Seriously Secure

Five top execs on the rise of cyberattacks

By Luc Hatlestad

12:44 PM EST Wed. Feb. 18, 2004
From the February 18, 2004 issue of VARBusiness
Since 2001, the security boom has resulted in a lot of headlines that weren't always backed up by numbers. The Meta Group's 2004 Worldwide IT Benchmark Report says security spending increased 3.2 percent in 2001, 7.6 percent in 2002 and 8.2 percent in 2003: on the rise, but a little short of earthshaking. Why the disparity between publicity and revenue growth? Blame the ultraconservative IT budgets of the past few years and the often dizzying array of security solutions available to solve an even more confusing variety of potential risks. Until recently, many security companies found it tough to sell preventative security solutions to companies that hadn't been attacked yet.

But security firms and their VARs are seeing the dawn of 2004 as the dawn of a new round of opportunities. A combination of factors, including the rise of insecure wireless networks, increasing sophistication and the sheer number of attacks across the Internet, new tools and techniques for fighting them, and an overall market consolidation have combined to make a big difference for the top vendors and their VARs.

We interviewed CEOs from five of the market leaders: Check Point Software Technologies, Computer Associates, RSA Security, Symantec and Trend Micro. We found that as 2004 begins to take shape, customers, resellers and vendors will have a new set of threats to deal with and new tools to handle them, but there isn't always unanimity about what works best, and where.

Gil Shwed, Check Point's founder and CEO, recently met with a customer that relied on three different types of firewalls, figuring if there was a vulnerability in one, it wouldn't likely be in all three. Redundant? Yes. Safer? Perhaps.

"We don't necessarily encourage customers to go this way, but some do," Shwed says. One reason, he says, is because some thought leaders say it's simply safer to embrace protection from a variety of sources rather than try to get it all from one place, a form of checks and balances. Check Point's solution is to make it all integrated, from virtual private networks (VPNs) to firewalls. The company recently launched Check Point Express for midsize companies, and perimeter security still accounts for much of the company's business, although Shwed says the network protection area has huge potential and will help the company compete with Cisco and NetScreen, among others.

Symantec's CEO John Thompson sees a real need for companies to work together, what former Novell CEO Ray Noorda coined "coopetition." "The real issue is, if we as technology leaders don't come together to solve problems, we run the risk of having users become disenfranchised and decide not to use the network as much as they possibly could," Thompson says. "Or even more devastating, governments will feel like they need to intercede, regulate and enforce laws that control the way innovation occurs. Either result is not good."

But working together is just one aspect that makes the security space intriguing. There is also the need to match the right technology with the right problem, something especially acute in security, where there are so many point products and individual problems to solve. The question of which technologies solve which problems brings up the point of whether it's better for companies to buy as much of their security technologies as possible from one vendor or go for the best-of-breed solution in each category. Naturally, these CEOs would each love to be the soup-to-nuts vendor for as many clients as possible, but they realize the unlikelihood of this in such a complex world.

"The real issue for customers today isn't about choosing between best-of-breed or single-source. It's about how deeply security can be integrated within their business operations," says Sanjay Kumar, chairman and CEO of Computer Associates. "Customers need to evaluate what they have and determine how integration can be realistically achieved. While best-of-breed solutions may yield the latest technology, these innovations cannot fulfill their potential without integration and management. Today's businesses are looking to reduce business risk. Resellers and vendors who can help customers achieve this will have far greater success than those who attempt to settle this age-old debate."

Symantec's Thompson agrees, saying the single-vendor approach doesn't work any better for smaller companies than for larger ones. But he adds that best-of-breed only works with the proper integration. "In the largest enterprises, it's highly unlikely you'll end up in a one-vendor environment, so the question becomes how a company like Symantec can simplify the process to help [customers] manage the tools they've already deployed," he says. "For us, the toughest thing was to get the industry to accept that it was a valid idea to deliver more integrated, tightly packed security solutions, so SMB companies that don't have big IT staffs can get the same technologies the enterprise can without a lot of the headaches associated with it."

Even if customers never migrate completely to a single-vendor scenario, there's some virtue in at least getting closer to it. The Aberdeen Group, a Boston-based IT market-analysis and positioning-services firm, estimates that there are currently some 70 publicly held security vendors and almost 350 private ones, further complicating already-mind-boggling purchasing solutions.

"Customers would prefer to have fewer vendors," according to Art Coviello, RSA's president and CEO. "In the past few years, customers have been feeling burned by smaller companies; they thought they were getting best-of-breed technology, but the claims didn't match the reality."

