Security Vendors Debate the ‘Arms Race’

MONTEREY, Calif. — With the rise in attacks, from malware
 and phishing  to assorted
viruses and identity theft, it’s no wonder the market for security software
and services is booming.
And with no one-size-fits-all security solution, there’s plenty of
opportunity for new entrants and established players to drive new revenue
streams.

One example of the growth: Out of about 3,000 companies Opus Capital
evaluates annually for investment, 500 are security-related. Of those, “we
invest in about 10,” said Ken Elefant, founding partner of Opus.

He noted
that security is one sector where enterprise customers are willing to buy
from startups, particularly if they have differentiated technology. “If a
startup can prove it has a better solution to address a security issue, the
sales cycle can be quite short,” he said.

Elefant spoke on a “Security Arms Race” panel of security vendors and
investors here at the Red Herring
conference. Another speaker, Oliver Friedrichs, director of emerging
technologies at Symantec , said startups and relatively
small security companies can provide useful solutions for specific problems,
but that most enterprise customers prefer dealing with a larger established
company.

“Companies have been burned by startups who over-promise,” Friedrichs
told internetnews.com.

He also conceded companies that have been victimized by an attack,
particularly in the finance and government sectors, are anxious to get the
problem resolved by whatever vendor can prove it has an answer. And there’s
a lot of anxiety out there.

“If you’re an e-commerce site, it’s not ‘Do you have vulnerabilities?’ it’s
‘Where are they?'” said Jeremiah Grossman, founder and CTO of WhiteHat Security.

WhiteHat has one of the more daunting security challenges. Rather than
plugging leaks where security holes arise, WhiteHat does Web site
assessment, looking for potential threats in new Web sites and services that
companies launch or are preparing to launch.

Grossman said you can’t find unique or previously unknown
vulnerabilities in a lab effectively. “We learn one Web site at a time,” he
said. “Our assessments are similar to what a hacker might try to do.” The
company conducts about 600 assessments a week for various clients including what
he said were well-known brands he’s not at liberty to disclose.

Before WhiteHat, Grossman was an information security officer at Yahoo
 where he saw the scope and depth of attacks first
hand. “The No. 1 problem [at Yahoo] was dealing with the sheer size of
attacks,” he said. “None of the security technology would ever scale to
address it all.”

Amrit Williams, CTO at BigFix, added that even a
combination of so-called best-of-breed solutions can be problematic for IT
departments. “When you’re talking about antivirus, to data leakage, to
compliance widgets, to identity theft — and trying to manage it all — most
organizations just can’t because you have eight different solutions that
aren’t all designed to scale.”

Friedrichs of Symantec agreed. “We know we don’t have the best
applications in all areas, but they’re all competitive. The benefit is the integration and having a single source of support.”

He noted Symantec also has a consulting group that builds custom security
products for certain large customers and has helped some governments set up
their own security operations center.

While there may always be new security threats, Niloo Howe, managing
director of Paladin Capital Group, said there are structural and behavioral
issues that worsen the situation. For example, she said that 80 percent
of identity theft is enabled by avoidable errors.

“The issue is you have
systems built without security in mind. And then you have a global supply
chain, which increases the capability of injecting malicious code.”

She said Paladin’s investment strategy was to “get out of the
whack-a-mole syndrome” of solutions that fix one threat only to have another
take its place. “We want to get ahead of this super-evolving list of
threats.”

News Around the Web