So it goes with the announcement on Tuesday that vulnerability research firm Rapid7 is acquiring Metasploit, the entity behind H.D. Moore’s Metasploit Project. The deal adds the Metasploit’s database of software exploits to Rapid7’s NeXpose platform, allowing better risk rating of vulnerabilities based on their exploitability. For Metasploit, Rapid7 provides stable corporate backing and a reliable source of funding for continued research and platform development.  He’s run Metasploit as a limited liability company that owned the copyrights to the development code, trademarks, and domain names since 2006 and shifted from a hybrid proprietary license to an open source three-clause BSD license. To listen to Mr. Moore (and there’s a nice Risky Business podcast interview with him here), the short term consequence of this deal will be more, better exploits and platform updates for Metasploit as he takes off the handcuffs imposed by his previous, non-aligned corporate gig (application testing firm BreakingPoint Systems) and enjoys of the luxury of getting paid to do what he’s been doing for free for the last six years.

As my former colleague, the ever-insightful Nick Selby has pointed out, the key objectives for a corporate backed Metasploit will be a more even and predictable product development, more (and safer) exploits and that ill defined “enterprise polish” (most likely in the form of a premium version of Metasploit). But Rapid7 will face other challenges, also. While Moore’s white hat bona fides aren’t in question, Metasploit straddles the line between professional pen testing tool and force multiplier for script kiddies. So its no stretch to say that there’s some reputation risk here for Rapid7 - especially as it balances the desire to pull in Metasploit contributors with the need to expand in lucrative, but testy verticals like government and finance.

But with enterprises of all stripes increasingly interested in risk based assessments and correlated threat intelligence, the bigger question is what the union of pen testing and vulnerability management –  ”vulnerability plus exploitability”– will mean for competitors in each of those spaces. Vulnerability scanning outfits like nCircle, Sourcefire, Tenable and Qualys (not to mention IBM and McAfee) will feel pressure to provide more context around exploitability to match what Nexpose+Metasploit offer. In the much smaller world of penetration testing, firms like Core Security and Immunity, Rapid7’s backing will ramp up activity on the MetaSploit platform, as H.D. and crew focus their full attention on what has been a side project. In the short term, that won’t pose too much risk to either camp. Both vendors have relationships with vulnerability management players: Immunity with Tenable, and Core with nearly every scanner you could possibly deploy. (Core’s Technology Partners page reveals just about every competitor Rapid7 could think of: Tenable, Qualys, nCircle, GFI, IBM ISS, and eEye.) Eventually, a premium version of Metasploit could land right in the sweet spot between Core and Immunity: balancing usability and platform coverage with quality exploits and enterprise must-haves like stability and support. It won’t be free anymore, but it probably won’t take too big a bite, either.

The question mark is whether Rapid7 can walk the fine line between profit-minded ISV and open source sugar daddy. As others have pointed out, Sourcefire has managed to pull this off admirably over the years, while firms like Tenable get lower marks. We’re ready to believe H.D. and Rapid7’s protestations about the importance of keeping Metasploit open source and their pledges to continue supporting the platform and the community of exploit researchers and users that sustain it. That said, Rapid7 has earned a reputation as a hard charging, take-no-prisoners kind of company. Its hard to reconcile that with the high minded, altruistic ideals of H.D. and other Metasploit contributors (”Free code is happy code,” Egypt wrote in a blog post announcing his new role at Rapid7). But who knows. Maybe, in this case, the tail will wag the dog.

Lauren Eckenroth, Research Associate at The 451 Group, contributed to this post.

Barracuda’s rationale for this deal is straight forward enough: customers from SME on up are interested in new deployment options for their security wares, including managed and hosted security services. This is the same logic behind Symantec’s purchase of MessageLabs, McAfee’s of MXLogic - even the less noted purchase of Borderware by Watchguard. Web and e-mail offerings are of particular interest, and Barracuda says its been evolving its entire product catalog in the direction of SaaS – whatever that means. Buying Purewire is about time to market and about scooping up Purewire’s SaaS engineering talent pool to quickly expand its offerings to include SaaS and hybrid offerings to compliment its on premises offerings – including a “next generation” firewall, VPN and Web security offering built around technology acquired with Austrian vendor phion in August.

From the Purewire side, we’re betting that the mostly bootstrapped company saw an early takeout by Barracuda (or another suitor) as preferable alternative to battling on in an increasingly crowded hosted Web security space. We heard less from competing secure Web gateway vendors about Purewire than zScaler. That’s not a problem in and of itself - Purewire was working the MSSP channel, and the market for hosted Web security for SME and enterprise is big enough and new enough that bake-offs are the exception rather than the rule. Bottom line: Purewire was in a hot space and had a top notch technical team, led by CTO and co-founder Paul Judge. It also had the benefit of an amazing marketing and PR operation (led by the lovely MaryCatherine Bassett Peterman) to promote its name and technology and turn every whiff of success into a gale force wind. Purewire had fewer than 200 customers, but still found its executives quoted in The Washington Post, The Economist, Forbes and USA Today - not to mention all the trade press. Not too shabby. Still, for Purewire, the cost of taking on more venture funding to scale its hosted operations and compete against the likes of Symantec, McAfee – not to mention Google and Microsoft down the road — must have been daunting. Purewire’s people calculated (correctly, in our opinion) that a solid exit with Barracuda was the best option.

Frankly, we were surprised to see Purewire fall to a company that already has strong roots in the SME market. We always felt that Purewire would have been a good fit for a larger vendor like, Blue Coat,  that lacked a SaaS story and was looking to expand down market. That didn’t happen. The question now is: who will be next to fall? Its no secret that zScaler is being courted and we’ve postulated that none less than Cisco might be among the potential suitors. ScanSafe was the grandaddy of hosted Web scanning firms (it prefers to be called a “pioneer”) — though being the granddaddy of anything is a strike against you in a market like this.That company’s been doing well with some of its managed security partners (like AT&T), but we’ve been waiting for the other shoe to drop with ScanSafe for ages. It’s been almost a year since a $22m VC infusion buoyed Web security veteran Finjan to go after the hosted Web security market. That company tells us its executing on its plan of offering a mix of on premises, hybrid on premises/hosted offerings and pure SaaS-based Web security leveraging Amazon’s EC2.

While no security polices were broken at the time, NARA has since changed its recycling policy and will no longer return drives once they are deemed defective.Still, one has to wonder at the careless disposal of personal information by the agency responsible for our records, especially since the security risk posed by discarded drives is no new revelation. Researchers have been warning about it for years. Technologist Simson Garfinkel famously exposed the problem of careless data loss through discarded drives in an article for IEEE Security & Privacy back in 2003. Garfinkel’s article documented inadvertent loss through discarded PCs going back as far as 1997. Since then, countless reporters have repeated his experiment: trolling eBay or local transfer stations for discarded PCs, only to take them home, plug them in and find tax returns, medical records, family photos and other sensitive information cast to the (virtual) winds. In fact, the most recent IG’s report wasn’t the first time NARA has mishandled its electronic records; in March 2009 a hard drive containing copies of records from the Executive Office of the President covering the Clinton administration. Both incidents call to mind the breach in 2006 when a Veteran’s Affairs laptop went missing, exposing some 26 million veteran’s personal information. The laptop was later recovered, with the personal information intact. A lawsuit over the breach was settled earlier this year for $20m.

The other data point, for those of us in the Boston area, is an ongoing drama at City Hall over the loss of some potentially “hot” e-mail messages from an advisor to Mayor Thomas Menino (who, btw, is in the midst of a re-election campaign.) As the Boston Globe reported today, a hard drive belonging to Mayoral aide Michael J. Kineavy has been recovered that may contain months of e-mail exchanges requested in an freedom of information request filed by the Globe. The drive had been replaced by IT staff at City Hall after Kineavy complained the drive was running slowly — a request made just days after receiving the Globe’s FOIA request. (Shocker.) Not only was the City’s handling of that request botched, but the article goes on to state that Kineavy’s replacement laptop had, itself, been repurposed from a “law department employee” and still contained e-mails from that individual, which then showed up on an outside forensic audit by a firm hired by the City. Boston could get stuck with hundreds of thousands of dollars in bills for a forensic search to recover Kineavy’s lost e-mail (he was a habitual “double deleter” we learn), but the Mayor’s Office and City of Boston will still emerge from this smelling pretty bad, even if the sensitive information is recovered.

Long and short: three years after the VA controversy blew up, there’s still a vast gulf between popular awareness of data breach and the practical reality of managing IT infrastructure, with even closely scrutinized organizations playing fast and loose with data security and proper data destruction policies.

[Lauren Eckenroth, Research Associate at The 451 Group, contributed to this blog post.]

But across the universe in the Windows galaxy, free antivirus isn’t such a weird idea these days. In fact, enough vendors are now offering the stuff that PC World has conducted a free AV roundup, tantilizing called “Can you trust free anti virus?” that looks at six of the freeware offerings, including those by AVG (formerly Grisoft), Alwil, Comodo and, of course, Microsoft’s forthcoming Microsoft Security Essentials (MSE). (And that’s not even all that’s out there). The short answer is “yes, you can.” As an enterprise-focused research firm, free software suites for consumers isn’t really something that we typically pay a lot of attention to. But we think there’s something to the proliferation of free anti malware products in recent years that warrants attention even from enterprise-focused vendors. In a new report, “Freegan revolution: will free products upset the anti-malware game?” we take a look at the free anti malware trend and speculate on the impact it might have on incumbent anti malware vendors, including Symantec and McAfee. While its not clear what, if any, impact free anti malware offerings have had to date, we think there’s certainly the potential for “freeganism” to upset the balance of the anti malware market in significant ways. Here are a few thoughts to consider:

+ Free offerings, which have mostly been limited to small, regional firms like AVG, Alwil and Avira, are becoming mainstream. Microsoft’s upcoming offering, currently available in beta, is the best example of this. Its received wholly positive reviews in beta (and from subject experts we consulted), will play nice with Windows, abjures gimmicks like toolbars or pop-ups that other freeware vendors use to capture revenue and carries the sterling Microsoft brand name.

+ Free antimalware is set to jump the fence from the consumer to the SME space. AVG tells us it is readying a free antimalware package for very small business (fewer than 10 systems) that will include some bare bones management features. Don’t be surprised if other vendors follow suit as they eye free-to-premium conversions in the SME space.

+ Consumer sales of both Symantec and McAfee have chipped in 30% (Symantec) to 40% (McAfee) of revenue for the past few years, despite concerted efforts by both companies to reduce their reliance on sales to consumers. Declining margins in the enterprise and SMB markets were a hot topic on Symantec’s most recent analyst call. If ‘good enough’ free anti-malware starts to gain mindshare (and marketshare) with consumers and small business owners, Symantec, McAfee, Trend and others will need to find new hooks or resign themselves to smaller margins. Declining sales in the profitable consumer space will also concentrate pressure on sales to enterprises, where incumbent vendors also face new threats.

+ The advent of hosted anti malware, such as Spanish AV vendor Panda Software’s new free Cloud Antivirus is also a trend to watch, with thin clients offering fast download and install time and reduced load that seems well suited to both consumers and SMEs looking for good-enough anti-malware protection, either in the form of free or pared-down products. 

In short: the proliferation of free anti-malware products and Microsoft’s embrace of the model suggest that a sea change is under way in which basic protection in some form is an entitlement rather than a privilege. Incumbent security vendors have, to date, made little of the threat from free products. Their talking points are, basically, that consumers want to pay for the added threat protection and for support. THat’s been true enough to date, but may not be something that premium vendors can go to the bank on in the future. What will be interesting is watching how incumbent security vendors respon. Will they roll out their own, stripped down free offerings for consumers or the low end of the SME market, or will vendors find ways to sink their hooks deeper into customers in this part of the market - perhaps with online backup options or other features.

According to its S-1, Fortinet’s revenue as of June 28, 2009 was $115m, up from $98.3m for the same six month period in 2008. Net income is reported at $8.4m, or -$0.04 per share, compared to a loss of $5m (-$0.26 per share) after the first half of 2008. Cash and equivalents total $136m, an increase from $104.8m at H108.

Could this mark the rebirth of the tech IPO market? LogMeIn completed its IPO in June 2009, 17 months after filing its S-1 with the SEC. Security information and event management vendor Arcsight remains the last security vendor to go public, listing on the Nasdaq as ARST in February 2008. Before Arcsight came Sourcefire (FIRE) in March 2007. Both firms are holding their own: ARST is trading just below its all time high of more than $20 set in mid July. FIRE traded as low as $5 in November, 2008 but is now trading above $18, topping the previous peak price set shortly after the IPO.

We’re still waiting to see who else will jump in the game. In our 2008 IPO roundup we identified Lumension, Sophos, Fortinet (we love being right), Kaspersky, and Barracuda as potential vendors ready for an IPO exit. Fortinet’s S-1 underscores the strength of the market for UTM (unified threat management) devices, which we wrote about in our recent report, ROBO Cops, on remote and branch office security.

Take Barracuda, as an example. The firm is muscling forward after a bid for Austrian web application security vendor Phion (listed on the Borse as PHIO) in July 2009.The bid for Phion is Barracuda’s second attempt at an acquisition of a public company (following its two unsuccessful bids for Sourcefire in May and June 2008). Barracuda offered €12 per share for Phion, an offer that management has taken “a friendly position toward”; to the extent that Phion’s three major shareholders (representing 22% of the company) have already signed an agreement with Barracuda.  We’re unsure of Barracuda’s plans for Phion at the moment, but rolling its operations into Phion’s rather than taking the company private could provide the vendor with a good exit in these conditions.

We’ll be keeping an eye on the movement in the playing field in the coming months. We note that Crossbeam might a potential IPO candidate, as could Qualys. The IPO market could very well heat up, once again providing vendors with a viable exit that doesn’t involve life as an acquisition target.

Lauren Eckenroth, Research Associate at The 451 Group, contributed to this report.

IBM’s latest data-masking baby, MAGEN (Masking Gateway for Enterprise), is still in development at its research lab in Israel; as such, the name comes from the Hebrew word for ’shield’. The product uses optical-character recognition to tag and scramble sensitive data on the fly. It’s this masking in real time that IBM claims as a differentiator from the competition. The data is analyzed and sensitive information is blocked before it reaches the user. Administrators use a central console to configure masking and access control rules; and the product will be work with any data format, application, or operating system.

Other contenders in this developing space include Oracle, Camouflage Software, DataGuise, and Axis Technology. Data-masking technology has been around for a while in one form or another, but has often been managed ad-hoc within development shops, outsourcers or large companies. Its early days for data masking as a standalone industry. However with the continued trends towards outsourcing, the proliferation of sensitive data and stricter data privacy becoming a bigger issue with each passing year (not to mention the Obama administration’s push for electronic medical records) we think the ingredients are there for demand for data obfuscation and data masking tools to really pick up speed.

Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog post.

However “just before he left, according to the complaint, Mr. Aleynikov used his desktop computer at Goldman’s New York offices to upload a stream of code to a Web site hosted by a server based in Germany,” NYT reports. That data was later copied back to his laptop and what’s described as a “memory device.”

Goldman, it was reported, “noticed the surge of data leaving its servers,” but presumably was unable to block the transfer to the remote server.That turns out to be a big problem, as the code stolen was for so called “black box” computer programs that “Goldman uses to make lucrative, rapid-fire trades in the financial markets.” Those programs earn the firm millions a year, reportedly. And, though authorities have  Aleynikov in their custody, the IP he stole is still sitting on the hosted Wed server where he deposited it, NYT reports.

While its not clear what products were responsible for picking up the theft and monitoring the data flows, the incident is a great example of the gulf that exists between the marketing buzz around DLP - or data leak prevention - technology and the reality, even at top tier firms like Goldman Sachs. Presumably that firm has the pick of the litter of security technologies, the bankroll to purchase and deploy what they want and top tier IT staff to manage the products. The fact that Goldman appears not to have had a means of blocking the transmission outside its firewall of source code and proprietary algorithms whose value is described as “incalculable”  is…shall we say…eye opening.

To be sure: securing source code presents a unique challenge to DLP firms, which have tended to focus on data that might be used in identity theft or for other compromises — credit card and social security numbers, account numbers, names and so on. Today, content monitoring solutions often allow simple regular expression matching that could, in a ham fisted kind of way, be used to identify source code. Many Web filtering firms have or are adding support for features to identify source code files. At a deeper level, firms like Symantec/Vontu claim to be able to index document content (including source code files) then spot even snippets of protected content in transit. With roots in encryption, vendors like BitArmor go a step further: offering data level tagging — essentially metadata containers that travel with data, classifying it and specifying access rights, security policy (encryption) and so on. But tagging and encrypting the incredible diversity of code that resides inside an organization like Goldman Sachs is a Herculean task. And, as Mr. Aleynikov’s alleged excuse for the data breach (that he was merely trying to copy open source code he’d worked on) there are circumnstances under which the movement of source code files back and forth across the network perimeter might be allowed and desirable. On the other side of the fence, there are application protection firms like Arxan, Metaforic and VI Labs, which do a better job securing the underlying code, but have traditionally focused on blocking attempts to reverse engineer applications for piracy or industrial espionage, not spotting or blocking data flows. Finally, source code analysis outfits like Fortify and Ounce Labs, Core Security, Veracode and others focus on finding security holes in compiled or uncompiled code that might be exploited in attacks after applications are deployed.

Expect to see some of these areas of focus converging as more and more of an organization’s value comes to rest in the intellectual property locked up in internal applications and business processes. As we noted in a recent report on BitArmor, the advent of virtualization, private clouds and cloud-based services within the enterprise (as evidenced here in the unnamed hosted Web server the GS application code as spirited off to) challenge network-based DLP with a different set of requirements. Among them: monitoring data movements from local to cloud, cloud to coud or guest OS to guest OS.

The report states that the NAC market fell by 32% between the third and fourth quarters of 2008. Given the scale of the economic meltdown, and that an important NAC customer base lies with financial institutions that were hit hardest, this shouldn’t be surprising. But don’t despair: Infonetics forecasts NAC will be back on top by the end of 2009; and riding high as a $700m industry by 2013.

We don’t participate in market sizing or forecasting of the hard-numbered type. What we can say is that there’s been a considerable amount of movement in the NAC space over the past six months. Autonomic Networks and Nevis Networks have submerged while other players have managed to hold tight and even grow. In February 2009 StillSecure branched into managed services with ProtectPoint, while Trustwave acquired Mirage Networks; both deals combine NAC chops with managed services plays. Appliance vendor Nevis has decamped to India while ConSentry has recapitalized with a valuation far lower than the $80m to $90m put into the company. We expect this kind of movement and consolidation to continue over the next few quarters until NAC, along with the rest of the network security market, can pull itself out of this slump.

– Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog entry.

TJX announced Tuesday it had reached a $9.75m settlement with the group of 41 State Attorneys General investigating the now infamous 2006 breach that exposed up to 94 million credit and debit card numbers. The group was led by Massachusetts Attorney General Martha Coakley with the help of Attorneys General in Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.

Under the terms of the settlement, TJX must pay $1.75m to cover the cost of the states’ investigation and $2.5m to establish a Data Security Trust Fund available to states Attorneys General to enforce policy developments in data security and consumer protection. This leaves a paltry $5.5m in settlement fees to be split among the 41 states for use in data security initiatives; Massachusetts is slated to receive $951,000. Given the scope of the breach TJX has gotten off easy; paying out roughly $0.10 per exposed credit or debit card number. The funds will come from a $107m reserve set up by TJX in 2007 to cover costs associated with the breach.

In addition to the monetary penalty, TJX must comply with an information security program laid out by the Attorneys General. The company must obtain a third party assessment and report “regularly” to the group. Among the actions mandated by the program, TJX must agree to: upgrade its WEP systems to wired or Wi-Fi protected access systems; safely discard consumer account data once it has been processed for legitimate business purposes; implement firewalls, access controls, etc to segment the areas of the TJX network that process personal information; and implement appropriate password management system for that part of the network that handles personal information.

Of course, this settlement is only the latest development in the storm created by the largest reported data breach to date. TJX has already settled with major credit card companies Visa (for $40.9m) and MasterCard ($24m). In August 2008, 11 people were arrested and charged with aggravated identity theft, conspiracy, and computer intrusion related to the breach; and in January 2009, a Ukrainian hacker linked to the TJX breach was sentenced to 30 years in a Turkish prison (yikes).

To combat breaches of this nature Massachusetts has since passed a data privacy law that requires all companies that “own, license, store or maintain personal information” to comply with broad regulations for handling transaction and personnel-based data.That law sets a higher bar for breaches: $5,000 per violation. By that measure, TJX would have had to pay out far more — around $470 billion — in penalties.

The potential to pull in work done in the area of messaging protocols  (like AMQP) and and data classification through extensions to the protocol is, from my perspective, huge when seen in the context of mapping actual business process to policy logic. Thousands of Wave servers can subscribe to a policy server, allowing for large-scale automation of access and collaboration decisions, as well as the creation of a standalone, abstracted policy management tier with direct interaction with the policy decision tier.  Also, the Wave model not only allows for 1 to n connectivity , but also the ability to establish hierarchies within federated relationships.  This is an important advance when you consider the need to balance privacy (or degree of data lockdown) and openness - which could be paraphrased as “share as much as you need to when you have to”. The ability to establish hierarchical sharing constructs based on resource and user profile - what Google describes as winnowing - by takcling inherent tension between security, privacy and access, will ultimately have critical repercussions.My thanks to Chris Swan for highlighting this aspect of the Wave initiative.

There’s been some speculation that SharePoint is the target here. Given SharePoint’s success, that’s certain a possibility - although Google claims that Wave has been in development for four years, predating the rise of SharePoint. Instead, what Wave could offer is the integration of Geneva Server and SharePoint, with possibly a Ping Identity or TriCipher acting as a clearinghouse. Either way, identity management players are going to have to make an explicit strategic decision at some point in the not too distant future: either for or against Google Wave.

As we wrote recently in our ESP Quarterly, ‘The Evolving Endpoint Agent‘, the past three years have witnessed a revolution in malicious code writing. Professional, well-funded organized criminal groups have poured resources into the development of more powerful and versatile programs. Their goal is the theft of personally identifiable information, the theft of intellectual property, and the enrollment of millions of hosts into large botnet armies designed to distribute tasks, generating the computing power necessary to perpetrate fraud, theft and brute-force attacks.

More important, the criminal groups committing these crimes have become larger and more sophisticated. As criminals go, so do terrorists and those who seek to fund terror. For the first time, this brings the world of viruses, phishing scams and other fraud out of the realm of commerce and smack into the world of nation-state intelligence services: when your enemy is funding his operations through phishing, phishing becomes a security priority. For government, leaving commercial, public networks out of the picture when it comes to cyber security is simply no longer a tenable option.

This is not to suggest that government has responded in an organized or consistent fashion to the threats at hand: it has not. Lumpy and uneven distribution of understanding of the core issues; a notable lag in government agencies’ ability to formulate a response, lobby for budget and gain mandates to conduct cyber-intelligence operations; and internecine squabbling over turf and other issues have plagued efforts to enumerate, let alone catch, bad guys. But the will is there, efforts are underway and the response will come – it’s just a question of working the system until it’s good to go.

At the same time, those at the business end of the battle over cyber crime and cyber terror – financial institutions, mainly – are facing challenges like never before. Some time ago, we saw a sea change: banks began to cooperate in ways previously unseen in terms of the sharing of information about common threats. Until very recently, this kind of information was considered to be competitively sensitive – by revealing specific threat vectors, one risks having a rival reverse-engineer an IT landscape in the same manner as it has been reverse-engineered by a cyber criminal creating malware that specifically targets a given bank.

Yet the volume of attacks and their sophistication increased so dramatically that banks had no choice but to begin teaming up to confront a common enemy. The National Cyber-Forensics and Training Alliance (NCFTA), for example, was created to be a neutral collaborative forum in which critical and confidential information about cyber incidents could be shared among industry, academia and law enforcement.

Conversations with information security professionals of the type that would join NCTFA, informal polling of banking IT security professionals and general industry scuttlebutt holds one thing to be true: at this point, we are approaching the ceiling of what we can do reactively. People want proactive tools.

Not to put too fine a point on it, people want aggressive preemptive action taken against bad guys. The use of force, something which is rare to hear information security professionals talk about, is now being discussed at least theoretically. But to even consider any kind of action, you have to find out who’s doing what, when, to whom, and how. Then at least you can have discussions about a range of pre-emptive moves. Until you do that, you’re shouting at the surf.

Cyveillance gathers intelligence about the villainous and illegal use of digital content, and the misrepresentation and resale of digital content into real-world assets. The high-level issues that concern Cyveillance’s client organizations around the world involve cyber-squatting for the purposes of fraud and phishing; online sales of counterfeit and stolen goods; and the peddling of stolen digital assets. In addition, the vendor can provide valuable insight into a slew of other areas, from mere smut peddling, distribution of dangerous child pornography and criminal communications to other spooky stuff. Typically, Cyveillance messages around the first three areas, and conducts the latter quietly on behalf of various government and law enforcement agencies.

We have written a deal analysis of the acquisition which runs tonight in our TechDealmaker service containing target and acquirer profiles, deal rationale and deal details.

Panelists:

James Brokenshire MP, Shadow Crime Reduction Minister And Member of Parliament for Hornchurch
Mike Humphrey, Head Of Information Assurance & Accreditation Serious Organised Crime Agency
Howard Schmidt, President & CEO Information Security Forum Ltd. UK

Introductory Remarks
Nick Selby, VP & Research Director, Enterprise Security, The 451 Group:

As the availability of broadband Internet continues to rise, and computing power and Internet access continues to democratize, holes in the regulatory landscape have appeared. The crimes themselves – fraud, social engineering, theft – have not changed. Nor have the motives – profit seeking, fundraising for illegal activities or terror, money laundering of illicit gain, the list goes on.

What has changed is the medium in which these crimes are committed, and with that change in medium came a change in scale. Criminals are now able to reach a larger pool of targets faster and more effectively than ever before. At the same time, lawmakers struggle to understand technological advances, and are frequently concerned that laws to restrict criminal activities will stanch commercial initiatives.

Law enforcement is faced with a vexing problem: trying to understand jurisdictional issues and rapidly changing regulations.

Criminals, terrorists, drug dealers and others seeking to hide and monetize illegal activity and launder ill-gotten gains are taking keen advantage of this lag. Their risk in doing so is relatively low compared to other criminal endeavours, their chances for success high, and the scale of success even larger. The risk of being successfully prosecuted even if caught is even lower, and their risk of doing serious jail time even lower due to the process of adapting and creating laws to deal with these types of crime.

At the same time, the worldwide economic slowdown has created desperation among many. Many are more tempted than ever to find ways to get rich – or even get liquid – quick. Some of this large and growing number of people will do the maths I just set forth and turn to crime, while others will become victims of fraud.

This is the environment in which we currently find ourselves. Our panel today will discuss these issues in more specific detail. We will break the subjects generally into three categories: how citizens aren affected by these trends, what government and law enforcement can do, and finally we will discuss some of the opportunities available to entrepreneurs and private industry.

–End of remarks–

Download the presentation

I thought the panel went well and was well-attended. We had some interesting questions, especially the one from Steve Howarth, a detective inspector from the Met police’s e-Crime unit. He mentioned the appalling lack of resources his team has. More on that in another post, soon to come.

Of course, there’s no guarantee that those companies or their technology will have staying power. One need only look to past years’ “Tomorrowland” visions around things like converged security or even more quotidian visions, such as network access control, to be reminded that marketing spend != viability.

One good mental yardstick I like to use is to ask myself (and often the companies I’m talking with) why an enterprise _needs_ to own their technology. In the case of NAC, which came about as a way to stop virus and worm outbreaks behind the firewall, there was no one thing compelling companies to make a big investment, though almost everyone agreed on the usefullness of NAC in the abstract. On the flip side, The Payment Card Industry’s PCI DSS gave an enormous boost to vulnerability management firms, anti virus firms and, now, companies that make Web security products like secure Web gateways and Web application testing tools: PCI audits specifically called for the use of those technologies, compelling companies to make an investment, or at least come up with some form of compensating controls.

This year, I’m looking for the impact of new and toughened data privacy laws, such as Massachusetts’ new data privacy provisions, the FTC’s Red Flag Rules and a toughened, toothier HIPAA from DHHS and the federal government (much more on that later!) Which companies stand to benefit (or not) from the provisions of these new laws concerning protection of consumer information, financial data and health information? Its early days here at RSA, but I’ve already briefed with two firms in an fast developing sector that plays right into the increased focus on data privacy: Camouflage and Dataguise. Both sell data masking tools that allow companies to protect sensitive information in databases that are used for testing and other development purposes. The concept here is fairly simple: companies that do application development want to be able to use the best data possible to test their applications. Often, that means using actual, production data. But the loose security practices that often characterize development environments, not to mention the increased use of outsourcing, preclude the practice of piping production data into a test environment. Enter data masking firmslike Dataguise and Camoflage, which sell technology that can replace sensitive data with fake test data without compromising data integrity (i.e. credit card and social security numbers still look like credit card and social security numbers, etc.) Vendors point to regulations like PCI Section 6.3.4, which calls on companies to look at data used in testing, as a major driver -but not the only one. IBM’s been in this space since at least 2007,and some of these firms have been around -in one form or another - for almost a decade. Still, the data masking issue is picking up steam: Forbes recently addressed it in an article, and its likely to get a lot more attention as companies become more attuned to the gaping hole that internal development efforts punch in their data security and data protection plans. 

