Growing Security Firm Takes On Batman, Sneakers Personas


Stach and Liu, a prominent security consulting and services firm known for its research into finding sensitive data by manipulating Google searches, is going through a name change. Its co-founder and managing partner, Vincent Liu, said there would be no change to the firm's team of penetration testers, however.

Stach and Liu is now Bishop Fox, according to Liu, a popular speaker at security industry conferences and co-author of several books on hacking and application security. Liu unveiled the new name this month, telling CRN the change was needed to instill meaning into the firm's mission. Bishop represents the ethical hacker in the movie "Sneakers," Liu said. Fox signifies Lucius Fox, the Batman character who heads Wayne Enterprises and has the ability to quickly provide support when Batman needs it most.

"We're not reselling hardware and software, but we're providing a trusted adviser-type approach," Liu said. "I think the work we've done has made us well-established with our customers."


Forward-thinking companies are not going out and buying the latest and greatest security technology to solve their problems, according to Liu and other security services firms interviewed by CRN. After a thorough assessment, the focus often turns to the basics: application security, vulnerability and configuration management, as well as stronger authentication measures.

"I think the human link is going to be increasingly more important over time, because it's often an end user's behavior that results in a lot of the more sophisticated APT-style compromises we're seeing," Liu said. "I think you can change the way people behave but there's really no magic bullet on how to solve these issues."

Liu started in 2005 doing subcontracting work for Microsoft and other prominent companies. The company expanded to about 35 people. The company maintains the Google Hacking Diggity Project, where tools and information are available to mine search engines for sensitive data that might be publicly available. It was one of the first firms to show how some Amazon Web Services users were inadvertently exposing data. "We keep quiet and tend to work in the background with customers," Liu said.

Bishop Fox and other firms are seeing business increase among the Fortune 1,000 and venture-based B2B startups. To do business with larger, well-established firms that expect their partners to take security seriously, B2B startups often have to show they have established security programs in place, Liu said.

Larger firms are increasingly assessing their partner supply chain to understand the risk in doing business with smaller startups, said Rob Kraus, director of the engineering research team at Omaha, Neb.-based managed security services provider Solutionary. Often small businesses receive investment capital, and the funding is allocated based on business objectives aimed at becoming profitable, Kraus said.

"For a lot of startup companies, the focus is more on establishing relationships rather than putting as much as they could into security," Kraus said. "If larger businesses are doing their due diligence, it may make some startups examine their security posture more closely."

Security has increasingly become top of mind, reaching executives who want assurances from staff that security is being applied and being done effectively, said Garry Sidaway, global director of security strategy at Integralis, a security services provider. The Bloomfield, Conn.-based unit of the firm has a strong emphasis on penetration testing and application security. The firm also does compliance assessments. It maintains a separate sales team for the vendor technologies it resells.

"Businesses are becoming more flexible and, in turn, are fine-tuning systems and policies as they accept more risk," Sidaway said. "Security teams are constantly adapting because systems always have a new and different threat against them."

PUBLISHED ON JUNE 14