IBM’s latest data-masking baby, MAGEN (Masking Gateway for Enterprise), is still in development at its research lab in Israel; as such, the name comes from the Hebrew word for ’shield’. The product uses optical-character recognition to tag and scramble sensitive data on the fly. It’s this masking in real time that IBM claims as a differentiator from the competition. The data is analyzed and sensitive information is blocked before it reaches the user. Administrators use a central console to configure masking and access control rules; and the product will be work with any data format, application, or operating system.

Other contenders in this developing space include Oracle, Camouflage Software, DataGuise, and Axis Technology. Data-masking technology has been around for a while in one form or another, but has often been managed ad-hoc within development shops, outsourcers or large companies. Its early days for data masking as a standalone industry. However with the continued trends towards outsourcing, the proliferation of sensitive data and stricter data privacy becoming a bigger issue with each passing year (not to mention the Obama administration’s push for electronic medical records) we think the ingredients are there for demand for data obfuscation and data masking tools to really pick up speed.

Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog post.

However “just before he left, according to the complaint, Mr. Aleynikov used his desktop computer at Goldman’s New York offices to upload a stream of code to a Web site hosted by a server based in Germany,” NYT reports. That data was later copied back to his laptop and what’s described as a “memory device.”

Goldman, it was reported, “noticed the surge of data leaving its servers,” but presumably was unable to block the transfer to the remote server.That turns out to be a big problem, as the code stolen was for so called “black box” computer programs that “Goldman uses to make lucrative, rapid-fire trades in the financial markets.” Those programs earn the firm millions a year, reportedly. And, though authorities have  Aleynikov in their custody, the IP he stole is still sitting on the hosted Wed server where he deposited it, NYT reports.

While its not clear what products were responsible for picking up the theft and monitoring the data flows, the incident is a great example of the gulf that exists between the marketing buzz around DLP - or data leak prevention - technology and the reality, even at top tier firms like Goldman Sachs. Presumably that firm has the pick of the litter of security technologies, the bankroll to purchase and deploy what they want and top tier IT staff to manage the products. The fact that Goldman appears not to have had a means of blocking the transmission outside its firewall of source code and proprietary algorithms whose value is described as “incalculable”  is…shall we say…eye opening.

To be sure: securing source code presents a unique challenge to DLP firms, which have tended to focus on data that might be used in identity theft or for other compromises — credit card and social security numbers, account numbers, names and so on. Today, content monitoring solutions often allow simple regular expression matching that could, in a ham fisted kind of way, be used to identify source code. Many Web filtering firms have or are adding support for features to identify source code files. At a deeper level, firms like Symantec/Vontu claim to be able to index document content (including source code files) then spot even snippets of protected content in transit. With roots in encryption, vendors like BitArmor go a step further: offering data level tagging — essentially metadata containers that travel with data, classifying it and specifying access rights, security policy (encryption) and so on. But tagging and encrypting the incredible diversity of code that resides inside an organization like Goldman Sachs is a Herculean task. And, as Mr. Aleynikov’s alleged excuse for the data breach (that he was merely trying to copy open source code he’d worked on) there are circumnstances under which the movement of source code files back and forth across the network perimeter might be allowed and desirable. On the other side of the fence, there are application protection firms like Arxan, Metaforic and VI Labs, which do a better job securing the underlying code, but have traditionally focused on blocking attempts to reverse engineer applications for piracy or industrial espionage, not spotting or blocking data flows. Finally, source code analysis outfits like Fortify and Ounce Labs, Core Security, Veracode and others focus on finding security holes in compiled or uncompiled code that might be exploited in attacks after applications are deployed.

Expect to see some of these areas of focus converging as more and more of an organization’s value comes to rest in the intellectual property locked up in internal applications and business processes. As we noted in a recent report on BitArmor, the advent of virtualization, private clouds and cloud-based services within the enterprise (as evidenced here in the unnamed hosted Web server the GS application code as spirited off to) challenge network-based DLP with a different set of requirements. Among them: monitoring data movements from local to cloud, cloud to coud or guest OS to guest OS.

The report states that the NAC market fell by 32% between the third and fourth quarters of 2008. Given the scale of the economic meltdown, and that an important NAC customer base lies with financial institutions that were hit hardest, this shouldn’t be surprising. But don’t despair: Infonetics forecasts NAC will be back on top by the end of 2009; and riding high as a $700m industry by 2013.

We don’t participate in market sizing or forecasting of the hard-numbered type. What we can say is that there’s been a considerable amount of movement in the NAC space over the past six months. Autonomic Networks and Nevis Networks have submerged while other players have managed to hold tight and even grow. In February 2009 StillSecure branched into managed services with ProtectPoint, while Trustwave acquired Mirage Networks; both deals combine NAC chops with managed services plays. Appliance vendor Nevis has decamped to India while ConSentry has recapitalized with a valuation far lower than the $80m to $90m put into the company. We expect this kind of movement and consolidation to continue over the next few quarters until NAC, along with the rest of the network security market, can pull itself out of this slump.

– Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog entry.

TJX announced Tuesday it had reached a $9.75m settlement with the group of 41 State Attorneys General investigating the now infamous 2006 breach that exposed up to 94 million credit and debit card numbers. The group was led by Massachusetts Attorney General Martha Coakley with the help of Attorneys General in Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.

Under the terms of the settlement, TJX must pay $1.75m to cover the cost of the states’ investigation and $2.5m to establish a Data Security Trust Fund available to states Attorneys General to enforce policy developments in data security and consumer protection. This leaves a paltry $5.5m in settlement fees to be split among the 41 states for use in data security initiatives; Massachusetts is slated to receive $951,000. Given the scope of the breach TJX has gotten off easy; paying out roughly $0.10 per exposed credit or debit card number. The funds will come from a $107m reserve set up by TJX in 2007 to cover costs associated with the breach.

In addition to the monetary penalty, TJX must comply with an information security program laid out by the Attorneys General. The company must obtain a third party assessment and report “regularly” to the group. Among the actions mandated by the program, TJX must agree to: upgrade its WEP systems to wired or Wi-Fi protected access systems; safely discard consumer account data once it has been processed for legitimate business purposes; implement firewalls, access controls, etc to segment the areas of the TJX network that process personal information; and implement appropriate password management system for that part of the network that handles personal information.

Of course, this settlement is only the latest development in the storm created by the largest reported data breach to date. TJX has already settled with major credit card companies Visa (for $40.9m) and MasterCard ($24m). In August 2008, 11 people were arrested and charged with aggravated identity theft, conspiracy, and computer intrusion related to the breach; and in January 2009, a Ukrainian hacker linked to the TJX breach was sentenced to 30 years in a Turkish prison (yikes).

To combat breaches of this nature Massachusetts has since passed a data privacy law that requires all companies that “own, license, store or maintain personal information” to comply with broad regulations for handling transaction and personnel-based data.That law sets a higher bar for breaches: $5,000 per violation. By that measure, TJX would have had to pay out far more — around $470 billion — in penalties.

The potential to pull in work done in the area of messaging protocols  (like AMQP) and and data classification through extensions to the protocol is, from my perspective, huge when seen in the context of mapping actual business process to policy logic. Thousands of Wave servers can subscribe to a policy server, allowing for large-scale automation of access and collaboration decisions, as well as the creation of a standalone, abstracted policy management tier with direct interaction with the policy decision tier.  Also, the Wave model not only allows for 1 to n connectivity , but also the ability to establish hierarchies within federated relationships.  This is an important advance when you consider the need to balance privacy (or degree of data lockdown) and openness - which could be paraphrased as “share as much as you need to when you have to”. The ability to establish hierarchical sharing constructs based on resource and user profile - what Google describes as winnowing - by takcling inherent tension between security, privacy and access, will ultimately have critical repercussions.My thanks to Chris Swan for highlighting this aspect of the Wave initiative.

There’s been some speculation that SharePoint is the target here. Given SharePoint’s success, that’s certain a possibility - although Google claims that Wave has been in development for four years, predating the rise of SharePoint. Instead, what Wave could offer is the integration of Geneva Server and SharePoint, with possibly a Ping Identity or TriCipher acting as a clearinghouse. Either way, identity management players are going to have to make an explicit strategic decision at some point in the not too distant future: either for or against Google Wave.

As we wrote recently in our ESP Quarterly, ‘The Evolving Endpoint Agent‘, the past three years have witnessed a revolution in malicious code writing. Professional, well-funded organized criminal groups have poured resources into the development of more powerful and versatile programs. Their goal is the theft of personally identifiable information, the theft of intellectual property, and the enrollment of millions of hosts into large botnet armies designed to distribute tasks, generating the computing power necessary to perpetrate fraud, theft and brute-force attacks.

More important, the criminal groups committing these crimes have become larger and more sophisticated. As criminals go, so do terrorists and those who seek to fund terror. For the first time, this brings the world of viruses, phishing scams and other fraud out of the realm of commerce and smack into the world of nation-state intelligence services: when your enemy is funding his operations through phishing, phishing becomes a security priority. For government, leaving commercial, public networks out of the picture when it comes to cyber security is simply no longer a tenable option.

This is not to suggest that government has responded in an organized or consistent fashion to the threats at hand: it has not. Lumpy and uneven distribution of understanding of the core issues; a notable lag in government agencies’ ability to formulate a response, lobby for budget and gain mandates to conduct cyber-intelligence operations; and internecine squabbling over turf and other issues have plagued efforts to enumerate, let alone catch, bad guys. But the will is there, efforts are underway and the response will come – it’s just a question of working the system until it’s good to go.

At the same time, those at the business end of the battle over cyber crime and cyber terror – financial institutions, mainly – are facing challenges like never before. Some time ago, we saw a sea change: banks began to cooperate in ways previously unseen in terms of the sharing of information about common threats. Until very recently, this kind of information was considered to be competitively sensitive – by revealing specific threat vectors, one risks having a rival reverse-engineer an IT landscape in the same manner as it has been reverse-engineered by a cyber criminal creating malware that specifically targets a given bank.

Yet the volume of attacks and their sophistication increased so dramatically that banks had no choice but to begin teaming up to confront a common enemy. The National Cyber-Forensics and Training Alliance (NCFTA), for example, was created to be a neutral collaborative forum in which critical and confidential information about cyber incidents could be shared among industry, academia and law enforcement.

Conversations with information security professionals of the type that would join NCTFA, informal polling of banking IT security professionals and general industry scuttlebutt holds one thing to be true: at this point, we are approaching the ceiling of what we can do reactively. People want proactive tools.

Not to put too fine a point on it, people want aggressive preemptive action taken against bad guys. The use of force, something which is rare to hear information security professionals talk about, is now being discussed at least theoretically. But to even consider any kind of action, you have to find out who’s doing what, when, to whom, and how. Then at least you can have discussions about a range of pre-emptive moves. Until you do that, you’re shouting at the surf.

Cyveillance gathers intelligence about the villainous and illegal use of digital content, and the misrepresentation and resale of digital content into real-world assets. The high-level issues that concern Cyveillance’s client organizations around the world involve cyber-squatting for the purposes of fraud and phishing; online sales of counterfeit and stolen goods; and the peddling of stolen digital assets. In addition, the vendor can provide valuable insight into a slew of other areas, from mere smut peddling, distribution of dangerous child pornography and criminal communications to other spooky stuff. Typically, Cyveillance messages around the first three areas, and conducts the latter quietly on behalf of various government and law enforcement agencies.

We have written a deal analysis of the acquisition which runs tonight in our TechDealmaker service containing target and acquirer profiles, deal rationale and deal details.

Panelists:

James Brokenshire MP, Shadow Crime Reduction Minister And Member of Parliament for Hornchurch
Mike Humphrey, Head Of Information Assurance & Accreditation Serious Organised Crime Agency
Howard Schmidt, President & CEO Information Security Forum Ltd. UK

Introductory Remarks
Nick Selby, VP & Research Director, Enterprise Security, The 451 Group:

As the availability of broadband Internet continues to rise, and computing power and Internet access continues to democratize, holes in the regulatory landscape have appeared. The crimes themselves – fraud, social engineering, theft – have not changed. Nor have the motives – profit seeking, fundraising for illegal activities or terror, money laundering of illicit gain, the list goes on.

What has changed is the medium in which these crimes are committed, and with that change in medium came a change in scale. Criminals are now able to reach a larger pool of targets faster and more effectively than ever before. At the same time, lawmakers struggle to understand technological advances, and are frequently concerned that laws to restrict criminal activities will stanch commercial initiatives.

Law enforcement is faced with a vexing problem: trying to understand jurisdictional issues and rapidly changing regulations.

Criminals, terrorists, drug dealers and others seeking to hide and monetize illegal activity and launder ill-gotten gains are taking keen advantage of this lag. Their risk in doing so is relatively low compared to other criminal endeavours, their chances for success high, and the scale of success even larger. The risk of being successfully prosecuted even if caught is even lower, and their risk of doing serious jail time even lower due to the process of adapting and creating laws to deal with these types of crime.

At the same time, the worldwide economic slowdown has created desperation among many. Many are more tempted than ever to find ways to get rich – or even get liquid – quick. Some of this large and growing number of people will do the maths I just set forth and turn to crime, while others will become victims of fraud.

This is the environment in which we currently find ourselves. Our panel today will discuss these issues in more specific detail. We will break the subjects generally into three categories: how citizens aren affected by these trends, what government and law enforcement can do, and finally we will discuss some of the opportunities available to entrepreneurs and private industry.

–End of remarks–

Download the presentation

I thought the panel went well and was well-attended. We had some interesting questions, especially the one from Steve Howarth, a detective inspector from the Met police’s e-Crime unit. He mentioned the appalling lack of resources his team has. More on that in another post, soon to come.

Of course, there’s no guarantee that those companies or their technology will have staying power. One need only look to past years’ “Tomorrowland” visions around things like converged security or even more quotidian visions, such as network access control, to be reminded that marketing spend != viability.

One good mental yardstick I like to use is to ask myself (and often the companies I’m talking with) why an enterprise _needs_ to own their technology. In the case of NAC, which came about as a way to stop virus and worm outbreaks behind the firewall, there was no one thing compelling companies to make a big investment, though almost everyone agreed on the usefullness of NAC in the abstract. On the flip side, The Payment Card Industry’s PCI DSS gave an enormous boost to vulnerability management firms, anti virus firms and, now, companies that make Web security products like secure Web gateways and Web application testing tools: PCI audits specifically called for the use of those technologies, compelling companies to make an investment, or at least come up with some form of compensating controls.

