Tuesday, April 18, 2017

The Ad-Tech Industry Must Finally Admit That Their Product (Ads) is Dangerous

How would you react if I told you that computer security experts are six times more likely to run just an ad blocking software on their PCs, over just anti-malware? Would you be surprised?



That was the result from a Twitter poll I conducted last year, in which more than 1,000 self-identified computer security experts shared that they are more concerned about ads than malware. While social media polls are admittedly unscientific, I’d argue these numbers are actually pretty close to reality, which means that roughly three-out-of-four computer security experts largely view ad-blocking as a more indispensable part of protection than anti-virus software by far. Let that sink in for a moment.

Malvertising, or malicious ads, are hurting people – a lot of people. Anyone who is familiar with the malware problem will tell you that. As just one example of many, last year ads appeared on the New York Times, BBC, AOL, NFL and other popular websites in a malicious campaign attempting to install “ransomware” on visitors’ computers. To put things into context, the chances are better that the average internet user - roughly 99 percent of the population - will be hacked via their own browser then they will by a nation-state. The reason for this? Online ads.



I understand the business model… really, I do. Publishers rely on their viewers seeing ads because that’s how they make their money. In return they provide all of us with free content and services. If ads are blocked, publishers make less money, and the free content and services dries up. On the other hand, these same ads are one of the leading threats to personal security and privacy. So, what we have here is an online version of a Mexican standoff. Neither side is able to proceed without exposing themselves to danger. 

So here we are without many technical options:  the only thing internet users can do to protect themselves is to install an ad blocker (like hundreds of million of users have already done); and the only thing a publisher can do is to use an ad blocker detector on their website(s). This allows them to decide to block content and/or issue a plea to whitelist their ads. Unfortunately, the technology model for publishers to ‘safely’ include third-party content such as ads into their pages is also lacking. There just isn’t a comprehensive and scalable way to check billions of ads daily to see if they’re safe to distribute – or if the origin of an ad is reputable. Of course, publishers can also supplement or replace advertising revenue streams with a paid-for-content model, hosting conferences, asking for donations, and so on.

Let's also be very clear— neither the publisher, advertisers, or the ad-tech industry that binds everything together takes on any liability for malvertising, infecting a user with malware, or the resultant damage. This also means that they have zero incentives to meaningfully address the problem, and never ever seem to want to talk about the security concerns that make ad blocking an essential security practice. They only want to talk about the money their side is losing, or how to make ads more visually tolerable. But even if ads magically become less obnoxious and less costly in terms of bandwidth, we still have the security problem. Until the advertising technology industry admits that their product - the ads themselves -  are simply dangerous, there can be no real resolution.

Monday, February 20, 2017

InfoSec warranties and guarantees

This is a living list of InfoSec companies who offer warranties and guarantees on their various products and services. If you know of others that should be on the list, please comment. 
  1. Cymmetria
  2. KnowBe4
  3. AsTech Consulting (press release)
  4. Waratek
  5. SentinelOne
  6. Trusona
  7. WhiteHat Security
  8. Symantec & Norton (money-back)
  9. McAfee (money-back)
  10. Trustwave 
  11. HIPAA Secure New
  12. Forcepoint
  13. Avira
  14. Proofpoint
  15. DigiCert 
  16. Comodo
  17. Armor

Wednesday, February 01, 2017

InfoSec Start-up Advising and Product Recommendations

As a long-time InfoSec veteran and entrepreneur, I’m often asked by company founders to join their advisory board and lend a hand. Sometimes the founders need someone with experience they can trust to bounce ideas off of, provide guidance on how to scale their business, point out the many pitfalls to avoid, make key introductions, and so on. I’ve been in this advisor role for many years, as well as mentoring more than fifty young businesses over the last five years alone through a startup incubator. Making this contribution has been highly rewarding, both personally and professionally. It leverages the many successes and mistakes I’ve made in my career to help others. Advising and mentoring is something I plan to continue doing for the foreseeable future. The only downside is that due to time constraints, I have to be extremely selective. 

When I come across a hot new start-up, I fully research the company, try out the product, research their target market, meet the management team, speak with a handful of customers, and if I have something useful to offer, only then do I feel comfortable enough to get involved. Oh, another requirement is that none should be competitive with one another. Because I do my homework and have a deep understanding of the information security industry, I’m often asked by colleagues what companies I’d recommend in a particular space or a product to solve a particular enterprise problem. For those interested, below is where I’ve placed my bets and what I’m recommending.

