Wednesday, February 28, 2007

Blog Attack Prediction Comes True

Last week, in a series of blog entries and interviews, Ray Dickenson and I called attention to the possibility that blogs and RSS feed aggregators would soon become a new and powerful vector for malware.

Unfortunately, this week, that prediction came true - in the form of a new variant of the Storm Worm.

No one - not even the CEO of a security software company - likes to be right when it comes to predicting doom, but blogs and forums and RSS feeds were a disaster waiting to happen. Now, the cleanup must begin - and it will not be pretty: Not enough people will get the message in the short term, and because the effects will only be felt by end users, it is likely many blog operators will keep those open channels open - which may end up enabling a new form of malware syndication on an unprecedented scale.

Why is it important to act? As several people have recently commented, blogs are extremely important tools that enable the proliferation of free speech and political freedom, and the sharing of opinions from all over the world, and all sides of the political spectrum. The fourth-largest blogging population by language is Iranian, and much of what is discussed there involves the creation of a state representative of its young, progressive thinkers. We cannot allowing blogging to become untrusted - it is too valuable.

So what are the next steps? At this moment, it is unclear what examples of best practices exist with respect to blogging and forum sites, and RSS aggregation (gator) sites (I'd love to hear your opinions on what sites you think do represent good examples of best practices). Many of the sites that I visit seem to allow comments by default and load those comments right into the feeds - one of the main vectors by which other aggregating and distributing sites can be attacked.

One approach that we have been working on is going to be moved up the product roadmap for earlier release. Right now we have an RSS aggregator and blog creation widget in beta that has been hardened for this form of attack - it is code-named (and trademarked) SpinStream, and filters all streams in and out of the widget for malware.

This approach will work for delivery of RSS feeds and blogs to and from the desktop. Sorry for the inclusion of the commercial pitch (it isn't really that commercial because we're planning on making this app completely free) but we've been thinking about this for some time, and it might just be useful for someone.

In the absense of end point solutions and up to date malware protection (and kick-ass heuristics-based analysis, which is the only thing you can really rely on in these situations), owners of web-based forums and blogs should consider putting heuristics-based anti-malware engines on their servers, in-line with their feeds.

Bottom line: we need to protect our blogs. Community isn't just a buzzword, folks - for some populations (i.e. the Iranian student population), the blog *is* the community.

Tuesday, February 27, 2007


Some excellent detective work by Symantec's Ollie Whitehouse has uncovered a way that hackers can force Vista's User Account Control (UAC) to show an untrusted application as "trusted".

He has shown that a program core to the Vista legacy software support system - RunLegacyCPLElevated.exe - can be manipulated to display, within the UAC, the "trusted" color normally associated with a digitally-signed program - even when that program is clearly malware.

This is yet another reason why Microsoft should consider certifying Authentium's VirtualATM technology for Vista 64 bit. The only approach to solving the problem of trust is to "create trust" in a very focused and enforceable way within an essentially non-trustworthy environment, and protect all links in the chain.

I haven't got time to blog about the specifics of Symantec's discover now - but eWeek continues its excellent reporting on all things security and Vista-related with an article by Lisa Vaas on this vulnerability.

Sunday, February 25, 2007

A Unique Voice

I'm sitting at home watching the Oscars. I'm thrilled that Ennio Morricone has been given an Oscar at long last. He has written some gorgeous music over the years.

Once upon a time, almost two decades ago, I worked in a quite different industry - as an arranger and composer of orchestral and big-band music. My heroes were the great band leaders - Nelson Riddle, Henry Mancini and Russell Garcia (leader of the NBC Orchestra for many years) - and of course 20th century American composers Gershwin, Copeland, Glass (and virtually every major composer for American film).

Like Ennio Morricone, Mancini and Riddle (Frank Sinatra's conductor and arranger for several decades) were primarily known for their ability to create what we call in the trade "voicings" - essentially unique inversions of chords, and their ability to combine these "voicings" with even more unique combinations of instruments.

Think of Mancini's theme from "The Pink Panther" - have you ever heard anything close to that unusual combination of baritone sax, big band brass, woodwinds and strings since? Mancini did his employers a great service.

