not necessarily providing the best security or performance. Kaspersky and Eset are known in the industry but not as much to the public. But you can buy them online and in some stores.

BitDefender has an active and successful OEM program for their antimalware engine. Download and take a look at the AV-Comparatives Anti-Virus Comparative Report. It’s free. And in 2015, do look at their other reports. You can also go onto their site and view the results from their dynamic Real World Test: http://www.av-comparatives.org/dynamic-tests/

About AV-Comparatives (www.av-comparatives.org )

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises. Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing. AV-Comparatives offers freely accessible results to individuals, news organizations and scientific institutions. Currently, the AV-Comparatives Real-World Protection Test is the most comprehensive and complex test available when it comes to evaluating the real-life protection capabilities of antivirus software.



Saturday, November 15, 2014

AVG Technologies in Play, an Alternative Look at Q3 Financial Results

The San Francisco Giants win the World Series in even-numbered years. Rumors about AVG Technologies being an acquisition candidate circulate in odd-numbered years. Okay, even-numbered as well. Couple that with so-so financial results? You may want to sell, as well.

Even before AVG went public, there were “always” rumors about them being for sale at the right price. Companies being mentioned usually included Hewlett Packard and Cisco. Earlier this year, AVAST Software, an AVG competitor, signed a binding agreement with CVC Capital Partners for a major investment in the company. The investment valued Avast at about $1 billion US.

Other than throwing off cash for the investors, AVG has been something of a disappointment. The plan was to go public in early 2012 at $16 to $19. Instead, they opened and closed around $13. AVG’s market cap, as of 11/15, is just under $1 B.

From a technology standpoint, AVG's growth has been through purchases rather than developing things in house. In September 2014 they purchased Location Labs, a provider of security for mobile technology. http://now.avg.com/avg-solidifies-leadership-in-growing-mobile-security-market-with-acquisition-of-location-labs/

AVG entered the mobile security market by purchasing the Israeli firm DroidSecurity in late 2010 (DroidSecurity had both a free and a paid product). They increased their share by quietly giving the product away on certain Huawei mobile phones in India (that announcement appeared on the web and disappeared quickly; Huawei was being investigated in the 2012 time frame by the US Congress for potentially posing a security threat).

In product testing (ability to stop malware), AVG has failed to be one of the leaders. In AV-Comparatives’ October Real World Protection test, AVG came in 10th out of 22. In the September "File Detection Test of Malicious Software", AVG received one star, finishing 20th out of 22 (www.av-comparatives.org). In the Virus Bulletin (www.virusbtn.com) RAP (Reactive and Proactive) test, they weren’t in the top 20 ( https://www.virusbtn.com/vb100/rap-index.xml ).

On to the financials. AVG Technologies has their headquarters in the Netherlands. They have an office in Ireland. Those interested can find multiple stories on the “Double Irish” or “Double Irish Dutch Sandwich”, a technique to significantly reduce US taxes. Just saying! Apple and a number of US companies are being creative in using this technique.

For those focused only on revenue (hello analysts), AVG’s subscription revenue and SMB revenue (less than 15% of their business) are up for the first 9 months of 2014 versus 2013. Trailing revenue, Consumer and Total Revenue, and US Revenue are all down.

For those focusing more on the bottom line, Net Income, Consumer Income, SMB Income, and Operating Income are all down for the first 9 months of 2014.

For those focusing on cash, Net Cash provided by operations is down 35% for the first nine months of this year. The data below is from their latest Form 6-K, available on AVG's web site. 




One would have thought that the positive vibes and karma emanating from the SF Giants’ home ballpark (AT&T Park) would have rubbed off on AVG Technologies, given the proximity of AVG’s US headquarters to the park. Not the case, however.



Sunday, August 03, 2014

AhnLab Faces Uphill Battle in US – An Addendum

  
This is an addendum to the February blog “AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)” http://kensek.blogspot.com/2014/02/ahnlab-faces-uphill-battle-in-us.html

If AhnLab is going to make a go of it with their Advanced Persistent Threat product, Malware Defense System (MDS), they must be doing it in incredible stealth mode. And they must be trying to do it from Korea, where AhnLab is headquartered.