Full Disclosure: I’ve a financial interest in most of these companies below, but not all of them. And if I don't have a stake, it doesn't mean I won't recommend them -- I can be just as impressed otherwise. I’ve also indicated where I serve in an official advisory capacity.


Anti-Bot

FunCAPTCHA (Advisory Board)
“FunCaptcha is the fastest and most effective way to protect your website from spam and abuse. We stop billions of spammers every year for clever brands that monetize their registrations and content.”


Anti-Virus / Endpoint Protection (Enterprise)

SentinelOne (Employed)
"SentinelOne unifies endpoint threat prevention, detection and response in a single platform driven by sophisticated machine learning and intelligent automation. With SentinelOne, organizations can detect malicious behavior across multiple vectors, rapidly eliminate threats with fully-automated, integrated response capabilities, and adapt their defenses against the most advanced cyber attacks."


Bug Bounty / Security Crowd-Sourcing

Bugcrowd (Advisory Board)
"The pioneer and innovator in crowdsourced security testing for the enterprise, Bugcrowd harnesses the power of tens of thousands security researchers to surface critical software vulnerabilities and level the playing field in cybersecurity. Bugcrowd also provides a range of responsible disclosure and managed service options that allow companies to commission a customized security testing program that fits their specific requirements. Bugcrowd’s proprietary vulnerability disclosure platform is deployed by Tesla, Pinterest, Western Union, Fitbit and many others."


Website Vulnerability Assessment 

"WhiteHat Security is the leading provider of website risk management solutions. Sentinel, WhiteHat's flagship product, is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks. WhiteHat Sentinel is built on a Software-as-a-Service (SaaS) platform designed from the ground up to scale massively, support the largest enterprises and offer the most compelling business efficiencies, lowering your overall cost of ownership."


Security Risk and Vulnerability Intelligence

Kenna Security (Advisory Board)
"Kenna is a software-as-a-service Risk and Vulnerability Intelligence platform that accurately measures risk and prioritizes remediation efforts before an attacker can exploit an organization’s weaknesses. Kenna automates the correlation of vulnerability data, threat data, and 0-day data, analyzing security vulnerabilities against active Internet breaches so that InfoSec teams can prioritize remediations and report on their overall risk posture."


Security-in-the-SDLC / Security Requirements 

SD Elements (Advisory Board)
"SD Elements automates software security requirements based on your project’s technology, business and compliance drivers. SD Elements eliminates security vulnerabilities in the most cost effective way, before scanning begins."



AppSec Vulnerability Remediation

"AsTech Consulting is a security consulting company which helps clients understand their risks and what to do about them. As independent security specialists, we employ very experienced security professionals, more than half of which have over 15 years of relevant experience."


Runtime Application Self-Protection (RASP)

"Prevoty provides a new RASP (runtime application self-protection) capability, enabling applications to protect themselves. Unlike traditional security approaches that try to defend against hackers at the network layer, Prevoty works inside the application itself and the analysis engine is smart enough to actively prevent anything malicious from executing. "


Browser Security & Privacy

"We have a mission to save the web by increasing browsing speed and safety for users, while growing ad revenue share for content creators."

Thursday, October 20, 2016

What keeps me in the security industry

It’s common for long-time information experts like myself to be asked what keeps us in the security industry. Some say it’s a good stable job that nicely pays the bills. Others find the work interesting and enjoy the constant intellectual challenge. Some the like the people, the community, the culture, and exchange of ideas. Of course for many, it be some combination of all these things. For myself, while each of the above plays a part, I must admit those haven’t been my core reasons to stay on for a long time now.

Like I’ve said many times in the past, the Internet is single greatest invention we’re likely to witness in our lifetime. The Internet is a place that now connects over 2 billion people. The Internet is how we communicate and keep up with friends and family. It’s where we shop. It’s how we learn about ourselves and the world. It’s where bank and pay bills. It’s what entertains us and how we get from place to place. It’s how we better ourselves. Entire economies are now dependent on the Internet. If you think about it, we’re often more open and honest about our most intimate secrets with the Google search box than any our closest confidants. There is not a single person among us, or perhaps anyone we know, that won’t be online today. Something this important, this vital to the world and to humanity, must be protected. The Internet.

