<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Insecure About Security</title>
	<atom:link href="http://www.insecureaboutsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.insecureaboutsecurity.com</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Thu, 02 Feb 2012 20:03:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Anticipating the RSA Conference 2012</title>
		<link>http://www.insecureaboutsecurity.com/2012/02/02/anticipating-the-rsa-conference-2012/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/02/02/anticipating-the-rsa-conference-2012/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 18:47:07 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Countertack]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[FireEye]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[LogRhythm]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Rackspace]]></category>
		<category><![CDATA[RSA Security]]></category>
		<category><![CDATA[SAP]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[Stratfor]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[Unisys]]></category>
		<category><![CDATA[Verizon]]></category>
		<category><![CDATA[Zappos.com]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1507</guid>
		<description><![CDATA[It’s now February although you’d never know it from the balmy winter here in Boston. Aside from Valentine’s Day, February is significant because it is when security geeks from around the world get together in San Francisco for the RSA Conference. The show doesn’t start until 2/27 but you can feel the anticipation in the [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>It’s now February although you’d never know it from the balmy winter here in Boston. Aside from Valentine’s Day, February is significant because it is when security geeks from around the world get together in San Francisco for the <a href="http://365.rsaconference.com/index.jspa" target="_blank">RSA Conference</a>.</p>
<p>The show doesn’t start until 2/27 but you can feel the anticipation in the air across the whole security community. That’s a good thing since 2011 was an especially difficult year – some have even labeled it “the year of the breach.” Hmm, what happens if 2012 is even worse – which is not unlikely?</p>
<p>In any case, RSA is always chock-a-block with a number of common themes. Here’s what I am anticipating, as well as my editorial comment on each.</p>
<ol>
<li>Threat/malware management. This is a very important topic as Advanced Persistent Threats (APTs) and other types of sophisticated malware demonstrate that our existing security defenses are inadequate. I’m hoping to hear some good intelligence about cyber adversaries, and discuss best practice modifications around security processes and defense-in-depth controls to address these increasingly dangerous threats. Interesting vendors in this space include Countertack, Damballa, and FireEye, as well as old guard companies like Sourcefire and Trend Micro, but I’m interested in hearing from others as well.</li>
<li>Security intelligence. Security situational awareness is marginal at best at many enterprises. Why? Lots of firms don’t have the right skills or tools in place while others need visibility to more host systems, applications, and network behavior. As I’ve said many times, this makes security a big data problem (I’m on a panel focused on this topic) and I’m interested in learning how the industry plans to address this. I’ll seek out HP, IBM, LogRhythm, McAfee, and RSA on this topic.</li>
<li>Security services. With security skills in short supply, the security service providers must be seeing lots of activity. Good discussion for Symantec, Unisys, and Verizon.</li>
<li>Mobile security. Yeah, I know about the malware and poorly written applications and I do see a lot of interest in this space. That said, ESG has yet to see a lot of demand for mobile security technologies. I expect a lot of buzz over mobile security, even if no one is making any money.</li>
<li>Cloud security. A complex topic, but all I anticipate seeing at RSA are simple and tactical solutions (unless I get an architectural overview from Amazon, Google, or Rackspace).</li>
<li>Data center network security. We’ve had firewalls, IDS/IPS, and gateway devices forever but network security is still a major area of investment for enterprises. Data center network security is particularly challenging these days as large organizations deal with massive data center scale, web-based applications, and server virtualization/cloud. Does anyone offer a highly-scalable physical/virtual data center network security architecture? Good question to bring up when I talk to Cisco, Check Point, and Juniper.</li>
<li>Enterprise security software architecture. In the client/server days, departmental applications were subsumed into enterprise ERP systems. This same type of integration/centralization has to happen with security technologies. Which vendors understand this and know how to build scalable software security architecture a la Oracle and SAP? My goal is to find out.</li>
</ol>
<p>Like all other similar events, RSA has its share of cocktail parties, tradeshow gimmicks, and give-aways. Entertainment is certainly a big part of the event, but RSA is really about cybersecurity – a very serious topic. Before imbibing their fourth Mai Tai at a Hawaiian-themed party at the W Hotel, I hope that RSA participants think about recent security breaches at New York State Electric &amp; Gas (800k customer records exposed), Zappos.com (24 million customer records exposed), and our security colleagues at Stratfor, and then consider the real objective of this event.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/02/02/anticipating-the-rsa-conference-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>F5 Shakes Up the Firewall Market</title>
		<link>http://www.insecureaboutsecurity.com/2012/02/01/f5-shakes-up-the-firewall-market/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/02/01/f5-shakes-up-the-firewall-market/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 14:25:16 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[ASA 5580]]></category>
		<category><![CDATA[Big-IP]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Crossbeam Systems]]></category>
		<category><![CDATA[F5 Networks]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[ISCA]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[next-generation firewall]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[SRX]]></category>
		<category><![CDATA[TMOS]]></category>
		<category><![CDATA[Viprion]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1501</guid>
		<description><![CDATA[The high-end of the firewall market has really been dominated by two companies: Crossbeam Systems (with Check Point Software) and Juniper Networks. Over the past few years, these two firms won most of the high revenue/high margin enterprise and service provider deals. Of course, others took notice and wanted their own piece of the pie. [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>The high-end of the firewall market has really been dominated by two companies: Crossbeam Systems (with Check Point Software) and Juniper Networks. Over the past few years, these two firms won most of the high revenue/high margin enterprise and service provider deals.</p>
<p>Of course, others took notice and wanted their own piece of the pie. Cisco came out with its ASA 5580 a few years back. Network security guru Sourcefire introduced a high-end hardware architecture and a firewall in 2011. Finally, Check Point jumped in with its own high-end hardware as well.</p>
<p>As if this space wasn’t crowded enough, F5 Networks threw its hat in the ring this week with the announcement that its Big-IP 11.1 software passed the ICSA Labs test for network firewalls.</p>
<p>This may seem like just another feature for Big-IP but it’s not. F5 has a unique position amongst its competitors because:</p>
<ol>
<li>F5 is already in the right accounts. Big-IP is a staple product at large enterprises, wired/wireless carriers, and cloud service providers. F5 should be able to leverage these relationships to get a CISO introduction.</li>
<li>Everyone knows that F5 can build a high-end network hardware box. Like Juniper, F5 built its reputation on building high performance boxes that can scale. This status may get F5 on the evaluation short list right away.</li>
<li>F5 offers a consolidation play for the network. F5 sits behind the firewall but in front of a boatload of critical web applications. With a few network architecture tweaks, you can configure a Big-IP to perform firewall and ADC functions from the same box. This could simplify network architecture and operations.</li>
<li>F5 brings a new recipe for network/application security integration. With all the industry talk about next-generation or application-aware firewalls, F5 goes a step further. Big-IP can be configured for security and customized with iRules to offer extremely strong network/application security integration.</li>
</ol>
<p>F5 has a lot of potential to alter the high-end firewall market but there is still work ahead. Remember that many people still perceive F5 as the load balancer company, so for F5 to succeed it must first demonstrate its network security chops. This means convincing its customers that it is committed to network security and that its product is as strong on security protection as it is on performance.</p>
<p>Finally, the introduction of a high-end firewall just made F5 an even more attractive acquisition target. With a current market cap of $9.5 billion, the list of potential suitors is small, but F5 would certainly add value to HP’s networking and security portfolio. IBM may be tempted to make a play since F5 makes sense from a security, data center, cloud computing, services, and WebSphere perspective. You could even make a case for Cisco to buy F5 but that’s the longest shot of all.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/02/01/f5-shakes-up-the-firewall-market/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity Lessons from the Battlefields of Europe</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/31/cybersecurity-lessons-from-the-battlefields-of-europe/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/31/cybersecurity-lessons-from-the-battlefields-of-europe/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 14:33:37 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[security analytics]]></category>
		<category><![CDATA[security intelligence]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1496</guid>
		<description><![CDATA[At the beginning of WWI, battlefield tactics had not advanced much since the U.S. Civil War. The general goal was to continually advance on the enemy with waves of infantry attacks and eventually break through the lines by overwhelming enemy defenses. It didn’t take long until both sides realized that things had changed. With the [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>At the beginning of WWI, battlefield tactics had not advanced much since the U.S. Civil War. The general goal was to continually advance on the enemy with waves of infantry attacks and eventually break through the lines by overwhelming enemy defenses.</p>
<p>It didn’t take long until both sides realized that things had changed. With the invention of the water-cooled machine gun and pill box fortification, human waves were not only ineffective, but also resulted in mass casualties. The sides adapted to this new reality with trench warfare, long-range munitions, and a battlefield stalemate for much of the war.</p>
<p>There are countless examples like this in the history of warfare where technology advancement forced tactical changes for both offense and defense. In theory, cybersecurity should behave in a similar way where new threats lead to new defenses and tactics. Unfortunately, however, things don’t always progress so quickly. Take Advanced Persistent Threats (APTs) for example. APTs have been in the mainstream since the Aurora attack was first exposed by Google in January 2010 but many organizations haven’t adapted defenses or tactics accordingly. Why? Several reasons:</p>
<ol>
<li>Executives don’t get it. CISOs who lobby executives for more money tend to be faced with a rather cynical question: Why do you need to invest in new security technologies when we’ve already invested millions? This is like a WWI general asking why the troops needed shovels to dig trenches when they were already trained to charge the enemy.</li>
<li>Security staff wants a canned solution. In the past, each new type of threat (i.e., SPAM, spyware, DOS attacks, etc.) was addressed with a discrete threat management solution, but this no longer works. APTs exploit the gaps between security defenses with 0-day vulnerabilities, credential harvesting, DDNS, and homegrown encryption algorithms and transport protocols. Rather than a one-size-fits-all APT solution, enterprises need defenses for each stage of an attack.</li>
<li>If you can’t see the enemy, you can’t defeat the enemy. I’m sure Sun Tzu said something along these lines and it is certainly true in cybersecurity. The situational awareness tools in use today typically capture and analyze a fraction of the data needed. Many of these platforms also need custom coding and must be managed by highly-skilled security analysts. As a result, security intelligence remains an exclusive and elitist club.</li>
</ol>
<p>In WWI, the military adapted quickly for two main reasons. First, they faced a life or death situation so there was a real sense of urgency. Second, armies are hierarchical organizations so when generals mandate changes in training and tactics, everyone else falls into line.</p>
<p>Like WWI weapons advances, we’ve reached a new era where our enemies are embracing new technologies and offensive tactics. We need to respond with appropriate changes in defenses, skills, and situational awareness.</p>
<p>Like it or not, we are engaged in a cybersecurity arms race, and our adversaries show no sign of fatigue. If your organization isn’t willing to recognize this, understand the enemy, and adapt accordingly, you may as well disconnect from the Internet before an inevitable attack.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/31/cybersecurity-lessons-from-the-battlefields-of-europe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My Thoughts On IBM, NEC, and OpenFlow</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/25/my-thoughts-on-ibm-nec-and-openflow/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/25/my-thoughts-on-ibm-nec-and-openflow/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 19:59:24 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[3Com]]></category>
		<category><![CDATA[Brocade]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[iOS]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[NEC]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[OpenFlow]]></category>
		<category><![CDATA[Red Hat]]></category>
		<category><![CDATA[SDN]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1491</guid>
		<description><![CDATA[IBM and NEC announced this week that the two companies will work together to offer networking solutions based upon SDN and OpenFlow. IBM provides the switches which are integrated with the NEC Programmable Flow Controller. To me, this is bigger than just a press release and some joint marketing programs. Here’s why: IBM and NEC [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>IBM and NEC announced this week that the two companies will work together to offer networking solutions based upon SDN and OpenFlow. IBM provides the switches which are integrated with the NEC Programmable Flow Controller.</p>
<p>To me, this is bigger than just a press release and some joint marketing programs. Here’s why:</p>
<ol>
<li>IBM and NEC are moving OpenFlow beyond academic labs and cloud computing theory, taking their joint solution to enterprise data centers. Yes, enterprises need to be educated on SDN and its benefits, but the use case for OpenFlow is certainly there since legacy networks can’t keep up with growing data scale or virtual server mobility.</li>
<li>While the headline may be OpenFlow, it’s really all about software. Mainframes became virtual computing platforms in the 1970s and Intel servers did the same with server virtualization technology from Citrix, Microsoft, Red Hat, and VMware. The next step is cloud computing which is intended to virtualize the whole IT infrastructure enchilada but static proprietary networks just don’t play well in this arena.</li>
<li>You have to give NEC credit for recognizing the software-centric opportunity around OpenFlow and bringing a quality controller to market. NEC could become the standard glue of a heterogeneous OpenFlow network over time.</li>
<li>When HP purchased 3Com, a lot of people had IBM reacting with an acquisition of Brocade or Juniper. With SDN/OpenFlow, IBM can create a data center fabric out of access switches. Between OpenFlow and existing partnerships, I can’t see IBM making a big networking acquisition anytime soon.</li>
<li>For those of us who’ve been around the industry for a while, it is certainly ironic to see IBM taking a leadership position in networking. I know I’m showing my age, but it doesn’t seem like that long ago that IBM was pushing Token Ring and SNA.</li>
<li>Personally, I don’t see SDN and OpenFlow as a threat to Cisco. In fact, Cisco could build OpenFlow software with IOS/Nexus intelligence and integration as sort of a dual path strategy. If I&#8217;ve learned anything about the network industry it is this: Never (and I mean never) count Cisco out when it comes to networking.</li>
</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/25/my-thoughts-on-ibm-nec-and-openflow/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Budgets Will Increase in 2012</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/24/information-security-budgets-will-increase-in-2012/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/24/information-security-budgets-will-increase-in-2012/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 16:03:11 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Damballa]]></category>
		<category><![CDATA[FireEye]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[ISC2]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[RSA Security Trend Micro]]></category>
		<category><![CDATA[SANS institute]]></category>
		<category><![CDATA[security skills]]></category>
		<category><![CDATA[security spending]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Unisys]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1487</guid>
		<description><![CDATA[As part of our annual IT Spending Intentions survey, ESG asks IT professionals about overall spending trends for the coming year. Our 2012 IT Spending Intentions survey is set to be published soon, and I got a peek at the data recently. Like other analyst firms, ESG found that IT budgets will increase in 2012, [...]]]></description>
			<content:encoded><![CDATA[<p>As part of our annual IT Spending Intentions survey, ESG asks IT professionals about overall spending trends for the coming year. Our 2012 IT Spending Intentions survey is set to be published soon, and I got a peek at the data recently. Like other analyst firms, ESG found that IT budgets will increase in 2012, albeit at a modest rate.</p>
<p>When it comes to information security budgets, however, growth should be more robust. More than half (61%) of midmarket (i.e., less than 1,000 employees) and enterprise (i.e., more than 1,000 employees) organizations will increase security spending in 2012, and of these, 18% will bolster security spending by 8% or more. These results are similar to the data collected in the ESG Research about <a href="http://www.enterprisestrategygroup.com/2011/11/apt/" target="_blank">Advanced Persistent Threats</a>.</p>
<p>ESG also discovered that information security initiatives were identified by respondents as one of the top 5 IT priorities for 2012.</p>
<p>Where will this money be spent?</p>
<ol>
<li>Headcount. ESG found that 35% of organizations plan to hire additional security staff – if they can find skilled professionals available (see my <a href="http://www.insecureaboutsecurity.com/2012/01/19/information-security-skills-shortage-continues/" target="_blank">last blog</a>).</li>
<li>Network security. Just over half (52%) of organizations will make additional investments in network security technologies (i.e., firewalls, IDS/IPS, gateway devices, etc.). Why? Because they need additional scale, integration, and security services at the network level. Good news for Cisco, Check Point, Juniper, McAfee, Palo Alto Networks, and Sourcefire. Other high priorities identified were mobile security, endpoint security, and SIEM.</li>
<li>Advanced malware protection. With the rise of APTs, hacktivism, and other types of sophisticated attacks, organizations have no choice but to adopt a “belts and suspenders” model for anti-malware. This will benefit startups like Countertack, Damballa, and FireEye, as well as established leaders like RSA, Sourcefire, and Trend Micro.</li>
<li>Security services. Given the threat landscape, shortage of skilled security professionals, and increasingly complex IT environment, many organizations will decide to punt and outsource security tasks to professional services and SaaS providers. It’s likely that HP, IBM, Unisys, and Symantec will gain share here.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/24/information-security-budgets-will-increase-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Skills Shortage Continues</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/19/information-security-skills-shortage-continues/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/19/information-security-skills-shortage-continues/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 19:29:28 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Federal Government]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[ISC2]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[SANS institute]]></category>
		<category><![CDATA[security services]]></category>
		<category><![CDATA[security skills]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1481</guid>
		<description><![CDATA[Like other analyst firms, ESG conducts research on IT Spending Intentions annually. The latest 2012 report will be published soon, but in the meantime, I&#8217;ve taken a look at the data that will be included. One of the things we track is IT hiring plans in all areas including IT security. In 2011: 35% of [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>Like other analyst firms, ESG conducts research on IT Spending Intentions annually. The latest 2012 report will be published soon, but in the meantime, I&#8217;ve taken a look at the data that will be included. One of the things we track is IT hiring plans in all areas including IT security.</p>
<p>In 2011:</p>
<ul>
<li>35% of all midmarket and enterprise organizations planned on hiring security staff</li>
<li>22% believed they had a “problematic shortage” of security skills at their organizations</li>
</ul>
<p>The situation has not improved at all over the past year. In 2012:</p>
<ul>
<li>39% of midmarket and enterprise organizations plan on hiring security staff</li>
<li>23% believe they have a “problematic shortage” of security skills in their organization</li>
</ul>
<p>I dug into the 23% who believe they have a “problematic shortage” of security skills. Interestingly, large enterprises that tend to pay the most for IT skills in general are most likely to have these security skills deficits. For example:</p>
<ul>
<li>18% of midmarket organizations (i.e., less than 1,000 employees) say they have a problematic shortage of information security skills as compared to 26% of enterprise organizations (i.e., more than 1,000 employees).</li>
</ul>
<p>I also looked at the data by the size of overall IT budget. In this analysis:</p>
<ul>
<li>16% of organizations with IT budgets of less than $5 million say they have a problematic shortage of information security skills</li>
<li>21% of organizations with IT budgets of more than $5 million/less than $50 million say they have a problematic shortage of information security skills</li>
<li>36% of organizations with IT budgets of more than $50 million say they have a problematic shortage of information security skills</li>
</ul>
<p>ESG is not the only organization to recognize the security skills shortage. The Center for Strategic and International Studies (CSIS) published similar research about the security skills gap in the Federal sector. As I recall, CSIS said that the Feds have about 1,000 highly skilled cybersecurity professionals proficient in security analysis, forensics, and incident response. Unfortunately, they have an immediate need for at least 10,000.</p>
<p>This skills gap impacts us as a society – all of our online data is at risk. We need more cybersecurity training, programs, and funding as soon as possible. The longer we wait, the greater the risk.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/19/information-security-skills-shortage-continues/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Center Networking Discontinuity Impacts Network Security</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/18/data-center-networking-discontinuity-impacts-network-security/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/18/data-center-networking-discontinuity-impacts-network-security/#comments</comments>
		<pubDate>Wed, 18 Jan 2012 16:12:03 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Check Point]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Crossbeam Systems]]></category>
		<category><![CDATA[data center consolidation]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Hyper-V]]></category>
		<category><![CDATA[Juniper]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[server virtualization]]></category>
		<category><![CDATA[Sourcefire]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[Xen]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1476</guid>
		<description><![CDATA[Data center consolidation and server virtualization are creating data centers of massive scale, and thus radically changing the data center environment. Unfortunately, legacy data center networking equipment was not designed for this type of scale and dynamic use case. ESG calls this state data center networking discontinuity. Data center networking discontinuity is most commonly associated [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>Data center consolidation and server virtualization are creating data centers of massive scale, and thus radically changing the data center environment. Unfortunately, legacy data center networking equipment was not designed for this type of scale and dynamic use case. ESG calls this state data center networking discontinuity.</p>
<p>Data center networking discontinuity is most commonly associated with access, aggregation, and core switches in the data center but it actually extends beyond Layer 2 switching alone. Legacy network security policies, procedures, and technical controls are also a mismatch for burgeoning data center scale requirements. In a recent ESG Research survey, 280 networking professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to define their biggest challenges with regard to data center networking. Just over half (51%) identified network security as their top challenge, followed by network performance (44%), and network management (37%).</p>
<p>Network security contributes to data center networking discontinuity because:</p>
<ol>
<li>Traditional security zones don’t play well with virtual servers. Old school security zones were based on physical and logical separation: groups of physical servers sat behind their own security services and network segments, so a server’s zone was defined by where it was plugged in. Mobile virtual servers make security zoning much more challenging because security policies and enforcement have to follow virtual servers as they migrate around the data center.</li>
<li>Security adds network latency and architectural complexity. When application traffic between virtual servers has to be hairpinned out through an L3 firewall and back, it adds latency and consumes network capacity. And when disparate traffic has to be routed to the nearest physical firewall device, the network architecture becomes more complex and harder to manage.</li>
<li>Data center scale requires a new mix of physical and virtual security controls. Big firewalls from Check Point, Cisco, Crossbeam Systems, Juniper and Sourcefire may have the right performance characteristics for data center scale, but does anyone really want to route all traffic through a single firewall? Clustering can address “single point of failure” concerns, but server virtualization and cloud computing workloads are far too fluid to depend upon fixed physical security devices. What’s needed is a mix of physical and virtual security services with centralized command-and-control and distributed enforcement, but this model is relatively new and many large organizations are still in learning mode.</li>
</ol>
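<p>The first and third points above can be made concrete with a small model. The following is an added example, not code from the original post or from any vendor named in it; the hosts, subnets, VM names, tags and rules are all constructed. It compares a legacy zone policy, where a VM’s zone is whatever subnet its current host sits in, against a policy keyed on workload tags that a central controller pushes to a per-host enforcement point. The same three flows are evaluated before and after one VM migrates into another subnet.</p>

```python
"""Added example (constructed, not from the original post): placement-keyed
security zones vs. tag-keyed policy with central control and local enforcement.
All hosts, subnets, VM names, tags and rules are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    subnet: str
    legacy_zone: str                    # zone the physical firewall assigns to this subnet
    policy: set = field(default_factory=set)   # local copy of the central policy


@dataclass
class VM:
    name: str
    tags: frozenset                     # security tags that travel with the workload
    host: Host


# Legacy L3 firewall rules between zones: (src_zone, dst_zone, dst_port).
# Traffic that never crosses a zone boundary is not seen by the firewall at all.
LEGACY_RULES = {("web", "app", 8443), ("app", "db", 5432)}

# Central policy keyed on workload identity: (src_tag, dst_tag, dst_port).
CENTRAL_POLICY = {("role:web", "role:app", 8443), ("role:app", "role:db", 5432)}


def legacy_verdict(src: VM, dst: VM, port: int) -> bool:
    """Zone is derived from where each VM currently runs."""
    sz, dz = src.host.legacy_zone, dst.host.legacy_zone
    if sz == dz:
        return True                     # intra-zone traffic bypasses the perimeter firewall
    return (sz, dz, port) in LEGACY_RULES


def push_policy(policy: set, hosts) -> None:
    """Central command-and-control: distribute one policy to every enforcement point."""
    for h in hosts:
        h.policy = set(policy)


def tag_verdict(src: VM, dst: VM, port: int) -> bool:
    """Distributed enforcement on the destination host using the VMs' tags; default deny."""
    policy = dst.host.policy
    return any((s, d, port) in policy for s in src.tags for d in dst.tags)


def migrate(vm: VM, new_host: Host) -> None:
    vm.host = new_host                  # tags move with the VM; the legacy zone does not


def migration_impact() -> dict:
    """Evaluate three flows before and after app-1 migrates onto a host in the db subnet."""
    h_web = Host("esx-01", "10.1.0.0/24", "web")
    h_app = Host("esx-02", "10.2.0.0/24", "app")
    h_db = Host("esx-03", "10.3.0.0/24", "db")
    push_policy(CENTRAL_POLICY, (h_web, h_app, h_db))
    web = VM("web-1", frozenset({"role:web"}), h_web)
    app = VM("app-1", frozenset({"role:app"}), h_app)
    db = VM("db-1", frozenset({"role:db"}), h_db)
    flows = {
        "web->app:8443": (web, app, 8443),   # legitimate tier-to-tier traffic
        "app->db:5432": (app, db, 5432),     # legitimate tier-to-tier traffic
        "db->app:22": (db, app, 22),         # should never be allowed
    }

    def snapshot() -> dict:
        return {name: {"legacy": legacy_verdict(s, d, p), "tags": tag_verdict(s, d, p)}
                for name, (s, d, p) in flows.items()}

    before = snapshot()
    migrate(app, h_db)                  # e.g. a live migration lands app-1 in the db subnet
    after = snapshot()
    return {"before": before, "after": after}


if __name__ == "__main__":
    import json
    print(json.dumps(migration_impact(), indent=2))
```

<p>After the migration the legacy model fails in both directions at once: web-1 can no longer reach app-1 on 8443 because the flow now looks like web-to-db, while db-1 can reach app-1 on port 22 because the two VMs share a zone and the firewall never sees the traffic. The tag-keyed policy returns the same verdicts as before, because the enforcement point evaluates the workload’s identity rather than its address.</p>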
<p>Like core networking vendors, security vendors appreciate the ramifications of data center networking discontinuity and are introducing new products to bridge the gaps. While this transition is in progress, security professionals need time to improve their skill sets, get comfortable with the new data center model, and gain confidence that emerging virtual security services are robust enough for corporate governance, regulatory compliance, and information security requirements.</p>
<p>We are in a period of rapid technology cycles from endpoint devices to cloud computing. No one debates the promise of these technology developments but issues like data center networking discontinuity scare the heck out of the security team. To allay these fears, networking and security vendors need to spend more time on customer education and proof-of-concept projects, and less time on marketing rhetoric. Otherwise, security concerns may continue to slow down the cloud computing train.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/18/data-center-networking-discontinuity-impacts-network-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Center Networking Discontinuity</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/11/data-center-networking-discontinuity/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/11/data-center-networking-discontinuity/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 21:08:03 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Arista Networks]]></category>
		<category><![CDATA[BigSwitch]]></category>
		<category><![CDATA[Brocade]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[data center consolidation]]></category>
		<category><![CDATA[data center networking]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Juniper Networks]]></category>
		<category><![CDATA[KVM]]></category>
		<category><![CDATA[NEC]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[OpenFlow]]></category>
		<category><![CDATA[performance management]]></category>
		<category><![CDATA[SDN]]></category>
		<category><![CDATA[server virtualization]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[Xen]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1469</guid>
		<description><![CDATA[Why did dinosaurs become extinct? I’m no paleontologist but allow me to provide an over-simplified explanation: When the environment went through radical alterations, dinosaurs couldn’t adequately adapt to these changes. In a binary, “adapt or die” world, the dinosaurs died. A similar binary situation is developing with data center networks. On the one hand, the [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>Why did dinosaurs become extinct? I’m no paleontologist but allow me to provide an over-simplified explanation: When the environment went through radical alterations, dinosaurs couldn’t adequately adapt to these changes. In a binary, “adapt or die” world, the dinosaurs died.</p>
<p>A similar binary situation is developing with data center networks. On the one hand, the environment is going through some radical changes. According to ESG Research:</p>
<ul>
<li>63% of enterprise organizations are consolidating or have already consolidated data centers. On average, these firms will eliminate 25% to 50% of their data centers. Nearly half of organizations will consolidate data centers belonging to independent business units into multi-tenant facilities.</li>
<li>About 40% of organizations are extending applications or moving virtual servers across geographically dispersed data centers. In other words, web applications and server virtualization are creating a virtual data center platform across multiple physical facilities.</li>
<li>Almost all enterprises are using server virtualization today with aggressive future plans for more VM workloads, more VMs per physical server, etc.</li>
<li>Large organizations anticipate steady growth in the number of physical/virtual devices per data center, the number of VLANs per data center, and the number of IP subnets per data center.</li>
</ul>
<p>Clearly the data center environment is changing, which raises the question: Are data center networks adapting? Yes, but the ESG data indicates that the slow pace of change is causing some major problems. When asked to identify network operations challenges, large organizations pointed to things like too many manual processes, time-consuming network provisioning and configuration, and organizational problems between the networking team and other functional IT groups. Network security is a mess and network performance is a constantly moving target. Yikes!</p>
<p>The data center networking dinosaur is adapting, but we are rapidly approaching a breaking point. Yes, the networking industry is working diligently to bridge this gap, but the ESG data points to an inevitable inflection point coming sooner than you think.</p>
<p>I will continue to blog about the ESG data center networking research as the report will be published quite soon. A few parting thoughts here:</p>
<ol>
<li>Expect changes in every aspect of the data center network: NIC cards, cabling, virtual switches, data center fabrics, etc. Networking vendors must realize that this is a lot of simultaneous change, and even the most sophisticated IT shops will have difficulty understanding it.</li>
<li>If anyone was still unclear about why <a href="http://www.cisco.com/" target="_blank">Cisco</a> went into the server business, my first point should solve this riddle. The ESG data also indicates that Cisco is succeeding but more on this later.</li>
<li>While the jury is still out on OpenFlow, there is no question that the future of provisioning, management, and control planes will be software-based. The network must become a virtual platform a la <a href="http://www.vmware.com/" target="_blank">VMware</a>, Xen, KVM, etc. It is likely that SDN, OpenFlow, and vendor support from companies like <a href="http://www.bigswitch.com/" target="_blank">BigSwitch</a>, <a href="http://www.brocade.com/index.page" target="_blank">Brocade</a>, <a href="http://www.hp.com/" target="_blank">HP</a>, <a href="http://www.ibm.com/us/en/" target="_blank">IBM</a>, <a href="http://www.juniper.net/us/en/" target="_blank">Juniper</a>, and <a href="http://www.nec.com/" target="_blank">NEC</a> will get a lot of attention in 2012.</li>
<li>If you believe #3, <a href="http://www.aristanetworks.com/" target="_blank">Arista</a>’s strategy looks increasingly intelligent.</li>
<li>While pure-play cloud computing initiatives are still rare, many enterprise organizations are extending applications, moving workloads, and using global load balancing across multiple data centers. Seems like the on-ramp to cloud computing to me.  Once again, the network must adapt to location-independence &#8212; or die.</li>
</ol>
<p>More soon.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/11/data-center-networking-discontinuity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ESG Video Highlights APT Research</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/05/esg-video-highlights-apt-research/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/05/esg-video-highlights-apt-research/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 16:48:58 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[ESG]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1464</guid>
<description><![CDATA[I&#8217;ve written many blogs about the recently-published ESG Research Report, U.S. Advanced Persistent Threat Analysis, but there is a lot of data I haven&#8217;t detailed. Since I can talk faster than I can type, ESG just posted this video that highlights the report data and some of its most important implications. Let me know [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ve written many blogs about the recently-published ESG Research Report, <em><a href="http://www.enterprisestrategygroup.com/2011/11/apt/" target="_blank">U.S. Advanced Persistent Threat Analysis</a></em>, but there is a lot of data I haven&#8217;t detailed. Since I can talk faster than I can type, ESG just posted this video that highlights the report data and some of its most important implications.</p>
<p>[Embedded Brightcove video player, video ID 1340464313001]</p>
<p>Let me know what you think.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/05/esg-video-highlights-apt-research/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2012 Should Be The Year Of Security Incident Response</title>
		<link>http://www.insecureaboutsecurity.com/2012/01/03/2012-needs-to-be-the-year-of-incident-response/</link>
		<comments>http://www.insecureaboutsecurity.com/2012/01/03/2012-needs-to-be-the-year-of-incident-response/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 18:22:47 +0000</pubDate>
		<dc:creator>Jon Oltsik</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Advanced Persistent Threat]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[log management]]></category>
		<category><![CDATA[security forensics]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://www.insecureaboutsecurity.com/?p=1457</guid>
		<description><![CDATA[According to ESG Research, 20% of large organizations are certain that they’ve been the target of an APT attack while another 39% say that it is likely they have been targeted. Can organizations detect and react to sophisticated attacks like APTs? Unfortunately, the answer is likely “no” in both cases. ESG asked 244 security professionals [...]]]></description>
			<content:encoded><![CDATA[<div id="blogs_entry_content">
<p>According to <a href="http://www.enterprisestrategygroup.com/2011/11/apt/" target="_blank">ESG Research</a>, 20% of large organizations are certain that they’ve been the target of an APT attack while another 39% say that it is likely they have been targeted. Can organizations detect and react to sophisticated attacks like APTs?</p>
<p>Unfortunately, the answer is likely “no” in both cases. ESG asked 244 security professionals working at enterprise (i.e., more than 1,000 employees) organizations to define their biggest incident response challenges. The list indicates both IT and organizational weaknesses. On the technical side:</p>
<ul>
<li>32% were challenged by a lack of security forensic skills</li>
<li>29% were challenged by an overall lack of technical skills within their incident response team</li>
<li>26% were challenged by their incident response team’s ability to gather relevant information</li>
</ul>
<p>As for the organization:</p>
<ul>
<li>26% were challenged by a lack of executive management buy-in to incident response policies and procedures</li>
<li>25% were challenged by a lack of integration between the incident response and legal team</li>
<li>23% were challenged by the lack of a formal external communication plan</li>
<li>23% were challenged by the lack of a formal internal communication plan</li>
</ul>
<p>The data speaks for itself, but as an analyst I have to add my two cents. Large organizations don’t have the right skills or tools to know if they are under attack. Furthermore, when they do discover a security breach, IT and business managers run around like proverbial chickens with their heads cut off, not knowing what to do next.</p>
<p>These incident response shortcomings and delays could equate to a whole lot of incremental costs in terms of data breaches, compliance violations, stock valuation, lost business, litigation, and so on.</p>
<p>Clearly there is a lot of work to be done on all fronts. Security professionals need better skills and tools but at least this is fairly well understood. It may be more difficult to convince CEOs and other executives that they need a formal, documented, and tested plan for unavoidable security breaches.</p>
<p>Progressive CEOs will free up funds and increase security budgets in 2012. Leading CEOs will take their organizations to the next level by preparing their organizations to respond to security breaches in an appropriate and timely manner. Unresponsive CEOs may lose their jobs when the public learns that they chose to ignore rather than address cybersecurity risks.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.insecureaboutsecurity.com/2012/01/03/2012-needs-to-be-the-year-of-incident-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

