RealTime IT News

Security Vendors Debate the 'Arms Race'

MONTEREY, Calif. -- With the rise in attacks, from malware and phishing to assorted viruses and identity theft, it's no wonder the market for security software and services is booming. And with no one-size-fits-all security solution, there's plenty of opportunity for new entrants and established players to drive new revenue streams.

One example of the growth: Out of about 3,000 companies Opus Capital evaluates annually for investment, 500 are security-related. Of those, "we invest in about 10," said Ken Elefant, founding partner of Opus.

He noted that security is one sector where enterprise customers are willing to buy from startups, particularly if they have differentiated technology. "If a startup can prove it has a better solution to address a security issue, the sales cycle can be quite short," he said.

Elefant spoke on a "Security Arms Race" panel of security vendors and investors here at the Red Herring conference. Another speaker, Oliver Friedrichs, director of emerging technologies at Symantec, said startups and relatively small security companies can provide useful solutions for specific problems, but that most enterprise customers prefer dealing with a larger established company.

"Companies have been burned by startups who over-promise," Friedrichs told internetnews.com.

He also conceded companies that have been victimized by an attack, particularly in the finance and government sectors, are anxious to get the problem resolved by whatever vendor can prove it has an answer. And there's a lot of anxiety out there.

"If you're an e-commerce site, it's not 'Do you have vulnerabilities?' it's 'Where are they?'" said Jeremiah Grossman, founder and CTO of WhiteHat Security.

WhiteHat has one of the more daunting security challenges. Rather than plugging leaks where security holes arise, WhiteHat does Web site assessment, looking for potential threats in new Web sites and services that companies launch or are preparing to launch.

Grossman said you can't find unique or previously unknown vulnerabilities in a lab effectively. "We learn one Web site at a time," he said. "Our assessments are similar to what a hacker might try to do." The company conducts about 600 assessments a week for various clients, including what he said were well-known brands he's not at liberty to disclose.

Before WhiteHat, Grossman was an information security officer at Yahoo, where he saw the scope and depth of attacks firsthand. "The No. 1 problem [at Yahoo] was dealing with the sheer size of attacks," he said. "None of the security technology would ever scale to address it all."

Amrit Williams, CTO at BigFix, added that even a combination of so-called best-of-breed solutions can be problematic for IT departments. "When you're talking about antivirus, to data leakage, to compliance widgets, to identity theft -- and trying to manage it all -- most organizations just can't because you have eight different solutions that aren't all designed to scale."

Friedrichs of Symantec agreed. "We know we don't have the best applications in all areas, but they're all competitive. The benefit is the integration and having a single source of support."

He noted Symantec also has a consulting group that builds custom security products for certain large customers and has helped some governments set up their own security operations center.

While there may always be new security threats, Niloo Howe, managing director of Paladin Capital Group, said there are structural and behavioral issues that worsen the situation. For example, she said that 80 percent of identity theft is enabled by avoidable errors.

"The issue is you have systems built without security in mind. And then you have a global supply chain, which increases the capability of injecting malicious code."

She said Paladin's investment strategy was to "get out of the whack-a-mole syndrome" of solutions that fix one threat only to have another take its place. "We want to get ahead of this super-evolving list of threats."