  • Their top US technology person left for a start-up early this year
  • There have been no press releases added to the US web site since November 2013
  • The company did appear at the Gartner Security & Risk Management Summit in June, following up their appearance at RSA SF. At RSA, they re-announced AhnLab MDS.
  • AhnLab had posted that they were going to appear at Black Hat Las Vegas in August. This was removed from their web site.
  • Both AhnLab and FireEye complained about an update NSS Labs issued to their 2013 Breach Detection study.  In the original, AhnLab and FireEye finished second and third respectively.  http://kensek.blogspot.com/2014/04/ahnlab-raises-issues-with-recent-nss.html   In the original update, they finished fifth and sixth respectively.  In the post complaints update, AhnLab MDS ranked sixth and FireEye fifth.  Both were far below the other four companies, SourceFire, Trend Micro, Fortinet, and Fidelis.  The updated value map is available at http://www.fortinet.com/sites/default/files/whitepapers/NSS-Labs-2014-BDS-SVM_0.pdf
  • If you try to reach AhnLab at their 800 number, 800.511.Ahnlab (2465), you will receive a “you’ve reached a number that has been disconnected or is no longer in service” message.


Perhaps AhnLab is still trying to break into the US by licensing Malware Defense System. If so, they are being incredibly quiet about it.


Saturday, August 02, 2014

An Alternative Look at AVG Technologies’ Q2 Earnings Report


AVG Technologies announced their Q2 earnings report on July 30. The stock fell about 13% as the company missed the Q2 revenue consensus of $91 M with revenues of $88 million. The stock proceeded to drop from $19.65 to $17.10 and they closed the week at $17.05. To put a long-term perspective on this, AVG went public at around $16 in February 2002, and had a pop. A negative pop. Closing the day at just over $13.

Nonetheless, CEO Gary Kovacs stated,  "I am pleased with our continued execution against our long term strategy toward becoming the online security company.”

One problem with the press is that they will often only look at the company’s most recent earnings report and compare revenue figures to target and nothing else. Some will do a comparison of the most current quarter versus the same quarter last year. What they should do is a deeper dive into income, cash flow, margins, etc. The table below compares the first six months’ figures for AVG versus the same time frame last year. They should also look at test results from firms like AV-Comparatives.org, av-test.org and Virus Bulletin. But that's potential material for another blog.





Subscription revenue and SMB revenue for AVG Technologies are up over that period. Everything else is down. Even though SMB revenue increased, income decreased. Revenue decreased across all regions of the world. Revenue from Google dropped precipitously. That may be why on August 1, AVG announced that they were extending their partnership with Yahoo.

For those who want to look at cash flow to do their analysis: net cash provided by operations dropped by 37%.

There is a lot of red in the financial trends for AVG year over year. PDFs of AVG Technologies’ financial results are available at www.investors.avg.com



Saturday, June 14, 2014

AV-Comparatives Releases Results of May Real World Protection Test. Testing Firm Now ISO 9001 Certified

Austria-based AV-Comparatives has released the results of their May “Real World Protection Test”. Bitdefender, the best anti-malware company you may never have heard of, topped all companies, with a 100% score and zero false positives. Only Panda also blocked 100%. This was with their free product! Avira had the top score among the largest freemium vendors (with their internet security suite), blocking 99.5%.

At the other end of the spectrum, Korea-based AhnLab ranked at the bottom of products tested, blocking only 87.5% of the threats (ouch), the only company tested at less than 90%. McAfee had the most false positives, with 16. The trend of market share leaders not being market performance leaders continued, as both McAfee and Trend Micro finished in the bottom 1/3 of companies tested. Symantec has opted out of being tested by AV-Comparatives (a disservice to customers, IMHO). Man-up, SYMC.



The products included in the test were a mix of anti-virus, internet security suites, paid, and free products.  The exact versions used are listed in the report and on the website.

The Real World Protection Test is just one of a number of tests AV-Comparatives performs over the course of the year.  They can be downloaded from the company web-site http://www.av-comparatives.org/

AV-Comparatives' Real-World Protection Test framework has been recognized by the "Standortagentur Tirol" with the 2012 "Cluster Award for innovation in computer science" and by the Austrian Government with the 2013 "Constantinus Award".

AV-Comparatives Receives ISO 9001 Certification

AV-Comparatives is now an ISO 9001 certified organization.  AV-Comparatives received the certificate from TÜV Austria in early June for their management system, for the scope "Independent Tests of Anti-Virus Software".

"ISO 9001:2008 specifies requirements for a quality management system where an organization needs to demonstrate its ability to consistently provide product that meets customer and applicable statutory and regulatory requirements.  The organization has to  enhance customer satisfaction through the effective application of the system, including processes for continual improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements."  ISO 9001 is currently under revision with the final release of the new standards due by the end of 2015.

About AV-Comparatives

AV-Comparatives is an independent not-for-profit organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.  Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing.  AV-Comparatives offers freely accessible results to individuals, news organizations, and scientific institutions.  Certification by AV-Comparatives provides an official seal of approval for software performance.  