While Oracle is a recent entrant to the market relative to Sun, IBM and CA with technology derived entirely from acquisition, it is generating the fastest growth and has put the incumbents on the back foot. There is more overlap in terms of product portfolio, thorny integration issues and open source questions ahead compared with an IBM acquisition, but we expect that a shiver has run down many spines at IBM and CA. Sun has suffered from a weak sales organization even as product development has remained strong. Clearly, there are significant integration risks, but at a high level, Sun products will now have a favorable sales model behind them.

Oracle will gain Sun’s directory and federated identity technology and in theory Sun will have Oracle’s Entitlement Server, Adaptive Access Manager for risk-based authentication and upcoming data governance integration at its disposal. But outside of those complementary areas, there will be plenty of overlap in provisioning and Web access management (although a shared SSO OEM in Passlogix). The integration issues are ameliorated by a common Java technology platform but the the challenge should not be over estimated, particularly in light of Sun’s open source approach and emphasis on services layer.

Rivals may have some window of opportunity as the decision process takes it course - since it is unlikely to have been given that much thought in the deal run up - but we expect that to be shortlived. Of all the major IT vendors, Oracle has proven the most adept at minimizing acquisition and integration disruptions.

With a strategic investment in the Microsoft platform, partners like Quest are a natural community, with a shared vested interest in the product making it to market, with expertise in identity management and Microsoft technologies to bring to bear. Of course, there may be dependencies that are specific to internal Microsoft product development that no amount of source code sharing will resolve. Also, there has to be a clear-eyed assessment of the real, tangible value that can be distilled from external input relative to internal development resources. But even in a controlled open source community with a limited degree of transparency, the chances of a partner being blindsided would be diminished. If partners can manage their businesses and customer expectations better, and provide some insight into the scope of the issues behind the delay, the effect has to be a positive one.

There is a broader trend at play here. Even if we put Sun’s open source strategy and efforts at building a support and maintenance business model to the side, we are seeing open source in identity management more and more frequently both as a product development model and as a target system focus. This ranges from Red Hat’s very gradual entry into the market with its IPA project (insert obligatory beer-related quip here) to Likewise’s authentication consolidation platform, bundled with open source OS distributions and Novell’s recent acquisition of Fortefi to incorporate coverage of Linux identities in the resulting compliance manager. There are also a number of open source identity governance and metadata exchange convention frameworks, notably OAuth. And there a few smaller vendors like Acceesstream, OpenIAM and Crowd (part of Atlassian) that have released their source code under GPL licenses.

I am not suggesting that the path to an open source model will be a smooth one. My point is that from my perspective there is some incentive to progress down that path.

ESTRAGON: In my opinion we were here.
VLADIMIR: (looking round). You recognize the place?
ESTRAGON: I didn’t say that.
– Waiting for Godot, Act 1. Samuel Beckett

I’m going to have to excuse myself for sitting out most of the hype storm about the coming Conficker worm conflagration but, to be honest, I’ve been here before.

I’ll explain what I mean by that. But first, for those PD readers that have been hiding in a cave, here’s where things stand:

Conficker is a widespread Windows based worm and information stealing Trojan that is poised to launch a coordinated “action” on April 1st that will, depending on who you talking to, bring the Internet to its knees, or flop harder than A-Rod in an ALCS playoff game. It first appeared in late November and — like most computer viruses — also has more aliases than Jason Bourne. You might also have heard mention of Downadup, or Kido or Pakes? They’re all the same beast. Conficker spreads over computer networks by exploiting unpatched Windows machines (again, for the cave dwellers, MS08-067 is the patch you need) by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE) and by brute force attacks on networked computers and file shares that are secured with weak administrator passwords.There’s an excellent writeup on the worm available on Ars Technica. Read up, then apply the patch. A more technical analysis from SRI International is available here. (Thanks to SANS’ ISC for the link.) The Honeynet Project also has an analysis of Conficker available on its Web site.

With the deadline fast approaching — indeed racing across Conficker infected countries like South Korea — the media hype (including a sensational(ist) piece by 60 Minutes correspondent Lesley Stahl) has set the stage for a Y2K style conflagration, but (willingly) overlooked the consensus opinion of security experts, which is that Conficker’s April 1 surprise will be a big nothing. Indeed, SANS Internet Storm Center predicts “business as usual” on April 1st.

Rest assured, this won’t be the first or the last time that the public is treated to a media-induced roller coaster ride about computer security. If you remember, the Code Red Worm had a similar “attack” programmed into its code back in 2001. That denial of service attack was directed at an IP address that corresponded to the Web site of the Whitehouse. Government officials sidestepped the attack by pointing the Web site to a new IP address — an early victory for the administration of George W. Bush.

Two years later, MSBlast, aka Blaster, had a DOS attack against Microsoft’s windowsupdate.com Web site in its source code. That attack, also, was evaded when Microsoft delisted its windowsupdate.com address.

A variant of MyDoom in 2004 was programmed to attack both Microsoft’s Web site and that of the SCO Group, which was embroiled in controversy over a Faustian bargain it may have made with the OS behemoth. In that case the attack worked — taking out the SCO Group’s Web site.

The Sober worm had a mass update/spam run buried in its code too, timed to coincide with the 87th birthday of the Nazi Party (huh!?). There are countless other examples as well. Remember Kama Sutra (aka “Blackworm”) in 2006? That was the widespread malware that was set to delete files on infected computers. That attack fizzled for reasons that aren’t entirely understood.

And yet…we’re still here. Timed or scheduled attacks play into the media’s hunger for a good story: creating suspense in the form of a concrete date (like, say, January 1, 2000) on which something will happen. As a practical matter, however, setting an attack to happen in the future and leaving the specifics of that attack in plain sight mostly serves to give everyone a chance to prepare for the attack and defend against it. It’s kind of like those hopelessly complex executions in the James Bond films. Why tie the guy to the table then wait for 30 mintues for the laster to cut him up? If you want Bond dead, just shoot him in the head execution style and be done with it?!

These attacks also allow folks who don’t follow the computer security space closely a way to grab onto the problem. Telling consumers that botnets of millions of computers are sending spam e-mail and virus laden messages to their inbox doesn’t quite have the power to grab and hold ones attention as “On April 1, your computer is going to blow up!” Sadly, however, they just obscure the larger truths. Outbreak and attack stories create the idea that the enemy we face is conventional (launching attacks which we must defend against), rather than unconventional (they’ve already broken our lines, surrounded us and, in fact, have infiltrated our own ranks).

Here’s betting (and hoping) that Conficker is a no-show– that any coordinated action by Conficker attacks fades into the background noise caused by millions of other compromised hosts worldwide. But on April 2nd, the problem won’t have gone away — in fact, it will be ever so slightly worse.

Not that security software vendors are all to blame. In the case of the iPhone, the word is that Apple doesn’t want to give third parties access to kernel level APIs they need to do realtime threat protection or data encryption.  In the meantime, the company’s development efforts haven’t prioritized enterprise concerns. As my collegue Chris Hazelton noted in a recent report, the latest rev of the iPhone OS, Version 3.0, did little to advance the iPhone’s enterprise readiness. In particular, it failed to add the ability for one or more third party applications to run in the background, limiting security (i.e. encryption) and management features. 

This leaves security  and mobile device management vendors to do what they can. Sybase’s announcement this week of a new version of its iAnywhere suite is a good example. The company’s iAnywhere Mobile Office, which includes e-mail, calendar, tasks and contacts, as well as Exchange and Lotus Notes integration, offers the kinds of features enterprises want: password protection, data encryption and remote data wipe…but only for data resident in the iAnywhere Mobile Office application. The company tries the spin this as flexibility…enterprise security “without compromising user’s personal information,” but isn’t it just “encryption for me, but not for thee”? Whatever the case, its hard to see how islands of security on a multi function device like iPhone will work practically, or how they advance the interests of companies or the community as a whole.  

In the meantime, another major anti malware vendor told us that it is at work on its own secure Web browser for the iPhone that will allow it to integrate Web reputation technology that it has long offered to PC users. As with Sybase, however, users will have to download and install the third party Web browser to get the protections, rather than leveraging it as a plug-in to the native iPhone implementation of Safari. We can expect more of the same from other vendors (encryption, anti malware, management) who are hot to trumpet “iPhone support” to their enterprise customers in any guise. The result? Expect the balkanization of the iPhone  desktop to contiunue, at least until the Mandarins in Cupertino make good with the tools that third party developers need to do iPhone security right.   

There are sure to be some difficult product rationalization issues, complicated by Sun’s still in progress transition toward open source development and business model. However, in some areas, the product portfolio strengths are complementary. Sun, for instance, has led the market in enterprise directories (although its product has grown long in the tooth and the OpenDS open source version has yet to reach full product maturity) and the acquisition would supply IBM with federated identity and role management technology where the company has lagged the market. There seems to be some difference of opinion over the relative value of Sun’s directory server over IBM’s equivalent, but in terms of market segment penetration, we would postulate that Sun’s is larger (although under attack) and spread across a broader set of businesses.

The rumored deal would certainly provide one possible explanation for why IBM has been so quite on the acquisition front.

Edwards, himself an Ironport-er, said that the loss of Weiss — who got high marks on leadership and vision — was going to be tough. But he put a good face on it all the same. “We get to retain the Ironport DNA and history (with Gillis),” he said.

Of course, there’s nothing surprising about a former CEO like Weiss chaffing under the constraints that come with a role down the org chart in a mega corporation like Cisco. Sounds like Scott gave it the old college try, but has decided to move on to his next act. The surprise, I suppose, comes as a result of the big vision that his appointment at the head of the SBTU set for Cisco’s overall security strategy. Cisco’s security portfolio had grown long in the tooth in recent years, and Weiss came in talking big about reinventing Cisco’s security portfolio. In part, that would come from integrating smarts from the IronPort platform across the other Cisco products. That includes reputation intelligence from the SenderBase online reputation system and from the global deployment of IronPort appliances.  With him gone, its not clear what happens to that vision and whether Gillis will have the clout and vision to carry it forward. Cisco staff insist that Weiss’s departure has nothing to do with the SBTU’s 2008 numbers or a difference in vision with other Cisco brass. That could be true (and we’re waiting on specifics on the SBTU performance that might confirm it either way), but we’ll be waiting to see what the next few months bring.

Babylonian seals

The fact of the matter is that this incident is a big blow to Kaspersky, which is going to great lengths to build up its image in the U.S. and globally. Suffice it to say that a company getting hacked that promises to protect you and your computer from hackers is troubling, and Kaspersky spokesman Roel Schouwenberg admitted as much in a conference call with the press. The company now says that it has hired Next Generation Security Software’s David Litchfield to give its database a good hard look, and that it will be scrutinizing its Web sites for flaws like the SQL injection attack that was behind this breach.

A couple take-aways from this incident:

• If the perp here is to be believed and no sensitive data was exfiltrated from Kaspersky, then the company is lucky. In some ways, this whole incident is very old-school. Some enterprising grey hat finds a fat vulnerability, pokes around, gives the company 15 minutes to respond (ok - Kaspersky said it was more like an hour) and then posts what he’s found on the listserv/Web site of choice.  If this guy was partying like its 2009, instead of 1999, he would have taken the product activation codes, customer e-mail and — ideally — some billing info and fenced them along with access to the Kaspersky domain itself.
• The circumstances of this hack shine a glaring light on a problem that’s facing companies both within and outside the Tech sector (banking, financial services and e-commerce are also highly exposed) namely: how to monitor the security of a corporate Web infrastructure that’s growing faster than your ability to monitor it. This is especially true of fast-growing companies (like Kaspersky) or decentralized organizations with branch offices, third party partner relationships and the like. Kaspersky has already owned up to the fact that its US subsidiary was an amalgam of code developed by Kaspersky in Russia, and code developed by a third party contractor. The company claims it was the code from the outside contractor (a customer support forum) that ultimately provide access to Kaspersky’s back end database.  Who knows. What matters is that the company develops processes, in the wake of this attack, that contain online sprawl and ensure better code auditing and review procedures.
• SQL injection is a big deal. IBM’s ISS X-Force threat report for 2008 says that SQL Injection attacks increased thirty fold in the last six months of 2008. The attack also figured prominently in the SANS recent list of the Top 25 Programming Errors. One big reason is that they’re quite easy to perpetrate. Often all you need is a Web browser, a passing knowledge of the SQL query language and of how databases work to begin poking around. While plenty of products and services exist to sniff out SQL injection attacks, the differences between legitimate and illegitimate queries can be subtle. This puts the onus on application developers to build their code to resist tampering and QA departments to give application code a thorough vetting before it is publicly released. As Kaspersky’s woes indicate: the downside of failing to do so can be considerable.

In response to such state-sponsored actions (not to mention those pesky Twitter outtages), digital rights activists have launched Herdict.com (a portmanteau of “herd” and “verdict”), an online service conceived by Prof. Jonathan Zittrain at Harvard’s Berkman Center for Internet & Society. The service relies on crowd sourced reports from volunteers around to world to pinpoint Website outtages and determine whether they are global- or merely local phenomenon.  

But the cat and mouse game between China’s yearning masses and its worried censors is actually just one skirmish in a much larger battle over access to Web content that’s been bubbling for a while. And the battle runs both ways. In the US, it’s reaching a high boil with the growing popularity of Web based services like social networks and broadband content distributed through services like YouTube.com, hulu.com, and countless other sources. Enterprises are wary of both worker productivity losses, NSFW content that violates workplace decorum and — importantly — Web and application based attacks that can compromise network security. Employees and end users want access to the growing universe of cool tools (and fun distractions) that are available on the Web. An IT director for a public school district in rural Texas told me that he spends an inordinate amount of time playing cat-and-mouse with students who are using proxies to evade their secure Web gateway. He’s counting on his Web security gateway vendor to keep their list of Web proxies current and turning to traffic shaping and rate limiting tools to simply punish  those he catches evading the Web gateway with dial-up level access, rather than issuing collective punishment by limiting Web access for all students. Up at 20,000 feet, IBM’s ISS group is seeing a doubling of anonymous Web proxies between 2007 and 2008, as it reported in its X-Force trends report (available in PDF format here). X-Force also says that attacks based in Adobe Flash video, Acrobat files and Active X conent are on the upswing as of Q4, 2008. 

