
Bring extra duct tape, a shovel...

Welcome everyone, thank you for coming. This afternoon I'd like to introduce our next speaker, Eric Irvin, Solutions Architect at Alert Logic.

Thank you, appreciate it. Thanks guys. This is a little talk we put together, Elizabeth and I. We've been talking a lot about this. I work for a security vendor, and so I see a lot of the sausage making behind the scenes, and hopefully all of you have some type of experience of engaging a vendor and you kind of know some of the issues you run into. So what I want to talk about is some of the problems that exist in the security product market space. I gave it a nice little silly title there. We're going to talk about me, we're going to talk about economics for you guys, why the security product industry is destined to fail in a lot of ways, and how supply-side economics sucks. And I'm using that loosely; if you're an economist, it's not true supply-side economics, it's product-based supply-side economics. How I got here and arrived at these conclusions, and then how vendors are hacking you. A lot of that's from my personal experience of being in probably 2,000 sales cycles with everything from Fortune 10 companies to mom and pop guys that are just trying to meet some kind of compliance checkmark. And I can assure you all that this is all related. It might seem like a lot of different topics, but at the end of the day we're going to pull it all together and circle back up.

It's a small room here, so I think we can take the whole BSides methodology: you can interrupt me and ask me or call me out on anything. But has anyone here... is anyone currently in a sales cycle with a security vendor? You are? Okay, so we have at least one person who can provide some anecdotal evidence.

"Oh God, but I'm only three weeks old, so I really can't."

Nice. "So, can you say where you worked again and where you worked before?"

Sure, thank you. Currently I work at a company called Alert Logic; it's like you looked at my deck already. Previously I worked at a company called Blue Cross Blue Shield of Alabama; they were a Blue Cross Blue Shield franchise. I worked for Regions Financial Bank and a regional hosting provider, ran my own MSP back when you could do that at like 19 to 20 years of age, and then I was a male model for all my family videos and pictures, and I still do that, so if you need some help, if you need an action shot photo bomb, I'm up for doing that. And I've got over 150 years of combined security experience, because I set up several Second Life characters that were also in security, so I'm going to count their collective years of experience to get me to that point. That's my Twitter account, so you can always see the stupid ramblings I make. Elizabeth can also attest to this as well, and I think she's in the same boat, so I apologize, I want to call you out here, but I like to consider myself someone that likes to pull the pin on grenades and throw it out there and just see what happens. So a lot of times we do go back and forth.

I do work for a security vendor; they provide my paycheck. Sorry, I just realized I was out of the frame there. They provide my paychecks and they also approved my expenses, so my flight up here from Houston, Texas, my hotel room, my meals, and a few of the beverages I drank last night. All of that allows me to do stuff like this, and my bosses are kind of cool with the fact that they know I'm going here and I'm speaking. They don't ask a lot of questions. They don't realize that I really do like to pull the curtain back and show some of the dirty things that we and other people do. And I think it's important for you guys to realize this, because when you're going through risk assessments, when you're evaluating how you're going to solve a problem you have in your organization, you look at a control and you assume that control is going to reduce that risk. But there are some assumptions you make in that: you assume the control is going to work, you assume it's going to work all the time, and we know that's not the case. We look at things like antivirus, which tends to fail a lot; it becomes a joke. It's just like network-based firewalls, which tend to fail because they don't solve application layer attacks. There's a lot of assumptions we make that this control is going to reduce this risk that the vendor doesn't tell you about. We get you all excited about the sizzle, and we don't tell you that the steak is really more of a fish-based flank steak, and it's not even really a flank steak, it's more of a meat-like byproduct in some cases. So if you learn how to spot when these things are happening, you learn to ask the hard questions, you at least get all the facts, and then when you have to make that decision of "well, it's only 80% of what I need, but it's okay enough," then you can make that leap across the risk threshold.

So we're going to start this off with building a network, and let's assume we have 100 servers: file, print, DB, app, web, all that stuff. What are the security tools? We don't have to go through all of them, but I was just going to get from you guys: what are all the things we would need to protect those assets?

Wow, we're already in the hard stuff. Okay, so I'm just going to put MFA. What was the other one? Firewalls, yeah. Firewalls, IDS, IPS. What else you got? How about configuration? What'd you get? Smart people. Smart people, those people, they cost money though. Exactly, but they're a product you can sell. I could sell all this. So how about outsourced managed service? That's true, managed services, that's a way to consolidate that. The list can go on for a long time. We also could add some kind of host-based IDS/IPS, we could add some type of WAF for web applications, we could do some kind of database audit trail and security management. The net of all this is that everything we've talked about is some type of product- or service-based solution to security.

And then what you run into is, while it's 100 servers, and those 100 servers might have cost you, whether you're using cloud-based services and they're costing you about 10 grand a month, or you bought them all and they've cost you a couple hundred thousand dollars, to get all this stuff you're now invested in security. So each one of these products has a price tag. The firewall you've got to pay for, IPS, IDS; the smart people, you're having to pay their bill every month; you've got consultants you're having to buy; you've also got benefits you've got to buy, you've got to buy health insurance for these guys. There's a lot of cost to this and it gets very expensive very fast. And the other thing is it becomes recurringly expensive. While you might have bought that server, and you might be able to get five years of useful life out of it before you've got to depreciate it off the books and get a new server, hardware and software for security tends to recur every two or three years. There's a new hardware platform you have to move to, or there's a renewal bill that you have to buy. And so when we start talking about security we've got to make some uncomfortable decisions at a certain point. At a certain point we have so much bloat from all these point-based products, even if we get smart and we find some good UTM-type devices to reduce those into single-factor appliances, pretty quickly we could be upside down, where we eventually get to the point of: we're out of budget for security. So we either have to let one of the smart guys go, or we have to choose which product we don't renew and which thing we go without, or we have to get creative; we get the smart people to buy some open source or put some open source products out there. So when we look at it, we have to ask ourselves how much will security cost us in hardware, software, renewals and upgrades, and then you've got training.