Thursday, May 01, 2014

Palo Alto Networks, Check Point top Products in Gartner Magic Quadrant for Enterprise Network Firewalls - 2014


As is probably no big surprise to those in the industry and those purchasing network security products, Palo Alto Networks (PAN) and Check Point had the top-rated products in the 2014 Gartner Magic Quadrant for Enterprise Network Firewalls.  The report came out in April.  These are the only two companies in the Leaders quadrant, with Palo Alto Networks leading on Completeness of Vision and Check Point on Ability to Execute.  Fortinet and Cisco, in the Challengers quadrant, were the closest to the Leaders.  The report, ID:G00258296, is available on the PAN web site for those who register.  http://connect.paloaltonetworks.com/gartner-mq-2014

Palo Alto Networks pretty much originated the acronym NGFW, or Next Generation Firewall, and PAN and Check Point Software Technologies compete for many of the same customers.  Last year, PAN introduced their WildFire infrastructure, enabling the PAN firewall to detect and stop Advanced Persistent Threats (APTs).  It is offered to customers via the public cloud or can be deployed as a private cloud.  Gartner also wrote that PAN was consistently on most NGFW competitive shortlists.  PAN's Advanced Persistent Threat solution was not among those recently tested by NSS Labs in their April Breach Detection study.

Check Point was cited by Gartner as the market share leader in firewall installed base.  They offer an extensive line of security appliances and also delivered the industry's first flexible, extensible security architecture, the Check Point Software Blade Architecture.  Check Point's Anti-Bot Software Blade detects bot-infected machines and limits the damage they can do by blocking bot command-and-control (C&C) communications.  This isn't a comprehensive Advanced Persistent Threat solution, but it helps protect the network.

PAN's product portfolio isn't quite as extensive as Check Point's, but they do offer a virtualized firewall platform in addition to the more traditional appliance offering, threat subscriptions such as URL filtering, and a management platform.

Fortinet was rated a Challenger by Gartner. They stated Fortinet was “not often beating Leaders in mainstream enterprise selections based on features and vision, nor causing Leaders to react to Fortinet.”

Cisco was rated a Challenger as well.  Gartner didn't see them displacing PAN or Check Point on the basis of vision or features.  They saw Cisco winning firewall business through channel "execution" and "aggressive discounting".

Juniper Networks completed the trio of companies in the Challengers quadrant.  McAfee was the highest-placed vendor in the Niche Players quadrant.

Offerings from F5, Arkoon-Netasq, and AhnLab were the furthest down and to the left in the Magic Quadrant.

Check out the complete report for an assessment of all sixteen vendors.  Some names you're familiar with may be missing due to consolidation.  Gartner also has some brief information on why virtualized firewall penetration is less than two percent.  "Security-minded enterprises are also rightly skeptical of running firewalls within a hypervisor that is between the threat and the firewall," according to Gartner.

Regarding the Leaders quadrant, from the Gartner Magic Quadrant Endpoint report - "A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs."

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.  Who would have thought that they would do that? www.gartner.com

Some of NSS Labs' reports are available at no charge.  www.nsslabs.com

craig kensek

Wednesday, April 30, 2014

AhnLab Raises Issues with Recent NSS Labs Breach Detection Study

FireEye isn’t the only vendor displeased with their results and NSS Labs' methodology for their  latest Security Value Map.  AhnLab, whose Malware Defense System (MDS) product finished near the bottom of the Breach Detection Systems Security Value Map adjacent to FireEye, has posted their displeasure with the testing on their home page. 

AhnLab declined to participate in the 2014 public test. AhnLab, Fidelis, and FireEye had participated in the 2013 private test. Ultimately, Fidelis made their results publicly available on their website. Neither FireEye nor AhnLab chose to do so, though AhnLab did release some of the Malware Defense System results.

NSS Labs' test evaluated six products from leading BDS vendors.  Four of the six products received the "Recommended" rating from NSS: Sourcefire, Trend Micro, Fortinet, and Fidelis.  Neither FireEye nor AhnLab did.

AhnLab’s  Main Points

  1. Two separate public tests were consolidated into one report without notice -   AhnLab wrote that NSS never informed them the results would be published regardless of participation.  This may or may not be true, as many of the participants on the AhnLab side are no longer with the organization.
  2. Two separate tests from two different years require two separate reports -  If the same malware sample set was used from 2013 for the 2014 test, AhnLab felt that it  would be inaccurate to publish all of the participants, from 2013 and 2014 together,  because newcomers to the study may have (had) a time advantage.


