Plausible Deniability

There was a spate of news today on the Web security front, with announcements from two hopefuls in the race to offer SaaS (software as a service) based Web threat detection. Most prominently, Zscaler, a Santa Clara based startup founded by Jay Chaudhry, announced the availability of its in the cloud security services. As reported, prominently, by The New York Times, Zscaler uses a multi-tenanted Web filtering application, hosted at data centers globally, to scrub inbound Web traffic for malicious code, as well as outbound traffic for adherence to security and workplace policies after it leaves a customer’s firewall.

I worked as a technology reporter for a bunch of years, so I can tell you in all honesty that getting Brad Stone from the NYT to rewrite your press release is no small feat, and speaks to the pull that someone like Jay Chaudhry has. Hey, this is a guy who’s started and sold a string of security companies in the last decade including AirDefense, which was sold last week to Motorola and CipherTrust, which sold to Secure Computing in 2006.

The Times story, however, tends to eclipse another release on the Web security front that, interestingly, also has ties back to Mr. Chaudhry. Purewire, an Atlanta company formed by three of Mr. Chaudhry’s former CipherTrust cohorts — Paul Judge, Mike Van Bruinisse and Mark Caldwell– announced the availability of its eponymous SaaS based Web security service, as well as an additional $2m funding round (the company raised $1.75m in May) and the appointment of former ISS head Tom Noonan (an Atlanta tech luminary) to its Board of Directors. Chaudhry, Judge and Van Bruinisse have all held executive positions at Ciphertrust or its acquirer, Secure Computing, before pursing their latest ventures.
That’s a pretty good news day for Purewire, though the Times article raises the uncomfortable prospect that they’ll be fielding a lot of “how are you different from Zscaler?” questions as they go along.

I doubt this is accidental — we see Web security as the big area of investment and one in which there’s a huge opportunity for consolidation, along the lines of data leakage. It’s certainly possible that Chaudhry and the folks at Zscaler got wind of the Purewire announcement and timed their news to steal some of the thunder away from their competitor — or that Purewire did the same to Zscaler. Regardless, landing your product launch announcement in the New York Times is a slam dunk in the big ‘ol basketball game that is public relations.

On paper, anyway, Purewire’s approach sounds pretty similar to Zscaler’s: both companies operate scads of Web content scanning servers in the cloud that intercept inbound and outbound content and scan them for malicious content and for adherence to enterprise security policies (i.e. “if Web_URL == pornotube.com && role !=CEO, action==block”). Web traffic is redirected to the Web security scanners in the cloud from the company’s firewall or existing Web proxy. On the issue of latency (a critical point in Web-based SaaS security that SaaS-based messaging vendors could largely blow off), both companies point to their secret sauce. Zscaler trawled the acronym ghetto and came up with a technology called SSMATM (Single Scan, Multiple Action), that does “sophisticated hashing and caching” to support up to 250,000 transactions per second. Purewire talks about its PureWire Webcelerator, which uses “cooperative caching” — an approach akin to what Akamai has been doing to accelerate Web content — to reduce response time and, in theory, give the company more time to chew on suspicious looking stuff.

But there are some differences, too. [Big caveat here -- We haven't spoken to Zscaler yet and are, thus, basing our read here on what information is publicly available] PureWire’s core Reputation service combines standard URL filtering with “dynamic classification engine” that analyzes requested Web pages based on their content. That sounds pretty close to what Zscaler is talking about. But Purewire is addressing the Web threat at multiple different points. Customers have the option of deploying an on-premises Purewire “adapter applicance” to handle more sophisticated Web application traffic that requires links back to on-premises AAA servers. For script based attacks, the company offers Purewire Sandbox, a Web browser plugin that allows suspicious scripted content to be run safely on the endpoint.

In general, Purewire seems to be aiming for a kind of protection that’s more hollistic than just Web threat detection. Executives talk a lot about offering a kind of Web reputation filtering that guards against malicious “people, places and things.” (Noundefense, maybe?) What does that mean? For one thing, it means trawling the online social networks (Facebook, LinkedIn) for potential threats that might be hiding in what appear to be legitimate online profiles. Purewire talks about being able to pick up on things not accessible to human eyes: different pixel resolutions or color ranges that tend to correlate with bogus profiles that are used as lures in phising attacks, and so on. It still sounds fuzzy to us and our sense is that the company is a long way from being in a position to actually block content based on this kind of reputation awareness.

But we give a tip of the hat to Purewire for recognizing that Web security in the next five years is going to be as much about being able to makes sense of social networks and online reputation as it will be about blocking cross site scripting and SQL injection attacks. As history has shown…the Times doesn’t always get it right.