This year, I’m looking for the impact of new and toughened data privacy laws, such as Massachusetts’ new data privacy provisions, the FTC’s Red Flag Rules and a toughened, toothier HIPAA from DHHS and the federal government (much more on that later!) Which companies stand to benefit (or not) from the provisions of these new laws concerning protection of consumer information, financial data and health information? Its early days here at RSA, but I’ve already briefed with two firms in an fast developing sector that plays right into the increased focus on data privacy: Camouflage and Dataguise. Both sell data masking tools that allow companies to protect sensitive information in databases that are used for testing and other development purposes. The concept here is fairly simple: companies that do application development want to be able to use the best data possible to test their applications. Often, that means using actual, production data. But the loose security practices that often characterize development environments, not to mention the increased use of outsourcing, preclude the practice of piping production data into a test environment. Enter data masking firmslike Dataguise and Camoflage, which sell technology that can replace sensitive data with fake test data without compromising data integrity (i.e. credit card and social security numbers still look like credit card and social security numbers, etc.) Vendors point to regulations like PCI Section 6.3.4, which calls on companies to look at data used in testing, as a major driver -but not the only one. IBM’s been in this space since at least 2007,and some of these firms have been around -in one form or another - for almost a decade. Still, the data masking issue is picking up steam: Forbes recently addressed it in an article, and its likely to get a lot more attention as companies become more attuned to the gaping hole that internal development efforts punch in their data security and data protection plans. 

While Oracle is a recent entrant to the market relative to Sun, IBM and CA with technology derived entirely from acquisition, it is generating the fastest growth and has put the incumbents on the back foot. There is more overlap in terms of product portfolio, thorny integration issues and open source questions ahead compared with an IBM acquisition, but we expect that a shiver has run down many spines at IBM and CA. Sun has suffered from a weak sales organization even as product development has remained strong. Clearly, there are significant integration risks, but at a high level, Sun products will now have a favorable sales model behind them.

Oracle will gain Sun’s directory and federated identity technology and in theory Sun will have Oracle’s Entitlement Server, Adaptive Access Manager for risk-based authentication and upcoming data governance integration at its disposal. But outside of those complementary areas, there will be plenty of overlap in provisioning and Web access management (although a shared SSO OEM in Passlogix). The integration issues are ameliorated by a common Java technology platform but the the challenge should not be over estimated, particularly in light of Sun’s open source approach and emphasis on services layer.

Rivals may have some window of opportunity as the decision process takes it course - since it is unlikely to have been given that much thought in the deal run up - but we expect that to be shortlived. Of all the major IT vendors, Oracle has proven the most adept at minimizing acquisition and integration disruptions.

With a strategic investment in the Microsoft platform, partners like Quest are a natural community, with a shared vested interest in the product making it to market, with expertise in identity management and Microsoft technologies to bring to bear. Of course, there may be dependencies that are specific to internal Microsoft product development that no amount of source code sharing will resolve. Also, there has to be a clear-eyed assessment of the real, tangible value that can be distilled from external input relative to internal development resources. But even in a controlled open source community with a limited degree of transparency, the chances of a partner being blindsided would be diminished. If partners can manage their businesses and customer expectations better, and provide some insight into the scope of the issues behind the delay, the effect has to be a positive one.

There is a broader trend at play here. Even if we put Sun’s open source strategy and efforts at building a support and maintenance business model to the side, we are seeing open source in identity management more and more frequently both as a product development model and as a target system focus. This ranges from Red Hat’s very gradual entry into the market with its IPA project (insert obligatory beer-related quip here) to Likewise’s authentication consolidation platform, bundled with open source OS distributions and Novell’s recent acquisition of Fortefi to incorporate coverage of Linux identities in the resulting compliance manager. There are also a number of open source identity governance and metadata exchange convention frameworks, notably OAuth. And there a few smaller vendors like Acceesstream, OpenIAM and Crowd (part of Atlassian) that have released their source code under GPL licenses.

I am not suggesting that the path to an open source model will be a smooth one. My point is that from my perspective there is some incentive to progress down that path.

ESTRAGON: In my opinion we were here.
VLADIMIR: (looking round). You recognize the place?
ESTRAGON: I didn’t say that.
– Waiting for Godot, Act 1. Samuel Beckett

I’m going to have to excuse myself for sitting out most of the hype storm about the coming Conficker worm conflagration but, to be honest, I’ve been here before.

I’ll explain what I mean by that. But first, for those PD readers that have been hiding in a cave, here’s where things stand:

Conficker is a widespread Windows based worm and information stealing Trojan that is poised to launch a coordinated “action” on April 1st that will, depending on who you talking to, bring the Internet to its knees, or flop harder than A-Rod in an ALCS playoff game. It first appeared in late November and — like most computer viruses — also has more aliases than Jason Bourne. You might also have heard mention of Downadup, or Kido or Pakes? They’re all the same beast. Conficker spreads over computer networks by exploiting unpatched Windows machines (again, for the cave dwellers, MS08-067 is the patch you need) by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) and by brute force attacks on networked computers and file shares that are secured with weak administrator passwords.There’s an excellent writeup on the worm available on Ars Technica. Read up, then apply the patch. A more technical analysis from SRI International is available here. (Thanks to SANS’ ISC for the link.) The Honeynet Project also has an analysis of Conficker available on its Web site.

With the deadline fast approaching — indeed racing across Conficker infected countries like South Korea — the media hype (including a sensational(ist) piece by 60 Minutes correspondent Lesley Stahl) has set the stage for a Y2K style conflagration, but (willingly) overlooked the consensus opinion of security experts, which is that Conficker’s April 1 surprise will be a big nothing. Indeed, SANS Internet Storm Center predicts “business as usual” on April 1st.

Rest assured, this won’t be the first or the last time that the public is treated to a media-induced roller coaster ride about computer security. If you remember, the Code Red Worm had a similar “attack” programmed into its code back in 2001. That denial of service attack was directed at an IP address that corresponded to the Web site of the Whitehouse. Government officials sidestepped the attack by pointing the Web site to a new IP address — an early victory for the administration of George W. Bush.

Two years later, MSBlast, aka Blaster, had a DOS attack against Microsoft’s windowsupdate.com Web site in its source code. That attack, also, was evaded when Microsoft delisted its windowsupdate.com address.

A variant of MyDoom in 2004 was programmed to attack both Microsoft’s Web site and that of the SCO Group, which was embroiled in controversy over a Faustian bargain it may have made with the OS behemoth. In that case the attack worked — taking out the SCO Group’s Web site.

The Sober worm had a mass update/spam run buried in its code too, timed to coincide with the 87th birthday of the Nazi Party (huh!?). There are countless other examples as well. Remember Kama Sutra (aka “Blackworm”) in 2006? That was the widespread malware that was set to delete files on infected computers. That attack fizzled for reasons that aren’t entirely understood.

And yet…we’re still here. Timed or scheduled attacks play into the media’s hunger for a good story: creating suspense in the form of a concrete date (like, say, January 1, 2000) on which something will happen. As a practical matter, however, setting an attack to happen in the future and leaving the specifics of that attack in plain sight mostly serves to give everyone a chance to prepare for the attack and defend against it. It’s kind of like those hopelessly complex executions in the James Bond films. Why tie the guy to the table then wait for 30 mintues for the laster to cut him up? If you want Bond dead, just shoot him in the head execution style and be done with it?!

These attacks also allow folks who don’t follow the computer security space closely a way to grab onto the problem. Telling consumers that botnets of millions of computers are sending spam e-mail and virus laden messages to their inbox doesn’t quite have the power to grab and hold ones attention as “On April 1, your computer is going to blow up!” Sadly, however, they just obscure the larger truths. Outbreak and attack stories create the idea that the enemy we face is conventional (launching attacks which we must defend against), rather than unconventional (they’ve already broken our lines, surrounded us and, in fact, have infiltrated our own ranks).

Here’s betting (and hoping) that Conficker is a no-show– that any coordinated action by Conficker attacks fades into the background noise caused by millions of other compromised hosts worldwide. But on April 2nd, the problem won’t have gone away — in fact, it will be ever so slightly worse.

Not that security software vendors are all to blame. In the case of the iPhone, the word is that Apple doesn’t want to give third parties access to kernel level APIs they need to do realtime threat protection or data encryption.  In the meantime, the company’s development efforts haven’t prioritized enterprise concerns. As my collegue Chris Hazelton noted in a recent report, the latest rev of the iPhone OS, Version 3.0, did little to advance the iPhone’s enterprise readiness. In particular, it failed to add the ability for one or more third party applications to run in the background, limiting security (i.e. encryption) and management features. 

This leaves security  and mobile device management vendors to do what they can. Sybase’s announcement this week of a new version of its iAnywhere suite is a good example. The company’s iAnywhere Mobile Office, which includes e-mail, calendar, tasks and contacts, as well as Exchange and Lotus Notes integration, offers the kinds of features enterprises want: password protection, data encryption and remote data wipe…but only for data resident in the iAnywhere Mobile Office application. The company tries the spin this as flexibility…enterprise security “without compromising user’s personal information,” but isn’t it just “encryption for me, but not for thee”? Whatever the case, its hard to see how islands of security on a multi function device like iPhone will work practically, or how they advance the interests of companies or the community as a whole.  

In the meantime, another major anti malware vendor told us that it is at work on its own secure Web browser for the iPhone that will allow it to integrate Web reputation technology that it has long offered to PC users. As with Sybase, however, users will have to download and install the third party Web browser to get the protections, rather than leveraging it as a plug-in to the native iPhone implementation of Safari. We can expect more of the same from other vendors (encryption, anti malware, management) who are hot to trumpet “iPhone support” to their enterprise customers in any guise. The result? Expect the balkanization of the iPhone  desktop to contiunue, at least until the Mandarins in Cupertino make good with the tools that third party developers need to do iPhone security right.   

There are sure to be some difficult product rationalization issues, complicated by Sun’s still in progress transition toward open source development and business model. However, in some areas, the product portfolio strengths are complementary. Sun, for instance, has led the market in enterprise directories (although its product has grown long in the tooth and the OpenDS open source version has yet to reach full product maturity) and the acquisition would supply IBM with federated identity and role management technology where the company has lagged the market. There seems to be some difference of opinion over the relative value of Sun’s directory server over IBM’s equivalent, but in terms of market segment penetration, we would postulate that Sun’s is larger (although under attack) and spread across a broader set of businesses.

The rumored deal would certainly provide one possible explanation for why IBM has been so quite on the acquisition front.

Edwards, himself an Ironport-er, said that the loss of Weiss — who got high marks on leadership and vision — was going to be tough. But he put a good face on it all the same. “We get to retain the Ironport DNA and history (with Gillis),” he said.

Of course, there’s nothing surprising about a former CEO like Weiss chaffing under the constraints that come with a role down the org chart in a mega corporation like Cisco. Sounds like Scott gave it the old college try, but has decided to move on to his next act. The surprise, I suppose, comes as a result of the big vision that his appointment at the head of the SBTU set for Cisco’s overall security strategy. Cisco’s security portfolio had grown long in the tooth in recent years, and Weiss came in talking big about reinventing Cisco’s security portfolio. In part, that would come from integrating smarts from the IronPort platform across the other Cisco products. That includes reputation intelligence from the SenderBase online reputation system and from the global deployment of IronPort appliances.  With him gone, its not clear what happens to that vision and whether Gillis will have the clout and vision to carry it forward. Cisco staff insist that Weiss’s departure has nothing to do with the SBTU’s 2008 numbers or a difference in vision with other Cisco brass. That could be true (and we’re waiting on specifics on the SBTU performance that might confirm it either way), but we’ll be waiting to see what the next few months bring.

Babylonian seals

The fact of the matter is that this incident is a big blow to Kaspersky, which is going to great lengths to build up its image in the U.S. and globally. Suffice it to say that a company getting hacked that promises to protect you and your computer from hackers is troubling, and Kaspersky spokesman Roel Schouwenberg admitted as much in a conference call with the press. The company now says that it has hired Next Generation Security Software’s David Litchfield to give its database a good hard look, and that it will be scrutinizing its Web sites for flaws like the SQL injection attack that was behind this breach.

A couple take-aways from this incident:

• If the perp here is to be believed and no sensitive data was exfiltrated from Kaspersky, then the company is lucky. In some ways, this whole incident is very old-school. Some enterprising grey hat finds a fat vulnerability, pokes around, gives the company 15 minutes to respond (ok - Kaspersky said it was more like an hour) and then posts what he’s found on the listserv/Web site of choice.  If this guy was partying like its 2009, instead of 1999, he would have taken the product activation codes, customer e-mail and — ideally — some billing info and fenced them along with access to the Kaspersky domain itself.
• The circumstances of this hack shine a glaring light on a problem that’s facing companies both within and outside the Tech sector (banking, financial services and e-commerce are also highly exposed) namely: how to monitor the security of a corporate Web infrastructure that’s growing faster than your ability to monitor it. This is especially true of fast-growing companies (like Kaspersky) or decentralized organizations with branch offices, third party partner relationships and the like. Kaspersky has already owned up to the fact that its US subsidiary was an amalgam of code developed by Kaspersky in Russia, and code developed by a third party contractor. The company claims it was the code from the outside contractor (a customer support forum) that ultimately provide access to Kaspersky’s back end database.  Who knows. What matters is that the company develops processes, in the wake of this attack, that contain online sprawl and ensure better code auditing and review procedures.
• SQL injection is a big deal. IBM’s ISS X-Force threat report for 2008 says that SQL Injection attacks increased thirty fold in the last six months of 2008. The attack also figured prominently in the SANS recent list of the Top 25 Programming Errors. One big reason is that they’re quite easy to perpetrate. Often all you need is a Web browser, a passing knowledge of the SQL query language and of how databases work to begin poking around. While plenty of products and services exist to sniff out SQL injection attacks, the differences between legitimate and illegitimate queries can be subtle. This puts the onus on application developers to build their code to resist tampering and QA departments to give application code a thorough vetting before it is publicly released. As Kaspersky’s woes indicate: the downside of failing to do so can be considerable.

In response to such state-sponsored actions (not to mention those pesky Twitter outtages), digital rights activists have launched Herdict.com (a portmanteau of “herd” and “verdict”), an online service conceived by Prof. Jonathan Zittrain at Harvard’s Berkman Center for Internet & Society. The service relies on crowd sourced reports from volunteers around to world to pinpoint Website outtages and determine whether they are global- or merely local phenomenon.  

But the cat and mouse game between China’s yearning masses and its worried censors is actually just one skirmish in a much larger battle over access to Web content that’s been bubbling for a while. And the battle runs both ways. In the US, it’s reaching a high boil with the growing popularity of Web based services like social networks and broadband content distributed through services like YouTube.com, hulu.com, and countless other sources. Enterprises are wary of both worker productivity losses, NSFW content that violates workplace decorum and — importantly — Web and application based attacks that can compromise network security. Employees and end users want access to the growing universe of cool tools (and fun distractions) that are available on the Web. An IT director for a public school district in rural Texas told me that he spends an inordinate amount of time playing cat-and-mouse with students who are using proxies to evade their secure Web gateway. He’s counting on his Web security gateway vendor to keep their list of Web proxies current and turning to traffic shaping and rate limiting tools to simply punish  those he catches evading the Web gateway with dial-up level access, rather than issuing collective punishment by limiting Web access for all students. Up at 20,000 feet, IBM’s ISS group is seeing a doubling of anonymous Web proxies between 2007 and 2008, as it reported in its X-Force trends report (available in PDF format here). X-Force also says that attacks based in Adobe Flash video, Acrobat files and Active X conent are on the upswing as of Q4, 2008. 