All this is going to combine to make 2009 an eventful year for companies that sell Web content filtering, traffic shaping and other technologies. In fact, in a forthcoming report on companies that will stay hot in the cooling economy, Web security will be an area we talk about quite a bit.

The goals of companies that are shopping for this stuff are threefold:

1. Stop malicious content that’s streaming to end users in video clips, e-mail messages (including Web mail), blog comments and Facebook wall posts. 
2. Avoid hamstringing employees with draconian Web use policies. 
3. Priortize access to mission critical applications on their network, such as VoIP, as well as applications and services that are running in the cloud.  

Look for vendors who move in the space to move to address these pain points. In fact, its already happening. In recent weeks, we’ve seen Websense pick up blog antispam firm Defensio to try to boost visibility into blog comment spam. It says it plans to offer much tighter integration between its port authority data leakage wares and its on-prem and SaaS based Web security products. Riverbed picked up network visibility firm Mazu, and Barracuda has told us that it sees bandwidth optimization and traffic shaping as areas into which it needs to extend its reach. There’s more to come. Stay tuned. 

Like CardSystems breach before it (which netted details on an estimated 40 million transactions), Heartland is an example of hackers “fishing where the fish are,” by going after the small, less visibile companies that process card transactions for thousands or (in the case of Heartland) hundreds of thousands of merchants. Frequent diners beware: around 40 percent of Hearland’s business came from restaurant transactions. I knew I should have ate in! 

Yastremskiy was arrested in July 2007 at a nightclub in Kemer, Turkey.  It was not until after his arrest in July 2007 that authorities realized he had been fencing credit card information stolen in the TJX breach. Yastremskiy had worked with 10 other hackers, including Albert “Segvec” Gonzalez of Miami, the alleged mastermind of the heist. 

In August 2008 the United States charged the 11 hackers with aggravated identity theft, conspiracy, and computer intrusion. If he’s ever extradited to the US Yastremskiy will face these charges as well as charges related to fencing the stolen information.  

The firms named in the suit are a Who’s Who of enterprise IT security: Microsoft, Symantec, McAfee, Trend Micro, Check Point, Sophos, CA, Kaspersky, Novell, F-Secure, ESET, Webroot, PC Tools, Comodo, and so on. What’s surprising to us is that the suit doesn’t extend to application whitelisting vendors like Bit9, Solidcore, Websense and so on — especially given that the patents explicity mention methods of application control that involve “including a digital hash of said program to be executed as part of the program authorization information data structure,” but the owners might have figured there are plenty of dollars to shake loose from the companies named.

While Protection and Authentication of Texas LLC may be hoping for a quick payout of “leave us alone” money, we’re expecting the parties named to fight this one hard. First of all, they can. Second, recent Supreme Court rulings appear to be on their side — with the High Court ruling unanimously in recent years to take a tougher stand on so-called patent “obviousness.” The key case here is KSR vs. Teleflex, which was handed down in April, 2007 and overturned lower court rulings that were based on previous patent law standards that made it difficult to challenge granted patents on the grounds that they covered “obvious” applications of existing technologies or ideas — not really new inventions. While its unclear how novel the Texas company’s patents are, the legal environment has certainly changed from recent years, and the company can expect to face well financed defendents.  

We’ll be watching this one to see how it turns out.

Somehow that scene came to mind today as I surveyed the mood of teeth gnashing and garment rending that has accompanied this weekend’s high visibility attack against Twitter accounts. As with the outcome of Mr. Metzler’s little skiing stunt, the consequences of Twitter’s “we’re all friends here” approach to security were utterly predictable.

For those of you who are still emerging from your holiday torpor, news reports began surfacing over the weekend about phishing attacks that were spreading over the Twitter micro blogging network. The attacks began as direct mail messages between Twitter users that contained an enticing message and a link to a phishing Web site. That site, which appeared to be a twitter-sponsored site (i.e. twitter.access-logins.com), harvested account login information from victims…with predictable results. By Monday morning, the scam had claimed some high profile scalps: the Twitter accounts for Fox News (@foxnews) and that of CNN anchor Rick Sanchez, (@ricksanchezcnn), too. Barack got tagged, and unless Britney Spears is suddenly exploring the ancient myths of vagina dentata, she got hacked, too. (And she’s been doing so much better, lately!). The attacks are virtually indistinguishable from Web site phishing attacks, but for the fact that they originate within the Twitter environment, use Twitter’s direct mail (or “DM”) feature instead of traditional e-mail and are designed to steal Twitter credentials. The targets are also no surprise: they’re highly connected Twitter accounts from which spam or phishing messages can be broadcast to thousands or tens of thousands of “followers” (Sanchez, alone, has 40,000 of them). As researchers at Sophos have pointed out, as well, netting Twitter logins and password info is a passcard to even greater riches, as overburdened Web users just re-use passwords for work and personal accounts.

The folks at Twitter warned users about the spreading scam on Saturday and advised them not to share account information (as if this even needs to be stated). They have since posted a status update (”Multiple accounts hacked. Situation stable”) that sounds like it was issued from the control room of Reactor 4 at Chernobyl. Its unclear whether the attack is still spreading. Like other Social Networks, but unlike those fighting e-mail or Web based attacks, Twitter admins have the advantage of central control over network activity and, thus, can stamp out attacks quite efficiently. As I wrote in a recent column for ZDNet, attacks that leverage social networks like Twitter and Facebook are certain to increase this year, as use of those platforms reaches the critical mass that finally attracts the attention of spammers, identity thieves and the like. As this happens, the environment of implicit trust that has governed “in the know” communities like Twitter will disappear. Inboxes will fill with spam or some approximation thereof and users will think twice before they click on URLs in Tweets or Wall postings.

Clearly, the network providers will need to do much more. Twitter, Facebook and the like should force users to harden passwords. [NOTE: As this report from Wired makes clear, it was a weak password combined with a dictionary attack that led to the compromise of a Twitter administrative account.] They should also monitor activity both on their networks and on the Internet more closely, filtering content for phishing attacks and other scams. As an example, Bank of America and other financial institutions long ago started paying attention to who was registering domains that could plausibly be used in phishing attacks against their customers. Twitter should take note when a domain like “twitter.access-logins.com” is registered. Finally, organizations of all stripes are going to have to weigh the cost-benefit ratio as they wade into a new medium like Twitter. On the same day that the Twitter phishing attacks nabbed CNN and Fox News, a journalist whose feed I follow posted a link to a list of all the newspapers that Twitter. My guess is that most of them have jumped in with both feet without stopping to consider whether or how their accounts could be used to attack their followers or otherwise besmirch their good name. For those organizations that understand the risks and decide that Tweeting is worth it, better account management and hygiene (strong passwords, etc.) as well as training and clear policies on how to interact with followers and what to watch out for are in order.

So I am pleased to report that there is a raison d’ twitter: cat names. That is, I Tweeted that my cat, Philmont (named for a nearby town but also because it seemed preposterously high fallutin’ for a cat like Philmont, who’s three months older than when this picture was shot) had on Wednesday evening jumped into the washing machine to wrassle with the clothes. You know. As one does.

Unfortunately we didn’t notice this hitchhiker and shut the washer door and turned on the machine. Ten minutes later I heard a low, mournful Mrooooooooooow noise and went to investigate. I caught a flash of white belly with black spots and realized what was happening. Thank goodness we have a low-water washer! I got him out, used the blow dryer, put Philmont by the wood stove and under a blanket and the next morning he was the same old cat - attacking my legs as I walked to the kitchen, etc.

What has this charming story to do, you ask, with Twitter or information security? Great question. Turns out that when I tweeted this information on Philmont, people assumed - as one does - that Philmont was some infosec-related term, like, “Raptor” or “China”. When I replied that it wasn’t (my actual quote was, ‘Infosec is my job, not my cat’s life’), Anton Chuvakin asked people to vote on the best infosec-related cat name in a poll on the subject. Seriously.

He put forth several names Like ‘bug’, ‘flaw’ and ‘ipsie’; I suggested some dumber ones. Brandon Dunlap mentioned MOSFET. Some genius mentioned ‘Fuzzer’.

Fuzzer - awesome cat name. But is it the best? As I say, Anton ran a poll, and sure enough, Fuzzer it is.

Have very fuzzy, happy holidays everyone, from Philmont, Corinna, Spijk and on behalf of Paul Roberts, Steve Coplan, Lauren Eckenroth and all of us here at The 451 Group’s enterprise security practice. We look forward to speaking and arguing with you in the coming year.

Thanks, we do this for a living.

As we enter one of the most volatile years in recent memory, we thought that we’d speak directly to one of the most commonly asked questions we field from our end user customers - how can we be sure that the venture-funded, non-cashflow-positive, un-profitable startup we’re considering buying some stuff from will be in business next year when I need it? After all, start up companies offer some of the most innovative, cutting edge technologies out there - technologies that can address some real points of pain in enterprises. But investing in a start up - especially in times when budgets are so tight that buying $200,000 worth of shelfware nets the decision-maker something more than tight lips and a stern frown from the CFO - can be a frightening proposition.

Since we’re constantly asking start-ups about their fiscal viability, we thought we’d share some of the basics. None of this is brain surgery, and we’re not going to reveal any of our proprietary methodology. But we will share the basics because at the very least we’ve heard that hearing the questions we ask is useful to our end-user customers.

We usually start out subtly, using guile and tact to eke out of a vendor the answer to the main issue of concern:

• What is your fiscal viability? I’m concerned that you are a venture-funded, non-cash-flow-positive, un-profitable startup. How can you demonstrate to me that you will be in business next year when I need you?

As you can see, this cunningly worded question stakes out the roles (purchaser and vendor) from the beginning. But it gets to the point.

The first thing we do is try to get a handle on how much the company burns each month; a good place to start is

• Staff headcount
• Number of offices
• Location of offices
• Ratio of technincal to non-technical staff

Now, we’re not going to reveal the highly specific multiplier we use to figure this stuff out, but basically if you assume an all in cost of 10 grand per month per body, a little more or less depending on whether they’re technical or non technical, guesstimate the cost of those fancy Silicon Valley offices and all the branches, you can very quickly get a rough idea of how much these jokers are burning through each month. From there, you’ll want to make a determination about how the firm is doing against that monthly nut. You get one great thing that we don’t get - the actual asking price. If you figure that you’re an average customer, multiplying the price they’re asking you for times the number of customers it claims to have landed in the past year will give you a rough idea of how much money the firm is taking in (toss in something for maintenance and other recurring fees). By asking these basic questions one can quickly come to some William of Ockham-ish conclusions of the company that won’t be too far off to either make you feel a little bit better or make a reach for your car keys.

One more thing - if your vendor won’t answer these questions, consider another key insight from a professional observer - we are in, at the moment, what might be referred to as a Buyer’s Market.

Some basic Vendor fiscal viability questions:

• How many staff have you got?
• How many customers did you land this year?
• How many customers have you got under current maintenance agreements?
• Who are the executive team members – who’s driving the boat?
• Can I look at your audited books?
• Can you give me five reference customers I can call?
• Can you point to analyst reports from firms that do not do pay-for-play, i.e., The 451 Group, The Burton Group, Yankee Group?
• Please share with me a nonmarketing version of your corporate history
• Please tell me about your funding rounds in detail (month, year, investors) and amounts. If new investors popped up and old ones went away, what happened - was this a refi? a restart? Did new board members come in? Old ones leave? Why, when?
• Can I speak with your venture capital firm to ask them about the basis for their investment in you?
• Please share with us your roadmap from last year at this time and your current roadmap.
• What is the expected support response time for normal support calls and hardware failures?

As if we needed any more proof of just how sticky things are, this week Ernst & Young released its global IPO report for 2008, announcing a 13 year low in IPO filings from January through November this year. In the past 11 months of 2008, 745 IPOs raised $95.3bn- compared to record breaking numbers in 2007, when 1,790 IPOs raised $256.9bn over the same time period. Details can be found here.

To date this year almost 300 IPOs have been withdrawn or postponed compared to 167 for all of 2007. Few companies in the security space have come out this year. Arcsight (NASDAQ: ARST), though better off now (although for how long, we’re not sure), entered the public market with an uninspiring showing in February 2008. Since then few vendors have even dared to hint at an offering, and those that had have backed off to wait for more promising economic conditions.

For the next few quarters we can expect to see the larger names continue to consolidate in an attempt to steel themselves against the storm while the smaller companies shop for suitors, investors, or both.

The message for small, independently minded companies is clear: stay strong and, if possible, raise funds. Times are tight for venture backed companies, although the well has not run completely dry. Security vendors Rapid7, Napera, Memento Security, Finjan, and Trusteer, among others, have all raised funds in the past 3 months; proof that a good idea (or a hot space) will always be able to stir up investors’ interest.

Rumors of an IPO for patch and vulnerability management vendor Lumension (formerly PatchLink) were everywhere in September 2007; the same was said of unified threat management vendor Fortinet, though there is little talk of that now from either company. NitroSecurity went so far as to file for IPO in August 2007 only to withdraw its application this past June. Sophos had announced its plans to go public on the London Stock Exchange in the fall of 2007, but they also withdrew when markets began to crumble. The company instead made a bid for German encryption vendor Utimaco, choosing to take the company off the Frankfurt Stock Exchange rather than rolling into it. We expect to see Sophos pick the plans back up once conditions are better and Utimaco is integrated into its product line.

We are hearing rumblings of players ready for the push, however. Kaspersky seems to be ramping up its IPO plans. Barracuda’s unsolicited bid for Sourcefire this year could’ve made an IPO that much easier. It will be interesting to see who comes out when the smoke clears, but to be sure, that won’t happen anytime soon.

And so it goes here, with Kaspersky PR and marketing folks escorting a cadre of reporters through a Kaspersky-tinted view of the world. Access to company executives is in abundance, but it should be no surprise that reporters plucked from their home cities and taken on an all-expense paid trip to a strange land are disinclined to question their hosts and handlers too closely. Asked by one intrepid reporter what he estimated the market value of his company to be, CEO Eugene Kaspersky went silent before flashing a wide grin and shouting back “enough to pay for your dinner!” And that…was…that!

Despite its size (the company now employs over 1,200 people worldwide), Kaspersky is still very much a personality-driven company, and the personality who drives it is Eugene Kaspersky. He’s everywhere here in Moscow: presiding over the morning sessions, briefing reporters and analysts, toasting the assembled at gala dinners and holding court over shots of (excellent) Russian vodka in the hotel lobby late into the evening. In a nation of chronically unsmiling people, Eugene is ebullient: bearded and grinning as he bounds about greeting and joshing with his guests like a younger, scruffier Santa Claus.

