Needles in a Digital Hay Stack; Finding Value in Big Data

Big data is a scorching hot topic, currently capturing a lions share of the markets available stock of hyperbole and for good reason, data is growing at a meteoric rate.

As we continue to innovate, as business accelerates technology adoption, as the line bleeds between corporate and personal computing and as we interact more in digital mediums we are creating mountains of data. Much of this data is garbage, but some of it is gold (big-data-are-you-creating-a-garbage-dump-or-mountains-of-gold).

Unfortunately with all overly hyped technologies there is a lot of misinformation, failed expectations and the inevitable trough of disillusionment, but that doesn’t mean you have to spend months or years curled up in a fetal position, disillusioned and wondering what went so wrong. With a thoughtful approach you can venture through the murky swamp of your big data and find the insights that provide your company a significant competitive and market advantage.

Continue reading →

Big Data; Are You Creating a Garbage Dump or Mountains of Gold

You’re not really sure how it happened, but some time between last year and the summer of 2011 you were suddenly facing a big data problem, or you were being told you were facing a big data problem, or more accurately you were being told that you needed a big data solution.

Funny thing was that you hadn’t really done anything drastic over the last couple of years that would seem to indicate a tsunami of data was about to breach your storage floodgates, but then again it wasn’t like you watched yourself going bald either.

Continue reading →

The Good, Bad, and Ugly of Technology Acquisitions

It is the foundation for the free market system and capitalism and it is every entrepreneurs dream; build a great technology, execute and achieve excellence in GTM, deliver fantastic value to customers and take great pride in watching your passion grow – fast.

Then it happens; the exit, the liquidation event, the ‘golden ticket’ and in a blip of your time on this tiny little rock your life changes.

Last year, after spending almost four years as the CTO of BigFix, we were acquired by IT industry behemoth IBM (IBM to acquire BigFix) for what was the largest acquisition of a private software company in 2010 (second was CA’s acquisition of Nimsoft at around $380m) and my life changed…

Continue reading →

IBM to Acquire BigFix – Hallelujah! Can I Get a Witness?!

I will post more later but given all the blood, sweat, and tears we have poured into BigFix we are extremely excited about this move.

IBM and BigFix are a great fit. The product portfolios are very complementary (data center to the endpoint), the strategy and vision are well-aligned (automated service management and convergence) and the companies respective values and focus will drive greater innovation to the market

Product and market synergies

• BigFix offers best in class endpoint management (PCs, laptops, and distributed servers) that extends the IBM portfolio enabling their smarter computing vision from the data center to endpoints anywhere in the world
• Our product portfolios are very complementary, as demonstrated by the many joint customers we successfully serve today

Strategy and vision:

• We share a common vision for delivering automated service management and security and operational convergence to our customers worldwide
• IBM intends to continue to evolve the rich capabilities of the BigFix platform and to innovate, integrate, and expand the combined solutions to address a broader set of market requirements than ever before

Company values and market focus

• We share similar ideals and value around integrity and innovation
• We both have a workforce that is provisioned and dedicated to solving the problems of the largest and most sophisticated enterprise environments in the world.

Continue reading →

Chinese Government to Ban All US-Based Technology Companies and Products

Beijing, China – April 1, 2010 – The Chinese government announced that effective immediately all US based technology firms and associated products and services will be banned from all Chinese government and state-run agency IT environments. The ban is expected to include critical infrastructure, such as military, finance, utilities, and healthcare as well as education, retail and manufacturing companies. Continue reading →

Client Hosted Virtual Desktops Part 1; Own the OS

We all know that IT security and operations is becoming a more challenging and untenable problem day by day – see “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About it” – The reality is that we continue to build on top of inherently insecure and fundamentally weak foundations, such as the operating systems and routing infrastructures that power much of the global economy.

We need an alternative to the current computing paradigms that all organizations struggle with.

Continue reading →

Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About It

In the security industry we like to fool ourselves into thinking that we can materially impact an organizations security posture. We believe that new tools, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.

But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.

Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.

So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin and as your sitting there pondering what went so terribly wrong take a moment to reflect on the top 10 reasons your security program sucks and why no matter how much you kick and scream it will continue to suck…

Continue reading →

50th “Beyond The Perimeter” Podcast HighLights

Not too long ago I embarked on a creating a podcast series that would provide more regularity than the blog. Beyond the Perimeter has been a tremendous amount of fun and as we just posted our 50th podcast I wanted to reflect on some of the highlights and wonderful guests we have been honored to have joined us.

Beyond the Perimeter iTunes subscription

Beyond the Perimeter Direct XML Feed

Continue reading →

Client-Side Virtualization Episode II: Standardization, Attack of the Clones and Desktops Reloaded

Consolidation is the major benefit or “killer app” for server/data center virtualization. Standardization is the major benefit or “killer app” for client-side virtualization.

As I was pondering the challenges of current systems management processes, researching the latest and greatest from the client-side virtualization vendors, and talking to a lot of large organizations I was trying to find that one thing that explained the operational benefits of client-side virtualization. There are more than one, but it really does come down to standardization, allow me to explain… Continue reading →

Cloud-Computing Solves Patching Problem…IT Admins Please Report to HR for Immediate Dismissal

So apparently the latest version of the Qualys Laws of Vulnerabilty Report has Qualys jumping to some pretty outrageous claims about how cloud-computing – invented by Qualys according to Courtot (insert cute smiley here) – can secure IT more effectively or allow people to not patch any more or some such nonsense (thanks to Hoff for the heads up).

