“…we are recommending that the Director of the Office of Science and Technology Policy, in conjunction with the national Cybersecurity Coordinator, direct the Subcommittee on Networking and Information Technology Research and Development to exercise its leadership responsibilities…”

We could paraphrase this by quoting Spike Lee’s movie title: “Do the right thing.”

The only problem with this is recommendation is that NITRD’s Cyber Security and Information Assurance Working Group has specifically defined it’s role as facilitator, not a leader (p15). Wishing that they would take the lead won’t make it so.

"Time flies like an arrow, but fruit flies like bananas" -- Groucho Marx

“Data” tells you about the past

“Data” is the output of some observation or measurement process.  If your data is about some states of the world, then by definition your data lives in the past.  You did your measurements or your experiments, generated your data, and then time passed as you assess it, report it, and act on it.  Thus, your data is reporting on history.  Only by acts of inference can you connect your data with the present state of the world or the future state.

In the physical sciences and engineering, they can safely assume that the system under study is the same over time — past, present, and future.  This is called the ergodic hypothesis.  In statistics, the underlying stochastic process is treated as stationary.   This makes it possible to extrapolate the past into the present and future using regression and other techniques.

There are people in the security metrics community that only want to operate on data.   They view anything that is not the result of empirical measurement is pure speculation or a dangerously-seductive “model”.    (See Models are Distracting, and Measurement over Models)    Being an engineer myself, I’m all in favor of empirical data, measurment, and experiments.  But I contend that we will never get to measures of “security” or “risk” through empirical data alone.   Our systems are non-stationary and non-ergodic.

“Security” is a judgement about the present

If we start with the simple high-level question: “Am I secure?”, it becomes clear that any measurement of security must relate to the present time (or possibly a retrospective view on a previous time, i.e. past perfect tense, or prospective view on a future time, i.e. “will I be secure?”).  I call it a “judgement” because security depends on the threats you are facing.  (I play a historically-realistic computer game with my son, called Total War, that includes features that allow you invest in offensive and defensive capabilities.  How much to invest and how fast to invest depends on who you are facing.  A wooden pallisade will be an adequate defense against peasants and spear militia, but hopelessly inadequate against onagers and trebuchets, backed by armored cavalry!)

Thus, you can measure anything and everything you want about security, generating tons of data, and in the end you will have to make a judgement:  “Am I secure?” — or are my security provisions adequate given the threats we face?   Seen this way, your data is really just evidence that is used in this judgement (and inference) process.   What I mean by this is that I don’t think you can simply calculate your way from ground-truth data to any overall security metrics.  There will always be a judgement or inference step(s).

Why?  Because we must account for events, circumstances, and scenarios that haven’t happened yet, or happen so rarely that we have no relevant data, or are beyond the reach of measurements.  (Afterall, the miscreants often do their best to hide their actions.)   On top of this, the security landscape changes rapidly and occasionally dramatically.  Our judgement about security must factor in these changes, to the best of our knowledge.   Finally, our judgement about “are we secure?” is predicated on our risk tolerence.  But what is “risk”?

“Risk” is a cost of the future, brought to the present

This is the economist’s definition of risk, where “cost” here means downside cash flows that are beyond some  threshold of expectation or variability.  Those costs become “risk” when you can account for them in present dollars using some discounting and insurance method.  (This says nothing about the “insurability” of the risk, only about the theoretical possibility of accounting for risk in present dollars by some reasonable method.  The “insurance method” might be diversification, hedging, self-insurance, risk pooling, contingent contracts, or traditional insurance.)

This parallels Peter Drucker’s characterization of profit: “Profit is … needed to pay for attainment of the objectives of the business. Profit is a condition of survival. It is the cost of the future.  The cost of staying in business.” [emphasis added]   Ontologically, “profit” and “risk” are in the same category, which is why it makes sense to measure “risk-adjusted return” and the like.

From the viewpoint of risk, what you have spent in the past is irrelevant  (“sunk costs”).  All rational decisions are based on future cash flows and options.  The only value of the past is if it helps you predict or forecast the future.  Thus, you can’t reach a final judgement about security in the present if you don’t also have some useful estimate of risk in the future.   If the answer to “Am I secure?” is “Yes”, then the implication is that you can live with the risk associated with this level of security.   By “useful”, I mean sufficiently discriminating to inform the judgement — “bigger than a breadbox, smaller than a house”.

