This article can also be found in the Premium Editorial Download "Information Security magazine: Symantec 2.0: Evaluating their recent acquisitions."
To Buy or Build
This new attitude and strategy at Symantec is not so much about securing systems and networks as it is about protecting the data that resides on those machines and ensuring that only the appropriate people, applications and processes have access to it. The Veritas purchase fits neatly into that line of thinking, as do a number of advanced projects the company has in the works.
To help shape Symantec into the enterprise software provider he wants it to be, Thompson and his executive team are relying on their tried-and-true method of innovation through acquisition. But they're also putting much of their faith in the company's growing internal research team.
That team is the domain of Stephen Trilling, vice president of research and advanced development, who runs the company's four research groups: core research, university, government and advanced concepts. Each group has its charter and operates somewhat independently, but they also work together occasionally and share ideas constantly. The more than 50 researchers the company employs get the chance to work on a lot of complex and interesting projects, but Trilling makes it clear that his is no pie-in-the-sky lab with indeterminate milestones and vague goals.
"We want every part of what we do to bring value to our customers," Trilling says. "Developing an entirely new product is expensive. We have millions of customers who expect a high level of quality. We keep tight reins on the projects, but we give people the freedom to innovate."
Probably the purest example of this idea is the advanced concepts research group. This team is designed to operate like a startup: Find a need for a product in an uncertain market, build it and ship it to a few adventurous customers to see how it holds up, and then see whether one of the Symantec business units is interested in adopting it.
Occasionally, one of the other research teams will transfer its projects to the advanced concepts group to get them customer-ready. One of the first products to emerge from this process is the company's forthcoming database security and auditing tool, an appliance-based offering that will hit the market in the next few months. The core research team created the technology and transferred it to advanced concepts, which got it into the hands of a few customers for evaluation.
The tool, Symantec Database Security, is essentially an out-of-band network sniffer that looks at a copy of the traffic going to and from the database. Like other similar tools, it has a learning mode in which it observes typical database traffic and learns which queries should be considered legitimate. It can then flag potentially malicious or abnormal database queries for follow-up. It also has a feature Trilling calls "extrusion detection" that can send up alerts whenever potentially sensitive data leaves the network. The first version will not be able to block malicious queries, however.
Although several vendors, including Lumigent Technologies and Tizor Systems, have had database security and auditing tools on the market for years, Thompson believes that building such technology in-house instead of going down the acquisition path has benefits for Symantec.
"[The research group] knew that no one was focused on that particular problem area and took a few of the technologies we had that were focused on the inside threat. The group said, 'Is there something we could do that would move our technology closer to where the data is being managed that would allow us to deliver better protection?'" says Thompson. "They came up with this idea, they prototyped it, they worked with some customers, and it's worked its way through the cycle and will become a part of a business unit. It's transferred from the research lab to the business unit, and they sustain it in the marketplace as part of the broader enterprise security strategy."
CareGroup Healthcare System, a Boston-based management company that runs three hospitals in the city, has been testing Database Security since its alpha phase, and administrators at the company are pleased with its simplicity and effectiveness. Thanks to HIPAA, the auditing and security requirements have multiplied exponentially in recent years, and Ayad Shammout, lead technical database administrator at CareGroup, was making do with a patchwork of native database tools and custom scripts he and his team had written over the years.
"We're trying to get to the point of maximizing security and availability without adding any overhead to the system. The big advantage [of Database Security] is that it runs in passive mode, so I don't have to worry if we add another server. It's automatically protected," Shammout says. "We've set up a custom policy that alerts us when someone queries a particular column or field with patient data in it, so we can go back and see who did that and when. It's very simple. You don't have to be a security expert."
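An added sketch, not Symantec's code or the product's actual design, of the learning-mode baseline described above for Database Security and the column-access policy Shammout describes: each mirrored query is reduced to a literal-free shape, shapes seen during learning are trusted, and later queries raise an alert if the shape is new or a watched column is named. The table, column and user names and the sample queries are constructed for illustration.

```python
import re

# Constructed samples and policy; every name here is an assumption for illustration.
SENSITIVE_COLUMNS = {"ssn", "diagnosis"}
TRAINING = [
    "SELECT name, room FROM patients WHERE id = 17",
    "UPDATE visits SET status = 'closed' WHERE visit_id = 903",
]
LIVE = [
    ("app", "select name, room from patients where id = 4402"),
    ("jdoe", "SELECT name, ssn FROM patients WHERE id = 17"),
    ("app", "SELECT name, room FROM patients WHERE id = 1 OR 1 = 1"),
]

def fingerprint(sql):
    """Reduce a query to its shape: literals replaced, case and spacing folded."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)              # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)             # numeric literals
    s = re.sub(r"\(\s*\?(?:\s*,\s*\?)*\s*\)", "(?)", s)  # IN lists of any length
    return re.sub(r"\s+", " ", s).strip().lower()

class QueryMonitor:
    def __init__(self, sensitive_columns):
        self.baseline = set()      # query shapes accepted during learning
        self.sensitive = {c.lower() for c in sensitive_columns}
        self.learning = True

    def observe(self, user, sql):
        """Return (kind, user, detail) alerts for one mirrored query."""
        fp = fingerprint(sql)
        if self.learning:
            self.baseline.add(fp)
            return []
        alerts = []
        if fp not in self.baseline:
            alerts.append(("new_shape", user, fp))
        # Name match only: SELECT * would need the schema to resolve columns.
        touched = self.sensitive & set(re.findall(r"[a-z_][a-z0-9_]*", fp))
        if touched:
            alerts.append(("sensitive_column", user, sorted(touched)))
        return alerts

def run_demo():
    mon = QueryMonitor(SENSITIVE_COLUMNS)
    for q in TRAINING:
        mon.observe("app", q)
    mon.learning = False           # switch from learning to monitoring
    return [mon.observe(user, q) for user, q in LIVE]
```

The column alert fires even when the query shape is already in the baseline, so routine access to patient fields is still recorded with the user who made it.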
This was first published in November 2006