Training is the thing we often forget about. Our product, we don't really have a training thing, but I remember when I worked at Blue Cross we bought this really nice content acceleration engine that also provides some content filtering, and there was a two-week boot camp you could go to in San Diego, which sounded awesome to me because San Diego seems like a cool place to go to. I went to the training and pretty quickly I realized, no, it's actually real training: from 8 to 5 you're sitting in a room every day learning how to use this package, learning all this stuff, and while we'll probably only consume maybe 10% of the configuration of it, that's a lot of time spent. And then if I leave, which I did shortly thereafter to go work for a security company, someone else has to come in and go through that training. And so your bosses at that point get really burned out on the products and services they bought, because it becomes expensive to take you off your job to do that stuff.

So looking at it, supply versus demand. Security supply tends to be the products, services and people, and you can even talk about the dirty side of supply like zero days, rootkits, botnets; all that tends to be forms of supply. And then demand: demand tends to work off of compliance, security best practices, shame, fines, legal guidance, and the fact that it's cool now. These are all here, and this is all marketing for my company, right? That's how we market our products: we market off compliance, we market off of fear, we market off of Stuxnet and Flame and all the other stuff in the newspaper, and people then go and they buy this stuff based off of these demands right there. And that's how we make money, until I get paid to go to places like this. And so when you start looking at this you start seeing why there's some issues, where this creates some problems, because it's not a perfect market.

Again, going into the products, and a lot of these we ended up with on here: on the product side you've got firewalls, and even the Pepsi Generation, Next Generation firewalls, whatever you want to call them, IPS, IDS, HIPS, HIDS. And even in services, which are your SaaS, your MSPs, which Elizabeth called out, your consultants; your pen tests are also considered services because you're consuming them on one-time use or multi-time use. And then you've got your people: you've got your CXO, your CISO, your smart people as you mentioned earlier. So these are all the different types of supplies that we work with.

And so where do you find supply? Well, you've got development companies, and that tends to be the big guys that you know about, like Symantec, McAfee, Cisco, all those guys, the big boys. Then you've got VARs, the people that are reselling those products and services, and they're not all up here, so I apologize if there's a vendor in the room and I didn't mention your company's name. I think I actually put our name on there because I have to do a cheap plug for that. But then you've got your MSPs, which either make the software or they're reselling or servicing someone else's software, and those are Dell SecureWorks, Trustwave; we make our products; you've got StillSecure, BT Counterpane, Verizon, AT&T. And then you've got your consultants, which will come in and tell you what you need to do, and they'll typically point you towards which of these you need. And lastly your people, your employees and your contractors. So that's where you tend to find the supply of it.

And this is going to lead us towards the problem we're moving towards, which is: when we look at the security model, we know the CIA triad, because if you ever studied the CISSP or Security+, I think it points you towards this direction of confidentiality, integrity and availability. But then you have these controls: you've got your products, your people and your procedures, and those are the ways that you maintain your CIA triad.

"Can I interrupt you real quick?" Of course, please do. "Can we go back just one slide? I just want to point out, I don't know if everyone else experiences this, but where do you find supply? I find a lot of people... I understand that it's people, but conferences, shows." Good point. "Things like that. You see a lot of folks that go to... this happens to me a lot, where the executives go to some show and they see something shiny." Yeah. "And they want it so bad and they're just stuck on it."

They are stuck, and no matter what, they launch this whole process for this one shiny item because they get hooked on the marketing message. They go to RSA and they hear about some cool Next Generation thing. Anyone ever gotten burnt with a "my boss just brought this product in for me to own"? Ding ding ding. Repeatedly, repeatedly, over and over again.

"Yeah, I'm trying to figure out how to insert my own marketing messages in the glossies in the back of airline ads so I can get the product I want. This seems to be more effective than reason some days."

I travel a good bit with my job, and I can't tell you how many times I have a customer telling me, "I haven't seen your ads at an airport before." I'm like, oh wow, so that's how we should be marketing to you. I don't know why that works. It works. I keep thinking that there's a great message if you could put it into a urinal or something. Yeah, in an airport. That's true. That happens a lot.

Later on I'll talk about it more specifically, but we, just like most security companies, have a little twist towards how we provide our service, and that's sort of the sizzle, that's sort of the "oh, that's really cool." If we get that message to a CIO or a CEO, they love that, they dig in on that. If I'm sitting across the table from an engineer or someone that actually has to consume that product, they say, "So what? How well does it work? What does it do? How does it compare to these other guys or this other product I'm currently using? How does it save me time when I'm running my own Snort instance, for example?" They ask real questions. But a lot of times, it's shiny, it's a new Lexus: "I love it, let's look at it, how much does it cost, here's a check." And we hack around that. I'll tell you firsthand, I've got sales guys, and the first thing they'll do is like, "All right, we're going to go to lunch, we're going to talk to these guys. I want you to take the engineers, you're going to sit on this side of the table, we're going to sit on this side of the table, you're going to keep them occupied and play in the sandbox, and we walk away; I'm going to get a PO from this guy." It absolutely happens, and it's dirty, but it's the game, and that's why at the end of this I've got some dirty tricks we use that you guys need to be aware of, and when you spot that happening, hack around that yourself. It's all about social engineering.

