NBA suffers from a bad case of “featuritis”
January 27, 2009
The network behavioral analysis market never really took off. I’ve personally always been a big fan of the idea of analyzing the network flows and using that to figure out what is going on in the network. This is useful from both a network planning and a security perspective. But more from a network planning perspective, if I’m to be honest.
Maybe that was the problem. Due to the vagaries of venture capital and how some markets are “perceived” to be hotter than others, the vendors in the space always seemed to focus on security – rather than its true calling.
But ultimately that doesn’t matter now. There are a scant few independent vendors that offer flow detection. Mostly it’s a feature of a different solution. For instance, there are at least two SIEM vendors (us being one of them) that offer flow detection as another data source for analysis.
Riverbed recently announced an acquisition of Mazu Networks for $25 million (and a mostly unachievable earn-out of $22 million), though Riverbed maintains that they will keep Mazu separate. Since there wasn’t really an independent market before, it’s not clear why there would be one moving forward.
We’ve seen this cycle repeat over and over again. A technology innovation happens, then falls a bit short of market expectations, and eventually the products are subsumed into other technologies. I laughingly call it “featuritis.” Many technologies become features. It’s happened with NBA and it’ll happen with other technologies.
January 27, 2009 at 2:00 PM
Mike, thank you for the post. In the interest of full disclosure, I will state up front that I work for an NBA company. My tenure with this company is short, though I have had a long time acquaintance with NBA as a solution when I was consulting. Your post certainly evokes some thoughts.
I agree with your assessment that often technologies are adopted by larger “umbrella offerings” and become features. That being said, I think it is a premature assessment that this is occurring with NBA.
You mentioned not understanding why Riverbed would leave Mazu as its own entity. Make no mistake. MAZU won’t be doing any feature enhancements to its behavioral analysis in a few years. They will be another NetQoS. They have been purchased by a company with no security background, and no initiative or motivation to drive security. Flow Analysis does not = NBA.
One also needs to understand the technology adoption curve and what it means when a technology does not follow that standard curve. This occurs for one of several reasons.
1) Perhaps the technology is not as strong or as valuable as originally thought
2) Perhaps the technology did not mature as quickly as the expectations of the customer and the mark was missed
3) Perhaps the market was not ready to adapt the technology
4) Perhaps the value proposition was misunderstood
In the case of NBA, there is no question that 3 and 4 are the relevant inhibitors of technology adoption.
For years there has been no such thing as a security architecture. If you exclude the Financials and DoD you will pretty much find a dismal state of the union in terms of architectural security deployments regardless of size. Retail would be a huge “case in point.” I would suggest that 70% of the Fortune 1000 would not meet the lowest common denominator of “due diligence” when it comes to a security architecture. By this, I mean that they have not done basic steps in terms of forming a coherent architecture.
The de facto standard has been to throw a box at a point problem. They have boxes, there is no question there. In fact they have box sprawl. That being said I would ask “Do you believe the average Fortune 1000 could give you root cause for a security breach in less than 24 hours?” I suspect not. I wonder how many could be found who actually could quote a solid incident handling methodology, much less architect a system for working that methodology. I wonder if they could even provide a valid holistic data set? Could we find a valid definition of the term “chain of custody?”
NBA cannot be understood in that environment. It is contextual, macro-analytical, holistic, and architectural in its application by nature. These words (with the exception of the verticals of Finance and DoD that I mentioned) have been foreign to the vast majority of the market until just recently.
I think we need to keep these easily observable facts in mind as we read commentary over the next few weeks regarding this acquisition.
I believe the “True Calling” of NBA is not Network Monitoring, nor is it Security. It is the intersection of the two. Take either of those away and you have lost a part of the rich context that makes an NBA offering powerful.
January 28, 2009 at 9:39 PM
it is interesting how you are making generalizations after the fact …. lehman and merrill just went under – can you say the same for their vertical? do you feel that the SIM/SIEM is much more viable? shall we speak in a year and see where things stand?
January 28, 2009 at 9:47 PM
Cory, thanks for taking the time to comment. Personally I’ve gotten tired of trying to convince myself that Mr. Market is wrong. Mr. Market is right, whether we want to believe it or not and this fine fellow has stated rather definitively that NBA is not a stand-alone market. I’d expect you to argue that fact, given how you pay your mortgage, and maybe you are right. But if, after almost a decade of slogging through, there is only one independent company left to chase the enterprise market, it’s hard to see how it’s a market.
I guess I just have a fairly straightforward, yet pragmatic question. If NBA isn’t about network monitoring and it’s not about security, then who is the buyer? That’s really the problem.
January 28, 2009 at 9:50 PM
I wouldn’t have shut down my successful research firm, if I didn’t think security and compliance management was a viable market. Notice I said security and compliance management, not SIEM. I think SIEM is a subset of the larger market and is yet another “feature” or more specifically an application that runs on a security and compliance management platform.
And yes, it’s easy to make statements after the fact. I wish I was short Lehman and Merrill over the last year, but I’m not that smart. Which is why I still flog security software for a living.
Happy to chat in a year, I think many folks will be surprised at where eIQ is.
January 28, 2009 at 10:02 PM
per your press release and gartner you belong on the SIEM quadrant … http://www.eiqnetworks.com/news/eIQ_GartnerVisionary.shtml
is eiq – still trying to define itself? what space do you really play in then?
January 28, 2009 at 10:18 PM
I’ll probably regret taking the bait. No, eIQ is not “defining” ourselves. We know exactly what we do and why we do it. We need the market to catch up. We all know that it takes Gartner a little while (usually 2-3 years) to evolve the name of their “category” to the changing requirements of the market. But in that very same MQ, Gartner had this to say about eIQ:
So we find the category of SIEM to be too restricting for the broader value we provide the customer. So we are broadening it. One customer at a time.
That’s all I have to say about that.
January 28, 2009 at 10:29 PM
very nice … good luck with that … 2009 is a bad year to create a market where “survival” seems to be the goal of many firms … as you yourself admit – it also seems that you don’t have a defined market or space but tons of features put together … so don’t make fun and laugh at mazu and other nba players.
lets talk in a year and see if there is a market for eiq and where you stand and if you actually create a market … as you have been at this for years -:)
you may also be acquired and become just another feature for a log firm or a security firm.
February 2, 2009 at 12:21 PM
Of course, if you want to look at “defining a market” around the basic concept of aggregating security data and putting correlation policies around it, we can all look at Symantec, IBM, and CA, who are now trying to define exactly that space by taking a bunch of point solutions they’ve acquired over the years and bundling them together under a single management interface. I would submit that they’re not likely to do this unless they see a defined and/or emerging market.
I totally agree that “survival” is the codeword in many organizations today, but survival means many different things to IT: doing more with less; keeping older technologies running rather than deprecating them; identifying where existing technologies can be repurposed (among many others). Before any of these things can happen, an organization needs to understand what assets they have, how these assets are behaving (which includes, but is certainly not limited to, network flow data), and whether there are opportunities to consolidate, eliminate, etc.
The information captured by eIQ’s SecureVue platform (as well as the aforementioned multi-point solutions from the big boys) can support this IT operations use case, just as it supports security and compliance ops. The idea is that the same data is relevant to multiple constituents — getting the relevant data (and all of it) is the first step; the second step is providing an interface to make it usable for different people in the organization. If you can do both from one platform and one UI (as we do), there’s value there, even in today’s “bunker mentality”.