
Metaspoiler: Rapid7’s acquisition raises stakes for VA, pen test players

Posted by Paul Roberts on October 21st, 2009 under M&A, Penetration Testing, vulnerability scanning.

The acquisition of open source technology projects by closed source, for-profit ISVs almost always meets with opposition in some form. Usually, the expressed concern is that for-profit owners will throw walls up around the most valuable parts of the code or steal away resources to work on commercial projects, leaving the open source bits to die of neglect. In some cases, these concerns are justified. Often, though, they’re of the knee-jerk variety: the kind of thing you hear when a favorite independent band gets signed to a major record label.

So it goes with the announcement on Tuesday that vulnerability research firm Rapid7 is acquiring Metasploit, the entity behind H.D. Moore’s Metasploit Project. The deal adds Metasploit’s database of software exploits to Rapid7’s NeXpose platform, allowing better risk rating of vulnerabilities based on their exploitability. For Metasploit, Rapid7 provides stable corporate backing and a reliable source of funding for continued research and platform development. Moore has run Metasploit as a limited liability company that owned the copyrights to the development code, trademarks and domain names since 2006, and has shifted it from a hybrid proprietary license to an open source three-clause BSD license. To listen to Mr. Moore (and there’s a nice Risky Business podcast interview with him here), the short-term consequence of this deal will be more, better exploits and platform updates for Metasploit as he takes off the handcuffs imposed by his previous, non-aligned corporate gig (application testing firm BreakingPoint Systems) and enjoys the luxury of getting paid to do what he’s been doing for free for the last six years.

As my former colleague, the ever-insightful Nick Selby, has pointed out, the key objectives for a corporate-backed Metasploit will be more even and predictable product development, more (and safer) exploits and that ill-defined “enterprise polish” (most likely in the form of a premium version of Metasploit). But Rapid7 will face other challenges, too. While Moore’s white hat bona fides aren’t in question, Metasploit straddles the line between professional pen testing tool and force multiplier for script kiddies. So it’s no stretch to say that there’s some reputation risk here for Rapid7 - especially as it balances the desire to pull in Metasploit contributors with the need to expand in lucrative, but testy verticals like government and finance.

But with enterprises of all stripes increasingly interested in risk-based assessments and correlated threat intelligence, the bigger question is what the union of pen testing and vulnerability management – “vulnerability plus exploitability” – will mean for competitors in each of those spaces. Vulnerability scanning outfits like nCircle, Sourcefire, Tenable and Qualys (not to mention IBM and McAfee) will feel pressure to provide more context around exploitability to match what NeXpose plus Metasploit offer. In the much smaller world of penetration testing, home to firms like Core Security and Immunity, Rapid7’s backing will ramp up activity on the Metasploit platform, as H.D. and crew focus their full attention on what has been a side project. In the short term, that won’t pose too much risk to either camp. Both vendors have relationships with vulnerability management players: Immunity with Tenable, and Core with nearly every scanner you could possibly deploy. (Core’s Technology Partners page reveals just about every competitor Rapid7 could think of: Tenable, Qualys, nCircle, GFI, IBM ISS and eEye.) Eventually, a premium version of Metasploit could land right in the sweet spot between Core and Immunity: balancing usability and platform coverage with quality exploits and enterprise must-haves like stability and support. It won’t be free anymore, but it probably won’t take too big a bite, either.

The question mark is whether Rapid7 can walk the fine line between profit-minded ISV and open source sugar daddy. As others have pointed out, Sourcefire has managed to pull this off admirably over the years, while firms like Tenable get lower marks. We’re ready to believe H.D. and Rapid7’s protestations about the importance of keeping Metasploit open source and their pledges to continue supporting the platform and the community of exploit researchers and users that sustain it. That said, Rapid7 has earned a reputation as a hard-charging, take-no-prisoners kind of company. It’s hard to reconcile that with the high-minded, altruistic ideals of H.D. and other Metasploit contributors (“Free code is happy code,” Egypt wrote in a blog post announcing his new role at Rapid7). But who knows. Maybe, in this case, the tail will wag the dog.

Lauren Eckenroth, Research Associate at The 451 Group, contributed to this post.

Barracuda swallows Purewire - more momentum for hosted Web security

Posted by Paul Roberts on October 13th, 2009 under M&A, SaaS, Web threat detection, anti malware.

Today brought yet more evidence (as if you needed it) that the hosted Web security space is hot! hot! hot! The latest proof: Barracuda’s cash and stock purchase of Atlanta-based hosted Web security startup Purewire. The deal will put the company behind everyone’s favorite security pizza box, Barracuda, in possession of a highly available, multitenanted content-scanning service built from the ground up for hosted deployments. Like near competitors ScanSafe and zScaler, Purewire’s scanning service uses a network of colocated hosting centers to vet inbound and outbound Web traffic. In the cloud, Purewire uses its own reputation intelligence, “Purewire Trust,” and a cocktail of third-party URL and threat signature databases to vet Web traffic for malicious content before forwarding it to the customer’s server.

Barracuda’s rationale for this deal is straightforward enough: customers from SME on up are interested in new deployment options for their security wares, including managed and hosted security services. This is the same logic behind Symantec’s purchase of MessageLabs, McAfee’s of MXLogic - even the less noted purchase of Borderware by Watchguard. Web and e-mail offerings are of particular interest, and Barracuda says it’s been evolving its entire product catalog in the direction of SaaS – whatever that means. Buying Purewire is about time to market and about scooping up Purewire’s SaaS engineering talent pool to quickly expand its offerings to include SaaS and hybrid offerings that complement its on-premises offerings – including a “next generation” firewall, VPN and Web security offering built around technology acquired with Austrian vendor phion in August.

From the Purewire side, we’re betting that the mostly bootstrapped company saw an early takeout by Barracuda (or another suitor) as a preferable alternative to battling on in an increasingly crowded hosted Web security space. We heard less from competing secure Web gateway vendors about Purewire than about zScaler. That’s not a problem in and of itself - Purewire was working the MSSP channel, and the market for hosted Web security for SME and enterprise is big enough and new enough that bake-offs are the exception rather than the rule. Bottom line: Purewire was in a hot space and had a top-notch technical team, led by CTO and co-founder Paul Judge. It also had the benefit of an amazing marketing and PR operation (led by the lovely MaryCatherine Bassett Peterman) to promote its name and technology and turn every whiff of success into a gale-force wind. Purewire had fewer than 200 customers, but still found its executives quoted in The Washington Post, The Economist, Forbes and USA Today - not to mention all the trade press. Not too shabby. Still, for Purewire, the cost of taking on more venture funding to scale its hosted operations and compete against the likes of Symantec and McAfee – not to mention Google and Microsoft down the road – must have been daunting. Purewire’s people calculated (correctly, in our opinion) that a solid exit with Barracuda was the best option.

Frankly, we were surprised to see Purewire fall to a company that already has strong roots in the SME market. We always felt that Purewire would have been a good fit for a larger vendor like Blue Coat, one that lacked a SaaS story and was looking to expand down market. That didn’t happen. The question now is: who will be next to fall? It’s no secret that zScaler is being courted, and we’ve postulated that none less than Cisco might be among the potential suitors. ScanSafe was the granddaddy of hosted Web scanning firms (it prefers to be called a “pioneer”) – though being the granddaddy of anything is a strike against you in a market like this. That company’s been doing well with some of its managed security partners (like AT&T), but we’ve been waiting for the other shoe to drop with ScanSafe for ages. It’s been almost a year since a $22m VC infusion buoyed Web security veteran Finjan to go after the hosted Web security market. That company tells us it’s executing on its plan of offering a mix of on-premises, hybrid on-premises/hosted offerings and pure SaaS-based Web security leveraging Amazon’s EC2.

Security risk: the device formerly known as your hard drive

Posted by Paul Roberts on October 6th, 2009 under Breaches, Data Protection.

In a weird kind of synchronicity, two stories in the last week have raised the specter of discarded (not merely misplaced) hard drives as the source of considerable consternation and legal wrangling. In the most serious incident, the Inspector General of the National Archives and Records Administration (NARA) launched an investigation into a potential data breach that could expose the personal information and health records of up to 70 million veterans. The issue that exposed the information began with a broken hard drive, one that had been part of a RAID (redundant array of independent disks) system of drives on which data was stored from an Oracle database with the Social Security numbers and health records of 76 million veterans, dating back to 1972. The database powered the system eVetRecs, a portal used by veterans to access health records and discharge papers. The drive in question failed in November 2008 and was sent back to the contractor from which NARA had bought the drive. When the contractor determined the drive couldn’t be fixed, it was sent on to another firm for recycling. The problem here is that the unencrypted drive was sent away before the information on it was properly erased. Hank Bellomy, a NARA IT manager, reported the potential breach to NARA’s inspector general after trying to subvert the agency’s recycling policy by hiding the broken drive in his safe. Bellomy has since been put on long-term leave.

While no security policies were broken at the time, NARA has since changed its recycling policy and will no longer return drives once they are deemed defective. Still, one has to wonder at the careless disposal of personal information by the agency responsible for our records, especially since the security risk posed by discarded drives is no new revelation. Researchers have been warning about it for years. Technologist Simson Garfinkel famously exposed the problem of careless data loss through discarded drives in an article for IEEE Security & Privacy back in 2003. Garfinkel’s article documented inadvertent loss through discarded PCs going back as far as 1997. Since then, countless reporters have repeated his experiment: trolling eBay or local transfer stations for discarded PCs, only to take them home, plug them in and find tax returns, medical records, family photos and other sensitive information cast to the (virtual) winds. In fact, the most recent IG’s report wasn’t the first time NARA has mishandled its electronic records; in March 2009 a hard drive containing copies of records from the Executive Office of the President covering the Clinton administration went missing. Both incidents call to mind the breach in 2006 when a Veterans Affairs laptop went missing, exposing some 26 million veterans’ personal information. The laptop was later recovered, with the personal information intact. A lawsuit over the breach was settled earlier this year for $20m.

The other data point, for those of us in the Boston area, is an ongoing drama at City Hall over the loss of some potentially “hot” e-mail messages from an advisor to Mayor Thomas Menino (who, by the way, is in the midst of a re-election campaign). As the Boston Globe reported today, a hard drive belonging to mayoral aide Michael J. Kineavy has been recovered that may contain months of e-mail exchanges requested in a freedom of information request filed by the Globe. The drive had been replaced by IT staff at City Hall after Kineavy complained the drive was running slowly – a request made just days after receiving the Globe’s FOIA request. (Shocker.) Not only was the City’s handling of that request botched, but the article goes on to state that Kineavy’s replacement laptop had, itself, been repurposed from a “law department employee” and still contained e-mails from that individual, which then showed up in an outside forensic audit by a firm hired by the City. Boston could get stuck with hundreds of thousands of dollars in bills for a forensic search to recover Kineavy’s lost e-mail (he was a habitual “double deleter,” we learn), but the Mayor’s Office and City of Boston will still emerge from this smelling pretty bad, even if the sensitive information is recovered.

Long and short: three years after the VA controversy blew up, there’s still a vast gulf between popular awareness of data breach and the practical reality of managing IT infrastructure, with even closely scrutinized organizations playing fast and loose with data security and proper data destruction policies.

[Lauren Eckenroth, Research Associate at The 451 Group, contributed to this blog post.]

Freegan-ism: how free product might upset the anti malware space

Posted by Paul Roberts on August 31st, 2009 under Uncategorized.

Mac addicts running out to the store for their fix of Snow Leopard, the latest version of the Mac OS X operating system, will get more than just a snazzier UI and improved performance. The company, which has marketed its operating systems’ security as a major selling point, has bundled anti malware features with its latest release. The malware removal features weren’t exactly a marquee feature and don’t really qualify as “anti virus”; Snow Leopard appears to have added the names of two new Trojans to a list of verboten software. No wonder the company only verified its existence after reviewers noticed some of the file quarantining features in action on an early release. Symantec and McAfee executives: file this under “ignore.”

But across the universe in the Windows galaxy, free antivirus isn’t such a weird idea these days. In fact, enough vendors are now offering the stuff that PC World has conducted a free AV roundup, tantalizingly titled “Can you trust free anti virus?”, that looks at six of the freeware offerings, including those by AVG (formerly Grisoft), Alwil, Comodo and, of course, Microsoft’s forthcoming Microsoft Security Essentials (MSE). (And that’s not even all that’s out there.) The short answer is “yes, you can.” As an enterprise-focused research firm, free software suites for consumers aren’t really something that we typically pay a lot of attention to. But we think there’s something to the proliferation of free anti malware products in recent years that warrants attention even from enterprise-focused vendors. In a new report, “Freegan revolution: will free products upset the anti-malware game?” we take a look at the free anti malware trend and speculate on the impact it might have on incumbent anti malware vendors, including Symantec and McAfee. While it’s not clear what, if any, impact free anti malware offerings have had to date, we think there’s certainly the potential for “freeganism” to upset the balance of the anti malware market in significant ways. Here are a few thoughts to consider:

+ Free offerings, which have mostly been limited to small, regional firms like AVG, Alwil and Avira, are becoming mainstream. Microsoft’s upcoming offering, currently available in beta, is the best example of this. It’s received wholly positive reviews in beta (and from subject experts we consulted), will play nice with Windows, abjures gimmicks like toolbars or pop-ups that other freeware vendors use to capture revenue and carries the sterling Microsoft brand name.

+ Free antimalware is set to jump the fence from the consumer to the SME space. AVG tells us it is readying a free antimalware package for very small business (fewer than 10 systems) that will include some bare bones management features. Don’t be surprised if other vendors follow suit as they eye free-to-premium conversions in the SME space.

+ Consumer sales of both Symantec and McAfee have chipped in 30% (Symantec) to 40% (McAfee) of revenue for the past few years, despite concerted efforts by both companies to reduce their reliance on sales to consumers. Declining margins in the enterprise and SMB markets were a hot topic on Symantec’s most recent analyst call. If ‘good enough’ free anti-malware starts to gain mindshare (and marketshare) with consumers and small business owners, Symantec, McAfee, Trend and others will need to find new hooks or resign themselves to smaller margins. Declining sales in the profitable consumer space will also concentrate pressure on sales to enterprises, where incumbent vendors also face new threats.

+ The advent of hosted anti malware, such as Spanish AV vendor Panda Software’s new free Cloud Antivirus, is also a trend to watch, with thin clients offering fast download and install times and reduced load that seem well suited to both consumers and SMEs looking for good-enough anti-malware protection, either in the form of free or pared-down products.

In short: the proliferation of free anti-malware products and Microsoft’s embrace of the model suggest that a sea change is under way in which basic protection in some form is an entitlement rather than a privilege. Incumbent security vendors have, to date, made little of the threat from free products. Their talking points are, basically, that consumers want to pay for the added threat protection and for support. That’s been true enough to date, but may not be something that premium vendors can go to the bank on in the future. What will be interesting is watching how incumbent security vendors respond. Will they roll out their own, stripped-down free offerings for consumers or the low end of the SME market, or will vendors find ways to sink their hooks deeper into customers in this part of the market - perhaps with online backup options or other features?

UTM-a-palooza! Fortinet IPO, Barracuda sets sight on Phion

Posted by Paul Roberts on August 11th, 2009 under M&A, Malware, Publicly Traded Security Vendors, UTM, Uncategorized, Web threat detection.

Unified threat management vendor Fortinet filed its Form S-1 with the Securities and Exchange Commission this Monday. The Sunnyvale, California-based company has been headed in this direction since at least September 2007, when public market veteran Ken Goldman was brought on as CFO. Since then Fortinet has bided its time, acquiring the assets of database activity monitoring vendor IPLocks and D.C.-based vulnerability management firm Secure Elements. The privately held company has also been opening its kimono a bit more: releasing yearly and quarterly updates on revenues and earnings, etc. While the details of Fortinet’s IPO aren’t hammered out at this point, expect this to be a big one.

According to its S-1, Fortinet’s revenue as of June 28, 2009 was $115m, up from $98.3m for the same six month period in 2008. Net income is reported at $8.4m, or -$0.04 per share, compared to a loss of $5m (-$0.26 per share) after the first half of 2008. Cash and equivalents total $136m, an increase from $104.8m at H108.

Could this mark the rebirth of the tech IPO market? LogMeIn completed its IPO in June 2009, 17 months after filing its S-1 with the SEC. Security information and event management vendor Arcsight remains the last security vendor to go public, listing on the Nasdaq as ARST in February 2008. Before Arcsight came Sourcefire (FIRE) in March 2007. Both firms are holding their own: ARST is trading just below its all time high of more than $20 set in mid July. FIRE traded as low as $5 in November, 2008 but is now trading above $18, topping the previous peak price set shortly after the IPO.

We’re still waiting to see who else will jump in the game. In our 2008 IPO roundup we identified Lumension, Sophos, Fortinet (we love being right), Kaspersky, and Barracuda as potential vendors ready for an IPO exit. Fortinet’s S-1 underscores the strength of the market for UTM (unified threat management) devices, which we wrote about in our recent report, ROBO Cops, on remote and branch office security.

Take Barracuda, as an example. The firm is muscling forward after a bid for Austrian web application security vendor Phion (listed on the Borse as PHIO) in July 2009. The bid for Phion is Barracuda’s second attempt at an acquisition of a public company (following its two unsuccessful bids for Sourcefire in May and June 2008). Barracuda offered €12 per share for Phion, an offer that management has taken “a friendly position toward”; to the extent that Phion’s three major shareholders (representing 22% of the company) have already signed an agreement with Barracuda. We’re unsure of Barracuda’s plans for Phion at the moment, but rolling its operations into Phion’s rather than taking the company private could provide the vendor with a good exit in these conditions.

We’ll be keeping an eye on the movement in the playing field in the coming months. We note that Crossbeam might be a potential IPO candidate, as could Qualys. The IPO market could very well heat up, once again providing vendors with a viable exit that doesn’t involve life as an acquisition target.

Lauren Eckenroth, Research Associate at The 451 Group, contributed to this report.

IBM announces progress in data-masking

Posted by Paul Roberts on July 15th, 2009 under Anti Data Leakage, Data Protection, Publicly Traded Security Vendors.

IBM will roll out a data-masking product for customer service or call center operators who need to see only non-confidential portions of customer or patient data. Big Blue has been in the data-masking arena for some time now with IBM Optim, an offering based on its acquisition of Princeton Softech in 2007. That product’s focus is based on PCI 6.3.4, which calls for data security during product development and testing.

IBM’s latest data-masking baby, MAGEN (Masking Gateway for Enterprise), is still in development at its research lab in Israel, and the name comes from the Hebrew word for ‘shield’. The product uses optical-character recognition to tag and scramble sensitive data on the fly. It’s this masking in real time that IBM claims as a differentiator from the competition. The data is analyzed and sensitive information is blocked before it reaches the user. Administrators use a central console to configure masking and access control rules, and the product will work with any data format, application or operating system.
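To make the masking rules IBM describes concrete, here is an added example (written for this post, not IBM code, and unrelated to how MAGEN itself works) of the rule-based, format-preserving masking a call-center gateway applies before text reaches an operator. The rules, the regular expressions and the sample customer record are all constructed for illustration; the Luhn check is used so that long ticket numbers are not mistaken for card numbers.

```python
import re

# Constructed masking rules: a pattern plus a function that rewrites the match.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes (typical card layouts).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; True for well-formed payment card numbers.
    Used to avoid masking long numeric IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_ssn(m):
    # Operators commonly verify callers by the last four digits, so keep those.
    return "XXX-XX-" + m.group(3)


def mask_card(m):
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number: leave the text untouched
    # Preserve separators and the last four digits; replace everything else.
    keep = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append("X" if seen < keep else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


RULES = [(SSN_RE, mask_ssn), (CARD_RE, mask_card)]


def mask_text(text):
    """Apply every masking rule to a block of text destined for an operator screen."""
    for pattern, repl in RULES:
        text = pattern.sub(repl, text)
    return text


# Constructed sample record (the SSN is the well-known invalid test value,
# the card number is the standard Visa test number, the ticket fails Luhn).
SAMPLE = "Caller SSN 078-05-1120, card 4111 1111 1111 1111, ticket 1234567890123."

if __name__ == "__main__":
    print(mask_text(SAMPLE))
```

Running the module prints the record with the SSN and card number masked but the ticket number intact. A gateway like the one described would sit between the database and the operator's screen and run every rule over each field or OCR'd region before display.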

Other contenders in this developing space include Oracle, Camouflage Software, DataGuise and Axis Technology. Data-masking technology has been around for a while in one form or another, but has often been managed ad hoc within development shops, outsourcers or large companies. It’s early days for data masking as a standalone industry. However, with the continued trends towards outsourcing, the proliferation of sensitive data and stricter data privacy becoming a bigger issue with each passing year (not to mention the Obama administration’s push for electronic medical records), we think the ingredients are there for demand for data obfuscation and data masking tools to really pick up speed.

Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog post.

Goldman Sachs hack: leak detection vs. leak prevention

Posted by Paul Roberts on July 7th, 2009 under Anti Data Leakage, Breaches, Penetration Testing, Policy Enforcement, Port and Device Control, e-crime, legal stuff.

The New York Times ran with an interesting story today on the theft of some critical IP and source code from investment bank…err…bank holding company Goldman Sachs that underscores both the value and shortcomings of data leak detection software. The article, by Graham Bowley, discloses the case of one Sergey Aleynikov, a well-compensated ($400k/year), 39-year-old computer programmer who worked as Goldman’s vice president for equity strategy. Aleynikov had recently given notice and said he was joining another trading firm that would pay him triple the salary he earned at Goldman.

However “just before he left, according to the complaint, Mr. Aleynikov used his desktop computer at Goldman’s New York offices to upload a stream of code to a Web site hosted by a server based in Germany,” NYT reports. That data was later copied back to his laptop and what’s described as a “memory device.”

Goldman, it was reported, “noticed the surge of data leaving its servers,” but presumably was unable to block the transfer to the remote server. That turns out to be a big problem, as the code stolen was for so-called “black box” computer programs that “Goldman uses to make lucrative, rapid-fire trades in the financial markets.” Those programs earn the firm millions a year, reportedly. And, though authorities have Aleynikov in their custody, the IP he stole is still sitting on the hosted Web server where he deposited it, NYT reports.

While it’s not clear what products were responsible for picking up the theft and monitoring the data flows, the incident is a great example of the gulf that exists between the marketing buzz around DLP - or data leak prevention - technology and the reality, even at top-tier firms like Goldman Sachs. Presumably that firm has the pick of the litter of security technologies, the bankroll to purchase and deploy what it wants and top-tier IT staff to manage the products. The fact that Goldman appears not to have had a means of blocking the transmission outside its firewall of source code and proprietary algorithms whose value is described as “incalculable” is…shall we say…eye-opening.

To be sure: securing source code presents a unique challenge to DLP firms, which have tended to focus on data that might be used in identity theft or for other compromises – credit card and Social Security numbers, account numbers, names and so on. Today, content monitoring solutions often allow simple regular expression matching that could, in a ham-fisted kind of way, be used to identify source code. Many Web filtering firms have or are adding support for features to identify source code files. At a deeper level, firms like Symantec/Vontu claim to be able to index document content (including source code files) and then spot even snippets of protected content in transit. With roots in encryption, vendors like BitArmor go a step further: offering data-level tagging – essentially metadata containers that travel with data, classifying it and specifying access rights, security policy (encryption) and so on. But tagging and encrypting the incredible diversity of code that resides inside an organization like Goldman Sachs is a Herculean task. And, as Mr. Aleynikov’s alleged excuse for the data breach (that he was merely trying to copy open source code he’d worked on) suggests, there are circumstances under which the movement of source code files back and forth across the network perimeter might be allowed and desirable. On the other side of the fence, there are application protection firms like Arxan, Metaforic and VI Labs, which do a better job securing the underlying code, but have traditionally focused on blocking attempts to reverse engineer applications for piracy or industrial espionage, not spotting or blocking data flows. Finally, source code analysis outfits like Fortify and Ounce Labs, Core Security, Veracode and others focus on finding security holes in compiled or uncompiled code that might be exploited in attacks after applications are deployed.
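The paragraph contrasts two detection strategies: crude regular-expression matching that flags anything code-shaped, and content indexing that recognizes snippets of specific protected files even when they have been reformatted. The following added example (written for this post; it is not code from Goldman, Vontu or any vendor named above) implements both over constructed sample data: a hypothetical protected file `black_box/strategy.py`, a re-indented copy of it as it might appear in an outbound upload, and an unrelated open source snippet. The regex heuristics flag both code samples alike; the line-shingle index flags only the protected one, which is the difference between "this looks like code" and "this is our code".

```python
import hashlib
import re

# --- Crude approach: heuristics that say "this text looks like source code" ---
CODE_HINTS = [
    re.compile(r"^\s*(def|class|import|from)\s+\w+", re.M),
    re.compile(r"^\s*(return|if|for|while)\b", re.M),
    re.compile(r"^\s*#include\s*[<\"]", re.M),
    re.compile(r"\b(public|private|static)\s+\w+\s+\w+\s*\(", re.M),
    re.compile(r"[;{}]\s*$", re.M),
]


def looks_like_code(text):
    """True when at least two distinct heuristics fire. Cannot tell
    protected code from harmless code, and misses unfamiliar languages."""
    hits = sum(1 for p in CODE_HINTS if p.search(text))
    return hits >= 2


# --- Indexing approach: fingerprint K-line windows of protected sources ---
K = 3  # window size; smaller catches shorter snippets but raises false positives


def _normalize(line):
    # Ignore indentation, collapse whitespace, drop blank and comment-only lines,
    # so re-indenting or adding comments does not defeat the match.
    s = re.sub(r"\s+", " ", line.strip())
    if not s or s.startswith(("#", "//")):
        return None
    return s


def _shingles(text):
    lines = [n for n in (_normalize(l) for l in text.splitlines()) if n is not None]
    for i in range(len(lines) - K + 1):
        chunk = "\n".join(lines[i:i + K])
        yield hashlib.sha256(chunk.encode()).hexdigest()


def build_index(protected_sources):
    """Map each shingle hash to the protected file names that contain it."""
    index = {}
    for name, src in protected_sources.items():
        for h in _shingles(src):
            index.setdefault(h, set()).add(name)
    return index


def find_protected_snippets(index, outbound_text):
    """Return the protected files whose K-line windows appear in outbound_text."""
    hits = set()
    for h in _shingles(outbound_text):
        hits.update(index.get(h, ()))
    return hits


# Constructed sample data (hypothetical file name and contents).
PROTECTED = {
    "black_box/strategy.py": (
        "def should_trade(book, threshold):\n"
        "    spread = book.ask - book.bid\n"
        "    if spread > threshold:\n"
        "        return False\n"
        "    return book.volume > 1000\n"
    ),
}
LEAK = (  # the same logic, re-indented and with a comment added
    "# pasted into a web form\n"
    "def should_trade(book, threshold):\n"
    "  spread = book.ask - book.bid\n"
    "  if spread > threshold:\n"
    "      return False\n"
    "  return book.volume > 1000\n"
)
OPEN_SOURCE = (  # unrelated code that an employee might legitimately move around
    "def parse_args(argv):\n"
    "    import argparse\n"
    "    p = argparse.ArgumentParser()\n"
    "    return p.parse_args(argv)\n"
)

if __name__ == "__main__":
    idx = build_index(PROTECTED)
    for label, text in (("leak", LEAK), ("open source", OPEN_SOURCE)):
        print(label, "regex:", looks_like_code(text), "index:", find_protected_snippets(idx, text))
```

The normalization step is what makes the index tolerant of the reformatting an upload form or a copy-paste introduces; a real product would also tokenize rather than compare whole lines, so that renamed variables do not defeat it, and would tune K against the false-positive rate on the organization's own code base.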

Expect to see some of these areas of focus converging as more and more of an organization’s value comes to rest in the intellectual property locked up in internal applications and business processes. As we noted in a recent report on BitArmor, the advent of virtualization, private clouds and cloud-based services within the enterprise (as evidenced here by the unnamed hosted Web server the GS application code was spirited off to) challenges network-based DLP with a different set of requirements. Among them: monitoring data movements from local to cloud, cloud to cloud or guest OS to guest OS.

NAC another victim of economic downturn?

Posted by Paul Roberts on July 1st, 2009 under NAC.

A recent report by research firm Infonetics makes the claim that network access control (NAC) appliance sales have been among the hardest hit in the current economic climate, with declines outpacing the rest of the network security space.

The report states that the NAC market fell by 32% between the third and fourth quarters of 2008. Given the scale of the economic meltdown, and that an important NAC customer base lies with financial institutions that were hit hardest, this shouldn’t be surprising. But don’t despair: Infonetics forecasts NAC will be back on top by the end of 2009; and riding high as a $700m industry by 2013.

We don’t participate in market sizing or forecasting of the hard-numbered type. What we can say is that there’s been a considerable amount of movement in the NAC space over the past six months. Autonomic Networks and Nevis Networks have submerged while other players have managed to hold tight and even grow. In February 2009 StillSecure branched into managed services with ProtectPoint, while Trustwave acquired Mirage Networks; both deals combine NAC chops with managed services plays. Appliance vendor Nevis has decamped to India while ConSentry has recapitalized with a valuation far lower than the $80m to $90m put into the company. We expect this kind of movement and consolidation to continue over the next few quarters until NAC, along with the rest of the network security market, can pull itself out of this slump.

– Lauren Eckenroth, Research Associate, Enterprise Security, contributed to this blog entry.

TJX settlement sets low bar: $0.10 penalty per account

Posted by Lauren Eckenroth on June 26th, 2009 under Breaches, Data Protection, e-crime.

What’s the cost to companies for lax security that leads to identity theft? About $0.10 per stolen identity, as it turns out.

TJX announced Tuesday it had reached a $9.75m settlement with the group of 41 State Attorneys General investigating the now infamous 2006 breach that exposed up to 94 million credit and debit card numbers. The group was led by Massachusetts Attorney General Martha Coakley with the help of Attorneys General in Arkansas, California, Connecticut, Florida, Illinois, New Jersey, Ohio, Oregon, Pennsylvania, Tennessee and Vermont.

Under the terms of the settlement, TJX must pay $1.75m to cover the cost of the states’ investigation and $2.5m to establish a Data Security Trust Fund available to states Attorneys General to enforce policy developments in data security and consumer protection. This leaves a paltry $5.5m in settlement fees to be split among the 41 states for use in data security initiatives; Massachusetts is slated to receive $951,000. Given the scope of the breach TJX has gotten off easy; paying out roughly $0.10 per exposed credit or debit card number. The funds will come from a $107m reserve set up by TJX in 2007 to cover costs associated with the breach.

In addition to the monetary penalty, TJX must comply with an information security program laid out by the Attorneys General. The company must obtain a third-party assessment and report “regularly” to the group. Among the actions mandated by the program, TJX must agree to: replace WEP on its wireless networks with WPA (Wi-Fi Protected Access) or wired connections; safely discard consumer account data once it has been processed for legitimate business purposes; implement firewalls, access controls, etc. to segment the areas of the TJX network that process personal information; and implement an appropriate password management system for the part of the network that handles personal information.

Of course, this settlement is only the latest development in the storm created by the largest reported data breach to date. TJX has already settled with major credit card companies Visa (for $40.9m) and MasterCard ($24m). In August 2008, 11 people were arrested and charged with aggravated identity theft, conspiracy, and computer intrusion related to the breach; and in January 2009, a Ukrainian hacker linked to the TJX breach was sentenced to 30 years in a Turkish prison (yikes).

To combat breaches of this nature Massachusetts has since passed a data privacy law that requires all companies that “own, license, store or maintain personal information” to comply with broad regulations for handling transaction and personnel-based data. That law sets a higher bar for breaches: $5,000 per violation. By that measure, TJX would have had to pay out far more, around $470 billion, in penalties.

Google Wave - a game changer?

Posted by Steve Coplan on June 2nd, 2009 under Identity Metadata, Identity and Access Management.

Amidst all the breathless commentary on how Google Wave is what email would be like if we only knew then what we know now, what has gone unnoticed is that Google is essentially using SMTP as the jumping-off point for an entirely new model for federation. Federation in its current iteration amounts to securely facilitating cross-domain authentication and lightweight authorization through metadata exchange between two parties. What Google Wave entails is any-to-any dynamic message transfer between two participating ‘wave servers’. The connection is based on a ‘handshake’ process between two servers, each of which has deemed the other party acceptable based on its globally unique wave id, which is a pair of a domain name and an id string. Beyond that, Google has advanced down the path of developing a protocol that defines how a user can interact with a living document, using the principles of operational transformation.

The potential to pull in work done in the area of messaging protocols (like AMQP) and data classification through extensions to the protocol is, from my perspective, huge when seen in the context of mapping actual business process to policy logic. Thousands of Wave servers can subscribe to a policy server, allowing for large-scale automation of access and collaboration decisions, as well as the creation of a standalone, abstracted policy management tier with direct interaction with the policy decision tier. Also, the Wave model not only allows for 1-to-n connectivity, but also the ability to establish hierarchies within federated relationships. This is an important advance when you consider the need to balance privacy (or degree of data lockdown) and openness, which could be paraphrased as “share as much as you need to when you have to”. The ability to establish hierarchical sharing constructs based on resource and user profile (what Google describes as winnowing), by tackling the inherent tension between security, privacy and access, will ultimately have critical repercussions. My thanks to Chris Swan for highlighting this aspect of the Wave initiative.

There’s been some speculation that SharePoint is the target here. Given SharePoint’s success, that’s certainly a possibility, although Google claims that Wave has been in development for four years, predating the rise of SharePoint. Instead, what Wave could offer is the integration of Geneva Server and SharePoint, with possibly a Ping Identity or TriCipher acting as a clearinghouse. Either way, identity management players are going to have to make an explicit strategic decision at some point in the not too distant future: either for or against Google Wave.
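Operational transformation, named above as the principle behind Wave’s living documents, is easier to see in code than in prose. What follows is an added example written for this page, not Google’s code and not the Wave protocol itself: a minimal character-level OT over a plain string (Wave’s real documents and operations are richer). The Op type, the transform rules and the site-id tie-break are choices of this example. The point it shows is why a federating server must transform a remote operation against the concurrent local operations before applying it: two servers that each apply their own edit first and then the other’s transformed edit end up with the same document, which is the property the federation relies on.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Op:
    """A single-character edit on a plain string (example type, not Wave's).

    kind: "ins" or "del"; pos: index in the document state the op was
    generated against; site: tie-breaker id of the replica that produced
    the op; ch: the inserted character (ins only).
    """
    kind: str
    pos: int
    site: int
    ch: str = ""


def apply(doc: str, op: Optional[Op]) -> str:
    """Apply one op; None is an op that transformation made redundant."""
    if op is None:
        return doc
    if op.kind == "ins":
        return doc[:op.pos] + op.ch + doc[op.pos:]
    return doc[:op.pos] + doc[op.pos + 1:]


def transform(op: Op, against: Op) -> Optional[Op]:
    """Return op', the version of `op` that can be applied after `against`.

    Both ops were generated from the same document state. Applying
    (against, op') on one replica and (op, against') on the other must
    produce identical documents; the rules below shift positions so that
    each op still refers to the character it originally meant.
    """
    if op.kind == "ins" and against.kind == "ins":
        # Same insertion point: lower site id goes first (deterministic tie-break).
        if op.pos < against.pos or (op.pos == against.pos and op.site < against.site):
            return op
        return Op("ins", op.pos + 1, op.site, op.ch)
    if op.kind == "ins" and against.kind == "del":
        return op if op.pos <= against.pos else Op("ins", op.pos - 1, op.site, op.ch)
    if op.kind == "del" and against.kind == "ins":
        return op if op.pos < against.pos else Op("del", op.pos + 1, op.site)
    # del against del
    if op.pos < against.pos:
        return op
    if op.pos > against.pos:
        return Op("del", op.pos - 1, op.site)
    return None  # both sides deleted the same character; nothing left to do


def converge(doc: str, a: Op, b: Op) -> Tuple[str, str]:
    """Simulate two replicas: each applies its own op, then the other's
    transformed op. Returns (replica_a_doc, replica_b_doc); they must match."""
    a_side = apply(apply(doc, a), transform(b, a))
    b_side = apply(apply(doc, b), transform(a, b))
    return a_side, b_side


if __name__ == "__main__":
    # Replica A inserts 'X' at index 1 while replica B deletes index 1 of "abc".
    print(converge("abc", Op("ins", 1, 0, "X"), Op("del", 1, 1)))
```

Without the transform step, replica B would apply A’s raw `ins(1)` to “ac” and A would apply B’s raw `del(1)` to “aXbc”, deleting the X rather than the b, and the two servers would silently diverge.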

Some context around the Cyveillance acquisition

Posted by Steve Coplan on May 6th, 2009 under Anti Data Leakage, Breaches, Cyber intelligence, Data Protection, Policy Enforcement, Web threat detection, anti malware, e-crime.

A growing number of firms are trying to capitalize on the trend toward proactive intelligence and prevention of e-crime, and the announcement today of the acquisition of Arlington, VA-based cyber intel firm Cyveillance by defense contractor Qinetiq speaks directly to the fundamental underlying trend behind this.

As we wrote recently in our ESP Quarterly, ‘The Evolving Endpoint Agent‘, the past three years have witnessed a revolution in malicious code writing. Professional, well-funded organized criminal groups have poured resources into the development of more powerful and versatile programs. Their goal is the theft of personally identifiable information, the theft of intellectual property, and the enrollment of millions of hosts into large botnet armies designed to distribute tasks, generating the computing power necessary to perpetrate fraud, theft and brute-force attacks.

More important, the criminal groups committing these crimes have become larger and more sophisticated. As criminals go, so do terrorists and those who seek to fund terror. For the first time, this brings the world of viruses, phishing scams and other fraud out of the realm of commerce and smack into the world of nation-state intelligence services: when your enemy is funding his operations through phishing, phishing becomes a security priority. For government, leaving commercial, public networks out of the picture when it comes to cyber security is simply no longer a tenable option.

This is not to suggest that government has responded in an organized or consistent fashion to the threats at hand: it has not. Lumpy and uneven distribution of understanding of the core issues; a notable lag in government agencies’ ability to formulate a response, lobby for budget and gain mandates to conduct cyber-intelligence operations; and internecine squabbling over turf and other issues have plagued efforts to enumerate, let alone catch, bad guys. But the will is there, efforts are underway and the response will come – it’s just a question of working the system until it’s good to go.

At the same time, those at the business end of the battle over cyber crime and cyber terror – financial institutions, mainly – are facing challenges like never before. Some time ago, we saw a sea change: banks began to cooperate in ways previously unseen in terms of the sharing of information about common threats. Until very recently, this kind of information was considered to be competitively sensitive – by revealing specific threat vectors, one risks having a rival reverse-engineer an IT landscape in the same manner as it has been reverse-engineered by a cyber criminal creating malware that specifically targets a given bank.

Yet the volume of attacks and their sophistication increased so dramatically that banks had no choice but to begin teaming up to confront a common enemy. The National Cyber-Forensics and Training Alliance (NCFTA), for example, was created to be a neutral collaborative forum in which critical and confidential information about cyber incidents could be shared among industry, academia and law enforcement.

Conversations with information security professionals of the type that would join NCFTA, informal polling of banking IT security professionals and general industry scuttlebutt hold one thing to be true: at this point, we are approaching the ceiling of what we can do reactively. People want proactive tools.

Not to put too fine a point on it, people want aggressive preemptive action taken against bad guys. The use of force, something which is rare to hear information security professionals talk about, is now being discussed at least theoretically. But to even consider any kind of action, you have to find out who’s doing what, when, to whom, and how. Then at least you can have discussions about a range of pre-emptive moves. Until you do that, you’re shouting at the surf.

Cyveillance gathers intelligence about the villainous and illegal use of digital content, and the misrepresentation and resale of digital content into real-world assets. The high-level issues that concern Cyveillance’s client organizations around the world involve cyber-squatting for the purposes of fraud and phishing; online sales of counterfeit and stolen goods; and the peddling of stolen digital assets. In addition, the vendor can provide valuable insight into a slew of other areas, from mere smut peddling, distribution of dangerous child pornography and criminal communications to other spooky stuff. Typically, Cyveillance messages around the first three areas, and conducts the latter quietly on behalf of various government and law enforcement agencies.

We have written a deal analysis of the acquisition which runs tonight in our TechDealmaker service containing target and acquirer profiles, deal rationale and deal details.

Dynamics of e-Crime

Posted by Nick Selby on May 6th, 2009 under Spin, Uncategorized.

Last week in London I did a panel on the Dynamics of e-Crime at the excellent InfoSecurity conference. What follows is the really high level introduction that I gave to the conversation, and a link to the PowerPoint deck I used.

Panelists:

James Brokenshire MP, Shadow Crime Reduction Minister And Member of Parliament for Hornchurch
Mike Humphrey, Head Of Information Assurance & Accreditation Serious Organised Crime Agency
Howard Schmidt, President & CEO Information Security Forum Ltd. UK

Introductory Remarks
Nick Selby, VP & Research Director, Enterprise Security, The 451 Group:

As the availability of broadband Internet continues to rise, and computing power and Internet access continues to democratize, holes in the regulatory landscape have appeared. The crimes themselves – fraud, social engineering, theft – have not changed. Nor have the motives – profit seeking, fundraising for illegal activities or terror, money laundering of illicit gain, the list goes on.

What has changed is the medium in which these crimes are committed, and with that change in medium came a change in scale. Criminals are now able to reach a larger pool of targets faster and more effectively than ever before. At the same time, lawmakers struggle to understand technological advances, and are frequently concerned that laws to restrict criminal activities will stanch commercial initiatives.

Law enforcement is faced with a vexing problem: trying to understand jurisdictional issues and rapidly changing regulations.

Criminals, terrorists, drug dealers and others seeking to hide and monetize illegal activity and launder ill-gotten gains are taking keen advantage of this lag. Their risk in doing so is relatively low compared to other criminal endeavours, their chances for success high, and the scale of success even larger. The risk of being successfully prosecuted even if caught is lower still, and the risk of doing serious jail time lower again while the laws to deal with these types of crime are still being adapted and created.

At the same time, the worldwide economic slowdown has created desperation among many. Many are more tempted than ever to find ways to get rich – or even get liquid – quick. Some of this large and growing number of people will do the maths I just set forth and turn to crime, while others will become victims of fraud.

This is the environment in which we currently find ourselves. Our panel today will discuss these issues in more specific detail. We will break the subjects generally into three categories: how citizens are affected by these trends, what government and law enforcement can do, and finally we will discuss some of the opportunities available to entrepreneurs and private industry.

–End of remarks–

Download the presentation

I thought the panel went well and was well-attended. We had some interesting questions, especially the one from Steve Howarth, a detective inspector from the Met police’s e-Crime unit. He mentioned the appalling lack of resources his team has. More on that in another post, soon to come.

A good RSA filter: stuff you _have_ to own

Posted by Paul Roberts on April 21st, 2009 under Anti Data Leakage, Data Protection, NAC, RSA Conference, Security Conferences, physical security.

I’m here with the rest of the 451 security team at the annual RSA Conference and looking ahead to a busy day of briefings today, tomorrow and Thursday, after a more manageable day yesterday. With all the information that streams at you at a big show like this, it can be tough to keep your bearings and see through all the marketing hype. RSA can be a launching pad for interesting, new businesses, and even entire new categories of firms. As an example, this year’s RSA innovative new company is AlertEnterprise, a converged physical and IT security outfit that appears to be targeting the energy vertical. Very “Dr. No” type stuff. Very cool. I’m gonna stop by their booth.

Of course, there’s no guarantee that those companies or their technology will have staying power. One need only look to past years’ “Tomorrowland” visions around things like converged security or even more quotidian visions, such as network access control, to be reminded that marketing spend != viability.

One good mental yardstick I like to use is to ask myself (and often the companies I’m talking with) why an enterprise _needs_ to own their technology. In the case of NAC, which came about as a way to stop virus and worm outbreaks behind the firewall, there was no one thing compelling companies to make a big investment, though almost everyone agreed on the usefulness of NAC in the abstract. On the flip side, the Payment Card Industry’s PCI DSS gave an enormous boost to vulnerability management firms, anti-virus firms and, now, companies that make Web security products like secure Web gateways and Web application testing tools: PCI audits specifically called for the use of those technologies, compelling companies to make an investment, or at least come up with some form of compensating controls.

This year, I’m looking for the impact of new and toughened data privacy laws, such as Massachusetts’ new data privacy provisions, the FTC’s Red Flag Rules and a toughened, toothier HIPAA from DHHS and the federal government (much more on that later!). Which companies stand to benefit (or not) from the provisions of these new laws concerning protection of consumer information, financial data and health information? It’s early days here at RSA, but I’ve already briefed with two firms in a fast-developing sector that plays right into the increased focus on data privacy: Camouflage and Dataguise. Both sell data masking tools that allow companies to protect sensitive information in databases that are used for testing and other development purposes.

The concept here is fairly simple: companies that do application development want to be able to use the best data possible to test their applications. Often, that means using actual, production data. But the loose security practices that often characterize development environments, not to mention the increased use of outsourcing, preclude the practice of piping production data into a test environment. Enter data masking firms like Dataguise and Camouflage, which sell technology that can replace sensitive data with fake test data without compromising data integrity (i.e. credit card and social security numbers still look like credit card and social security numbers, and the same production value always maps to the same fake value, so records still join across tables). Vendors point to regulations like PCI DSS requirement 6.3.4, which calls on companies to look at the data used in testing, as a major driver, but not the only one. IBM’s been in this space since at least 2007, and some of these firms have been around, in one form or another, for almost a decade. Still, the data masking issue is picking up steam: Forbes recently addressed it in an article, and it’s likely to get a lot more attention as companies become more attuned to the gaping hole that internal development efforts punch in their data security and data protection plans.
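To make the “still looks like a card number” requirement concrete, here is an added example of the transformation such a tool performs. It is written for this page and is not Camouflage’s, Dataguise’s or IBM’s code. It derives replacement digits from a keyed HMAC so the mapping is deterministic (referential integrity across tables survives) but not reversible without the key, recomputes the Luhn check digit so the fake card number validates, and keeps the SSN in issued-looking ranges. The `MASK_KEY` value and the decision to keep the card’s six-digit BIN are assumptions of the example, not vendor behaviour.

```python
import hashlib
import hmac
import re

# Hypothetical masking key (assumption). In a real deployment it stays on the
# production side, in a KMS/HSM; the test environment only receives output.
MASK_KEY = b"demo-masking-key-replace-me"

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # shifted by one: the check digit will occupy the rightmost slot
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def _keyed_digits(label: str, n: int) -> str:
    """n decimal digits from HMAC-SHA256(MASK_KEY, label): deterministic per
    input (foreign keys still join), not reversible without the key."""
    mac = hmac.new(MASK_KEY, label.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big") % 10**n).zfill(n)


def _refill(template: str, digits: str) -> str:
    """Put new digits back into the original layout (spaces/dashes kept)."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in template)


def mask_card(pan: str) -> str:
    """Replace a card number with a Luhn-valid fake that keeps the 6-digit BIN.

    Keeping the BIN is this example's choice (card-brand and routing logic in
    the application under test keeps working); the rest is key-derived and the
    check digit is recomputed, so the result validates but is not the real PAN.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input is not a plausible card number")
    bin_prefix, body_len = digits[:6], len(digits) - 7
    for attempt in ("pan", "pan-retry"):
        body = bin_prefix + _keyed_digits(f"{attempt}:{digits}", body_len)
        masked = body + luhn_check_digit(body)
        if masked != digits:  # never hand the real PAN back to the test environment
            return _refill(pan, masked)
    raise RuntimeError("could not derive a distinct masked value")


def mask_ssn(ssn: str) -> str:
    """Replace an SSN with a fake that still looks like an issued SSN."""
    if not SSN_RE.match(ssn):
        raise ValueError("input is not in AAA-GG-SSSS form")
    d = _keyed_digits("ssn:" + ssn, 12)
    area = int(d[0:4]) % 898 + 1      # 001..898 (small modulo bias is fine for masking)
    if area >= 666:                   # skip 666, which is never issued; range is now 001..899
        area += 1
    group = int(d[4:8]) % 99 + 1      # 01..99
    serial = int(d[8:12]) % 9999 + 1  # 0001..9999
    if f"{area:03d}-{group:02d}-{serial:04d}" == ssn:
        serial = serial % 9999 + 1    # vanishingly rare collision with the real value
    return f"{area:03d}-{group:02d}-{serial:04d}"


def looks_like_ssn(s: str) -> bool:
    """Format and range checks: area not 000/666/9xx, group not 00, serial not 0000."""
    m = SSN_RE.match(s)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


if __name__ == "__main__":
    # Standard test PAN and a constructed SSN; both inputs are sample data.
    print(mask_card("4111 1111 1111 1111"), mask_ssn("123-45-6789"))
```

The two properties worth checking in any masking product are the ones the tests exercise: the output must validate the way the real value does (Luhn, SSN ranges, same length and layout) and must be stable for the same input, otherwise joins between masked tables break and developers quietly go back to copying production data.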

Oracle sails into the Sun - the identity angle

Posted by Steve Coplan on April 20th, 2009 under Uncategorized.

I suppose I can thank Oracle for providing me with a reliable conversation topic over the next few days at RSA. My perspective is that although IAM specifically is unlikely to have figured prominently in the deal deliberations, the acquisition will likely have far-reaching repercussions for the IAM market.

While Oracle is a recent entrant to the market relative to Sun, IBM and CA with technology derived entirely from acquisition, it is generating the fastest growth and has put the incumbents on the back foot. There is more overlap in terms of product portfolio, thorny integration issues and open source questions ahead compared with an IBM acquisition, but we expect that a shiver has run down many spines at IBM and CA. Sun has suffered from a weak sales organization even as product development has remained strong. Clearly, there are significant integration risks, but at a high level, Sun products will now have a favorable sales model behind them.

Oracle will gain Sun’s directory and federated identity technology and in theory Sun will have Oracle’s Entitlement Server, Adaptive Access Manager for risk-based authentication and upcoming data governance integration at its disposal. But outside of those complementary areas, there will be plenty of overlap in provisioning and Web access management (although both share an SSO OEM relationship with Passlogix). The integration issues are ameliorated by a common Java technology platform, but the challenge should not be underestimated, particularly in light of Sun’s open source approach and emphasis on the services layer.

Rivals may have some window of opportunity as the decision process takes its course (since it is unlikely to have been given that much thought in the deal run-up), but we expect that to be short-lived. Of all the major IT vendors, Oracle has proven the most adept at minimizing acquisition and integration disruptions.

Would an open source approach have helped with ILM2 delay?

Posted by Steve Coplan on March 31st, 2009 under Identity and Access Management.

I can’t comment on the technical challenges involved, but the delay of close to a year in the release of Microsoft’s Identity Lifecycle Manager (ILM) 2.0 is clearly a blow to the Microsoft identity ‘ecosystem’. There are sure to be competitors who feel like they can breathe a sigh of relief, but not having a strong Microsoft set of products for provisioning and credential lifecycle management has to be seen on balance as a negative for the market as a whole, and certainly for technology buyers. Given that there is a natural community for whom the downside of the delay is significant, the question in my mind is whether the need to delay the release could have been diminished by adopting some open source approach. This is not just an attempt to set the cat among the pigeons (or any number of other metaphors for creating controversy). I think it’s a legitimate question whether the transparency of an open source project and combining the talents and expertise of a like-minded community with a specific, shared goal would have smoothed out the development process, or at least made the debugging process more efficient and productive.


Waiting for Conficker…in my opinion we were here.

Posted by Paul Roberts on March 31st, 2009 under Uncategorized, anti malware.

ESTRAGON: In my opinion we were here.
VLADIMIR: (looking round). You recognize the place?
ESTRAGON: I didn’t say that.

– Waiting for Godot, Act 1. Samuel Beckett

I’m going to have to excuse myself for sitting out most of the hype storm about the coming Conficker worm conflagration but, to be honest, I’ve been here before.

I’ll explain what I mean by that. But first, for those PD readers that have been hiding in a cave, here’s where things stand:

Conficker is a widespread Windows-based worm and information-stealing Trojan that is poised to launch a coordinated “action” on April 1st that will, depending on whom you talk to, bring the Internet to its knees or flop harder than A-Rod in an ALCS playoff game. It first appeared in late November and, like most computer viruses, has more aliases than Jason Bourne: you might also have heard it called Downadup, Kido or Pakes. They’re all the same beast. Conficker spreads over computer networks by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE) on unpatched Windows machines (again, for the cave dwellers, MS08-067 is the patch you need) and by brute-force attacks on networked computers and file shares that are secured with weak administrator passwords. There’s an excellent writeup on the worm available on Ars Technica. Read up, then apply the patch. A more technical analysis from SRI International is available here. (Thanks to SANS’ ISC for the link.) The Honeynet Project also has an analysis of Conficker available on its Web site.
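The patch handles the MS08-067 vector; the weak-password vector is only visible in logon logs, and the pattern to look for is one source failing against several accounts and hosts in a short window and then succeeding. The following is an added example of that detection logic, not code from any of the analyses linked above. The log format is constructed for the example (a simplified key=value line, not real Windows event text), as are the hosts and addresses; the thresholds are starting points, not tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not Windows event text).
# 10.0.0.7 sprays a short list of admin accounts across three file servers
# and finally gets in; 10.0.0.21 is a user mistyping a password twice.
SAMPLE_LOG = """\
2009-03-30T10:00:01 host=FS01 src=10.0.0.7 user=Administrator result=FAIL
2009-03-30T10:00:02 host=FS01 src=10.0.0.7 user=admin result=FAIL
2009-03-30T10:00:02 host=FS01 src=10.0.0.7 user=backup result=FAIL
2009-03-30T10:00:03 host=FS02 src=10.0.0.7 user=Administrator result=FAIL
2009-03-30T10:00:03 host=FS02 src=10.0.0.7 user=admin result=FAIL
2009-03-30T10:00:04 host=FS03 src=10.0.0.7 user=Administrator result=FAIL
2009-03-30T10:00:05 host=FS03 src=10.0.0.7 user=Administrator result=OK
2009-03-30T10:00:09 host=FS01 src=10.0.0.21 user=jsmith result=FAIL
2009-03-30T10:00:15 host=FS01 src=10.0.0.21 user=jsmith result=FAIL
2009-03-30T10:00:20 host=FS01 src=10.0.0.21 user=jsmith result=OK
"""


def parse_line(line):
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect_spray(log_text, window=timedelta(seconds=60), min_fail=5, min_targets=3):
    """Flag sources whose failed logons inside `window` hit at least
    `min_targets` distinct (host, account) pairs, i.e. a spray rather than
    one person retyping one password. Also record whether the same source
    then logged on successfully, the sign that a weak password was found."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r for r in recs if r["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start..end] all fall within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            targets = {(r["host"], r["user"]) for r in span}
            if len(span) < min_fail or len(targets) < min_targets:
                continue
            if src in alerts and alerts[src]["failures"] >= len(span):
                continue  # keep the widest qualifying window per source
            later_ok = next((r for r in recs
                             if r["result"] == "OK" and r["ts"] >= span[0]["ts"]), None)
            alerts[src] = {
                "failures": len(span),
                "hosts": sorted({r["host"] for r in span}),
                "accounts": sorted({r["user"] for r in span}),
                "success_after_spray": None if later_ok is None
                                       else (later_ok["host"], later_ok["user"]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The `success_after_spray` field is the one to page on: a spray that fails everywhere is noise, a spray followed by a successful logon from the same source is a host you now need to isolate and a password you need to rotate.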

With the deadline fast approaching, indeed already racing across Conficker-infected countries like South Korea, the media hype (including a sensational(ist) piece by 60 Minutes correspondent Lesley Stahl) has set the stage for a Y2K-style conflagration, but has (willfully) overlooked the consensus opinion of security experts, which is that Conficker’s April 1 surprise will be a big nothing. Indeed, SANS Internet Storm Center predicts “business as usual” on April 1st.

Rest assured, this won’t be the first or the last time that the public is treated to a media-induced roller coaster ride about computer security. If you remember, the Code Red Worm had a similar “attack” programmed into its code back in 2001. That denial of service attack was directed at an IP address that corresponded to the Web site of the Whitehouse. Government officials sidestepped the attack by pointing the Web site to a new IP address — an early victory for the administration of George W. Bush. ;-)


Third parties take up enterprise security banner for iPhone

Posted by Paul Roberts on March 25th, 2009 under Data Protection, Malware, Policy Enforcement, Web threat detection, anti malware.

I recently contributed an opinion piece to a new, online security news Web site on the topic of mobile phone security. In it, I pushed a couple different ideas. The main thesis, which I based on conversations with anti malware vendors, was that the consumerization of IT — evident in adoption of platforms like the Blackberry and iPhone — had opened a gulf between mobile device users and their employers. In contrast to five years ago — or even two years ago — employees are using their mobile devices to surf the Web, e-mail, IM and access enterprise resources. However, most enterprises still don’t have an easy way to track and manage those mobile devices or ensure that they adhere to corporate IT security policies for data protection. In fact, mobile security management tools offered by companies like Symantec and Trend Micro still don’t support the iPhone or Blackberry, despite widespread adoption by employees. As I point out in my piece for Threatpost, this is another manifestation of the loss of control that goes along with the “consumerization of IT” — user adoption of cool new tools and gadgets that runs far ahead of the ability of enterprise IT shops to keep up.

Not that security software vendors are all to blame. In the case of the iPhone, the word is that Apple doesn’t want to give third parties access to the kernel-level APIs they need to do real-time threat protection or data encryption. In the meantime, the company’s development efforts haven’t prioritized enterprise concerns. As my colleague Chris Hazelton noted in a recent report, the latest rev of the iPhone OS, Version 3.0, did little to advance the iPhone’s enterprise readiness. In particular, it failed to add the ability for one or more third-party applications to run in the background, limiting security (i.e. encryption) and management features.

This leaves security and mobile device management vendors to do what they can. Sybase’s announcement this week of a new version of its iAnywhere suite is a good example. The company’s iAnywhere Mobile Office, which includes e-mail, calendar, tasks and contacts, as well as Exchange and Lotus Notes integration, offers the kinds of features enterprises want: password protection, data encryption and remote data wipe…but only for data resident in the iAnywhere Mobile Office application. The company tries to spin this as flexibility…enterprise security “without compromising users’ personal information,” but isn’t it just “encryption for me, but not for thee”? Whatever the case, it’s hard to see how islands of security on a multi-function device like the iPhone will work practically, or how they advance the interests of companies or the community as a whole.

In the meantime, another major anti-malware vendor told us that it is at work on its own secure Web browser for the iPhone that will allow it to integrate Web reputation technology that it has long offered to PC users. As with Sybase, however, users will have to download and install the third-party Web browser to get the protections, rather than getting them as a plug-in to the native iPhone implementation of Safari. We can expect more of the same from other vendors (encryption, anti-malware, management) who are hot to trumpet “iPhone support” to their enterprise customers in any guise. The result? Expect the balkanization of the iPhone desktop to continue, at least until the mandarins in Cupertino make good with the tools that third-party developers need to do iPhone security right.

Big Blue and Mr Ponytail - the identity angle

Posted by Nick Selby on March 18th, 2009 under Identity and Access Management, M&A.

With the rumors now being publicly aired of an IBM acquisition of Sun, our inquiring minds turned to the specifics of how the combination of two of the Big 5 identity management vendors would play out. (Our colleagues at Inorganic Growth have looked at the implications for the server market). Although both Sun and IBM have seen themselves outflanked by an aggressive Oracle in identity and access management, the combination of the two identity management businesses could significantly shift the balance of power in the market. (Alternatively, there’s not a small risk that it could further undermine their combined market position if integration slows down product development and creates confusion over product strategy, playing directly into the hands of competitors). Sun has taken an open source approach to IAM that emphasizes services and support as a source of revenue. Sorting out the overlap with IBM’s portfolio may indeed prove intricate, but as we speculated earlier on the likelihood that the industry goes down the path of consolidation, there is scope for capturing Sun’s install base and using the open source versions of the technology as a means to expand its ability to address different market segments. IBM’s sales strategy is heavily weighted toward its install base, and Sun’s open source software may prove a useful vehicle to expand into the mid-tier, where its current license and implementation cost structure is prohibitively high.

There are sure to be some difficult product rationalization issues, complicated by Sun’s still in progress transition toward open source development and business model. However, in some areas, the product portfolio strengths are complementary. Sun, for instance, has led the market in enterprise directories (although its product has grown long in the tooth and the OpenDS open source version has yet to reach full product maturity) and the acquisition would supply IBM with federated identity and role management technology where the company has lagged the market. There seems to be some difference of opinion over the relative value of Sun’s directory server over IBM’s equivalent, but in terms of market segment penetration, we would postulate that Sun’s is larger (although under attack) and spread across a broader set of businesses.

The rumored deal would certainly provide one possible explanation for why IBM has been so quiet on the acquisition front.

IronPort’s Weiss parting ways with Cisco

Posted by Paul Roberts on February 27th, 2009 under Data Protection, Database Transaction Monitoring, Directory Services, IAM, Spin, Uncategorized, anti malware, anti spam.

After a year at the helm of Cisco’s Security Technology Business Unit (STBU), Scott Weiss, the former CEO of IronPort, is leaving the company. Weiss will be replaced by fellow IronPort co-founder Tom Gillis, who has taken the helm at the STBU. Nick Edwards, who is senior manager of product management in charge of Cisco’s e-mail products, said that Weiss is still technically on board at Cisco and is working as an “adviser” to Brett Galloway, SVP for Wireless and Security Technology. In that position he’ll “help assist in a smooth transition” (translation: not freak too many IronPort employees out by leaving abruptly), but after that it’s happy trails, with Weiss - wait for it - “spending more time with his family.”

Scott Weiss, Cisco

Edwards, himself an IronPort-er, said that the loss of Weiss, who got high marks on leadership and vision, was going to be tough. But he put a good face on it all the same. “We get to retain the IronPort DNA and history (with Gillis),” he said.

Of course, there’s nothing surprising about a former CEO like Weiss chafing under the constraints that come with a role down the org chart in a mega-corporation like Cisco. Sounds like Scott gave it the old college try, but has decided to move on to his next act. The surprise, I suppose, comes as a result of the big vision that his appointment at the head of the STBU set for Cisco’s overall security strategy. Cisco’s security portfolio had grown long in the tooth in recent years, and Weiss came in talking big about reinventing it. In part, that would come from integrating smarts from the IronPort platform across the other Cisco products, including reputation intelligence from the SenderBase online reputation system and from the global deployment of IronPort appliances. With him gone, it’s not clear what happens to that vision and whether Gillis will have the clout and vision to carry it forward. Cisco staff insist that Weiss’s departure has nothing to do with the STBU’s 2008 numbers or a difference in vision with other Cisco brass. That could be true (and we’re waiting on specifics on the STBU performance that might confirm it either way), but we’ll be waiting to see what the next few months bring.

From role management to identity governance?

Posted by Steve Coplan on February 24th, 2009 under Identity and Access Management.

“And, yea, the call for compliance did ring out across the land. And the vendors of role management software did declare: through us will your access be certified. And the security priests and business kings did see that compliance was good, for no longer would a user access resources, each to his own way. Yet, they looked upon those who could access their resources and saw that they were many and different - among them too were consultants and partners. And they inquired of themselves: “Verily, how will we institute access control systems and points of enforcement so that we may trade profitably and remain free from thieves and scoundrels?”
