Wednesday 11 June 2014

Something old, something new, something borrowed and something Blue(Coat)

Every year at CPX, Check Point announce something new.  Levels of excitement can vary depending on that “something new”.  They also take the opportunity to cover some old ground.  To remind customers of all this great stuff they haven’t been buying enough of.  Alongside that this year, we had something borrowed and something Blue…though Blue Coat’s new logo has actually got no blue on it and my colleague Sean Doggett assures me that the new appliances have also lost their blue sheen in favour of a sleek black design…but anyway, blue in name.  So was it all going to come together and be a marriage made in heaven?  Or would Check Point customers feel jilted at the altar when they looked under the hood.

 
Something Old
In my previous blog I took you through Software Defined Protection, which in many ways was both something new (in terms of messaging and forthcoming changes to the management) and something old (in that the messaging referred to layers of technology that exist today and have existed for some time).  The messaging around SDP is on the whole a smart marketing move to encourage customers to revisit some of the technology Check Point have been bringing out the last few years:

·         The Control Layer is an amalgamation of many of the threat prevention blades like Anti-Bot, Anti-Virus and Threat Emulation (which have all either come out or had massive revamps in the last two years) and then ThreatCloud which emerged last year as Check Point finally dipped into the intelligence they could source from having the largest global footprint of enterprise firewalls.

·         Then the Enforcement Layer.  Really just a reminder that Check Point are not just a hardware or software firewall company but have endpoint and virtual security solutions too.

So then we’re left with the management and after a later session with Avi Rembaum (who is a fantastic presenter by the way) in which he talked about How to Implement Software-Defined Protection in Your Network, my Russian companion – remember him from blog 1? – summed it up best.

“Half an hour of bullsh*t, then three interesting slides at the end.  But then they didn’t even go into detail!”
Eloquently put.
He then proceeded to hijack Avi and absolutely grill him (whilst ironically the sounds of Ice Cube’s 90’s rap diss “No Vaseline” played in the background – for those of you who know the song, you can imagine it was quite the surreal montage to be witnessing).  Advised by Avi to go and speak to one of the experts in the Technology Rooms, off he went in search of answers.  And I’m not sure he got them.

Our own Check Point engineering team are one of a select few who get access to EA code as part of our partner programme and we work directly with the Check Point EA Engineers from Israel and what I can tell you is that they’re very excited about everything they’ve seen in R80 (the version in which this management revolution will begin).  Unfortunately there didn’t seem to be that level of visibility at the conference.  It became clear that whilst it’s exciting, the cornerstone of the SDP initiative – the management – appears to be a work in progress, known by a select few who are locked within the deepest vaults of the Check Point fortress, walls of marketeers separating us common folk from the knowledgeable ones.

 
Something new
Going back to Gil’s opening address, whilst SDP merged the old and the new, he did then go on to announce something brand spanking new and quite exciting.

ThreatCloud Mobile.

So what is it?  It’s basically a cloud infrastructure they’re building to be able to handle customers who want to send all of their mobile device traffic to the ThreatCloud.  The ThreatCloud features all of the Check Point software blades you know and love – IPS, Threat Emulation, Anti-Bot – so potentially Check Point are onto a real innovation in the mobile space here.  I’ve not really seen anyone else go to these lengths (basically everything you can do on a gateway, for your mobile!).  I’ve seen impressive cloud infrastructures and innovative approaches from the likes of Zscaler to provide global coverage but that's only really been for web security and with 10 data centres already built that host ThreatCloud as it is today, don’t think Check Point doesn’t have the resources to do this.  The devil will be in the detail.  This technology is on BETA testing right now and is estimated to be on general release by the end of the year so we’ll be seeing more of it no doubt in the coming months.  How well will it scale?  How will latency be?  How easy will it be to implement?  These unfortunately are all still open questions but I’m intrigued at the very least as to how this will take off, to supplement the Mobile Device Management solutions many people have in place today (and that Check Point have with Mobile Enterprise).

