Network Security Forensics Global Market
How Much Forensics Do You Need?
An Executive Brief prepared for Lancope, now a Cisco company

Christopher Kissel
Analyst, Knowledge-Based Security
Information & Network Security
Key Findings

Frost & Sullivan estimates network security forensics vendors sold $967.6 million of network security forensic appliances and related services in the base year of the study, 2014, an improvement of 15.5% over 2013.

For 2015, much is expected to be the same. Anticipated revenues in network security forensics are $1.13 billion, a 16.4% improvement.

In the years 2014 to 2019, the physical appliance form factor will be the largest product group in terms of revenue. In 2019, network security forensics physical appliances are projected to have revenues of $1.34 billion. However, of the product types, physical appliances will have the slowest CAGR, at 13.9%, during the same forecast period.

Frost & Sullivan expects software-as-a-service (SaaS) to be the fastest rising product group in terms of CAGR with 26.0%, although this is largely attributable to the lack of SaaS products available.

North America accounts for most network security forensics sales, with 76.1% of all global network security forensics revenues in 2014. In 2019, Frost & Sullivan expects that share to drop to 73.4% of all revenues.

In 2014, Frost & Sullivan estimates there are 10,669 commercial network security forensics installations. By 2019, Frost & Sullivan estimates there will be 17,333 installations.

In 2014, the average annual contract price (ACP) for network security forensics products to a company is $90,640. In 2019, the ACP will be $117,343.

The biggest vendors in terms of revenues are Blue Coat Systems, NETSCOUT, and RSA. These companies are noted for their high line-rates (meaning lossless packet ingestion and translation).
Key Findings (continued)

In this study, Frost & Sullivan discovered five types of network security forensics product origins/architectures: (1) traditional network security forensics and packet capture, (2) network recorders, (3) application performance monitoring and application aware network performance monitoring (APM and AANPM), (4) security information and event management (SIEM), and (5) continuous monitoring.

The differing approaches to network security forensics occur because customers have budget and personnel constraints, and own existing cyber security tools. See "Network Security Forensics Origins by Technology Types" for a larger explanation.

Traditional network security forensics and packet capture is the predominant technology in the largest network security forensics deployments.

Continuous forensics and SIEM are increasing market share for companies with 1,000 to 9,999 endpoints/log sources.

Network recorders, and APM and AANPM, have roots in video and telecom and are adapting their platforms for other types of networks. Savvius (was WildPackets until April 2015) and Viavi Solutions (was JDSU until August 2015) are influential vendors in AANPM.

The same vendors would emphasize that network security forensics is a last-resort technology. Blue Coat Security Analytics, NETSCOUT nGenius, and RSA Security Analytics would optimally be used to gain network visibility and to alarm security teams as a security incident becomes known.

Understanding that these platforms do have threat detection capabilities, network security forensics is an important technology. Without a proper post-breach forensic investigation, the ability to remediate damages from the current threat, as well as the ability to properly mitigate future threats, remains very much in doubt.
Market Overview
Market Overview

Despite the best efforts of security professionals and the proficiency of cyber security tools, security breaches occur. This report is about what happens when a security breach does occur.

o In 2014, Trustwave conducted a study of its customers and determined that 58% of security breaches were discovered by regulatory bodies, banks, or credit card processors. Another 12% were discovered by law enforcement (see "Most data breaches still discovered by third parties", Security, ComputerworldUK).

In network security forensics, a fissured approach to investigations exists. The debate is whether a company needs to capture all packets that come across its network, or whether its platforms can use packet headers and metadata to investigate a security incident. A wider discussion about the fissure is included throughout the report, but begins in earnest in the section titled "Network Security Forensics Origins by Technology Types."

Companies that have forensic capabilities with full packet capture include Blue Coat Systems, FireEye, RSA, NIKSUN, and NETSCOUT.

o For companies offering full packet capture, the key differentiators are capacity (line-rate) of lossless packet recording, storage capacity, ability to add metadata and account for flow data, ease-of-use with search tools, extensibility, and the quality of packet analyzers.

o One advantage to using full packet data is the ability to see every bit in the packet. Often malicious code will leave the same footprint on the payload of infected packets.

Integrating with other security platforms helps the efficacy of the network security forensics platform. Data from vulnerability management or intrusion detection and prevention systems (IDS/IPS) can be taken in as flow data to provide additional context.
Market Overview (continued)

An important point to make is that the companies that Frost & Sullivan identifies as having network forensic capabilities would rather be recognized as companies that offer continuous security, be it threat detection, network recording, or network performance monitoring.

The large traditional network security forensics and packet capture companies (Blue Coat Systems, NETSCOUT, and RSA) own the predominant share of network security forensic revenues.

o The problem is that these platforms start at $100,000 and can approach $1 million. Self-evidently, smaller companies cannot afford these platforms.

The need exists for network security forensic tools that are not as expensive. Vendors in security information and event management (SIEM) and in continuous forensics are able to craft less expensive solutions by keeping packet headers and attaching metadata for context. Several companies offer handheld-sized network recorders for point-of-sale (POS) terminals.

In the report, the average customer price (ACP) is the cost of all hardware deployed as a solution. This does not include service and maintenance packages.

The report addresses how network security forensic solutions are crafted for various vertical markets, use cases, and budgets.
Network Security Forensics Role in APT Defense

Advanced Persistent Threat (APT) Defense is not a technology but a collection of technologies that are used in concert.* Defenses are put into four categories, based on two vectors:

1. Status of breach (Pre- or Post-Breach)
2. Human involvement (Manual versus Automated)

This report focuses on Network Security Forensics, which are:

Post-Breach
Manual

[Figure: quadrant chart with axes Pre-Breach/Post-Breach and Manual/Automated (arrows labeled "Post-Breach to Pre-Breach" and "Manual to Automated"), placing Honeypots, Network Security Forensics, Sandbox/Deception, and Advanced Network Monitoring & Analytics.]

*From June 2015, Network Security Sandbox Analysis Market: APTs Create a "Must Have" Security Technology, NF0F-01.

Note: All figures are rounded. The base year is 2014.
Market Overview: Network Security Forensics Post-Breach

Ideally, analytical tools or an integrated cyber defense grid have deflected an attempted intrusion or alerted a security team that an attack is happening before much damage is done.

Defining the scope of network security forensics is necessary because loosely defined criteria change the argument. If left underdefined, several advanced persistent threat technology vendors can claim network security forensics capabilities:

o The tools that are used in alerting security teams about an advanced persistent threat (APT) are similar to forensics analysis.
o Intrusion detection/intrusion prevention systems (IDS/IPS) claim visibility of a threat.
o Behavior analytics claim breach discovery when data is reconciled.

Unfortunately, breach detection is often made by third parties:

o A livid customer complains about identity theft.
o A sandbox or some other form of deception indicates a breach is happening.
o The Federal Bureau of Investigation (FBI) notifies a business owner of malicious activity.
o Network performance is noticeably lagging.
o A breach is discovered in a threat intelligence exchange grid.
Market Overview: Security Incidents versus Breaches

As the study progresses, the terms security incident and breach will be used in the report. While the terms are loosely related, each has a separate meaning.

A security incident occurs anytime an alarm or ticketing system creates an alert. The vast majority of security incidents are not breaches. The following are examples of security incidents that may occur but are not breaches:

Geolocation. An analytics system notices that an end user is accessing a server in Poland. In fact, the end user is on a conference call to Poland, and the activity is an approved activity.

Bandwidth consumption. An end user is downloading or uploading 3X the amount of data that the end user normally does. In this case, it is materials for a sales call, and while an alert is generated, the activity is not a breach.

Server configurations. Servers are reconfigured to add new employees to a Lightweight Directory Access Protocol (LDAP) directory. The rerouting causes alarms to sound, but no breach has occurred.

The ability to detect security incidents has an ambiguous effect. If too many alarms are sounded, a security team will use valuable resources trying to determine if a security incident is an indicator of compromise (IOC). Often, no vulnerability or breach has occurred.

We work with the assumption that vulnerabilities can exist in all types of cyber defense technologies. Pragmatically, an IT/security team cannot prove a negative: that a certain piece of software is completely vulnerability free.

There is a gray area between a security incident and a breach. The gray area occurs when a security tool reveals a vulnerability. If a company's security tools are able to remediate (patch) the infected endpoint/log source/OS/application before a breach occurs, for the purposes of this report, this remains a security incident.
Market Overview: Security Incidents versus Breaches (continued)

A zero-day threat also is in the gray area. While the malware remains dormant and undetected, it is neither a security incident nor a breach. Admitting that the words are a matter of semantics, a zero-day threat is a non-incident unless it is detected or detonates.

Worth noting, IBM X-Force finds that nearly 80% of all vulnerabilities detected will never be exploited. Additionally, in 2013, IBM showed that only 7% of public vulnerabilities were victim to a true exploit.

In the Common Vulnerability Scoring System (CVSS) v.2, a vulnerability will either allow an attacker unauthorized access to files, create a condition for denial of service, or allow a miscreant to modify files.

For a breach to occur, all three of these conditions must be met:

1. A breach is the establishment of an unapproved presence within a proprietary network. The breach condition involves deliberate penetration and intrusion attempts, and successful actions after initial access.

2. The end user or network has to be exploited. An exploit includes an action resulting from unauthorized access, denial of service, file modification, or outright data exfiltration. The end user provision covers instances in social media where an end user (not a network per se) has been exploited.

3. A network security forensics investigation has to be initiated. A network security forensics investigation occurs when an exploit becomes known to an IT/security team and a material change has occurred on the network. Also, a network security forensics investigation is often initiated after a security incident is investigated and the security incident remains undefined.
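The distinction above, worked as an added example that is not part of the original brief or of any vendor's product: the geolocation and 3X bandwidth alerts are raised from per-user daily flow summaries, then triaged so that only incidents that remain undefined are passed on for a forensic investigation. The flow records, user names, the "ZZ" country code, and the approved-activity register are constructed or hypothetical.

```python
from collections import defaultdict
from statistics import median


def history_rows(user, country, daily_bytes, days):
    """Constructed 'normal' days for one user."""
    return [(f"2015-11-{d:02d}", user, country, daily_bytes) for d in days]


# Constructed daily flow summaries: (day, user, destination country, bytes).
# "ZZ" is a placeholder country code.
FLOWS = (
    history_rows("alice", "US", 400_000_000, range(2, 7))
    + history_rows("bob", "US", 500_000_000, range(2, 7))
    + history_rows("carol", "US", 300_000_000, range(2, 7))
    + [
        ("2015-11-09", "alice", "PL", 350_000_000),    # conference call to Poland
        ("2015-11-09", "bob", "US", 1_600_000_000),    # sales-call materials
        ("2015-11-09", "carol", "US", 310_000_000),    # ordinary day
        ("2015-11-10", "carol", "ZZ", 2_900_000_000),  # nothing on file explains this
    ]
)

# Hypothetical register of approved activity, keyed by (day, user, alert kind).
APPROVED = {
    ("2015-11-09", "alice", "geolocation"): "conference call to Poland",
    ("2015-11-09", "bob", "bandwidth"): "materials for a sales call",
}


def detect(flows, multiplier=3.0, min_days=3):
    """Raise a security incident for each user-day that breaks that user's own baseline."""
    per_day = defaultdict(lambda: {"bytes": 0, "countries": set()})
    for day, user, country, nbytes in flows:
        per_day[(user, day)]["bytes"] += nbytes
        per_day[(user, day)]["countries"].add(country)

    seen_bytes, seen_countries = defaultdict(list), defaultdict(set)
    incidents = []
    for user, day in sorted(per_day, key=lambda k: (k[1], k[0])):
        today = per_day[(user, day)]
        if len(seen_bytes[user]) >= min_days:          # need some history first
            baseline = median(seen_bytes[user])
            if today["bytes"] >= multiplier * baseline:
                incidents.append({"day": day, "user": user, "kind": "bandwidth",
                                  "detail": round(today["bytes"] / baseline, 1)})
            for country in sorted(today["countries"] - seen_countries[user]):
                incidents.append({"day": day, "user": user, "kind": "geolocation",
                                  "detail": country})
        seen_bytes[user].append(today["bytes"])
        seen_countries[user] |= today["countries"]
    return incidents


def triage(incidents, approved):
    """Split incidents into explained ones and ones that remain undefined."""
    explained, undefined = [], []
    for inc in incidents:
        reason = approved.get((inc["day"], inc["user"], inc["kind"]))
        (explained if reason else undefined).append({**inc, "reason": reason})
    return explained, undefined


if __name__ == "__main__":
    explained, undefined = triage(detect(FLOWS), APPROVED)
    for inc in explained:
        print("incident, not a breach:", inc)
    for inc in undefined:
        print("undefined, candidate for forensic investigation:", inc)
```

Four alerts are raised from these records; two match approved activity and close as incidents, and the two that remain undefined belong to the same user on the same day.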
Market Overview: Definitions

A formal network security forensics event will offer these characteristics:

1. Tooling. Network forensic tools are designed to help a security analyst investigate a post-breach incident manually.

2. Session replay. If a breach occurs, a forensic analysis must be able to reconstruct the event. The degree of fidelity matters.

3. Packet capture. A network security forensics investigation must include, at a minimum, packet header data. Full packet capture provides the most visibility and truest fidelity, although, in many cases, storage limitations may make the request for the full packet recall impossible.

4. Log metadata required. Types of log metadata include syslog, internal mapping, Dynamic Host Configuration Protocol (DHCP), the Display Log (DSPLOG), which shows a system's history log, destination IP address, and packet header information. Network behavioral anomaly detection (NBAD) is a highly useful and highly prevalent capability.

5. Time stamping capabilities. Events have to have a logical time sequence. This seemingly obvious but benign technical capability is difficult to achieve over multiple locations or within a cloud environment.

6. Remediation. A forensics investigation must be conducted in such a way that the conclusion of an investigation leads to what must be done to remediate the incident.
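Items 3 to 5 above, combined in an added example that is not part of the original brief or of any vendor's product: packet-header (flow) records from two sites are put on one clock and attributed to hosts through DHCP lease intervals. Sensor names, clock errors, leases, and flows are all constructed; the point it shows is that an uncorrected 42.5-second clock error at one site changes both the event order and which host an address is attributed to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed, constructed values: each sensor's clock error in seconds
# (sensor clock minus reference UTC), measured when the evidence was collected.
CLOCK_ERROR_S = {"hq-core": 0.0, "branch-7": 42.5}


@dataclass(frozen=True)
class Flow:            # packet-header metadata only, no payload
    sensor: str
    stamped: datetime  # time as written by the sensor
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int


@dataclass(frozen=True)
class Lease:           # one DHCP lease, valid over the half-open interval [start, end)
    ip: str
    hostname: str
    start: datetime
    end: datetime


def utc(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def holder(ip: str, when: datetime, leases) -> Optional[str]:
    """Host that held `ip` at `when` according to the DHCP log, if any."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.hostname
    return None


def timeline(flows, leases, correct_clocks=True):
    """Ordered rows of (time, source host, dst_ip, dst_port, bytes)."""
    rows = []
    for f in flows:
        error = CLOCK_ERROR_S[f.sensor] if correct_clocks else 0.0
        when = f.stamped - timedelta(seconds=error)
        host = holder(f.src_ip, when, leases) or "unattributed"
        rows.append((when, host, f.dst_ip, f.dst_port, f.nbytes))
    return sorted(rows)


# Constructed sample evidence. 10.20.0.57 is re-leased at 14:00:00.
LEASES = [
    Lease("10.20.0.57", "laptop-a", utc("2015-11-10 08:00:00"), utc("2015-11-10 14:00:00")),
    Lease("10.20.0.57", "laptop-b", utc("2015-11-10 14:00:00"), utc("2015-11-10 20:00:00")),
    Lease("10.10.0.8", "ws-hq-8", utc("2015-11-10 00:00:00"), utc("2015-11-11 00:00:00")),
]
FLOWS = [
    Flow("hq-core", utc("2015-11-10 13:59:50"), "10.10.0.8", "10.20.0.57", 445, 1_200),
    Flow("branch-7", utc("2015-11-10 14:00:30"), "10.20.0.57", "203.0.113.10", 443, 48_000_000),
    Flow("branch-7", utc("2015-11-10 14:05:00"), "10.20.0.57", "198.51.100.4", 443, 3_000),
    Flow("hq-core", utc("2015-11-10 14:06:00"), "10.10.0.99", "10.10.0.8", 22, 900),
]

if __name__ == "__main__":
    for label, fix in (("corrected", True), ("as stamped", False)):
        print(label)
        for when, host, dst, port, nbytes in timeline(FLOWS, LEASES, fix):
            print(f"  {when.isoformat()}  {host:<12} -> {dst}:{port}  {nbytes} bytes")
```

With the clocks corrected, the 48 MB transfer moves ahead of the headquarters flow and is attributed to laptop-a; read as stamped, it would be attributed to laptop-b, which only received the address seconds later.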
Competitive Analysis
Mergers and Acquisitions

Columns: Current Company; When; Results of Acquisition

Lancope; October 2015; On October 27, 2015, Cisco announced its intention to purchase Lancope, Inc. for an estimated $452.5 million in cash and stock. Lancope will help enhance the Cisco Security Everywhere Strategy. Plans to rename or rebrand Lancope platforms have not been announced.

Dell; October 2015; In October 2015, Dell, Inc. announced plans to purchase EMC Corporation for $33.15 a share, which equates to $67 billion. Many analysts agree that VMware and EMC storage were more integral in making the deal than the acquisition of RSA, the security division of EMC. No announcements pertaining to RSA have been made.

Viavi; August 2015; JDSU spun off its commercial optical division. When this was done, JDSU renamed the company Viavi. Viavi has Network Enablement, Service Enablement, and Optical Security and Performance Products under its purview.

NETSCOUT; July 2015; NETSCOUT acquired the Danaher Corporation Communications Business. This includes Arbor Networks, parts of Fluke Networks, Tektronix Communications, and VSS Monitoring. Arbor Networks had the Packetloop platform that was capable of packet capture, big data analytics, security forensics, and visualizations.

Blue Coat Systems; March 2015; Bain Capital announced plans to acquire Blue Coat Systems for a reported $2.4 billion. No announcements were made about how products and platforms would be branded or affected.

Avago Technologies; February 2015; Avago Technologies has been very aggressive in acquiring technology companies, including the purchase of Broadcom in May 2015. Currently, Emulex security products are still branded Endace. Platforms relevant to forensics include EndaceVision Network Visibility Software, EndaceProbe Intelligent Network Recorder (INR), and EndaceFlow NetFlow Generator Appliance.

JDSU; December 2013; Then JDSU purchased Network Instruments for a reported $200 million. Network Instruments offered the GigaStor and Observer product lines for network performance, packet handling, and network forensics.

FireEye; December 2013; FireEye acquired Mandiant in a stock and cash deal for roughly $1 billion. Mandiant supplies APT knowledge, consulting, and professional services.

Blue Coat; May 2013; Blue Coat acquired Solera Networks. Solera Networks had the renowned DeepSee network visibility and forensics platform.

Emulex; December 2012; In December 2012, Emulex announced plans to acquire Endace. The transaction was completed in April 2013.

RSA (EMC); April 2011; EMC acquired NetWitness. At the time, NetWitness was the leading packet storage and analysis company. RSA, the security products division of EMC, has since integrated NetWitness into its Security Analytics platform.
Points of Competitive Differentiation

Network Security Forensics Market: Points of Competitive Differentiation, Global, 2014

Most Comprehensive use of Metadata Sources: Blue Coat Security Analytics
Best Analytical Platform for Network Security Forensics and Threat Detection: RSA Security Analytics
Most Comprehensive Product Portfolio for Enterprises: FireEye Network Forensics
Greatest Amount of Capacity: NIKSUN Supreme Eagle (10000 Series)
Best Hardware Design: Viavi Observer
Best Data Flow Management and Correlation: Lancope (now a Cisco company) Stealthwatch

Remaining categories, in the order listed: Best Network Security Forensics Integration Within a Dedicated Platform; Smartest Use of Packet Extraction; Most Interesting New Product

Remaining products, in the order listed: IBM Security QRadar Incident Forensics/Security Intelligence Platform (tie) Novetta Cyber Analytics (tie) PacketSled Continuous Network Security; Savvius Vigil
Points of Competitive Differentiation (continued)

Best Data Flow Management and Correlation: Lancope (now a Cisco company) Stealthwatch

Flow data refers to the many types of traffic that occur on a network. Traffic types that contain flow data include syslog, Common Log Format, sFlow, Internet Protocol Flow Information Export (IPFIX), OpenFlow, and PCAP.

Different protocols determine how traffic is routed within a network. Some protocols include protocols assigning traffic to different OSI Layers.

Lancope emphasizes visibility and analysis over network traffic. At some point, when traffic hits the network, the traffic is unencrypted. In fact, Lancope promotes the phrase "let the network be your sensor."

In addition to network security forensics, Stealthwatch is capable of network monitoring, threat detection, analysis, and threat response.

Stealthwatch has visibility over all network traffic without use of probes. To do this, Stealthwatch collects and analyzes network telemetry from routers and switches throughout the network. For devices that cannot export NetFlow, Flow Sensors can be placed throughout the internal network and at egress/ingress points in the network to achieve complete visibility of east-west traffic.

The UDP Director is a component of the Stealthwatch architecture. The UDP Director aggregates the traffic from Flow Collectors or from other flow sources, and forwards it in a single data stream to one or more destinations.

Stealthwatch can correlate telemetry data from different data flows and flows from other security platforms.
Points of Competitive Differentiation (continued)

Best Data Flow Management and Correlation: Lancope Stealthwatch (continued)

Stealthwatch tracks more than 90 behavioral attributes including DDoS attacks, same-source firewall denials, and high-volume emails.

In terms of capacity, Stealthwatch is robust. The platform can:

1. Store and analyze as many as 4,000 sources at 240,000 sustained flows per second (aggregated six million flows per second).
2. As many as 25 Flow Collectors can be aggregated on the same network.
3. Flow Sensor recognizes 900 application variants including major classifications such as mobile app, peer-to-peer, and social networking.
4. Packet Analyzer presorts packets. The platform allows for continuous packet capture, with a rolling buffer of up to 96 hours.
5. Supports up to 20 Gbps per sensor.
Lancope, Now a Cisco Company, Profile
Vendor Profile: Lancope, now a Cisco company

Overview

In 2000, Lancope was founded in Alpharetta, Georgia. Stealthwatch System is the main product line. Stealthwatch is a comprehensive security platform capable of network monitoring, incident detection, security analytics, network security forensics, and incident response. Lancope has had strong growth since 2010, and counts 35 of the Fortune 100 companies as clients.

Security Concept

The buzz-term that Lancope uses to describe Stealthwatch and what the platform does is "Let the Network Be Your Sensor."

The Stealthwatch platform is based on four concepts: monitoring, detection, response, and analytics. Here is how Stealthwatch is designed to achieve these objectives.

Monitoring. Stealthwatch has visibility over all network traffic without use of probes. To do this, Stealthwatch collects and analyzes network telemetry from routers and switches throughout the network. For devices that cannot export NetFlow, Flow Sensors can be placed throughout the internal network and at egress/ingress points in the network to achieve complete visibility of east-west traffic. The Stealthwatch Flow Collector analyzes traffic looking for anomalies in network flow.

o The platform achieves context and situation awareness over users and devices on the network.
o An advantage to an emphasis on network traffic is that network traffic cannot be encrypted. An intruder cannot evade detection by changing privileges.
Vendor Profile: Lancope, now a Cisco company (continued)

Security Concept

Detection. The Stealthwatch platform helps in threat detection in three ways. Anomalies can be discovered in east-west traffic monitoring. Behaviors of known APTs, insider threats, DDoS, and malware can be looked for inside the network. Lastly, Stealthwatch Labs offers its own advanced security algorithms that look for combinations of suspicious events.

Analyze. Using different sources or information gathered from Stealthwatch, Lancope can collect and analyze holistic network audit trails. Two big challenges remain in data collection. The first challenge is whittling down the number of possibilities in a formal forensics investigation. The second is using forensics to get to the root cause of a malicious attack.

Respond. The end goal of any cyber security defense is to reduce the mean-time to detect (MTTD) and the mean-time to respond (MTTR) to an attack. Response can be triggered by investigating links to malicious, or traffic patterns synonymous with communications from C&C servers, or from users migrating to uncommon parts of the network. With full visibility and contextual awareness, a security team can continuously improve its enterprise security posture.

The UDP Director is a key component of the Stealthwatch architecture. The UDP Director aggregates data from multiple sources, and then forwards it in a single data stream to one or more destinations, such as the Stealthwatch Flow Collector.

Stealthwatch can correlate telemetry data from different data flows and flows from other security platforms (see upcoming section "Integration with Security Partners").

Stealthwatch tracks more than 90 behavioral attributes including DDoS attacks, same-source firewall denials, and high-volume emails.
Vendor Profile: Lancope, now a Cisco company (continued)

Security Concept (continued)

The platform also establishes logical business boundaries. The network is segmented by characteristics affecting internal communications, external Internet, and activities consistent with command and control.

Stealthwatch has pre-set and configurable security event and alarm settings.

Network Security Forensics Technology

In terms of capacity, Stealthwatch is robust. The platform can:

1. Sort and analyze as many as 4,000 sources at 240,000 sustained flows per second (aggregated 6 million flows per second).
2. As many as 25 Flow Collectors can be aggregated on the same network.
3. Flow Sensor recognizes 900 application variants including major classifications such as mobile app, peer-to-peer, and social networking.
4. Stealthwatch Packet Analyzer allows for continuous packet capture, with a rolling buffer of up to 96 hours.
5. Supports up to 20 Gbps per sensor.

Stealthwatch Threat Intelligence continually updates behavioral analysis algorithms, adds new threat intelligence data, and performs feed validation, enhancing Stealthwatch.

Stealthwatch presorts packets, keeping the most useful. Packet Analyzer for intelligent packet capture uses a 96-hour buffer period.
Vendor Profile: Lancope, now a Cisco company (continued)

Network Security Forensics (continued)

A right-click on an incident pulls up the metadata and associated packets.

Flow Sensors can incorporate data from routers and switches that many platforms (and several SIEMs) cannot collect. (Currently, Flow Collectors can be deployed as virtual or physical appliances.)

The combination of session data and metadata provides a clean view of a network incident for forensic purposes.

Integration with Security Partners

Stealthwatch is a strong network monitoring and analytics platform that is used with other security platforms to strengthen the cyber security grid. Key technology integrations include:

o NAC. One key integration is with the Cisco ISE NAC platform. The Cisco integration is important because if a network anomaly or intrusion is detected, between the Lancope and Cisco platforms, devices can be isolated. The bidirectional communication creates a redundancy where NAC rules violations or suspected malicious activities create alarms. (Lancope is in the Cisco reseller program and Cisco is investing in Lancope-related branding.)

o Packet analysis. Stealthwatch is sometimes integrated with NetScout, BlueCoat Networks, Arbor Networks, and RSA Networks packet analysis platforms to organize metadata associated with a network event.

o SIEM. Stealthwatch is integrated with the leading SIEM platforms (HP ArcSight, IBM QRadar, McAfee ESM, etc.) to provide analytics and visibility.
Vendor Profile: Lancope, now a Cisco company (continued)

Integration with Security Partners (continued)

o Advanced malware. Lancope has integration partnerships with Damballa, FireEye, and Bit9 where behavioral analytics can be used to provide additional insight into suspicious signatures.

o Network security platforms. Stealthwatch monitors east-west traffic inside of a network, providing additional depth to Palo Alto Networks, Check Point, and Fortinet platforms.

o Endpoint. Stealthwatch integrates with leading endpoint solutions, including Ziften and Cisco AnyConnect (as of Q4 2015), to extend network visibility all the way down to the endpoint user context and activity.

Outlook

Lancope may have found a sweet spot in network monitoring and threat detection. Statistical baselines, behavioral analytics, and east-west traffic monitoring (all in Stealthwatch) are possibly the only ways to find suspicious activity within the network if a virus gets past an IDS/IPS system.
Market Engineering Methodology

One of Frost & Sullivan's core deliverables is its Market Engineering studies. They are based on our proprietary Market Engineering Methodology. This approach, developed across the 50 years of experience assessing global markets, applies engineering rigor to the often nebulous art of market forecasting and interpretation.

A detailed description of the methodology can be found here.
About the Author

Chris Kissel
Industry Analyst
Frost & Sullivan North America
Phoenix, AZ

Functional Expertise

Ten years of research and sales experience in the network security, cellular infrastructure, wireless, telecomm, PCs, semiconductor, and high-definition consumer device sectors.

- Presented a Vulnerability Management Analyst Brief, moderated an IBM Navigator on Cloud webinar, and served as a panellist on a Wireless Week webinar about cellular backhaul.
- Developing expertise in knowledge-based network security technologies: vulnerability management, SIEM, network forensics, network access control (NAC), and Internet of Things.
- Well-regarded analyst in LTE and cellular infrastructure.

Primary Research Domains

Industry Analyst on IT and Information and Network Security market strategies, business opportunities, and technologies.

What I bring to the Team

A synergistic viewpoint about network security technologies that involves threat mitigation, forecast techniques, vendor profiling, and in-depth report methodologies.
Ten years of experience in TMT (Technology, Media, Telecomm).
Experience with several research templates including primary research, in-depth research reports, Pivot Table, and PowerPoint deliverables.

Career Highlights

Moderator and guest blogger for IBM Navigator on Cloud project.
Published a report that forecast LTE cellular infrastructure shares by vendor, by region, and by operator.
Product endorsements for BeyondTrust, Qualys, and Fortinet.
Changed In-Stat LTE & Cellular Infrastructure service to be far more granular in backhaul and small cell coverage.
Worked with Fierce Wireless as a contributor to their annual Cellular Backhaul ebook.
About Frost & Sullivan Information and Network Security Research Programs

Frost & Sullivan's Network Security Research and Consulting practice provides global industry analysis, custom consulting, growth consulting, and market research & forecasts that help your firm grow.

Market Analysis: Information & Network Security

Advanced Persistent Threats (APT) Detection and Mitigation
Distributed DoS (DDoS) Attack Mitigation
Endpoint Protection and Security
Network Forensics
Identity & Access Management (IAM)
Intrusion Detection and Prevention Systems
Managed and Professional Security Services
Network Access Control (NAC)
Public Vulnerabilities
SIEM and Log Management
SSL Certificates
Strong Authentication
Unified Threat Management and Next-Gen FW
Vulnerability Management
Web and Email Content Filtering
Web Application Firewall (WAF)

Strategic Analysis: Stratecast Secure Networking

Examination of market dynamics
Creation and presentation of market dimensions
Examination of market participants' strategic movements
Creation and presentation of market growth recommendations

Advanced Threat Detection and Mitigation
Cloud Security
Desktop Virtualization
File Sharing and Synchronization
Hardware-embedded Security
Identity and Access Management (IAM)
Identity Assurance and Strong Authentication
Network Security Usability
Secure Containerization and MDM
Secure Software Development
Software Defined Networking (SDN)
Tokenization
Legal Disclaimer

Frost & Sullivan takes no responsibility for any incorrect information supplied to us by manufacturers or users. Quantitative market information is based primarily on interviews and therefore is subject to fluctuation. Frost & Sullivan research services are limited publications containing valuable market information provided to a select group of customers. Our customers acknowledge, when ordering or downloading, that Frost & Sullivan research services are for customers' internal use and not for general publication or disclosure to third parties. No part of this research service may be given, lent, resold, or disclosed to noncustomers without written permission. Furthermore, no part may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the permission of the publisher.

For information regarding permission, write to:

Frost & Sullivan
331 E. Evelyn Ave. Suite 100
Mountain View, CA 94041