Not everyone thinks timbre/voicing is important. Years after I started arranging, I was accepted into the ABC Young Composers program in Adelaide. I was amazed one day to find my mentor placed timbre at the bottom of the list of things he felt most important - for those interested, timbre was listed after rhythm, melody and harmony - in that order.

I'm glad Morricone never took that course. Listening to Morricone's unique score for "A Fistful of Dollars", you are transported to one movie, one time, one place. It is unique. His music will be remembered - and will remain capable of transporting us out into the desert with Clint Eastwood - for many decades to come.

Note: speaking of Oscars and award-ceremonies, I enjoyed a great "movie moment" once many years ago. I had just arrived in my hotel room in Singapore after a long flight, and as I dropped onto my bed and flipped on the TV, the Emmy Awards came on and a voice announced "... and the award goes to... " and the name that followed was that of my old friend from Sydney (and a hell of a great composer/arranger), Ashley Irwin.

Turns out Ashley won his Emmy award for - you guessed it - his work arranging and rehearsing the Oscars. He was back at it tonight.

The (Criminal) Singularity is Near

Most of my recent weekends and plane flights have been spent reading "The Singularity is Near", Ray Kurzweil's excellent book on the exponential rise of technological progress. I have very much enjoyed the ride, and I believe that he is correct with respect to his predictions about where many of the world's engineering efforts are headed.

However, like too many visionaries and engineers, Kurzweil falls victim to the fallacy that "the good will outweigh the bad", and dismisses the idea that criminals will make use of technology in ways that may or may not be controllable. Take this quote from page 413:

"The fact that computer viruses are not usually deadly to humans only means that more people are willing to create and release them. The vast majority of software-virus authors would not release viruses if they thought they would kill people."

This is naive. Fifteen years ago, your typical virus writer was a student time-sharing on some university computer somewhere. While it is probably true that this kind of person can probably be assumed to be uninterested in causing physical harm, this view (and the view that all criminal efforts may ultimately be controllable) is years out-of-date.

Today, virus-writing is firmly under the influence of criminal gangs motivated by potentially massive financial gains (and, probably real soon now, by potentially massive military or political gains). And while many current threats may seem relatively benign, it is only a matter of time before the scales tip and criminals start regularly aiming hostageware and similar technologies at medical and military equipment, SCADA systems, and other critical pieces of infrastructure, in return for financial and military gains.

Let me argue by extension for a moment here. In the late nineteenth century, well-meaning scientists in Germany produced two promising new drugs. The first, cocaine, was first isolated (and named) by Albert Niemann at the University of Gottingen in 1859 (and later made famous by Sigmund Freud, among other medical practitioners). The second, heroin, first discovered in London, was commercialized by Bayer in 1898 ("heroin" was Bayer's trademarked brand name for the drug).

Both technology advances were predicted to advance civilization. The world applauded the arrival of cocaine and heroin - and, as with so many scientific advances, only good was predicted to come from these engineered developments.

However, mention either drug today and the feelings generated are almost universally negative. In both cases, criminals co-opted the technology and went on to create industries based entirely on criminal activity that generate untold billions today - industries that kill or maim an extraordinary number of human beings each year, and continue to prosper in the face of all attempts to eradicate them.

Maybe this is an unfair analogy. But at the close of writing my recent blog detailing the myriad ways in which malware creators make money, I drew a deep breath. With so much at stake financially and politically and militarily, it is becoming clear to me that we are just at the very beginning, not the end, of the malware-creation cycle.

The criminals are just getting started. As they become better educated, and better at engineering and targeting and distributing their creations - and we move towards the world of implanted software in our homes, our bodies, and even our minds, that Kurzweil describes - the financial stakes are going to become astronomical - on both sides.

Though-bubble: it isn't terribly hard to imagine that within a few years we will see a scenario involving a major world-leader being kept alive by a medical device running on software that receives updates via a network of some kind. What would a terrorist pay to upload their code to that device? Who, with access to that device, could be corrupted?

Let's not fool ourselves that software-based criminals will care anymore about human life than the crime lords involved in the drug trade do - at the end of the day, criminals care only about their own ends (money, power), not about the greater human good.

And it's not just the crime lords we need to keep in mind - let's not forget that many "good" citizens - pillars of the community; doctors, policemen, politicians, soldiers, lawyers among them - have been co-opted into drug-related criminal activities that cause human suffering and death, all because of money.