And if we’re to buy into this vision of Software-Defined Protection, again this technology will be one of the big bets Check Point makes to ensure that it's the success story they’re hoping for.

 
Something borrowed

“Can I have some threat feeds please?”

“Sure.  Which ones do you want?  I’ve got all these.”

 

Check Point open the proverbial rain coat to reveal IntelliStore, a marketplace for Threat Feeds.  And because this is the ‘something borrowed’ section, you can trial them for 30 days via your Check Point user centre.

Something I’ve been discussing with some of my customers as part of our Security Simplified strategy is how we can take the third party threat intelligence or fraud intelligence feeds and feed that information in to dynamically update security tools.  As always with Check Point though, this is geared toward their own software blades and looks like it only supports Anti-Bot and Anti-Virus out of the box (not IPS?).  This is unconfirmed at the time of writing as there’s actually scant detail at the moment.  Get on those 30 day evals now because there’s also currently no pricing for IntelliStore (again, at time of writing) so they genuinely can’t charge you for it yet!

 
Something Blue(Coat)

So Blue Coat were at the conference as the main sponsor (the relationship between Check Point and Blue Coat seems to be ever blossoming at the moment).  Unfortunately I didn’t see their presentations or visit their stand in the sponsor hall.  So basically they were only part of this blog because I wanted to use the pun in the title.  I’m sorry, I really am.

 
In the Final Part……other highlights and a final summary of CPX and I then visit the Tufin Partner Conference to see how they are responding to major industry shifts.  Coming soon!
 
 
 

Tuesday 3 June 2014

Software Defined Something...Reflections on CPX 2014


It is an unusually grey morning in Barcelona.  Having left behind the hottest temperatures of the year in the UK at 27 degrees, I’m wondering if it wasn’t just the taxi driver who went the wrong way last night but the pilot of the plane too.

To explain that note…

I arrived late in Barcelona with my Russian companion for the trip; a little tired but hoping to have a sneaky pint once safely arrived at the hotel.  Having been assured by the taxi driver (despite some trepidation) that there was “only one Hotel Princesa” in Barcelona, we had put our faith in him.  It was, alas, misplaced.  For there are two Princess Hotels – the Hotel Princess at one end of Avenue Diagonal where we were supposed to be and then the hotel we were actually taken to, the Hotel Princess Sofia, almost 8km straight across the Avenue Diagonal (yes on the exact same road to enable the confusion) the other side of Barcelona.  Having tried to check in and figured out we were at the wrong hotel and that the taxi driver was long gone, the concierge was nice enough to call us a cab to the other Hotel Princesa.  I didn’t want a pint, I just wanted to go to bed!

Back to the next morning.  There was an air of confusion it seemed as the delegates gathered for CPX 2014.  Was it the weather and general lack of sunshine?  Or was it that they were trying to figure out what Software Defined Protection is?  Well to varying degrees, the two days ahead would represent some illumination on both fronts.

As is tradition, the conference began with some completely unrelated interpretive dance.  To compound the weirdness this year though, this was interspersed with videos of Gil Schwed and Amnon Bar-Lev encased in futuristic cubes and delivering one word statements about the future of security.  On top of that, the video (which seemed to be playing the music track too) got all jerky and juddery.  Fair play to the dancers for improvising and slowing down their movements but somebody at Check Point forgot to pay their Netflix bill.

Onto the presentations then and the opening address by Gil Schwed, Check Point CEO.  Whether he was proud of seeing himself on video in a dystopian vision of the future or just more excited than usual at what was to come, he certainly had a spring in his step.  I myself was looking forward to seeing what SDP (Software Defined Protection) was all about.  I had purposely ignored everything I could possibly have read prior to this event about SDP.  I wanted to come here to CPX with an open mind and find out if they really were revolutionising security all over again or if it was just another vendor to jump on this year’s buzz word.  Or rather buzz words, plural.  For it seems that if you want to show innovation this year all your marketing needs can be met by saying what you do (e.g. Protection or Networking) and simply adding two words in front – Software Defined.
 