For a copy of the NSS Labs April Breach Detection Systems Security Value Map (SVM) and Comparative Analysis Reports (CARs), go to https://www.nsslabs.com/breach-detection-systems-bds-security-value-map-download

Some of the above sounds like a failure to communicate on both NSS Labs and AhnLab’s part. Neither side appears to have done due diligence here.

Only three companies completed participation in the 2013 test, not ten or more, as AhnLab writes in their response.  They may have a valid point about products with several more months of "experience" having their results compared to products without that experience.  That notwithstanding, third-party test results are one aspect of comparing products that companies need to utilize.  The test results demonstrate that there are more vendors than just FireEye, Fidelis, and AhnLab to consider.

Sunday, April 20, 2014

When Being an “A” Company Rates a “D”. AV-Comparatives Releases “File Detection Test of Malicious Software” Report

Not a stellar performance by three firms beginning with A in AV-Comparatives March “File Detection Test of Malicious Software.”  Avast – 20th, missing 2.3% of the samples.  AVG Technologies – 21st, misses 2.5% of the samples, and AhnLab 22nd, missing 11% of the samples.  Baidu broke the A’s stranglehold on the bottom by leading all companies with 111 false positives, followed by Avast with 95.

Sixteen products did receive AV-Comparatives’ three star designation, led by Kaspersky, F-Secure, and eScan, respectively.  Avira, another A company, also received three stars. 

AV-Comparatives takes care to point out that for this test, “Although very important, the file detection rate of a product is only one aspect of a complete anti-virus product.  AV-Comparatives also   provides a whole-product dynamic “real-world” protection test, as well as other test reports that cover different aspects/features of the products”.
 
The “Whole Product Dynamic Real World Detection" and “File Detection Test of Malicious Software”  tests   are both   available on the AV-Comparatives web site, www.av-comparatives.org

One interesting thing about the products tested in this report is that nine of the engines under the hood were licensed from two companies, Bitdefender and Avira.  Details are available in the report.  Bitdefender had an overall detection rate of 99.5%.

About AV-Comparatives

AV-Comparatives is an independent not-for-profit organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.  Using one of the largest sample collections worldwide, it creates a real-world environment for truly accurate testing. 


Sunday, April 13, 2014

Fire in FireEye Valuation Gets Doused (slightly) With Release of NSS Breach Study Report – He Said, She Said Begins

NSS Labs issued their Breach Detection Security Value Map on April 2.  Neither FireEye nor AhnLab can be pleased.  In brief, the Value Map measures security effectiveness on the Y-axis and Total Cost of Ownership (TCO) per protected Mbps on the X-axis.  AhnLab and FireEye finished in the dreaded lower left-hand corner, with FireEye coming in last in security effectiveness (AhnLab was close).  AhnLab had the highest TCO per protected Mbps.  The other four companies' products, Fidelis, Fortinet, Trend Micro, and Sourcefire, were in the upper right-hand quadrant (Quadrant 1).  They were all around 98% to 99% effective in NSS testing.  Sourcefire was the overall winner.

From NSS, “Quadrant 1 contains those products that are recommended for both security effectiveness/management and value.  These devices provide a very high level of protection, manageability, and value for money.”  This document is publicly available from Fortinet as is a detailed report for their FortiSandbox 200D appliance.


Key findings mentioned in the press release - “Four of Six Leading Vendors Receive Coveted NSS ‘Recommended Rating’”
  • Four of six products tested achieved over 95% in overall security effectiveness; five of the six also recorded a 0% false positive rate.  AhnLab was the sixth, with a 7% false positive rate.  FireEye had the lowest security effectiveness, around 94.5%.
  • Money Doesn't Always Buy the Best Security: Total Cost of Ownership per Protected Mbps ranged from $231 to $468 with the highest-priced solution.  Conversely, Sourcefire (Cisco) had the lowest TCO and also received one of the highest security effectiveness ratings.
  • All BDS Solutions Performed At or Above Vendor Throughput Claims



NSS Labs did not receive any compensation in return for vendor participation; all testing and research was conducted free of charge.

FireEye Stock Price (FEYE)

FireEye stock has dropped about 51% from its March high of $97.35 to close at $47.33 on April 11.  52-week range - $33.30 to $97.35.  It will be interesting now to see how the stock performs.  Q1 results won't be announced until May 6.  Note - the stock was at $61.49 on April 2 when the report was released.  FireEye's Q1 results won't be comparable to last year's Q1, since revenue from the Mandiant acquisition (which closed after January 1) will be included.  The stock is up about 15% since the beginning of the year.  NASDAQ is down about 3% over the same period.

When you’re the market share leader, finishing low in an impartial test, one defense is to attack the attacker.
  