On page 107, Kurzweil quotes US Department of Commerce, Economics and Statistics Administration data that shows IT now accounts for 10% of domestic GDP spending. Let's hope that the "good citizens" of this fast-growing IT industry do better that the "old economy" industries when it comes to preventing assets from being co-opted by criminals.

Friday, February 23, 2007

65 Online Banks Attacked

The latest account hijacking scam to hit online banks was sophisticated and well thought-out. And, according to WebSense, quite effective - over 65 banks and transaction platforms were targeted in the scheme, including American Express, Barclays, eBay and Discover Card.

The scam involved an email promoting the news that John Howard, the Australian Prime Minister, was fighting for his lfie after suffering a heart attack. Clicking on the links in the piece led users to sites running code designed to deliver key-loggers and other credential-stealing technologies, fine-tuned to watch for credentials from over sixty financial institutions.

Our VirtualATM product would have protected every one of these customers from this attack - it was designed with these kinds of pharming/account hijacking attacks in mind and is capable of providing good protection, even if the user clicks through to the hacker site, and downloads the bad code.

By the way, I've met Australia's Prime Minister in person, and he's a nice guy, and extremely healthy. There are very few sixty-plus guys that are as fit as he is. I doubt we'll be hearing about him having a heart attack anytime soon.

Thursday, February 22, 2007

400,000 Malware Definitions and Counting

Our malware database just crossed the 400,000 mark. As proud as I am of our team and their hard work in this area, knowing that there are now more than 400,000 identifiable instances of malware is not exactly something any of us should celebrate.

Think about it. Let's assume the database contains a large amounts of "variants on a theme". At a twenty to one ratio (which is about right), our malware analysis engines, and the engines of other leading malware hunters, are facing the collective output of a football stadium's worth of criminal programmers. That's a lot of programing power.

I know what you're thinking: why do these programmers do this? How do they justify moving their considerable talents over to "the dark side"? The answer is, of course, "money." We all need to pay the rent and feed the kids. And maybe, just maybe, buy a big boat. Here's just six ways malware creators get paid:

1. Botnet creation. Old-fashioned spam.

2. Hostageware. Hostageware hackers focus on creating targeted forms of malware that enable them to slow down or interrupt the commerce infrastructure of an online auction house, casino, stock trading company, or retailer. Most of these hacks focus on denial of service attacks against published IP addresses - or if that fails, the IP addresses of their ISP - and it usually starts with a demonstration of capability. Once the capability has been demonstrated, the hacker calls the casino and asks for cash in exchange for uninterrupted service. Casinos and online trading houses must weigh the advantages of paying the hacker versus losing network access.

3. Phidgeting. Phidget (PHIshing using wiDGETs) attacks haven't yet entered the mainstream, but in a year or two, "phidgeting" could well become the number one form of attack. Why? Because nothing is more effective that a crime that goes undetected in plain sight. Phidgeting hackers have numerous tools available, including several desktop application-creation software engines that enable the creation and rendering of pretty-looking, branded widgets/gadgets that interoperate right in front of you, on the desktop, rather than deep in the operating system. When hackers combine a tasty widget with a fake banking URL and the trusted brand of a financial institution, the potential for stealing credentials is great.

4. Phishing. Has anyone on the planet not yet received an email from the deposed ex-Attorney General of a third world nation offering them thirty million dollars in return for their kindness, a vow of secrecy, and a few thousand bucks in "legal fees"?

5. VOIP-Based Caller-ID Spoofing. Criminals are starting to make use of IP phones programmed to display trustworthy references - the brand of your bank or your trading company - to call unsuspecting consumers to "verify" account details. The better scammers combine this capability with email phishing attacks that tell consumers *not* to trust their email because of the potential for abuse. These emails recommend calling the bank instead to "verify" their accounts have not been touched. According to some of the folks I spoke with at the RSA conference last week, these phone lines typically take you to automated IVR (Interactive Voice Response) recordings that answer in your bank's name and ask you to please enter your account number and PIN in order to speak to a customer service agent. Try to guess what happens while the music plays...