Sometimes in technology (and particularly in Security) things snowball to the point of absurdity.  In the midst of all this, very good concepts can be lost.  Like a song you loved when you first heard it but now it’s been played to death.  So what did Gil have to say?  He did indeed touch on SDP.  He was clearly excited by the concept and reinventing security all over again.  He talked about the 3 layers of infrastructure behind SDP:



The management layer, the control layer and the enforcement layer.  All things that, on the face of it, exist already today within the Check Point portfolio.  Gil alludes to more detail around this in the sessions to follow over the next two days but in essence the only thing they’re really changing is the management to accommodate this new model.

The control layer is basically software blades, plus Threat Intelligence (ok so there are some developments on that front too).

Then the enforcement layer is simply a Check Point firewall.  Or a Check Point virtual firewall.  Or a Check Point endpoint agent.  And so on.

So are Check Point simply that ahead of the game or are they trying to capitalise on the latest craze and fit their messaging around it?  This became my new aim for the next two days.  That and eventually getting that pint in somewhere.

 
In Part 2……Check Point announce two major new services and I get more insight into SDP!

Read Part 2 by clicking here

Wednesday 14 November 2012

[Start message] Sorry, this deal has already been registered. [End message]


I don’t know how aware customers are of this, but Deal Registration programmes can be the most controversial part of any Partner Programme.  It’s a constant headache for Re-seller and Vendor alike.
Now, I have never dealt with a Vendor who wasn't committed to their Deal Registration Programme.  At the same time, I've never found such a programme that is 100% fair and perfect; it’s difficult and we come across different approaches.

One approach is this:
  • A deal can be registered at any time and you have a bunch of fields to fill in.  Once that is done, provided no one else has done this first, there you go, you’re protected!  You have the support of the vendor.  You will probably get access to the best pricing for your customer!  Wait what’s that?  They’re not your customer?  You just spoke to them once and they mentioned they might be looking at some new Security Products?  Oh well that’s fine.  Because our Deal Registration programme means you now officially own this opportunity, even though it might not actually exist, or someone else may have been working hard on it, scoped it all out and found the right solution for the customer.  That’s all irrelevant, you've got DEAL REG baby!
Okay so that’s a bit extreme, but in some cases, it’s not too far from the truth.  Here’s another approach to a Deal Registration Programme:
  • The fields to fill in on the vendors online portal are quite complex, they ask a lot of questions you don’t know the answers to.  You figure it out with the customer then you go back to the form, you fill it in and now the Vendor’s sales person calls you right up.  They've been waiting for your call...

...the only problem is, to give you Deal Reg they need to speak to the customer.  Only the customer is really only at the first stages of the project and possibly don't want to be talking to specific product vendors at this stage.  Quite the pickle.  You know you shouldn't register the deal but at what stage should you do it?  It’s like a game of Russian Roulette and across the table are the Deal Reg Cowboys (not to be confused with the Dallas Cowboys) waiting to fire that stinging bullet into all of your hard work.

Every Deal Registration programme I've ever come across faces the above problems; too lenient and it turns into a game of ‘Fastest Finger First’; too stringent and your partners don’t know what’s going on and customers wonder why there’s an IDS Vendor calling them before they even figured out what the acronym stands for.

I don’t have the solution, but one thing I would like to impart – Deal Registration, Incumbency Programmes and all other similar initiatives are designed for one purpose, and that is to make sure that the Partner who works closest with the Customer and Vendor should be able to offer the best commercial deal.  Nice and neat.  Everyone wins.  As a customer, this is designed so that YOU can get the best deal and get to work with who YOU want to work with.  If this isn't happening, let the vendor know!  9 times out of 10, the Vendor will understand as realistically, they cannot tell you who to buy from (as long as your chosen partner is an official partner).  That decision is and should always be yours!

Click to Read Part 4

“Keep Your Eyes Peeled.”



