I arrived in Austin Sunday night to get ready for a factory tour on Monday, a kickoff dinner and then two days of briefings from Dell executives, including Michael Dell himself! Dell’s ISG business is growing at a very fast pace and continues to build momentum and focus within the broader organization.

We had a nice overview of the product roadmap, including some of the exciting enhancements Dell is making to their storage products such as the MD3000 and the new EqualLogic PS5000 series iSCSI solutions.

I really enjoyed the Council meeting and it reminds me all over again; what I admire about Dell is the way they and Michael Dell himself stay close to the customer. The entire purpose of this event is to “get it right” and determine meaningful ways to embrace change (including change in the manufacturing process) in order to make their customers more successful. Ah shucks, you may say that all companies behave this way… well I must tell you that is not true and at times, I find it difficult as we continue to grow to stay as close as I would like to all of our customers varying needs and directions.

This concept of gathering, internalizing and embracing customer feedback is a simple principle of Business Success stories. Always trying to improve the pace of change and build meaningful sticky relationships with customers. Dell’s very successful Ideastorm site where customers post product feedback and are active participants in the Dell community is a great example of how to do this right. No other hardware vendor that we have worked with or attempted to work with has ever gone to the extent of embracing change that Dell has during our 5-year relationship.

From the custom factory integration services to the attention to detail in the order and manufacturing, and logistics processes, Dell helps us execute for our customers and I must admit that we could not have built the business as quickly or efficiently without Dell!

So thank you Michael Dell for building a business that embraces change and is focused on helping your ISG customers succeed.

1. Orbitz by Streambase (Real-time monitoring)
2. Netbank by Coral8  (Algo trading)
3. LiquidNet by Coral8 (Market monitoring and analysis)

Progress Apama had a few algo trading references, but they (wisely in my opinion) are not (seeming) calling algo trading platforms sales, CEP, in 2008.   This is good (and more accurate) and I applaud Apama for building a great event stream processing platform and not overhyping the phrase “complex event processing” every opportunity they get.    Maybe we should create another award category?    

You will not find any “secret council of elders” here, nor will you find any subjective opinions about the market from people we send out email asking for their opinions - only the facts in an open transparent way.  Here is the Google worksheet, if interested.

Please contact me or comment here if we missed anything and we will take a look and we will add your suggestion if it meets the criteria.

Revisions:

1. Added LiquidNet/Coral8 suggested by Marc Adler (see comments)

Now that we are beyond the halfway point in 2008 we are going start the process all over again.   So please feel free to comment  as I start compiling the list again, using the same criteria as last year (However, I reserve the right to slightly modify the criteria if necessary).  Basically, the criteria looks like this:

- Must be a (CEP/EP) software vendor.

- Must be an end user / customer.

- Must NOT be a partnership or OEM announcement.

- Must mention complex event processing (CEP) or event processing (EP) in the public statement.

- Must be available on the Internet and in English.

In a nutshell, just as we did last year, we will compile all the CEP/EP public reference clients that mention CEP, the software and the customer.   Your are encouraged to post links to your 2008 reference clients in the comment section  here.   Please include the URL, Date, Source, Software Vendor, Customer Application (Use Case), as in the 2007 worksheet.

AEP had been a victim of the NAC fallout.  They made a bad bet on an OEM partner to provide them with NAC technology.  When that NAC vendor went belly up, so did AEPs NAC product as a result.  Now Tim Greene reports that AEP has come out with a new device that while not strictly a NAC product, does more identity access control and does not seem to do any admission control.

AEP which makes a SSL VPN type of appliance has a new appliance that delivers an agent to an endpoint and authenticates the user.  It than according to the article inserts an identifier in the payload of every packet that shows where and who that packet is from which then allows it to either pass or not pass through, only to its allowed base.  I don’t know that seems a bit of a chokepoint/bottleneck to me, but I don’t know enough about it, only what I read in the article.

The appliance is not cheap with a price tag of over 50k for just 99 users.  It seems like an awful lot of money for what it does.  An important lesson I think on picking the right OEM partner.  Pick the wrong one and your product goes down as collateral damage to the OEM partners demise.

I am not sure what it is with Richard Stiennon.  Maybe his mom beat him with a NAC stick when he was young.  Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC.  In any event Richard never seems to miss a chance to take a pot shot at NAC.  I have fired back and debated him many times on this.  In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow.  Richard still thinks of NAC as Cisco???s network admission control, circa Dec ???03.  He has not gotten up to speed on anything happening with NAC since.  Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard???s latest NAC knock comes on a comment to an excellent article by the Hoff.  Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can???t take the analyst out of the man), takes exception to Hoff???s ???whining??? (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong.  Great Richard you try to prove them wrong, when because of what they report you don???t have a market, can???t get any capital and have no visibility.  I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

???Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.???

