Archive for April 24th, 2007

The Manufacturer Cage Match – or is there any "best" product?

April 24th, 2007 Michael Farnum

Let’s talk about manufacturers for a bit.  This may seem a bit jaded, but manufacturers are often viewed the same way as politicians.  They make promises that their technology can do such-and-such, but in the end, they really don’t do much different than the next technology that is trying to do the same thing.  It would be different if that manufacturer’s technology was the only one that could do what they do, and those pop up every now and again.  But in reality, when you look at these companies, you really find that there are at least three or four other companies that do the same thing.

Not to pick on Alan, but let’s talk about NAC.  There are so many companies jumping on the NAC bandwagon, it is almost impossible to tell which one fits your environment the best.  And since so many of these companies are doing the same thing the same way, the differentiation is often not worth the time to find.  Those vendors are going to do everything they can to make you see what makes them different and better than the other guy, but it really comes down to your environment.

When you look at it from the perspective of your environment, there is no “best” NAC vendor, or firewall vendor, or IPS vendor, or whatever.  Yes, you can grade them.  You can come up with an IPS that has fewer false positives and has gigabit capability.  But if that IPS doesn’t fit in your network for some reason, then it is not the best.  Maybe another IPS with lower scores in the trade rag fits your network because of some quirk in your environment.  That makes it better than the other IPS, plain and simple, because the IPS with the higher grade did not possess some feature that your environment called for.

And I mean no offense to my other manufacturer friends out there, but all of this often makes me wonder just how honest vendors really are.  Do they really think their technology is the best?  Do they think they fit in any environment?  It seems like it because they try to sell it to everyone.  Don’t get me wrong.  I understand trying to make money.  But how can they push their product where it really doesn’t belong just to make a buck?  It can’t possibly be the best fit for everyone.  Cisco tries, and they often succeed at getting everywhere, but that doesn’t mean they actually fit in all cases (probably not in most).

From a personal perspective, I have experience interviewing for jobs with vendors.  In one interview, one of the questions they asked me was what would I do if I went to a customer where I thought we weren’t the right fit.  I told them point blank that I would tell the customer that we didn’t fit.  I thought their jaws were going to hit the floor.  I knew when I said it that it was not the “right” answer, but it was the honest answer.  And no, I didn’t get the job.  Whether it was because of that answer or not, I really don’t know.

Anyway, I don’t think EVERY manufacturer is made up of a bunch of crooks, but I often see them sell their product where it doesn’t fit and then move on to the next sell without looking back.  This is why so many people have the jaded view that I have.  Of course, being a realist, is there any success in being totally honest in selling situations where you don’t fit?  Are they simply going with the model that works?  I guess that may be the case.  But I think it would just make me feel dirty.

Vet

Categories: Security

Product pimping – NitroView Enterprise Security Manager

April 24th, 2007 Michael Farnum

Since I started working at Accuvant, I have been leery of blogging about products that we sell.  Since we are not a manufacturer, I don’t feel like I have to worry as much about becoming a corporate whore, but I want to make sure I stay somewhat above the fray so I don’t look like I am an Accuvant mouthpiece.

All that being said, if I like a product a lot, I will pimp it here.  And I have come across just such a product.  I am speaking of Nitrosecurity’s NitroView product.  This is a network+security information management product that really kicks some major buttocks.  This thing is ridiculously fast.  You really need to see a demo to appreciate the speed, but I have never seen something do lookups for reporting as fast as it does.  And it maintains this speed while simultaneously not degrading its performance on capturing events.  It is based off their Nitroedb database, which was originally designed for the government, and it is very, very fast.

And speaking of the reporting, a known fact is that many SIEM products either do a good job at capturing and storing events, or they do a great job of reporting (I wrote about that dynamic at my CW blog).  However, NitroView does a great job with both.  The reporting engine is nothing short of miraculous.  The drill-down capability is wonderful, and the ease of use is beyond compare (they use Flash for the reporting front-end – very smart).

One thing the product lacked a couple of months ago was the ability to pull in many feeds from different devices.  However, they have done a superior job in getting that done.  They have taken an 80 / 20 view, making sure they capture the top 80 of the players, and that seems to be serving them well.

I have seen this product demo’d several times.  The customers are always just astounded at what this thing can do.  It is almost a guaranteed move to an evaluation when they see the demo.  Speaking of that, I am about to participate in a couple of evaluation installs here in Houston.  I can’t wait to get my hands on this thing.

Nitrosecurity also sells an IPS that I don’t have much experience on, so I can’t talk to it.  But I expect to be getting familiar with it very soon since we are also planning on putting it in at a customer fairly soon.  I do know that their NitroView product can couple their IPS data with Netflow data to give some great event correlation.

It is worth a look.  Let me know what you think.

Vet

Categories: Security