Websense CEO Gene Hodges on attack vectors, the future of AV and the malware arms race

Websense CEO Gene Hodges on attack vectors, the future of AV and the malware arms race

Summary: Gene Hodges, CEO of Websense, has had a busy year. The company has integrated the acquisition of SurfControl, built out its security suite and delivered strong financial results.

SHARE:

Gene Hodges, CEO of Websense, has had a busy year. The company has integrated the acquisition of SurfControl, built out its security suite and delivered strong financial results.

genehodges.jpg"Last year was one of rapid change," said Hodges, referring to the integration of SurfControl and removing 50 percent of its operating costs, investments in engineering and customers support and the effort to build out a suite.

By the end of 2007, Websense (all resources) was ahead of schedule on its integration plans--the company also acquired PortAuthority Technologies--and delivered better than expected fourth quarter results. The company had a net loss of $14.5 million in 2007 due to the SurfControl purchase on revenue of $211 million. Websense also issued a strong outlook for 2008.

I recently spoke with Hodges about emerging security trends, the data loss prevention market and the new breed of malware attacks.

Among the highlights of our conversation:

On Websense's strategy: Hodges said that the company's goal for the last 18 months was to build a product line (internally and via acquisition) that had "protection capabilities for now and the next few years." Specifically, Websense is betting its company on data loss prevention, stopping Web vector attacks and software that takes care of "email hygiene." The overall goal: Protect enterprise intellectual property, which can leak out via many means these days.

On the future of security suites: Hodges, who in 1996 was president of McAfee, knows a few things about security suites. In fact, his company's fate depends on suites. If every IT buyer decided that all security software should come in a suite from some giant like Symantec, Websense would have problems. Hodges noted that suites aren't going to make best-of-breed products extinct any time soon."Since 1996 the smart money trend has been suites will dominate the world. But there's room for point security technologies," said Hodges.

On the tug of war between suites and best of breed Hodges added:

"Suites make lives easier for guys at top. There are fewer vendors to manage. There's a senior level relationship and usually some bargaining power when customers buy a wheelbarrow or truckload of products. Best of breed makes sense for the schmuck that has to run it day to day. If management function (in a security suite) isn't strong and core functionality is weak then it doesn't get the job done. It's extremely difficult to put together a broad suite that has a best of breed or close to best of breed with management framework."

Hodges then noted that suites from the likes of Symantec, McAfee, Cisco and Microsoft all have weaknesses. "If a large infrastructure provider could put together a suite that rated 7 out of a 10 (scale in each component) it could sweep market," said Hodges.

Why Websense is building a suite: Despite the fact that suites aren't perfect. Websense is putting together a suite itself. But the company is trying to shift the playing field by focusing on "the current and future battleground around customer data," said Hodges. He said the attacks that used to be infrastructure oriented are now data oriented. "The portfolio we have assembled is focused on integrity of that essential information such as proprietary data and intellectual property," said Hodges. Meanwhile, Websense's software continues to monitor for external attacks coming via Web protocols.

On the modern attack vector: Antivirus software worked fine when attacks were generally focused on attacking infrastructure and making headlines. But current antivirus isn't very good at protecting Web protocols, argued Hodges. "Modern attackware is much better crafted and stealthy than viruses so developing an antivirus signature out of sample doesn't work," said Hodges. The issue is that antivirus signature sampling starts with a customer being attacked. Then that customer calls the antivirus vendor, creates a sample, identifies the malware and then creates the sample. The conundrum for antivirus software comes when there's malware that's never detected. If you don't know you're being attacked there's no starting point for a defense. "Infrastructure attacks are noisy because you wanted the victim to know they have been had. You didn't have to be a brain surgeon to know you were hit by Slammer. Today's malware attacks are stealthy and don't want you to know it's there," said Hodges.

Is antivirus software necessary? Hodges said that antivirus software in general is still necessary, but the value is decreasing. Hodges recalled discussions at a recent conference and the general feeling from CIOs that viruses and worms were a solved problem. Things will get very interesting if there's a recession and customers become more selective about how they allocate their security budgets. For instance, Hodges said CIOs could bring in Sophos, Kaspersky and Microsoft as antivirus vendors and "kick the stuffing out of the price structure for antivirus and firewalls." The dollars that used to be spent on antivirus software could then be deployed for more data centric attacks that require better access control, encryption and data leakage. My take: Obviously, Hodges has a motive here since these budget dollars would presumably flow in Websense's direction. That said the argument that the value of antivirus software is declining makes a lot of sense and is gaining critical mass.

Web 2.0 as security risk. Hodges said Web 2.0--or enterprise 2.0--techniques could become a security risk in the future, but Websense "really hasn't seen significant exploitation of business transactions of Web 2.0." That said enterprises are likely to see these attacks in the future. For starters, enterprises generally allow employees to tap sites like YouTube, Facebook and MySpace. Those sites are big targets for attacks and connections to the enterprise can allow "bad people to sneak bad stuff into good places," said Hodges. In other words, the honey pot isn't lifting data from Facebook as much as it is following that Facebook user to his place of employment. Meanwhile, Web connections are already well established in the enterprise via automated XML transactions, service oriented architecture and current ERP systems. Hodges noted that Oracle Fusion and SAP Netweaver applications fall into the Web 2.0 category.

What will an enterprise 2.0 attack look like? Hodges said these attacks will be stealthy, hard to find and very lucrative. For instance, an attacker could set himself up to be a vendor in a company's SAP system. "Then you pay yourself $5,000, $10,000 and other amounts that aren't too big. You pay yourself here and there and spread it around the world. This attack could even pass a 404 (Sarbanes-Oxley) audit," said Hodges.