The very act of flying four or five dozen reporters to Moscow in December just to show them around his company speaks volumes about Kaspersky’s personal ambition. He’s doubtless been counseled by others to play down the company’s Russian connections (Kaspersky is officially incorporated in the UK). But he’ll have none of it and, in fact, wants to play it up. He takes seriously the idea that his company will be a beacon to other Russian IT firms that — in the words of COO Evgeny Buyakin — Russia can produce “more than just oil and gas.” His fellow executives and employees seem to take it seriously too and — the Russians among them — to consider it a point of pride to work for a home grown firm that’s taking on much larger and richer U.S., European and Asian operations like Symantec, McAfee, Trend and Sophos.

Of course, getting a modern IT company to thrive in a business environment dominated by connected firms whose wealth is tied to natural resources like oil, timber and mining will be no small feat. Western critics and opinion makers need convincing, and Kaspersky faced pointed questions about whether his company may have unwittingly hired black hats and cyber criminals to work in its labs. It’s a fair enough question for any security company (especially given recent revelations in the TJX case), but I didn’t hear it asked of anyone at Symantec Vision in Las Vegas.

As a venue, Moscow both helps and hurts. The place is booming — no doubt about it — with new office buildings going up all over the city, luxury automobiles beached on the sidewalks, and giant plasma screens perched above the main boulevards displaying luxury ads. But the Freudian term “unheimlich” — literally “un-homey” or “uncanny”– comes to mind in a place where old and new come together so jarringly. Doors fly open for us in the very capable hands of Kaspersky and crew. The man is, after all, something of a national hero. But there’s also a palpable sense that layers of deep complexity lie beneath the seamless production here that might easily trip up a smaller firm making a go of it. San Jose this ain’t.

As for Kaspersky, the company, its executives agree that the biggest challenge facing the company will be managing growth in the coming years — holding onto the spark that animates the company today, but also developing the systems and processes that large companies need to operate. The company is working to secure a partnership (and possibly an additional investment) with Credit Suisse. That, it is hoped, will open doors to Western enterprises, and Western markets for a possible IPO. Given the turmoil in world markets, however, those plans have almost certainly been pushed back and we imagine Kaspersky is counting its lucky stars that it can hide out from the tumolt as a privately held firm for the time being. We’ll be writing more about Kaspersky in the days ahead — its roadmaps and strategic considerations. But often its the details around the edges that tell the most interesting story. In the case of Kaspersky Lab, that’s definitely true.

“With respect to NAC, Selby said the technology is getting sucked into identity and access management and NAC vendors are looking to get bought by vendors in the IAM market.”
- Bob Brown, Days numbered for standalone NAC, anti-data leakage firms?, Network World

Analysts love saying stuff like "X is dead!". Part of the analysts guild membership requires that we doom some sub-sector to failure at least annually. But I really think that Bob Brown at NWW got our point absolutely right when he reported on the goings-on at our Third Annual Client Conference held in Boston last week.

During the event I said,

“‘NAC’ then, becomes more of a policy enforcement point than a pat-down. By the end of 2009 … Network Access Control [is] gone as a standalone [industry].”

Now there are a couple of things. First, the NAC vendors in the audience began gnashing their teeth, audibly. Seriously, someone told me that they thought one guy’s jaw would break.

Second, what I said and meant was that there is a sea change occurring in the world of Identity and Access Management, towards a new layer of policy management. We are not saying that IAM vendors are going away either, but we do say that, after years of incremental change mainly through consolidation, changing technologies (rabidly accelerated use of mobility leading to re-perimiterization being merely one) are forcing IAM vendors to make some seriously cool stuff.

The years of consolidation and incremental change mean that no one will have to throw out the kit they have - this is not a rip-out, it’s a layer atop existing infrastructure that makes the whole system more valuable. For example, federated and single-sign-on authentication are important, but they’re the tip of the iceberg. Compliance compels you to know who is accessing what, but does not get to the why question in a way that gets you to make dynamic decisions about:

1. Who are you? What do you have access to?
2. Why?
3. How is this reflected in the resource you’re accessing?
4. How is it reflected in system level privileges?
5. What happens when the role, resource or policy changes?

To accomplish this, there are three main categories of kit:

• Policy Administration Points - The brains
• Policy decision points - The central nervous system
• Policy enforcement points – The muscle.

It was in this context that I said what I said - here it is again:

“‘NAC’ then, becomes more of a policy enforcement point than a pat-down. By the end of 2009 … Network Access Control [is] gone as a standalone [industry].”

NAC technology is not dead. NAC has been most relevant for verticals, like education or certain parts of SMB - where you have a large number of low value endpoints. But enterprises, especially in this exciting economy, aren’t satisfied to make decisions based just on the endpoint and its hygiene.One must consider visibility into a combination of endpoint and user and intent - go/no-go simply isn’t adequate for that. There needs to be more granularity in permissions. These are all properly IAM issues.

The most important clarification I can make is this: vendors are not going broke because they’re NAC vendors (though some are going broke because their stuff sucks). The technology created by good NAC vendors is not going away, it’s going to be repurposed. We have seen this happening already, as NAC vendors have moved away from admission/post-admission discussions and towards the much more relevant conversation about visibility. We believe that this conversation will evolve even further. For example, we’ve been threatening for two years that IAM vendors would marry endpoint assessment outcomes with risk-based authentication profiles to assess the risk associated with providing access to an individual to a specific resource. On the other hand, the idea of an enforcement overlay with a binary decision matrix (”No anti-malware? Orf with ‘is access“) will not materialize.

So put yer knives away! Over the coming weeks we’ll be pointing to some specific examples of this and tweaks or changes to the strategies of the NAC vendors.

Next week: Firewalls are dead! Dead!

We know roughly how much data was taken, and a timeline of when the company became aware of it. We can guess at the sophistication of the attack by noting, for example, that almost 18 months passed between the initial compromise and the company learning that its network had been compromised. However, details in the press are often lacking. We hear that “malicious software” was used, that it stole data in transit, or from a database and stored it in files that were later transferred off the network.

What’s missing is the provenance of the malware itself — was it a variant of a common, information stealing program like Torpig, or a custom application developed specifically for the attack in question? The answer to those types of question suggests a lot about the amount of effort and investment that preceded an attack — was it merely a target of opportunity, caught up in the net cast by a massive spam run, or did the criminals in question have their sites set on the victim from the outset?

With arrests in some of these cases, those with knowledge of them are now beginning to flip in an effort to avoid harsh sentences. That, in turn, is leading to more arrests and more details about the eye-popping data breaches that have dominated headlines. Those details are reason for concern, particularly for high profile companies that might be worried about the threat posed by rogue insiders and targeted attacks.

Take the case of Stephen Watt, the New York man who was named in an indictment filed in U.S. District Court in Massachusetts on October 29. According to some published reports, Watt was part of a criminal ring that engaged in wire fraud, identity theft, money laundering and unlawful access to computers — all part of a scheme to steal more than 45 million credit and debit card account numbers from TJX, authoring the sniffer program used to steal the credit card information. That program, dubbed “blabla” was apparently written and then repeatedly modified by Watt for Albert Gonzalez, a co-conspirator who is believed to be the mastermind of the TJX scheme. Gonzalez, otherwise known as “Segvec,” was acting as a federal informant at the time he was also engaged in pilfering data from TJX.

Watt hasn’t been convicted of anything yet. Moreover, not much is known about the government’s case against him. It’s entirely possible that he developed the blabla application in a vacuum and with penetration testing, rather than data exfiltration in mind,–completely ignorant of Gonzalez’s larger plan. Time will tell.

What is clear is that Watt was a talented developer and security mind with the resume to match. His LinkedIn profile shows him working currently for Imagine Software Inc., a company that makes trading system software used by “hedge funds, pension funds, investment banks, brokerages, and sovereign wealth funds.” His LinkedIn profile claims stints at financial services giant Morgan Stanley, where he worked on “Application infrastructure development and inhouse security toolkit development.” It also claims he worked at SaaS based vulnerability scanning firm Qualys where he says he “conducted research and development for an industry-leading network vulnerability scanner..and developed proof-of-concept exploits for discovered vulnerabilities,” among other things.

UPDATE: Qualys says the LinkedIn information is inaccurate. According to company HR records, Watt worked as a summer intern for two summers, in 2001 and 2002, where he helped test that company’s scan engine. He never conducted research and development for Qualys, according to the company.

His work for Morgan and Imagine overlaps with the period of the TJX hack and his alleged work on blabla. Troubling.

The questions for security-conscious organizations of all stripes are obvious:

1) Given that you can’t stop a determined hacker from gaining access to your network, what is the proper means of protection from a hacking outfit that’s employing a top-notch developer to write custom malware just for you? 18 months between compromise and detection doesn’t sound so outrageous if TJX (and the layered defenses it employed) were just looking for stuff that looked like other stuff that was out there. They weren’t going to find Watt’s “blabla,” because nobody had ever seen blabla before. Forget that Watt was allegedly providing regular updates to the software as the hack was in progress, as is alleged in the indictment.

2) Given the hunger for IT development talent, and the unfathomable and largely anonymous world of malicious and recreational hackers, how can firms trust that their star new developer isn’t donning a black hat when he’s at the office — or even when he gets back home? This is ultimately an HR question, but its unlikely that most employers are doing the kind of “three letter agency” caliber due diligence on IT staff that would uproot questionable associations like Watt’s.

Surveys of end users that we’ve conducted show acute interest in anti fraud technology that can provide intelligence about threats posed by insiders regardless of seniority, from the low-level call-center agent and receptionist, up through senior managers. Firms like call center giant NICE have already invested in this space, marrying anti-fraud to their existing monitoring platforms.

Companies like Guardian Analytics have come out with software that they claim can analyze and model user behaviors to spot weirdness that might indicate an account takeover or compromise. But most of these products are focused on transaction-based security - fraud and money laundering. Watt poses an even hairier problem: what posture do you take towards your realtime trading system software — say — once you realize that one of your developers was donning a black hat — at least some of the time? Better yet, what internal controls can you institute that will help connect the dots leading to a questionable developer. Is it merely a matter of hiring nosey managers and smart QA people, or is some extra layer of scrutiny needed? All of this assumes, of course, that there was some bleed over between white hat and black hat. That may not be the case every time. But as word of this indictment spreads, I wouldn’t be surprised to hear that there are some heated conversations and hastily arranged audits to assess the collateral damage — if any.

The fundamental technology issue that arises from de/re-perimeterization and other number of transactional models built across security domains, is that there has to be some transparent decision framework that dynamically assesses the benefits of access relative to the security risk. But without visibility into the each element of the decision train - what is the resource, what’s the nature of the access request, what is the identity of the source of the request, with what degree of certainty and is the source of the request acting in a way that falls outside of the band of normalized behavior - there is no foundation to determine whether the access decision will risk-neutral or elevate it.

The information and profiles generated from these functions are distinct from the network and event types of information that SIEM systems capture, and can serve the purpose of generating the visibility into how system and user are correlated in order to incorporate risk assessment into access decisions and eventually embed into policy definition. Without going into specifics, what the vendor has in mind is a form of risk management that enables organizations to decide how much security they need to deploy - instead of trying to sell them too much or compelling them take the decision that operating without enough is just fine when assessed in terms of the associated cost and implementation complexity. If risk management is implemented correctly, it minimizes the potential from an external breach or insider threats by using a sliding scale of security enforcement rather than subjecting every user to an equivalent degree of scrutiny, when most of the time it’s simply overkill.

Still, even if risk management does become a viable sales pitch, there’s still the threat of risk management being becalmed in the doldrums of unresolved ownership. Where do the lines of responsibility get drawn? Is it an IT responsibility, a security responsibility, or a networks responsibility? Of course, this argument that risk management ends up in a no-man’s land can be turned on its head to make a claim in its favor : risk management becomes the source of accountability for balkanized operations divisions. (Think of risk management as Marshall Tito).

I am open to correction, but just not convinced yet that risk management is a good lever to prise open budgets. We’ve been told by a few vendors that the economic downturn has helped sales of security products - on the assumption that hard times make for an increase in insider attacks. We will be watching to see whether this holds true for risk management too.

]]> http://blogs.the451group.com/security/2008/11/04/can-you-sell-risk-management/feed/ http://blogs.the451group.com/security/2008/11/04/can-you-sell-risk-management/ http://feedproxy.google.com/~r/451security/~3/ARve-MGS0r8/ http://blogs.the451group.com/security/2008/11/04/it-security-after-the-crash/#comments Tue, 04 Nov 2008 22:04:07 +0000 Lauren Eckenroth http://blogs.the451group.com/security/?p=58 With the close of the third quarter, security vendors were putting on an optimistic face about the coming storm and the coming year. With quarterly earnings strong so far, McAfee, Sourcefire, and Websense sounded upbeat about the state of security spending in these tough economic times while major player Symantec is a little more conservative. It seems that those who control the budgets are at least pretending to share in the optimism; while overall IT budgets contract many people expect security spending to weather the storm.

McAfee says that customers at their client conference reported that security spending is still a top priority—but we’re not so sure that, ‘Things that make us money’ shouldn’t top the list- and maybe security, while still in the game, will have to take a hit. As far as earnings go, revenue came in at $410m in Q3, a 27% year over year growth. McAfee CEO David DeWalt claimed that many of the 28 deals over $1m that closed in the quarter closed in September when the markets took a downturn. However we would infer that these were sales cycles that were begun months earlier, when things looked considerably better. By the time the markets dumped and the deals closed the budgets were already written to include these big ticket deals. DeWalt also claimed customers seem more interested in spending their money with one vendor on a product suite, but we wonder if this analysis may have been influenced by the fact that McAfee sells a product suite.

Intrusion detection and prevention vendor Sourcefire had a solid quarter, which, as we’ve mentioned before, was needed to stave off bidders aimed at hostile takeover. The company has recorded a 37% year over year growth in GAAP revenue, coming in at $20.3m. Net loss is also down to $1.7m from $2.8m in Q307. More on Sourcefire’s latest quarter and its Shareholder Rights plan can be found in this report.

Websense finished its third quarter with $76.7m in revenue, up from $50.4m in Q307. The company recorded a GAAP net loss of $3.5m, or 8 cents per diluted share, and GAAP operating cash flow was $19.4m compared to approximately $13.9m in the third quarter of 2007. The company also tightened its 2008 revenue guidance from $290-295m to $292-294m. In another attempt at optimism, or just plain denial, Websense CEO Gene Hodges released a statement saying the company had “yet to see a significant negative impact on our business from the recent economic turbulence.”