6. Account Hijacking (Zombie Trading). In November, both eTrade and TD Waterhouse reported that their clients had suffered $22m in losses suffered due to "zombie trading". For this hack, criminals hijacked a hundred trading accounts on the platforms and used these stolen credentials to drive up the price of several targeted stocks held by the criminals. Once the stocks reached their target price, the criminals purchased the stock using the hijacked accounts from their own accounts, at a massive profit. It has been widely reported that they made $22m on the trade. Was this a test for a bigger scam, involving tens or hundreds of millions? Let's hope these guys don't head over to the derivative counter anytime soon.

The most worrying stuff to me involves the criminal use of real accounts, "call center staff", real-sounding IVR recordings, and "in your face" branded desktop applications. Regardless of what has happened in recent years, consumers still trust brands - and human voices. I sense there is a ton of money still to be scammed via these vectors.

Wednesday, February 21, 2007

Brand Owners Need to Do More to Stop Spam

Spam, like cigarette smoke, is annoying. Lawmakers and lawyers have the power to reduce it, permanently, using similar methods.

Laws work best when the ultimate perpetrators of a crime are easily identifiable, the law is clear, and the penalties are heavy. We know who the assumed perpetrators of spam are - the shady distributors of products sold under major brands - products that may or may not be the advertised item. We know these spammers are criminals. But what about the role of the brand owners in all this? Are they the "ultimate perpetrators", or the victims?

In my view, spam persists because current laws target spam network operators directly, not third party spending by brand owners. I believe lawmakers need to step in and incentivize the brands owners to act against third party spending on spam networks, and unauthorized use of their brands - because brand owners are not exactly setting the world on fire when it comes to aggressive prosecution of spammers. Spam isn't exactly slowing down.

Why are brand owners not fighting spam more aggressively? The owners of the brands that show up in our inboxes oftentimes profit from the spam game, via increased brand recognition and the sale of their products. Is there really an incentive for brand owners to step in and stop all this advertising?

One way lawmakers could instantly reduce spam is to extend the CanSpam initiatives to all third party spamming actions involving brand marketing and require brand owners to "follow the money" and audit their sales and marketing channels for compliance. That's the first action that needs to take place - have brand owners account for not just their own marketing activities, but all third-party activity related to their brand, and the spamming of consumers.

The second thing that needs to happen is that shareholders need to start holding executives accountable for brand management - because one of these days, the patience of the consumer is going to run out, and these brands may suffer an extreme, or even fatal, loss of equity. Shareholders with an ability to think long-term may want to consider the negative effects of a rampant spamming campaign featuring their brand - and the current temperature of the public - and start asking questions of senior executives at their annual meetings.

Currently, brand owners don't do enough to protect these shareholder assets - few even attempt to stop spammers from using their trademarks - even spammers that use their brands to sell other products continue to abuse brands with impunity. And although some brand owners have filed law suits against known spam perpetrators, such actions are few and far between.

If brand owners don't act, I predict things will get even more interesting on the legal front. It isn't hard to imagine an increasing number of class actions against brand owners by consumers sick of spam. When the first lawyers were hired by people made ill from cigarettes, the lawyers didn't waste time suing their place of employment, or their doctor - they went "upstream" to the cigarette manufacturers, and as a result of those efforts, profits are now being redistributed from the tobacco companies back to those affected by their products.

It's a proven strategy. It has enabled the world to get rid of tobacco smoke in interior environments. The mere threat of this tactic worked to rid New York City fast-food places of transfats. This approach may even work to rid us consumers of spam. Stay tuned.

Brand owners, if you have not already done so, you need to start aggressively fighting the unauthorized use of your brands using the courts, and international copyright laws and trade agreements (need an example of best practices? Disney is great at fighting unauthorized use of their brands, worldwide.) Then you need to follow the money funding the spam campaigns that feature your brands, audit your marketing partners and distributors, put an injunction in place against non-compliant parties, and tell the world about what you've just done.

Become part of the solution - your brand will become more valuable as a result.

Really Simple Malware Syndication

Computerworld picked up on my latest blog about how RSS feeds are increasingly being used as malware vectors. They interviewed Ray Dickenson, our head of products, yesterday. Ray's answers, and Jaikumar Vijayan's excellent article, can be found here.