He Said - FireEye

"We are a vendor that specializes in advanced attack detection, not in detecting known, stale samples,” Gupta, FireEye Vice President of Products said.  "We ran their malware samples in our lab and detected every single one of them." A valid test would have used a zero-day exploit to evaluate the detection capabilities of the appliances or, at a minimum, the testing could have been done in a live, customer environment, Gupta added.

FireEye was quick to reply in a blog “Real World vs. Lab Testing: The FireEye Response to NSS Labs Breach Detection Systems Report” At a high level: 
  • Issue #1:  Poor sample selection
  • Issue #2:  Differing definitions of advanced malware
  • Issue #3:  Poor test methodology.   

FireEye offered several paragraphs of detail for each of the above.  It is worth reading the blog.

“The best way to evaluate FireEye is for an organization to deploy our technology in their own environment and they will understand why we are the market leader in stopping advanced attacks, “said Dave Merkel, CTO in an April 2 Network World article.

She Said – NSS Labs

NSS Labs was also quick to reply in a blog, "Don't Shoot the Messenger".
Their response is also good reading, as most of it consists of a 20-point table of "FireEye Claim" and "NSS Response".

"Not everyone can end up in the top right quadrant of the NSS Labs Security Value Map™ (SVM), so it is not unusual for someone to be unhappy.  It is, however, unusual for someone to behave the way FireEye did in this instance.  Normally we would not respond to such attacks, but there are a number of untruths and misdirections in their blog post that we feel we must address," stated Bob Walder, President and Chief Research Officer at NSS.  "FireEye's results were not that bad.  The real issue here is that FireEye now has credible competition in the BDS market place and the data from this NSS test shows it."


How Did This Begin

Three companies were tested last summer by NSS Labs in their initial breach study: AhnLab, FireEye, and Fidelis.  Fidelis made their report publicly available and challenged FireEye to do the same.  AhnLab issued a press release about their results, and in a blog went, "FireEye, hello?"  No press release by FireEye on their results.  Demerits to publications for not asking about this!  With respect to the three companies, NSS has a multi-page document letting the firms tested know what they can do with the test results.  One thing they can't do is start doing comparisons with other companies, combining charts, et cetera, from the reports.  The reports were available for purchase.

And What about NSS Labs’ Reputation?

In the "IT Security Survey 2014" by test group AV-Comparatives (www.av-comparatives.org), issued in February, NSS Labs came in ninth out of 15 vendors.  Over 5,800 users responded to the survey.

Timing Means Everything When Stock is Sold

On March 12, insider transactions of FireEye stock at $79.54 included: 
  1. Norwest Venture Partners IX, LP sold 2 million shares, grossing $160 million.
  2. FireEye CTO Ashar Aziz sold 1.04 million shares, grossing $83 million
  3. FireEye CEO Dave DeWalt sold 486 thousand shares grossing $38 million

Insiders can't sell shares whenever they want.  There are blackout windows around the release of financial results during which they cannot trade.  A more comprehensive list of insider transactions can be viewed at

  
It's difficult to test security products.  Every environment is unique.  The best way for companies to evaluate products is to bring them in house and to look at tests by reliable test groups.  The report by NSS Labs probably means that FireEye will face more in-house testing by potential customers, side by side with competitors, rather than being evaluated on its own.

Twitter - ckensek



Sunday, March 16, 2014

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was going to resign.  Target was going to implement new processes for protecting their network.  Prior to this, Target had gone through a number of phases since the attack began in late November: denial, CEO Gregg Steinhafel nowhere to be found, "Houston, we've got a problem", "Let's give customers a 'we're sorry' discount", CEO found (finally, someone looked at a book on crisis management), transparency, free credit monitoring for customers, etc.  The Russian hackers involved in this incident were not even very sophisticated with their coding.

Techtarget’s definition of Advanced Persistent Threat – “An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.  The intention of an APT attack is to steal data rather than to cause damage to the network or organization.  APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.”

In the Bloomberg story "Missed Alarms and 40 Million Credit Card Numbers.  How Target Blew It", the author writes about how Target HAD Advanced Persistent Threat appliances from FireEye, an APT company that went public several months ago for a gazillion dollars.  (Side note - FEYE's market cap was $10 B as of February 14, though their stock has dropped a bit less than 20% from its high.)

