AhnLab Faces Uphill Battle in US – An Addendum

  

This is an addendum the February blog - “AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)” http://kensek.blogspot.com/2014/02/ahnlab-faces-uphill-battle-in-us.html

If AhnLab is going to make a go of it with their Advanced Persistent Threat product, Malware Defense System (MDS), they must be doing it in incredible stealth mode.  And they must be trying to do it from Korea, where AhnLab is headquartered. 

• Their top US technology person left for a start-up early this year
• There have been no press releases added to the US web site since November 2013
• The company did appear at the Gartner Risk Security & Management Summit in June following up their appearance at RSA SF.  At RSA, they re_announced AhnLab MDS
• AhnLab had posted that they were going to appear at Black Hat Las Vegasin August.  This was removed from their web site.
• Both AhnLab and FireEye complained about an update NSS Labs issued to their 2013 Breach Detection study.  In the original, AhnLab and FireEye finished second and third respectively.  http://kensek.blogspot.com/2014/04/ahnlab-raises-issues-with-recent-nss.html   In the original update, they finished fifth and sixth respectively.  In the post complaints update, AhnLab MDS ranked sixth and FireEye fifth.  Both were far below the other four companies, SourceFire, Trend Micro, Fortinet, and Fidelis.  The updated value map is available at http://www.fortinet.com/sites/default/files/whitepapers/NSS-Labs-2014-BDS-SVM_0.pdf
• If you try to reach AhnLab at their 800 number, 800.511.Ahnlab (2465), you will receive a “you’ve reached a number that has been disconnected or is no longer in service” message.

Perhaps AhnLab is still trying to break into the US licensing Malware Defense System.  If so, they are being incredibly quiet   about it.

Palo Alto Networks, Check Point top Products in Gartner Magic Quadrant for Enterprise Network Firewalls - 2014

As is probably no big surprise to those in the industry and those purchasing network security products, Palo Alto Networks (PAN) and Check Point had the top rated products in the 2014 Gartner Magic Quadrant for Enterprise Network Firewalls.  The report came out in April.  These are the only two companies in the Leaders Quadrant, with Palo Alto Networks leading on Completeness of Vision and Check Point for Ability to Execute. Fortinet and Cisco were the closest to the in the Challengers quadrant.   The report, ID:G00258296 is available on the PAN web site for those who register. http://connect.paloaltonetworks.com/gartner-mq-2014

Palo Alto Networks pretty much was the originator of the acronym NGFW or Next Generation Firewall, and PAN and Check Point Software Technologies companies compete for many of the same customers. Last year, PAN   introduced their Wildfire infrastructure, enabling the PAN firewall to detect and stop Advanced Persistent Threats (APTs) This is offered to customers via the public cloud or can be deployed as a private cloud.   Gartner also wrote that PAN    was consistently on most NGFW competitive shortlists.  PANS Advanced Persistent Threat Solution   was not among those recently tested by NSS Labs in their April Breach Detection Study.   

Check Point was cited by Gartner as being the market share leader in firewall installed base. They offer an extensive line of security appliances and were also delivered the industry’s first flexible, extensible security architecture, the Check Point Software Blade Architecture.   Check Point’s Anti-Bot Software Blade detects bot-infected machines, prevents bot damages by blocking bot C&C communications. This isn’t a comprehensive Advanced Persistent Threat Solution, but it helps protect the network.

PAN’s product portfolio isn’t quite as extensive Check Point’s,   they do offer a virtualized firewall platform in addition to the more traditional appliance offering, threat subscriptions for URL filtering, and a management platform.  

Fortinet was rated a Challenger by Gartner. They stated Fortinet was “not often beating Leaders in mainstream enterprise selections based on features and vision, nor causing Leaders to react to Fortinet.”

Cisco was rated a Challenger as well.  Gartner didn’t seem them displacing   PAN nor Check Point on the basis of visions or features.  They saw Cisco winning firewall business through channel “execution and “aggressive discounting”.

Juniper Networks completed the trio of companies in the Challenger quadrant.  McAfee was a leader in the Niche quadrant.

Offerings from F5, Arkoon-Netasq, and AhnLab were the furthest down and to the left in the Magic Quadrant.

Check out the complete report.  For an assessment of all sixteen vendors in the report. Some names you’re familiar with may be missing due to consolidation. Gartner also has some brief information on why virtualized firewall penetration is a less than two percent.  “Security-minded enterprises are also rightly skeptical of running firewalls within a hypervisor that is between the threat and the firewall,” according to Gartner. 

 Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “A leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market”.     Sometimes a leader is not the best solution for a particular customer.  Despite that, you will see many   presentations where the vendor uses being in the Leaders quadrant   as a reason to buy from that particular vendor.  Who would have thought that they would do that? www.gartner.com

Some of NSS Labs reports are available at no charge.  www.nsslabs.com

craig kensek

Just When You Thought the Target Breach Story Was Over. A Tale of Advanced Persistent Threats (APT), FireEye, and Warnings Ignored

In the previous chapter of this adventure, Target CIO Beth Jacob had taken the hit and was going to resign.  Target was going to implement new processes in protecting their network. Prior to this, Target had gone through a number of phases since the attack began in late November – denial, CEO Gregg Steinhafel is  nowhere to be found, “Houston, we’ve got a problem”, “Let’s give customers a ‘we’re sorry’” discount”, CEO is found (finally, some look at a book on crisis management), transparency, free credit watch software for customers, etc.  The Russian hackers involved in this incident were not even very sophisticated with their coding.

Techtarget’s definition of Advanced Persistent Threat – “An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time.  The intention of an APT attack is to steal data rather than to cause damage to the network or organization.  APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry.”

In the Bloomberg story “Missed Alarms and 40 Million Credit Card Numbers.  How Target Blew It”, the author writes about how Target HAD Advanced Persistent Threat appliances from FireEye (an APT company that went public several months ago for a gazillion dollars (Side note – FEYE’s  market cap was $10 B as of February 14, though their stock has dropped a bit less than 20% from its high).

The malware had completed most of the phases of the hacker’s objective. Credit card numbers were being stored on a Target server as they were swiped on store terminals. All that was left was for the numbers to be transmitted the cyber criminals for subsequent sale to other cybercriminals.  In November and early December, the hackers went about installing the SW that would send the customer info out to staging points, (probably a botnet), and then to Russia.  Busted!  Well. Sort of. FireEye appliances sent an alert to Bangalore. They alerted the people in Minnesota and…  Minnesota did nothing!  Then, the transmittal of ultimately 40 million records began (a nagging question – was there a DLP (Data Loss Prevention), installed on the network?  It wasn’t until mid-December when the Department of Justice got involved, that Target really began investigating.

By the way, the option for the FireEye appliance to  automatically delete malware as soon as it was  detected was turned off.  What’s even more ludicrous is that Symantec’s Endpoint Protection software, also identified the malware.  $61 million spent by Target so far. Lawsuits, Abysmal Q4 profit (down almost 50%).

Read the Bloomberg/Business Week article. It’s quite interesting.  http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

McAfee this week wrote  that this particular attack  was "Far from 'advanced,' The BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality.”  If this was the case, this is even more embarrassing for Target and their IT team.  http://www.mercurynews.com/business/ci_25322189/mcafee-report-says-target-cyber-attackers-used-common

Takeaways from this - If your network does not have them.  Look at investing in an APT solution.  Look at investing in a DLP solution. Don’t ignore your security solutions when you get flagged. NSS Labs, Ellen Messmer at Network World, and Lawrence Pingree at Gartner.  www.nsslabs.com , www.networkworld.com , www.gartner.com  have all written about Advanced Persistent Threat vendors. Type “advanced persistent threat” into a Google search and a slew of vendors will show up on the RHS.  

Craig Kensek  - Twitter - ckensek

RSA Conference USA 2014 – Where the World Talks Security - March addendum at the end

Original Post

It’s that time of the year again.  Not the coming of spring, but RSA Conference USA 2014, where the world talks security.  Over 350 security vendors seeking mindshare and wallet share.  RSA San Francisco is running February 24 through 28 at Moscone Center in San Francisco.  For those who haven’t used their free pass code, too late.  http://www.rsaconference.com/events/us14

Before going, place a bet with your colleagues as to what you think the main theme will be.  Breaches and Advanced Persistent Threats may come back for a second year in a row. You may not be visiting Target as much this year. Though there is one on the same street as RSA!

This is Part 1 of Probably 3 about RSA Conference San Francisco 2014.  Don’t look for depth.  I’ll be looking more at things such as who has the best-looking booths, which booths someone on a budget can go to for   coffee, cookies.  In addition, and most importantly for some of you, what are the best tchotchkes being handed out?  