Anyway so the logic flaw goes something like this -> Continue reading →

Reports of my death have been greatly exaggerated…

Yes I know it has been some time since I have posted a blog entry. The pain and suffering this has caused I can only imagine has been unbearable. Many of you must be feeling the nauseating withdrawal like symptoms of not enough me, but do not fear you will no longer need to remain in a fetal position rocking back and forth wondering if I will blog again – I shall. Continue reading →

Open Cloud Computing Manifesto: Much Ado About Nothing

So apparently a group of technologists and vendors working under the cloak of digital darkness drew out a pentagram and locked arms as they called out to Cthulhu to manifest and drive out those that would oppose their ultimate aims of total and complete world domination. Domination brought about through a set of cloud computing solutions that would revolutionize antiquated IT infrastructures and deliver agility, scalability, and operational efficiencies through an open platform at a really, really good price.  Blood was spilled, virgins were killed, and apparently an “open” cloud-computing manifesto was drafted. Continue reading →

Mission Accomplished: There is NO Future in Security

According to IBM the Security industry is dead and has no future (here)

“The security business has no future,” Val Rahamani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services. Rahamani said the security industry as it is today is not sustainable, and that IBM is instead going into the “business of creating sustainable business.”

“It’s all about putting security into the context of business operations, she said. “Parasitic threats are only a metaphor for the greater issue — there will always be new threats to business sustainability, ranging from parasites to regulations to insiders to global politics. We cannot achieve true sustainability if we continue to focus on individual threats. We can only achieve true sustainability if we design security and continuity into our processes from the beginning.”

“The traditional security industry is simply not sustainable… We have a historic opportunity to change our mindset from IT security to secure business. We have the technology, services, and expertise available today to create truly sustainable business, even in a world where we assume everyone is infected.”

“The security industry is dead,” Rahamani said. “Long live sustainability.

At first read some of you may be taken aback and look at this as an overly provocative stance along the lines of Bill Gates assertion at a Gartner Symposium over 5 years ago that Microsoft would solve security, or John Thompson’s stance 4 years ago that convergence between security and storage were not only demanded they were needed to evolve the industry, or Art Covello’s prediction last year that the security industry would experience wide-spread and massive consolidation with only large, broad-scoped vendors remaining – with hundreds of security start-ups and more on the way, someone clearly didn’t get the memo.

The reality is that the current reactive, ad-hoc security model isn’t working. Val’s statements reflect a growing awareness and acceptance that a significant part of the security challenge must be addressed through pro-active, insightful, management of the infrastructure, in a way that enables security to support the needs of the business. I have spoken about this in numerous posts

1. Why Should We Spend on Security (here)

“There is a dull hum permeating the industry of late – security is dead some say, others think it to be too costly to maintain, others still believe that what is needed is a change of perspective, perhaps a radical shift in how we approach the problem. What underlies all of these positions is a belief that the status quo is woefully ineffective and the industry is slated for self-destruction or, as a whole, we will succumb to a digital catastrophe that would have been avoided if only we had just…well, just done something different from whatever it is we are doing at the time something bad happens.”

“As we go round and round on the never ending hamster wheels provided as best practice guidelines by security vendors, consultants, and pundits, we find ourselves trapped in an OODA loop that will forever deny us victory against malicious actors because we will never become faster, or more agile than our opponents. But to believe one can win, implies that there is an end that can be obtained, a victory that can be held high as a guiding light for all those trapped in eternal security darkness. We are as secure as we need to be at any given moment, until we are no longer so – when that happens, regardless of what you may believe, is outside of of our control.”

2. Information Security Must Evolve (here)

“Security professionals must have a better understanding of the business they are hired to protect, must posses more soft skills such as communication and cooperation, and must evolve their skill against the dynamic threat environment and the evolving business infrastructure…These soft skills will become increasingly important in the coming decade as security programs mature and become an integral part of business success. More importantly organizations structure becomes critical as enterprises must implement an organizational structure that supports cross-group cooperation and workflow.”

3. RSA Themes: Information Security Evolves (here)

“a general market realization that security is evolving beyond a reactive, ad-hoc activity to an integral part of running a business in today’s world. We are increasingly reliant on technology for every aspect of our lives and business is looking to IT to play a significant role in innovation, whether that is to tap into new revenue streams or to achieve new levels of operational efficiency that also boosts the bottom line.”

“It is encouraging to see organizations begin to embrace security as an integral part of how a successful business functions. But we have a long way to go as we evolve from reactive security programs performed in a silo to security and operations convergence, and a level of operational maturity and agility that allows organizations to leverage IT for innovation.”

4. Security Prediction 2007: The year security becomes irrelevant! (here)

“So does security become irrelevant? well not exactly, but it is the year security goes main stream and becomes just another function performed by an increasingly taxed IT organization. Security will become less and less silo’d and more operationalized. Security and operational convergence will drive more technology convergence as vendors scramble to address multiple constituencies in the operations, security and compliance domains. The bottom line is that information security will begin to mature and evolve”

5. Rational Fear vs. Irrational Security (here)

Security must be agile, we must be able to quickly adapt to changing threats and we have to be careful to balance security of the unknown vs. securing against the known. Zero-days are scary, yet they are relatively infrequent compared to the thousands of known vulnerabilities organizations face annually, we certainly need to adapt to zero-day threats, but we can’t do this at the loss of security against the more frequent but less exotic MSFT or browser vulns. What’s scary is that most organizations, even after years of dealing with vulnerabilities, still have not implemented effective vulnerability management programs (here), (here), and (here)

6. Information Survivability vs. Information Security (here)

Bottom Line: you cannot stop all bad things from happening, this is not the goal of security. The goal of security is to limit the probability of bad things from happening and when they do happen to limit their impact. It really is that simple.