One big advantage larger vendors and their resellers have over smaller ones is the ability to offer comprehensive solutions rather than simple point products. "Technology is only about 20 percent of the puzzle; policy and enforcement [make up] the other 80 percent, and 70/30 would be more reasonable," says Joseph Dell, CTO of Vigilar, an information security-services provider in Atlanta.

Customers may soon get their wish for fewer company choices. The CEOs we interviewed agree that the industry, which already has seen considerable consolidation, has more on tap this year. Thompson says the move toward multilayered approaches to security almost mandates the demise of smaller security companies.

"The little niche players that have had their heyday recently are in for a huge awakening over the next 12 to 18 months; they'll find that customers are less willing to accept a little piece of technology as the answer to their security problems," he says. "What they want is a solution that has a more encompassing, more holistic view of how to secure the enterprise. While a little piece of technology may be interesting, if it doesn't fit into the broad scheme of how security processes can be administered, customers won't be able to accept that someone has a better thingamajig."

Shwed also thinks more consolidation is in the works, and that the more than 400 companies in the security space are simply too much for the market to sustain.

WIRELESS INSECURITIES

One of the primary things making network viruses so tricky to combat is the explosion in the number of network-access points due to wireless and remote users. Like a town with a housing boom that outpaces the capacity of its roads, the exponential expansion of wired and wireless network traffic is creating an increasingly congested and chaotic situation, one that leaves corporate and personal networks at risk of potential meltdowns ranging from irksome to catastrophic.

Steve Chang, Trend Micro's chairman and CEO, says wireless networks create a whole new set of unique issues. "Wireless has a lot of vulnerabilities: Wi-Fi hotspots create potential entry points that don't have a solution yet," he says. On the other hand, Thompson and Coviello don't see wireless networks as substantively different from wired ones, although they agree with how it must be addressed. "As much as 60 percent to 70 percent of wireless information is transmitted into the clear, which is why VPNs, or some form of encryption, need to be built into the networks," Coviello says. "But wireless will continue unabated because of its ease of use; people want access wherever they are."

Symantec is working with Cisco in one of many alliances designed to alleviate the issue. "It became apparent to us that if we can ensure that devices with access to the network have at least the minimum standards of security, we can do a better job of stopping the attacks," Thompson says. "We're trying to build a more secure infrastructure where agents can verify that users have a minimum level of hygiene before they can access a network."

Security-focused VARs say the solution to this problem is straightforward enough, but the tools for it are just now beginning to arrive. "There's a lot of emphasis now on identifying who's actually on the network; the growth in mobile users and things like wireless hotspots and public Internet kiosks means you need another secure layer," says Ron Fowler, president of Structured Communications Systems, a reseller of Check Point, NetScreen and Symantec solutions in Portland, Ore.

RSA's Coviello says one of the hot technologies this year will be tools that utilize secure socket layer (SSL) encryption of VPNs. NetScreen bought Neoteris last November solely to add this technology to its lineup. "All applications have been moving down-market, creating more Web-enabled applications," he says. "Even small companies are implementing VPNs or wireless networks because it's so inexpensive. But they're that much less secure at the front end because anyone can get access, so you need to authenticate users at that point, which is what drives our business."

SSL VPNs are a good example of a clear-cut solution to a specific problem, but the sector still suffers from customer confusion that can result in a tougher sales task, especially when the target is a company that isn't bound by security-specific regulations, such as the Sarbanes-Oxley Act.

"Larger organizations definitely are more proactive, but there's still a lot of market confusion about which technologies solve which problems," Fowler says. "We're still in education mode sometimes, explaining things to customers who are upset when what they bought doesn't solve the problem they thought it would. The challenge is convincing companies in nonregulated industries that weren't planning to spend preventatively on security to fight for that money."

"No one big company dominates here," Shwed adds. "The solutions available today are mostly point products such as SSL VPNs, Web firewalls, etc., not comprehensive solutions like you find elsewhere. There are competitors, and we are going to be competitive in those spaces, but the approach we are taking is a much bigger solution from the technology and what we have in the network."

WORMS AND OTHER INTERNAL THREATS

Wireless is just one worry. A bigger issue is that the perimeter is porous and infections can occur internally and spread from trusted sources across the enterprise. One reason Shwed is so keen on internal security is that it's often where users have been impacted most. He notes that the majority of users infected by the most recent high-profile viruses and worms were infected internally, getting their viruses from one another behind the firewall. Once rogue code makes its way inside a company, there's very little to stop it from spreading. "The strength of Check Point plays into that," Shwed says. "We didn't pick the largest, most established markets because some of these markets have good companies with good products that play there today."

Shwed thinks the market reached an inflection point in 2003, when criminals and hackers became very sophisticated. That prompted more businesses to wake up, although only a fraction of his own customers deploy the broadest amount of available protection. Customers still have a way to go before they catch up to criminals.