Saturday, February 17, 2007

Blog Droppers & Gator Spam: RSS as a Vector

RSS (Really Simple Syndication) cross-scripting hacks have been around a while - but until quite recently, RSS feed readers were not on enough desktops, and "gators" (RSS feed-aggregating web sites) were not well-visited enough to make either destination an appealing target for criminals. That is changing fast.

How fast? At the last Black Hat conference last October, Bob Auger of SPI Dynamics presented on how RSS feed hacking could potentially become more ubiquitous than spam - and potentially more harmful, because RSS feeds made up of blogs and "spiced comments" (i.e. comments laced with malicious script) can quite easily be used to deliver malware and other problems right to the desktop, especially when blogs or gators are created and managed by non-sophisticated admins.

Think for a moment about how many blogs enable unmoderated comments to be posted by their readers. Think about how many RSS readers are being downloaded every day, in the form of desktop widgets, or browser tool bars. Think about how many web sites there are out there that aggregate and publish every RSS feed they come across. The answer is: millions. How many of these sites and desktop technologies are wired to filter out scripts from these comments using human intervention or anti-malware engines before they reach the reader base?

Like many bloggers, when I see something I want to quote in someone else's blog, or in their RSS feed, or their comments, I copy and paste it, and write around it. Regardless if there are links or tags or images involved, or just text, I always make it a habit to take a peek into the html source before sending it on. But how many other bloggers check these web objects and links before they publish?

Inserting malicious code into the blogosphere is *way* easy if you're a hacker. Here's one way we're seeing it done - let's say I have Comments enabled on my blog site, and my RSS feed is set up to deliver those comments to you via a popular feed mechanism and a reader widget.

Now, let's assume that someone wants to use this feed to deliver a piece of malicious piece of script designed to download a keylogger or some other piece of malware onto my reader's PCs. All the person inserting the comments needs to do is to write a comment, drop some script in it behind an innoculous-looking URL, and voila - out goes the malicious script with my feed to every desktop reader and gator signed up for it.

Now, if your anti-malware engine is up to date, and your browser settings are well-tuned, you might catch it before it does any harm - assuming you choose the right button on the alert. But most likely, this is going to be a brand-new threat, not a repurposed piece of malware. In which case you'd better hope your zero day malware filtering technology is working, otherwise, you're going to end up hosed - probably by a dropper or a keylogger if you're a desktop user, or, if you're a gator, by a half-ton of pharmaspam.

Although some developers appear to be making strides in this direction (Bloglines is one of them), most RSS feeders and readers were not built with security foremost in mind - they were built to achieve ubiquity with one eye on style and efficiency. Many desktop readers are little more than extremely simple XML parsers wrapped in widget (or phidget) clothing, and many aggregation sites are worse - they use literally hundreds of technologies, many home-cooked.

This cannot stand - developers of RSS feeders, aggregators and readers need to start thinking seriously about establishing a certification standard for security, and feed injection prevention. In the meantime, popular feeders should consider pushing their RSS feeds through antimalware engines - the same way Yahoo and Hotmail started checking mail for viruses and spam post the tipping point of email adoption. This is not an expensive proposition - and would provide at least a starting point for protecting folks downstream.

Thursday, February 15, 2007

Don't Ask, Don't Tell

And speaking of Fox News, this statement from the Kelly Middle School Principal, Scott Fain, has him admitting that Amero reported the popups as a problem:

"Principal Scott Fain... said Amero was the only one to report such a problem. 'We've never had a problem with pop-ups before or since,' he said."

So Amero was "the only one" to report such a problem - and before that, there was no problem, and there hasn't been one since, as in "zero" pop-ups or porn. That must be a helluva filtering program they have installed up there.

Teachers, take heed. Reporting problems such as porn-inducing popups to the school principal could be hazardous to your career, your family, and your liberty. Best to say nothing - that's the lesson here.

"Popup Porn" Teacher Loses, Prosecutor Wins

Several weeks ago, we were alerted to the story of Julie Amero, the substitute teacher due to be sentenced on March 2nd in Norwich, Connecticut, for four counts of endangering a minor. Julie faces forty years in jail because hyperlinks embedded inside images on a web page she visited took her to a Russian sex site and then locked her classroom PC in a cycle of popups and new browser windows in the presence of seventh-graders.

