CEO Spotlight - Apr 04 Issue
CEO Spotlight: Abe Kleinfeld, nCircle
By Angel Mehta, Managing Director, Sterling-Hoffman Executive Search
Angel Mehta: What has changed about the network security market over the last 5 years? How has it evolved?
Abe Kleinfeld: The thing to understand is that the network security market really hasn’t been around very long. Companies have only needed network security for the last 5 or 6 years. A lot of people don’t realize how new the business problem is - it feels like we’ve always needed it. The reality is, if you go back to 1998 or a little bit before, nobody was connected to the Internet. Everybody had systems that were developed over 35-40 years and were designed to be used by employees of the company. All the networks were private. They had private telephone lines connecting pretty much all of their offices. They had proprietary protocols running over those lines. Things like DECNet and IBM’s SNA or whatever proprietary systems they had. Nobody from the outside connected into a company’s network.
Angel Mehta: So the possibility of an intruder breaking into your network was pretty slim…
Abe Kleinfeld: Very slim. Nobody really worried about it. It wasn’t a problem and the only thing you had to worry about really was authentication on the inside, making sure the right people are logging into your system from inside the company; that was really what security was about 5 or 6 years ago.
And then Netscape goes public, and the Web starts to take off and suddenly everybody has websites and the next thing you know… overnight you’ve got on-line banking. None of those banking systems were designed to have outsiders connected to it. You’ve got on-line shopping, when none of those order systems were designed to have outsiders connected to it. But suddenly your internal systems that were developed over a long period of time for internal use are turned inside out.
Angel Mehta: Nobody had the chance to really think that through…
Abe Kleinfeld: Right. Now consider that plus a few other factors and it made the problem even worse. You took away all those private telephone lines that were connecting those networks. Now everybody connected to their own systems, inside the company, through the Internet. So suddenly all your remote offices are connected through the Internet using things like VPNs and the like. All of a sudden these systems are turned inside out. All of them are connected via one single protocol, IP, no longer proprietary protocols; anybody in the world can access anything in that environment.
Angel Mehta: Hence the firewall market…
Abe Kleinfeld: Sure, that was natural. Firewalls block certain types of traffic. Then people started realizing that firewalls weren’t enough and they progressed to things like intrusion detection and intrusion prevention systems, which essentially are systems that let you know when somebody’s attacked your environment. Then they started realizing there were problems with viruses and worms and they added anti-virus systems. And systems evolved again to deal with that threat. What’s happened is that all of these systems have only worked to a point. For example, last summer we had Blaster and before that you had Slammer. Recently it was the ‘MyDoom’ virus. These things continue to do serious damage despite all these network security solutions that have been deployed.
Angel Mehta: So how does nCircle tackle all of this?
Abe Kleinfeld: We realize there’s something still missing, and so we looked at other analogies and paradigms of security. For example, when you look at fire safety, police safety, and military security, you see that all of them followed an interesting pattern. They all started out with very reactive forms of security. For example, in fire safety, when a fire started, you sent firemen in to put out the fire. Network security has gone through the exact same evolution. When something goes wrong, you send in a whole bunch of people to try to figure out what went wrong or you put in systems that can catch the fire after it starts, right? So it will give you early notification that a fire has started so you can go put it out. But if you follow the trend, if you follow the evolution of fire safety what you find is that after the big fire of San Francisco in 1906 and the big Chicago fire in 1871, people started realizing that you have to be proactive about eliminating the vulnerability of fire before the fire starts.
Today, if you look at the spending patterns in other security paradigms, you find that $10 gets spent for proactive security measures for every $1 in reactive forms of security. So how did that evolve?
Angel Mehta: Making buildings out of stuff that doesn’t catch fire?
Abe Kleinfeld: Right. In fire prevention, it means constructing buildings with fire retardant materials, making sure that you have policies in place that ensure fires aren’t going to start. Make sure flammable substances are certain distances away from the building; that’s how other paradigms of security have evolved to be more proactive.
nCircle is a proactive form of network security. It finds and eliminates vulnerabilities before they can be exploited. Why is that important? It turns out that between 90% and 99% of network attacks are against known vulnerabilities. If you can find and eliminate them from your network, you eliminate 90% to 99% of the risk of network attack. This maps exactly to these other security paradigms. If you can eliminate the risk of fire, why wouldn’t you do that rather than just send in a bunch of firemen? In fact, if you can build buildings with fire retardant materials and make sure that you are eliminating the vulnerability of fire, or at least minimizing it, the costs of having fire stations and firemen go down. It actually becomes affordable because they’re only dealing with the exceptions.