All this is going to combine to make 2009 an eventful year for companies that sell Web content filtering, traffic shaping and other technologies. In fact, in a forthcoming report on companies that will stay hot in the cooling economy, Web security will be an area we talk about quite a bit.

The goals of companies that are shopping for this stuff are threefold:

1. Stop malicious content that’s streaming to end users in video clips, e-mail messages (including Web mail), blog comments and Facebook wall posts. 
2. Avoid hamstringing employees with draconian Web use policies. 
3. Priortize access to mission critical applications on their network, such as VoIP, as well as applications and services that are running in the cloud.  

Look for vendors who move in the space to move to address these pain points. In fact, its already happening. In recent weeks, we’ve seen Websense pick up blog antispam firm Defensio to try to boost visibility into blog comment spam. It says it plans to offer much tighter integration between its port authority data leakage wares and its on-prem and SaaS based Web security products. Riverbed picked up network visibility firm Mazu, and Barracuda has told us that it sees bandwidth optimization and traffic shaping as areas into which it needs to extend its reach. There’s more to come. Stay tuned. 

Like CardSystems breach before it (which netted details on an estimated 40 million transactions), Heartland is an example of hackers “fishing where the fish are,” by going after the small, less visibile companies that process card transactions for thousands or (in the case of Heartland) hundreds of thousands of merchants. Frequent diners beware: around 40 percent of Hearland’s business came from restaurant transactions. I knew I should have ate in! 

Yastremskiy was arrested in July 2007 at a nightclub in Kemer, Turkey.  It was not until after his arrest in July 2007 that authorities realized he had been fencing credit card information stolen in the TJX breach. Yastremskiy had worked with 10 other hackers, including Albert “Segvec” Gonzalez of Miami, the alleged mastermind of the heist. 

In August 2008 the United States charged the 11 hackers with aggravated identity theft, conspiracy, and computer intrusion. If he’s ever extradited to the US Yastremskiy will face these charges as well as charges related to fencing the stolen information.  

The firms named in the suit are a Who’s Who of enterprise IT security: Microsoft, Symantec, McAfee, Trend Micro, Check Point, Sophos, CA, Kaspersky, Novell, F-Secure, ESET, Webroot, PC Tools, Comodo, and so on. What’s surprising to us is that the suit doesn’t extend to application whitelisting vendors like Bit9, Solidcore, Websense and so on — especially given that the patents explicity mention methods of application control that involve “including a digital hash of said program to be executed as part of the program authorization information data structure,” but the owners might have figured there are plenty of dollars to shake loose from the companies named.

While Protection and Authentication of Texas LLC may be hoping for a quick payout of “leave us alone” money, we’re expecting the parties named to fight this one hard. First of all, they can. Second, recent Supreme Court rulings appear to be on their side — with the High Court ruling unanimously in recent years to take a tougher stand on so-called patent “obviousness.” The key case here is KSR vs. Teleflex, which was handed down in April, 2007 and overturned lower court rulings that were based on previous patent law standards that made it difficult to challenge granted patents on the grounds that they covered “obvious” applications of existing technologies or ideas — not really new inventions. While its unclear how novel the Texas company’s patents are, the legal environment has certainly changed from recent years, and the company can expect to face well financed defendents.  

We’ll be watching this one to see how it turns out.

Somehow that scene came to mind today as I surveyed the mood of teeth gnashing and garment rending that has accompanied this weekend’s high visibility attack against Twitter accounts. As with the outcome of Mr. Metzler’s little skiing stunt, the consequences of Twitter’s “we’re all friends here” approach to security were utterly predictable.

For those of you who are still emerging from your holiday torpor, news reports began surfacing over the weekend about phishing attacks that were spreading over the Twitter micro blogging network. The attacks began as direct mail messages between Twitter users that contained an enticing message and a link to a phishing Web site. That site, which appeared to be a twitter-sponsored site (i.e. twitter.access-logins.com), harvested account login information from victims…with predictable results. By Monday morning, the scam had claimed some high profile scalps: the Twitter accounts for Fox News (@foxnews) and that of CNN anchor Rick Sanchez, (@ricksanchezcnn), too. Barack got tagged, and unless Britney Spears is suddenly exploring the ancient myths of vagina dentata, she got hacked, too. (And she’s been doing so much better, lately!). The attacks are virtually indistinguishable from Web site phishing attacks, but for the fact that they originate within the Twitter environment, use Twitter’s direct mail (or “DM”) feature instead of traditional e-mail and are designed to steal Twitter credentials. The targets are also no surprise: they’re highly connected Twitter accounts from which spam or phishing messages can be broadcast to thousands or tens of thousands of “followers” (Sanchez, alone, has 40,000 of them). As researchers at Sophos have pointed out, as well, netting Twitter logins and password info is a passcard to even greater riches, as overburdened Web users just re-use passwords for work and personal accounts.

The folks at Twitter warned users about the spreading scam on Saturday and advised them not to share account information (as if this even needs to be stated). They have since posted a status update (”Multiple accounts hacked. Situation stable”) that sounds like it was issued from the control room of Reactor 4 at Chernobyl. Its unclear whether the attack is still spreading. Like other Social Networks, but unlike those fighting e-mail or Web based attacks, Twitter admins have the advantage of central control over network activity and, thus, can stamp out attacks quite efficiently. As I wrote in a recent column for ZDNet, attacks that leverage social networks like Twitter and Facebook are certain to increase this year, as use of those platforms reaches the critical mass that finally attracts the attention of spammers, identity thieves and the like. As this happens, the environment of implicit trust that has governed “in the know” communities like Twitter will disappear. Inboxes will fill with spam or some approximation thereof and users will think twice before they click on URLs in Tweets or Wall postings.

Clearly, the network providers will need to do much more. Twitter, Facebook and the like should force users to harden passwords. [NOTE: As this report from Wired makes clear, it was a weak password combined with a dictionary attack that led to the compromise of a Twitter administrative account.] They should also monitor activity both on their networks and on the Internet more closely, filtering content for phishing attacks and other scams. As an example, Bank of America and other financial institutions long ago started paying attention to who was registering domains that could plausibly be used in phishing attacks against their customers. Twitter should take note when a domain like “twitter.access-logins.com” is registered. Finally, organizations of all stripes are going to have to weigh the cost-benefit ratio as they wade into a new medium like Twitter. On the same day that the Twitter phishing attacks nabbed CNN and Fox News, a journalist whose feed I follow posted a link to a list of all the newspapers that Twitter. My guess is that most of them have jumped in with both feet without stopping to consider whether or how their accounts could be used to attack their followers or otherwise besmirch their good name. For those organizations that understand the risks and decide that Tweeting is worth it, better account management and hygiene (strong passwords, etc.) as well as training and clear policies on how to interact with followers and what to watch out for are in order.

So I am pleased to report that there is a raison d’ twitter: cat names. That is, I Tweeted that my cat, Philmont (named for a nearby town but also because it seemed preposterously high fallutin’ for a cat like Philmont, who’s three months older than when this picture was shot) had on Wednesday evening jumped into the washing machine to wrassle with the clothes. You know. As one does.

Unfortunately we didn’t notice this hitchhiker and shut the washer door and turned on the machine. Ten minutes later I heard a low, mournful Mrooooooooooow noise and went to investigate. I caught a flash of white belly with black spots and realized what was happening. Thank goodness we have a low-water washer! I got him out, used the blow dryer, put Philmont by the wood stove and under a blanket and the next morning he was the same old cat - attacking my legs as I walked to the kitchen, etc.

What has this charming story to do, you ask, with Twitter or information secutiry? Great question. Turns out that when I tweeted this information on Philmont, people assumed - as one does - that Philmont was some infosec-related term, like, “Raptor” or “China”. When I replied that it wasn’t (my actual quote was, ‘Infosec is my job, not my cat’s life’), Anton Chuvakin asked people to vote on the best infosec-related cat name in a poll on the subject. Seriously.

He put forth several names Like ‘bug’, ‘flaw’ and ‘ipsie’; I suggested some dumber ones. Brandon Dunlap mentioned MOSFET. Some genius mentioned ‘Fuzzer’.

Fuzzer - awesome cat name. But is it the best? As I say, Anton ran a poll, and sure enough, Fuzzer it is.

Have very fuzzy, happy holidays everyone, from Philmont, Corinna, Spijk and on behalf of Paul Roberts, Steve Coplan, Lauren Eckenroth and all of us here at The 451 Group’s enterprise security practice. We look forward to speaking and arguing with you in the coming year.

Thanks, we do this for a living.

As we enter one of the most volatile years in recent memory, we thought that we’d speak directly to one of the most commonly asked questions we field from our end user customers - how can we be sure that the venture-funded, non-cashflow-positive, un-profitable startup we’re considering buying some stuff from will be in business next year when I need it? After all, start up companies offer some of the most innovative, cutting edge technologies out there - technologies that can address some real points of pain in enterprises. But investing in a start up - especially in times when budgets are so tight that buying $200,000 worth of shelfware nets the decision-maker something more than tight lips and a stern frown from the CFO - can be a frightening proposition.

Since we’re constantly asking start-ups about their fiscal viability, we thought we’d share some of the basics. None of this is brain surgery, and we’re not going to reveal any of our proprietary methodology. But we will share the basics because at the very least we’ve heard that hearing the questions we ask is useful to our end-user customers.

We usually start out subtly, using guile and tact to eke out of a vendor the answer to the main issue of concern:

• What is your fiscal viability? I’m concerned that you are a venture-funded, non-cash-flow-positive, un-profitable startup. How can you demonstrate to me that you will be in business next year when I need you?

As you can see, this cunningly worded question stakes out the roles (purchaser and vendor) from the beginning. But it gets to the point.

The first thing we do is try to get a handle on how much the company burns each month; a good place to start is

• Staff headcount
• Number of offices
• Location of offices
• Ratio of technincal to non-technical staff

Now, we’re not going to reveal the highly specific multiplier we use to figure this stuff out, but basically if you assume an all in cost of 10 grand per month per body, a little more or less depending on whether they’re technical or non technical, guesstimate the cost of those fancy Silicon Valley offices and all the branches, you can very quickly get a rough idea of how much these jokers are burning through each month. From there, you’ll want to make a determination about how the firm is doing against that monthly nut. You get one great thing that we don’t get - the actual asking price. If you figure that you’re an average customer, multiplying the price they’re asking you for times the number of customers it claims to have landed in the past year will give you a rough idea of how much money the firm is taking in (toss in something for maintenance and other recurring fees). By asking these basic questions one can quickly come to some William of Ockham-ish conclusions of the company that won’t be too far off to either make you feel a little bit better or make a reach for your car keys.

One more thing - if your vendor won’t answer these questions, consider another key insight from a professional observer - we are in, at the moment, what might be referred to as a Buyer’s Market.

Some basic Vendor fiscal viability questions:

• How many staff have you got?
• How many customers did you land this year?
• How many customers have you got under current maintenance agreements?
• Who are the executive team members – who’s driving the boat?
• Can I look at your audited books?
• Can you give me five reference customers I can call?
• Can you point to analyst reports from firms that do not do pay-for-play, i.e., The 451 Group, The Burton Group, Yankee Group?
• Please share with me a nonmarketing version of your corporate history
• Please tell me about your funding rounds in detail (month, year, investors) and amounts. If new investors popped up and old ones went away, what happened - was this a refi? a restart? Did new board members come in? Old ones leave? Why, when?
• Can I speak with your venture capital firm to ask them about the basis for their investment in you?
• Please share with us your roadmap from last year at this time and your current roadmap.
• What is the expected support response time for normal support calls and hardware failures?

As if we needed any more proof of just how sticky things are, this week Ernst & Young released its global IPO report for 2008, announcing a 13 year low in IPO filings from January through November this year. In the past 11 months of 2008, 745 IPOs raised $95.3bn- compared to record breaking numbers in 2007, when 1,790 IPOs raised $256.9bn over the same time period. Details can be found here.

To date this year almost 300 IPOs have been withdrawn or postponed compared to 167 for all of 2007. Few companies in the security space have come out this year. Arcsight (NASDAQ: ARST), though better off now (although for how long, we’re not sure), entered the public market with an uninspiring showing in February 2008. Since then few vendors have even dared to hint at an offering, and those that had have backed off to wait for more promising economic conditions.

For the next few quarters we can expect to see the larger names continue to consolidate in an attempt to steel themselves against the storm while the smaller companies shop for suitors, investors, or both.

The message for small, independently minded companies is clear: stay strong and, if possible, raise funds. Times are tight for venture backed companies, although the well has not run completely dry. Security vendors Rapid7, Napera, Memento Security, Finjan, and Trusteer, among others, have all raised funds in the past 3 months; proof that a good idea (or a hot space) will always be able to stir up investors’ interest.

Rumors of an IPO for patch and vulnerability management vendor Lumension (formerly PatchLink) were everywhere in September 2007; the same was said of unified threat management vendor Fortinet, though there is little talk of that now from either company. NitroSecurity went so far as to file for IPO in August 2007 only to withdraw its application this past June. Sophos had announced its plans to go public on the London Stock Exchange in the fall of 2007, but they also withdrew when markets began to crumble. The company instead made a bid for German encryption vendor Utimaco, choosing to take the company off the Frankfurt Stock Exchange rather than rolling into it. We expect to see Sophos pick the plans back up once conditions are better and Utimaco is integrated into its product line.

We are hearing rumblings of players ready for the push, however. Kaspersky seems to be ramping up its IPO plans. Barracuda’s unsolicited bid for Sourcefire this year could’ve made an IPO that much easier. It will be interesting to see who comes out when the smoke clears, but to be sure, that won’t happen anytime soon.

And so it goes here, with Kaspersky PR and marketing folks escorting a cadre of reporters through a Kaspersky-tinted view of the world. Access to company executives is in abundance, but it should be no surprise that reporters plucked from their home cities and taken on an all-expense paid trip to a strange land are disinclined to question their hosts and handlers too closely. Asked by one intrepid reporter what he estimated the market value of his company to be, CEO Eugene Kaspersky went silent before flashing a wide grin and shouting back “enough to pay for your dinner!” And that…was…that!

Despite its size (the company now employs over 1,200 people worldwide), Kaspersky is still very much a personality-driven company, and the personality who drives it is Eugene Kaspersky. He’s everywhere here in Moscow: presiding over the morning sessions, briefing reporters and analysts, toasting the assembled at gala dinners and holding court over shots of (excellent) Russian vodka in the hotel lobby late into the evening. In a nation of chronically unsmiling people, Eugene is ebullient: bearded and grinning as he bounds about greeting and joshing with his guests like a younger, scruffier Santa Claus.