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth.  Richard the fact is that the edu market is not the only viable market for NAC.  In fact, one of the biggest customers of NAC is the DoD.  That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can???t handle the truth!  You sleep securely under the blanket of protection that NAC provides.  If it is good enough to help ???clean the sand??? out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don???t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard.  Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions?  Why has Microsoft put such a big push on NAP?  Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that).  Richard we are still signing new major OEM partners.  I am afraid you are the one sadly out of touch on this one Richard.  Just as you are out of touch in missing Hoff???s point in his article.

As to Hoff???s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to ???learn??? from them while at the same time trying to educate them.  I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts.  Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc.  A vendor giving an analyst a real live???pet??? customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

I am not sure what it is with Richard Stiennon.  Maybe his mom beat him with a NAC stick when he was young.  Hence his Jack Nicholson looks (more like the Joker in Batman, than Col Jessep in A Few Good Men) and his total disdain for NAC.  In any event Richard never seems to miss a chance to take a pot shot at NAC.  I have fired back and debated him many times on this.  In fact I am convinced that Richard's problem with NAC is that like Uncle Joe, he is just moving a little slow.  Richard still thinks of NAC as Cisco’s network admission control, circa Dec ‘03.  He has not gotten up to speed on anything happening with NAC since.  Richard is going to debate NAC with Joel Snyder according to this article by Tim Greene today. My prediction is Snyder by a knockout in 3 rounds or less.

Richard’s latest NAC knock comes on a comment to an excellent article by the Hoff.  Chris takes a bold stand for someone working for a vendor and calls BS on the whole analyst thing (I will write more about that later in this article). Richard being an ex-analyst himself (lets face it, with Richard you can take the man out of the analyst job, but you can’t take the analyst out of the man), takes exception to Hoff’s “whining” (Richards words, not mine) and tries to tell Hoff that giving up is not the answer and the way to show up analysts, is to prove them wrong.  Great Richard you try to prove them wrong, when because of what they report you don’t have a market, can’t get any capital and have no visibility.  I guess that is when it is time to move on to the next gig, right? Then Richard has a bad NAC deja vu and feels it necessary to write this:

“Look how easy it is to one up the analyst firms, who as near as I can tell support Network Admission Control universally. Everyone except the folks at Updata Ventures know how seriously flawed NAC is with only one viable market, edu.”

I assume Richard is referring to Updata recently leading the Bradford Networks VC round. But more importantly Richard it is time to call a code red on you and give you the cold hard truth.  Richard the fact is that the edu market is not the only viable market for NAC.  In fact, one of the biggest customers of NAC is the DoD.  That is right Richard at least 3 of the 4 armed forces use NAC in helping to secure their networks. To paraphrase my friend Col Jessep - Richard, you want the truth, you can’t handle the truth!  You sleep securely under the blanket of protection that NAC provides.  If it is good enough to help “clean the sand” out of laptops coming home from SWA (that is SouthWest Asia, like in Iraq and Afghanistan, in case you don’t know Richard), it should be good enough for you. Think about that next time you are about to bad mouth NAC.

Let me give you some other truths you may not like Richard.  Why do you think every switch vendor (of which we partner with many of them) is lining up and bringing out NAC solutions?  Why has Microsoft put such a big push on NAP?  Why despite the Luddites like you does NAC still draw crowds at conferences like Interop (ask Joel about that).  Richard we are still signing new major OEM partners.  I am afraid you are the one sadly out of touch on this one Richard.  Just as you are out of touch in missing Hoff’s point in his article.

As to Hoff’s article, as I said I give Chris credit for speaking his mind. I spend an ungodly amount of my time speaking with analysts and trying to “learn” from them while at the same time trying to educate them.  I am constantly amazed that so many analysts (and press for that matter) just take a vendors word as gospel. I have seen research reports from analysts big and small, that I am sure did not have any more research done than calling a handful of vendors and listening to their spiel. Too many of these vendors if they do speak to customers, base their findings on such a small sample that it is impossible to have an accurate picture.

Personally, like Hoff says, who watches the watchers is the truth. I would like to see a code of conduct among analysts. I would start by dictating that vendors cannot pay analysts.  Take the payola out of the equation the way they did to the DJ/Radio business in the late 50s. Next analyst reports have to come with metrics to back up the findings. I want to know how many customers they spoke to, how big they were, how they were found, etc.  A vendor giving an analyst a real live“pet” customer is not real research. I want to know if the customer pays the analyst. It is a dirty business.

Hey let me be clear, I play the game as well as the next guy.  But I agree with Hoff we need to clean up the rules to make the whole analyst thing more fair, viable and valuable.

Understanding the difference between a NAC Client and an 802.1X Supplicant can save you much time, confusion and - yes - MONEY.

How does it save money? I figured most of you would glob on to that one first- hang on, I’ll get to it in a minute ;).

NAC Clients. Most network-based NAC vendors, such as Cisco, Juniper, StillSecure and ProCurve have some type of NAC Client or Endpoint Integrity Agent provided as part of their NAC solution. The NAC Client is a software agent that sits on the endpoint and collects statement of health or posture of the endpoint and communicates that back to whatever NAC controller you’re using. (Most of these guys offer some type of agent-less or transient-agent posture checking too, but this doesn’t apply here.)