The time each of us has in this life is limited and far too short. Every day is a gift. And in that time few people ever get an opportunity to be a part of something greater than themselves. A chance to make an impact and to do something that truly matters. Internet security matters. So for me, to play even a small part in helping to protect the Internet and the billions of people connected feels like a good way to spend ones life time. That’s why I’m still here.

In the immortal words of Dan Geer, “There is never enough time. Thank you for yours.”

Monday, June 06, 2016

I'm joining the fight against malware and ransomware with SentinelOne

Today is a big day for me. I’m contributing to a company called SentinelOne, but I really don’t think of it as a job. I’ve accepted an opportunity to work side by side with other brilliant and highly motivated people where we’re all helping to solve important and challenging InfoSec problems. In this case, malware and ransomware. You see, more than anything, I want to make a positive impact on InfoSec. As I’ve said many times, we who work InfoSec are responsible for protecting the greatest invention we’ll see if our lifetime — the Web, the Internet, and the billions of people using it every day. That’s our mission, our calling. As such, I’ve always kept a evolving list of our industries biggest challenges, which I include in most of my slide decks.

  1. Intersection of security guarantees and cyber-insurance
  2. Explosion of Ransomware
  3. Vulnerability remediation
  4. Industry skill shortage
  5. Measuring the impact of SDLC security controls

The only problem on the list I haven’t gotten the chance to work on is ransomware, an incredibly effective and fast-growing form of malware that’s taking over. I’ve long railed hard about the crap antivirus products on the market and the billions of dollars people and companies spend annually to effectively make themselves less secure. Yes, that’s right, I said LESS secure. The FBI recently published that ransomware victims paid out $209 million in Q1 2016 compared to $24 million for ALL of 2015. Some non-trivial percentage of those ransom dollars will be used for R&D, so the smart money says ransomware will quickly get even more sophisticated and out of hand. And to that point, in recent and well publicized news, ransomware is also responsible for disrupting the care of patients in a few hospitals. This can’t be allowed — lives are at risk!

In my life after WhiteHat, I looked at ton of companies and interesting opportunities where I could lend a helping hand, of which there was no shortage. My inbox was crushed with many worthy projects, but I knew I had to choose wisely. Then out pops a company with some super cool tech and few have heard of them, SentinelOne. SentinelOne is right smack in the middle of the malware/ransomware war, for which Gartner calls next-generation endpoint protection (NG EPP). I met with the founders, the team, all super cool and passionate people. A real gem of a start-up. I felt strongly that I needed to join this fight. Plus, I’ll be working on some exciting stuff behind that scenes that I can’t wait to share with world. Good things take time, so please, standby!

Monday, May 23, 2016

Life is Better without Username Reuse (email aliases FTW!)

Facebook, LinkedIn, Amazon, PayPal, Yahoo, Google. We keep accounts with many of these websites. They and many others use email addresses as the first half of the classic username and password combo. They do this because email addresses are unique and double as a reasonably secure communication channel with the user. And of course we often sign-up for things online to receive information by entering our email address. All this email address sharing, while technically nothing being wrong with it, unfortunately causes several highly annoying problems. These problems can be solved, or at least made far easier to deal with, by leveraging email address aliases. An email alias is where you create one or more email addresses that all send to the same account, vaguely similar to desktop folder shortcuts.

With email address sharing / username reuse, by far the biggest problem we run into is spam. And the more we share and reuse our email addresses across systems, the bigger the spam problem becomes. Sometimes websites sell our email addresses. Other times they share them with third-partie business partners, and from time to time they get leaked in a data breach. Whatever the case, once an email address is out there, it’s out there. No taking it back and no amount of mailing list opting out will help. I know. I’ve tried.

There are other problems too. Anyone who knows your email address can easily determine what systems you’re using (i.e. “This email address is already registered.”). This issue is not only a privacy issue, but a potential security issue as it makes it easier to target your account via brute force, phishing, password recovery hacks, etc. And of course when you have several online accounts, you’re constantly notified via email, which explodes your inbox. Creating rules in your email app using strings in the subject or content body helps, but doing so isn’t easy and never comprehensive. When all these problems are tied to your email email address, there is no escape. You can’t easily kill or change your main email address because all your friends, family, and business contacts use it too.