The very act of flying four or five dozen reporters to Moscow in December just to show them around his company speaks volumes about Kaspersky’s personal ambition. He’s doubtless been counseled by others to play down the company’s Russian connections (Kaspersky is officially incorporated in the UK). But he’ll have none of it and, in fact, wants to play it up. He takes seriously the idea that his company will be a beacon to other Russian IT firms that — in the words of COO Evgeny Buyakin — Russia can produce “more than just oil and gas.” His fellow executives and employees seem to take it seriously too and — the Russians among them — to consider it a point of pride to work for a home grown firm that’s taking on much larger and richer U.S., European and Asian operations like Symantec, McAfee, Trend and Sophos.

Of course, getting a modern IT company to thrive in a business environment dominated by connected firms whose wealth is tied to natural resources like oil, timber and mining will be no small feat. Western critics and opinion makers need convincing, and Kaspersky faced pointed questions about whether his company may have unwittingly hired black hats and cyber criminals to work in its labs. It’s a fair enough question for any security company (especially given recent revelations in the TJX case), but I didn’t hear it asked of anyone at Symantec Vision in Las Vegas.

As a venue, Moscow both helps and hurts. The place is booming — no doubt about it — with new office buildings going up all over the city, luxury automobiles beached on the sidewalks, and giant plasma screens perched above the main boulevards displaying luxury ads. But the Freudian term “unheimlich” — literally “un-homey” or “uncanny”– comes to mind in a place where old and new come together so jarringly. Doors fly open for us in the very capable hands of Kaspersky and crew. The man is, after all, something of a national hero. But there’s also a palpable sense that layers of deep complexity lie beneath the seamless production here that might easily trip up a smaller firm making a go of it. San Jose this ain’t.

As for Kaspersky, the company, its executives agree that the biggest challenge facing the company will be managing growth in the coming years — holding onto the spark that animates the company today, but also developing the systems and processes that large companies need to operate. The company is working to secure a partnership (and possibly an additional investment) with Credit Suisse. That, it is hoped, will open doors to Western enterprises, and Western markets for a possible IPO. Given the turmoil in world markets, however, those plans have almost certainly been pushed back and we imagine Kaspersky is counting its lucky stars that it can hide out from the tumolt as a privately held firm for the time being. We’ll be writing more about Kaspersky in the days ahead — its roadmaps and strategic considerations. But often its the details around the edges that tell the most interesting story. In the case of Kaspersky Lab, that’s definitely true.

“With respect to NAC, Selby said the technology is getting sucked into identity and access management and NAC vendors are looking to get bought by vendors in the IAM market.”
- Bob Brown, Days numbered for standalone NAC, anti-data leakage firms?, Network World

Analysts love saying stuff like "X is dead!". Part of the analysts guild membership requires that we doom some sub-sector to failure at least annually. But I really think that Bob Brown at NWW got our point absolutely right when he reported on the goings-on at our Third Annual Client Conference held in Boston last week.

During the event I said,

“‘NAC’ then, becomes more of a policy enforcement point than a pat-down. By the end of 2009 … Network Access Control [is] gone as a standalone [industry].”

Now there are a couple of things. First, the NAC vendors in the audience began gnashing their teeth, audibly. Seriously, someone told me that they thought one guy’s jaw would break.

Second, what I said and meant was that there is a sea change occurring in the world of Identity and Access Management, towards a new layer of policy management. We are not saying that IAM vendors are going away either, but we do say that, after years of incremental change mainly through consolidation, changing technologies (rabidly accelerated use of mobility leading to re-perimiterization being merely one) are forcing IAM vendors to make some seriously cool stuff.

The years of consolidation and incremental change mean that no one will have to throw out the kit they have - this is not a rip-out, it’s a layer atop existing infrastructure that makes the whole system more valuable. For example, federated and single-sign-on authentication are important, but they’re the tip of the iceberg. Compliance compels you to know who is accessing what, but does not get to the why question in a way that gets you to make dynamic decisions about:

1. Who are you? What do you have access to?
2. Why?
3. How is this reflected in the resource you’re accessing?
4. How is it reflected in system level privileges?
5. What happens when the role, resource or policy changes?

To accomplish this, there are three main categories of kit:

• Policy Administration Points - The brains
• Policy decision points - The central nervous system
• Policy enforcement points – The muscle.

It was in this context that I said what I said - here it is again:

“‘NAC’ then, becomes more of a policy enforcement point than a pat-down. By the end of 2009 … Network Access Control [is] gone as a standalone [industry].”

NAC technology is not dead. NAC has been most relevant for verticals, like education or certain parts of SMB - where you have a large number of low value endpoints. But enterprises, especially in this exciting economy, aren’t satisfied to make decisions based just on the endpoint and its hygiene.One must consider visibility into a combination of endpoint and user and intent - go/no-go simply isn’t adequate for that. There needs to be more granularity in permissions. These are all properly IAM issues.

The most important clarification I can make is this: vendors are not going broke because they’re NAC vendors (though some are going broke because their stuff sucks). The technology created by good NAC vendors is not going away, it’s going to be repurposed. We have seen this happening already, as NAC vendors have moved away from admission/post-admission discussions and towards the much more relevant conversation about visibility. We believe that this conversation will evolve even further. For example, we’ve been threatening for two years that IAM vendors would marry endpoint assessment outcomes with risk-based authentication profiles to assess the risk associated with providing access to an individual to a specific resource. On the other hand, the idea of an enforcement overlay with a binary decision matrix (”No anti-malware? Orf with ‘is access“) will not materialize.

So put yer knives away! Over the coming weeks we’ll be pointing to some specific examples of this and tweaks or changes to the strategies of the NAC vendors.

Next week: Firewalls are dead! Dead!

We know roughly how much data was taken, and a timeline of when the company became aware of it. We can guess at the sophistication of the attack by noting, for example, that almost 18 months passed between the initial compromise and the company learning that its network had been compromised. However, details in the press are often lacking. We hear that “malicious software” was used, that it stole data in transit, or from a database and stored it in files that were later transferred off the network.

What’s missing is the provenance of the malware itself — was it a variant of a common, information stealing program like Torpig, or a custom application developed specifically for the attack in question? The answer to those types of question suggests a lot about the amount of effort and investment that preceded an attack — was it merely a target of opportunity, caught up in the net cast by a massive spam run, or did the criminals in question have their sites set on the victim from the outset?

With arrests in some of these cases, those with knowledge of them are now beginning to flip in an effort to avoid harsh sentences. That, in turn, is leading to more arrests and more details about the eye-popping data breaches that have dominated headlines. Those details are reason for concern, particularly for high profile companies that might be worried about the threat posed by rogue insiders and targeted attacks.

Take the case of Stephen Watt, the New York man who was named in an indictment filed in U.S. District Court in Massachusetts on October 29. According to some published reports, Watt was part of a criminal ring that engaged in wire fraud, identity theft, money laundering and unlawful access to computers — all part of a scheme to steal more than 45 million credit and debit card account numbers from TJX, authoring the sniffer program used to steal the credit card information. That program, dubbed “blabla” was apparently written and then repeatedly modified by Watt for Albert Gonzalez, a co-conspirator who is believed to be the mastermind of the TJX scheme. Gonzalez, otherwise known as “Segvec,” was acting as a federal informant at the time he was also engaged in pilfering data from TJX.

Watt hasn’t been convicted of anything yet. Moreover, not much is known about the government’s case against him. It’s entirely possible that he developed the blabla application in a vacuum and with penetration testing, rather than data exfiltration in mind,–completely ignorant of Gonzalez’s larger plan. Time will tell.

What is clear is that Watt was a talented developer and security mind with the resume to match. His LinkedIn profile shows him working currently for Imagine Software Inc., a company that makes trading system software used by “hedge funds, pension funds, investment banks, brokerages, and sovereign wealth funds.” His LinkedIn profile claims stints at financial services giant Morgan Stanley, where he worked on “Application infrastructure development and inhouse security toolkit development.” It also claims he worked at SaaS based vulnerability scanning firm Qualys where he says he “conducted research and development for an industry-leading network vulnerability scanner..and developed proof-of-concept exploits for discovered vulnerabilities,” among other things.

UPDATE: Qualys says the LinkedIn information is inaccurate. According to company HR records, Watt worked as a summer intern for two summers, in 2001 and 2002, where he helped test that company’s scan engine. He never conducted research and development for Qualys, according to the company.

His work for Morgan and Imagine overlaps with the period of the TJX hack and his alleged work on blabla. Troubling.

The questions for security-conscious organizations of all stripes are obvious:

1) Given that you can’t stop a determined hacker from gaining access to your network, what is the proper means of protection from a hacking outfit that’s employing a top-notch developer to write custom malware just for you? 18 months between compromise and detection doesn’t sound so outrageous if TJX (and the layered defenses it employed) were just looking for stuff that looked like other stuff that was out there. They weren’t going to find Watt’s “blabla,” because nobody had ever seen blabla before. Forget that Watt was allegedly providing regular updates to the software as the hack was in progress, as is alleged in the indictment.

2) Given the hunger for IT development talent, and the unfathomable and largely anonymous world of malicious and recreational hackers, how can firms trust that their star new developer isn’t donning a black hat when he’s at the office — or even when he gets back home? This is ultimately an HR question, but its unlikely that most employers are doing the kind of “three letter agency” caliber due diligence on IT staff that would uproot questionable associations like Watt’s.

Surveys of end users that we’ve conducted show acute interest in anti fraud technology that can provide intelligence about threats posed by insiders regardless of seniority, from the low-level call-center agent and receptionist, up through senior managers. Firms like call center giant NICE have already invested in this space, marrying anti-fraud to their existing monitoring platforms.

Companies like Guardian Analytics have come out with software that they claim can analyze and model user behaviors to spot weirdness that might indicate an account takeover or compromise. But most of these products are focused on transaction-based security - fraud and money laundering. Watt poses an even hairier problem: what posture do you take towards your realtime trading system software — say — once you realize that one of your developers was donning a black hat — at least some of the time? Better yet, what internal controls can you institute that will help connect the dots leading to a questionable developer. Is it merely a matter of hiring nosey managers and smart QA people, or is some extra layer of scrutiny needed? All of this assumes, of course, that there was some bleed over between white hat and black hat. That may not be the case every time. But as word of this indictment spreads, I wouldn’t be surprised to hear that there are some heated conversations and hastily arranged audits to assess the collateral damage — if any.

The fundamental technology issue that arises from de/re-perimeterization and other number of transactional models built across security domains, is that there has to be some transparent decision framework that dynamically assesses the benefits of access relative to the security risk. But without visibility into the each element of the decision train - what is the resource, what’s the nature of the access request, what is the identity of the source of the request, with what degree of certainty and is the source of the request acting in a way that falls outside of the band of normalized behavior - there is no foundation to determine whether the access decision will risk-neutral or elevate it.

The information and profiles generated from these functions are distinct from the network and event types of information that SIEM systems capture, and can serve the purpose of generating the visibility into how system and user are correlated in order to incorporate risk assessment into access decisions and eventually embed into policy definition. Without going into specifics, what the vendor has in mind is a form of risk management that enables organizations to decide how much security they need to deploy - instead of trying to sell them too much or compelling them take the decision that operating without enough is just fine when assessed in terms of the associated cost and implementation complexity. If risk management is implemented correctly, it minimizes the potential from an external breach or insider threats by using a sliding scale of security enforcement rather than subjecting every user to an equivalent degree of scrutiny, when most of the time it’s simply overkill.

Still, even if risk management does become a viable sales pitch, there’s still the threat of risk management being becalmed in the doldrums of unresolved ownership. Where do the lines of responsibility get drawn? Is it an IT responsibility, a security responsibility, or a networks responsibility? Of course, this argument that risk management ends up in a no-man’s land can be turned on its head to make a claim in its favor : risk management becomes the source of accountability for balkanized operations divisions. (Think of risk management as Marshall Tito).

I am open to correction, but just not convinced yet that risk management is a good lever to prise open budgets. We’ve been told by a few vendors that the economic downturn has helped sales of security products - on the assumption that hard times make for an increase in insider attacks. We will be watching to see whether this holds true for risk management too.

]]> http://blogs.the451group.com/security/2008/11/04/can-you-sell-risk-management/feed/ http://blogs.the451group.com/security/2008/11/04/can-you-sell-risk-management/ http://feedproxy.google.com/~r/451security/~3/ARve-MGS0r8/ http://blogs.the451group.com/security/2008/11/04/it-security-after-the-crash/#comments Tue, 04 Nov 2008 22:04:07 +0000 Lauren Eckenroth http://blogs.the451group.com/security/?p=58 With the close of the third quarter, security vendors were putting on an optimistic face about the coming storm and the coming year. With quarterly earnings strong so far, McAfee, Sourcefire, and Websense sounded upbeat about the state of security spending in these tough economic times while major player Symantec is a little more conservative. It seems that those who control the budgets are at least pretending to share in the optimism; while overall IT budgets contract many people expect security spending to weather the storm.

McAfee says that customers at their client conference reported that security spending is still a top priority—but we’re not so sure that, ‘Things that make us money’ shouldn’t top the list- and maybe security, while still in the game, will have to take a hit. As far as earnings go, revenue came in at $410m in Q3, a 27% year over year growth. McAfee CEO David DeWalt claimed that many of the 28 deals over $1m that closed in the quarter closed in September when the markets took a downturn. However we would infer that these were sales cycles that were begun months earlier, when things looked considerably better. By the time the markets dumped and the deals closed the budgets were already written to include these big ticket deals. DeWalt also claimed customers seem more interested in spending their money with one vendor on a product suite, but we wonder if this analysis may have been influenced by the fact that McAfee sells a product suite.

Intrusion detection and prevention vendor Sourcefire had a solid quarter, which, as we’ve mentioned before, was needed to stave off bidders aimed at hostile takeover. The company has recorded a 37% year over year growth in GAAP revenue, coming in at $20.3m. Net loss is also down to $1.7m from $2.8m in Q307. More on Sourcefire’s latest quarter and its Shareholder Rights plan can be found in this report.

Websense finished its third quarter with $76.7m in revenue, up from $50.4m in Q307. The company recorded a GAAP net loss of $3.5m, or 8 cents per diluted share, and GAAP operating cash flow was $19.4m compared to approximately $13.9m in the third quarter of 2007. The company also tightened its 2008 revenue guidance from $290-295m to $292-294m. In another attempt at optimism, or just plain denial, Websense CEO Gene Hodges released a statement saying the company had “yet to see a significant negative impact on our business from the recent economic turbulence.”

Storage and…ahem…security vendor Symantec seems to have slowed considerably. Revenue for its second quarter in fiscal year 2009 came in at $1.5bn — nothing to sneeze at until you consider that it is only a 6% improvement over Q208. The company’s GAAP net income increased considerably, at $140m from $50m the year before (and to be fair, we hear that Vontu is faring quite well under the Symantec regime). Cash flow from operations fell more than $100m due to an increase in cash tax payments, whereas the year before the company had received a tax refund. Symantec’s security and compliance segment grew only 1%, to $400m, representing 26% of the company’s Q209 revenue. Guidance for next quarter is conservative to say the least; revenue is expected to come in between $1.44bn and $1.50bn. Symantec says it sees the mid market softening due to the economy, and that retail growth is down 20% year over year.

