ISS discusses its security procedures

Internet Security Systems Chairman, CEO and President Tom Noonan says customers increasingly are looking for security platforms that do two basic things: Let the good guys in and keep the bad guys out. He spoke with Network World's Editor in Chief John Dix and News Editor Bob Brown. Here is an edited transcript of Noonan's thoughts on a host of topics.

Platforms vs. best-of-breed products

Today the argument is more platforms vs. suites. Best-of-breed product companies don't exist in any way, shape or form anymore. The vast majority of our customers are asking us to do more. They can't maintain all these relationships with tiny security companies. Point products don't address the evolution of threats on the network either. The industry has been reacting for over a decade in a short-term, pragmatic way to new threats. When the threat was spam, we had an anti-spam device. When we discovered spyware, we got anti-spyware products. Next year when the threat is lions, tigers and bears, we'll have anti-lion, anti-tiger and anti-bear products. But I have corporations saying: Time out. I can't keep adding another box on each network connection or another software application on the desktop. That's why we're offering a system to control any kind of threat and that's extensible.

Building a platform from the ground up

We've built Proventia from the ground up as a platform, something that makes us unique. The people we compete with that are very good in their disciplines -- Cisco, Juniper, Symantec, Network Associates -- have built their security solutions through acquisitions. We have made acquisitions, too, but have not marketed one of those acquired products as we acquired it. We've taken the intellectual property and rebuilt the technologies we've acquired within the Proventia architecture.

That has cost us from an R&D perspective. But the benefit is that all of our offerings have a similar look and feel, with integrated reporting, data and policy systems. Others like Cisco are mashing their acquired products together. But if you've ever run a network, mashed together enterprise products tend to deliver mashed together performance.

What ISS is actually selling these days

There's no question that we are selling IPS systems and a whole bunch of other stuff [and not just platforms]. The challenge in this strategy is a simple matter of economics. Customers have invested millions of dollars in point security products and no company likes the idea of ripping everything out to put in a platform. It's a step-by-step approach to enterprisewide protection, and for us, it usually starts with the customer installing IPS systems.

Cisco's argument that security is best built into the network

They're right. I preach at that altar. You've got to consider this as a whole. The good thing for us is every customer I go into has Cisco, Juniper, Microsoft, Linux, SAP, Oracle or some mix of that. You will never solve the problem of securing all that through a feature in a router. You can't tell me that a company capitalized with 37 Visa cards and US$2.4 million in venture capital investment 10 years later could be competing so successfully vs. Cisco if Cisco got it right.

We've built a $350 million company in the shadow of that tree. Now if the entire world goes Cisco and the others all go out of business, then yes, you can solve all this with a feature [in the router]. Keep in mind that we all have access to the network, not just Cisco. It's not access to the network that is key to security, but access to the packet, and I have equal access to that whether it's on a wireless, land-based or virtual LAN network.

Cisco as the company to beat in security

No one wakes up in the morning and says I want to compete with Cisco or Microsoft. But they've forced us to focus better. But still, that kind of gorilla can suspend decision making for a while on the part of the buyer. But most people are beyond waiting for them.

Application-level security

There are two types of application-level security that come to mind. Security for proprietary applications and security for HTTP-oriented ones. We are building systems for both. Most people are not doing the former. Our X-Force [R&D group] for a long time has been taking off-the-shelf applications that our customers are running, like those from Oracle and SAP, and beating on them, reverse-engineering them to find vulnerabilities and then building protective shields into our products. Pre-emption is key, as we don't need to wait for a threat to come out as has been the case with signature-based anti-virus plans.

Going beyond single sign-on and public-key infrastructure (PKI)

What will be new over the next few years is the coming together of systems that let the good guys in and keep the bad guys out. These two security areas have evolved in totally stovepipe fashion. There have been too many keep-the-bad-guys-out companies [firewall, IDS, anti-spam, etc.] companies to speak of. Then you have the let-the-good-guys-in approaches such as single sign-on and PKI, which have been absolute disasters. They've been too hard to do - implementing single sign-on has been like birthing something unnatural. PKI cost way too much. The next generation way to solve these problems is by bringing the two types of security together on a platform that is integrated with a directory system that is completely independent of the infrastructure. This way you don't need to go in and make changes to applications.

Threats on the horizon

One of the things we were extremely concerned about with the recent Black Hat affair [a flap occurred when a now former ISS employee shared company research on a Cisco vulnerability without gaining ISS permission ] was trying to protect our intellectual property. I think you're going to see a whole new generation of [Cisco] IOS-oriented problems. When you have the ability to remotely control the routing infrastructure you have power.

I see continued problems with identity theft. [Traffic related to this] typically comes across as low and slow on the network ingress and big and fat on the egress. Oftentimes it's difficult to detect where the compromise occurred, but you can see the data moving out of the network. That's a huge anomaly. This is a threat because there's real money in this.

We'll also see more application-level hacks. It's a cinch to go to a Fortune 1,000 company and find Oracle, PeopleSoft or SAP applications, from which you get a whole new point of entry into a network.

There's also the concept of hybrid, automated-type threats. Bot nets are intriguing because they can allow bad guys to disrupt networks, compromise data, steal information, and do so in an automated and scalable way.

Foregoing patching

I have lots of customers who will say we patch on our own schedule, knowing that we have the protection. I don't know that you'll find ISS proactively advocating don't ever patch.

Join the newsletter!

Error: Please check your email address.

More about CiscoGood GuysInternet Security SystemsIPSISS GroupJohn DixJuniper NetworksMicrosoftOraclePeopleSoftSAP AustraliaSecurity SystemsSymantecVisaX-Force

Show Comments