So what's the problem with that? Well, let's look at the old way, and if this is 101 stuff I apologize, but you've got the vulnerability, which is the fence hole, and then you've got the exploit, which is crawling through it, you've got the threat agent and the loss. This is an old school thing I got from an old security textbook and we all realize it, but this is how the marketplace works in security. These right here tend to create the need for products and services, right? So when we look at what's happened between 1990 and 2005 and the types of attacks that we're seeing: the sophistication required went down and the attacks went up. At the same time the tools got better, and the knowledge and time the attacker had to spend preparing for that went down. But each one of these created some type of technology to address the risk, right? Password guessing right there: account lockout, complex passwords, multi-factor authentication. Password cracking, same thing. Viruses and back doors, malware: the entire antivirus industry is built around those kinds of threats. So each one of these created a product or service that people then had to go and buy and consume.

So let me ask you a question: what do the following companies have in common? And if I missed a company, again, I apologize. LogLogic, TippingPoint, ArcSight, NitroSecurity, ISS, Foundstone, SonicWALL. Does anyone know what those companies all have in common? Traditionally commercial point solutions; that's one right there. The other one is they've all been bought. They don't exist anymore, or they do exist but they've been purchased by either private equity, or they've been purchased by McAfee or Cisco or one of the other big guys. That's Cisco, Cisco, Websense, RSA, EMC, IBM, McAfee, HP, HP, and those guys got bought by private equity. So these guys don't exist anymore; they had a product and it's off the market now.

In comparison, what do these companies all have in common? And there's a couple of asterisks on that. McAfee, Symantec, Cisco... What's that? Still around. They are still around, and they're all publicly traded, or they've got asterisks, which means they're about to go IPO, so those guys are about to be making a lot of money. Would have been nice to be a day one employee there. And how about these guys? Rapid7, I got us on there again. They're right for the... exactly. So that's sort of the other situation we run into. The market tends to be segregated between these guys who have a cool product and a cool story, and then these guys will go and buy those guys and take them off the market. And what happens? Development sucks: they don't put any more money into it because they've got to recover the expense it cost to buy the guys, and the product gets embedded with other products and solutions so it gets watered down to a certain extent. But then you've got these guys who have the issue that their duty is not just to their customers; they have an equal if not greater duty to their shareholders. They have to make a profit, they've got to make money; that's what businesses and corporations are in the business of doing. So therefore there's pressure on these guys to sell more, to charge less, to cut cost. When they cut cost, one easy place to go is headcount, another place to go is development. So once one of these guys goes to here, the product suffers; it's not that great.

But then you've got these guys, and Rapid7's got a cool story, I love those guys, a lot of good friends that work there; Blue Coat; even us, we're on the radar. And when you have companies like this you ask yourself the question: they have a cool technology, they have a cool story, but why aren't they owned by someone else yet? Is the technology not great? Do they not want to get bought by someone else? Or how much longer can they go off the private equity? Because obviously these companies had significant investments, millions of dollars that were put into them to develop product; eventually someone's going to want that money back. So the ways these guys end up going: either they stay private and nothing changes, they go public, they set up an IPO and they become the Palo Alto Networks or the Trustwave or whatever the latest greatest IPO is, or they get gobbled up.

Which leads us to this. Anyone know what this is? I can't see, I apologize. It's the Gartner hype cycle, and it's a pretty cool little chart that shows how technology gets hyped up and how it gets accepted over time. And all these guys, when they eventually began with one product or service on the security side, they fit in somewhere on the hype cycle. Let me go through those definitions; I don't want to have to read it all to you right there. But you've got the trigger, which is when things break off: either it's a proof of concept, there's some stories, there's some media behind it, and this is often what's considered the alpha period for technology. And this is really interesting because there's a lot of cloud-based security companies that are in this spot. There's a lot of hype behind them, there's an idea of how the technology could work, and a lot of people get behind that. And then everyone rushes to it and there's this period of inflated expectations. We saw this with the Palo Alto Networks story, where everyone got real excited because of the stuff it could do. I mean, it's next generation, it can really do some cool stuff that traditional network-based firewalls can't do, it can look at application layer stuff right there, and then everyone's like, "That can solve all my problems, that's what I need, and on top of it it's got IPS in it, it's got DLP in it, but it's not a UTM, it's next generation." And then there's this trough of disillusionment, and that's when interest wanes and people realize, well, it's not the magic bullet, it's not going to solve all of my problems, it's not going to help Greta in accounting who is using a username and password of 12345. And after that, people start to realize, man, this might not be the best thing for me. And then after that there's the slope of enlightenment, where people sort of realize, all right, now I know what it does, I get it, I know I need it, which leads to that plateau of productivity, which is where it actually starts paying for itself. So going back here, you see where the visibility of the company or the technology or the solution gets all excited, and it drops, and then eventually becomes accepted.

And there's some areas where this didn't work out well. SIEM technologies followed that: SIEM technologies came out in the mid 90s and there was this whole idea that it was going to solve all of our problems, and then people realized it actually just creates a lot of work and it's very expensive, very time-consuming. But when people realized that, it made sense for some organizations, so it does still exist. NAC technologies haven't quite worked out as well. Has anyone here deployed a NAC solution, or even know what NAC is? It's a really cool idea and concept, and I'll talk a little bit more about it in a second, but it just fell off right after this and it never quite built back up. What about GRC? GRC, the auditor. Does anyone have a GRC solution? Okay. GRC, if you're not familiar, stands for governance, risk and compliance, and it's a tool that is a lot of workflow management and audit proof. You want to throw some more to the definition at all?