My solution to these problems, which has been working great, is by using email address aliases based on custom domain name. For example, my personal domain is jeremiahgrossman.com. So as an example, I create a new email alias that’s just for Facebook, like fb@jeremiahgrossman.com. Or on Paypal it would be pp@jeremiahgrossman. You can technically use any email alias for this purpose, even a random one. When email is sent to these aliases they automatically forward to my main email address. I never reuse these email address aliases for any other than their intended use, and never use my main email address to register for anything if I can help it.

It does cost a few bucks to pay for domain name and email hosting, but it ain’t much these days and the value is WAY worth it. When things are set up this way, I can be reasonably sure that any email to these aliases, that is supposedly from them, is legit and not a phishing scam because no one else knows the email address / username I used. And since the particular website is only using the email address alias I gave them, inbox rules are way easier.

Then if the email address is leaked, gets spammed out, or whatever, I can just kill it off, create another, and change the account email address / username. The up front work is a little tedious, but again, worth it. And the best part, when you have your own domain name, email aliases are essentially free — I’ve about 100 now. And there is no reason you can’t use any old crap domain name either.

Good luck!

Wednesday, May 18, 2016

Millions experience serious computer security problems and have no one to call for help

A couple times a week, people I may or may not know reach out to me for help because they’re experiencing some kind of computer security catastrophe. Sometimes the situation is serious, other times not. They might be dealing with an online bank account takeover, online scam, data breach, malware infection, identity theft, and the list goes on and on from there. Whatever the circumstance, a great many people often find themselves thrust into the deep end of this technology driven world, without the know-how to solve the problem on their own, and no one to call for help. These experiences are especially painful for the elderly and small-business owners, whose livelihood are disrupted, and the stress takes a toll on them. Personally, I hate it when good people get taken advantage of.

In the most recent case, I was introduced to the founder of a TV and movie production company through a mutual friend. They explained that someone is messing with their website and actively using their company name to scam their business contacts. They said ‘hacked,’ but that could mean anything these days. The situation was causing them real brand damage, and with over a dozen show titles to their credit, the business impact is severe. Even over the impersonal medium of email, you could sense a deep feeling of helplessness and desperation. As you might expect, I tend to keep myself happily occupied with family, work, and martial arts and don’t have a lot of time to spare for things like this. But, this plea originated from a good friend, the victim didn’t have anyone else to turn to, and helping out felt like the right thing to do.

After taking a call and exchanging a few emails, I got the real story. Someone, a scammer, registered an incredibly similar domain name to the legitimate one used by the production company. The fake domain name was being used to create a clone of the real website. The scammer then subtly changed the names and photos of the staff and updated the contact information so that any incoming communication would instead go to them. Through email, phone calls, or search results visitors would be contacted by the scammer, who pretended to be with the production company, and would proceed to con their victims out of money. This is a simple, inexpensive, and effective scam that could happen to basically anyone – and it does.

The near-term plan was to get the scam website taken down. Long-term, try to take ownership over the look-a-like domain name.

To start, the first thing I needed to know is who owns the offending domain name. A quick WHOIS lookup revealed the registrar is GoDaddy, but the domain owner itself was masked by Domains By Proxy, a popular service for those wishing to preserve their online privacy. I often use this service myself! This means without going through a legal process, obtaining the real domain owner information isn’t going to happen. Still, in the event the production company would like to try and get ownership over the domain using ICANN’s and trademark law, they have the registrar info to further that process. Next, I needed to identify where the website is being hosted. The ‘dig’ command easily gets me the IP address of the cloned website and an ARIN lookup tells me who the IP address belongs to — the name of the hosting provider. For those curious, collectively performing these tasks took me far less time than writing this paragraph.

Let’s pause our story for a moment to consider the technical knowledge required to get this far, which includes a set of skills many techies take for granted and forget that the vast majority of people simply don’t have. Few people can explain what a domain name is, have any idea what a domain registrar or an IP address is, what’s WHOIS, or even ICANN. They’ve certainly never heard of ARIN, and only a vague familiarity with hosting providers for that matter. And thus far, we’ve only collected purely public information and in doing so reached a point where most can’t get to on their own. Techies should empathize and exercise patience with those not nearly as literate in how the Internet works as we are. Anyway, back to our story.