This is where information security deviates from reliability engineering.   In the latter, the ergodic hypothesis holds and the dynamics are sufficiently “tame” to permit statistical data analysis for inference and forecasting.  Even when there are “humans in the loop”, their behavioral tendencies can often be characterized by stable probability distributions.  In information security, we are dealing with adaptive, intelligent, strategic players — not only miscreants, but also “ancillary players” like end-users, auditors, supply chain partners, and so on.  This makes risk estimation a ”wicked problem“.  But is it hopeless?

Estimating risk may be hard, but not impossible

Plenty of smart security people contend that quantitative risk estimation is impossible or infeasible in principle.  Proving or disproving this assertion would take heavy-duty theoretical analysis (and I may do it some day).  But for now consider two extreme situations.

Think of security and risk as a black-box process that generates a continuous stream of cash flows in time (i.e. total spending on security and losses in that time period).  At one extreme, the output is a stationary function or stochastic process.  This is the relm that Nicholas Taleb called “Medicoristan“, since the data stream is well-behaved enough that nothing very surprising happens.  With enough historical data and enough data analysis, I think we’d all agree that risk estimation is feasable with current methods.

At the other extreme, the output is generated by a strategic agent (inside the box) whose sole purpose is to screw up our risk estimation process.  Let’s call this Descartes’ Demon, after Rene Descartes, who introduces a skeptical scenario called the deceiving demon argument to challenge our beliefs that an external world exists; in particular, it raises the possibility that some sort of malicious, demonic non-God, has “employed all his energies in order to deceive me”.    If Descartes’ Demon can maintain history of the output and also has information about our risk estimation process, he can mimic any output pattern and change those patterns arbitrarily to defeat any estimation process we might apply.   (This is more extreme than Taleb’s “Extremestan” in terms of defying estimation or prediction.)   In this case, I believe it could be proved that estimation is impossible (or undecidable or infeasable from a computation point of view).

Some people might argue that information security is exactly in this latter extreme situation, but I don’t think so.  The reason is that all the players have much stronger motives and forcing functions than to subvert the risk estimation processes.  Bad guys want to make money or cause harm.  End users want to avoid hassles and minimize effort and get their job done.  Managers want to manage their business while avoiding negative repercussions.  All of these factors add some elements of predictability and understandability.

But it may only be possible to factor all of these in through the use of models and simulations that represent our best knowledge, our best estimates, and our best beliefs about how they all relate to each other and the overall results.

The marriage of data, security, and risk = social learning processes

Putting this all together, we need to gather a lot of empirical data to understand relationships, patterns, and dependencies.  But to measure security we need to add inference and judgement processes that extend our data into the present, given the threat landscape we believe we are facing.  But to make a judgement about security and make decisions about alternative security postures, we need a useful estimate of risk to decide how much security is enough.  To tie these all together over time requires effective social learning processes, including model validation through experiments and data analysis.  Likewise, risk estimation and security judgement processes tell us what data we need to collect and how to analyze it.

Whether you agree with this framework or not, you should make explicit and consistent definitions of the time dimension relative to your metrics.

Date:            May 19, 2010, 1:30-5:00pm PDT

Location:       Claremont Hotel, 41 Tunnel Road, Berkeley, CA 94705

NITRD representatives from NSF, DHS, and other agencies will present Federal cybersecurity R&D themes. This event will take place at the Claremont Hotel in Berkeley, California, and follows immediately after the IEEE Symposium on Security and Privacy. The themes will guide future Federal research activities and are components of the framework for cybersecurity R&D called for in the President’s Cyberspace Policy Review. This event will be the first discussion of these Federal cybersecurity R&D objectives and will provide insights into the priorities that are shaping the direction of Federal research activities.

Registration: http://www.nitrd.gov/CSThemes.aspx.  This event is free of charge.