So what should you look out for?  Well, most Vendors have a number of Technical Accreditation's and Certifications that partners have to pass in order to attain partner status. Look at how many of those accreditation's your security partner has and also, if they have in-house technical resources. It’s always worth investigating things like the ratio of engineers for that vendor vs. total number of engineers or how many engineers vs. number of total customers. For example, you could have a massive Systems Integrator servicing thousands of customers and they could have 10 Engineers that are certified in deploying a Product. It might seem a reasonable amount – but then when you go to book one, it turns out there’s a 6 week wait for an engineer. Why is this? It will probably be because those 10 engineers are spread too thinly across the customer base and that the partner just isn't focused on investing in more resources for that technology. (Or maybe they just didn't have that many engineers in the first place!)

Some other key points:

  • When choosing a support partner – are the re-seller / Systems Integrator taking support direct within their own support centre or are they backing straight off to the vendor? Of course, no one partner will do everything. And for us it comes back to having to make those hard choices – you can’t support everything; and not everything you support will be appropriate for all of your customers. Likewise as the customer it’s about finding the partner who will provide the best fit for you and give you the best service across the board and work with you strategically towards your goals – rather than trying to push products onto you.
  • Account management.  Now I’m not just saying this because it’s my job, a good AM is extremely important.  Especially where there might be one or two products/services that are supported direct with the Vendor (either wholly or partially).  You need someone who is going to take responsibility and be accountable.  If there are issues with in-house support and service, they need to escalate that and fight for you.  If there is a vendor who is slacking, they need to be able to give them a kick and stress how important this issue is and to convey in strong terms how it is affecting their customer (you!).
  • Make your Account Manager work!  I have always found that putting that little bit extra effort in and taking on problems (some of which you may not even be able to influence massively) will pay dividends – both when escalating with vendors and when reporting back to customers.  Communication is so, so important.  It’s where great business relationships are built.  And destroyed!
Click to Read Part 3

“If you can’t say something nice...”



It’s getting quite serious this blog isn't it. So let’s lighten the tone with a bit of comedy. And in a surprise twist, I’m going to be drawing not from the archives of Frankie Boyle or Dara O’Briain but from one of Nebulas’ competitors! Of course, naming them would give them some fame I’m sure they don’t want. Besides, I don’t think they were trying to be funny so that means they don’t deserve it either...


I always think that those who slag off other organisations are doing so because they don’t actually have much to talk about themselves.  They don’t feel their own argument is strong enough, so they try to do a bit of classic misdirection.  “If we tell them a few fairy-tales we might just bore them enough that they won’t think to ask what our story is.”

We had the following email show up in the inbox of one of our customers a few months ago.  Luckily they saw right through the sludge and forwarded it to us.  I now present it to you as a classic example of how Partner Programmes can be twisted into a shallow venom that is scattered over a wide area, hoping to get a hit or two so they can paralyse their prey long enough to pounce and really dig their claws in.  Did I mention that I come from a thespian background?  The email was written as follows (with my comments in red):



Subject: F5 Gold Partners

Hi name / name,

Hope you are fine and well,
(well that's a nice enough start. Nothing wrong so far. How quaint in fact.)

Juts bringing to your attention that Nebulas have lost their F5 gold partner status,
(Unfortunately we did get bumped down to Silver Partner for now, mainly down to not hitting our revenue target. This harks back to the point I made at the start of this blog. Like all top level partners we carry a number. That number increased and we did not do that number.)
which impacts on their commercial rates offered and technical ability.
(Hmmmm, not sure about that. Ask any of our F5 customers if they saw a price increase the last 6 months. But the second bit is the real kicker. Let me get it straight - we didn't sell as much product as we were targeted on over 6 months and suddenly the moment we went to Silver Partner all of our Consultants and Support guys suddenly forgot everything they knew about F5?...

...well we just don't know how that happened. Sorry about that. We'll do our best to figure it out!)

We ourselves are Gold Partners and are considered F5's highest skilled technical.
(Good point. Except this sentence doesn't make sense.)