Now that we’ve learned who the hosting provider is, I helped the production company founder draft an email to send that concisely explains the problem and what we’d like the action to be. Take down the website! Their website nicely listed the abuse@ email address and I pressed send on the message. I figured it could be a while for them to get back to us, and in the meantime decided to take a close look at the scammer’s website.

Using every web hackers best friend, view-source, I skimmed the underlying code of the website. Maybe the scammer left clues as to their identity, tools they used to clone the website, or whatever. In less than 60 seconds, I immediately spotted something very interesting. While the HTML of the page is hosted locally, all the CSS, images, and most importantly, the Javascript is being SRC’ed in from the real website! As you’ll see if a moment, this was a major oversight on the scammer’s part. Are you thinking what I’m thinking? We’ll see. :)

1)    In the logs of the real website, we should be able to ascertain who and how many people visited the scammers website. Because every time someone visits one of his web pages, their browser automatically pulls in the aforementioned third-party content from something we control. This means the visitors IP address is logged, as is what web page they are currently looking at — called the referer. And yes, this is intentionally misspelled and a throwback to Internet antiquity.

2)    If we have the visitors IP address information, it’s quite likely we also have the scammer’s too! Provided they didn’t mask that as well. And if they are, that’s useful bit of information as well. Either way, their IP address is probably the first one we see the in the logs when the referer of the fake website appeared. If we decide to go after the bad guy directly, we at least have something to begin tracking them down with. Subpoenaing the hosting provider or Domains By Proxy is of course another possible course of action, but we’ll see about that path later.

3)    This is the big one. Any web hacker would have quickly theorized that we can probably modify the javascript on the real website, which again is called by the fake website, to at least temporarily redirect it’s visitors. And, that’s exactly what we did! A quick 3-line block of code did just the trick!

if (window.location.host != ‘<real-website.com>') {
        window.location = ‘<real-website.com>’;
}
 
At this moment, we got the production company and visitors of the scammer’s website some immediate relief. That is until the bad guy notices what we did and updates their website code, which is trivial to do. Next I ask the domain registrar (GoDaddy) about the process for taking ownership over domain names that are designed for abuse. They point us towards an ICANN’s trademark dispute policy and suggested we consult with a lawyer experienced in such legal measures. I then advise the founder to seriously consider going down his route.

A couple days go by, and while we wait for the hosting provider to respond, we notice the aforementioned redirect stopped working. As expected, the scammer caught on and fixed their code so that all the web page files now point locally. Drat! What we did learn is the scammer is sentient, responsive, and persistent. He didn’t care so much that were we onto his little game. Interesting. Such brazenness indicated that the scammer is probably outside the US jurisdiction – or optionally just stupid. Then like magic on the same exact day, and the timing could not have been better, the hosting provider informs us that they completed their investigation and disable the scammers website. Success!

For now, my work is done and the production company founder profusely express their thankfulness. This was a good feeling. However, that doesn’t necessarily mean this is the end of our little story, or that it will be a happy one. After all, this is the security of the web we’re talking about, and plainly said, it’s fundamentally broken.

You see, the scammer can easily set up shop with a new hosting provider and start the identical scam all over again and there is absolutely nothing anyone can do to prevent that. There is no good way to help visitors tell the difference between the real website from the fake one. And even if we use ICANN’s process to take ownership over the domain name, the scammer could easily just register another suitable look-a-like domain in no time flat and we’re back at it all over again. This problem is never ending and there really is no good way to solve it once and for all. A website owner’s only option is to wait for something bad to happen, give me or someone else with the right skills a call for help, and proceed similarly.

What I can do is actively monitoring the illegitimate domain name to see when and if it’s IP address changes. If it does, this would indicate that the scammer is moving hosting providers. It took a couple weeks, and that’s exactly what appears to be happening right now. Grr. This is kind of thing happens every day, to who knows how many people, and honestly I’m not sure what the answer is. One thing I do know, the world needs the help of a lot more good computer security people. Join in!