Webcast:       http://www.nitrd.gov/CSThemes.aspx 

This is a follow-up to the National Cyber Leap Year process that I have previously critiqued.  Of their original five themes, they have down-selected to three (described here), including:

Cyber economic incentives — foundations for cyber security markets, to establish meaningful metrics, and to promote economically sound secure practices.  [emphasis added]

I’m thrilled that this made the cut and I’m also thrilled that it has been recast to focus on incentive systems and metrics.  I will attend this event and be listening for information about how this “theme” will be turned into tangible reality.

"Go Patriots!"

I haven’t posted much lately because I’ve been arranging a major career change.  I’m happy to announce that I will be entering the PhD program in Computational Social Science (with certificates in InfoSec and Economic Systems Design) at George Mason University, Fairfax VA, starting in the Fall of 2010.  Assuming all goes according to plan, this will take five years.

Those of you how have read my posts or heard my presentations know that I’ve been committed to advancing the state-of-the-art in interdisciplinary research regarding information risk management and incentive systems.  This PhD program seems ideally suited to help me make progress toward these goals.  Both during and after graduation, my personal goal is to stimulate more interdisciplinary research, especially public-private-academic collaborations.

I plan to continue working in the private sector, both part-time and summers.  I’m talking with a couple of companies to see if we can arrange a flexible, win-win relationship.  If you know of any other possible employers in the DC area, please contact me.

(While comments here are fine, if you just want to offer personal support, comments, or questions, you can email me directly at: russell.thomas AT the domain “meritology.com”.)

In a keynote speech at RSA 2010 (full text), Microsoft’s Scott Charney proposed proactive solutions to systemic problems like botnets.  Drawing analogies with  public health and environmental protection, he said it might make sense for ISPs quarantine infected consumer PCs. Then he said:

And then there’s a question of who would pay for that. Well, maybe markets will make it work, but if not, there are other models: use taxes for those who use the Internet. We pay a fee to put phone service in rural areas, we pay a tax on our airline ticket for security. You could say it’s a public safety issue and do it with general taxation. [emphasis added]

In other words, some collective action might be beneficial and either markets might pay for it, or taxes might be necessary.  Two days later, a Microsoft spokesperson clarified:

“Scott Charney did not suggest a new Internet tax to fund cybersecurity programs. As part of his keynote at RSA he recommended that the industry and government look at developing the equivalent of the World Health Organization to combat malware on the Internet,” the spokesperson said. “Within this context he mentioned the need to explore how to develop a sustainable funding model for this initiative, not suggesting that any particular funding model is best.”

To be even more clear, he definitely didn’t say that Microsoft should get the proceeds or play any part in how it is spent.   

In the following days, industry analysts, executives, and bloggers weighed in and their judgment was mostly negative.  A prime example is the Computerworld article with a headline that called it  ”a horrible idea”, quoting John Pescatore of Gartner Group.   Here are more ‘expert’ reactions quoted in the same article:

• Pescatore: ” ‘Why not a tax on all retail goods for a standard antishoplifting service all merchants would have to use?’ A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.”
• Pescatore: “A general tax would reduce the services to the lowest common denominator”
• Wolfgang Kandek, CTO of Qualys:  ”I have a hard time seeing [a tax] work. The Internet is an international body; you can’t regulate it, and you cannot levy a tax. ISPs might have to up their fees to pay for something like this, I can see that, but a tax that brings government into play — I can’t see that.”
• Randy Abrams, Director of Technical Education at ESET Security: “A tax may be a bad idea, but people will pay for it one way or another.”
• Andrew Storms, Director of Security Operations at nCircle Network Security: “I don’t have a problem with charging a fee and giving it to good works for the whole.  The problem is that one, you have to find a big, smart and trustworthy organization to handle this. And most people will agree that’s not the government, and that’s not Microsoft.”
• Storms: “More likely is that an ISP will take the plunge, charge its users a little extra to keep their machines clean, and prove that it’s possible.  Then I could see a consortium of ISPs getting together to do that.”

Here are some of the negative reactions from bloggers:

• Adrian Kingsley-Hughes shouts, “No!”:

“Let’s also not forget that Microsoft has gone out of its way to create a monoculture where one OS dominates, through legal and illegal methods. So the idea that we should now all pay to solve a problem that Microsoft not only wanted to create, but made billions of dollars in the process is frankly … ridiculous.”