See enclosed F5 link below:

http://www.f5.com/partners/partnerlists/goldpart.php


We work with similar organisations to you such as company, company etc.
(Fair enough. Good validation I suppose. Except one of the organisations they named uses Nebulas for F5 support!)

My sales director some person, would like to call in for 30 mins to talk (over a coffee)
(If he's anything like the writer of this email, perhaps he should let the coffee talk over him.)
about how we work in this space and what we could potentially do to add value to yourselves - commercially and technically.

Please let me know if there is a space moment ahead we can look to call in for 30 mins of your time?
(A 'space moment'! You know I hadn't realised this one until I sat here writing this. Pure gold. The lesson here? Don't write about others supposed incompetence, if you can't even write an email!)

Best Regards,

Tool



So I think I've said enough.  Entertaining wasn't it!  But no way to go about doing business.  And quite offensive to my eyes when I read it.  As I've said, our customer sent it to us so hopefully they (and you) will know better than to put any stock in such things.  And in no way is this relevant to our relationship with F5 which has remained strong throughout this period – it seems they are really clamping down on their partner programme which I’m certain in the long run will see us show our commitment and regain our Gold Partner status and conversely will surely see some of these pretenders get found out.

And all the while, regardless we’ll be doing what we always do – providing the highest levels of service possible to you, our customers.

Thank you, as always, for reading.  Next time I’ll be discussing the evolution of compliance programmes so stay tuned for that.  And if you have any questions or feedback, of course please do email me at grant.paling@nebulas.co.uk

 


Tuesday 13 November 2012

“What Partner level are you?”


It’s a question I get asked reasonably often; and the implications of the answer can vary.  Just how much significance a customer puts in a partner level status, I couldn't tell you for sure and likely it varies between companies and even between individuals.
What I’d like to do in writing this is to shed some light on Partner and Deal Registration Programmes by highlighting the flaws (and to be fair to the vendors out there, the challenges – Partner Programmes are impossible to make foolproof) that I have seen in some of them over the years I've been working in this industry.
Following that, I’ll touch on ‘cutting through the sludge’.  It’s come to my attention that there are other re-sellers out there who aren't confident enough in their own abilities that they have to focus on spreading mindless tripe about their competition (which of course includes Nebulas).  Each to their own I suppose but I’ll be dissecting some of the stuff I've seen and exposing just how ridiculous this can get!

First of all a quick disclaimer. Let me say that Partner Levels do give you some indication of how proficient a re-seller is in supporting a Vendor’s products and services. You don’t become a Super Triple Platinum Elite partner for nothing. Most Partner Programmes require some level of investment, both from a Commercial and more importantly, from a Technical point of view. There are certain things that aren’t just gloss, take F5 Networks’ UNITY programme for example. In getting accredited to take F5 Level 1 and 2 support ourselves, we had to pass a very strict auditing process. Something we could not have done were we not capable and committed.

So what do you have to be wary of as a customer when reviewing a partner organisation’s capability?

Well firstly, once you get to the highest couple of levels of Partner Accreditation, you’re likely to encounter two types of Re-seller or Systems Integrator - one who does masses of volume, just as a small percentage of what they do as a wider business; and then the type that really is focused around providing technical value around that solution set.  One of the challenges, is that it is so difficult to be truly independent.  Partner Level is not just judged on technical ability and the ability to integrate the vendor’s product(s) with surrounding IT infrastructures.  The higher levels particularly always carry a number.  And those who, like we do here, try to remain as independent as possible will still have to carry that number.  Again to be fair to Product Vendors, they have a different task.  Their aim is still to deliver a good customer experience and to enhance the way in which their customers operate but the crucial difference is that the ultimate goal is to convince you that you can do that with their product!  Whereas for companies like ourselves, you may have a case where you might carry two vendors who compete with one another (two competing firewall vendors for example) and you might end up paying the price for putting your customers’ interests first.  Finding them the right fit might just cost you your Partner Level elsewhere.

Click to Read Part 2