Storage and…ahem…security vendor Symantec seems to have slowed considerably. Revenue for its second quarter in fiscal year 2009 came in at $1.5bn — nothing to sneeze at until you consider that it is only a 6% improvement over Q208. The company’s GAAP net income increased considerably, at $140m from $50m the year before (and to be fair, we hear that Vontu is faring quite well under the Symantec regime). Cash flow from operations fell more than $100m due to an increase in cash tax payments, whereas the year before the company had received a tax refund. Symantec’s security and compliance segment grew only 1%, to $400m, representing 26% of the company’s Q209 revenue. Guidance for next quarter is conservative to say the least; revenue is expected to come in between $1.44bn and $1.50bn. Symantec says it sees the mid market softening due to the economy, and that retail growth is down 20% year over year.

Security is vital to many industries. In the long run it may be less expensive to implement strong security policies than to pay for a possibly expensive and distracting security breach or data leak, and compliance certainly isn’t an issue that can be set aside. But so much of this optimism smacks of bravado and wishful thinking. The real effects of the current financial turmoil won’t really be felt until, at earliest, next quarter. This is far from over, and no amount of heel clicking will convince me that we’re not going to see security spending take a hit. Get out your umbrellas, folks.

With that in mind, we were contacted by none other than Jamie Butler, an esteemed security expert who now works for security consulting firm Mandiant. Jamie, along with his friend and sometimes co-author Greg Hogland, as an Obi Wan Kenobi of rootkits and other stealthy malware. Jamie wanted to tell us about a new tool, dubbed Memoryze, that Mandiant has released in a free version. What does it do? At a high level, Memoryze is a forensic memory analysis tool that allows users to interrogate live system memory on a host or a saved memory image to determine exactly what is running in memory, including processes that might be hidden by rootkit technology, as well as DLLs, executable files, registry keys, and so on. The program can list network sockets that a process running in memory has open — again, including those hidden by rootkits, as well as modules loaded in the OS kernel.

“This tool is extremely powerful,” Butler said.

What are the applications? Where to start — the most obvious application for Memoryze is as a strict forensic analysis tool: you can use it to pick over a saved image of physical memory. But Mandiant points out that its also useful as an incident response tool, to help understand what processes and drivers are (or are not) running on a host that may have been compromised. As an example, Memoryze’s forensic capabilities have uncovered the shellcode that Metasploit and Immunity’s Canvas inject into processes, Butler said. It can also be used as a reverse engineering tool — defeating anti-reverse engineering techniques to capture and reconstitute an image of a process or driver from physical memory that can then be plugged into IDA Pro or whatever happens to be the researcher’s favorite disassembler/debugger.

Yes, yes. This is a freebie that’s designed to steer you towards a premium product — in this case, Mandiant’s Intelligent Response product, which encapsulates almost all of the Mermoryze functionality. But Butler said its a robust product in its own right — with the ability to write custom filters to look for evidence of compromise using XPath filters. Check it out!

- At $695, Symantec is paying around 4.7x MessageLabs FY 2008 revenues of $145m — a good bit of change, but a much lower premium than the Google-Postini deal, which we estimated as being close to 9x revenues. That’s a reflection of the tougher market right now, but also of cooler heads prevailing when it comes to SaaS.

- We always find it interesting when companies re-buy into spaces they’ve already invested in. If you remember, Symantec already laid out some $370m back on 2004 to acquire antispam firm Brightmail. Now, of course, Brightmail had a different model, selling more traditional on-premises spam gateways, but given that Symantec had the Brightmail antispam engine and expertise in house, it makes you wonder why the company felt it needed to plunk down almost $700m just to get antispam as a service. (Note: we’re not saying this wasn’t a worthwhile investment, just that it’s…interesting.) At the end of the day, though, Symantec gets a top shelf antispam services company with a fast-growing Web threat detection service, a mature SaaS platform for its other products and a 19,000 strong customer base to upsell into.

- The truth behind this acquisition may lie in Symantec’s repeated references to MessageLabs’ “deep expertise in the SaaS market” and the synergies (to summon the ghost of the 1990s) between MessageLabs platform and Symantec’s nascent Symantec Protection Network (SPN) SaaS platform. SPN has been inching along, most recently with a beta release of an online remote backup feature in September. Given Symantec’s already deep investment in antispam and a mature product line, this deal may signal that the company realizes that SaaS is an entirely new game, that SPN isn’t the plug it in SaaS platform for Symantec’s other products that the company’s messaging has sometimes suggested, and that it needed to deepen its bench when it comes to SaaS.

More to come on this latest deal in the SaaS space…

Hubbard’s basic point was that new cloud computing platforms are massively powerful tools for creating virtual computing infrastructures and offloading CPU and memory intensive operations. Platforms like EC2 essentially allow businesses and individuals to create any number of virtual computers on the fly — and deals that companies like Amazon are offering allow customers to create new hosts for pennies a month. That’s great, and Hubbard talked about how Websense has begun to use these platforms to host elements of its threat honeypot network and failover servers for its antispam service. Other whitehat applications include image analysis, fuzzing, vulnerability research, analysis of large data sets, and so on.

As Hubbard explains it, the cloud infrastructure allows Websense to spin up new systems quickly, provides anonymity that makes it harder for spammers and organized crime groups to blacklist its honey clients and allows the company to focus on its core competency: threat detection and security, rather than Web hosting.

The problem, as Hubbard sees it, is that cloud computing systems are “frictionless systems,” more akin to the anything goes Domain Name System than an ASP or other hosting offering. Users can set up accounts online and anonymously with little more than a credit card, while APIs make it easier to spin up dozens or hundreds of new systems in minutes. Once created, those systems can then be used, potentially, for DDOS attacks, man in the middle attacks, spam runs and more. Hubbard also notes that its unclear what level of security between cloud systems exist, potentially allowing attackers to compromise hosted systems, steal data on them or monitor traffic between them.

We’ve written about the increasing growth and massive potential of cloud computing — which everyone from Microsoft to Google and IBM, Sun and VMWare are investing in. Expect to hear more about the security implications of the cloud — for both good and ill — in the year ahead.

Fear — worked yesterday, works today. Aboud made no bones about the fact that the “F” in FUD — fear– continues to be a prime motivator in security software purchases and marketing. “Fear is a natural tendency,” Aboud pointed out. Outbreak marketing, he said “catapults off fear.” The key, of course, is to tap into the underlying fears of your prospective customers without overdoing it or seeming like you’re taking advantage.

Much of the rest of Aboud’s talk was spent discussing the best possible way to market outbreaks. In a nutshell, Aboud argued that anti malware companies do themselves a disservice by chasing every and all outbreaks in an effort to get their name attached to news stories and other coverage. Rather than the carpet bomb approach that takes security companies off their core message (and make them look like FUD-meisters), anti malware companies should use the Gulf-War laser guided munitions approach: picking and choosing their outbreaks, then tying their comments and marketing efforts into research and product development efforts that are consistent with their long term objectives. Aboud calls this approach “proactively reactive” — let’s just all decide that will be the last time we ever use that term, ok?

That all sounds well and good — I’m just not sure its very realistic. I think Jeff’s right that security firms don’t do themselves a favor chasing issues that don’t dovetail with their areas of core competency. Most reporters will read through your spin and just look on the whole effort as rather desperate. At the same time, companies that want to get their name in the press can’t lay back and mull their options while news is breaking around them. At some point, if you think you’ve got something to say, you’ve got to get out there and make calls, send emails, blog and otherwise start shaping opinion. That said, mega outbreaks like Blaster, Slammer, et al. are rare these days, so in most cases you’ve got time to get your story straight, provide something new and useful to reporters and prep your experts. My advice on getting your message out:

1) make sure reporters know how to reach your key reps and experts

2) make sure your folks return calls and emails ASAP and move quickly to set up interviews and shape the story

3) debrief experts on what reporters are looking for and make sure they have their facts straight

3) provide independent, marketing free advice/information. no product pitches, please.

My 2c.

So periodically we’ll be analyzing the stock performance of publicly traded security companies. The posts combine our security technology industry analysis with our M&A and market analysis to bring some clarity to the often under-understood world of publicly traded security companies.

This week we take a look at Sourcefire (NASDAQ: FIRE), which as we’ve just noted, has recently released 3D System 4.8 and the beta of SnortSP—a main component of the forthcoming Snort 3.0.

We would note that these product releases—and others coming soon—will likely have a significant influence on Sourcefire’s stock as the company returns to trading on its fundamentals rather than getting whipped around by speculation about whether it will be gobbled up by Barracuda Networks. With shares currently changing hands at roughly a 15% discount to the offer price from privately held Barracuda, Wall Street appears to be dismissing the takeover. Further, the relatively thin trading volume in Sourcefire shares is hardly representative of a speculative market, with arbs and ’special situation’ investors whipping around huge blocks of stock. (The beta on the stock is 0.8, meaning it is notably less volatile than the S&P 500.)

Sourcefire was put in play following Barracuda’s unsolicited bid in May. The privately held company initially offered $7.50 per share for Sourcefire, then later bumped that up to $8.25 per share. Reflecting the offer, Sourcefire stock soared 20% in two sessions in early June. It even briefly topped Barracuda’s bid, hitting a high of $8.27 on June 10th. However, as doubts emerged about Barracuda’s commitment to closing the deal—as well as Sourcefire’s larger-than-expected Q2 loss—Sourcefire shares sank back to the mid-$6 range, essentially where they were before Barracuda floated its offer. (One reason for the market’s skepticism: Barracuda never released any details about the financing the proposed $205m deal. Presumably, Barracuda could tap backer Francisco Partners for the cash, but it certainly isn’t going to get it from the credit markets right now.)

We and others await the company’s important Q3 earnings announcement with great anticipation. Should Sourcefire blow the quarter, or see lower-than-expected takeup in the federal sector, the company could be looking at the business end of investor crankiness. Market conditions these days and tightening of credit might make any potential bidder think twice about a new offer, but we can’t help but note that stocks seem to be on special this week (pending further Washington drama in the form of a Senate vote on the bailout). If Sourcefire gets through Q3 with a respectable showing, then all comes down to its make-or-break fourth quarter results, when Wall Street is looking for the company to put up black numbers.

Looking at pre-drama prices, we wondered whether Sourcefire’s volatile performance suddenly turned steady. For the past month and half investors seem to be in a holding pattern, with light volume and little conviction. And while the stock has followed the overall market, it hasn’t been roughed up as much. Since Barracuda’s bid was revealed, Sourcefire shares have lost some 8% of their value, just half the level of the decline in the Nasdaq.

As for Barracuda’s play in this game, if the market was convinced the deal was going to happen in its current incarnation (and in current market conditions) Sourcefire would be trading above eight bucks. But it’s not; it’s been steady around $7.40 for the past six weeks—even after the 777-point drop of Monday, September 29, 2008, the stock closed above $7, and by Tuesday it was back up at $7.29. Is the market trying to tell Sourcefire that Barracuda really didn’t undervalue the company, as was claimed it had when the original bid was made on May 29th?

Investors are waiting to see if Burris can pull Sourcefire out of the funk it’s been in since the 41% plunge after its initial IPO offering in March 2007. Everyone’s holding onto what they have, but for how long? If Sourcefire doesn’t perform, especially in Q4, which has historically brought in somewhere around 35% of its annual revenue, its board may start looking a little closer at whatever offers are coming across the table. If Burris can’t pull Sourcefire into a substantially better position if not into the black by the end of the fiscal year we would expect to see the company sold, with or without the approval of its upper management.

Compared with industry shindigs like the RSA Conference, InfoSec or Interop, VB has an almost academic air to it — its lite on biz dev, but heavy on binary analysis. For reporters and analysts who are used to talking to the marketing and PR flaks, VB is great — an opportunity to hang out with the researchers that most security firms keep hidden away at the labs who actually develop the protections and diagnose the new malware variants floating around the Internet.

I’m here to participate in a panel discussion on virus testing methods, and whether they’re doing a good job reflecting the relative effectiveness of anti malware products. This blog has sounded off on this topic (and on VB) before. And, without going into it, suffice it to say that there are real concerns that the methods industry groups are using to evaluate products aren’t keeping up with the times. Of course, testing methods is a familiar topic of debate here at VB and at other industry conferences like AVAR, and its its not clear that much changes year to year. Still, its clear that the anti malware industry is at an inflection point: there’s more talk here about the organizations behind threats and less focus on the threats themselves than in years past. There’s also more chatter in the crowd about in the cloud security services and threat intelligence, than about ways to fine tune signatures and heuristics. The Web is very much on the minds of security researchers, as is virtualization technology. With all that going on, folks are looking at the methods that testing organizations like VB, AV-Test and the like use to assess the effectiveness of anti malware products. Trend Micro made noise earlier this year about dropping out of VB’s testing program, and others (Panda, as an example) have taken similar steps over the years. Mostly they’re peeved about evaluation methods they consider ossified and not reflective of the capabilities of their products. (For example, some tests still rely heavily on signature matching against the virus Wild List –just one measure of effectiveness in stopping malware, and not a particularly relevant one at that.) In addition to the panel I’ll be on, I count two other sessions on the testing question (”Who will test the testers” with David Hartley from ESET and Andrew Lee from K7 Computing and “Rebuilding anti-malware testing for the future” with Igor Muttik and James Vignoles from McAfee). I’ll let you know if any of us reach any peace on the issue — but don’t hold your breath.

The Palin case is a great example. The Vice Presidential nominee was already under fire for allegedly doing government business through her personal, Yahoo e-mail account. If nothing else, coverage of that story directed any number of hackers and Internet trolls to her Web mail account. One of them appears to have been successful in breaking it. The account of how he pulled it off shows how thin the blanket of protection is around Webmail and other online resources, even when offered by top-tier providers like Yahoo. All that stood between the outside world and Palin’s e-mail account was Yahoo’s password reset feature, and a few simple facts that were easily recovered by Googling: her place of birth, zip code and where she met her husband (umm…Wasilla high school?). While the information retrieved from the account has been unsensational, it has also been limited and suggested that Palin mixed professional and personal correspondence. That could have been (and may yet be) a huge headache for Palin, the McCain campaign and the State, exposing sensitive personnel, policy decisions and official business to public view. I’m all for open government — but this is something different.

The Palin incident also recalls a recent incident a bit closer to home in the IT Security world, namely: the hacking of Webmail and blog accounts belonging to Alan Shimel of NAC/IPS vendor StillSecure. Alan has already written about the grief that ensued after some trolls busted into his blog and his Yahoo e-mail account and disgorged reams of personal information — tax returns, vacation photos, personal correspondence — from them. According to Alan, the integrity of StillSecure’s network was never compromised but, as with Palin (and most of us, frankly) the boundaries between work and personal life blur, and sensitive data often flows back and forth between them.

Blogs, social networks and the like also provide a treasure trove of personal information for identity thieves and others that can be used to gain access to more sensitive resources than Yahoo Webmail accounts.
What’s the solution? There is no easy answer. Companies can use Web content monitoring tools from any number of vendors to try to block use of social networks, Web mail and the like during the work day. But that’s a ham fisted approach that, in the end, probably won’t be all that effective. Also, some social networks are becoming rather important conduits of professional communication and activity, as well — even if its just for HR and marketing.