The NAC Client may also provide additional security functions such as host enforcement or it may serve as an encryption termination point for IPSec tunnels created between the endpoint and a firewall, for example. I’m sure we’ll be seeing more and more bells and whistles added to the NAC Clients as time goes by.

802.1X Supplicant. An 802.1X supplicant is a different creature all together. First of all, it’s worth noting a supplicant can exist as a piece of software on an endpoint, or as part of an infrastructure device, including switches, APs and even printers. On an infrastructure device, the built-in supplicant lets us do things like authenticate switches to one another for maintaining integrity of network devices and prevent rogues from joining the network.

If the supplicant is on a PC or laptop, it may be built in to the operating system, or provided as a 3rd party software. The supplicant is what communicates through the switches to the RADIUS server for authentication and ‘speaks EAP’. EAP, the Extensible Authentication Protocol, is what makes 1X. Generally a supplicant’s only function in life is to speak EAP and get the device authenticated to the network.

What you may see from some vendors, such as Juniper, is an integrated NAC Client with a built-in Supplicant. Juniper’s Odyssey Client bundles both functions in to 1 agent.

Okay, so back to the money… Understanding what does what, and what comes from where is helpful when we start talking dollars. In many cases you’ll end up paying separately for the NAC Client licenses and the Supplicant licenses. You won’t have to pay for both if…

1. If the NAC Client and Supplicant are bundled
2. If you’re using the Supplicant integrated with the OS or 
3. If you’re using an open source Supplicant
4. If you’re not 802.1X with your NAC, and of course
5. If you’re not using NAC on top of 802.1X

Some vendors may offer a pricing advantage depending on what you’re planning to do. We started with two main Supplicants a few years ago- Meetinghouse’s Aegis and Funk’s Odyssey Access Client. What happened to those guys? Cisco bought Meetinghouse and now offers the Aegis client as an option with their solution and Juniper bought Funk and integrated the Odyssey Access Client directly into their endpoint integrity agent. Most likely they want to try and recoup some of the money from those acquisitions, so what that means for you is that you will likely pay money for products containing those technologies.

On the other hand, some of the home-grown technology from the NAC side may lessen the budget burden. Cisco’s endpoint integrity agent is actually included with their NAC solution, so they don’t charge any per-seat fee (unless you add 802.1X). Juniper’s is integrated, so you’re getting both functions regardless. You can probably spot companies that OEM another solution or another client if they charge for the NAC Client license… that’s not definite, but a good rule of thumb.

From a deployment perspective an bundled agent (NAC + 1X) is nice, since it means you only need to download 1 piece of ‘thing’ onto the endpoint. From a budget persepctive it can be good or bad- it really depends on how many licenses you need and how willing your vendor is to work with you on price.

# # #

For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the "mature" label which seems to indicate there is no new innovation happening.  Recently though we have seen some new announcements in this area.  Also, Gartner should have a new marketscope due out soon.  Here is a recap of some recent developments:

1. Qualys - I had a chance to speak with Philippe and his son at RSA. After riding high on the PCI wave and pioneering the SaaS in security movement, Qualys is now clearly moving into the compliance arena. This release details what Qualys is doing but clearly they see compliance and risk management as a new driver for the business.

2. McAfee- Say goodbye to Foundstone. Years after buying the company McAfee is finally getting rid of the Foundstone name for the vulnerability product and renaming it Vulnerability Manager 6.5 (I think I like the Foundstone name better), as part of the new business unit they have started around GRC. Foundstone founder George Kurtz is heading that unit up. They indicate they will supplement the old Foundstone scanner with abilities to scan applications, web sites and data and databases.

3,. nCircle - I spoke with Andrew Storms and Elizabeth Ireland at RSA. nCircle has been touting their compliance and risk management capabilities for a while now.  They also are showing off web application scanning as well. Though they don't get the press that Qualys does, they appear to be holding their own.  The question in my mind is how do they break out to the next level (see my post on shimmy's theory of relativity).5.

4. eEye - After many of us including me raised doubts about their viability, eEye has announced the addition of web application scanning to their Retina product. I understand this is an OEM of another companies product and does not represent a lot of investment on eEye's point.  I think at the end of the day they are trying to be an endpoint company but can't afford to jettison the scanner business.  Their long term viability according to my relativity theory is still in doubt if you ask me.

5. ISS/IBM - I hear nothing on this one, do you?  You have to question what is the game plan from Big Blue on this.  Do they buy an update or put the money into actually taking this dinosaur out of the Jurassic?  I guess we will have to see.

So I am sure some of you ask, OK Shimmy enough about the competition what is StillSecure doing with its VAM product?  Well the purpose of this blog post was to set the stage for that. I will post an update on some of the cool stuff we have planned with VAM shortly.