Is your vision unified threat management?
I'm talking about unified controls -- threats, risk, access and management -- horizontally across a distributed network, and really tying together the concept of "lights-out security," where things are driven intuitively and intelligently across the network as opposed to by humans reacting to events, alarms and alerts. It's all strongly vested in our preemptive security message, which says that by the time a human reacts, it's too late: By the time a threat manifests itself, it's too late. So the concept of "lights-out" is heavily vested in automation.
Do I need to buy lion, tiger and bear traps? Do I really need standalone [technology to combat] spyware, spam, viruses, Trojans and worms? Or can I begin to have those as features of a robust intrusion prevention platform? The operative term is this concept of prevention. The difference is intelligence. They all do the same thing. They sit on the network or the host, they all open up a packet and they all look at it. One is looking for viruses, the other worms, the other Trojans. IT executives are going to have a choice. They can buy a lion, tiger and bear trap, and after that, they'll buy a spider trap, and then a mouse trap. Or they can feed a platform that already opens up and looks at a packet preemptively.
What will be the lions, tigers and bears of 2006?
They will be mobile-oriented threats that are not necessarily viruses, like MMS executables. They will be heavily vested in application-level exploits, so they won't look like viruses and won't be visible to the transport- or network-layer filters. These are things that compromise Web applications and ERP apps. I believe you will see an uptick in zero-day exploits, which render the legacy signature-based security infrastructure almost useless.
How has the zero-day exploit changed your business?
The zero-day exploit was how this business was founded 10 years ago. We began with a belief that if you could fully research the vulnerability and understand the vulnerability, you could build the equivalent of a protective shield for that vulnerability without knowing the signature. Zero-day exploits have become extremely problematic for both customers and traditional security vendors who rely on signatures. The reason is simple: If they haven't seen it, they can't write the signature. If they can't write the signature, their customer is vulnerable to that exploit. Our concept is to proactively and preemptively research vulnerabilities in widely deployed infrastructures and build their complement -- the intrusion prevention platform to detect and prevent against zero-day exploits. All of the next-generation systems have to analyze executables on the network and the host in a behavioral pattern -- again not a signature, but a way to watch the behavior of the attachment or executable. If the behavior is bad, you shouldn't allow it.
Network providers like Cisco are baking more security features into their routers and switches. What does that mean for ISS and the future of intrusion detection?
First, Cisco has been our largest competitor since 1995. We've built this entire company in the shadow of Cisco. I don't think there's a single customer I do business with that doesn't have a Cisco infrastructure. There's always discussion of Cisco "getting into security," but Cisco's been in it for 10 years at least.
Second is the debate over whether security can be entirely built into the network infrastructure. There are a handful of things that can be done in the routing infrastructure, and there are lots of security things that cannot be done, including host-based and application protection. The router just doesn't see that. So, I don't believe technically you will ever be able to do that as long as we have the TCP/IP that we use today and the IPv4 or v6 that we use.
Former ISS researcher Michael Lynn disclosed a Cisco IOS vulnerability last year and lost his job. The story was widely reported. Did the media get it right?
I can't say whether I think the media got it right. I read a handful of reports. Most of the reports I read, unfortunately, I thought were patently biased.
Biased toward whom?
Biased towards an opinion that Cisco is a bully. There is a very simple position with ISS: We hold our employees to a certain standard in terms of confidentiality, and we felt the [Cisco IOS] research was not complete, which it was not. And, we asked our research engineers not to disclose ISS intellectual property. This had nothing to do with Cisco; it's not Cisco's intellectual property. If we went to market and talked about everything we have in research right now, we would scare the whole world. We work responsibly with vendors so they can repair these vulnerabilities before they disclose them. It would be irresponsible for us not to have enormous discipline for the process by which a vulnerability is disclosed. We would only aid and abet the bad guys.
How do you think Microsoft handled the recent flap over its Windows Meta File flaw and the perceived delay in releasing a patch?
In our case, our customers were already protected. Going back six months, we had built the protective shield in our Proventia platform. We always like our vendor partners to get their patches out as soon as they can, but we fully understand that is about 5% of the battle. Companies have to take these patches into their labs and test them with the different operating systems, and, in most cases, they cannot get them deployed even if they have them because of the production servers and because all our businesses are online.