Networks Under Siege

Priya Ganapati, Red Herring, March 12, 2007

Security Special: Companies enhance their arsenals.

In the continuously shifting world of IT security, where restless entrepreneurs are constantly scouting for the next big thing, Jay Chaudhry is taking a breather.

In July, the 22-year veteran of the security business sold his startup, CipherTrust, which specialized in products to stop threats like spam, viruses, phishing, and sensitive data leakage, to Secure Computing for $274 million. But he's already plotting his next venture.

"Why do you see hundreds of startups in the security space instead of financial applications, for instance?" asks Mr. Chaudhry. "Because customers are willing to buy the next mousetrap because it's better, or it can save them money, or it's easier to use."

Mr. Chaudhry has bet correctly on the security market in the past. In 1997, his Internet security services startup, SecureIT, was acquired by VeriSign. In 2002, he launched AirDefense to detect and prevent threats on wireless local area networks, a company that is still a major player in that segment. Now he's setting his sights on application gateways and VoIP security, two areas he thinks will explode in the next few years.

Certainly, the security market is evolving rapidly. Up until a few years ago, businesses simply purchased firewalls, antivirus software, anti-spam and anti-spyware applications, virtual private networks, and intrusion prevention systems to protect their networks. Now ever more sophisticated hackers are launching targeted attacks on corporate networks in a bid to steal data, instead of just wreaking havoc on Internet users, which means companies have a new set of security products on their shopping lists.

While antivirus and anti-spyware applications are essential multimillion-dollar businesses and will continue to remain so, the opportunities of tomorrow lie elsewhere. Unified threat management systems that bring together different security products in a single box, as well as data leak prevention systems, are emerging as the new must-have security technologies, layered on top of the traditional security products.

"Historically, people addressed the threat du jour," says Jon Oltsik, senior analyst with research firm Enterprise Security Group. "Now they are looking at solutions that can address things on a more end-to-end basis."

Companies typically spend about 3 to 7 percent of their IT budget on security, but that is expected to increase at least 10 to 15 percent in the next three years, according to the Enterprise Security Group. Not surprisingly, a fresh breed of startups and private companies is angling for a piece of this pie, even as larger players like Symantec, Computer Associates, and Cisco are realizing the holes in their product portfolios and trying to fill them in-house or through acquisitions.

"It's a game of catch-up," says Richard Stiennon, interviewed when he was chief analyst with IT Harvest, a research firm he founded. "If you look at the publicly traded companies, they offer very good defenses for the threats of 2002, but they are not focused on the threats of the future." Since being interviewed for this article, Mr. Stiennon has gone on to become chief marketing officer at Fortinet, a Sunnyvale, California-based security appliance maker.

And the big players are in on the game. In January, Cisco announced its $830-million acquisition of messaging security appliance maker IronPort Systems, while Symantec moved to snap up enterprise management software provider Altiris for the same amount.

Evolution of Security

The security industry has evolved in waves. First came antivirus software, then firewalls, followed by virtual private networks, and then anti-spyware applications.

The billion-dollar security players of today like Symantec, McAfee, or Checkpoint got their head start because of their ability to spot these segments when they were still new. Take Nasdaq-listed Checkpoint. The 1,570-employee company started in 1993 when entrepreneurs Gil Shwed, Shlomo Kramer, and Marius Nacht invented a firewall that prevented unauthorized access into a computer from the network. The trio parlayed the idea into a company with a market capitalization of $5.5 billion, and played a large part in convincing the world that firewalls are must-have products.

Companies like Symantec and McAfee focused on protecting desktops from cyber threats, and eventually used that expertise to branch out into security for businesses. Meanwhile, another category of players focused on detecting and preventing malicious network traffic, including Atlanta-based Internet Security Systems. Last August, IBM bought the company for $1.3 billion.

Now, industry veterans agree that the trend is toward data security. "Security moves in five- to 10-year cycles," says Simon Khalaf, CEO of Vernier Networks. "Now people are no longer worried about protecting their disks, they are worried about protecting their data."

That may explain why database encryption companies like Ingrian Networks and Imperva are gaining so much attention. Often referred to as the crown jewels of a company, databases are the repositories of some of the most sensitive customer and corporate records. Four-year-old startup Imperva, which was founded by Checkpoint co-founder Shlomo Kramer, says it grew revenues 25 percent per quarter. Earlier this year, it raised $17 million in its third round of funding from investors including Greylock Partners, Accel Partners, and US Venture Partners. Meanwhile, Checkpoint's $586-million buy-out of Protect Data, a Swedish company that owns data encryption seller Pointsec Mobile Technologies, reached completion.

Inside the Network

Often, companies spend millions adding appliances or buying software products that will protect their networks from intruders. But they ignore a likely source of leaks: insiders or employees who have access to sensitive information and can send it out inadvertently or deliberately through emails, instant messages, or file transfers.

With more contractors and third parties like outsourced call center operations now part of many companies, stopping insider leaks will become increasingly important, say experts. Venture capitalists have already sniffed out this opportunity. Since 2000, more than $200 million has been invested in startups like Vontu, Vericept, Oakley Networks, Tablus, PortAuthority, and Reconnex—all of which promise to protect IP and sensitive information from flowing out of the network.

And there's no letting up. In October, startup Tablus said it raised $16 million in a second round of funding from investors including Trident Capital and Menlo Ventures, bringing total funding for the four-year-old company to $24 million.