Preventing that aforementioned attack: Hodges says preventing such an attack means looking in multiple network nooks. "Perimeters are more holes than walls," said Hodges. "The core hypothesis of our suite is that you have to be able to recognize and classify content in real time like real time classification of modern attackware. We're going out and looking for malware with pretty good automatic classification tools." The goal is to prevent critical data from going out due to "malfeasance, outside attack and human stupidity."

The data loss prevention (DLP) market. Hodges noted some interesting patterns in customer interest in DLP. Typically, security technology interest starts on the coasts--New York and Silicon Valley and then sweeps inland and abroad. For instance, antivirus software interest took about two to three years to sweep the globe. DLP interest is much more country specific. In the U.S. regulations such as Sarbanes-Oxley have spurred interest in DLP software. "In the U.S. IT guys beaten over the head so often that they will look for problems proactively (and buy DLP applications). The Europeans are thinking that 'maybe we don't want to shine light in corner.' Japan is immensely more IP focused and very attuned to protection of IP. Chinese and Indians know they are mistrusted so have to show control of the IP. It's a weird market," said Hodges.

On the malware arms race: Hodges said that malware "has gotten pretty commercial" and resembles the professional applications trying to prevent attacks. "Malware is assembled in source code management system, written by distributed team using global code that's localized, able to dredge data using different standards. Today's malware knows how to look for information in France versus the United States," said Hodges. "These are international software operations. It's a real kick in the head."

Topics: Browser, Malware, Security, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Sounds like the Human component is still needed

    With Enterprise 2.0 we seem to want to take the human element out of the picture as much as possible, but at the same time, when we have some shifting of finances without any real follow up, then a there is a greater chance of fail.

    Then again, the human component is a double edged sword. While it can be used to watch for inconsistencies that the system can not pick up. They can also be compromised to create part of the problem.
    nucrash
    • One of WebSense's beauties

      As a user/sufferer of an enterprise that has used WebSense for several years, one of the major weapons in its arsenal is prevention of user initiated problems, e.g., users are prevented from even going to web sites that the enterprise deems inappropriate/non-work related.

      For instance, where I work (a major agency with the State of California), users cannot visit:

      social networking sites
      personal websites and blogs (ZDNet has so far escaped this category)
      auction sites
      free downloads
      dating sites
      streaming audio and video (including news sites like CNN videos)
      hacking sites
      mp3 downloads
      porn
      adult sites

      ...and I am sure a lot of others that I have not encountered over the years.


      Bottom line, employees can waste a lot less time and hopefully it reduces the attack vectors by blocking unsavory sites such as free downloads, social networking and porn sites.

      It has done an admirable job, except with me, who is irrationally addicted to talkbacks... oops, was that my outside voice?
      Confused by religion
      • And Gaming....

        Sorry, but Websense can easily be thwarted.

        You can block the website, but then the user can create a proxy on another system. Managers are then reluctant to check for this in cubes because obviously, they blocked all of the websites, how could any one possibly be surfing locations on the web that they aren't supposed to be surfing.

        If you lock out a criminal, you create a smarter criminal.

        Has DRM not failed because of this?

        Sorry, but Websense and every other website blocker is useless when dealing with proxying websites. So next, let us say we create a filter at the gateway that blocks by content as well as website. Next we would do what we can to create an encrypted packet that could pass through the filter undetected. So then we get into port blocking and I start using ports that are more common, but connect to my remote systems located some where on the other side of the world. I would have the change them occasionally so that the employer doesn't get wise to my notions.

        To summarize, people who are going to slack off, will continue to slack off. The question is, how much to you want to spend in preventing them from slacking off?
        nucrash
        • Bull

          We block those attempts everyday where I work with Websense Network Agents. And our IPS/IDS identifies users/computers and tracks down offenders with rogue software, right down to the very switch port the computer is plugged into. Managers, Employees are all alerted.

          Security, Server, WAN/LAN support are all interloped together to root out these issues.

          The difference? We implement these solutions correctly and you work with a bunch of goofs.

          And no, I will not revel the Industry/Company I work for.
          james_p
          • So wait...

            You pay some one to go through and spend all day trying to figure who is doing what and where. How very Orwellian.

            Of course you have to pay for managed switches down to the workstation level. IDS is nice, but like a spam filter it has to be maintained and tweaked. Then again, you have to consider which option you are looking at for an IDS. Do you want to create an IDS that is looking for traffic that is out of the ordinary to which you define what is normal. Or do you want to build which looks for the abnormal.

            Oh and just for your information. I don't use Websense, where I work has a "No Cubicle Method" in which the workspace is open. That is much more team based. I have seen a location that used Websense and noticed how easily it can be thwarted.
            nucrash
      • Very interesting

        but man that would be a pain as an employee. Not that I'd be on an evil site or anything, but it sounds like Websense would catch a lot of sites that aren't that evil. What's the vibe among the rank and file?
        Larry Dignan
        • It varies.

          We had Websense at the company I used to work at for a few years, with the PIX integration, and it was pretty mixed. Some complain about not being able to get their music or certain news, but overall everyone was pretty acceptable. If there was a site that had a legit reason for being allowed, the employee or management would put in a request and 99% of the time we unblocked it.

          We switched to Smartfilter last year when we upgraded to a Cisco ASA mainly to lower costs, and really haven't seen much of a change.

          I will say I did like Websense's administrative interface much better than Smartfilter, and it has a more granular filter, allowing more control of protocol filtering than was observed in Smartfilter. Also, Websense and Smartfilter are the only two with Cisco PIX/ASA integration.
          jheine