"Yeah, I mean, I don't think it is defined, but essentially it's designed to manage your security program, manage the evidence for all the different compliance requirements. And I personally, when I worked for vendors, experienced no less than two or three acquisitions of companies..." Yeah. "...for a vendor, that they bought for the GRC, and it fail, fail, fail, fail."

Yeah, and the thing is, every one of these little hype cycles, there's legitimate need behind that hype, right? I mean, GRC, I remember when I worked for Blue Cross Blue Shield, at any given time we had five auditors in our organization: we had state auditors, we had HIPAA auditors, we had Medicare auditors, we had all these guys coming in to look at our books and look at everything. And finally we're like, hey, there's got to be a better way. It's like one of those late night TV ads. And we heard the whole idea of GRC and it's like, hey, this is cool, so we can do the work once, and then if there's a question we just do this workflow, we send the email to the guy, and the guy sends his response or takes his evidence and sends it back over. But very quickly it just waned off, and we realized, while we're trying to implement this and change the way people do things, we've still got auditors coming in day in and day out; we can't have these guys not get their audits done.

So dovetailing off of that, and moving forward to this: what this tends to create is, as we said earlier, when you have a vulnerability (the example is NAC: someone plugs in a laptop to your network), a solution gets developed. They said, hey, let's develop software that looks for when laptops are put on the network. And then what happens next? Well, it becomes productized in that company, the company is built (nice, huh? I worked on this last night), people are hired, you hire some developers, the technology is improved, you hire marketing teams, you have sales teams, you have HR, and now you've got a company built around a problem. What ended up happening with NAC, though, is that it didn't really execute the way it was supposed to. NAC tended to create a lot of problems: the fact that it was going to interrogate a laptop and say, well, it's got to have the latest version of antivirus on it. Well, what happens when a consultant that you're paying $250 an hour comes on site and instead of running McAfee ePO he's running Symantec SEP, and he can't go through your process? Now he's locked off the network and he's sitting around there twiddling his thumbs while you're contacting your network admins asking them to release his MAC address onto the network. And so quickly that kind of waned out there. But again, it begins with NAC, but it also ends with the company, and as we said earlier, companies are being built to either be run independently, which tends to be kind of boring because eventually someone invests some money and they want to see some return on it; the companies tend to get sold, and those are the guys you mentioned earlier; they tend to go IPO, or they grow, and that does happen too; companies acquire. We just bought a WAF provider, for example, and it was the situation where a company was being run independently, and they had been running for five years, and the guy wanted a paycheck and he wanted to quit having to work every day, and so we bought his company and he's gone and we've got the technology for it. So that's what happens with security products.

So, we talk about it. I love these slides, by the way; these are all great stories. But it used to be about the music; it used to be about the security. By the way, I'm sorry, I don't know if you can see that or not, that's from... I just blanked on it, I'm sorry. Those pictures are actually there; there I am right there with my friend Milhouse, MTV. But anyways, why is this important and why do we care about this? Well, quality tends to suffer over time with security products. We mentioned earlier, through Q&A, that QA goes down, development goes down, even the risk of the threat goes down, because a bad guy realizes that every single company out there that has any type of PII or PHI or credit card information behind it is going to run a firewall. They're going to quit doing as many network scans (those guys are always going to be out there), but they're going to realize, "I'm going to target your application," so they're going to go up.

And this happened with this concept called AETs. Do you guys remember what AETs are? I hope. I could talk all day about AETs, but AETs were a type of attack that was developed by an IDS vendor, and it's a cool story. So this independent company decided to test all these IDS products and see who was the best, and this one company got lambasted; I mean, they just did awful on that test. And they met with them and they said, "Hey, what methodology did you use? How did you test the products?" They said, "Well, we used evasion technology. So instead of sending a three-way handshake we send a four-way handshake: we did a SYN, we did a SYN, we did an ACK and then we did a SYN, and by doing that we evaded your technology." They said, "Whoa, you're not supposed to do that." "Well, the bad guys do." Well, here's what the company did: they marketed that message. They improved their products, they looked for those technologies, and they said, "Hey, we're the first anti-evasion technology approved IDS product out there." And so this became a marketing trend where companies started diving in on that and saying, "Hey, we're protected against AET attacks." It's not a new attack; it's something that's been around for years. I mean, there was an old RFC post that talked about the problem with the four-way handshake and how, if you're looking for just one type of attack, you're going to miss that.

And then the other side of that is that companies and products lead us into a false sense of security. Your bosses will buy an IPS saying this is going to stop bad guys from getting in or out of my network, but if you've got a machine that's infected with malware and it's trying to call out to the internet and your IPS is blocking it, you've still got a machine that's infected. That's not the problem; it's just one solution to many. So a lot of times we buy these things and we feel good about them. It's an old Tommy Boy reference; we'll go into that one.

Competition is good, but commoditization can be good as well. As long as you've got products that are competing on different playing fields, you can never compare those two products together, and that's why commoditization can be good for us. Because in the situation where the IDS was being tested, you could tell, I'm going to try 20 different attacks and see which IDS catches it, and compare that. But if each one's trying to differentiate themselves and say, "Well, I'm only good for application types of attacks and you should only use me for application attacks," and these guys say, "Well, we're only good for DDoS attacks and we should only be used for that," as long as that's the case you're going to need two different products for two different problems. So a lot of times it's good if we can set the playing field on an even side right there.