Tuesday, May 17, 2016

7 Tips to Get the Absolute Best Price from Security Vendors

Security budgets are always extremely tight, so it’s smart to get the absolute best price possible from your security vendors. Never ever pay full price, or even take the first quote vendors give you. That price just sets the stage and it’s best to think of it as the ‘dummy price,’ so don’t pay it! I’ve spent nearly two decades sitting at the price negotiation table in the security industry and seen all manner of techniques customers use successfully to win discounts, and more people should use them. Customers, even small ones, can exercise a ton of leverage over their security vendors if they only knew how. And, more often than not, vendors themselves don’t really mind. It signals that a deal is likely to be made and to a vendor, that’s what’s most important.

While it’s common for large companies to have negotiations handled by a separate department, typically called ‘Procurement,’ many leave the responsibility to whomever is actually making the purchase. In either case, security practitioners can personally say, do, and offer things the procurement department can’t to help obtain the best possible price. Remember, security product margins can range anywhere from 40-60% or even higher. I’ve seen discounts well over 50% of the originally quoted price. Some vendors will even take a loss to win your business, depending on the size of your brand and the reference you’ll provide. 

Note: I’m not a big fan of this as you risk not being treated well as a customer long-term. The vendor may decide to drop you later because you’re unprofitable. So, allow vendors to make a profit, just not an obscene one.

Below you’ll find my ranked list of the most powerful negotiating techniques I’ve come across in the purchasing process, many of which are applicable beyond security purchases…


1. Negotiate Price at Quarter End / Year End
More than anything, businesses want financial predictability. They want to be able to plan out, with a high degree of accuracy, precisely how much business is expected to close at least two quarters into the future. Sales forecasting is largely a Sales department function. So when end of the quarter is just a few weeks away, and overall sales volume isn’t where it needs to be, the sales rep (and their bosses) scramble and make concessions to bridge the gap and hit their forecast. The larger the sales forecast gap, and the closer to quarter end, the more desperate they become and more open they’ll be to deep discounts or throwing in additional products / services to sweeten the pot.

Smart customers simply ask sales reps when their quarter or fiscal year ends, just after the vendor asks the customer what their budget range is. So, if you like the product, and you’re likely to buy it, let them know you’ll commit to the purchase in the current quarter, before the end, if they give you a good deal. Vendors will routinely knock 10-30% (or more) off the price, just with the ability to accurately forecast a deal closing. If the vendor is unwilling to work with you and the purchase isn’t urgent, let them know you’re more likely to purchase next quarter, which ads uncertainty to their forecast and they’ll have a decision to make. Rinse. Repeat.
2. Multi-Year Deals
As previously mentioned, businesses love predictability. For this reason, subscription-based businesses, like Software-as-a-Service, love predictable renewals rates. Security vendors know that just because you’re a customer this year, it doesn’t automatically mean you’ll be a customer next year — as the market is highly competitive. They know they’ll likely have to negotiate price with existing customers before the contract expires, which comes at a cost of time and sales forecast uncertainly. 

To reduce this uncertainly, subscription-based businesses will often give attractive discounts to customers willing to sign up for multi-year deals. Two to three year deals are typical, likely fetching a 5-10% discount, possibly more if you’re willing to pay up front, but we’ll explore this more in a moment. It’s also best to refrain from committing to more than three years for security purchases as it’s difficult to know what the business needs will be that far out, or how the product landscape may have changed in that time. 

3. Paying In Advance
For many security services, such as subscription SaaS products, you pay monthly or quarterly after services are rendered. For the security vendor’s finance department, that means they’re out some amount of money to service you before you pay them for those services. If you like a particular security service and plan to continue having it for a least another year, consider paying for a year or more in advance. For the vendor, having getting cash up front is often attractive and it takes payment uncertainty out of the equation, giving their business additional flexibility. Obviously, the bigger the deal, the better in terms of discounting. This method can win another 5-10% or so in discounts on its own. 

4. Customer Reference, Case Study, Gartner Reference
In InfoSec it’s extremely difficult to get customers to speak publicly, or even privately, about their experience with a given security product. When a customer does consent to speak, it’s incredibly powerful, and few things generate more business for security vendors than vocally happy customers. Customers should use this power to their advantage, especially if they really really like a security product and want to see the company do well.

To do this, customers can serve as a reference in a few different ways:

a. Private Reference – speaks to other customers
b. Public Reference, Individual – willing to do case studies, press, events, quotes, but as an individual versus the company
c. Public Reference – Company – the company is endorsing the product and brand, including a logo on the vendors website, slides, etc.  