I’m not going to make it totally easy for people.  It’ll be a coin flip as to whether I just mention the tchotchke, or if I share the vendor name and booth location.

The usual suspects will be giving keynotes, it appears (sponsorship $$).  The final keynote by Stephen Colbert should be interesting.  http://www.rsaconference.com/events/us14/agenda/keynotes

For those who actual want to create a filtered list of whom to visit, the following link should be useful

http://www.rsaconference.com/events/us14/exhibitors-sponsors/exhibitor-list   

One would think that vendors would take advantage of this, and possibly put in their competitors names.  I entered “Advanced Persistent Threat” and only five companies came up.  The companies - Lastline, LOGbinder, NPCore, Viewfinity, and Websense.  Sorry, companies that Gartner or Ellen Messmer  lists as being in this space that aren't showing up, you’re not going to be mentioned here.  That may put a fire in your eye, but I’m not going to do it.

For all attendees -   if you’re bringing your laptop, smartphone, or tablet to the event.  Leave them turned off as much as possible.  Install security SW before getting to the event.  If you log onto the RSA net, make sure it is the RSA network.  

It’s show time for some of the less desireables attending RSA.  Reporters at Sochi were finding their devices being attacked literally, as soon as they turned on their devices.  Remember to pack your “mdse”.

For Newbies at RSA Conference USA 2014

The attractive women (and men) working in the booth, don’t work for the company.  Any mobile numbers you received will be fake.

Wearing an “I worked with Edward Snowden” tee may get you some attention.

How many free pens and stress balls do you really need?

Are you ever going to reference or read the book that you stood in line for 20 minutes to get an autographed copy?  What’s your time value of money?

Are you really ever going to wear a tee shirt from a vendor that’s excessively big for you?

Unless you’re collecting them for other people, don’t’ bother.  Trade show vendor tee shirts will not make you a magnet.  If you must collect them (and they do fit!), promise yourself, that you’ll donate two of the ones you have at home to charity that you collected from last year’s RSA conference.

If the collateral is online, why collect it at the event?

Turning your badge backwards to collect competitive intel screams, “I work for a competitor.”  You should have gotten a free exhibitor pass and registered with that.  Did that already?  Are you wearing your booth shirt?  Busted!

If bored during a presentation, count the number of typos that appear on screen during a presentation. An alternative, sneeze or cough, every time an overused phrase or word appears.  Suggestions – leading edge, next generation, intuitive interface   plug and play, and ROI.  Has there ever been a company promoting a non-intuitive interface?  Make your own list using one of the many pens you’ve collected.

Watch one of the booth presentations where they have better tchotchkes, but require that you answer a question or be part of a group on stage.  Don’t register.  Come back later and play.  They’ll often be asking the same questions.

Go up to someone in the booth who doesn’t look like a salesperson, and ask them, “what are the top 3 or 5 things that make you better than (fill in one of their competitor’s names)?"  Go to that competitor’s booth.  Do the same thing.  Bonus points if you then return to booths and say, “Here’s what I’m being told by (fill in the blank).”  You may be given some better intel (or another pen).

On the last day of the show, do an exhibition hall sprint and collect the tchotchkes that you really want.  You probably may not even need to be scanned.

Have a good time!     Remember, you do have to justify the expense when you return to the office.  Pack those mds.

Addendum   

No parts 2 and 3.  Rain tempered the crowds a bit this year. The FireEye robot was nowhere to be seen.  People were lined up for a few of the keynotes.  Some helicopters were given away in drawings at booths.  The usual iPads at others.  The high tech equivalent of a fashionable women's LBD (little black dress) was given out a a number of booths, the LBT (little (actually, usually large or extra large) little black tee.   One give out read, "Life's a Breach", another read "We take the a** out of passwords.

Products in booths seemed to be more evolutionary rather than revolutionary  in nature.

A suggestion  to the RSA people and the presentation theatres in the exhibition halls.  A 42" monitor doesn't cut it when there are over 10 rows of people seating.  In a living room setting, 42" is ideal for sitting about 5 to 7 feet from the screen. Not good for reading multi line, multi font size presentations!  Open the top floor of the South Exhibition hall (not where the exhibits are) on the first day of the keynotes at the same time as the keynotes are given . Some people want to work rather than attend  the first two keynotes. And.....it was raining.  

AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)

Silver sponsorship at RSA Conference USA 2014 in San Francisco  notwithstanding,  South Korea based AhnLab may face an uphill battle achieving success in the US with AhnLab Malware Defense System (MDS).  MDS is designed to combat Advanced Persistent Threats (APTs) and Advanced Malware.  No press release has been issued, but AhnLab will also be showing AhnLab Malware Defense System   Enterprise (MDSE). This version of Malware Defense System isn’t described on AhnLab website yet. The below isn't a technical evaluation of Malware Defense System, MDS or MDSE. It's more of a business analysis. 

http://conference.ahnlab.com/conference/rsa2014/product_mdse.jsp .

For information on MDSE -  http://conference.ahnlab.com/conference/rsa2014/AhnLab_MDSE_Brochure.pdf

Why It May Be Difficult for AhnLab and AhnLab Malware Defense System (MDS) in the US

FireEye (www.fireeye.com) is the 800-pound gorilla in the industry.  They offer more form factors for their APT solutions over AhnLab Malware Defense System.  For example -   their NX series to combat web-based attacks has six flavors, supporting 50 to 40k users.  Their FX series for file protection comes in 2 sizes; up to 80k and up to 160k files per day, respectively.  The acquisition of Mandiant gives them an endpoint solution.  On Valentine’s Day, FireEye announced an Intrusion Prevention product FireEye® MVX-IPS.  Well, they pre-announced the product.  They are shooting for availability during the first half of 2014.  They promote that they have customers in over 40 countries.   

Crowded marketplace   - AhnLab is among the double handful of competitors Gartner mentions in their August paper “Five Styles of Advanced Threat Defense”.  Competitors besides FireEye include   dedicated APT vendors Lastline, Bromium, and Damballa.  Other competitors (Googling Advanced Persistent Threats) include Palo Alto Networks, Cisco, McAfee, Fidelis Security Systems, Trend Micro,  Bit9, and Tenable.  Everyone has their eye on FireEye 

Limited US Presence -   AhnLab decreased their staffing in the US at the start of the year to a handful despite having just opened their US/EMEA headquarters in the Santa Clara, CA less than two years ago.    

It takes a channel and partners - Two ways to try to   grow sales quickly are to  OEM your product and agressively develop a channel.  AhnLab devotes one  page to recruiting partners.  No Partner Portal.  No Education Portal.  FireEye has a well-developed partner program, including VARs, Value Added Distributors, System Integrators, MSSPs, and Technology Alliance Partners (over a dozen listed in their site).  FireEye’s reseller program seems “standard” with three tiers.

It takes customer support - FireEye has a multiple levels of support for their customers.  For Malware Defense System, AhnLab will have to build off a single email address they currently have for US/EMEA customers.  This suggests that support will be coming from South Korea.  Nothing about multiple levels of support.  Barracuda Networks has an amusing radio commercial asking if you want phone trees  and long distance support for your products.

It takes customers who will talk about your Advanced Persistent Threat product - It is difficult to get customers to publically talk about what security products they have on their network.  FireEye has Sallie Mae, Equifax, and the Department of Defense listed as well as a dozen anonymous case studies across a number of industries. FireEye claims that over 100 of the Fortune 500 are among their customers.

 

It takes marketing and noise - FireEye is “everywhere”.  They appear on multiple security web sites. Multiple CIO and CISO events.  Going public created a lot of visibility.  Their reports and Mandiant’s whom FireEye acquired shortly after the first of the year, get a lot of visibility.  FireEye is aggressive in issuing press releases about threats they have discovered and investigated.  They’re promoting fourteen security events (four in the US),   they’ll be at during the first half of the year.  AhnLab will be at two.  Most PR firms would consider just putting up a product description on your web site a sub-optimal way to announce a product.  That’s not the usual marketing strategy in the North America marketplace.

What AhnLab Malware Defense System May Have Going For it

NSS Breach Detection Study -   AhnLab, Fidelis Security Systems, and FireEye were the only three companies to complete a breach detection study by NSS Labs, (www.nssslabs.com ) last summer.  Fidelis put out a press release about their results, made their report available at no charge, and wrote a blog challenging FireEye to make their summary report available.  AhnLab put out a press release but hasn’t made the report available on their website.  FireEye wrote nothing.

Three types of protection in a single appliance - AhnLab promotes that they provide Web, email, and Content Security in a single appliance.  With FireEye, you would have to purchase three products.