Security is vital to many industries. In the long run it may be less expensive to implement strong security policies than to pay for a possibly expensive and distracting security breach or data leak, and compliance certainly isn’t an issue that can be set aside. But so much of this optimism smacks of bravado and wishful thinking. The real effects of the current financial turmoil won’t really be felt until, at earliest, next quarter. This is far from over, and no amount of heel clicking will convince me that we’re not going to see security spending take a hit. Get out your umbrellas, folks.

With that in mind, we were contacted by none other than Jamie Butler, an esteemed security expert who now works for security consulting firm Mandiant. Jamie, along with his friend and sometimes co-author Greg Hogland, as an Obi Wan Kenobi of rootkits and other stealthy malware. Jamie wanted to tell us about a new tool, dubbed Memoryze, that Mandiant has released in a free version. What does it do? At a high level, Memoryze is a forensic memory analysis tool that allows users to interrogate live system memory on a host or a saved memory image to determine exactly what is running in memory, including processes that might be hidden by rootkit technology, as well as DLLs, executable files, registry keys, and so on. The program can list network sockets that a process running in memory has open — again, including those hidden by rootkits, as well as modules loaded in the OS kernel.

“This tool is extremely powerful,” Butler said.

What are the applications? Where to start — the most obvious application for Memoryze is as a strict forensic analysis tool: you can use it to pick over a saved image of physical memory. But Mandiant points out that its also useful as an incident response tool, to help understand what processes and drivers are (or are not) running on a host that may have been compromised. As an example, Memoryze’s forensic capabilities have uncovered the shellcode that Metasploit and Immunity’s Canvas inject into processes, Butler said. It can also be used as a reverse engineering tool — defeating anti-reverse engineering techniques to capture and reconstitute an image of a process or driver from physical memory that can then be plugged into IDA Pro or whatever happens to be the researcher’s favorite disassembler/debugger.

Yes, yes. This is a freebie that’s designed to steer you towards a premium product — in this case, Mandiant’s Intelligent Response product, which encapsulates almost all of the Mermoryze functionality. But Butler said its a robust product in its own right — with the ability to write custom filters to look for evidence of compromise using XPath filters. Check it out!

- At $695, Symantec is paying around 4.7x MessageLabs FY 2008 revenues of $145m — a good bit of change, but a much lower premium than the Google-Postini deal, which we estimated as being close to 9x revenues. That’s a reflection of the tougher market right now, but also of cooler heads prevailing when it comes to SaaS.

- We always find it interesting when companies re-buy into spaces they’ve already invested in. If you remember, Symantec already laid out some $370m back on 2004 to acquire antispam firm Brightmail. Now, of course, Brightmail had a different model, selling more traditional on-premises spam gateways, but given that Symantec had the Brightmail antispam engine and expertise in house, it makes you wonder why the company felt it needed to plunk down almost $700m just to get antispam as a service. (Note: we’re not saying this wasn’t a worthwhile investment, just that it’s…interesting.) At the end of the day, though, Symantec gets a top shelf antispam services company with a fast-growing Web threat detection service, a mature SaaS platform for its other products and a 19,000 strong customer base to upsell into.

- The truth behind this acquisition may lie in Symantec’s repeated references to MessageLabs’ “deep expertise in the SaaS market” and the synergies (to summon the ghost of the 1990s) between MessageLabs platform and Symantec’s nascent Symantec Protection Network (SPN) SaaS platform. SPN has been inching along, most recently with a beta release of an online remote backup feature in September. Given Symantec’s already deep investment in antispam and a mature product line, this deal may signal that the company realizes that SaaS is an entirely new game, that SPN isn’t the plug it in SaaS platform for Symantec’s other products that the company’s messaging has sometimes suggested, and that it needed to deepen its bench when it comes to SaaS.

More to come on this latest deal in the SaaS space…

Hubbard’s basic point was that new cloud computing platforms are massively powerful tools for creating virtual computing infrastructures and offloading CPU and memory intensive operations. Platforms like EC2 essentially allow businesses and individuals to create any number of virtual computers on the fly — and deals that companies like Amazon are offering allow customers to create new hosts for pennies a month. That’s great, and Hubbard talked about how Websense has begun to use these platforms to host elements of its threat honeypot network and failover servers for its antispam service. Other whitehat applications include image analysis, fuzzing, vulnerability research, analysis of large data sets, and so on.

As Hubbard explains it, the cloud infrastructure allows Websense to spin up new systems quickly, provides anonymity that makes it harder for spammers and organized crime groups to blacklist its honey clients and allows the company to focus on its core competency: threat detection and security, rather than Web hosting.

The problem, as Hubbard sees it, is that cloud computing systems are “frictionless systems,” more akin to the anything goes Domain Name System than an ASP or other hosting offering. Users can set up accounts online and anonymously with little more than a credit card, while APIs make it easier to spin up dozens or hundreds of new systems in minutes. Once created, those systems can then be used, potentially, for DDOS attacks, man in the middle attacks, spam runs and more. Hubbard also notes that its unclear what level of security between cloud systems exist, potentially allowing attackers to compromise hosted systems, steal data on them or monitor traffic between them.

We’ve written about the increasing growth and massive potential of cloud computing — which everyone from Microsoft to Google and IBM, Sun and VMWare are investing in. Expect to hear more about the security implications of the cloud — for both good and ill — in the year ahead.

Fear — worked yesterday, works today. Aboud made no bones about the fact that the “F” in FUD — fear– continues to be a prime motivator in security software purchases and marketing. “Fear is a natural tendency,” Aboud pointed out. Outbreak marketing, he said “catapults off fear.” The key, of course, is to tap into the underlying fears of your prospective customers without overdoing it or seeming like you’re taking advantage.

Much of the rest of Aboud’s talk was spent discussing the best possible way to market outbreaks. In a nutshell, Aboud argued that anti malware companies do themselves a disservice by chasing every and all outbreaks in an effort to get their name attached to news stories and other coverage. Rather than the carpet bomb approach that takes security companies off their core message (and make them look like FUD-meisters), anti malware companies should use the Gulf-War laser guided munitions approach: picking and choosing their outbreaks, then tying their comments and marketing efforts into research and product development efforts that are consistent with their long term objectives. Aboud calls this approach “proactively reactive” — let’s just all decide that will be the last time we ever use that term, ok?

That all sounds well and good — I’m just not sure its very realistic. I think Jeff’s right that security firms don’t do themselves a favor chasing issues that don’t dovetail with their areas of core competency. Most reporters will read through your spin and just look on the whole effort as rather desperate. At the same time, companies that want to get their name in the press can’t lay back and mull their options while news is breaking around them. At some point, if you think you’ve got something to say, you’ve got to get out there and make calls, send emails, blog and otherwise start shaping opinion. That said, mega outbreaks like Blaster, Slammer, et al. are rare these days, so in most cases you’ve got time to get your story straight, provide something new and useful to reporters and prep your experts. My advice on getting your message out:

1) make sure reporters know how to reach your key reps and experts

2) make sure your folks return calls and emails ASAP and move quickly to set up interviews and shape the story

3) debrief experts on what reporters are looking for and make sure they have their facts straight

3) provide independent, marketing free advice/information. no product pitches, please.

My 2c.

So periodically we’ll be analyzing the stock performance of publicly traded security companies. The posts combine our security technology industry analysis with our M&A and market analysis to bring some clarity to the often under-understood world of publicly traded security companies.

This week we take a look at Sourcefire (NASDAQ: FIRE), which as we’ve just noted, has recently released 3D System 4.8 and the beta of SnortSP—a main component of the forthcoming Snort 3.0.

We would note that these product releases—and others coming soon—will likely have a significant influence on Sourcefire’s stock as the company returns to trading on its fundamentals rather than getting whipped around by speculation about whether it will be gobbled up by Barracuda Networks. With shares currently changing hands at roughly a 15% discount to the offer price from privately held Barracuda, Wall Street appears to be dismissing the takeover. Further, the relatively thin trading volume in Sourcefire shares is hardly representative of a speculative market, with arbs and ’special situation’ investors whipping around huge blocks of stock. (The beta on the stock is 0.8, meaning it is notably less volatile than the S&P 500.)

Sourcefire was put in play following Barracuda’s unsolicited bid in May. The privately held company initially offered $7.50 per share for Sourcefire, then later bumped that up to $8.25 per share. Reflecting the offer, Sourcefire stock soared 20% in two sessions in early June. It even briefly topped Barracuda’s bid, hitting a high of $8.27 on June 10th. However, as doubts emerged about Barracuda’s commitment to closing the deal—as well as Sourcefire’s larger-than-expected Q2 loss—Sourcefire shares sank back to the mid-$6 range, essentially where they were before Barracuda floated its offer. (One reason for the market’s skepticism: Barracuda never released any details about the financing the proposed $205m deal. Presumably, Barracuda could tap backer Francisco Partners for the cash, but it certainly isn’t going to get it from the credit markets right now.)

We and others await the company’s important Q3 earnings announcement with great anticipation. Should Sourcefire blow the quarter, or see lower-than-expected takeup in the federal sector, the company could be looking at the business end of investor crankiness. Market conditions these days and tightening of credit might make any potential bidder think twice about a new offer, but we can’t help but note that stocks seem to be on special this week (pending further Washington drama in the form of a Senate vote on the bailout). If Sourcefire gets through Q3 with a respectable showing, then all comes down to its make-or-break fourth quarter results, when Wall Street is looking for the company to put up black numbers.

Looking at pre-drama prices, we wondered whether Sourcefire’s volatile performance suddenly turned steady. For the past month and half investors seem to be in a holding pattern, with light volume and little conviction. And while the stock has followed the overall market, it hasn’t been roughed up as much. Since Barracuda’s bid was revealed, Sourcefire shares have lost some 8% of their value, just half the level of the decline in the Nasdaq.

As for Barracuda’s play in this game, if the market was convinced the deal was going to happen in its current incarnation (and in current market conditions) Sourcefire would be trading above eight bucks. But it’s not; it’s been steady around $7.40 for the past six weeks—even after the 777-point drop of Monday, September 29, 2008, the stock closed above $7, and by Tuesday it was back up at $7.29. Is the market trying to tell Sourcefire that Barracuda really didn’t undervalue the company, as was claimed it had when the original bid was made on May 29th?

Investors are waiting to see if Burris can pull Sourcefire out of the funk it’s been in since the 41% plunge after its initial IPO offering in March 2007. Everyone’s holding onto what they have, but for how long? If Sourcefire doesn’t perform, especially in Q4, which has historically brought in somewhere around 35% of its annual revenue, its board may start looking a little closer at whatever offers are coming across the table. If Burris can’t pull Sourcefire into a substantially better position if not into the black by the end of the fiscal year we would expect to see the company sold, with or without the approval of its upper management.

Compared with industry shindigs like the RSA Conference, InfoSec or Interop, VB has an almost academic air to it — its lite on biz dev, but heavy on binary analysis. For reporters and analysts who are used to talking to the marketing and PR flaks, VB is great — an opportunity to hang out with the researchers that most security firms keep hidden away at the labs who actually develop the protections and diagnose the new malware variants floating around the Internet.

I’m here to participate in a panel discussion on virus testing methods, and whether they’re doing a good job reflecting the relative effectiveness of anti malware products. This blog has sounded off on this topic (and on VB) before. And, without going into it, suffice it to say that there are real concerns that the methods industry groups are using to evaluate products aren’t keeping up with the times. Of course, testing methods is a familiar topic of debate here at VB and at other industry conferences like AVAR, and its its not clear that much changes year to year. Still, its clear that the anti malware industry is at an inflection point: there’s more talk here about the organizations behind threats and less focus on the threats themselves than in years past. There’s also more chatter in the crowd about in the cloud security services and threat intelligence, than about ways to fine tune signatures and heuristics. The Web is very much on the minds of security researchers, as is virtualization technology. With all that going on, folks are looking at the methods that testing organizations like VB, AV-Test and the like use to assess the effectiveness of anti malware products. Trend Micro made noise earlier this year about dropping out of VB’s testing program, and others (Panda, as an example) have taken similar steps over the years. Mostly they’re peeved about evaluation methods they consider ossified and not reflective of the capabilities of their products. (For example, some tests still rely heavily on signature matching against the virus Wild List –just one measure of effectiveness in stopping malware, and not a particularly relevant one at that.) In addition to the panel I’ll be on, I count two other sessions on the testing question (”Who will test the testers” with David Hartley from ESET and Andrew Lee from K7 Computing and “Rebuilding anti-malware testing for the future” with Igor Muttik and James Vignoles from McAfee). I’ll let you know if any of us reach any peace on the issue — but don’t hold your breath.

The Palin case is a great example. The Vice Presidential nominee was already under fire for allegedly doing government business through her personal, Yahoo e-mail account. If nothing else, coverage of that story directed any number of hackers and Internet trolls to her Web mail account. One of them appears to have been successful in breaking it. The account of how he pulled it off shows how thin the blanket of protection is around Webmail and other online resources, even when offered by top-tier providers like Yahoo. All that stood between the outside world and Palin’s e-mail account was Yahoo’s password reset feature, and a few simple facts that were easily recovered by Googling: her place of birth, zip code and where she met her husband (umm…Wasilla high school?). While the information retrieved from the account has been unsensational, it has also been limited and suggested that Palin mixed professional and personal correspondence. That could have been (and may yet be) a huge headache for Palin, the McCain campaign and the State, exposing sensitive personnel, policy decisions and official business to public view. I’m all for open government — but this is something different.

The Palin incident also recalls a recent incident a bit closer to home in the IT Security world, namely: the hacking of Webmail and blog accounts belonging to Alan Shimel of NAC/IPS vendor StillSecure. Alan has already written about the grief that ensued after some trolls busted into his blog and his Yahoo e-mail account and disgorged reams of personal information — tax returns, vacation photos, personal correspondence — from them. According to Alan, the integrity of StillSecure’s network was never compromised but, as with Palin (and most of us, frankly) the boundaries between work and personal life blur, and sensitive data often flows back and forth between them.

Blogs, social networks and the like also provide a treasure trove of personal information for identity thieves and others that can be used to gain access to more sensitive resources than Yahoo Webmail accounts.
What’s the solution? There is no easy answer. Companies can use Web content monitoring tools from any number of vendors to try to block use of social networks, Web mail and the like during the work day. But that’s a ham fisted approach that, in the end, probably won’t be all that effective. Also, some social networks are becoming rather important conduits of professional communication and activity, as well — even if its just for HR and marketing.

Making employees aware of the need for strong account protections and the risks inherent in mixing work and personal correspondence is another approach. My sense is that most companies haven’t made that type of coaching part of their standard employee orientation. With more and more of their workers blogging, facebooking, twittering and the like, companies are going to need to address this head on, lest the tidal wave of new communications prove a death by a thousand cuts for enterprise IT security groups.

