The state of consumer security

I had the pleasure, and I mean pleasure, of recently rebuilding two of my home PCs running Windows XP because of performance degradation and other issues.  I ended up doing a clean wipe of the hard drives and reinstalling Windows XP from scratch.  Once I got the machines up and running on a broadband connection, I recognized that I was completely naked on the web with no protection.  As you may or may not know, I have invested in and sit on the board of two security technology companies which sell into the SMB and enterprise markets (see Deepnines and netForensics).  Therefore, I clearly understand the need to lock down your systems and protect yourself against spyware, viruses, and other malicious attacks.  Of course, there is always a tradeoff between security and performance.  In the past, I have been an avid user of best-of-breed software on my PC: ZoneAlarm Pro for the firewall, Norton Antivirus, and Webroot SpySweeper for spyware.  One, this is not cheap, and two, it becomes a headache to manage and keep track of after a while, especially if you have more than one machine in the house and have to set up rules for each separate PC.  For example, as you can see from a recent post, a new software release from Webroot killed one of my machines.  Despite the management overhead, what this best-of-breed approach offers me is diversified protection and real-time scanning.  What good is virus protection that only detects and removes the virus after you are already infected?  There is a huge difference between prevention and remediation. 

So of course, with an eye on simplifying my life, I decided to download and install Windows OneCare on one machine.  It was easy to download, offered diversified protection against threats, and also allowed me to add multiple machines.  However, one drawback, which did not really seem to be highlighted anywhere, was that there was no real-time scanning and protection for incoming email.  That in my mind is a huge flaw.  How can Microsoft give everyone the perception that they are locked down with this new service when it does not scan incoming email in real time for threats?  I can see a whole army of consumers feeling secure but still having tons of issues without the real-time functionality. 

Anyway, this post is not about Windows or any one specific product, but the fact that I have to download and install security software on multiple machines and have to set them up and manage them.  As you know I am all about simplicity and reducing friction in usage, so why not have one simple box that does it all for the consumer: cable/DSL modem, router, wireless LAN, with best-of-breed security software loaded into the device?  Just like the enterprise security market went from packaged software installation to set-and-forget appliances, why can't I have the same functionality in the consumer market?  As we all know, hardware is a commodity and prices have fallen dramatically.  And just like enterprises, I want defense-in-depth for my house, which means building in security at the edge before anything can even get to my machines.  With best-of-breed security functionality built into the router, I can set security policies once for my whole house and not have to install and manage client software for every machine.  I also get my CPU cycles back on my PCs, since client security software can be a real drain on the machines.  The good news is that forward-thinking companies like Check Point/ZoneAlarm are starting to go after this market and recently announced just such a device for the consumer market.  If you look at this graph you can see why having comprehensive security at the edge is needed.  Malware gets blocked at the edge before it can do damage to your PCs.  In my mind the state of consumer Internet security is that we are still in the dark ages, but it is getting better.

What needs to be done to make us more secure

I was in a meeting with an executive at a large financial services company today discussing some of his technology problems and how my portfolio companies could address them. One of the big issues he mentioned was spam and stopping worms. Even though his company has spent real dollars in those areas, they are still problems which need to be solved. As Sasser and other worms and blended threats spread rapidly around the Internet, it got me thinking about what needs to be done to make us more secure. Techdirt has a great piece about taking a hybrid strategy to stopping these threats, an approach I agree with wholeheartedly. I have always been a fan of a defense-in-depth strategy where you have security devices at the network level and all the way down to the desktop. Have you seen Cisco's recent advertising campaign about self-defending networks? While it is a broad-based strategy which you can read more about on their site, one aspect I like about the NAC initiative is that it does not allow anyone to access a network, wireless or wired, before a scan is done to make sure the device is virus and worm free and up to date with its patches and antivirus software. They currently have an enterprise focus, but the logic behind the initiative makes a ton of sense. Recently, Earthlink launched a deal with Symantec where consumers could get antivirus and firewall software from Symantec on their monthly bill. While I like the direction Earthlink is taking, I think all ISPs should take this a step further and replicate the Cisco NAC initiative where no user can log on to a network until their system is scanned and updated with the latest patches and antivirus software. Charge consumers an extra $1 a month, but make it a prerequisite to get on the Internet. On top of that, ISPs are applying, and should continue to apply, a number of different security devices on the edge of the network to prevent attacks from reaching end users. 
Vendors selling home networking equipment like Linksys and D-Link should figure out how to embed and price antivirus and antispam software in their boxes as well. For the most part this will only stop the vulnerabilities and attacks that we know about, but the reality is that many of these attacks take advantage of known vulnerabilities. Helping the naive consumer in a proactive way will help us take one big giant step in making the Internet a more secure place.

Mydoom and securing the perimeter

As I said before, if you want to stop blended threats like Mydoom and others, the best way to do so is to secure the perimeter by preventing an attack before it has a chance to infiltrate your network. That is best done on the edge, IN FRONT OF THE ROUTER, but for a number of reasons no one has attempted it. Of course, if you tried to do it on the router it would degrade performance 60-70%, which is not a good solution. One other big issue is having the scalability to inspect every packet entering and leaving a network (router) with minimal latency. Finally, being able to effectively detect and prevent anomalous traffic from entering a network requires sophisticated algorithms. You have to have minimal false positives (legitimate traffic blocked) and no false negatives (attacks let through). In other words, the last thing a Chief Security Officer wants to be blamed for is screwing up a large multi-million dollar transaction for a business unit by blocking it from entering or leaving the network. Therefore, many CSOs are willing to have just the detect function turned on instead of relying solely on technology to make decisions about what is good and what is bad traffic. Of course, given the proliferation of complex viruses and blended threats, we are seeing more and more security teams moving from detection to prevention.

Before we dive further into securing the perimeter, let's first understand how Mydoom works. Mydoom is a mass-mailing worm that attempts to spread via email and by copying itself to any available shared directories used by Kazaa. The worm harvests addresses from infected machines and also tries to randomly generate or guess likely email addresses to send itself to. It also leaves a backdoor wide open for hackers to take control of the machine to steal user information or start spam campaigns or DDoS attacks. The kicker is that these newer viruses typically send their email through a built-in SMTP engine, bypassing the normal mail client on the computer and therefore bypassing any antivirus scanning that hooks into that client. This sounds pretty nasty, doesn't it? The amount of inbound and outbound email traffic can easily bring your network down, leading to lost revenue and lost productivity. The fact that it leaves a back door open for nefarious uses could be even more damaging. For example, someone could use millions of infected computers to launch a DDoS (Distributed Denial of Service) attack on you, bringing down your transactional web site.
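To make the point about the built-in SMTP engine concrete, here is an added example (not the author's code and not any vendor's product) of the egress check an edge device could run. A worm that carries its own SMTP engine does not go through the corporate mail relay; it opens TCP/25 connections straight to each victim's mail server, so from the edge it looks like an internal host fanning out to many distinct external port-25 destinations in a short window. The internal address range, the relay address and the flow records below are constructed assumptions for the example.

```python
"""Egress detection for a mass-mailer that carries its own SMTP engine.

Added example, not code from the original post. A worm like Mydoom does not
hand mail to the user's mail client or the corporate relay; it opens TCP/25
connections straight to each victim's mail exchanger. On a network where only
the relay may speak SMTP to the outside, that shows up at the edge as an
internal host fanning out to many distinct external port-25 destinations in a
short window. Addresses, the internal range and the relay are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
MAIL_RELAYS = {"10.0.0.25"}           # assumed sanctioned outbound mail relay

# Constructed flow records: (seconds, src, dst, dst_port). Not real traffic.
FLOWS = [
    (0,  "10.0.0.25", "203.0.113.10", 25),   # relay delivering mail: normal
    (30, "10.0.0.25", "198.51.100.7", 25),
    (12, "10.0.1.9",  "203.0.113.80", 443),  # ordinary HTTPS, ignored
    (40, "10.0.1.9",  "192.0.2.5",    25),   # one direct SMTP: violation, not fan-out
]
# Infected workstation: twelve distinct mail exchangers inside forty seconds.
FLOWS += [(10 + 3 * i, "10.0.1.14", f"192.0.2.{100 + i}", 25) for i in range(12)]


def is_outbound_smtp(src, dst, dport):
    """True for an internal host opening SMTP to an external address."""
    return (dport == 25
            and ip_address(src) in INTERNAL
            and ip_address(dst) not in INTERNAL)


def policy_violations(flows):
    """Internal hosts other than the sanctioned relays that opened outbound
    SMTP at all. With a strict egress rule on the edge device this is the
    set the firewall would have blocked; here it is what the logs reveal."""
    return {src for _, src, dst, dport in flows
            if is_outbound_smtp(src, dst, dport) and src not in MAIL_RELAYS}


def smtp_fanout(flows, window=60, threshold=10):
    """Per non-relay source, the largest number of distinct external SMTP
    destinations reached inside any `window`-second span; returns only sources
    at or above `threshold`. Distinct destinations are the signal, not raw
    connection count: a client retrying one server is not a mass-mailer."""
    per_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if is_outbound_smtp(src, dst, dport) and src not in MAIL_RELAYS:
            per_src[src].append((t, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # destination -> connections in window
        lo, peak = 0, 0
        for t, dst in events:
            in_window[dst] += 1
            while events[lo][0] < t - window:   # drop events that fell out
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print("hosts speaking SMTP directly:", sorted(policy_violations(FLOWS)))
    print("mass-mailer candidates:", smtp_fanout(FLOWS))
```

The two checks are deliberately separate: the first is the egress policy (only the relay may talk SMTP outbound, everything else is dropped at the edge), the second is the behavioural signal you would still want on a network that has not yet locked egress down, where a single direct SMTP connection may be a misconfigured client but a fan-out to a dozen mail servers in under a minute is a worm.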

In my opinion, an effective security solution would sit on the edge, prevent anomalous traffic and malformed packets from entering or leaving a network, and provide capable antivirus technology. In other words, you would buy an integrated security solution that includes a firewall, intrusion prevention, DDoS, and gateway antivirus technology that can sit in FRONT OF THE ROUTER. Therefore the only data that should be traversing your network is good, clean data and all of the bad stuff, ingress and egress, is left behind and dropped. I have spent a fair amount of time during the last few years looking at this problem. During the last 3 months, I have been working closely with one company that can offer customers all of the above. Please check back in the near future to learn more about it. Of course, if you have come across any companies that fit the bill, I would love to hear from you.

Life in a connected world…

As we increasingly move to a connected world where all of our devices and products have embedded chips in them communicating with a wireless network to share information and data, we will become more susceptible to privacy and security issues. The New York Times has a great article (must log on but free to join) on automobiles and how products like Onstar from GM, EZPass, and even tires from Michelin can share data about you and where you have been. Obviously, there are a plethora of benefits from services like the above and a potential invasion of privacy is the tradeoff that we need to live with in order to have more convenience. However, there is one aspect of living in a more connected world that I worry about and that is security. In an earlier posting, I commented on potential security breaches in mobile phones and other devices. Currently Onstar can remotely unlock your doors and turn on lights and horns. What if a hacker found ways to control other functions in your automobile via Onstar? As new technologies emerge and proliferate into the market, you can bet that hackers will find a hole to exploit. When taking advantage of new technology and designing new products, companies must carefully balance the tradeoff between convenience/simplicity and security.

Citrix buys GoToMyPc maker, Expertcity-great day for ASPs

Congratulations to Expertcity and Andreas, John, and Klaus. It has been great to work with you from a board level over the last 4 1/2 years. When the transaction closes, I look forward to writing a little more about how you were able to persevere through some tough times, launch new product, stay focused on leveraging the core screen sharing technology, and build a high growth business in a completely new market. Not only were you an early player in remote access, but you also were one of the first ASPs out there.

Expertcity is not the only ASP making headlines today. Salesforce.com filed to go public and raise $115mm. As I mention in an earlier posting about Google and IPOs, pre-bubble, it took companies 4-6 years from their first round of funding to IPO/acquisition. During the bubble it took 1-2 years. While I am excited about today’s announcements and other recent deals like VMWare (bought by EMC) and Zonelabs (bought by Checkpoint), it is obvious that we have returned to a pre-bubble mentality and the companies that will be significantly rewarded are the ones that embody the philosophy of building real businesses with real revenue and cash flow. Well, isn’t that just business 101? Yes, and this is great news as it is something we can all understand.

Check Point makes first meaningful acquisition

So Checkpoint is going to buy Zone Labs for $205mm. Here are my thoughts on the deal. Zone is expected to do around $28mm of revenue in 2003 and $42mm in 2004. The revenue multiple is 7x for 2003 and 5x for 2004. That is pretty much in line with existing security multiples of 6-8x revenue. The more significant point is that Checkpoint made its first meaningful acquisition. So for all of you security companies out there, add Checkpoint as another potential acquirer. Some future deals could include an SSL VPN player or a network intrusion prevention provider. It seems that concerns over their revenue growth have finally hit management, and they are trying to find ways to accelerate the top line. However, I am not too sure that acquiring a desktop firewall product and competing against established competition like Microsoft, Symantec and NAI is the way to do it.

Securing Cyberspace-the Government vs. the private sector

There were 2 conferences yesterday addressing cybersecurity. One was the National Cyber Security Summit in Santa Clara and the other was a smaller event in DC. While I was not in attendance, I did speak with a couple of people who participated in the events. The takeaway is that 85% of the critical infrastructure in the US is owned and controlled by the private sector. The other 15% is the government. While security has gotten better over the last few years, there are still some major holes in the system. There is a classic standoff right now as the government wants the private sector to take control of securing their networks and data while the private sector says why bother when the government’s infrastructure is not even secure. For example, if cyber terrorists took down critical DNS systems, whether or not the private sector secures its infrastructure is moot as the Internet will have massive troubles. Some in the private sector also alluded to the fact that Chief Security Officers do not have enough control as most are only VPs who report to CIOs who sometimes report to CFOs. If CSOs have no real control over budget, then how can they really effectuate change? The government, on the other hand, is threatening to take action and impose mandates for securing private infrastructure. The government wanted to give the private sector the chance to organize itself and develop its own best practices before it is forced to do so through legislative mandate. To hammer the point home, one official apparently said that the next terrorist attack could be on the information systems of a large financial services institution causing serious economic damage. Despite the warnings, it does not sound like the 2 sides made much progress yesterday. At the end of the day, companies in the private sector are driven by dollars. If these companies feel secure enough already, they are not going to rush out to spend more money for the sake of national cybersecurity. 
Therefore, my feeling is that Ridge and his team will not get what they want until the private sector feels pain on their bottom line in the form of stiff economic sanctions. That being said, the government has to live up to its end of the bargain and drive security in its 15% of the infrastructure as well, because as Ridge says, all it takes is one hole to compromise national security.

Hand-held device security

Hackers like to go where they can cause the most pain. As 3G rolls out in the US, you can bet that hackers will go there as well. There was a great article last Friday in the New York Times about viruses and other security issues on cellphones and hand-held devices in Japan (free site but registration required). It is clear that we should look at how Japan is dealing with this issue, as their wireless infrastructure is much more advanced than ours at this point. At the same time, it seems that not many people in the US are dealing with the issue now. Having suffered attacks in the past, NTT DoCoMo has gotten proactive and not only put security software on its servers but also on its handsets. We should learn from this and prepare our infrastructure accordingly. Spam is not the major problem on these devices; think viruses that can jam the 911 emergency response system or denial of service attacks that can bring a wireless network down. What happens when we live in an even more embedded world where chips in cars, appliances, etc. begin talking to a wireless network and become infected with a virus?

Many of the companies that I have seen that focus on wireless security are looking at the client or handheld device level. This is the approach that companies like Network Associates and Symantec are taking with handhelds. While I applaud the effort to protect our devices, I do not believe that putting antivirus software on every handheld device is the right solution:

1. Installing antivirus software on every device is not an easy task to manage;
2. While it is much easier to constantly update virus definitions on connected devices, this will increasingly eat up precious memory and computing cycles on your device.

What is needed is smart security on the edge. This will require software that can sit on the network/server layer and in real-time inspect every message being sent from one device to another. It is not easy to sit inline and inspect every message without creating latency. In addition, the software will have to be able to prevent unknown attacks through behavioral analysis and not rely solely on signatures to prevent nefarious activity. This will lessen the need to constantly update every handheld, chew up precious memory and power, and give users an easy way to use their connected devices without headaches.

What Microsoft really needs to secure the perimeter

We all know that there have been a number of issues with Microsoft's security. We have all been bothered by the daily 'Windows Update Available' alert. Steve Ballmer has stated that making their products more secure is their highest priority. In fact, MSFT's CFO mentioned that security-related issues had a negative impact on its most recent quarter, delaying some very large licensing deals. So what is Microsoft doing to fix this? In MSFT's recently announced 'Securing the Perimeter' initiative, the company will place greater emphasis on firewalls and other network security technologies to prevent hackers from reaching vulnerable PCs. What does this mean? Well, first of all MSFT is emphasizing the importance of Defense in Depth. Defense in depth implies that enterprises must have security in every layer of a company's infrastructure, from the edge to the center where all of the data resides. MSFT is also acknowledging that patching systems and installing Windows updates as the sole method of security does not work, because these methods are all reactive. In fact, most people do not even install updates and patches right away, still leaving many computers and servers highly vulnerable. Selling antivirus technology (via their acquisition of Romania's GeCAD Software) will not make their OS less vulnerable. All of these technologies are getting better, but for the most part will still not catch the newest blended threat, worm, or virus. Antivirus software relies on signature updates for attacks that have already happened, and with patch management most of the patches are never installed. So Microsoft is telling us that its customers need an early-warning technology to stop an attack at the edge before it hits vulnerable PCs and servers.

I applaud Microsoft for getting it. Windows is an old, bulky piece of software rife with holes. While security on Windows is a high priority, MSFT has finally acknowledged that a customer needs a defense-in-depth strategy to enhance security and that they need to push this into enterprises. By the time a worm, virus, DoS attack, etc. reaches the desktop it is too late. If we want real security we have to put proactive defense on the edge and not just in the center. The edge means that MSFT needs to take security out to the network and yes, this is where companies like Cisco dominate. We all know that routers are dumb, and that it is time to put more intelligence in them. Yes, this has not happened yet. Right now, MSFT seems to be looking at firewalls as their perimeter defense. Even if they add Intrusion Detection (lots of false positives, data overload, most technology relies on signatures) via partnership or acquisition, it will still not be enough. In order to fully round out their strategy, MSFT should look at security management software companies like netForensics (full disclosure: I am currently on the Board of Directors) to provide real-time analysis of a company's total infrastructure, from the routers and edge firewalls to the NT and IIS servers residing in the internal data center.

How does security management software help? Most corporations spend millions of dollars buying security products yet they still do not feel secure. It is the equivalent of having a building equipped with numerous cameras (security hardware) without anyone monitoring (security management software) the activity in real time. Therefore, how will anyone really know if they were attacked, by whom, when, and where? Take this concept to an enterprise and you get the same picture: lots, and I mean lots, of dollars spent on security (firewalls, intrusion detection systems, antivirus, etc.) to protect a company, but if there is no software to proactively filter all of the reams of data (gigabits upon gigabits of it) from a myriad of heterogeneous devices and correlate what happened and when in real time, then a company will never really know it was under attack. Well-done security management software does not rely on past events to issue warnings. For example, netForensics was able to catch SQL Slammer while it was happening. It was able to view anomalous network activity gathered from various devices like firewalls and intrusion detection systems, correlate it in real time, and send an alert to the user, who could then shut off the port Slammer used (UDP 1434). Of course, if one could shut that data stream off automatically as soon as an issue was detected (prevention), that would be even better. While netForensics can do this to a certain extent, many customers are afraid of having machines completely take over security control without a human filter. There is lots of buzz around prevention these days, but most Chief Security Officers I speak with are not yet ready to let machines do all of the work. What happens if an automated security system causes a trader to miss a $100 million trade?
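The correlation step described above, reduced to its essentials as an added example (this is not netForensics code or any product's logic): firewall denies and IDS alerts arrive in different formats, both are normalised to one event shape, and a rule fires only when, inside a sliding window, enough distinct external sources are hitting the same port and an IDS sensor has independently flagged it. Slammer's port, UDP 1434, is a known fact; the log formats, device names, addresses and the IDS message text are constructed for this example. The `auto_block` flag models the human-filter concern in the paragraph: the recommended action is always recorded, and only applied when someone has opted in.

```python
"""Cross-device event correlation, as an added example (not vendor code).

Two constructed log formats (a firewall deny line and an IDS alert line) are
normalised to a common event, then a sliding-window rule looks for many
distinct sources hitting one UDP port plus an independent IDS alert. The
default is detect-and-recommend; auto_block=True is the prevention mode.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

FW_RE = re.compile(r'^(\S+) (\S+) DENY (\w+) (\S+):\d+ -> (\S+):(\d+)$')
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT "([^"]+)" src=(\S+) dst=(\S+) '
                    r'proto=(\w+) dport=(\d+)$')


def to_epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()


def parse_event(line):
    """Normalise one log line from either device into a common dict."""
    m = FW_RE.match(line)
    if m:
        ts, dev, proto, src, dst, dport = m.groups()
        return {"ts": to_epoch(ts), "device": dev, "kind": "fw_deny",
                "src": src, "dst": dst, "proto": proto, "dport": int(dport)}
    m = IDS_RE.match(line)
    if m:
        ts, dev, msg, src, dst, proto, dport = m.groups()
        return {"ts": to_epoch(ts), "device": dev, "kind": "ids_alert",
                "src": src, "dst": dst, "proto": proto, "dport": int(dport),
                "msg": msg}
    return None   # unknown format: skipped, never silently counted


@dataclass
class Incident:
    first_seen: float
    last_seen: float
    sources: set
    devices: set
    action: str      # what the operator is advised to do
    applied: bool    # whether the tool did it without a human


def correlate(lines, proto="udp", dport=1434, window=60,
              min_sources=5, auto_block=False):
    """Fire once when `min_sources` distinct sources were denied on proto/dport
    by the firewall inside `window` seconds and an IDS alert for the same
    port falls in that span. Either signal alone is not enough: a scan burst
    without an IDS hit, or one IDS hit without the burst, stays quiet."""
    events = [e for e in map(parse_event, lines)
              if e and e["proto"] == proto and e["dport"] == dport]
    events.sort(key=lambda e: e["ts"])
    lo = 0
    for hi, ev in enumerate(events):
        while events[lo]["ts"] < ev["ts"] - window:
            lo += 1
        span = events[lo:hi + 1]
        fw_sources = {e["src"] for e in span if e["kind"] == "fw_deny"}
        ids_hits = [e for e in span if e["kind"] == "ids_alert"]
        if len(fw_sources) >= min_sources and ids_hits:
            return Incident(
                first_seen=span[0]["ts"], last_seen=ev["ts"],
                sources=fw_sources | {e["src"] for e in ids_hits},
                devices={e["device"] for e in span},
                action=f"block {proto}/{dport} at the edge firewall",
                applied=auto_block)
    return None


# Constructed log lines (not real captures): a burst of probes for UDP 1434
# from distinct sources, one IDS alert, and unrelated noise that must not count.
LOGS = [
    '2003-01-25T05:30:00Z fw1 DENY udp 203.0.113.11:1054 -> 10.0.2.7:1434',
    '2003-01-25T05:30:02Z fw1 DENY tcp 203.0.113.44:2231 -> 10.0.2.9:445',
    '2003-01-25T05:30:04Z fw1 DENY udp 198.51.100.23:1067 -> 10.0.2.7:1434',
    '2003-01-25T05:30:07Z fw1 DENY udp 192.0.2.88:1101 -> 10.0.2.12:1434',
    '2003-01-25T05:30:09Z ids1 ALERT "SQL worm propagation attempt" '
    'src=203.0.113.5 dst=10.0.2.7 proto=udp dport=1434',
    '2003-01-25T05:30:11Z fw1 DENY udp 203.0.113.61:1077 -> 10.0.2.7:1434',
    '2003-01-25T05:30:15Z fw1 DENY udp 198.51.100.9:1120 -> 10.0.2.7:1434',
    '2003-01-25T05:30:18Z ids1 ALERT "Web server probe" '
    'src=203.0.113.70 dst=10.0.2.20 proto=tcp dport=80',
    '2003-01-25T05:30:22Z fw1 DENY udp 192.0.2.130:1099 -> 10.0.2.12:1434',
]

if __name__ == "__main__":
    print(correlate(LOGS))
```

On the constructed lines the rule fires at the fifth distinct source, fifteen seconds into the burst, with the IDS alert already in the window; run with only the firewall lines it stays silent, which is the point of requiring two independent devices to agree before an action is recommended.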

My recommendation is that MSFT should look at partnering with security management software companies so its customers can take control of their security. Adding more firewalls, intrusion detection systems, and antivirus technology alone does not make an enterprise more secure. Without a highly intelligent software layer sitting on top of all of these devices and the systems and servers in an infrastructure, providing real-time monitoring, a company will be as secure as a building with lots of cameras and no one there to monitor them. One other reason for partnering with companies like netForensics is that MSFT has already taken a step into the management software arena with Microsoft Operations Manager (MOM), an area they were traditionally happy to let vendors like NetIQ handle on their own.