And then we often buy products and services on the sizzle; that's what we mentioned earlier. I can't tell you how many times I've sat across from a CIO and I just know in my heart that this guy does not know what his problem is. He's hooked on my message, he's hooked on what we're talking about. And again, I'll be honest, I'm going to take his check and I'm going to cash it, and I love the guy for it, and I'm going to visit him once a quarter and buy him a steak and a beer. But the fact is, people in the marketplace still don't know what their risks are or what problems they're trying to solve. They get so hooked in on this guy that's giving them a lot of attention. It's a lot like being the nerdy guy in a bar, and then the girl comes up and starts talking to you, and you're like, well, I'm being paid attention to. It's like that in the marketplace as well. So again, you can trust me, I sell things; don't trust anyone else, but you can trust me. In security products and services, companies, remember, they're sales companies. They're in business to make a profit. They're not there to be your best friend, they're not there because they're concerned about your risk assessment, they're there to sell a product. So remember that; keep that in mind when you're talking to them. And it doesn't make them unethical, evil or wrong. I've got a lot of good friends that are sales guys; they're fun to party with, they buy my drinks for me, I love them. But it also means that they have to make a conscious choice if they're going to be ethical. They have to make a choice of whether they're going to be good or they're going to be right. So therefore, when you're making decisions on buying products, don't buy the sales guy; buy the solution that best fits your problem.

So this goes into the dirty secrets, and I'm going to invite Elizabeth up here, who's going to give us a little hand here, because she can also provide some anecdotal evidence from her experience on the sales side. But the first dirty secret you've got to know about sales people is... "Am I supposed to get up?" You can sit there, I don't mind. These guys can look at me. Hey Mom.

Dirty secrets. So, the deal today is most likely a deal tomorrow. Don't buy the artificial pressure of "you can only get this pricing for 30 days and it expires." In software-based companies we are on a quarterly system, and it starts off with January, which is a fun month because we're going out meeting a lot of people, we're not doing a lot of business. It gets into February, where my boss is like, "All right guys, we've got March coming, let's get some deals in." And then you've got March, where we're actually working eight-hour days and we're actually getting calls from our boss, and then the last day of the month is, "All right, I don't care what you've got to do, make that price happen," and you send some special pricing over. Well, if you don't buy, you don't buy. Maybe it's not a good time for you, maybe you don't have the budget, maybe it's not something you're ready to buy yet. So the next day, ask them, say, "Hey look, we're still interested in this but I need this pricing in two weeks, and if it's not good then this conversation's over." You'll get that pricing. I don't know if, Elizabeth, you worked on both sides of that, but...

"Yeah, so my current role, I work for a reseller and predominantly I do professional services, but I'm responsible for the security practice. My experience is very different than Eric's, because everything he's talking about, we have to manage with our partners on a really large scale, right? So at the end of the month we have 20 vendors calling us, or at the end of the quarter we've got every single solitary vendor wanting to know what our
pipeline is and this and that. So what we do with our clients is we have the open, honest conversations. We talk about these guys behind their backs all the time and say, listen... Oh, thanks. Is this working? It's just for you, for the live stream, okay, because... turn it on. Yeah. So what'll happen is we get all these vendors, we talk about all the vendors behind their back, we say, okay, this product's good for this, that product's good for that, etc. What do you think? What's your time frame? The client will come back to us and say, you know what, the... You can... Sorry guys, technology. Yeah, it's hard. It's one of those things. Do you want to talk in this mic right here? Yeah, there we go. Okay, it's not a real mic. But so what'll happen is clients will tell us, okay, my maintenance is due in October, so I really need to get this done. This is just for the stream, this is just for the stream; I don't think it's for the room. Yeah, if you just talk loudly you'll be able to pick up. I'm fine, we don't need to stand. So what we'll do is we'll tell the partners, you know, we will curb their enthusiasm to such a degree, because we can't freaking handle these phone calls at the end of the quarter. So for every one particular problem we can get five, six, seven, eight phone calls. So we're like, ah, they're just kind of lightly shopping, maybe Q4, when really they're really interested and it's really going to be next month possibly.

Yeah, and that's the other thing: don't call a vendor up and say we're ready to buy, we need something tomorrow, because those guys will get your home number, they'll get your cell phone, they'll talk to your kids, they'll be at your baseball games, they'll be like, hey, so what's going on? You said you're ready, we need to do anything for you? But also, I'm going to counterpoint that, because that's not true of all salespeople. So this is kind of the dirty, dirty part, the underbelly, right? There are many, many good salespeople, I think, and that is a challenge, like being honest, finding a salesperson that you trust and having that honest relationship and working together. I do think it's achievable, and I do think being honest... I actually have a right-now situation in my mailbox right now that I'm kind of stressing about, because if I didn't know it was right now, I'm not going to go do the work right now. Yeah, so there is the counter to that. Sure.

One of the other things I've got on here is that most vendors know that your RFP was built around your favorite product. We know this. A lot of times the first thing I get asked when the RFP comes into our company is, take a look through that and see which vendor it was written for. And if we look at it and it looks like they legitimately wrote an RFP based off their needs or requirements, we're going to submit to it. If we look at it and we see a lot of marketing that our vendors put in there, then we're probably going to pass on that. That's why you don't get a lot of responses to your RFPs: it's a lot of work, and a lot of times there's no reward from that. But I will tell you, we have won RFPs that our vendors have put stuff in for; sometimes we have time for them. But the other side of that is, don't let vendors write your RFPs, because if I do, I'm going to put in all my cool things that I can do that the other products out there can't do. Have you got any experience with that? By policy, we do not respond to RFPs if we have an existing client relationship. So we're a reseller, right? Our ideal position is we don't care what you buy, but buy it from us and we'll help you through the process. So my perspective is, I've had salespeople that want to chase, like, city RFPs, or they have a big RFP and they think it's their in, and I'm like, no, by policy we don't do it. We'll help you write it, for sure. And a lot of times I've gotten, like, 30-page RFPs, and at the end I'm just copying and pasting answers, because it's the equivalent of homework your senior year of college or high school. It's worse; it's like your term paper. It's the most horrible, and we get through it with the least amount of work that we possibly can. Yeah.