Identity is dead, long live identity

Identity has never been more important as the network perimeter frays, and the diversity of users accessing resources expands - the tension between the demand and risks for access to data is escalating. Identity, data and policies are the three legs of the stool for managing how information is managed - the better identity is defined in terms of attributes, and more easily consumed by a policy engine, the more pivotal it becomes in policy decisions. Also, as identity as understood as an entity with attributes defined in terms of business logic, and correlated from multiple sources, it provides the ability to write more powerful policy statements. In other words, what is referred to as role management (too vaguely in my estimation), is about to have it’s day in the sun. But there remains a lot of uncertainty out there about what constitutes identity management - and vendors with metadirectory products and provisioning engines can shoulder some of the blame here. Also helping to further cloud matters is the conflation of enterprise identity and internet identity as a single notion, or at least as inevitably reconcilable. The 451 Group’s view is that while there is a clear overlap, they deal with divergent use cases. Part of the misunderstanding is perpetuated by the lack of distinction between authentication to resources and tying a user to a particular persona.

The market is growing (but not booming)

To a lesser or greater degree, the vendors I spoke to are optimistic, are seeing their pipelines expanding, and are experiencing smoother sales cycles. Compliance is the common theme here, but buyers are increasingly motivated to buy new technology in order to deal with the complexity of existing infrastructure - created either through M&A (where multiple systems must be integrated to establish unified controls), autonomy in how identity management is implemented, no processes in place in the first place or simply poor implementations of technology designed to automate procedural changes and streamline operations. Still, it’s more prudent to characterize the market as one leaving the doldrums, rather than one with a gale force wind at its back. At least one vendor we know has had to retrench after scaling the company on forecasts of 350%, and then having to contend with a ‘paltry’ 100%. Also, even though the volume of M&A rumors has picked up substantially in the last six months, there remains a gulf between what acquirers are willing to pay, and what targets think they are worth. The smarter private companies are looking for ways to scale before seeking an exit — which in my mind is the appropriate course of action at this point when the scope of the problem is only beginning to be understood by the customer at large.

Visibility, control and now transparency

So what is the scope of the problem? As I started to ramp my coverage of the IAM space, fairly early on it became quite clear that the overarching issues faced by organizations looking to manage identity were visibility - who are my users, what do they have access to and how - and control - can I ensure that access is appropriate and policies centrally specified. It’s now dawned on me that there is a third facet here - transparency. Transparency involves capturing who touches what and how through logging, reporting and auditing in the context of compliance (accountability in other governance contexts). But transparency is also the path to transcend the age-old wall between IT and business. Transparency is the ability to understand system privileges in terms of business rules (and translate business requirements into system privileges), build a resource-centric view of consumption and integrate identity into the change management process. The ability to understand access decisions in terms of a business process through a policy management layer translates to transparency - which is why we will be spending a lot of time on this topic over the next two months.

Security as a business process?

Far more informed, incisive people than myself have posited that IT security should not exist as a standalone industry. But is it realistic to think of security as embedded into business processes? Not at all - but does depend on the nature of the business process - there is sure to be a continuum of the degree to which security needs to be embedded, and dependent on the risk associated with the business process. But, the question can be turned around: is it possible to fully map the security implications of each access decision and transaction? Can we satisfy the need to dynamically (and in run time) assess the risk of allowing a decision or transaction? Identity can clearly evolve to be an important pivot in the decision, and provide the foundation to move away from binary decisions to a world of less and more access and control, but other elements have to fall into place in parallel. (Although Covisint with its trusted environment and transaction brokering has an interesting take on this possibility).

]]> http://blogs.the451group.com/security/2008/09/11/digital-id-world-a-postscript/feed/ http://blogs.the451group.com/security/2008/09/11/digital-id-world-a-postscript/ http://feedproxy.google.com/~r/451security/~3/vjY6jTURx_A/ http://blogs.the451group.com/security/2008/09/09/marc-maiffrets-new-gig-youll-be-surprised/#comments Tue, 09 Sep 2008 20:12:10 +0000 Paul Roberts http://blogs.the451group.com/security/?p=48 My favorite memory of Marc Maiffret goes back a couple years. I was a security reporter for eWEEK and had just landed in Las Vegas to cover the annual Black Hat security conference. I had a late (9:00pm) interview scheduled with Marc, who co-founded eEye Digital Security and, by then, was its CTO. But my plane was late and it was now almost midnight. Once we landed , I called Marc to apologize and, obviously, reschedule the interview. He answered and, yelling over the din of the craps table, told me to get my butt down to Caesar’s. The night was still young.

By the time I got there, Marc - in trademark smoking jacket with dyed hair, combat boots and piercings — had somehow glommed on to the hottest table on the Casino floor. He and everyone in the eEye posse were WAY up. The free drinks were … flowing. After watching this all for a few minutes, I threw my money on the table, too. We played a while longer, won some dough, then spilled into the booth at an all night buffet at around 2:00am. We talked shop. Marc tipped me off to the news about Michael Lynn’s scratched Cisco IOS presentation, which was going to become worldwide news, and the show was on!

That’s Marc and that was eEYE — lots of youth and energy and fun. And lots of ups and downs — too many, as it turned out. Throughout, Marc set the tone: a gifted security researcher, he was among the first to isolate and analyze the Code Red worm. Over the years, Maiffret built and led a team of researchers that did important work exploring the vulnerabilities of Microsoft’s Windows operating system, Internet Information Server (IIS) Web server and countless other products. With talented developers like Ryan Permeh (now Manager of Product Security in McAfee’s Security Architecture Group), he oversaw the creation of both the Retina vulnerability assessment tool, but the Blink host IPS product. That said, his company, which was an early leader the vulnerability assessment market, was guilty of a number of strategic missteps over the years, even while competitors like Foundstone and ISS were acquired.

So when Marc finally stepped aside as CTO at the end of 2007, the question on everyone’s mind was “What’s Marc’s second act?” I got an answer a couple weeks back in the form of a call from Marc, who wanted to talk about his next project: a managed security services company called The DigiTrust Group that is targeting SMBs. Truth be told, Marc isn’t launching something new here. Rather, he’s joining a company that was started 10 years ago by a childhood friend, Jason Lidow.

The company has spent much of its life as an IT consultancy targeting small and mid sized enterprises in all the veriticals you’d expect: retail, finance, education, legal, manufacturing, insurance, etc. So what does a security rock star like Marc bring to the table? According to the two friends, Marc will serve as director of professional and managed services and will be charged with helping expand DigiTrust’s core services such as infrastructure assessment, configuration reviews, Web application assessments and the like. Marc also wants to expand DigiTrust’s managed security business — helping companies deploy, manage and use products from other vendors and, of course, forging relationships with those tech partners (and, yes, eEye is likely to be on the list).

As Jason and Marc see it (and we agree), SMBs are an underserved lot when it comes to the security services business. But with their limited resources and tiny IT staff, they’re among the most needy of high quality IT security services. Organized online crime groups have already figured out that a small business making $20m in revenues a year has steal-able assets that are just as valuable as what they’ll get from the big banks and financial services companies, but far fewer resources to protect them. DigiTrust plans to develop a more-or-less standard set of “best of breed” products — both at the perimeter and on the endpoint — that it works with and standardize across its customer base.

Obviously, Marc and Jason aren’t the first guys to think of this. In fact, there is a slew of competition out there, from giants like AT&T and Verizon Business, to consumer outfits like BestBuy, which bought IT service provider Speakeasy last year, to small, one and two person consultancies that manage a handful of clients. SaaS vendors, from Microsoft and Google on down, are also reaching out to SMB’s with security services like e-mail and Web security, data archiving and the like hosted in the Internet cloud. They’re competitors too. It’s not clear what advantages — in resources or technology — DigiTrust has at this point, but it did pick up a very smart security mind in Maiffret — and someone with contacts who can be a public face for the company and, perhaps, open doors.

Maiffret said he’s not going to be tilting at those windmills anytime soon, just trying to be the best IT security services company for SMBs in southern California, then the best on the West Coast, and then go from there. That sounds a lot more modest than the plans for world dominance that folks at eEye used to regale us journalists with — but it also may be a plan that has legs. Time will tell.

McAfee is hardly the only company to realize that their future lies in cloud-based threat intelligence services. Trend Micro was an early advocate of cloud based intelligence. In August, Spanish antimalware firm Panda Labs announced updates to its products that include a feature Panda has dubbed “Collective Intelligence.” The feature can be used to instantly scan emails and shared programs from the Internet cloud, sending information back to Panda about new malware. With the collected data from all users Panda can determine new malware techniques and distribution points.

And, as the Network World article points out, F-Secure is planning similar features for the next version of its endpoint security products.

As we’ve noted, the trend towards tighter integration between cloud based threat intelligence services in the anti malware industry is nothing new. That said, it’s still a tectonic shift within the industry, which has struggled for years to find a better way to block zero day attacks and fast-morphing viruses and worms. In April, for example, we noted the friction caused by antimalware testing organization Virus Bulletin, which panned products from leading vendors based on a number of highly suspect criteria — for example, VB still takes accuracy in matching a random selection of malware from the Wild List as its primary benchmark, while giving less weight to non-signature based detections.

Trend Micro has notably removed its products from evaluation by VB since then, saying that the evaluation criteria haven’t adapted to a new world in which desktop based and cloud based intelligence services interact to provide protections. As an example, Trend noted that the VB testers refuse to allow products to have access to the Internet during tests, hamstringing newer detection models.

In response, VB defended its approach, saying that the Wild List itself is being overhauled, and that its working on ways to make its tests more reflective of what’s “hitting people in the real world.” The organization defended its “No Internet Connection” policy saying that the policy is not an oversight, but something that is done to ensure fairness in its tests. “If the test systems were connected to the web, we could not ensure a level playing field,” wrote John Hawes of VB. “Even if we had the resources to run all the tests at once, this would give an advantage to slower products, which would have more time to add in updates before they completed scanning sample sets…”

That’s true enough, but one has to wonder how useful any standard rating system can be, given the helter skelter nature of change within the industry!

Paul Roberts and Lauren Eckenroth, The 451 Group

Zscaler just came out of stealth mode last month to announce the availbility of its in-the-cloud web application filtering and monitoring product. The company was founded by Jay Chaundhry of CipherTrust and, later, AirDefense. Chaundhry invested an undisclosed sum as start-up capital. Zscaler currently has 45 employees and claims 15 customers, notably The Weather Channel, though it is unclear whether those are paying customers, beta customers or what.

zScaler said it has been a work on its platform for the last 18 months and sports a team of hardware developers poached from Citrix’s netScaler team, Microsoft, Google, Yahoo and others. Its multi-tenanted, SaaS based Web scanning platform can support up to 250,000 transactions per second, the company claims.

In addition to standard Web threat detection fare like antivirus scanning and URL filtering, phishing and botnet detection, zScaler claims to offer traffic management (say “view but not upload” when on YouTube.com”) , analysis and compliance and traffic analysis. Basic Web content filtering is being cast at data leak protection (zScaler’s not alone in this) and an analysis engine allows customers to replay attacks, etc. Sounds good — though we haven’t yet spoken to anyone who’s actually using this product.

In a statement, zScaler’s Chaudhry said she “has quite a track record of excellent leadership as well as a valuable background as an entrepreneurial mentor…She is well-known for her strong strategic insights and business acumen and we greatly look forward to working with her.”

As we noted, zScaler is eerily similar to another SaaS-based Web security startup: purewire, which unveiled its flagship service on the same day zScaler announced its own. Like zScaler, Purewire sports an all star board member — Tom Noonan of IBM/ISS.

– Paul Roberts and Lauren Eckenroth, The 451 Group Enterprise Security Practice

Among the key problems I think IQT is now looking at is the oft-lamented fact that the US has no cogent strategy to deal with cyberwarfare, no leadership on the issue (in fact the issues surrounding this are so complex it’s hard to find anything people don’t want to talk about more. Simultaneously, political winds are blowing funds in the form of budget dollars from many places (including my wallet) towards the white tower that is the Office of the Director of National Intelligence.

It is said that the CIA under George Tenet somehow recognized that private industry was surpassing government talent in the field of technological innovation. Is it possible that the CIA was prescient enough to recognize over the past few years that its budgetary influence was waning and that to re-increase its stature in the intelligence community it would need to get really geeky about cyber-warfare and get itself some really cool kit? The CIA? Prescient? It’s become so hip to make the CIA the butt of jokes recently that people forget just how much seriously cool stuff it has done (this is a technological, not a political, discussion).

In his 2002 review of The Bourne Identity, the New York Times’ A.O. Scott wrote that,

The movie … trots out a quaint view of the C.I.A. as not only bottomlessly malevolent, but also endlessly and terrifyingly competent.Shortly after they see Marie’s image on a security camera satellite feed, the folks at Langley are in possession of her entire life history, and they are able to track her movements across Europe with a few clicks of the mouse. This is inadvertently hilarious in light of recent news reports. If Marie had only thought to disguise herself as an international terrorist, she might never have attracted the agency’s notice in the first place.

Well, IQT itself has been a monster success. Its investments are absolutely classic examples of how to do it right: tons of due diligence, heaps of knowledgeable people asking sensible questions about the technology, the leadership of the innovative company-prospect. That they don’t make large investments (generally they’re capped at $3m) or take an equity position is a question of taste, or style, or, you know, propaganda value. But the investments are made in the form of, essentially, non-recurring engineering fees to make something wicked-cool out of something more pedestrian, and come complete with a promise to buy a bunch of it if it works out right.

But back to cyberwarfare.

If our current policies and the reality of the US’ digital security stance is any indication, policy makers would rather read tax code than infosec material - hell, even I’m reading a book on tax code, and I think this security stuff is a gas. You take a look at something like H. R. 130, the Smarter Funding for All of America’s Homeland Security Act of 2007), whose dense prose mentions the word ‘cyber’ a total of once, and you wonder. I digress.).

We wrote in this blog back in April about Aaron Turner & Michael Assante’s excellent article in CSO Magazine, in which they compare and contrast the response in the 18th century by the United States to pirates on the high seas with today’s federal response to Internet crime. (read Turner’s prescient testimony to the House Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, Science and technology here).

In that blog post we also mentioned that, back in 2004 MIT Technology Review published a terrific piece by Eric Hellweg, Cyber Security’s Cassandra Syndrome which discussed the stalled and possibly addle-headed Bush administration approach to the problem of leadership of the effort to protect the nation’s computing infrastructure.

The problem, Hellweg argued, was that you couldn’t get the right people to do the job of protecting the nation’s critical infrastructure (which is basically our government’s ability to use computers and the Internet) because, well, it’s impossible. You can’t get anyone to take all the responsibility while having none of the authority to do what’s necessary. The fact of the matter is that it’s not defense against being attacked, it’s long since devolved to the point that our government should be asking itself, to paraphrase Ed Harris playing Gene Kranz in Apollo 13, ‘Whadda we got in this country’s critical infrastructure that’s good?’