Profits - AhnLab is one of the largest security companies in South Korea.  And profitable.  FireEye has yet to show a profit.  For 2013, Sales and Marketing expenses, by themselves, exceeded Revenue.  Profits and positive cash flow are good things for the long term.

Ultimately, prospects will have to bring the products in house and test them.  Gartner has looked at a number of companies offering a solution.  NSS Labs issued their reach study last summer and undoubtedly has another APT study going on.  www.nsslabs.com

For people visiting RSA 2014 in San Francisco http://www.rsaconference.com/events/us14  a number of the vendors offering solutions will be present.  Coffee and cookies in the AhnLab booth, at 11:30 each morning during the exhibition!  “Learn about the ultimate threat defense.  AhnLab’s announcing APTs Dead!”  (Sic) will be the topic of a talk by AhnLab executive Leo Versola on Wed. February 26 at 1:00PM in the North Expo Hall Briefing Center. Too late for a free RSA pass.

The window is closing for AhnLab and other Advance Persistent Threats vendors.  Obviously, FireEye has made it through.  AhnLab and other vendors are going to have a battle to be one of the other survivors and get share.  The press over some major attacks from cyber criminals Target Stores and over 110 million, among others during 2013  ensures  athat companies will be looking for a solution. craig kensek

twitter - ckensek

Target Data Breach – Target CEO Belatedly Starts to “Man Up”

Target and CEO Gregg Steinhafel have finally downloaded a book on crisis management and are following the script for when a company crisis occurs.   They could have begun a lot earlier after this November/December data breach occurred. Right after the breach was discovered.  They have managed to never say the phrase “Advanced Persistent Threat (APT)” in their communications. I would imagine that any company offering an APT solution has contacted them.

On January 14^th, Target ran a full page ad in a number of major US newspapers. Below are snippets of the four bullet points and my comments. These adverts do cost $$.  Earlier blogs on this topic are on www.us.ahnlab.com

1. Closed the access points that were used and removed the malware.  I should hope so!  Preferably, this was done a month ago.
2. Hired a team of data security experts to investigate how this happened.  Good.  Hopefully this happened a month ago. The internal IT department kind of messed up here.  However, most current security technology is unable to stop these kind of attacks. Hence, the number of APT solutions being offered.
3. Communicated that  guests will have zero liability for any fraudulent charges.  First, they’re customers, not guests.  A bit of a $$ olive branch. Usually, customers have a small window of  to dispute charges on debit cards and credit cards. The rules vary. They don't have unlimited liability.  But a person’s checking account could, in theory be emptied.  This communication hopefully happened right after the breach was discovered and closed.
4. Offered one year of free credit card monitoring and identify theft protection.  This should have happened weeks ago.  Target – do not auto renew this on Target debit cards. That would be tacky.

Target is now doing much of the right thing. Steinhafel even said, “Sorry”.    All the above   was late. The crisis management book would have had Steinhafel front and center right after the breach was discovered, rather than having an update section on the Target web site.  www.target.com/databreach

Demerits for Target for not being transparent early to customers. Demerits for not keeping Target employees in the trenches in the loop immediately and ongoing about this.  Target should even consider having something conspicuously posted (with copies available) at checkout lines at their stores.  The 10% additional weekend discount offered was barely an olive branch.

It now appears that even non Target customers are now getting emails from Target. These read, in part,  from one article on the topic: 

"The good news first: A Target spokeswoman has confirmed to Consumerist that the email is “an official communication,” despite it seeming like the perfect chance for hackers to strike yet again. So, whew. But when we asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, 'The information was obtained by Target through the normal course of our business.'" 

http://consumerist.com/2014/01/17/non-target-customers-wondering-how-target-got-contact-info-to-send-email-about-hack/

Target IT employees. Start evaluating APT solutions.

Why hasn’t Target and/or the relevant financial institutions gone out and immediately sent out replacement cards?  First, a less costly solution would be if all customers would go and change their passwords. This isn’t going to happen. The information (fortunately a lot of it encrypted) has already been stolen. Second – behind the scenes, the financial institutions and Target are probably pointing fingers at each other regarding inadequate protection.  Third – the cost of sending out replacement cards is around $10.  This could be   an up to $440 million hit in revenue to Target and/or the affected financial institutions. So, this isn’t going to happen.