"We are fundamentally solving a mission-critical problem for customers," says Anne Bonaparte, CEO of Tablus. "As businesses use sensitive data, they need to understand how the data travels around their organization and figure out a way to stop unauthorized leaks."

One way to do that is to set up rules about what data is confidential. Once that is done, the software automates the search process and monitors for information on the network that fits the profile. Everything from source code to quarterly reports and intellectual property can be caught in the net.

"Leak prevention," as it is often referred to, is a rapidly growing business. Gartner expects it to go from $25 million worldwide in 2005 to $60 million in 2006. IDC believes it can be a $1.9-billion global business by 2009. But right now, the market remains fragmented. "Existing leak prevention players have very little penetration in the enterprise," says Mr. Stiennon, formerly of IT Harvest. "It is difficult even today to find a company with more than 60 customers."

And larger players like Symantec and Trend Micro haven't made a move—yet. In October, McAfee became one of the first publicly listed security firms to acquire a startup in the leak prevention space. McAfee bought Tel Aviv, Israel-based startup Onigma for $20 million in a move that surprised many, because Onigma was off the radar for most analysts and Silicon Valley competitors.

Managing Networks and Identities

Preventing leakage of documents is important, but companies also have to manage access to those documents carefully.

Network Access Control (NAC) has evolved from simpler virtual private networks (VPNs), which created a secure tunnel between the remote user and the corporate network. What VPNs did not do was check the health of the machine logging on to the network. That meant an infected laptop or home machine could bring worms, viruses, or spyware into the corporate network. Now networking giants like Cisco and Juniper, and smaller startups like Vernier Networks, are trying to grab a slice of the NAC pie.

Some companies are moving beyond NAC to "identity management," using products that not only check if laptops or computers coming into the network from remote locations are healthy, but also set the level to which they can access the network.

"We can say a user can connect to a specific network, a server, or to a particular location only," says Rob Ciampa, vice president of marketing and business strategy at Trusted Network Technologies, which offers identity management software. "So if a user comes from home, we can say restrict their access to just email."

Three-year-old Trusted Network Technologies has raised $18 million in funding so far and competes with rivals like Applied Identity and Caymas Systems.

Some of the identity management players could pique the interest of big systems vendors like Symantec, CA, IBM, and Oracle, says Mike Rothman, president and principal analyst of consulting firm Security Incite. That's because the identity management market is expected to grow to over $8.5 billion worldwide by 2008, according to research firm The Radicati Group.

At Symantec's ninth annual customer and analyst conference last year, CEO John Thompson acknowledged the growing importance of the identity and access management market. "We are not, at the moment, in the identity management business at all, but it is an area of great interest to us," he said.

The Big Box of Security

Ultimately, all of this could boil down to creating a super box of security. In many ways, the enterprise security market is fragmented, dominated by point products that address specific areas. Bringing together the different products and appliances to a single, "unified threat management" device could be the next step, say analysts.

"Categories like anti-spam, antivirus, and intrusion prevention are all coming together," says Mr. Rothman.

Mr. Chaudhry's CipherTrust was valuable prey for Secure Computing because it could help the larger firm create a unified portfolio of security products, including unified threat management, web filtering, and identity management.

IDC projects that by 2008, the UTM category will make up the majority of the $3.5-billion worldwide firewall and VPN appliances sector, with 58 percent of the overall share of that business.

Still, there's plenty left to do around unified threat management, says Mr. Rothman. "As with every other marketed term out there, it has come to mean a whole bunch of things in a box as opposed to real unification with policies and functions," he says.

One recent opportunity is the gradual, sometimes reluctant conversion of the telecommunications carriers to IP telephony, where all traffic is transmitted as digital packets. Because IP telephony sometimes involves sending voice and data over the public Internet, carriers have new security needs.

Narus, a Mountain View, California-based security firm, has raised more than $100 million from both telcos like AT&T and NTT Software and venture capital firms like Mayfield, Walden International, and JP Morgan Partners. The company is developing what Steve Bannerman, vice president of marketing and product management, calls "emerging carrier-class security." Its premise is that carriers that are now managing much more complex networks need better control of a bewildering array of wireless, wireless VoIP, and IP data services. Narus says it provides operators with a means to comprehensively monitor all this activity. "We can collate data across every link on the network," Mr. Bannerman says.

All the Rest

As more businesses opt for VoIP-enabled phone networks, experts fear VoIP systems will eventually face the same problems that computer networks face today, including worms, viruses, and even spam. That's why VoIP security is another emerging trend.

It's a problem that has caught the attention of startups like Sipera and Covergence, as well as larger companies like Secure Computing, which plans to release its first VoIP security product in the coming months.

Despite such a potentially lucrative market, most security startups face an uphill battle. Industry experts estimate that there are 700 to 800 IT security companies in the country, and they say buyouts and mergers are inevitable. Others, including Fortinet, Qualys, and Webroot, may follow Sourcefire's lead and opt for the public markets. Sourcefire, a purveyor of open-source security software for the corporate world, is dotting the i's and crossing the t's on its IPO, announced last fall. "Most of these companies will disappear, while some will have their technologies bought out by larger companies and integrated into their solution," says Mr. Chaudhry.

For entrepreneurs like him, that is good news. They can once again participate in the race for the next big thing.