As reported earlier, I have seen the javascript from the original web page and others we trust in the industry have studied the computer she used. We contacted Fox News and gave them this information and they have been diligent in reporting the story - yet one more story involving an ambitious prosecutor, a non-caring judge, and a less than diligent lawyer. Fingers are also being pointed now at the school IT administrator, who has admitted that the computers were not protected at the time.

At the trial, David Smith, the ambitious local Norwich prosecutor who brought the base, argued that it was possible to tell the mouse clicks leading to the URLs were made by a human with the intention of visiting a site. This is absolutely false. The javascript shows otherwise - there is no way of telling the images at would take you to a Russian sex site - short of right-clicking on the page, selecting "view source" and sorting through the code.

While Amero sits at home awaiting whatever amount of the forty year sentence she gets, the Norwich, CT prosecutor, David Smith, is now rumored to have been promoted. What's next, a shot at a House seat? We can only hope that the local newspaper and the more informed citizens of Norwich wake up sometime soon and start picketing this guy's house for a retrial.

Amero's career as a teacher is over - she has been convicted of four counts of endangering a minor. Smith's career as a prosecutor is on the rise. Does anyone think this is a just result?

Saturday, February 10, 2007

January Rocked

Our financial year starts Jan 1, so January is always a closely-watched month for us. Last month, we beat our January sales target handily, and development delivered everything on the list. It was a great month for both the sales team, and the developers.

I expect this upward trend to continue. Our fulfillment team conducted twice the number of installs of ESP Enterprise last month than in either of the previous two months, and evaluations are up 4x over December. If this trend continues, ESPE will become our largest-selling product this year.

Our ESP Small Business product is going great and the British Telecom rollout in particular is getting off to a great start. Our other large consumer ISPs are also trending upwards. And after a successful RSA, it looks like we will meet our SDK targets for 2007, based on the rising success of our OEM, gateway appliance and MSSP customers, including Astaro, IronKey, Microsoft, MX Logic, Postini and Secure Computing.

I'm also very pleased at the number of applications coming online now, for both ESP Enterprise, and Elements, the new consumer platform. This quarter will see the release of Kaspersky Labs, SurfControl, Authentium Firewall, Microsoft Exchange, and IBM SAAS application modules for the ESPE platform. That's a great collection of technologies to be releasing in one quarter.

Zero Day Analysis & Antivirus Rankings

One of the conversation threads prevalent right now is malware detection. Specifically, what methods should be relied upon to determine the success of an anti-malware product? Does it really make sense to rank AV products using signatures and years-old samples any more?

Clearly, the answer is "no". We need a better approach - one that purchasers can rely on to protect their systems from the threats of tomorrow. From a purchasing standpoint, ranking systems need to be truly informative. Most of the people that I talked to at RSA this week were not concerned about detection rates of viruses from five years ago - what they are looking for is a ranking system that can show them how the various antimalware companies deal with real-time detection of brand-new threats.

The guys who work on tuning the Authentium Antimalware heuristics engine understand this, and they are doing an incredible job. According to Robert Sandilands, our head virus researcher, our heuristics-based malware detection methods are stopping an increasing amount of malware on the fly - including 90% of everything we encountered in the wild on Jan 29th. See Robert's blog for the graph.

Signature-only systems are working overtime, locked in hand-to-hand combat with Warezov and Storm, the two worst pieces of malware currently circulating. Our guys are spending their time tuning the engine, with far better results, both in terms of detection and speed to market of protection.

Certifying authorities - it's time for a "zero day detection" bake-off. Let's see who's really got the goods when it comes to detecting malware.

Thursday, February 8, 2007

RSA Highlights

I really enjoyed the RSA Conference this year. It was crazy.

Tuesday was packed, but Wednesday was even busier - Doug and I had 12 meetings in eight hours, followed by a series of ten minute "power dating" sessions and demos at the show - during which I finally got to see some security technology.

Tim Shull of Crossbeam gave me a great overview of what the company is doing, and I finally got to see some of the boxes (us software guys ship stuff to the box guys all the time but rarely get to see them for real). Crossbeam and Authentium really do much the same thing - both companies enable choice, while focusing on quality of service: the difference is Crossbeam ships hardware packed with integrated technologies from multiple vendors to data centers, while Authentium ships integrated technologies from multiple vendors to end points.