Making employees aware of the need for strong account protections and the risks inherent in mixing work and personal correspondence is another approach. My sense is that most companies haven’t made that type of coaching part of their standard employee orientation. With more and more of their workers blogging, facebooking, twittering and the like, companies are going to need to address this head on, lest the tidal wave of new communications prove a death by a thousand cuts for enterprise IT security groups.

Identity is dead, long live identity

Identity has never been more important as the network perimeter frays, and the diversity of users accessing resources expands - the tension between the demand and risks for access to data is escalating. Identity, data and policies are the three legs of the stool for managing how information is managed - the better identity is defined in terms of attributes, and more easily consumed by a policy engine, the more pivotal it becomes in policy decisions. Also, as identity as understood as an entity with attributes defined in terms of business logic, and correlated from multiple sources, it provides the ability to write more powerful policy statements. In other words, what is referred to as role management (too vaguely in my estimation), is about to have it’s day in the sun. But there remains a lot of uncertainty out there about what constitutes identity management - and vendors with metadirectory products and provisioning engines can shoulder some of the blame here. Also helping to further cloud matters is the conflation of enterprise identity and internet identity as a single notion, or at least as inevitably reconcilable. The 451 Group’s view is that while there is a clear overlap, they deal with divergent use cases. Part of the misunderstanding is perpetuated by the lack of distinction between authentication to resources and tying a user to a particular persona.

The market is growing (but not booming)

To a lesser or greater degree, the vendors I spoke to are optimistic, are seeing their pipelines expanding, and are experiencing smoother sales cycles. Compliance is the common theme here, but buyers are increasingly motivated to buy new technology in order to deal with the complexity of existing infrastructure - created either through M&A (where multiple systems must be integrated to establish unified controls), autonomy in how identity management is implemented, no processes in place in the first place or simply poor implementations of technology designed to automate procedural changes and streamline operations. Still, it’s more prudent to characterize the market as one leaving the doldrums, rather than one with a gale force wind at its back. At least one vendor we know has had to retrench after scaling the company on forecasts of 350%, and then having to contend with a ‘paltry’ 100%. Also, even though the volume of M&A rumors has picked up substantially in the last six months, there remains a gulf between what acquirers are willing to pay, and what targets think they are worth. The smarter private companies are looking for ways to scale before seeking an exit — which in my mind is the appropriate course of action at this point when the scope of the problem is only beginning to be understood by the customer at large.

Visibility, control and now transparency

So what is the scope of the problem? As I started to ramp my coverage of the IAM space, fairly early on it became quite clear that the overarching issues faced by organizations looking to manage identity were visibility - who are my users, what do they have access to and how - and control - can I ensure that access is appropriate and policies centrally specified. It’s now dawned on me that there is a third facet here - transparency. Transparency involves capturing who touches what and how through logging, reporting and auditing in the context of compliance (accountability in other governance contexts). But transparency is also the path to transcend the age-old wall between IT and business. Transparency is the ability to understand system privileges in terms of business rules (and translate business requirements into system privileges), build a resource-centric view of consumption and integrate identity into the change management process. The ability to understand access decisions in terms of a business process through a policy management layer translates to transparency - which is why we will be spending a lot of time on this topic over the next two months.

Security as a business process?

Far more informed, incisive people than myself have posited that IT security should not exist as a standalone industry. But is it realistic to think of security as embedded into business processes? Not at all - but does depend on the nature of the business process - there is sure to be a continuum of the degree to which security needs to be embedded, and dependent on the risk associated with the business process. But, the question can be turned around: is it possible to fully map the security implications of each access decision and transaction? Can we satisfy the need to dynamically (and in run time) assess the risk of allowing a decision or transaction? Identity can clearly evolve to be an important pivot in the decision, and provide the foundation to move away from binary decisions to a world of less and more access and control, but other elements have to fall into place in parallel. (Although Covisint with its trusted environment and transaction brokering has an interesting take on this possibility).

]]> http://blogs.the451group.com/security/2008/09/11/digital-id-world-a-postscript/feed/ http://blogs.the451group.com/security/2008/09/11/digital-id-world-a-postscript/ http://feedproxy.google.com/~r/451security/~3/vjY6jTURx_A/ http://blogs.the451group.com/security/2008/09/09/marc-maiffrets-new-gig-youll-be-surprised/#comments Tue, 09 Sep 2008 20:12:10 +0000 Paul Roberts http://blogs.the451group.com/security/?p=48 My favorite memory of Marc Maiffret goes back a couple years. I was a security reporter for eWEEK and had just landed in Las Vegas to cover the annual Black Hat security conference. I had a late (9:00pm) interview scheduled with Marc, who co-founded eEye Digital Security and, by then, was its CTO. But my plane was late and it was now almost midnight. Once we landed , I called Marc to apologize and, obviously, reschedule the interview. He answered and, yelling over the din of the craps table, told me to get my butt down to Caesar’s. The night was still young.

By the time I got there, Marc - in trademark smoking jacket with dyed hair, combat boots and piercings — had somehow glommed on to the hottest table on the Casino floor. He and everyone in the eEye posse were WAY up. The free drinks were … flowing. After watching this all for a few minutes, I threw my money on the table, too. We played a while longer, won some dough, then spilled into the booth at an all night buffet at around 2:00am. We talked shop. Marc tipped me off to the news about Michael Lynn’s scratched Cisco IOS presentation, which was going to become worldwide news, and the show was on!

That’s Marc and that was eEYE — lots of youth and energy and fun. And lots of ups and downs — too many, as it turned out. Throughout, Marc set the tone: a gifted security researcher, he was among the first to isolate and analyze the Code Red worm. Over the years, Maiffret built and led a team of researchers that did important work exploring the vulnerabilities of Microsoft’s Windows operating system, Internet Information Server (IIS) Web server and countless other products. With talented developers like Ryan Permeh (now Manager of Product Security in McAfee’s Security Architecture Group), he oversaw the creation of both the Retina vulnerability assessment tool, but the Blink host IPS product. That said, his company, which was an early leader the vulnerability assessment market, was guilty of a number of strategic missteps over the years, even while competitors like Foundstone and ISS were acquired.

So when Marc finally stepped aside as CTO at the end of 2007, the question on everyone’s mind was “What’s Marc’s second act?” I got an answer a couple weeks back in the form of a call from Marc, who wanted to talk about his next project: a managed security services company called The DigiTrust Group that is targeting SMBs. Truth be told, Marc isn’t launching something new here. Rather, he’s joining a company that was started 10 years ago by a childhood friend, Jason Lidow.

The company has spent much of its life as an IT consultancy targeting small and mid sized enterprises in all the veriticals you’d expect: retail, finance, education, legal, manufacturing, insurance, etc. So what does a security rock star like Marc bring to the table? According to the two friends, Marc will serve as director of professional and managed services and will be charged with helping expand DigiTrust’s core services such as infrastructure assessment, configuration reviews, Web application assessments and the like. Marc also wants to expand DigiTrust’s managed security business — helping companies deploy, manage and use products from other vendors and, of course, forging relationships with those tech partners (and, yes, eEye is likely to be on the list).

As Jason and Marc see it (and we agree), SMBs are an underserved lot when it comes to the security services business. But with their limited resources and tiny IT staff, they’re among the most needy of high quality IT security services. Organized online crime groups have already figured out that a small business making $20m in revenues a year has steal-able assets that are just as valuable as what they’ll get from the big banks and financial services companies, but far fewer resources to protect them. DigiTrust plans to develop a more-or-less standard set of “best of breed” products — both at the perimeter and on the endpoint — that it works with and standardize across its customer base.

Obviously, Marc and Jason aren’t the first guys to think of this. In fact, there is a slew of competition out there, from giants like AT&T and Verizon Business, to consumer outfits like BestBuy, which bought IT service provider Speakeasy last year, to small, one and two person consultancies that manage a handful of clients. SaaS vendors, from Microsoft and Google on down, are also reaching out to SMB’s with security services like e-mail and Web security, data archiving and the like hosted in the Internet cloud. They’re competitors too. It’s not clear what advantages — in resources or technology — DigiTrust has at this point, but it did pick up a very smart security mind in Maiffret — and someone with contacts who can be a public face for the company and, perhaps, open doors.

Maiffret said he’s not going to be tilting at those windmills anytime soon, just trying to be the best IT security services company for SMBs in southern California, then the best on the West Coast, and then go from there. That sounds a lot more modest than the plans for world dominance that folks at eEye used to regale us journalists with — but it also may be a plan that has legs. Time will tell.

McAfee is hardly the only company to realize that their future lies in cloud-based threat intelligence services. Trend Micro was an early advocate of cloud based intelligence. In August, Spanish antimalware firm Panda Labs announced updates to its products that include a feature Panda has dubbed “Collective Intelligence.” The feature can be used to instantly scan emails and shared programs from the Internet cloud, sending information back to Panda about new malware. With the collected data from all users Panda can determine new malware techniques and distribution points.

And, as the Network World article points out, F-Secure is planning similar features for the next version of its endpoint security products.

As we’ve noted, the trend towards tighter integration between cloud based threat intelligence services in the anti malware industry is nothing new. That said, it’s still a tectonic shift within the industry, which has struggled for years to find a better way to block zero day attacks and fast-morphing viruses and worms. In April, for example, we noted the friction caused by antimalware testing organization Virus Bulletin, which panned products from leading vendors based on a number of highly suspect criteria — for example, VB still takes accuracy in matching a random selection of malware from the Wild List as its primary benchmark, while giving less weight to non-signature based detections.

Trend Micro has notably removed its products from evaluation by VB since then, saying that the evaluation criteria haven’t adapted to a new world in which desktop based and cloud based intelligence services interact to provide protections. As an example, Trend noted that the VB testers refuse to allow products to have access to the Internet during tests, hamstringing newer detection models.

In response, VB defended its approach, saying that the Wild List itself is being overhauled, and that its working on ways to make its tests more reflective of what’s “hitting people in the real world.” The organization defended its “No Internet Connection” policy saying that the policy is not an oversight, but something that is done to ensure fairness in its tests. “If the test systems were connected to the web, we could not ensure a level playing field,” wrote John Hawes of VB. “Even if we had the resources to run all the tests at once, this would give an advantage to slower products, which would have more time to add in updates before they completed scanning sample sets…”

That’s true enough, but one has to wonder how useful any standard rating system can be, given the helter skelter nature of change within the industry!

Paul Roberts and Lauren Eckenroth, The 451 Group

Zscaler just came out of stealth mode last month to announce the availbility of its in-the-cloud web application filtering and monitoring product. The company was founded by Jay Chaundhry of CipherTrust and, later, AirDefense. Chaundhry invested an undisclosed sum as start-up capital. Zscaler currently has 45 employees and claims 15 customers, notably The Weather Channel, though it is unclear whether those are paying customers, beta customers or what.

zScaler said it has been a work on its platform for the last 18 months and sports a team of hardware developers poached from Citrix’s netScaler team, Microsoft, Google, Yahoo and others. Its multi-tenanted, SaaS based Web scanning platform can support up to 250,000 transactions per second, the company claims.

In addition to standard Web threat detection fare like antivirus scanning and URL filtering, phishing and botnet detection, zScaler claims to offer traffic management (say “view but not upload” when on YouTube.com”) , analysis and compliance and traffic analysis. Basic Web content filtering is being cast at data leak protection (zScaler’s not alone in this) and an analysis engine allows customers to replay attacks, etc. Sounds good — though we haven’t yet spoken to anyone who’s actually using this product.

In a statement, zScaler’s Chaudhry said she “has quite a track record of excellent leadership as well as a valuable background as an entrepreneurial mentor…She is well-known for her strong strategic insights and business acumen and we greatly look forward to working with her.”

As we noted, zScaler is eerily similar to another SaaS-based Web security startup: purewire, which unveiled its flagship service on the same day zScaler announced its own. Like zScaler, Purewire sports an all star board member — Tom Noonan of IBM/ISS.

– Paul Roberts and Lauren Eckenroth, The 451 Group Enterprise Security Practice

Among the key problems I think IQT is now looking at is the oft-lamented fact that the US has no cogent strategy to deal with cyberwarfare, no leadership on the issue (in fact the issues surrounding this are so complex it’s hard to find anything people don’t want to talk about more. Simultaneously, political winds are blowing funds in the form of budget dollars from many places (including my wallet) towards the white tower that is the Office of the Director of National Intelligence.

It is said that the CIA under George Tenet somehow recognized that private industry was surpassing government talent in the field of technological innovation. Is it possible that the CIA was prescient enough to recognize over the past few years that its budgetary influence was waning and that to re-increase its stature in the intelligence community it would need to get really geeky about cyber-warfare and get itself some really cool kit? The CIA? Prescient? It’s become so hip to make the CIA the butt of jokes recently that people forget just how much seriously cool stuff it has done (this is a technological, not a political, discussion).

In his 2002 review of The Bourne Identity, the New York Times’ A.O. Scott wrote that,

The movie … trots out a quaint view of the C.I.A. as not only bottomlessly malevolent, but also endlessly and terrifyingly competent.Shortly after they see Marie’s image on a security camera satellite feed, the folks at Langley are in possession of her entire life history, and they are able to track her movements across Europe with a few clicks of the mouse. This is inadvertently hilarious in light of recent news reports. If Marie had only thought to disguise herself as an international terrorist, she might never have attracted the agency’s notice in the first place.

Well, IQT itself has been a monster success. Its investments are absolutely classic examples of how to do it right: tons of due diligence, heaps of knowledgeable people asking sensible questions about the technology, the leadership of the innovative company-prospect. That they don’t make large investments (generally they’re capped at $3m) or take an equity position is a question of taste, or style, or, you know, propaganda value. But the investments are made in the form of, essentially, non-recurring engineering fees to make something wicked-cool out of something more pedestrian, and come complete with a promise to buy a bunch of it if it works out right.

But back to cyberwarfare.

If our current policies and the reality of the US’ digital security stance is any indication, policy makers would rather read tax code than infosec material - hell, even I’m reading a book on tax code, and I think this security stuff is a gas. You take a look at something like H. R. 130, the Smarter Funding for All of America’s Homeland Security Act of 2007), whose dense prose mentions the word ‘cyber’ a total of once, and you wonder. I digress.).

We wrote in this blog back in April about Aaron Turner & Michael Assante’s excellent article in CSO Magazine, in which they compare and contrast the response in the 18th century by the United States to pirates on the high seas with today’s federal response to Internet crime. (read Turner’s prescient testimony to the House Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity, Science and technology here).