Swag, RSA conferences, drinks, my airfare: customers are paying for that, and that's an uncomfortable truth that I say, and I realize that there's probably, hopefully, none of my customers in here right now, but that is baked into the price of the product that you buy. So whenever you do wear the T-shirt, or whenever you go to the conference and you see the name outside, that comes from a budget. And so, can I counterpoint, since I'm up here? I'm paying for this out of my pocket. We're small; we don't have a huge marketing arm, because we have to market our products and things like that. We're a reseller, so if I can't bring leads in, real potential opportunities, home, I don't charge my employer. So if you guys can give me a business card, at least one, I can justify this. I'm kidding.
Can I ask? So I want to ask everyone here, what do you do? You're experienced security folks, so is that your... Well, it's really management of the engineers. At the end of the day it's the engineer types that need to make the recommendation, and usually their boss just kind of signs off, right? It's changed over... Now some... We're actually signing now. Sometimes we don't know who signs. Sure, sourcing is now involved. Yeah, that's just a pain in the butt. But from our perspective it's great: you can deal with a contract, which means legal, right, and they're going to sign the contract and actually hold the contract, but they ask us, should we buy this, is it the right one? It's kind of interesting, because I have seen a shift towards that. I'll tell you, still, though, my boss, my sales guys, they're still going to figure out who the boss is and they're going to talk to him. And I had that happen to me when I worked at Blue Cross. I was doing an RFP, I was doing a whole process for a DLP solution, and my sales guy called in to our receptionist and said, hey, I can't get in touch with Eric, who's sitting right there, I need to talk to his boss, it's a very important, urgent thing about a PO we're having some problems with. And he got my boss's number, and suddenly he's calling my boss, and my boss is like, why is this guy calling me? This is your project; why is he talking to me? And I was very infuriated. So you know, you want to keep track of... Yeah, it is very unethical, in my opinion. That's what I would consider, like, a severe violation, right? Yeah. So what you just described is Rapid7 basically; I'm not sure why you like them so much. We like them, we love them as a reseller, because nobody wants to buy stuff from them but about their stuff... Go to DEF CON, go to the Palms, that's why I like Rapid7, they have the best parties out there. They do. That's a way to choose. Yeah, and HD is a really cool guy. But I'll tell you, there are companies similar to Rapid7 that just run the boiler room type sales team. They have an inside sales team, they're pounding the phone all day. If you don't return their calls, you know, "I don't want to talk to them anymore, talk to someone else." They sometimes work that way; they exist at all companies. It's not even security, it's even in general.

Here's another little trick: if you meet the sales guy's boss, if he shows up, you're either a big fish or the guy's about to get fired. And I've seen that happen a lot of times: suddenly our VP is like, hey, I want to go on a trip with you guys, and then you realize these guys are getting ready to spend several millions of dollars with this, or you realize that this guy hasn't hit his quota for three or four quarters in a row and we're trying to manage some transition right there. So that's one thing to keep in mind. And vendors also play favorites as well. If you talk to a vendor like us and we have a preferred partnership, where we have a partner that's brought us a lot of deals in the past couple weeks, we'll sometimes push you to them, to feed them, to give them opportunity. Or if we like this company here more than that company, or we like this engineer more than that one, we're going to work with the people that we like, the people we think are going to get the deals done for us. And that's also an unfortunate part of the game. Yeah, and so from a reseller standpoint this is a very important part of our business, right, because obviously we want to position solutions that work, right, that's number one, but the business side has to be there. We have to have good relationships with the people, we have to make money on it. I mean, if they're going to give us, like, 10 points on a deal, that's not an option for us; we need to keep the business alive. And we spend a significant amount of time negotiating with the partners on give and take. We bring you large opportunities, and then we expect you to hand over and introduce us to certain clients. I mean, that is our very clear expectation, and we will drop vendors, or partners, if we find that they're perhaps bringing in competitors too often or something like that. Yeah, we had that, again, the same experience when I was at Blue Cross. There was a DLP product, we were working with the vendor, we loved the vendor, the vendor was doing a great job, and at the last minute he comes in and goes, yeah, we've got to do this PO through this other company. I'm like, well, we don't want to do business with them, we want to do business with you guys. Well, we have to, it's this requirement we have, and it's because we don't do anything directly. That wasn't the case at all. I mean, he was just trying to feed the vendor to get them some stuff, because they had so many authorized engineers that were allowed to do professional services and other things.