• Don Tennant is equally scathing:

“Microsoft’s “Trustworthy Computing” shtick has gone so far over the oxymoronic top that it’s just no longer possible to give the company the benefit of the doubt. … Really, Scott? … Did you really think we’d all look at each other with nods of agreement, impressed by the brilliance of your epiphany? Didn’t you realize that revelation might just backfire on you?
…
It’s unfathomable that a company with Microsoft’s resources can be so clueless and out of touch. … If Microsoft expects to be taken seriously as an enabler of “trustworthy computing,” it needs to do a lot more than this to demonstrate trustworthiness. Taxing users who find the software they bought is non-secure is like taxing Toyota owners for finding they have faulty gas pedals.”

• Marc Handelman called it “Blatant Stupidity“.
• Dr. Roy Schestowitz: Microsoft’s Government Insider Wants Mac Users and GNU/Linux Users to Pay Microsoft for Its Incompetence

This is where I step in an call “BOGUS!”

Q:  How many of these ‘experts’ know any thing about information economics and public policy responses to negative externalities?  A: Zero.

Even more basic Q: How many of them bothered to find out what Charney was really proposing – rather just reacting to the headline version: “Net tax to clean computers” or the fact that someone from Microsoft said it?  A: Of the articles and blog posts I saw, only two bothered to dig into the speech and seek to understand or clarify Charney’s comments: BetaNews and yinhuan.net.  Conversely, the comments by Pescatore and Kandeck lead me to believe that they didn’t really understand the proposed idea.  Others used this opportunity to throw rocks at Microsoft rather than deal with the substance of the ideas. 

Regarding the idea itself, I think the comment by Randy Abrams is on the mark: “… people will pay for it one way or another.”    Right now, we pay for it through the cost of security breaches and through the cost of inefficient security spending.

The idea of taxes as a way to counteract or pay for mitigation of negative externalities has been thoroughly researched in economics, especially environmental economics.  Here are some links if you want to learn more:

• Also known as Pigovian tax
• Short Tutorial
• Longer Tutorial in the context of environmental economics
• “Green taxes” — public policy analysis from UK
• Economic analysis of negative externalities and possible solutions (PPT)

Myself, I’m more in favor of market-based funding methods (e.g. insurance, etc.): Incentive-based Cyber Trust.  But mandated insurance or other mandates can be seen as a form of “tax”, so the main question is what form of incentives and funding is most effective and most efficient.

This is just one small case in the on-going public policy discussions regarding economics of information security, but given the reaction of the ‘experts’, this was a step backward.

Although Gartner customers almost never complain about false positive rates, I wonder if false positives are under estimated. End users rarely complain about false positives, but they are very vocal reporting Spam in their inbox. Box Sentry (www.boxsentry.com) recently did a tests in a number of organizations and found the false positive rate in some organizations using popular anti-spam tools was as high as 13% of legitimate emails. The largest proportion of false positives in their study was legitimate person-to-person traffic.  While it could be that these organizations have over-tuned their systems to block more Spam at the expense of quarantining more legit email, the reality was the email administrators had no idea they had such a high false positive rate because they never checked.  Have you? 

Going further, it would be very valuable to estimate the cost of false positives.

As I’ve discussed in a previous post, this is just another instance of a general problem in the security industry.  You can’t do rational analysis of effectiveness, cost-effectiveness, risk, and the rest without some estimate of false positive rates and their costs.

• A Roadmap for Cybersecurity Research, by DHS
• National Cyber Security Research and Development Challenges , by the I3P
• Toward a Safer and More Secure Cyberspace, National Academies
• Report to the President on Cyber Security: A Crisis of Prioritization , by PITAC
• Ensuring (and Insuring?) Critical Information Infrastructure Protection, 2005 Rueschlikon Conference on Information Policy
• Four Grand Challenges in Trustworthy Computing , Computing Research Association Conference, 2003
• Others

But no one seems to be able to mobilize any signficant research into solutions.   It’s been very frustrating to see so much talk and so little action.   

This reminds me of the quote by Mark Twain, shown at left, which is the inspiration for the title of this post.