The malware had completed most of the phases of the hackers' objective.  Credit card numbers were being stored on a Target server as they were swiped on store terminals.  All that was left was for the numbers to be transmitted to the cyber criminals for subsequent sale to other cybercriminals.  In November and early December, the hackers went about installing the software that would send the customer info out to staging points (probably a botnet), and then to Russia.  Busted!  Well, sort of.  FireEye appliances sent an alert to Bangalore.  Bangalore alerted the people in Minnesota and...  Minnesota did nothing!  Then the transmittal of what would ultimately be 40 million records began.  (A nagging question - was there a DLP (Data Loss Prevention) solution installed on the network?)  It wasn't until mid-December, when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to automatically delete malware as soon as it was detected was turned off.  What's even more ludicrous is that Symantec's Endpoint Protection software also identified the malware.  Target has spent $61 million so far, faces lawsuits, and reported an abysmal Q4 profit (down almost 50%).

Read the Bloomberg/Business Week article. It’s quite interesting.  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

McAfee this week wrote  that this particular attack  was "Far from 'advanced,' The BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”  If this was the case, this is even more embarrassing for Target and their IT team.  http://www.mercurynews.com/business/ci_25322189/mcafee-report-says-target-cyber-attackers-used-common

Takeaways from this - if your network does not have them, look at investing in an APT solution and in a DLP solution.  Don't ignore your security solutions when they flag something.  NSS Labs, Ellen Messmer at Network World, and Lawrence Pingree at Gartner (www.nsslabs.com, www.networkworld.com, www.gartner.com) have all written about Advanced Persistent Threat vendors.  Type "advanced persistent threat" into a Google search and a slew of vendors will show up on the right-hand side.

Craig Kensek  - Twitter - ckensek



Thursday, February 20, 2014

Gartner Magic Quadrant for Endpoint Protection Platforms- 2013

Gartner has released their 2013 Magic Quadrant for Endpoint Protection Platforms, ID:G00247705.  Five performers are in the Leaders quadrant.  Their approximate order in the report: McAfee, Symantec, Kaspersky, Trend Micro, and Sophos.  This is a little bit of a switch from 2012, when the order was Symantec, McAfee, Sophos, Kaspersky, and Trend Micro.  Microsoft, as in the 2012 report, was the only company in the Challengers portion of the grid.  Analysts for the report - Peter Firstbrook, John Girard, and Neil MacDonald.  Congrats to all in this portion of the quadrant.

Probably not so pleased with the report are ThreatTrack Security, BeyondTrust, and Check Point Software Technologies.  These were the bottom three in the Niche Players portion of the quadrant.  BeyondTrust was the overall lowest in the quadrant with respect to Ability to Execute.  Check Point Software slipped from the Visionaries portion of the grid to this quadrant.  Not good.

McAfee continues its assimilation into Intel, which purchased them a couple of years ago.  The McAfee name will disappear and become Intel Security.  Kaspersky continues their assault on Trend Micro.  Sophos is aggressively expanding their business offerings and has revamped their channel program (http://channelnomics.com/2014/02/18/sophos-revamps-simplifies-partner-program/), remaining (and probably continuing to remain) a business-focused security vendor.

The   Gartner Magic Quadrant for Endpoint Protection Platforms report is available for purchase on their website.  Some vendors such as Symantec have it available on their website for those who register.

Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “However, a leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.  www.gartner.com

To see a blog on last year’s results - http://kensek.blogspot.com/2013/01/gartner-magic-quadrant-for-endpoint.html

ckensek on Twitter.
  

Tuesday, February 18, 2014

RSA Conference USA 2014 – Where the World Talks Security - March addendum at the end

Original Post

It’s that time of the year again.  Not the coming of spring, but RSA Conference USA 2014, where the world talks security.  Over 350 security vendors seeking mindshare and wallet share.  RSA San Francisco is running February 24 through 28 at Moscone Center in San Francisco.  For those who haven’t used their free pass code, too late.  http://www.rsaconference.com/events/us14

Before going, place a bet with your colleagues as to what you think the main theme will be.  Breaches and Advanced Persistent Threats may come back for a second year in a row. You may not be visiting Target as much this year. Though there is one on the same street as RSA!

This is Part 1 of Probably 3 about RSA Conference San Francisco 2014.  Don’t look for depth.  I’ll be looking more at things such as who has the best-looking booths, which booths someone on a budget can go to for   coffee, cookies.  In addition, and most importantly for some of you, what are the best tchotchkes being handed out?  

I’m not going to make it totally easy for people.  It’ll be a coin flip as to whether I just mention the tchotchke, or if I share the vendor name and booth location.