In that blog post we also mentioned that, back in 2004 MIT Technology Review published a terrific piece by Eric Hellweg, Cyber Security’s Cassandra Syndrome which discussed the stalled and possibly addle-headed Bush administration approach to the problem of leadership of the effort to protect the nation’s computing infrastructure.

The problem, Hellweg argued, was that you couldn’t get the right people to do the job of protecting the nation’s critical infrastructure (which is basically our government’s ability to use computers and the Internet) because, well, it’s impossible. You can’t get anyone to take all the responsibility while having none of the authority to do what’s necessary. The fact of the matter is that it’s not defense against being attacked, it’s long since devolved to the point that our government should be asking itself, to paraphrase Ed Harris playing Gene Kranz in Apollo 13, ‘Whadda we got in this country’s critical infrastructure that’s good?’

More specifically, how badly are we already owned by foreign nation-states and commercial entities, and how can we look at ways to fix that? Then we can start talking about ways to have ‘Smarter Funding for All of America’s Homeland Security’.

So… IQT as savior? Are Darby and Geer (who raised some fascinating and common sense points on security metrics in his testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last year) and the infosec team at IQT the stand-in Cyber tsars by forfeit? Well, there’s an argument for it. Geer (and Assante, by the way) sits on the The Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, which is working to develop recommendations for a comprehensive strategy to improve cybersecurity in federal systems and in critical infrastructure. So do a lot of other really smart people. But as several of them have admitted, the danger is that the need to reach high level consensus will lead to watered-down pablum despite the best intentions of a truly smart group of people. It’s Washington. It’s almost inevitable. Don’t get me wrong: some great ideas will come out of the CSIS deliberations. Our biggest fear is that politics will pare down the final recommendations to be on par with ‘Don’t-click-on-attachments, wear-mittens, study-hard‘-caliber advice.

A look at the political climate in Washington, especially that surrounding the intelligence community, shows that the winds are being shifted by a Bush administration miffed at…Well, who knows.

The unclassified Annual Threat Assessment of the Director of National Intelligence from this past February had this to say about Cyber warfare:

The US information infrastructure—including telecommunications and computer networks and systems, and the data that reside on them—is critical to virtually every aspect of modern life. Therefore, threats to our IT infrastructure are an important focus of the Intelligence Community. As government, private sector, and personal activities continue to move to networked operations, as our digital systems add ever more capabilities, as wireless systems become even more ubiquitous, and as the design, manufacture, and service of information technology has moved overseas, our vulnerabilities will continue to grow.

In an Op-Ed piece in The Wall St Journal this past April by DNI Mike McConnell and House Intelligence Committee sub-committee chair Anna G. Eshoo, they talked about responsible domestic surveillance:

If we are going to ask our intelligence agencies to help defend our country, we need to carefully construct policies that give them access to this information when necessary, and protect the rights of Americans. The National Security Agency, for example, is governed by strict rules that protect the information of U.S. citizens. It must apply protections to all of its foreign surveillance activities, regardless of the source. As we add new authorities and programs to secure our country, we must ensure appropriate safeguards and protections to secure our liberties. We must maintain the balance between safety and freedom.

And then pooh-poohed technology…

Too often, our country has invested in dazzling new technology as the solution to our intelligence woes. Technology is vitally important. But a computer is only as good as the person who programs it. No piece of technology can substitute human judgment. A computer – even one that costs millions – cannot recruit a spy.

Meanwhile, Joe Lieberman (IND-CT) and Susan Collins (R-ME) are asking good questions that are worth reading. If you’re up for it, answers to those questions are in a letter that highlights the marvels of redaction.

We, like you, can only speculate about what the CIA will do with Veracode’s technology, but I would be willing to bet it has something to do with finding weaknesses in code. Which is quite useful stuff, if it works. I bet there’s more where it came from, and I bet IQT will be and is looking at other infosec investments.

And with regards to Cyber warfare, we would say that, at the very least, IQT and its staffers are raising the level of discourse about the problems faced by the US - or at least by the CIA.

Many people sort of wink knowingly when they hear about IQT, but don’t really have a sense of what the thing does, or in fact, its successes to date. The interesting thing, which we will go into in a bit, is that for the most part, IQT - which sounds really spooky and security-ish, has invested in hugely successful companies that could not be less directly related to information security. Like OpGen, which does single molecule DNA analysis technology to identify and analyze microorganisms. The closest it gets to something like IPS is, well, IPS, or Infinite Power Solutions, which makes thin-film energy storage devices for micro-electronics. It’s not like it’s a bunch of guys dressed like Lefty skulking around corridors in Silicon Valley saying, “Psssst! Hey Bud…Wanna take some NRE money?”

IQT exists to determine an answer the question, ‘Is it possible to solve [problem set here]?’. If the answer is, ‘yes’, IQT’s job is to identify fiscally viable, practically capable, innovative private organizations which might be able to solve the problem at hand. By providing availability to these technologies, often by re-purposing existing ones to accomplish things outside thre scope of their original design, IQT will increase the capabilities of its main customer, the CIA.

So going out on a long, unsupported limb, we think that the Veracode investment is the first in what will be a string of more traditional infosec investments, especially in the areas of digital identity and access control technologies addressing the concepts of digital persona. And we think that this is being driven in part by a several-years’ long political climate change that has led money and influence away from the CIA. More on that tomorrow.

By the way, IQT has not spoken to me about this issue other than typically flacky guff about the Veracode investment, to wit:

“… We have relatively recently expanded our internal organization in terms of the technology practice, derived from the specific problems we see; we spend lots of time examining not just the technical capabilities but the company itself. Our selection of Veracode speaks for itself; as a strategic investment firm it’s there to meet a strategy.” Blah, blah, blah [blah, blah, blah added].

IQT is, intriguingly, a 501(c)(3) not-for-profit organization, meaning, I suppose, that donations to it are tax deductible. I’ll try to donate fifty bucks and blog about how that works out, and what kind of newsletter I get for it.

Its activities are unclassified, and the company only deals with open source (in the spook sense, not the licensing sense) stuff.

There are some fascinating documents available on the CIA’s website about IQT’s history and on IQT’s website about the organization and how it has been operated, especially including a report excoriating the hand-wringing at the CIA as it tried to get past its, ‘Private sector? Pah! We made CORONA! We can read the gender of a newt from nine miles in space!’ attitude.

In the past, this has often not been a case of information security in a standard sense of the phrase. Still, the perception of IQT as a ’security’ investor remains. When the investment in Veracode was announced, many felt that it was par for the course - code analysis, security, CIA….All goes hand in hand.

Except that for most of its nearly ten year history, IQT has been anything but an investor in information security companies. Sure, since its inception it’s made investments in lots of things that seem cloak and dagger. Keyhole, the satellite imagery and 3-D Earth visualization company, was an early investment (in 2003 my accountant, reviewing my expenses, saw a credit card charge to ‘Keyhole’ and asked me if I was trying to write off a visit to a strip club); it ended up becoming Google Earth. Many other investments are in areas like zoom lens development, chemical analysis tools, entity extraction and semantic analysis stuff. An analysis of the investments that the, uh, firm, has made since its inception under the George Tenet-led CIA of 1998 shows that most of the investments are of the build-a-cooler-mousetrap variety for things that seem decidedly bookish.

Of its 76 investments, IQT has made ten in what I would consider to be classic infosec investments. The other 66 investments have been spread across IQT’s other practice areas: Application Software and Analytics, Bio, Nano, and Chemical Technologies, Communications and Infrastructure and Embedded Systems and Power.

In-Q-Tel’s Digital Identity and Security group invests and seeks technologies in the truly hot if not downright sexy areas of identity management and access control as well as risk analysis capabilities, system design and analysis tools and policy definition and management. The investments have been:

• 3VR Security (wicked-cool video facial recognition, like, ‘Show me where this guy has been on every camera you have’ kind of recognition - you have to watch the demo);
• A4Vision (facial biometric and camera tracking systems technology acquired in January 2007 by BioScrypt, which itself was acquired in January, 2008 for $44.3m by L-1 Identity Solutions, Inc;
• ArcSight (the enterprise security information management vendor which has since, of course, gone public and whose stock has recently recovered from elephant-tranquilizer-territory);
• PKI and ID infrastructure vendor CoreStreet;
• Encryption vendor Decru (bought by Network Appliance, Inc for $272.1m in June, 2005);
• Master data management vendor Initiate Systems (whose $26m series F round takes total funding to about $61m);
• Awesome-cool ‘where’s-that-RF-device?’ vendor Network Chemistry, which sold its security assets to Aruba in July 2007 and got waaaay pissed off with us when we priced that deal at $3m;
• SRD Software (if you thought RSA’s Verid is spooky you should talk to these guys; it was acquired in January, 2005 by IBM for $69m);
• and, of course, Veracode.

But the Veracode investment is interesting. The core technology of Veracode’s on-demand service was developed in 2002 at @stake, the pen testing and assessment firm acquired for $49m by Symantec in April, 2004. Want to know what’s also interesting? IQT President and CEO Chris Darby was Chairman and CEO of @stake. And the Veracode investment comes three months after the appointment by IQT of Dan Geer as its Chief Information Security Officer.

Now, Geer is a plain-spoken star in the security world. He was CTO at @stake (and a gazillion banks) before a much celebrated and reviled paper declaring that Microsoft was a national security threat hastened his departure; to quote another former @Staker, ‘It’s hard not to suck deep, deep down when you are Microsoft Windows’). Geer has also worked at Verdasys and on a host of other projects and organizations (more on him and some of those other projects tomorrow).

Based on what I know of IQT and of Geer (I’ve never met Darby but I think Geer is a truly honorable guy), I don’t believe that there is much connection that Geer is on the board of Veracode and the IQT investment in Veracode. We understand that IQT has actual conflict-of-interest firewalls that are taken seriously by the firm, so we don’t believe Geer would have been involved in the investment decision on the IQT side). I am much more willing to believe, based on IQT’s investment history and the people involved that these guys simply knew that the stuff was out there to meet the specific requirements that were presented, and that Darby and Geer would naturally have said, ‘Oh yeah, that stuff - you wanna talk to the guys at Veracode.’ As I said, maybe I am being a sucker, but I think not.

For Veracode, the cachet of the investment is PR no one can buy, and the cache of having sold stuff to the CIA will be on its own enough to open doors at other government agencies (especially, one would assume, the three-letter kind). And for reasons I will get into tomorrow, I think that the statement I made earlier - that it is the first in what will prove to be a series of straight-up infosec and ID and Access management-related investments - will prove true.

The presentation, by MIT student’s Zack Anderson, RJ Ryan and Alessandro Chiesa (who are under the tutelage of crypto-legend Ron Rivest, no less), is scheduled as part of the annual Defcon hacking conference at the Riviera Hotel and Casino in Las Vegas. According to the Defcon Conference guide, the students will show “how we reverse engineered the data on magstripe card” and “present several attacks to completely break the CharlieCard, the MIFARE Classic smartcard used in many subways around the world.” The talk includes discussions of brute force attacks using field programmable gate arrays and software tools to read the cards RFID data, WiFi hacks and, of course, social engineering attacks on T employees (who have already shown a lackadaisical attitude to other kinds of crime fighting).

As the Lynn and IOActive/HID controversies have already shown, getting lawyers involved and filing injunctions is exactly the WRONG approach to take, should your black box security system come under attack. The controversy that the legal wrangling between DEFCON and the T will provoke will do far more to ensure that the students’ presentation gets spread far and wide within the hacking community than would a sleepy presentation on the last day of Defcon. Companies need to practice a kind of PR Jiu-Jitsu with blow ups like this — playing it cool, being respectful to the researcher, hacker community, then working like hell with the vendor to get things fixed behind the scenes.

The brewing controversy also casts a bright light, yet again, on the continued reliance of major corporations (HID, Diebold) and public agencies on the thoroughly discredited notion of security through obscurity — you know, the idea that “our stuff is secure because nobody knows how it works.” Fare token systems, RFID-based purchasing systems, door access products and the like would be a lot more secure if they actually built secure systems and methodologies for conducting transactions via RFID, etc. then opened up their inner workings to review by the likes of Zach, RJ and Alessandro to poke around.

While I won’t try to rehash the entirety of his presentation, there are a couple take away points that are worth repeating for the Plausible Deniability crowd. In general, Chris stuck a big, sharp pin into the hype bubble that surrounds virtualization technology and security. Like others before him, Chris pointed out that the virtualization and security issue is actually three different issues, that don’t necessarily overlap: there’s the Joanna Rutkowska stuff concerning the use of virtualization as an aide to malware writers -subverting the hypervisor, etc. etc. Cool stuff, but in Chris’s thinking, more proof of concept than pressing concern.

Then there’s virtualization as a tool in the enterprise IT toolbelt — consider the use of virtual switches as tool for quarantine or network isolation. Finally, there the adoption of virtualization by security vendors (security virtualization) — a totally different trend that concerns the migration of traditional enterprise security products (firewall, IDS/IPS, and so on) and which Hoff expects will soon lead to a “gold rush” phenomenon, as vendors of all stripes look to sex up their offerings moving them from hardware appliances to UTM-like virtual appliances. Beware: Hoff sees a lot of magical thinking on the part of vendors, who want us to believe that their software-based virtual appliances will somehow be able to scale in the same way as their hardware appliances, while still competing for processor time and resources with all the other software running on their box. Before plunking down $$ on a virtual appliance, be sure to dig in on the high availability and load balancing capabilities of the thing and make sure that you’re getting 1:1 with what the physical appliance offers. If Hoff is right — you probably aren’t.

Of course, with all the hype that surrounds virtualization technology in the enterprise (and our Cloud Cover blog is a great tool for cutting through that hype), most enterprise IT security folks haven’t had the time to weigh these issues or figure out what their strategy for dealing with the security of virtual environments is…let alone how virtualization might help them with existing security problems.

As I see it, some of the magical thinking about virtualized security appliances will come out in the wash, as companies begin to realize that soft virtual appliances aren’t really stand ins for the hardened and optimized boxes they have loaded in their racks. But Hoff is right to say that better management and monitoring tools for virtualized environments are high on the “got to have” list for enterprises. One possibility he sees is for access control for virtualization — basically tools that will profile and qualify VMs offline before they’re allowed to gain access to the network — verifying that they are properly configured with the standard endpoint security products, that they’re not compromised in any way and that they’re configured in such a way as to not impact the overall performance on other virtual or actual hosts on the network, and so on. That sounds pretty close to the standard NAC line about endpoint “posture assessment,” but is a use case that enterprises might soon be hungry for.

We know of at least one traditional NAC vendor who’s looking seriously at this possibility though others have expressed skepticism that the market is really ready or interested in what Hoff is talking about.