Which is the other game as well: the professional services game. A lot of times you'll take a cut on the product in order to sell 20,000 hours of professional services you may or may not need. Yeah, we... So this was actually a huge thing. I worked at ISS for the better part of the 2000s, and professional services, we were always the red-headed stepchild by design. The services were not to exceed 20% of the company revenue, because it changed our multiplier when IBM... and I'm here to say it worked. But so we had no marketing, we had very little enhancement; we were a really, really awesome consulting team and we succeeded in spite of the lack of support. But we would constantly get... it was a struggle, because clients never wanted to pay for the services. The salespeople obviously wanted the deal, and they wanted the... Part of how they positioned the product is that it's easy and you don't need a whole bunch of services to sell it. Well, guess what I was doing a year later? I was going back in, I was cleaning up their database, I was tuning their IDS, I was writing up procedures for analyzing... there's all these things that just didn't occur, and I had some really large environments that were blowing up and security tools that would be orphaned and things like that. So we were the opposite: the selling of the services was not done as much as it should have been. Yeah, so the way to look at the other side is, if you need the services, if you don't have the team, or you don't have the expertise, or you don't have time to go to the boot camp, sometimes the trainings are another way to look at that and offset that. But can I also make another point real quick? Go ahead. So now, as a reseller, what we find we're often doing is... I'm still a consultant at heart, that's what I do. And for example, we just had a client that bought an HSM, and so we truly want to differentiate ourselves as a reseller, because it's very competitive, and we have our skill sets and we spend a lot of money on security people, so we want to put them to use. So we look at it and say, okay, where can we add value? And so now what we'll do... we would love to sell services, but now we try to give away services just to differentiate ourselves, so that they buy it from us instead of another reseller. And we actually do the other thing. We don't have a professional services arm, because we want to make money on the products, not the services, so we try to get our partners to do our professional services for them.

I've got two short slides here,
but this one here I was going to show some of how you're hacked by your vendors. One is the question that only one guy can answer. That's a silly little trick that I learned when I was waiting tables that a lot of sales guys use, and that's when you've got your boss and a couple other people in the room and you don't quite know who's making the decision. So you ask a question like, so, is this something that you guys... is your budget currently ending in January or February? And you look and see whoever everyone looks at, and that's the guy who you're ultimately going to be selling to. That's how you figure out the pecking order. And then the other one is, yeah, she knows you're looking at her. If you've got a female who's selling the product and she's wearing a low-cut shirt, she knows, as a guy, that some of you guys are checking her out, and sometimes that's by design. We've had sales girls that have come through the office, and they come to the office and they're wearing sweats and all that, and they go to a sales meeting and they're looking very, you know, sultry. That's sometimes by design; it's a technique, it's a tool, just like being best friends with Brett Favre and mentioning that when you're at the dinner table. It's the same technique. Sorry, Elizabeth. No, it's true. I was just thinking there, I've seen some funny stories, not so funny, embarrassing actually for our gender, but yeah.

There's also the leading questions. And I put this on Twitter yesterday, and it's the most ridiculous question in the world: how important are your goals to you? Is there any possible way to answer that that doesn't set the sales guy up for the next question of, so you'd say this is a pretty important goal, to solve this problem? It's ridiculous questions that they'll ask that get you kind of nodding your head, and the idea is you get them to nod their head two or three times, and so then you say, so you would say this is a product that's going to fit your needs, right? So when can you buy? And then there's the brute force honesty. I like to use that, and it's a technique where you just tell them, look, we suck at this part. Like our log product: we're not a SIEM, we suck at SIEM, we're not going to ever beat ArcSight on that product feature, but we're great at blah blah blah, we're good at this, we're good at that. That's one way your vendor hacks you: he gets you to realize that, oh, he's being honest with me, he's looking out for my best interest. They trick you by being honest with you. I don't trick anybody; that's why I've got her up here, so she can call me out. And then there's the divide and conquer. I mentioned this earlier. This is one where they try to get two conversations going on two sides of the room, and while I'm having a conversation with you about speeds and feeds and bandwidth, he's having a conversation about, so you really like this? Do you want to move forward? Is this something you think we can get done in the next two weeks? Okay, I'll get you the paperwork over this afternoon, let's go ahead and sign it. And so they try to have the conversation split off. That's something you've got to watch out for. But so let me ask you that: does that hinder, I mean, at the end of the day, do you run into unexpected roadblocks in the 11th hour because the tech dude is like, I hate this product, and then suddenly you have 10 things that you have to overcome? That... we've got two different issues. We're a renewal-based company, and so we've got hunting and we've got farming, right? We've got new deals we go after, and then we've got deals we try to upgrade, and then we've got renewals. That is a customer satisfaction issue, is what that creates, and that's why we try to avoid that. But it does, when your boss, or your boss's boss, whenever they buy something that you're not aware of and you've got to use that product, that's the thing where you spend all year complaining. You're like, I can't get it working, I don't know what it's doing, I can't do this. Hey, these other guys are going to come in and show us a product, it's going to be even better than that. And they get thrown out the next cycle. So yeah, that absolutely happens.

Open source, more like boring source. That comes up a good bit as well; that's a note I want to take. It's absolutely true they can sell around open source. It's an easy thing to sell around. It's the fact of, well, yeah, absolutely, open source can do stuff as good as my product, and there's products out there that are even better than our products, but you're going to spend a lot of time behind it, you're going to spend a lot of work behind it. If your guy who understands it inside and out, who knows how to rewrite it and reprogram it, decides to leave or gets hit by a bus, the product's gone and you've got to talk to me anyway. So that's another way they try to hack you: to keep you off the open source topic. That's all true. Yeah, it's not a hack, it's the truth. You're absolutely right, it creates a single point of failure in a lot of cases, which is the person that has to run it. And then the "nice to meet you, who do you work for?" We talked about that a couple times already.

The last thing I've got here is how you can hack your vendors back, and this is probably... the things happen, but you've got to also start the conversations off feeling out the vendor, finding out how sincere he is about wanting to do business with you, find out if he understands what your needs are. Ask questions. Research the guy you're talking to, find out where he's worked. If he's only been with the company for a week or two, he probably doesn't have a solid grasp of the products he's trying to position. He's probably looking for one or two key words. When you say compliance, he's like, oh great, I've got a great product, it's going to solve it, it's PCI in a box: you pay one check and you're PCI compliant and you're out the door, and I can cash that check tomorrow. So can I jump in here? I agree with your point. Another thing that I like to do is I like to go look at the vendor job descriptions, or see what positions they have available. When they have 40 positions available for DLP and they don't have a DLP product, or something like that, guess what they're going to be calling you about next week. And if you see that their requirements are two years' experience in IT for a senior salesperson, that should tell you something. Yeah. Also, other cool stuff you can find out is, if you look at the development positions, you can see what the platform is built off of, and you can find out that really, under the hood, it's running Windows and using C or some kind of programming language that's no longer supported. That might be a red flag; this product might not be around much longer. Gotcha.

