CRN Interview: Gene Hodges, Network Associates
Before the latest wave of speculation about the potential sale of Network Associates, company President Gene Hodges discussed the security software vendor's future and the current security market with Editor in Chief Michael Vizard. In the interview, Hodges explains Network Associates' plan to change its name to McAfee, where the security management business is headed and how higher levels of integration can produce more effective security solutions.
CRN: What drove the decision to change the company's name to McAfee?
HODGES: The motivation is predominantly branding-oriented. It's to pull together the marketing investments and be more effective in terms of demand generation for our partners. The reason to do it now is driven by the divestiture of our Sniffer business. Network Associates was formed by the combination of a security business and McAfee Associates and a network management business called Network General. So the timing is driven predominantly by that divestiture, and the rationale is brand awareness. McAfee is a very well-known brand. The product brand name is much stronger in the public venue.
CRN: What does it take for a solution provider to be effective in the security space?
HODGES: In terms of the partner training investment, what we found is that the environmental knowledge and contextual knowledge is very critical. If you take a good networking guy who's been configuring and troubleshooting networks for years, the time for that person to be effective in network security is less than six months. You see the same thing on the system side. You take a guy who understands system calls, who is at a deep level in OS design, and you get the same result. I think the certifications are important. But what's more important on the partner side is that if you want to win in the professional services game in security, you're going to have to take the firstborn. Don't make the mistake of taking a guy who's kind of just an everyday [IT] guy, happens to have some time available and send him to a couple of security courses. The contextual knowledge to be a good security person is pretty daunting. You don't pick that up in two months.
CRN: How can small and midsize businesses keep up with the need to invest in security, given all of the investments they'll be required to make? Today, most of them have a security strategy that's tantamount to hiding in plain sight.
HODGES: On the low end, we think it's all going to go toward services. We just introduced a solution with Check Point [Software Technologies] that we're very excited about called McAfee Secure One, which is a Check Point firewall packaged with [McAfee] online managed services for antivirus. This is Web services-based, and together we're going to add VPN and e-mail/spam scanning in the cloud to that solution over the next couple of quarters. And over the course of the next year, we're going to build simple, manageable parts of [intrusion-prevention technology] into those system-level components. All of that is managed in an ASP model so a partner could run it. If you have partners with predominantly SMB practices, they could run this model and support 20,000 users with a very low-cost investment. The managed service tools we build for partners also means that they're not cobbling them together like a classic MSSP [managed security solution provider]. They actually have something that's done for them, and they can focus on operating it for the client. We build those to be almost totally automated.
CRN: Right now, there are more startups entering the security space than any other market. What's your take on the prospects for a security startup today? And given the fact that your company has acquired some startups, what are you looking for in acquisition candidates?
HODGES: The venture [capital] community has always had a little bit of a herding behavior, and when money starts to flow toward one segment, it's not at all unusual for great pile-ons to occur. Clearly, that is the case in security. But there are not enough really seminal ideas in technology coming out of these companies. The good ones--the ones that you would want as acquisition candidates--are doing very well. They do very well because they get product to market, and the product has innovation and gets noticed by customers. Our acquisition strategy has focused on companies at or near the commercialization stage with new technologies. So they're not seed-stage companies, and they're not at the prototype stage. We like to look at companies that are just getting ready to ship product or have shipped product six months to a year, have a couple of customers in beta and have a small install base.
CRN: For years, people have debated over whether an appliance or a hosted model is better for security software. What's your take?
HODGES: Our strategy is that we are going to need both. It's always been a religious battle between the Net heads and the system heads. In general, the network is a good place to catch mass attacks. The mass attacks are very loud on the network. They can be identified with behavioral mechanisms. You can deploy network intrusion-prevention systems [IPS] at aggregation points on the network so that you get very good coverage without a lot of investment. In general, targeted attacks on a specific type of application on the database server or Web server--even if it's an automated, blended threat type of attack--are best handled on the system, because you can't sandbox and analyze all of the code that's coming over the network. You can inspect behavior and packet contents, but you get an awful lot more out of actually seeing it run.
CRN: How does McAfee stack up on both sides of that equation?
HODGES: We're in there in very strong shape on the technology side. A lot of that came from our acquisition of Entercept a year ago. Our direction is going to be to integrate and simplify those components, because one of the remaining significant challenges is to make this stuff very manageable in the context of a typical IT department. If a customer is looking at a traditional antivirus as a fairly comprehensive solution, it's not sufficient. They're going to get hammered by worms. A defense that's going to block significant amounts of the types of attacks that we see today is going to require antivirus, intrusion prevention and an application firewall. Putting those capabilities together allows you to do a pretty good job on the system side.