More specifically, how badly are we already owned by foreign nation-states and commercial entities, and how can we look at ways to fix that? Then we can start talking about ways to have ‘Smarter Funding for All of America’s Homeland Security’.

So… IQT as savior? Are Darby and Geer (who raised some fascinating and common sense points on security metrics in his testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last year) and the infosec team at IQT the stand-in Cyber tsars by forfeit? Well, there’s an argument for it. Geer (and Assante, by the way) sits on the The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, which is working to develop recommendations for a comprehensive strategy to improve cybersecurity in federal systems and in critical infrastructure. So do a lot of other really smart people. But as several of them have admitted, the danger is that the need to reach high level consensus will lead to watered-down pablum despite the best intentions of a truly smart group of people. It’s Washington. It’s almost inevitable. Don’t get me wrong: some great ideas will come out of the CSIS deliberations. Our biggest fear is that politics will pare down the final recommendations to be on par with ‘Don’t-click-on-attachments, wear-mittens, study-hard‘-caliber advice.

A look at the political climate in Washington, especially that surrounding the intelligence community, shows that the winds are being shifted by a Bush administration miffed at…Well, who knows.

The unclassified Annual Threat Assessment of the Director of National Intelligence from this past February had this to say about Cyber warfare:

The US information infrastructure—including telecommunications and computer networks and systems, and the data that reside on them—is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

In an Op-Ed piece in The Wall St Journal this past April by DNI Mike McConnell and House Intelligence Committee sub-committee chair Anna G. Eshoo, they talked about responsible domestic surveillance:

If we are going to ask our intelligence agencies to help defend our country, we need to carefully construct policies that give them access to this information when necessary, and protect the rights of Americans. The National Security Agency, for example, is governed by strict rules that protect the information of U.S. citizens. It must apply protections to all of its foreign surveillance activities, regardless of the source. As we add new authorities and programs to secure our country, we must ensure appropriate safeguards and protections to secure our liberties. We must maintain the balance between safety and freedom.

And then pooh-poohed technology…

Too often, our country has invested in dazzling new technology as the solution to our intelligence woes. Technology is vitally important. But a computer is only as good as the person who programs it. No piece of technology can substitute human judgment. A computer – even one that costs millions – cannot recruit a spy.

Meanwhile, Joe Lieberman (IND-CT) and Susan Collins (R-ME) are asking good questions that are worth reading. If you’re up for it, answers to those questions are in a letter that highlights the marvels of redaction.

We, like you, can only speculate about what the CIA will do with Veracode’s technology, but I would be willing to bet it has something to do with finding weaknesses in code. Which is quite useful stuff, if it works. I bet there’s more where it came from, and I bet IQT will be and is looking at other infosec investments.

And with regards to Cyber warfare, we would say that, at the very least, IQT and its staffers are raising the level of discourse about the problems faced by the US - or at least by the CIA.

Many people sort of wink knowingly when they hear about IQT, but don’t really have a sense of what the thing does, or in fact, its successes to date. The interesting thing, which we will go into in a bit, is that for the most part, IQT - which sounds really spooky and security-ish, has invested in hugely successful companies that could not be less directly related to information security. Like OpGen, which does single molecule DNA analysis technology to identify and analyze microorganisms. The closest it gets to something like IPS is, well, IPS, or Infinite Power Solutions, which makes thin-film energy storage devices for micro-electronics. It’s not like it’s a bunch of guys dressed like Lefty skulking around corridors in Silicon Valley saying, “Psssst! Hey Bud…Wanna take some NRE money?”

IQT exists to determine an answer the question, ‘Is it possible to solve [problem set here]?’. If the answer is, ‘yes’, IQT’s job is to identify fiscally viable, practically capable, innovative private organizations which might be able to solve the problem at hand. By providing availability to these technologies, often by re-purposing existing ones to accomplish things outside thre scope of their original design, IQT will increase the capabilities of its main customer, the CIA.

So going out on a long, unsupported limb, we think that the Veracode investment is the first in what will be a string of more traditional infosec investments, especially in the areas of digital identity and access control technologies addressing the concepts of digital persona. And we think that this is being driven in part by a several-years’ long political climate change that has led money and influence away from the CIA. More on that tomorrow.

By the way, IQT has not spoken to me about this issue other than typically flacky guff about the Veracode investment, to wit:

“… We have relatively recently expanded our internal organization in terms of the technology practice, derived from the specific problems we see; we spend lots of time examining not just the technical capabilities but the company itself. Our selection of Veracode speaks for itself; as a strategic investment firm it’s there to meet a strategy.” Blah, blah, blah [blah, blah, blah added].

IQT is, intriguingly, a 501(c)(3) not-for-profit organization, meaning, I suppose, that donations to it are tax deductible. I’ll try to donate fifty bucks and blog about how that works out, and what kind of newsletter I get for it.

Its activities are unclassified, and the company only deals with open source (in the spook sense, not the licensing sense) stuff.

There are some fascinating documents available on the CIA’s website about IQT’s history and on IQT’s website about the organization and how it has been operated, especially including a report excoriating the hand-wringing at the CIA as it tried to get past its, ‘Private sector? Pah! We made CORONA! We can read the gender of a newt from nine miles in space!’ attitude.

In the past, this has often not been a case of information security in a standard sense of the phrase. Still, the perception of IQT as a ’security’ investor remains. When the investment in Veracode was announced, many felt that it was par for the course - code analysis, security, CIA….All goes hand in hand.

Except that for most of its nearly ten year history, IQT has been anything but an investor in information security companies. Sure, since its inception it’s made investments in lots of things that seem cloak and dagger. Keyhole, the satellite imagery and 3-D Earth visualization company, was an early investment (in 2003 my accountant, reviewing my expenses, saw a credit card charge to ‘Keyhole’ and asked me if I was trying to write off a visit to a strip club); it ended up becoming Google Earth. Many other investments are in areas like zoom lens development, chemical analysis tools, entity extraction and semantic analysis stuff. An analysis of the investments that the, uh, firm, has made since its inception under the George Tenet-led CIA of 1998 shows that most of the investments are of the build-a-cooler-mousetrap variety for things that seem decidedly bookish.

Of its 76 investments, IQT has made ten in what I would consider to be classic infosec investments. The other 66 investments have been spread across IQT’s other practice areas: Application Software and Analytics, Bio, Nano, and Chemical Technologies, Communications and Infrastructure and Embedded Systems and Power.

In-Q-Tel’s Digital Identity and Security group invests and seeks technologies in the truly hot if not downright sexy areas of identity management and access control as well as risk analysis capabilities, system design and analysis tools and policy definition and management. The investments have been:

• 3VR Security (wicked-cool video facial recognition, like, ‘Show me where this guy has been on every camera you have’ kind of recognition - you have to watch the demo);
• A4Vision (facial biometric and camera tracking systems technology acquired in January 2007 by BioScrypt, which itself was acquired in January, 2008 for $44.3m by L-1 Identity Solutions, Inc;
• ArcSight (the enterprise security information management vendor which has since, of course, gone public and whose stock has recently recovered from elephant-tranquilizer-territory);
• PKI and ID infrastructure vendor CoreStreet;
• Encryption vendor Decru (bought by Network Appliance, Inc for $272.1m in June, 2005);
• Master data management vendor Initiate Systems (whose $26m series F round takes total funding to about $61m);
• Awesome-cool ‘where’s-that-RF-device?’ vendor Network Chemistry, which sold its security assets to Aruba in July 2007 and got waaaay pissed off with us when we priced that deal at $3m;
• SRD Software (if you thought RSA’s Verid is spooky you should talk to these guys; it was acquired in January, 2005 by IBM for $69m);
• and, of course, Veracode.

But the Veracode investment is interesting. The core technology of Veracode’s on-demand service was developed in 2002 at @stake, the pen testing and assessment firm acquired for $49m by Symantec in April, 2004. Want to know what’s also interesting? IQT President and CEO Chris Darby was Chairman and CEO of @stake. And the Veracode investment comes three months after the appointment by IQT of Dan Geer as its Chief Information Security Officer.

Now, Geer is a plain-spoken star in the security world. He was CTO at @stake (and a gazillion banks) before a much celebrated and reviled paper declaring that Microsoft was a national security threat hastened his departure; to quote another former @Staker, ‘It’s hard not to suck deep, deep down when you are Microsoft Windows’). Geer has also worked at Verdasys and on a host of other projects and organizations (more on him and some of those other projects tomorrow).

Based on what I know of IQT and of Geer (I’ve never met Darby but I think Geer is a truly honorable guy), I don’t believe that there is much connection that Geer is on the board of Veracode and the IQT investment in Veracode. We understand that IQT has actual conflict-of-interest firewalls that are taken seriously by the firm, so we don’t believe Geer would have been involved in the investment decision on the IQT side). I am much more willing to believe, based on IQT’s investment history and the people involved that these guys simply knew that the stuff was out there to meet the specific requirements that were presented, and that Darby and Geer would naturally have said, ‘Oh yeah, that stuff - you wanna talk to the guys at Veracode.’ As I said, maybe I am being a sucker, but I think not.

For Veracode, the cachet of the investment is PR no one can buy, and the cache of having sold stuff to the CIA will be on its own enough to open doors at other government agencies (especially, one would assume, the three-letter kind). And for reasons I will get into tomorrow, I think that the statement I made earlier - that it is the first in what will prove to be a series of straight-up infosec and ID and Access management-related investments - will prove true.

The presentation, by MIT student’s Zack Anderson, RJ Ryan and Alessandro Chiesa (who are under the tutelage of crypto-legend Ron Rivest, no less), is scheduled as part of the annual Defcon hacking conference at the Riviera Hotel and Casino in Las Vegas. According to the Defcon Conference guide, the students will show “how we reverse engineered the data on magstripe card” and “present several attacks to completely break the CharlieCard, the MIFARE Classic smartcard used in many subways around the world.” The talk includes discussions of brute force attacks using field programmable gate arrays and software tools to read the cards RFID data, WiFi hacks and, of course, social engineering attacks on T employees (who have already shown a lackadaisical attitude to other kinds of crime fighting).

As the Lynn and IOActive/HID controversies have already shown, getting lawyers involved and filing injunctions is exactly the WRONG approach to take, should your black box security system come under attack. The controversy that the legal wrangling between DEFCON and the T will provoke will do far more to ensure that the students’ presentation gets spread far and wide within the hacking community than would a sleepy presentation on the last day of Defcon. Companies need to practice a kind of PR Jiu-Jitsu with blow ups like this — playing it cool, being respectful to the researcher, hacker community, then working like hell with the vendor to get things fixed behind the scenes.

The brewing controversy also casts a bright light, yet again, on the continued reliance of major corporations (HID, Diebold) and public agencies on the thoroughly discredited notion of security through obscurity — you know, the idea that “our stuff is secure because nobody knows how it works.” Fare token systems, RFID-based purchasing systems, door access products and the like would be a lot more secure if they actually built secure systems and methodologies for conducting transactions via RFID, etc. then opened up their inner workings to review by the likes of Zach, RJ and Alessandro to poke around.

While I won’t try to rehash the entirety of his presentation, there are a couple take away points that are worth repeating for the Plausible Deniability crowd. In general, Chris stuck a big, sharp pin into the hype bubble that surrounds virtualization technology and security. Like others before him, Chris pointed out that the virtualization and security issue is actually three different issues, that don’t necessarily overlap: there’s the Joanna Rutkowska stuff concerning the use of virtualization as an aide to malware writers -subverting the hypervisor, etc. etc. Cool stuff, but in Chris’s thinking, more proof of concept than pressing concern.

Then there’s virtualization as a tool in the enterprise IT toolbelt — consider the use of virtual switches as tool for quarantine or network isolation. Finally, there the adoption of virtualization by security vendors (security virtualization) — a totally different trend that concerns the migration of traditional enterprise security products (firewall, IDS/IPS, and so on) and which Hoff expects will soon lead to a “gold rush” phenomenon, as vendors of all stripes look to sex up their offerings moving them from hardware appliances to UTM-like virtual appliances. Beware: Hoff sees a lot of magical thinking on the part of vendors, who want us to believe that their software-based virtual appliances will somehow be able to scale in the same way as their hardware appliances, while still competing for processor time and resources with all the other software running on their box. Before plunking down $$ on a virtual appliance, be sure to dig in on the high availability and load balancing capabilities of the thing and make sure that you’re getting 1:1 with what the physical appliance offers. If Hoff is right — you probably aren’t.

Of course, with all the hype that surrounds virtualization technology in the enterprise (and our Cloud Cover blog is a great tool for cutting through that hype), most enterprise IT security folks haven’t had the time to weigh these issues or figure out what their strategy for dealing with the security of virtual environments is…let alone how virtualization might help them with existing security problems.

As I see it, some of the magical thinking about virtualized security appliances will come out in the wash, as companies begin to realize that soft virtual appliances aren’t really stand ins for the hardened and optimized boxes they have loaded in their racks. But Hoff is right to say that better management and monitoring tools for virtualized environments are high on the “got to have” list for enterprises. One possibility he sees is for access control for virtualization — basically tools that will profile and qualify VMs offline before they’re allowed to gain access to the network — verifying that they are properly configured with the standard endpoint security products, that they’re not compromised in any way and that they’re configured in such a way as to not impact the overall performance on other virtual or actual hosts on the network, and so on. That sounds pretty close to the standard NAC line about endpoint “posture assessment,” but is a use case that enterprises might soon be hungry for.

We know of at least one traditional NAC vendor who’s looking seriously at this possibility though others have expressed skepticism that the market is really ready or interested in what Hoff is talking about.

That’s the position that Finnish secure shell maker SSH Communications Security has found itself in recently, as OpenSSH, the open source secure remote connection technology, has worked its way into a slew of Linux distributions and other products.  That’s wreaked havoc on SSH’s earnings, which dip and dive like the latest Six Flags ride. A big ( €4.5m) enterprise deal with Wal-Mart in Q3 of 2007 gave the company a boost, and tended to underscore its core argument: that discerning companies wouldn’t be satisfied with open source code of unknown origin. But once you’ve cracked the Fortune 1, there’s no where to go, and SSH hasn’t followed up with a similarly sized deal to keep the good news coming. This quarter the company broken even after underachieving in Q2. They expect to do better in Q3, but the year over year numbers won’t look very impressive, since it was Q3 last year that the company scored the €4.5m deal with Wal-Mart. (Translation: SSH will make less money in 2008 than it did in 2007.)

The company’s latest news is a new feature for its SSH Tectia ConnectSecure 6.0.2, a secure file transfer product, that’s targeted at companies that are hoping to get rid of insecure FTP servers without the headache of rejiggering years of accumulated scripts and routines based on the older FTP standard. SSH Tectia ConnectSecure includes an automatic File Transfer Protocol (FTP) to Secure File Transfer Protocol (SFTP) conversion, and transparent FTP and TCP tunneling, allowing large heterogeneous networks to install secure protocols more easily. It is deployed as software on the initiating side of the connection. Administrators can decide whether to push all traffic into the SSH tunnels to encrypt between servers or if they want to convert from FTP-SFTP on a command by command basis. The product can also help businesses running Windows or Unix to reach regulatory compliance requirements.