Ask for references and call them. I can't tell you how many times people ask us for references and we give them the guys' names and they never call; they just want to make sure you've got them. This worked for me when I was doing my DLP project at Blue Cross. I got a list of references from two different vendors, and one of the vendors, I called the guy up, and the guy's like, yeah, we love it, it's a great product. I'm like, well, how do you currently have it deployed? Well, I only have it in a lab, because we're DoD, we can't really put it on our production network, but it works great in the lab. Like, so you haven't really used this in a production environment? Well, no, but we followed their test plan and it worked perfectly. So of course it did. Call them out on that. And then after they've shown you the goods and you've seen a lot of vendors, then start the RFP process again. You might not get a lot of responses, but find out what your needs are, find out what you liked about the product, what you didn't like, and then decide what you want to get from that. And just be realistic about what you're looking for, and try not to buy into the bloat and the features that are added because Gartner didn't put them in the right quadrant. Yeah, also, that's another thing: pull up Gartner, look at the quadrant, look at the cons they have over there, and ask them about that. I mean, it's just like if someone comes to interview and they've got a weak spot, ask them if they've improved that. Say, what are you guys planning to do? Gartner says you guys stink at this; are you guys investing in that, are you going to improve that? The other things: ask for a sixty-day guarantee on pricing. And make sure you're researching in good faith. Be honest; tell the guy, I'm not looking to buy anytime soon, I just want to know what's out there. Or if he calls you: I'm willing to look at your products, I don't have a lot of time and I don't have time to get into a sales cycle, so I'm not buying this year, but I'd love to look at your products, and next year there might be a fit for it. But expect that call towards the end of Q3 saying, hey, next year's coming up fast, you want to go ahead and start talking?

And then the last few things: price is often a deciding factor, but make sure you have a reason for buying what you're buying. And then go to lunch, talk to the SE; they're the ones that know how the product really works. Don't waste a lot of time with the sales guy unless he's the guy you need to be talking to. If you're worried about price, you're worried about company reputation, stuff like that, that guy's going to have some answers, but he's not going to know stuff about the road map, he's not going to know stuff about blind spots in the product. And then the last part, I've got my contact... Can I add just one point? Please do. Consider a reseller, finding somebody that you trust, and I'm serious, since I'm not just plugging our business, but find someone that you trust, that you can talk to, that knows the full breadth of the industry, that spends time with it and can tell you the good, the bad and the ugly. Yeah, someone that's really plugged into the industry. The good point of that, I'll ask real quick, is we do have that happen a lot of times, where a VAR will come in and they will be the trusted adviser for the people. They will hold us off and keep us at arm's length. So if you have a good one, you can tell them, look, I don't want to hear from any of these vendors directly. I want to talk to you; if I have a question I ask you and you get me the answer to it. If I want a conversation with a vendor, you're going to arrange and set that up so I can talk to the vendor or their engineering staff, but I don't want this guy showing up randomly, I don't want him calling my bosses. And they're going to be the people that say, all right, I'll keep them at arm's length, and I will tell them he's not interested, this isn't the right product for him. They'll break up for you, if you will.

Glassdoor.com? Yeah, yeah. Do you ever use that? Sometimes we do. Glassdoor, LinkedIn. Glassdoor is kind of interesting, because a lot of times we use that for our competition when we're scouting out other salespeople; it kind of gives you an idea of how much they're making and how much you've got to offer to pay them. But we also use that to figure out disgruntled employees. If they have a known list of security engineers that say these guys buy the worst products and they don't ever consult us and everything, well, you've got a good idea of who you're going to be talking to and who's going to be deciding on your product. It also lets you know, if you're talking to an analyst who loves your product, it doesn't matter; it's still his boss that makes that call of whether he's going to get it or not. On customer references, big things to try: reach actual customers. It depends on the install base. We've got like 1,600 customers across lots of verticals. I would recommend: ask for someone that's in your same vertical space, ask for someone that's local if you can. And the reason why is because you might be able just to say, hey look, this is great, do you go to any ISSA meetings, or are you going to be at this thing next week? And then you can talk to them face to face. Because let's be honest, references don't reference your product just because they absolutely love it. Those guys exist, but in a lot of cases they're getting better discounts. We've flipped them an iPad for doing something like that in the past. There's some quid pro quo there. But if you look someone in the eye you can figure out real quickly whether they legitimately like the product, whether it legitimately meets their needs, which those guys exist, or are these guys just doing it because they're in bed with a vendor and they have a great relationship with them. Yeah, and have a conversation too, right? Sometimes you can tell if they're tight-lipped and it's a yes/no answer. Like, we give references for our services. I strongly encourage... typically, because we're under NDA with the services, I can't say what we're doing, I can't tell the person that's calling, but I strongly encourage them to have a conversation and not just ask yes/no. Yeah.

Any other questions? All right, thanks guys, I appreciate it. I promise you guys I'm not as schmoozy as I appear; I'm actually a legitimate guy and I've got a soul. Eric's company actually is one of the good ones, I will say. Thank you, I appreciate that. Hope you enjoy that iPad. All right guys, thank you all.