The usual suspects will be giving keynotes, it appears (sponsorship $$).  The final keynote by Stephen Colbert should be interesting.  http://www.rsaconference.com/events/us14/agenda/keynotes

For those who actual want to create a filtered list of whom to visit, the following link should be useful

One would think that vendors would take advantage of this, and possibly put in their competitors names.  I entered “Advanced Persistent Threat” and only five companies came up.  The companies - Lastline, LOGbinder, NPCore, Viewfinity, and Websense.  Sorry, companies that Gartner or Ellen Messmer  lists as being in this space that aren't showing up, you’re not going to be mentioned here.  That may put a fire in your eye, but I’m not going to do it.

For all attendees - if you're bringing your laptop, smartphone, or tablet to the event, leave them turned off as much as possible.  Install security software before getting to the event.  If you connect to the conference wireless network, make sure it really is the RSA Conference network and not a look-alike.

It's show time for some of the less desirable people attending RSA.  Reporters at Sochi found their devices being attacked literally as soon as they turned them on.  Remember to pack your "mdse".

For Newbies at RSA Conference USA 2014

The attractive women (and men) working in the booth don't work for the company.  Any mobile numbers you receive will be fake.

Wearing an “I worked with Edward Snowden” tee may get you some attention.

How many free pens and stress balls do you really need?

Are you ever going to reference or read the book that you stood in line for 20 minutes to get an autographed copy of?  What's your time value of money?

Are you really ever going to wear a tee shirt from a vendor that’s excessively big for you?

Unless you're collecting them for other people, don't bother.  Trade show vendor tee shirts will not make you a magnet.  If you must collect them (and they do fit!), promise yourself that you'll donate two of the ones at home that you collected from last year's RSA conference to charity.

If the collateral is online, why collect it at the event?

Turning your badge backwards to collect competitive intel screams, “I work for a competitor.”  You should have gotten a free exhibitor pass and registered with that.  Did that already?  Are you wearing your booth shirt?  Busted!

If bored during a presentation, count the number of typos that appear on screen during a presentation. An alternative, sneeze or cough, every time an overused phrase or word appears.  Suggestions – leading edge, next generation, intuitive interface   plug and play, and ROI.  Has there ever been a company promoting a non-intuitive interface?  Make your own list using one of the many pens you’ve collected.

Watch one of the booth presentations where they have better tchotchkes, but require that you answer a question or be part of a group on stage.  Don’t register.  Come back later and play.  They’ll often be asking the same questions.

Go up to someone in the booth who doesn’t look like a salesperson, and ask them, “what are the top 3 or 5 things that make you better than (fill in one of their competitor’s names)?"  Go to that competitor’s booth.  Do the same thing.  Bonus points if you then return to booths and say, “Here’s what I’m being told by (fill in the blank).”  You may be given some better intel (or another pen).

On the last day of the show, do an exhibition hall sprint and collect the tchotchkes that you really want.  You may not even need to be scanned.


Have a good time!     Remember, you do have to justify the expense when you return to the office.  Pack those mds.

Addendum   

No parts 2 and 3.  Rain tempered the crowds a bit this year.  The FireEye robot was nowhere to be seen.  People were lined up for a few of the keynotes.  Some helicopters were given away in drawings at booths, the usual iPads at others.  The high-tech equivalent of a fashionable woman's LBD (little black dress) was given out at a number of booths: the LBT, or little black tee (actually, usually large or extra large).  One read "Life's a Breach", another "We take the a** out of passwords".

Products in booths seemed to be more evolutionary rather than revolutionary  in nature.

A suggestion to the RSA people and the presentation theatres in the exhibition halls: a 42" monitor doesn't cut it when there are over 10 rows of people seated.  In a living room setting, 42" is ideal for sitting about 5 to 7 feet from the screen.  It is not good for reading multi-line, multi-font-size presentations!  Also, open the top floor of the South Exhibition hall (not where the exhibits are) on the first day of the keynotes, at the same time as the keynotes are given.  Some people want to work rather than attend the first two keynotes.  And... it was raining.

Saturday, February 15, 2014

AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)

Silver sponsorship at RSA Conference USA 2014 in San Francisco notwithstanding, South Korea-based AhnLab may face an uphill battle achieving success in the US with AhnLab Malware Defense System (MDS).  MDS is designed to combat Advanced Persistent Threats (APTs) and advanced malware.  No press release has been issued, but AhnLab will also be showing AhnLab Malware Defense System Enterprise (MDSE).  This version of Malware Defense System isn't described on AhnLab's website yet.  The below isn't a technical evaluation of Malware Defense System, MDS or MDSE.  It's more of a business analysis.

