Websense CEO Gene Hodges on attack vectors, the future of AV and the malware arms race
Gene Hodges, CEO of Websense, has had a busy year. The company has integrated the acquisition of SurfControl, built out its security suite and delivered strong financial results.
By the end of 2007, Websense (all resources) was ahead of schedule on its integration plans--the company also acquired PortAuthority Technologies--and delivered better than expected fourth quarter results. The company had a net loss of $14.5 million in 2007 due to the SurfControl purchase on revenue of $211 million. Websense also issued a strong outlook for 2008.
I recently spoke with Hodges about emerging security trends, the data loss prevention market and the new breed of malware attacks.
Among the highlights of our conversation:
On Websense's strategy: Hodges said that the company's goal for the last 18 months was to build a product line (internally and via acquisition) that had "protection capabilities for now and the next few years." Specifically, Websense is betting its company on data loss prevention, stopping Web vector attacks and software that takes care of "email hygiene." The overall goal: Protect enterprise intellectual property, which can leak out via many means these days.
On the future of security suites: Hodges, who in 1996 was president of McAfee, knows a few things about security suites. In fact, his company's fate depends on suites. If every IT buyer decided that all security software should come in a suite from some giant like Symantec, Websense would have problems. Hodges noted that suites aren't going to make best-of-breed products extinct any time soon."Since 1996 the smart money trend has been suites will dominate the world. But there's room for point security technologies," said Hodges.
On the tug of war between suites and best of breed Hodges added:
"Suites make lives easier for guys at top. There are fewer vendors to manage. There's a senior level relationship and usually some bargaining power when customers buy a wheelbarrow or truckload of products. Best of breed makes sense for the schmuck that has to run it day to day. If management function (in a security suite) isn't strong and core functionality is weak then it doesn't get the job done. It's extremely difficult to put together a broad suite that has a best of breed or close to best of breed with management framework."
Hodges then noted that suites from the likes of Symantec, McAfee, Cisco and Microsoft all have weaknesses. "If a large infrastructure provider could put together a suite that rated 7 out of a 10 (scale in each component) it could sweep market," said Hodges.
Why Websense is building a suite: Despite the fact that suites aren't perfect. Websense is putting together a suite itself. But the company is trying to shift the playing field by focusing on "the current and future battleground around customer data," said Hodges. He said the attacks that used to be infrastructure oriented are now data oriented. "The portfolio we have assembled is focused on integrity of that essential information such as proprietary data and intellectual property," said Hodges. Meanwhile, Websense's software continues to monitor for external attacks coming via Web protocols.
On the modern attack vector: Antivirus software worked fine when attacks were generally focused on attacking infrastructure and making headlines. But current antivirus isn't very good at protecting Web protocols, argued Hodges. "Modern attackware is much better crafted and stealthy than viruses so developing an antivirus signature out of sample doesn't work," said Hodges. The issue is that antivirus signature sampling starts with a customer being attacked. Then that customer calls the antivirus vendor, creates a sample, identifies the malware and then creates the sample. The conundrum for antivirus software comes when there's malware that's never detected. If you don't know you're being attacked there's no starting point for a defense. "Infrastructure attacks are noisy because you wanted the victim to know they have been had. You didn't have to be a brain surgeon to know you were hit by Slammer. Today's malware attacks are stealthy and don't want you to know it's there," said Hodges.
Is antivirus software necessary? Hodges said that antivirus software in general is still necessary, but the value is decreasing. Hodges recalled discussions at a recent conference and the general feeling from CIOs that viruses and worms were a solved problem. Things will get very interesting if there's a recession and customers become more selective about how they allocate their security budgets. For instance, Hodges said CIOs could bring in Sophos, Kaspersky and Microsoft as antivirus vendors and "kick the stuffing out of the price structure for antivirus and firewalls." The dollars that used to be spent on antivirus software could then be deployed for more data centric attacks that require better access control, encryption and data leakage. My take: Obviously, Hodges has a motive here since these budget dollars would presumably flow in Websense's direction. That said the argument that the value of antivirus software is declining makes a lot of sense and is gaining critical mass.
Web 2.0 as security risk. Hodges said Web 2.0--or enterprise 2.0--techniques could become a security risk in the future, but Websense "really hasn't seen significant exploitation of business transactions of Web 2.0." That said enterprises are likely to see these attacks in the future. For starters, enterprises generally allow employees to tap sites like YouTube, Facebook and MySpace. Those sites are big targets for attacks and connections to the enterprise can allow "bad people to sneak bad stuff into good places," said Hodges. In other words, the honey pot isn't lifting data from Facebook as much as it is following that Facebook user to his place of employment. Meanwhile, Web connections are already well established in the enterprise via automated XML transactions, service oriented architecture and current ERP systems. Hodges noted that Oracle Fusion and SAP Netweaver applications fall into the Web 2.0 category.
What will an enterprise 2.0 attack look like? Hodges said these attacks will be stealthy, hard to find and very lucrative. For instance, an attacker could set himself up to be a vendor in a company's SAP system. "Then you pay yourself $5,000, $10,000 and other amounts that aren't too big. You pay yourself here and there and spread it around the world. This attack could even pass a 404 (Sarbanes-Oxley) audit," said Hodges.
Preventing that aforementioned attack: Hodges says preventing such an attack means looking in multiple network nooks. "Perimeters are more holes than walls," said Hodges. "The core hypothesis of our suite is that you have to be able to recognize and classify content in real time like real time classification of modern attackware. We're going out and looking for malware with pretty good automatic classification tools." The goal is to prevent critical data from going out due to "malfeasance, outside attack and human stupidity."
The data loss prevention (DLP) market. Hodges noted some interesting patterns in customer interest in DLP. Typically, security technology interest starts on the coasts--New York and Silicon Valley and then sweeps inland and abroad. For instance, antivirus software interest took about two to three years to sweep the globe. DLP interest is much more country specific. In the U.S. regulations such as Sarbanes-Oxley have spurred interest in DLP software. "In the U.S. IT guys beaten over the head so often that they will look for problems proactively (and buy DLP applications). The Europeans are thinking that 'maybe we don't want to shine light in corner.' Japan is immensely more IP focused and very attuned to protection of IP. Chinese and Indians know they are mistrusted so have to show control of the IP. It's a weird market," said Hodges.
On the malware arms race: Hodges said that malware "has gotten pretty commercial" and resembles the professional applications trying to prevent attacks. "Malware is assembled in source code management system, written by distributed team using global code that's localized, able to dredge data using different standards. Today's malware knows how to look for information in France versus the United States," said Hodges. "These are international software operations. It's a real kick in the head."