All of this is good and even a non-contractual promise to be a reference can lead to great discounts. As a small warning, many organizations have policies regarding speaking on behalf of the company, so make sure to follow those. If you can find out if the security vendor is in the process of working with Gartner on the magic quadrant of their space, customers who are willing to be a positive reference in this time period are like gold. I’ve personally seen seriously deep discounts here, even free!

5. Ask for More Stuff, Not Always Price Discounts
Let’s say you’re asking for a discount, but for whatever reason the security vendor isn’t agreeable. This could be because they need to keep their average sales price (ASP) above a particular threshold so their business looks good to their board and investors. In these circumstances, you can instead ask for them to throw in things that are more easy for them to give away or commit to.

a. Extra subscription time, especially if full deployment will take a while.
b. Additional services or software licenses 
c. A better customer support package.
d. Free training.
d. Payment flexility. How and how often payment has to be made.
e. Product roadmap enhancements that’ll better serve you.

In many circumstances, security vendors will find the items on this list easier to give you than discounting the overall deal. You get more, but pay the same.


6. Find Out What Others Paid. Competitive Bids.
When entering pricing discussions, it’s always helpful to know what other customers paid as a point of reference. You may or may not be able to get the same deal as they did, but you want something in at least the general vicinity. There are a couple of ways to obtain this information.

a. Ask a colleague you personally know, who has already purchased a product you’re considering. What kind of deal did they get? 
b. Ask the vendors for customer references during the evaluation process, which is something all customers should do as a matter of course. Not only ask the reference what they liked and didn’t like about the product, but what they paid. 
c. Ask the vendor for their competitor’s pricing, and how they compare with it.  

In some cases, pricing information is considered confidential, but it doesn’t hurt to ask. Having this pricing research on hand greatly helps get you the best deal possible. 

Additionally, you’re probably considering between two or more comparable products to solve a particular security problem. If the products themselves are a toss up, meaning you’d be happy with either option, consider sharing the bids with the competing security vendors. No security vendors want to lose a competitive deal in the last stage simply because the competition slightly edged them on price. You’d be surprised how quickly vendors will knock off 5—10% as a take away from the competition.


7. Go Direct
Many customers have a preferred reseller, typically called Value Added Resellers (VARs), through which they make their security purchases. Among other things, VARs make vendor management much easier for customers. They’ll help identify security program gaps, document purchase requirements, product selection, answer questions, and more. For the value they add, VARs usually take a roughly 30% margin on each product sale. Then, of course, they can tack on additional dollars for consulting and implementation if there is a need.  The remaining 70% of the sale price goes to the security vendor.

Here’s the thing, the business of the VAR is in the first two letters — V.A…  VALUE. ADDED. If a VAR is not adding enough value, which is often the case, they’re justifiably not entitled to their 30%. And in these circumstances, the VAR can and should be bypassed to go direct to the security vendor where the customer can get a [30%] discount without costing the vendor anything. And, unless there is a good reason not to, get bids from 3 VARs so they’ll have to fight to get you the best deal – fight to win your business. Often VARs will cut into their own profit margin to land the deal.



There you have it. Seven ways to help maximize the purchasing power of the security budget. Good luck!





Thursday, May 12, 2016

From 300 lbs to 200 lbs

Did you know that one point in my life I was just over 300 pounds? Most don’t, but I was. Then after considerable effort, I got to the 250 pounds range and remained for several years. At the time of this writing, I’m about 210 pounds. My goal is to stabilize at around 200 pounds with a body fat of ~10%. If all goes as planned, maybe in 6 months or so I’ll be about where I want to be. At 6’2”, it’s a pretty solid physique. Upon witnessing my physical transformation, many friends and family ask how I’m doing this. “What’s your secret?” Spoiler: I don’t have one. 



Before going any further, let me clearly state that I’m NOT a personal trainer. I’m NOT a nutritionist. And I’m certainly NOT trying to sell anything. This post simply answers the question people ask by listing out my nutrition and exercise regiment. Additionally, while everything I’ve done has undoubtedly improved my overall health, the goal is primarily focused towards improving my performance in combat sports, such as particularly Brazilian Jiu-Jitsu and Mixed Martial Arts. Competing at a high-level requires that I’m very strong, fast, flexible, with good cardio and balance. A lean and muscle-toned physique is most ideal.