For better or worse, the customers' stance began to change after the Nimda worm attacks in 2001 and the highly publicized MSBlaster, Sobig, Code Red and SQL Slammer attacks in 2002 and 2003. Suddenly, almost everyone either had suffered some kind of network breach or knew someone who had, and the purse strings began to loosen. But convincing customers to spend proactively remains one of security vendors' and resellers' biggest challenges. "Customers get hit all the time, lose so much money and try to clean up viruses that keep coming back," says Trend Micro CEO Steve Chang. "The customers say, 'Wow, I was hit,' but if you ask them why they don't spend money to prevent the problem, they say they don't yet see any solutions that really solve the network-virus problem, so they're still not as willing to spend the money."

And Microsoft is always an interesting situation, something about which each of the CEOs is currently worried. While the Redmond giant doesn't have any particular security strengths (some might say that it still creates opportunities for security vendors due to numerous Windows break-ins), it is clearly on companies' radars, especially in terms of how it will play vis-à-vis the Linux world.

"One of the strongest players in the Linux client space was GeCAD, which was acquired by Microsoft," Thompson says. "I doubt Microsoft will continue its Linux-development activity, so the opportunity is there to fill the void. Linux is a force to be dealt with, and we view the multivendor, multiplatform opportunity as one we should continue to avail ourselves of. How quickly it hits is a function of how quickly people can move applications to that platform. If the industry starts to embrace application migration at the desktop level, it will become a real issue in large enterprises. I think that's a real concern for Microsoft."

NEW ISSUES ON THE HORIZON

Coviello says that identity theft, long a bane for consumers, is showing up in the corporate world because the increase in remote-access and wireless users makes it easier to swipe someone's identity online. "I don't think we've scratched the surface of identity theft," he says. "More than 27 million people in the United States have had their identities stolen, but most of it has been the old-fashioned way, via theft, rummaging through your garbage. But where does most of it get exploited? Online, which means one way to protect against it is for businesses to authenticate users and be absolutely sure that the person is who they say they are." Coviello adds that along with SSL VPNs, areas such as Web-access management, provisioning and Web-services security all have a strong future. "But these probably will be a bit slower to arrive, depending on the rate of growth in Web-based applications and whether Web-services standards are agreed upon," he says.

Thompson says Symantec is researching numerous technologies, including behavioral blocking, which monitors a program's behavior in real-time to detect malicious actions; and anomaly protection and generic exploit-blocking, which monitor network traffic and screen out anything that doesn't meet preset policies. But he warns that the industry is at a critical juncture. It's a call to arms that all security players should heed.

"There still is an enormous amount of research that needs to be done to put the tools in place to protect a 2 billion-person Internet infrastructure when it arrives," he says. "There now are 300 million to 400 million active users, so triple or quadruple that number. The security technologies required for that infrastructure are very, very different than the infrastructures we have today. We'd better get on with it, with a combination of private-sector organizations and governments working together on advanced research projects. It has to happen if we're going to move the needle."

THE RACE IS ON

The security industry's top CEOs are largely optimistic about their prospects for, as Thompson says, "realizing the promise of the networked world." These executives are pragmatists; they understand the challenges at hand, and most of them agree that the sector is nearing a crossroads that will require it to self-regulate or be regulated by various governments, a dreaded prospect. They're getting a message similar to what Internet companies heard in the mid- to late 1990s: "Clean your own house, or we'll clean it for you."

No one on the IT side wants that, which is why 2004 promises to be a critical year for the industry. Just as the nature of cyberattacks is evolving, so, too, are the tools to combat them. The challenge for these executives, and all security companies, will be to inch ever closer to a point where, if they can't prevent the attacks, at least they'll be able to anticipate them and dilute their effects. The race is on.

"We're at a very, very critical juncture," Thompson says. "The promise of the wired world will ebb and flow on the confidence that people have about how secure their [connections are]. If we have another rash of attacks like we had last summer, that might be more dissuading to users, and it might prompt governments around the world to come in on their white chargers to protect their citizens. This wouldn't be a good thing, so the security sector has to step up, get out of its comfort zone and deal with the reality of the threats, and not with the little product niches that we're comfortable with today. A layered approach to security, dealing with multiple technologies to protect customers, is the only way to solve this problem."

In a way, the work of security vendors, VARs and ISVs will never be done. There never will come a day when they can say all networks are completely secure, because hackers and their accomplices will forever continue to discover new ways to create and exploit network vulnerabilities, putting the good guys in the position of always trying to hit a moving target.

T.C. Doyle provided additional reporting for this story.

 