Not surprisingly, the folks at SSH have realized that FTP-SFTP swap outs aren’t the path to riches. The company is planning its second act, which we could tell you about, but then we’d have to kill you. Stay tuned…

Paul Roberts and Lauren Eckenroth

I worked as a technology reporter for a bunch of years, so I can tell you in all honesty that getting Brad Stone from the NYT to rewrite your press release is no small feat, and speaks to the pull that someone like Jay Chaudhry has. Hey, this is a guy who’s started and sold a string of security companies in the last decade including AirDefense, which was sold last week to Motorola and CipherTrust, which sold to Secure Computing in 2006.

The Times story, however, tends to eclipse another release on the Web security front that, interestingly, also has ties back to Mr. Chaudhry. Purewire, an Atlanta company formed by three of Mr. Chaudhry’s former CipherTrust cohorts — Paul Judge, Mike Van Bruinisse and Mark Caldwell– announced the availability of its eponymous SaaS based Web security service, as well as an additional $2m funding round (the company raised $1.75m in May) and the appointment of former ISS head Tom Noonan (an Atlanta tech luminary) to its Board of Directors. Chaudhry, Judge and Van Bruinisse have all held executive positions at Ciphertrust or its acquirer, Secure Computing, before pursing their latest ventures.
That’s a pretty good news day for Purewire, though the Times article raises the uncomfortable prospect that they’ll be fielding a lot of “how are you different from Zscaler?” questions as they go along.

I doubt this is accidental — we see Web security as the big area of investment and one in which there’s a huge opportunity for consolidation, along the lines of data leakage. It’s certainly possible that Chaudhry and the folks at Zscaler got wind of the Purewire announcement and timed their news to steal some of the thunder away from their competitor — or that Purewire did the same to Zscaler. Regardless, landing your product launch announcement in the New York Times is a slam dunk in the big ‘ol basketball game that is public relations.

On paper, anyway, Purewire’s approach sounds pretty similar to Zscaler’s: both companies operate scads of Web content scanning servers in the cloud that intercept inbound and outbound content and scan them for malicious content and for adherence to enterprise security policies (i.e. “if Web_URL == pornotube.com && role !=CEO, action==block”). Web traffic is redirected to the Web security scanners in the cloud from the company’s firewall or existing Web proxy. On the issue of latency (a critical point in Web-based SaaS security that SaaS-based messaging vendors could largely blow off), both companies point to their secret sauce. Zscaler trawled the acronym ghetto and came up with a technology called SSMATM (Single Scan, Multiple Action), that does “sophisticated hashing and caching” to support up to 250,000 transactions per second. Purewire talks about its PureWire Webcelerator, which uses “cooperative caching” — an approach akin to what Akamai has been doing to accelerate Web content — to reduce response time and, in theory, give the company more time to chew on suspicious looking stuff.

But there are some differences, too. [Big caveat here -- We haven't spoken to Zscaler yet and are, thus, basing our read here on what information is publicly available] PureWire’s core Reputation service combines standard URL filtering with “dynamic classification engine” that analyzes requested Web pages based on their content. That sounds pretty close to what Zscaler is talking about. But Purewire is addressing the Web threat at multiple different points. Customers have the option of deploying an on-premises Purewire “adapter applicance” to handle more sophisticated Web application traffic that requires links back to on-premises AAA servers. For script based attacks, the company offers Purewire Sandbox, a Web browser plugin that allows suspicious scripted content to be run safely on the endpoint.

In general, Purewire seems to be aiming for a kind of protection that’s more hollistic than just Web threat detection. Executives talk a lot about offering a kind of Web reputation filtering that guards against malicious “people, places and things.” (Noundefense, maybe?) What does that mean? For one thing, it means trawling the online social networks (Facebook, LinkedIn) for potential threats that might be hiding in what appear to be legitimate online profiles. Purewire talks about being able to pick up on things not accessible to human eyes: different pixel resolutions or color ranges that tend to correlate with bogus profiles that are used as lures in phising attacks, and so on. It still sounds fuzzy to us and our sense is that the company is a long way from being in a position to actually block content based on this kind of reputation awareness.

But we give a tip of the hat to Purewire for recognizing that Web security in the next five years is going to be as much about being able to makes sense of social networks and online reputation as it will be about blocking cross site scripting and SQL injection attacks. As history has shown…the Times doesn’t always get it right.

Two things we were waiting for on Sourcefire’s second quarter earnings call yesterday were a) an indication of whether the company had blown the doors off - in a good OR a bad way - because b) we wanted to see how or if the quarterly results would affect how some investors were feeling about the still-out-there hostile takeover bid by Barracuda Networks. Barracuda, you’ll remember, bid $8.25 per share of FIRE, after an earlier, lower bid was quickly rejected by FIRE’s board. The first offer was low enough that we wondered whether it was a practical joke or publicity stunt, but the $8.25 offer, while clearly low, isn’t as terrible as some would say. FIRE’s CEO told us that major shareholders were cool, and others should trust the company and watch it voom.

Okay, he didn’t say voom, but we did think of the dead parrot sketch a couple of times in looking at slightly widening losses. Nothing so dramatic as to push things in one direction or the other, in fact, which was why it was so embarrassing to hear one of the financial analysts on the call utter the dreaded analyst-kiss-ass phrase:

“Hey, great quarter, guys.

He really said it.

In summary, Sourcefire’s Q208 revenue of $16.0m was above expectations of $14.3m, and the earnings per share (EPS) of ($0.07) was in-line. Q308 revenue guidance above expectations, but the EPS outlook lower.

Revenue detail: Sourcefire reported Q208 total revenue of $16.0m, up 42.3% from the $11.3m reported in Q207 and up 17.3% compared with the $13.7m reported in Q108. The company reported Q208 products revenue of $8.7m, up 43.4% from the $6.1m reported in Q207 and up 26.7% compared with the $6.9m reported in Q108 driven by continued demand for the company’s enterprise-class 3-D products. Q208 services revenue came in at $7.3m, up 40.9% from the $5.2m reported in Q207 and up 8.0% compared to the $6.8m reported in Q108. The increase in services revenue was due to support service being applied to a larger customer base. 38% of Q208 revenue was driven by from existing customer product sales (up from 33 Y/Y), 16% from new product sales (up from 21%), 40% from recurring support services (flat Y/Y and 6% from professional services and training (flat Y/Y). 61% of Q208 revenue was driven through resellers and partners with 39% from direct channels.

Margins down: The company’s Q208 gross margin came in at 77.1%, down compared to the 79.2% reported last year and the 77.7% reported last quarter. Products gross margin cam in at 71.4%, down compared to the 73.8% reported last year primarily due to the sales mix which consisted of a greater proportion of lower margin sensor products. The services gross margin came in at 83.7%, down from 85.6% in Q207 due to increases in hardware services expense and headcount additions. These issues in addition to higher SarbOx compliance and CEO transition expenses led to a Q208 operating margin of (24.1%), down compared to the (21.6%) reported last year.

Client statistics: During Q208, the company signed 33 six-figure deals (13 of which are new 3-D product customers) up from 20 last quarter. There were no clients with over $500,000 in revenue. In the past, the company’s sold quarters have been driven by one or two large transactions in a select market but this was not the case in Q208, which saw strength across the company’s operating units. In total, Sourcefire added 60 new 3D clients during Q208 (up from 56 clients added last quarter) with incremental revenue from 82 existing customers up from 67 in Q108.

Improvement in federal business: Sourcefire’s federal business showed improvement in Q208, with revenue up 78% Y/Y to $2.1m, or 13% of the total revenue pie. While concerns remain regarding defense spending, FIRE expects to report continued overall sector improvement for the remainder of the year. The company’s Q3F08 falls is the end of the federal budget cycle and management is confident that the improved results in the federal business reported in 1HF08 will continue in Q3F08.

International growth: During Q208, Sourcefire reported $4.5m in revenue from the company’s international business, up from the $4.1m reported last quarter and up 88% over the $2.4m reported in Q207. On a percentage basis, the company’s international business accounted for 28% of the total, down slightly from 30% last quarter but up from 21% last year. International channel initiatives continued to make progress in Q208. FIRE announced a new tiered channel program in EMEA and has resulting the signing of 6 new partners.

Q308 revenue targets above expectations, EPS slightly weaker: For Q208, Sourcefire expects to report revenue in the $17.0 to $18.0m range (implying Y/Y growth of 6% to 12%), above consensus expectations of $16.8m. On the bottom line, Sourcefire expects to report adjusted EPS in the range of ($0.07) to ($0.10), down from previous guidance of ($0.05) to ($0.09) and below current expectations of ($0.01).

Anti malware vendor Sophos, plc has made a bid to purchase Oberursel, Germany-based Utimaco Safeware, A.G., which manufactures encryption, key management and port and device control software for endpoints. The public takeover offer would take Utimaco private at a valuation of €217m ($340m), or €14.75 ($23.17) per share. Sophos has made no secret that it sees data encryption as a key part of its future, as its enterprise customers look for help with problems like accidental data loss and insider threats. The hunger for a data encryption play became especially acute following data encryption deals by two of its large competitors: CheckPoint (which bought Pointsec) and McAfee (which acquired Safeboot).

Sophos told us that it has also signed an agreement with Investcorp Technology Partners for the acquisition of its 24.99% stake in Utimaco. The rest is a cash deal, with HSBC, RBS and TA Associates (Sophos investors) putting up the difference between the $120m in cash Sophos has on hand and the total purchase price of $340m

Utimaco said it expects to get the final offer in writing within a few weeks and will comment on it then, but that there have been initial conversations regarding the potential takeover and limited due diligence by Sophos. That sounds chilly, but German securities regulations make it so. The German process of taking Utimaco private is complex, or at any rate different from that of similar deals in the UK and US. Utimaco, which we infer is looking positively on the deal, must wait until a final written offer is published by Sophos until it comments – a process we believe will take until sometime in August. The whole deal, barring regulatory or shareholder hurdles which we do not anticipate to be much of an issue, would close by October. Deutsche Bank acted as advisers to Sophos. Utimaco did not use an adviser for the deal but has engaged Jeffries Broadview for the fairness opinion.

Takeover or not, the two companies have entered into a reseller agreement in which Sophos will resell Utimaco’s SafeGuard Enterprise product and both companies will refer each others’ technologies.

What’s going on here? Sophos has made no secret that it sees data encryption as a key part of its future, as its enterprise customers look for help with problems like accidental data loss and insider threats. The hunger for a data encryption play became especially acute following data encryption deals by two of its large competitors: CheckPoint (which bought Pointsect) and McAfee (which acquired Safeboot).

When we last spoke with Utimaco (earlier in July), the company found strange position: a profitable firm with solid backing from its investors (most recently $60m in private equity investment from Investcorp). Nevertheless it was in the unenviable position of having its two largest competitors sold off to larger firms. The company said it was expanding its core businesses and adding to its technology, both with in-house organic development as well as licensing technologies from partners – most crucially anti-data-leakage (ADL) from Trend Micro (Provilla) and port and device control (PDC) from Safend. Utimaco suggested, at that time, that it was on the prowl, maybe for ADL or data classification technology. Obviously, the Sophos offer changes that roadmap.

This is an audacious and smart deal for both companies. We have written of Uti’s desire to expand inorganically in the field of anti data leakage, but also of Sophos’ desire to take what it considers to be the next obvious step to add real inorganic growth to what has been a very successful story over the past few years: endpoint encryption that is transparent to the user and easy to centrally manage. From what we know of both firms, the technologies and engineering cultures is complimentary. The deal then positions Sophos to gain geographical strongholds in Scandinavia, Germany and elsewhere in central Europe – Utimaco’s traditional footholds – and boost Uti’s penetration into Asia and North America – Sophos’ North American bookings were $77m for FY 2008, which ended March 31, up 28% year-on-year. We love this deal and look on it as a win for both companies.

Geographically, Sophos strengthens its already strong hand in the European endpoint security market. The company has long been a leading player in the UK. The US is now its fastest growing market, and Asia is doing well, too. Utimaco’s strength is in continental Europe, especially Scandanavia, giving Sophos a boost there. Pointsec is also a strong player in the EU encryption market, but CheckPoint’s acquisition has now required it to focus its attention globally.

From a technology standpoint, we think Sophos gets top-shelf key management technology and transparent-to-users encryption for devices throughout the enterprise, complimenting its endpoint threat detection and policy-based access control wares. (Albeit at a price).

We wondered openly how Sophos inability to get its IPO to market would affect its acquisition strategy. This deal suggests that that inconvenience has prompted the company to get creative. That could benefit it in the long run and give Sophos a nice add-on to its portfolio that will sweeten the IPO offer when that happens — probably sometime in 2009.

We’ll be doing a full deal analysis in our TechDealmaker Service later today.

One element of the evolution (or revolution) is sure to be architectural, but also how the components of the new architecture speak to each other, establish trust and exchange policy information is where the real hard work lies. Another of the themes at Catalyst that many people seemed to pick up on was the notion of ‘relationships’. Relationship is a useful concept in defining the attributes of identities that are distributed between directories that do not share a domain but I would take the idea one step further- identity is relative.

Identity only has any real meaning if its in the context of a resource request at authentication, an action in the context of authorization and interaction with data if its in the context of policy management. This is not authentication and provisioning in the traditional sense - it is invoking a policy decision based not just on information stored in a directory, but also the relationship between the user (who they are and what they are in a organizational context) and the resource. Clearly there is another facet of the relativity: what is the relative sensitivity of the resource or data that the user is trying to get at - which must be defined in business terms and and again expressed in terms of policy. Relativity also means that the relationship can change over time and place, which immediately need to express policy that can handle variables. How does this relate to the paradigm vacuum? Because it implies the need for an abstracted policy management layer that establishes what the parameters are for resource access, incorporates variables in decision making and enforces authorization consistent with a policy requirement. Now we can see identity management from a different angle — it’s not a matter of putting human relationship into system terms but managing the intersection between human organizations and systems, data and resources. (I am still wrestling the idea that what’s implied here is a resource-based model since at some level the resource and identity have to be reconciled in terms of policy and business definitions).

There are a number of proposals on how we get there — the Internet Governance Framework’s CARML being one example - and we expect to see a lot more action in the directories realm than we have in years. My vote for protocol of the year goes to XACML, though. The language has its issues, is still too complex for developers to easily code policy and is verbose enough to create latency issues. However, of the vendors we have spoken to looking at being the logic and infrastructure behind that policy management layer - NextLabs, Axiomatics, Rohati, Jericho Systems, ObjectSecurity, BitKOO and Cisco Securent (in no particular order) - all use XACML to communicate policy. Having demonstrated it can work is evidence enough for the moment.