Interview with Alan Shimel, CSO StillSecure

Interview with Alan Shimel 

Alan Shimel is the Chief Strategy Officer at StillSecure.  

About StillSecure

StillSecure delivers network security solutions that protect IT business infrastructure. The integrated StillSecure suite includes solutions for network access control, vulnerability management, and intrusion detection/prevention (IDS/IPS). StillSecure manages and reduces risk from network attack and noncompliance for some of the largest organizations in the healthcare, financial services, government, and education sectors.  

Ravi> Alan, can you elaborate a little more about StillSecure? 

Alan> StillSecure is a 6 year old company. Early on we decided to build a suite of security products based on a layered security process. Making a better firewall or a better anti-virus gateway was not what we thought was needed; instead we decided to focus on the following suite of products: 

    Strata Guard (IDS/IPS): The product is about 4 years old. Strata Guard leverages open source components (the Linux kernel and MySQL) plus some of our own proprietary features in an easy to use, efficient solution. 

    VAM (Vulnerability Management): This product ships with a Nessus scanner but can also work with multiple third party scanners. VAM automates network discovery and scanning, and manages remediation through verification and reporting.  

    Safe Access (Network Access Control): The product uses a “guilty until proven innocent” access model to protect the network. Endpoints are quarantined initially; once the endpoints pass the test they are moved into the regular network. The hottest area we are seeing today is the Network Access Control market. 

Ravi> I read on your website that Strata Guard significantly reduces false positives – I am impressed, how does Strata Guard accomplish this? 

Alan> False positives are the biggest problem around IDS/IPS. Rather than build a new IDS engine we used Snort and leveraged our resources to focus on how to reduce false positives and make IDS/IPS more effective while reducing admin time. We have several layers of technology that help reduce false positives: 

    QuickTune: We start by analyzing your network to enable/disable certain rules as they relate to your network environment. This eliminates the bulk of false positives an admin would see. 

    Intelligent Profiling: Signature matching coupled with the ability to correlate factors such as time of day and the IP an attack is originating from provides the ability to identify real attacks vs. false positives. 

    Accessible Device Protection: Network awareness allows Strata Guard to know where devices are plugged in and where inbound attacks are targeted. 

    Vulnerable Device Protection: Working with our vulnerability management product, VAM, Strata Guard is able to maintain an awareness of which devices on the network are most vulnerable to attack. 

All of the above technologies give us the ability to drill down from the following process: first taking action if I see an attack, second to focus on an accessible device and third to take action on a vulnerable device. This level of correlation certainly takes us a long way to eliminate false positives. 
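The layered process Alan describes, as an added Python example that is not StillSecure's code: Snort "fast" alert lines are parsed, alerts from rules that tuning disabled are suppressed, and the rest are tiered by whether the targeted port is actually reachable on the host and whether vulnerability-scan findings mark that host vulnerable to the matched signature. All sids, hosts, ports and findings below are constructed, and the time-of-day profiling factor is left out.

```python
import re

# Constructed sample input: three Snort fast-format alert lines (not from the page).
ALERTS = """\
02/14-10:22:01.123456  [**] [1:1000001:1] WEB-ATTACK sample sig [**] [Priority: 1] {TCP} 192.0.2.10:4021 -> 10.0.0.5:80
02/14-10:22:05.654321  [**] [1:1000002:1] SSH brute force sample [**] [Priority: 2] {TCP} 198.51.100.7:5123 -> 10.0.0.5:22
02/14-10:23:10.000001  [**] [1:1000003:1] SMB sample sig [**] [Priority: 1] {TCP} 203.0.113.4:4444 -> 10.0.0.9:445
""".splitlines()

# Environment knowledge each layer consumes (all constructed for this example):
ENABLED_SIDS = {"1000001", "1000002"}                  # tuning: sids left on for this network
LISTENING = {"10.0.0.5": {80, 443}, "10.0.0.9": {22}}  # accessible-device awareness: open ports
VULNERABLE = {"10.0.0.5": {"1000001"}}                 # scanner findings, keyed by the sid they map to

# Fields of a Snort fast alert: [gid:sid:rev] msg [**] ... {PROTO} src:sport -> dst:dport
FAST = re.compile(r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?\{\w+\} "
                  r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(line):
    """Return the alert's sid/msg/src/dst/dport as a dict, or None if the line is not a fast alert."""
    m = FAST.search(line)
    return m.groupdict() if m else None

def triage(line):
    """Map one alert to a tier: None = suppressed, 1 = log only, 2 = investigate, 3 = act."""
    a = parse(line)
    if a is None or a["sid"] not in ENABLED_SIDS:
        return None                      # rule disabled for this environment: nothing shown
    if int(a["dport"]) not in LISTENING.get(a["dst"], set()):
        return 1                         # signature matched, but nothing listens there
    if a["sid"] in VULNERABLE.get(a["dst"], set()):
        return 3                         # accessible AND known vulnerable: take action
    return 2                             # accessible but not known vulnerable: investigate

def triage_all(lines):
    """Tier every alert line; returns (sid, tier) pairs in input order."""
    return [(parse(line)["sid"], triage(line)) for line in lines]

if __name__ == "__main__":
    for sid, tier in triage_all(ALERTS):
        print(sid, tier)
```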

Ravi> Strata Guard seems to do everything: it uses signature based detection and anomaly detection, and it comes as software as well as an appliance? 

Alan> Strata Guard uses a Snort IDS engine. Snort is primarily a signature based IDS engine. A few years ago signature based engines were clearly dominant as we listened to the market and to the customer. Recently, anomaly detection techniques have been refined and moreover customers demand quality. If one IDS/IPS does signature based and the other IDS/IPS does anomaly based, correlation between them will be a challenge. The future of IDS/IPS is a blended approach like we use in Strata Guard. It does not mean we do as good a job as a pure-play behavior based solution at detecting behavior anomalies alone, but we built in key behavior anomaly and protocol analysis ability. By this, customers get the best of both worlds. People who argue signature vs. anomaly are like one religion fighting another; it’s a no win situation. Also, Strata Guard comes as a software appliance (CD) as well as a pre-loaded appliance, which provides flexibility for our customers. 

Ravi> There are 600+ security startups out there; how does StillSecure differentiate itself from other startups? 

Alan> In fact there are 800+ security startups. StillSecure has a strong pedigree. This is the fifth venture backed company for Rajat Bhargava, our CEO. Rajat has a strong record of success. I too have been involved in many companies and together we know what it takes to build a successful company. We lived through hard times in the market like the bubble burst and 9/11, which forced us to become stronger. Most security startups have a point solution (or just have one product). StillSecure, on the other hand, has a suite of products built around what we call our Enterprise Integration Framework. We interoperate and integrate with third party products and have more than a single API. The whole framework uses HTML/Java and XML APIs, which helps to leverage existing investments. A good example of this is our Vulnerability Management Platform, VAM, which is not just a scanner but an entire management console acting with other third party scanners. StillSecure targets medium to large enterprise corporations as well as government, private and public sectors. We are seeing phenomenal growth with each of these verticals. 

Ravi> What is your vision about StillSecure in five years?

Alan> I wish I had a crystal ball Ravi. Obviously, we did not build this company for a quick exit. We wanted to build a great company. The market keeps changing and evolving and we would like to expand the suite to offer more products to fit these evolving needs. We would also like to make the products even more interoperable. 

Ravi> Thanks a lot Alan. I wish you and StillSecure continued success! 

If you would like to know more about StillSecure please visit www.stillsecure.com. Alan has an interesting blog, check it out at http://ashimmy.typepad.com/ 

Meeting with Ari Takanen - CTO, Codenomicon

I was very fortunate to meet with Ari Takanen and Steve Guruwaiya. Ari is the CTO of Codenomicon. Steve is the Business Development Manager at Codenomicon. The discussion centered around Ari's thoughts about security.

Ari is based in Oulu, Finland, which is just 100 miles away from the Arctic Circle. Steve is based in Silicon Valley.

Codenomicon develops and markets state-of-the-art software testing tools for proactive elimination and prevention of security vulnerabilities. Codenomicon test tools are available for a wide range of protocols and file formats.

Ari's thoughts about Codenomicon
-------------------------------------------------
1. Codenomicon started as a testing company in 2001; it is an offshoot of the PROTOS project (1999-2001). Codenomicon founders have been researching the topic of security testing since 1996.

2. The Codenomicon product employs a software engineering approach, which treats security as a part of quality. Security is built into the framework of a product rather than being treated as an afterthought.

3. Codenomicon performs regression testing. Automated nightly builds and nightly security tests can be implemented.

4. The Red Hat team used the Codenomicon tool to test Apache and OpenSSL, and they worked with the UK government body called NISCC to correct the problems found. More information on this can be found at: http://www.google.com/search?q=niscc+codenomicon

5. Codenomicon is uniquely positioned to discover security bugs in a vendor's product before the product reaches the customer. Bugs found in a vendor's product at the customer site are very expensive.

6. Cisco is one of the customers for Codenomicon; there are other leading companies who have integrated Codenomicon into their development methodology. Here is a list of customers using Codenomicon.

Ari's thoughts about security
---------------------------------------

1. The big issue is that there is no formal training for software developers in security except in some large companies. Software developers tend to make similar mistakes. They also make new mistakes, and the same vulnerabilities re-appear.

2. For vendors with mature security engineering practices, the testers can actually find up to 75-90% of all security flaws during QA, leaving the hackers behind in both skills and tools. It is the media that creates the false impression that hackers are somehow skilled at finding security flaws. They just damage the security of all products and networks by publishing those flaws, enabling the attackers to abuse the flaws. What I am worried about is the companies that have neither the hackers in their ranks, nor the tools like ours in their testing phase.

3. The laws that are being enacted currently are pushing companies to use the best possible product development process. Companies can be sued for being negligent.

4. There is a lot of media buzz around thousands of viruses, of which only 1% have significance.

Ari's advice to software developers
------------------------------------------------
Employ out-of-the-box thinking - How is similar code implemented in other projects? Correlate, leverage and network with other developers. Be sensitive to feedback from customers. Last but not least, Ari thinks that software developers need to be trained in secure software development methodology.

Thanks to Ari and Steve for their time. Thanks to Steve for arranging this meeting. For more information about Codenomicon, please visit: http://www.codenomicon.com

Interview with Ajit Patankar, SOX IT Consultant

Ajit Patankar is a SOX IT consultant. Ajit is an entrepreneur with a strong technical research background. Ajit received a B. Tech from the Indian Institute of Technology, Bombay and a Ph.D. in Information Systems from the University of California, Berkeley.

Interview
-----------
Ravi -> Why is SOX compliance important for companies?
 
Ajit -> If a company passes the SOX audit successfully, they get a higher valuation by Wall Street. If a company does not pass the SOX audit, Wall Street will take away valuation from the company.
 
Ravi -> Recently there was a news item about some legislators banding together to derail SOX, will that happen?
 
Ajit -> The probability of such an event occurring is very low. In 2004, corporations experienced the "first time" cost of compliance; the cost of SOX compliance will be lower going into the future. Many CFOs and Board Members realize that SOX has achieved the goal of integrity in the financial reporting system and it is here to stay.

Ravi -> How does Biztrol differentiate itself from other vendors in the SOX space?
 
Ajit -> Many other vendors implement compliance by taking an existing product and putting a veneer of compliance on it. Biztrol's product has compliance built into the framework. Also, the hosted ASP model provides Biztrol a high degree of flexibility.

Ravi -> Can a person with information technology background become a SOX consultant?
 
Ajit -> SOX 404 is an area which needs a lot of background in finance. People with the right stamp in business and finance (like working for one of those big consulting companies) are leveraged in this area.
 
Thanks for your time Ajit.