Nutrition


Food is what fuels my body to perform at my best during each training session. My daily consumption maps as best as I can to the planned physical activity. If I break down and eat something I shouldn’t, it happens, my performance noticeably suffers and I get my butt kicked as a consequence. It sucks. As it turns out, not wanting to get punched in the face, choked, or arm hyper extended is a great motivator!

Each week I have 4 very hard training days, 2 lighter training days, and 1 rest day. And that’s how I plan out my meals. For most of the last year, I was predominantly eating lean meats, vegetables, and fruit. The Paleo diet is the closest example. Then for the last ~3 months I shifted to a whole-food Vegan diet with some minor exceptions. 



Additional nutrition rules I follow:
  • No caffeine
  • No alcohol
  • Liquid is primarily water (occasionally iced tea, tea, or carbonated water with lime)
  • No dairy
  • Nothing fried
  • Very little processed food
  • No vitamins or supplements (I may include them later at some point)

Hard Training Day


Paleo: To get through my training sessions, 2300 - 2400 calories feels about right. Under 2100 and I would gas out early. Over 2400 and body fat wouldn’t come off. I targeted my protein intake at just under 1g per pound of body weight, which is a good zone according to what many bodybuilders suggest to build muscle. Fat intake at no more than 50g. And of course the rest being the carbs for energy I need for training.

Reaching these macros requires several full meals during the day, and timed so my belly isn’t too full during class.  And honestly, if you look at the meal plan, its been really hard physically eating so much food. On the upside, while [bad food] cravings are certainly an issue, I was never, ever hungry!

Vegan: On the outset, I didn’t know how my body would react to being Vegan. I didn’t know what the cravings would be like, if I’d have the necessary energy needed, etc. So, I got rid of the whole calorie and macro counting thing. Instead decided to start by simply eating whatever I wanted, whenever I wanted, as long as it was whole-food and vegan, and then fine tune from there. Note that I routinely replace many of the ingredients on the list with suitable replacements as I want to eat a wide variety of food in order to get all the recommended vitamins and minerals. 




While the calorie counts on my Vegan diet are higher than the Paleo version, the weight / fat has been coming off with similar speed. And honestly, I feel notably better being vegan so far and my physical performance has improved. My mind is a bit clearer, joints move easier, and my recovery is faster. Cool eh!?


Light Training


Paleo: Take my hard training day meal plan, then drop the calories to 1600 - 1700, mostly from the carbs. Eat just enough food to get through my training and no more.




Vegan: Same thing, reduce calories mostly from slow burning carbs (oatmeal, sweat potato, etc) down to roughly 1800 as this feels right.




In both hard and light training days, I generally stop eating for the day around 5pm — particularly anything containing any sugars, like fruit. The strategy here is that by the time my early morning training starts the next day, my cardio workout will largely burn fat as fuel as all the sugar / carbs in my system have already been metabolized. Then afterwards I can eat again — yay! :)





Rest Day

24 hour fast (no food, but water / tea is ok). While this helps stabilize my insulin levels, it’s also about simple math — and besides, I’m not training at all anyway. Consider that 1 pound of fat equals 3,500 calories. So, by foregoing ~1800 calories per week here, I get to lose an extra 1/2 off the top. Each month, that’s roughly 2 pounds of fat. Awesome!






Training / Exercise

As mentioned, my exercise is primarily designed for combat sports. Then I mix in some low intensity cardio and weight training to support those activities. Collectively it’s about 4 hard days of training, 2 lighter days, and 1 rest day. Most weeks I’ll miss a session here and there when life gets in the way, but what you see is the plan I set out to accomplish each and every week and whatever happens, happens. I’ll try to get the time back in some other way before reseting on Monday. On the average, I get done about 75% or more of what’s on the list. 

The intensity of each class can vary greatly depending on what we’re learning, what I’m physically capable of that day, and so on. Either way, I do the best that I can with a mission of improving … in whatever small amount that might be. And those with a sharp eye, who read this far, might notice that I have a salsa dance class listed. It was recommended by my Muay Thai coach as a way of improving my footwork, timing, and coordination. And, it works! Go figure.

That’s it. My secret is hard work and dedication, which is basically all anyone needs to accomplish anything in life.