Angel Mehta: So does nCircle find those vulnerabilities… or rather, how does it find and remove?
Abe Kleinfeld: nCircle’s system automatically finds the vulnerabilities on a network and then manages the process of removing them. The removing part, called remediation, is still largely a manual effort because fixing vulnerabilities requires some decision making on the part of the people involved. Sometimes the way you fix these vulnerabilities is by changing a configuration in your network. Other times, it’s downloading a patch from a software company to fix a flaw. Other times, it’s literally taking a product that shouldn’t have been there in the first place off your network. nCircle automatically finds these vulnerabilities and then manages the process of remediation. We have a complete trouble ticketing system built into our product that assigns trouble tickets and then tracks them all the way through completion. And we then automatically test to validate that the problem was resolved.
Angel Mehta: So the workflow process is built in.
Abe Kleinfeld: Yes. And the product is implemented as an appliance-based solution. We found that companies want to deploy this very broadly throughout their enterprise, but they need to be able to manage it centrally. Appliance-based technologies are generally more scalable, and easier to manage than pure software solutions. So we’ve built our software on top of a very hardened appliance that’s easy to deploy and is very low maintenance. What these appliances do is continuously scan your network and check every single IP address to figure out exactly what’s running there, and identify every vulnerability that exists on every single device on your network. Those vulnerabilities then get prioritized based on their risk and on asset value information that you provide us about your network. Certain pieces of your network are more important than others. Certain devices are running more sensitive systems than others. We prioritize all these problems so companies can focus on the most important and sensitive systems first. After all, it’s not unusual to find thousands of problems on a network. So net/net, our system can quickly show what your worldwide network risk profile is day to day. And manage the reduction of that risk.
Angel Mehta: To some degree then, doesn’t the value of nCircle’s solution go down over time? I mean, after you’ve done an initial vulnerability assessment, do you really need it the same way? Though I suppose a network is always changing itself as a company grows…
Abe Kleinfeld: Well, that’s exactly right. We focus primarily on large corporations, the Global 2000 and large government agencies. We’re working with one large organization that isn’t even sure how many IP addresses they have. They think they have somewhere between 250,000 and 400,000 IPs. Most companies don’t even know what’s on their network. That’s why they need a vulnerability management system. If you don’t even know what’s running on your network how are you going to know where the vulnerabilities are?
When you have a network that large, it’s not static. Your network is a living, breathing thing. It’s changing minute-by-minute. People bring their laptops from home. People bring devices and connect them to the network. It’s not unusual, for example, for people to bring in a wireless access point. Just plug it into the network and suddenly anybody can connect. When you have thousands of employees, it’s not unusual for somebody to bring something from home or bring something into the network that introduces new vulnerabilities into the network on a daily basis. The IT organization will know nothing about it.
So if you scan once a week or once a month or once a year or once a quarter, from the minute that scan is complete it’s already obsolete, it’s already out of date. So you really need to have a continuous process. You need to be continuously disciplined and diligent about finding and eliminating vulnerabilities in your network.
Bottom line: You need to have a technology that’s doing continuous auditing and continuous risk assessment and managing that risk downward.
Angel Mehta: But how much is enough? How much security is enough?
Abe Kleinfeld: It’s very analogous to quality. How much quality is enough? How much security is enough? The answer is that you want to continually improve — and what most people have found is that quality is essentially free. It costs less to improve the quality of your products before they go out the door.
Angel Mehta: Versus shipping crap and fixing the problems later.
Abe Kleinfeld: Right. Security is the same – it is attainable. If you put in the effort to continually improve your security operations and continually improve your security practices and continually make sure that you are minimizing your vulnerabilities, the cost of doing that will be significantly less than dealing with the problem afterwards. For example, one of our customers told us that before acquiring our product they got badly hit with the Blaster virus and it cost them something like 4,500 staff hours to recover. If you don’t eliminate the vulnerability and stay ahead of the problem, you don’t know when it’s going to happen again. It could happen again tomorrow, it could happen again next month — you just don’t know.