The latest iteration of this was a panel at RSA: “The role of research in industry and government“.  SC Magazine summarized the discussion this way:

A disconnect between the primary research sectors and a lack of appropriate funding in each is leading to decreased technological progress, exposing a huge gap in security that is happily being exploited by cybercriminals.

(read on for a diagnosis and two proposed solutions…)

Part of the problem is the the incentives to focus research on problems and not solutions.  I run into this a lot at academic and other “thought leadership” conferences.  Here’s how it was explained to me: It’s much easier to do a modest-sized research project that shows yet another failure in the economics of security than it is to do the complex, large-scale research that would be necessary to develop both theory and empirical support for solutions. 

The bias toward complaining and against doing research work is even stronger at industry conferences.  I don’t blame any individuals.  Simply put, everyone has a day job that pays them to solve near-term problems and deliver immediate payoffs.   High-risk, fundamental research does not fit that template.

There was one recent attempt to mobilize breakthrough research — the “National Cyber Leap Year Summit” last August, sponsored by NITRD.  As I’ve previously written, that effort was largely a waste of time and money because you can’t brainstorm your way through hard problems like this.

Gene Spafford (a.k.a. “Spaf”) is one person who has thought long and hard about how to effectively mobilize and support interdisciplinary information security research.  In the second half of this blog post, he mentions a white paper that he has been circulating in DC for feedback.   The white paper advocates “changing the way we fund some of the research and education in the US in cybersecurity” and makes specific recommendations.  It’s a good read and very thoughtful suggestions.  The second of his two suggestions can be summarized:

I suggest a program similar in nature to the MacArthur “Genius Grants” program: the ISPEG, or Information Security and Privacy Extended Grant. Some agency or agencies would provide ISPEG funding to a small number of researchers in multi-year fashion, to “do good things” in cybersecurity and privacy. The intent would be to fund these individuals without requiring specific proposals or highly structured budgets, and with minimal requirements for deliverables and constraints. The researchers would be encouraged to exercise vision and leadership to the betterment of the country and the field of cybersecurity. If they are carefully selected, this will naturally follow.

A small set of ISPEG awardees [should be] chosen annually. These individuals will be senior academic, tenured faculty, chosen on the basis of past accomplishments specifically in the fields of information security and privacy, and because of a commitment to service and education. [emphasis added]

I think this is a keen idea overall.  Several formal studies of scientific performance have shown that the most productive method for acheiving major research innovations is through senior, experienced researchers who have both freedom and adequate support over an extended period of time.  However, Spaf’s model is aimed at supporting only academic researchers and only those researchers who have been blessed by the academic system (“tenured”).  Yes, they merit this sort of support, but they aren’t the only people who can or should play in the advanced research arena. Therefore I want to propose another idea that could work in parallel with ISPEG.

Proposal: Information Security Pioneers Fellowship Program (ISPFP)

Here’s how it might work. A non-profit organization would administer the program and would be the “home” for a number of individuals (the “Pioneer Fellows”) who would have financial and institutional support for a period of time. In return for this support, they would serve as catalysts, leaders, orchestrators, and even program managers for innovative interdisciplinary research projects, esp. those that involve industry, academic, and government partners. They could also work on projects and activities that enable advanced research or help bring advanced research results to the masses: in education, industry, or government policy. For example, here are some specific project ideas that would be well suited for Pioneer Fellows:

• Organizing and leading multi-organization proposal teams for advanced interdisciplinary InfoSec research projects (“Broad Agency Announcments” from DARPA, DHS, NSF, NIST, others).
• Leading the specification and field testing of security metrics, e.g. Center for Internet Security’s consensus metrics , and also pilot implementations.
• Leading the design and implementation of a statistically robust survey of information security practices, metric results, and costs, to displace the current “Computer Crime and Security Survey” (CSI/FBI).  (“Statistically robust” would include random sampling of organization populations, for example.)
• Design and help implement a “Cyber CDC” for advanced vulnerability and threat research and intelligence.
• Organize, lead, and/or collaborate in international research projects. 
• Help integrate economics, organization science, and behavioral science into education, training, and certification programs for security managers and executives.