Why It May Be Difficult for AhnLab and AhnLab Malware Defense System (MDS) in the US

FireEye (www.fireeye.com) is the 800-pound gorilla in the industry.  They offer more form factors for their APT solutions than AhnLab does for Malware Defense System.  For example, their NX series to combat web-based attacks comes in six flavors, supporting 50 to 40k users.  Their FX series for file protection comes in two sizes: up to 80k and up to 160k files per day, respectively.  The acquisition of Mandiant gives them an endpoint solution.  On Valentine's Day, FireEye announced an intrusion prevention product, FireEye® MVX-IPS.  Well, they pre-announced the product.  They are shooting for availability during the first half of 2014.  They promote that they have customers in over 40 countries.

Crowded marketplace - AhnLab is among the double handful of competitors Gartner mentions in their August paper "Five Styles of Advanced Threat Defense".  Competitors besides FireEye include dedicated APT vendors Lastline, Bromium, and Damballa.  Other competitors (Googling "Advanced Persistent Threats") include Palo Alto Networks, Cisco, McAfee, Fidelis Security Systems, Trend Micro, Bit9, and Tenable.  Everyone has their eye on FireEye.

Limited US presence - AhnLab decreased their staffing in the US at the start of the year to a handful, despite having opened their US/EMEA headquarters in Santa Clara, CA less than two years ago.

It takes a channel and partners - Two ways to try to grow sales quickly are to OEM your product and to aggressively develop a channel.  AhnLab devotes one page to recruiting partners.  No partner portal.  No education portal.  FireEye has a well-developed partner program, including VARs, value-added distributors, system integrators, MSSPs, and technology alliance partners (over a dozen listed on their site).  FireEye's reseller program seems "standard", with three tiers.

It takes customer support - FireEye has multiple levels of support for their customers. For Malware Defense System, AhnLab will have to build off the single email address they currently have for US/EMEA customers. This suggests that support will be coming from South Korea. Nothing about multiple levels of support. Barracuda Networks has an amusing radio commercial asking if you want phone trees and long-distance support for your products.

It takes customers who will talk about your Advanced Persistent Threat product - It is difficult to get customers to publicly talk about what security products they have on their network. FireEye has Sallie Mae, Equifax, and the Department of Defense listed, as well as a dozen anonymous case studies across a number of industries. FireEye claims that over 100 of the Fortune 500 are among their customers.
 
It takes marketing and noise - FireEye is "everywhere". They appear on multiple security web sites. Multiple CIO and CISO events. Going public created a lot of visibility. Their reports, and those of Mandiant, whom FireEye acquired shortly after the first of the year, get a lot of visibility. FireEye is aggressive in issuing press releases about threats they have discovered and investigated. They're promoting fourteen security events (four in the US) they'll be at during the first half of the year. AhnLab will be at two. Most PR firms would consider just putting up a product description on your web site a sub-optimal way to announce a product. That's not the usual marketing strategy in the North American marketplace.

What AhnLab Malware Defense System May Have Going For it

NSS Breach Detection Study - AhnLab, Fidelis Security Systems, and FireEye were the only three companies to complete a breach detection study by NSS Labs (www.nsslabs.com) last summer. Fidelis put out a press release about their results, made their report available at no charge, and wrote a blog post challenging FireEye to make their summary report available. AhnLab put out a press release but hasn't made the report available on their website. FireEye wrote nothing.

Three types of protection in a single appliance - AhnLab promotes that they provide Web, email, and content security in a single appliance. With FireEye, you would have to purchase three products.

Profits - AhnLab is one of the largest security companies in South Korea. And profitable. FireEye has yet to show a profit. For 2013, Sales and Marketing expenses, by themselves, exceeded Revenue. Profits and positive cash flow are good things for the long term.

Ultimately, prospects will have to bring the products in house and test them. Gartner has looked at a number of companies offering a solution. NSS Labs (www.nsslabs.com) issued their breach detection study last summer and undoubtedly has another APT study going on.

For people visiting RSA 2014 in San Francisco (http://www.rsaconference.com/events/us14), a number of the vendors offering solutions will be present. Coffee and cookies in the AhnLab booth at 11:30 each morning during the exhibition! "Learn about the ultimate threat defense. AhnLab's announcing APTs Dead!" (sic) will be the topic of a talk by AhnLab executive Leo Versola on Wed. February 26 at 1:00PM in the North Expo Hall Briefing Center. Too late for a free RSA pass.

The window is closing for AhnLab and other Advanced Persistent Threat vendors. Obviously, FireEye has made it through. AhnLab and other vendors are going to have a battle to be one of the other survivors and get share. The press over some major attacks by cyber criminals during 2013 (Target Stores and its over 110 million affected, among others) ensures that companies will be looking for a solution.

craig kensek



twitter - ckensek