CRN: Are end users still focused on security, or have they become more jaded? It seems that there's really not much shame in being attacked these days as there once was.
HODGES: I think many are, but I think there's still a lot of fear. The head of security has a tough job, especially in large corporations. To do it well, you need to have a good view of the business drivers because they need to answer these questions: Why should I be investing, and how much security is enough? You need to be technically savvy because the technology picture is pretty complicated. I think a large number of the top chief security officers are going to be the next generation of CIOs, simply because they understand the dichotomy between the business and the technology. And that's what a CIO does every day--band those two together. The guys who may not be quite as strong probably feel hammered on one side from their own management structure and on the other side from the bad guys. It's a scary place to be.
CRN: Speaking of scary things, the amount of time for responding to a threat is dropping dramatically. How will antivirus tools meet the need to respond faster?
HODGES: The AV systems today--the good ones--are heavily heuristic-based. We identify about 70 percent of the viruses with heuristic techniques. And the IPS products are heavily behavior- and anomaly-based. Signatures are still a good thing to have because they keep down false positives. The technology that gets deployed very broadly needs excellent behavioral analysis and fast deployment capabilities of highly accurate signatures. And we've got that deployed on both the host and the network sides.
CRN: What challenges does that present in terms of response?
HODGES: You can't get everybody out of the bed for a global situation. We've seen a decline in the time it takes to have large-scale damage, so clearly we'll be looking at sub-10-minute times over the next 12 months. And then we have to start measuring the average time between vulnerability and the attack. We do expect a fairly significant rise in attacks where the vulnerability is actually identified by an attack.
CRN: Why do vendors announce the vulnerability, thereby enabling the attacks?
HODGES: It's a damned-if-you-do, damned-if-you-don't type of situation. When you announce the vulnerability, you give the customer an opportunity to start reacting and give the bad guys a chance to start ascending the castle wall. Our belief is that that equation works toward the forces of good because the bad guys are right in the middle of vulnerability research. Very often you'll 'discover' a vulnerability, which was actually identified by somebody else and hosted on a hacker bulletin board. So attribution might go to our threat research team, ISS or Microsoft. But it's actually pulled out of the hacker community, which is already starting to tell the bad guys about it.
CRN: How often would you say human error is responsible for letting attacks in the door in the first place?
HODGES: I think that that absolutely happens. We're seeing that more and more in patching scenarios, where you get guys--very often now on the partner staff--working all weekend, running around like chickens with their heads cut off doing patching on systems, and they make a mistake on installation. A lot of it is just because guys are fire-drilling so hard. The thing that's driving a lot of the partners and customers crazy is variance in the patches. It's not unusual for Microsoft now to put out three or four enhancements to the patch over the course of a 24- or 48-hour period after an attack. That just drives me nuts.
CRN: Will antivirus software evolve to deal with all types of hostile content, such as e-mail that violates a Sarbanes-Oxley policy, etc.?
HODGES: I think we're starting to see that happen now. I think there's a general case that marries business availability analysis and security. You secure a system to keep it up and running and to keep the data safe. The budgets spent on security can't expand at a 25 percent or 30 percent rate forever. The next stage in the market is going to be adding a lot more business acumen. It's going to be portfolio management rather than just throwing cash at it, because the complexity is such that if you throw cash at it, the return on the margin investment is very low. The same analysis that you have to do for Sarbanes-Oxley--the process analysis to document control compliancy--is extremely useful in doing a security analysis to understand where the pressure points are in a business process. I am not a fan of the impact that Sarbanes-Oxley has had on corporations overall, but there's actually one very good side effect: For the first time, most companies have at least first-level documentation of the information flow in the basic processes.
CRN: What kind of specialty practices do you think will emerge around security?
HODGES: The two dimensions in compliance are going to be areas of specific compliance and auditing, and forensic analysis of remediation. I think we'll also probably see--as you see in the applications industry--that the specialization will get deeper around application sets. So you'll have Web services experts and compliance of e-commerce systems in a variety of environments.
CRN: Do you think network and security management will converge?
HODGES: That's been a debate for about the last 10 years. We actually built Network Associates on the assumption that security management and system management were going to converge. But I don't think that's true at an operational level. What we see several years into enterprise management system implementation is that the rollouts are there, but they're used predominantly for information collection and reporting. If you go look at a big Tivoli implementation, 95 times out of 100 it's doing system management, and the network management is just a collection. If you go look at an OpenView implementation, 95 times out of 100 it's doing network management and system management is just collection. I think there's an open question as to whether correlation of activity in IPS from the system side to the network side gives you a better defense. I think there's a need for integration of data flow for better event sifting. But our belief is that security is going to move much more toward real-time behavior anomaly analysis and that those [solutions] will stay fairly simple.