Being a non-profit (preferably 501c3), they could accept and administer donations from many sources — corporations, foundations, and government. This would open the door to funding from many sources, including organizations that don’t usually provide funding, including VCs, industry associations, privacy advocates, IT vendors and consultants of all stripes, etc.

The fellowship period and applicant qualifications are open to consideration.  Ideally, this program should be “idea capitalists”, knowing some people and ideas won’t payoff but others will be huge winners.  One thing for sure — we shouldn’t focus this program only on people who have been “officially” annointed by some hierarchy, some certification program, or by credentials alone. 

OK… now for all of you who might be frustrated with lack of action, this message is for you:  THIS IDEA COULD BE IMPLEMENTED IMMEDIATELY!

Sorry to shout, but I want that message to hit you between the eyes.

First, there are several candidates for host institution:

• Center for Internet Security
• Security Innovation Network (SINET)
• European Network and information Security Agency (ENISA)

Second, there are a good list of possible projects, not only the list above but also ideas from any of the reports listed at the top of this post. 

Third, there are plenty of good candidates for Pioneer Fellows.  Just look for the people who are already doing pioneer work on their own dime or in their “spare time”.

Fourth, the funding would probably start flowing if the right executives were in the same room at the same time, and someone with sufficient “gravitas” asked for the order.  $35K to $50K per major sponsor is reasonable and comparable to other sponsorship arrangements.  Ten major sponsors would fund 8 to 10 Fellows, assuming they paid full salaries. Once this is all in place, we could probably solicit a “foundational grant” from a major government agency to ramp up recruitment and other administrative parts of the process.

That’s a sketch of the idea.  What do you think?

We can take inspiration from other fields.  Consider this innovation in statistical value management in baseball, a.k.a. the ”Moneyball” approach:

Evaluating fielding is baseball’s hardest math. There are just too many unknowns in a play. How much ground did Jeter cover? How fast was the ball moving? In essence: How unlikely was it that he’d catch the ball?   [...]

Sportvision’s FieldFX camera system records the action while object-recognition software identifies each fielder and runner, as well as the ball. After a play, the system spits out data for every movement: the trajectory of the ball, how far the fielder ran, and so on. “After an amazing catch by an outfielder, we can compare his speed and route to the ball with our database and show the TV audience that this player performed so well that 80 percent of the league couldn’t have made that catch,” says Ryan Zander, Sportvision’s manager of baseball products. That information, he says, will allow a much more quantitative measure of exactly what is an error.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here.).  It’s unfolding almost like a like a Greek tragedy. 

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“  (or “Advanced Persistent Adversaries“, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland.  While they discussed almost every other topic and idea, they avoided the Operation Aurora as if it was the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved.   While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

If this is how you feel, buy our products. Then you'll feel better.

Headline is “You are losing the war!”, followed by “Criminal and state-sponsored adversaries are winning”.    The key line: “NetWitness delivers real-time network forensics and automated threat intelligence solutions designed to combat advanced cyber security threats like Operation Aurora.”

I don’t blame them for surfing the publicity wave of “Operation Aurora”  (China, Google, Adobe, et. al.).  And I can’t blame them for following industry practice of amplifying FUD, primarily “fear”, to get potential buyers to give attention and budget to NetWitness solutions, to wit: 

“You have a choice: The NSA or FBI can sit down with your CEO and report your company’s network compromises, or you can be the one telling them that an attack was detected, thwarted, and steps were taken to prevent it from happening again. Which scenario sounds better to you?”

OK… so here’s a glimmer of NewSchool hope in the last lines of the email:

“We’re so sure of this fact that we’re determined to prove it on your network. We’re offering a complimentary Proof of Concept to any organization meeting a minimum set of qualifications.” 

So they are willing to show how their solution will actually work in your organization.  Not bad.  But to get the “NewSchool Tip-of-the-Hat”, it would be even better if the Proof of Concept included some sort of data about effectiveness vs. alternatives vs. make-do-with-whatever.  It would be even better if they published such data or made it available via various information sharing organizations.  We can only hope.

(I have no opinion about NetWitness or their solutions or their competitors, nor do I have any relationship.)