Down the hall from Crossbeam, I met with Mike Lloyd, Chief Scientist of RedSeal. SC Magazine recently lauded RedSeal as "the only company that truly understands IT risks". The system is designed to enable discovery of potential vulnerabilities across the network, and view the impact of them from the standpoint of pathways through the entire system. It displays in detail where the vulnerabilities exist, and what devices could potentially be targeted or abused, and in what manner. It appeared to me to be an excellent tool for security consultants and auditors.

Scott Montgomery of Secure Computing pointed me over to Tarari, a company that focuses on accelerating the processing of data such as virus definition files. I can see why Symantec and our appliance and service providers partners are signing up up for this - the optimization rate differential shown in the demo was tremendous. Although our engine is already highly optimized, we will definitely be taking a look at joining Kaspersky on this platform.

At the CA booth, I took a tour through their new antivirus and antispyware enterprise management system and came away with a big smile. The Authentium system is light years better than CA's. Not only did the CA solution have a smaller feature set relative to our own ESP Enterprise Manager, but the CA solution manages just two end point applications - EZTrust Vet, and CA PestPatrol. Our system is capable of managing these, plus an unlimited number of additional soft blades from multiple vendors.

Finally, we met with analysts from several of the investment banking and business intelligence units. These guys seemed to be most interested in VirtualATM - and in our demo of "phidgeting" (PHIshing using wiDGETs - see my January post entitled "The Birth of Phidgeting).

Companies to watch? Authentium, of course. You could pick any aisle at the conference and walk down it and find an Authentium ESP partner. Ambiron Trustwave - what a great business model. SignaCert could be interesting - their approach to enabling trusted computing is elegant and timely. And of course Prevx, which has a very interesting behavioral analysis approach that I will personally keeping an eye on over the next year, as will Helmuth Freericks, our CTO.

Of course the real highlight was getting to hang out with Doug and Kirk and Ann and our partners after hours and get relaxed and get caught up. Following drinks with the guys from OPSWAT, we had a great night out on Tuesday with the guys from Microsoft, SurfControl and Sunbelt - and Brian Krebs, who writes a terrific blog on security for the Washington Post.

There was a great moment when the guys from Sunbelt Software won an award for Ninja - the product our AV engine sits inside. Drinks were on them for the rest of the night.

Note: Brian Krebs story on the public computer kiosks at the show running in full administrator mode (and the attendant risks) will be talked about for years - you can check out his story (and the picture) here.

Saturday, February 3, 2007

Managing IT Budgeting Decisions

Very few organizations are able to fund "the perfect IT security budget."

The majority of IT purchasers usually end up having to make some pretty tough choices - on one hand they need to satisfy all mandatory requirements, but they also need to ensure performance levels don't dip, and there are enough brands on display to satisfy non-IT guys that the IT organization is making sound choices. It's a tough, and often frustrating challenge.

We recently did a survey of our customer base and found that the top choice in the category of end point security remains "antivirus", but antispyware is catching up fast. Also high on the list were client VPN technologies, URL filtering, and image restore technologies. SSO, tokens, etc rounded out the list.

The buyers I know would love to be able to approach a single vendor with a purchase order for all of these technologies, however many branded solutions fall down in at least one or more areas of performance, putting the buyer into the situation of requiring at least two, and possibly more vendors, in order to get the mix of brands, performance and price that they require.

Of course you already know where I'm going with this - our ESP Enterprise end point security procurement and management platform includes a built-in multi-vendor store that enables IT buyers to "mix and match" software choices and make choices in each category based on brand, performance and price. These choices are guaranteed to be conflict-free, which frees buyers from the hassle of having to QA their choices prior to deployment.

A couple of years back, when we were just launching our ESP (Extensible Service Platform) solution, I went up to pitch for a large customer account (that we later won), and found a very gloomy bunch of people waiting for my pitch. It turned out no other vendors had offered them any choices, and this had negated the research they had spent months doing.

Thanks to ESP, we left the room with the deal, because we were able to enable each of their choices and allow them to manage their chosen combination of brands and great-performing, best-of-breed technologies using the ESP unified management infrastructure.